This blog entry offers a technical analysis of a new SolidBit variant that is posing as different applications to lure gamers and social media users. The SolidBit ransomware group appears to be planning to expand its operations through these fraudulent apps and its recruitment of ransomware-as-a-service affiliates.…
Tag: LATERAL MOVEMENT
An analysis of three in-the-wild payloads delivered using the recently discovered Follina exploit shows how attackers can use it to achieve persistent access in victim environments and turbo-charge efforts to ‘live off the land’ and avoid detection by security monitoring tools.
…
Gootkit has been known to use fileless techniques to drop Cobalt Strike and other malicious payloads. Insights from a recent attack reveal updates in its tactics.
Our in-depth analysis of what began as an unusual PowerShell script revealed intrusion sets associated with Gootkit loader. In the past, Gootkit used freeware installers to mask malicious files; now it uses legal documents to trick users into downloading these files.…
Threat Actors Leveraging Microsoft Applications to Deliver Cobalt-Strike Beacons
Read More DLL (Dynamic-Link Library) sideloading is a technique used by Threat Actors to infect users using legitimate applications which load malicious DLL files that spoof legitimate ones. Recently Cyble Research Labs published a blog about Qakbot malware that leverages a calculator to perform DLL Sideloading.…
DLL (Dynamic-Link Library) sideloading is a technique used by Threat Actors to infect users using legitimate applications which load malicious DLL files that spoof legitimate ones. Recently published a blog about Qakbot malware that leverages a calculator to perform DLL Sideloading.
Similarly, we came across a Twitter post wherein researchers mentioned a document file that performs DLL Sideloading using Microsoft applications such as “Teams.exe”…
In June 2022, LockBit revealed version 3.0 of its ransomware. In this blog entry, we discuss the findings from our own technical analysis of this variant and its behaviors, many of which are similar to those of the BlackMatter ransomware.
In March 2022, less than a year after LockBit 2.0 first emerged, researchers caught wind of an upcoming new variant of the LockBit ransomware. LockBit…
Our X-Ops teams – SophosLabs, SecOps (Sophos Managed Threat Response [MTR] and Sophos Rapid Response), and Sophos AI – operate in a virtuous Observe-Orient-Decide-Act loop, building on each teams’ work to improve customer protections. A recent set of investigations illustrates our OODA-loop process: Attacks against a pair of vulnerabilities in Microsoft SQL were researched, documented, and addressed proactively.…
Summary
Actions to take today:
• Install fixed builds, updating all affected VMware Horizon and UAG systems to the latest versions. If updates or workarounds were not promptly applied following VMware’s release of updates for Log4Shell in December 2021, treat all affected VMware systems as compromised.…
This research was conducted by Michael Mullen and Nikolaos Pantazopoulos from NCC Group Cyber Incident Response Team. You can find more here Incident Response – NCC Group
Summary tl;drIn the Threat Pulse released in November 2021 we touched on Everest Ransomware group. This latest blog documents the TTPs employed by a group who were observed deploying Everest ransomware during a recent incident response engagement.…
By Securonix Threat Labs, Threat Research: Den Iuzvyk, Tim Peck
July 5, 2022
IntroductionA new malware loader named BumbleBee is actively being used to target businesses using mass phishing or spear-phishing campaigns as an initial attack vector. Malware loaders (or droppers) are commonly used by ransomware groups and other APTs to distribute payloads as they are extremely effective during the initial stages of compromise.…
By Flavio Costa,
In a recent customer engagement, we observed a month-long AvosLocker campaign. The attackers utilized several different tools, including Cobalt Strike, Sliver and multiple commercial network scanners. The initial ingress point in this incident was a pair of VMWare Horizon Unified Access Gateways that were vulnerable to Log4Shell.…Using a methodology first seen in 2020, an unknown threat actor has been exploiting a three-year-old bug in the Telerik UI web application framework to take control of web servers, installing Cobalt Strike beacons and other malware in the process.
In the weeks following the initial, 2019 disclosure of the vulnerability, attackers scanned the internet for vulnerable applications.…
This research was conducted by Ross Inman (@rdi_x64) and Peter Gurney from NCC Group Cyber Incident Response Team. You can find more here Incident Response – NCC Group
tl;drThis blog post documents some of the TTPs employed by a threat actor group who were observed deploying Black Basta ransomware during a recent incident response engagement, as well as a breakdown of the executable file which performs the encryption.…
This post is also available in: 日本語 (Japanese)
Executive SummaryTo better detect attacks that affect the actions of signed applications – such as supply-chain attacks, dynamic-link libraries (DLL) hijacking, exploitation and malicious thread injection – we have devised a suite of analytics detectors that are able to detect global statistical anomalies.…
In this multi-day intrusion, we observed a threat actor gain initial access to an organization by exploiting a vulnerability in ManageEngine SupportCenter Plus. The threat actor, discovered files on the server and dumped credentials using a web shell, moved laterally to key servers using Plink and RDP and exfiltrated sensitive information using the web shell and RDP.…
The Trend Micro Threat Hunting team recently analyzed a series of CMD-based ransomware variants with a number capabilities such as stealing user information, bypassing remote desktop connections, and propagating through email and physical drives.
The Trend Micro Threat Hunting team recently analyzed a series of CMD-based ransomware variants with a number capabilities such as stealing user information, bypassing remote desktop connections, and propagating through email and physical drives.…
UNC2165 Overlaps with Evil Corp Activity
Read More OFAC sanctions against Evil Corp in December 2019 were announced in conjunction with the Department of Justice’s (DOJ) unsealing of indictments against individuals for their roles in the Bugat malware operation, updated versions of which were later called DRIDEX. DRIDEX was believed to operate under an affiliate model with multiple actors involved in the distribution of the malware.…
Recently Cyble researchers came across a post where a researcher mentioned about fake Proof of Concept (POC) of CVE-2022-26809. Upon further investigation, we discovered that it’s malware disguised as an Exploit. Similarly, we found a malicious sample that appears to be a fake POC of CVE-2022-24500.…
ВведениеОбщие сведенияАнализ ВПО и инструментовMyKLoadClientСхема 1Схема 2Тестовый образецПолезная нагрузкаZupdaxПолезная нагрузкаСвязь с RedsipСвязи с Winnti и FF-RATСвязи с Bronze Union и TA428ЗагрузчикиDownloader.Climax.ADownloader.Climax.BRtlShareДроппер rtlstat.dllИнжектор rtlmake.dllПолезная нагрузка rtlmain.dll (rtlmainx64.dll)Использование RtlSharePlugXDemo dropperBH_A006Стадия 0.…
Read More In December last year, the vulnerability (CVE-2021-44228) of Java-based logging utility Log4j became a worldwide issue. It is a remote code execution vulnerability that can include the remote Java object address in the log message and send it to the server using Log4j to run the Java object in the server.…