Key FindingsCheck Point Research (CPR) is monitoring an ongoing Iranian espionage campaign by Scarred Manticore, an actor affiliated with the Ministry of Intelligence and Security (MOIS).
The attacks rely on LIONTAIL, an advanced passive malware framework installed on Windows servers. For stealth purposes, LIONTIAL implants utilize direct calls to Windows HTTP stack driver HTTP.sys…
Read More Tag: INITIAL ACCESS
ESET Research
ESET Research recommends updating Roundcube Webmail to the latest available version as soon as possible
Matthieu Faou
25 Oct 2023 • , 5 min. read
ESET Research has been closely tracking the cyberespionage operations of Winter Vivern for more than a year and, during our routine monitoring, we found that the group began exploiting a zero-day XSS vulnerability in the Roundcube Webmail server on October 11th, 2023.…
ESET Research
How ESET Research found a kill switch that had been used to take down one of the most prolific botnets out there
01 Nov 2023 • , 3 min. read
In August 2023, the notorious Mozi botnet, infamous for exploiting vulnerabilities in hundreds of thousands of IoT devices each year, experienced a sudden and unanticipated nosedive in activity.…
Preamble
Read More Elastic Security Labs is disclosing a novel intrusion targeting blockchain engineers of a crypto exchange platform. The intrusion leveraged a combination of custom and open source capabilities for initial access and post-exploitation.
We discovered this intrusion when analyzing attempts to reflectively load a binary into memory on a macOS endpoint.…
Preamble
Read More Elastic Security Labs has observed a campaign to compromise users with signed MSIX application packages to gain initial access. The campaign leverages a stealthy loader we call GHOSTPULSE which decrypts and injects its final payload to evade detection.
MSIX is a Windows app package format that developers can leverage to package, distribute, and install their applications to Windows users.…
NetSupport Manager is one of the oldest third-party remote access tools still currently on the market with over 33 years of history. This is the first time we will report on a NetSupport RAT intrusion, but malicious use of this tool dates back to at least 2016.…
Key TakeawaysCyble Research and Intelligence Labs (CRIL) has discovered a new Advanced Persistent Threat (APT) campaign focusing on luring unsuspecting victims through phishing websites mimicking well-known software applications.
In this campaign, a phishing website was observed masquerading as OpenVPN software tailored for Chinese users and serves as a host to deliver the malicious payload.…
Read More Летом 2023 года в ходе исследования инцидента в одной из российских организаций мы обнаружили ряд вредоносных программ, нацеленных на кражу данных. Аналогичные программы, по данным Kaspersky Threat Intelligence, были найдены еще в нескольких государственных и индустриальных организациях РФ, поэтому мы можем предположить, что кража данных из организаций, работающих в данных секторах, была основной целью злоумышленников.…
Recent postsHomeMalware Analysis
Unpacking the Use of Steganography in Recent Malware Attacks
Read More UPD: The section “Additional tasks” has been updated to include a new November 2023 steganography campaign.
Malware delivery techniques are always evolving to bypass security measures. Gone are the days when a scammer could simply send an executable file as an email attachment — today, it simply won’t get past email filters. …
Threat hunting encompasses a range of techniques and approaches aimed at discovering anomalies, threats, and risks associated with attacker activities. In the early days, log review by diligent system administrators was how these anomalies were detected, usually after the fact. This evolved into more structured methodologies created by security experts that attempted to identify these activities in real time.…
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Backdoors, Blockchain, Botnets, Hexadecimal IP notation, Infostealers, and Ransomware. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure…
By Ernesto Fernández Provecho and David Pastor Sanz (Threatray) · October 16, 2023
Discord is the first choice for gamers when they want to chat with some friends while playing an online computer game. Moreover, it is also a major choice for users that simply want to communicate with their friends and family.…
Key TakeawaysA Threat Actor (TA) was observed using a Tor Browser phishing website to target Italian-speaking users.
The executable, downloaded from the phishing site, is a .Net binary obfuscated with SmartAssembly. It acts as a dropper, deploying both a legitimate Tor Installer and the malicious “Pure Clipper” payload.…
Read More The Iranian Crambus espionage group (aka OilRig, APT34) staged an eight-month-long intrusion against a government in the Middle East between February and September 2023. During the compromise, the attackers stole files and passwords and, in one case, installed a PowerShell backdoor (dubbed PowerExchange) that was used to monitor incoming mails sent from an Exchange Server in order to execute commands sent by the attackers in the form of emails, and surreptitiously forwarded results to the attackers.…
Since early October 2023, Microsoft has observed two North Korean nation-state threat actors – Diamond Sleet and Onyx Sleet – exploiting CVE-2023-42793, a remote-code execution vulnerability affecting multiple versions of JetBrains TeamCity server. TeamCity is a continuous integration/continuous deployment (CI/CD) application used by organizations for DevOps and other software development activities.…
This post is also available in: 日本語 (Japanese)
Executive SummaryWe recently detected a new campaign from the XorDDoS Trojan that led us to conduct an in-depth investigation that unveiled concealed network infrastructure that carries a large amount of command and control (C2) traffic. When we compared the most recent wave of XorDDoS attacks with a campaign from 2022, we found the only difference between the campaigns was in the configuration of the C2 hosts.…
Kimsuky, a threat group known to be supported by North Korea, has been active since 2013. At first, they attacked North Korea-related research institutes in South Korea before attacking a South Korean energy agency in 2014. Other countries have also become targets of their attack since 2017. [1]…
Updates
Nov. 02: Identified a third version of the BadCandy implant. Added expected response from the new version of the implant against one of the HTTP requests used to check for infected device.
Nov. 1: Observed increase in exploitation attempts since the publication of the proofs-of-concept (POCs) of the exploits involved.…
A previously unknown advanced persistent threat (APT) group used custom malware and multiple publicly available tools to target a number of organizations in the manufacturing, IT, and biomedical sectors in Taiwan.
A government agency located in the Pacific Islands, as well as organizations in Vietnam and the U.S.,…