Stay Ahead of Cyber Threats – Daily Security Insights, Powered by AI
Active since 2017, Lyceum group is a state-sponsored Iranian APT group that is known for targeting Middle Eastern organizations in the energy and telecommunication sectors and mostly relying on .NET based malwares.
Zscaler ThreatLabz recently observed a new campaign where the Lyceum Group was utilizing a newly developed and customized .NET…
In March 2022, a new malware named “Bumblebee” was discovered and reportedly distributed via spam campaigns. Researchers identified that Bumblebee is a replacement for BazarLoader malware, which has delivered Conti Ransomware in the past. Bumblebee acts as a downloader and delivers known attack frameworks and open-source tools such as Cobalt Strike, Shellcode, Sliver, Meterpreter, etc.…
Broadcom Software, has uncovered a cyber-criminal operation that has potentially made the actors behind it at least $1.7 million in illicit gains from cryptocurrency mining and theft via clipboard hijacking.
The malware being used, tracked by Symantec as Trojan.Clipminer, has a number of similarities to another crypto-mining Trojan called KryptoCibule, suggesting it may be a copycat or evolution of that threat.…
Sitting on a sunny beach full of sparkling sand. Exploring the jungle looking for exotic animals and plants. Diving into a deep blue sea where sunlight has a difficult time reaching. Partying all night at clubs in a city you have never been to. Holding hands with friends around a campfire singing Kumbaya.…
During 2019-2021 I was focused on analyzing campaigns orchestrated by the APT-C-36 group and RATs used by this same group and other cybercriminal groups such as RemcosRAT, AsyncRAT, Imminent Monitor RAT, etc. In the last few months I have seen some modifications of TTPs in many of these families that have caught my attention and I wanted to analyze them to see what is new.…
OFAC sanctions against Evil Corp in December 2019 were announced in conjunction with the Department of Justice’s (DOJ) unsealing of indictments against individuals for their roles in the Bugat malware operation, updated versions of which were later called DRIDEX. DRIDEX was believed to operate under an affiliate model with multiple actors involved in the distribution of the malware.…
In a recent blog post by Microsoft, a new Zero-Day vulnerability (CVE-2022-30190) was discussed. This vulnerability affects Microsoft Support Diagnostic Tool (MSDT), and the blog post provides some guidance on mitigating the impact of this vulnerability.
The post mentions that a Remote Code Execution (RCE) vulnerability present in MSDT allows the attackers to execute arbitrary code by exploiting it.…
Fortinet’s FortiGuard Labs captured a phishing campaign that delivers three fileless malware onto a victim’s device. Once executed, they are able to control and steal sensitive information from that device to perform other actions according to the control commands from their server.
In Part I of this analysis, I introduced how these three fileless malware are delivered to the victim’s device via a phishing campaign, and what mechanism it uses to load, deploy, and execute these fileless malware in the target process.…
Trustwave SpiderLabs in early April observed a Grandoreiro malware campaign targeting bank users from Brazil, Spain, and Mexico. The campaign exploits the tax season in target countries by sending out tax-themed phishing emails.
Views: 0…
Black Basta Besting Your Network?
first appeared in April 2022. To date, this group has claimed attribution of 29 different victims across multiple industries using a double extortion strategy where the attackers not only execute ransomware but also steal data and threaten to release it publicly if the ransom demands are not met.…
This blog post on TURLA was originally published as a FLINT report (SEKOIA.IO Flash Intelligence) sent to our clients on May 11, 2022.
Executive SummarySEKOIA.IO Threat & Detection Research (TDR) Team have expanded the search on Russian-linked TURLA’s infrastructures from a Google’s TAG blog post.…
Recently Cyble researchers came across a post where a researcher mentioned about fake Proof of Concept (POC) of CVE-2022-26809. Upon further investigation, we discovered that it’s malware disguised as an Exploit. Similarly, we found a malicious sample that appears to be a fake POC of CVE-2022-24500.…
Nokoyawa is a new Windows ransomware that appeared earlier this year. The earliest samples collected by FortiGuard researchers were compiled in February 2022 and share substantial code similarities with Karma, another ransomware that traces its lineage to Nemty through a long string of variants. Nemty is a ransomware family that FortiGuard Labs researchers reported on back in 2019.…
In April 2022, ThreatLabz discovered several newly registered domains, which were created by a threat actor to spoof the official Microsoft Windows 11 OS download portal. We discovered these domains by monitoring suspicious traffic in our Zscaler cloud. The spoofed sites were created to distribute malicious ISO files which lead to a Vidar infostealer infection on the endpoint.…
Trend Micro’s Managed XDR team addressed a Kingminer botnet attack conducted through an SQL exploit. We discuss our findings and analysis in this report.
We observed malicious activities in a client’s SQL server that flagged a potential exploit in one public-facing device. A quick look at the Trend Micro Vision One™ Workbench showed that a Microsoft SQL server process created an obfuscated PowerShell command.…
This blog post was authored by Hossein Jazi and Jérôme Segura
Populations around the world—and in Europe in particular—are following the crisis in Ukraine very closely, and with events unfolding on a daily basis, people are hungry for information.
Although all countries have reasons to be concerned, the situation is Germany is more complicated than most.…
We analyze the Black Basta ransomware and examine the malicious actor’s familiar infection tactics.
Black Basta, a new ransomware gang, has swiftly risen to prominence in recent weeks after it caused massive breaches to organizations in a short span of time.
On April 20, 2022, a user named Black Basta posted on underground forums known as XSS.IS…
Emotet was first found in the wild in 2014. Back then its main functionality was stealing user banking credentials. Since then it has survived numerous transformations, started delivering other malware and finally became a powerful botnet. In January 2021 Emotet was disrupted by a joint effort of different countries’ authorities.…
In mid-March, FortiGuard Labs observed a new DDoS botnet calling itself “Enemybot” and attributing itself to Keksec, a threat group that specializes in cryptomining and DDoS attacks.
This botnet is mainly derived from Gafgyt’s source code but has been observed to borrow several modules from Mirai’s original source code.…