Identifying Connected Infrastructure and Management Activities
Introduction
This blog post seeks to build on recent public reporting on campaigns attributed to SideCopy, a Pakistani-linked threat group. SideCopy has been active since 2019, primarily targeting South Asian countries, with a focus on India and Afghanistan. The group’s name comes from its use of an infection chain that mimics that of SideWinder APT, an Indian-linked threat group.…
Threat actors (TAs) employ diverse file formats to disseminate malicious payloads, primarily to enhance the likelihood of a successful infection. These different file formats are being sent via spam email as an attachment to entice users to download and execute them, thereby exposing themselves to malicious content.…
ESET researchers have discovered a new Lazarus Operation DreamJob campaign targeting Linux users. Operation DreamJob is the name for a series of campaigns where the group uses social engineering techniques to compromise its targets, with fake job offers as the lure. In this case, we were able to reconstruct the full chain, from the ZIP file that delivers a fake HSBC job offer as a decoy, up until the final payload: the SimplexTea Linux backdoor distributed through an OpenDrive cloud storage account.…
Found in Environments Protected By: Microsoft, Fortimail
By Kurtis Nicks, Cofense Phishing Defense Center
Phishing attacks continue to evolve, with threat actors becoming increasingly clever in their attempts to deceive their targets. The Cofense Phishing Defense Center (PDC) has recently observed a sophisticated phishing campaign targeting EPOS Net customers, a large Japanese credit card company.…
Threat Actors (TAs) have shown increasing interest in utilizing the Go programming language. This can be attributed to its cross-platform capabilities and the added challenge it presents to reverse engineering. Consequently, numerous malware, including ransomware, has been observed that were implemented using the Go language.…
Cyble Research and Intelligence Labs (CRIL) came across a new ransomware group named Money Message. Money Message can encrypt network shares and targets both Windows and Linux operating systems. Upon analyzing Money Message binaries, we noticed a similarity: they contained admin credentials in the configuration, which were then used to target network resources.…
Proxyjacking has Entered the Chat | Sysdig
Did you know that you can effortlessly make a small passive income by simply letting an application run on your home computers and mobile phones? It lets others (who pay a fee to a proxy service provider) borrow your Internet Protocol (IP) address for things like watching a YouTube video that isn’t available in their region, conducting unrestricted web scraping and surfing, or browsing dubious websites without attributing the activity to their own IP.…
On December 10, 2021, the Apache Software Foundation disclosed CVE-2021-44228, aka “Log4Shell”, a critical vulnerability in Apache’s Log4j version 2.14.1 and earlier that affects a large number of products that utilize this logging library.
Through our Consulting and Managed Defense clients, Mandiant observed four unique applications targeted and exploited using CVE-2021-44228.…
Cl0p Ransomware Victim Count Continues to Climb at an Alarming Rate
In 2019, Cl0p Ransomware surfaced as a Ransomware-as-a-Service (RaaS) model and became notorious due to its advanced techniques. Its main target was larger organizations with an annual income of USD 5 million or higher. The Threat Actors (TAs) infiltrate the targeted systems and encrypt the files, demanding a ransom to be paid in exchange for the decryption key.…
By Juan Andres Guerrero-Saade, Asaf Gilboa, David Acs, James Haughom, Phil Stokes & SentinelLabs
Executive Summary As of Mar 22, 2023 SentinelOne began to see a spike in behavioral detections of the 3CXDesktopApp, a popular voice and video conferencing software product categorized as a Private Automatic Branch Exchange (PABX) platform.…Cyble Research and Intelligence Labs (CRIL) discovered a new Malware-as-a-Service (MaaS) platform called “Cinoshi”. Cinoshi’s arsenal consists of a stealer, botnet, clipper, and cryptominer. Currently, this MaaS platform is offering stealer and web panel for free, and such free services are rarely seen.…
SideCopy APT is a Threat Actor(TA) from Pakistan that has been active since 2019, focusing on targeting South Asian nations, especially India and Afghanistan. The SideCopy APT gets its name from the infection chain, which imitates that of the SideWinder APT.…
Emotet is a sophisticated banking malware that usually spreads via email attachments. Its primary aim is to extract confidential data from its targets, including passwords and banking details, and send it to the Command and Control (C&C) server.…
Since June 2022, Mandiant has been tracking a campaign targeting Western Media and Technology companies from a suspected North Korean espionage group tracked as UNC2970. In June 2022, Mandiant Managed Defense detected and responded to an UNC2970 phishing campaign targeting a U.S.-based technology company. During this operation, Mandiant observed UNC2970 leverage three new code families: TOUCHMOVE, SIDESHOW, and TOUCHSHIFT.…
Following a bank run on its deposits, Silicon Valley Bank (SVB) experienced a failure on March 10, 2023, and has garnered significant media attention. As SVB has traditionally been the preferred banking partner for many startups worldwide, its failure is expected to significantly impact this community.…
April 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. DEV-1101 is now tracked as Storm-1101.
To learn more about this evolution, how the new taxonomy represents the origin, unique traits, and impact of threat actors, and a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.…
Mandiant, working in partnership with SonicWall Product Security and Incident Response Team (PSIRT), has identified a suspected Chinese campaign that involves maintaining long term persistence by running malware on an unpatched SonicWall Secure Mobile Access (SMA) appliance. The malware has functionality to steal user credentials, provide shell access, and persist through firmware upgrades.…
Cyble Research and Intelligence Labs (CRIL) came across a new malware strain called “WhiteSnake” Stealer. The stealer was first identified on cybercrime forums at the beginning of this month. It is designed to extract sensitive information from the victim’s computer.…
LOCKBIT, the most nefarious ransomware group, claimed to have compromised the networks of an Indian investment company, Infrastructure Leasing & Financial Services Limited (IL&FS), on February 28, 2023.
IL&FS was in the news in 2018 for their troubled financial health leading to a grave NBFC financial crisis and liquidity drought that unraveled several other corporates in India.…