Information stealers are malware designed to steal sensitive information from infected computers, such as login credentials, financial data, and personal information. They typically do this by searching for specific types of files and data on the infected computer and then exfiltrating that information to a remote server controlled by the attackers.…
Secureworks® Counter Threat Unit™ (CTU) researchers investigated similarities between the Moses Staff hacktivist group persona that emerged in September 2021 and the Abraham’s Ax persona that emerged in November 2022. The analysis revealed several commonalities across the iconography, videography, and leak sites used by the groups, suggesting they are likely operated by the same entity.…
Research by: Arie Olshtein
Executive summary Initially observed in July 2016, TrickGate is a shellcode-based packer offered as a service to hide malware from EDRs and antivirus programs. Over the last 6 years, TrickGate was used to deploy the top members of the “Most Wanted Malware” list, such as Cerber, Trickbot, Maze, Emotet, REvil, Cobalt Strike, AZORult, Formbook, AgentTesla and more.…This post is also available in: 日本語 (Japanese)
Executive SummaryRecently, our Unit 42 incident response team was engaged in a Black Basta breach response that uncovered several tools and malware samples on the victim’s machines, including GootLoader malware, Brute Ratel C4 red-teaming tool and an older PlugX malware sample.…
A new trend has been observed among Threat Actors (TAs) of using Golang for their information stealer malware. Golang, also known as Go, is a programming language developed by Google known for its simplicity, efficiency, and performance.…
Summary
Emotet, a Trojan that is primarily spread through spam emails, has been a prevalent issue since its first appearance in 2014. With a network made up of multiple botnets, denoted as “epochs” by security research team Cryptolaemus, Emotet has continuously sent out spam emails in campaigns designed to infect users via phishing attacks.…
By Aleksandar Milenkoski, Joey Chen, and Amitai Ben Shushan Ehrlich
Executive Summary SentinelLabs tracks a cluster of recent opportunistic attacks against organizations in East Asia as DragonSpark. SentinelLabs assesses it is highly likely that a Chinese-speaking actor is behind the DragonSpark attacks. The attacks provide evidence that Chinese-speaking threat actors are adopting the little known open source tool SparkRAT.…In this blog entry, we’d like to highlight our findings on Vice Society, which includes an end-to-end infection diagram that we were able to create using Trend Micro internal telemetry.
Updated on January 26, 2023 to remove references to Kape Tool and to remove Trend Micro Apex One from the list of programs that the ransomware disables.…
The Amadey bot is a Trojan that was first discovered in 2018 and is used to steal sensitive information from the infected device. Initially, it was found to be distributed through exploit kits, and Threat Actors (TAs) utilized it to deploy other malware, such as the GrandCrab ransomware and the Flawed Ammyy Remote Access Trojan.…
Since May 2022, eSentire’s Threat Response Unit (TRU) has observed 11 cases of Raspberry Robin infections. Although the initial access vector is an infected USB drive, however it’s unclear how the USB drives were initially infected. Raspberry Robin hosts its payloads on compromised QNAP servers with the malicious files being stored on USB drives as shortcuts.…
Summary
Three key takeaways from our analysis of Vidar infrastructure:
Russian VPN gateways are potentially providing anonymity for Vidar operators / customers, making it more challenging for analysts to have a complete overview of this threat. These gateways now appear to be migrating to Tor.
Vidar operators appear to be expanding their infrastructure, so analysts need to keep them in their sights.…
On January 12, 2023, the Liquor Control Board of Ontario (LCBO) published a news release about a cybersecurity incident, affecting online sales through LCBO.com. It is one of the largest retailers and wholesalers of beverage alcohol in the world.
Web skimmerThe cybersecurity incident was a web skimmer, which is designed to retrieve customer payment information.…
Published On : 2023-01-14
Executive SummaryRecently, researchers noticed various campaigns abusing Google Ads platform to deliver malware to novice users searching for popular applications and cracked versions of legitimate software. Threat actors use cloned websites of legitimate applications to distribute malicious versions of these applications and promote such malicious websites to a wide audience using Google Ad campaigns.…
After our first report about QNAPWorm dating back from March 2022, this malware made the headlines under the name of Raspberry Robin following a RedCanary blogpost. Since then, several vendors such as Microsoft, Secureworks and Avast investigated this malware and made connections to the infamous Russian cybercrime gang EvilCorp, responsible for the Dridex trojan and other malware, as well as several high profile financially motivated campaigns since at least 2014.…
The ASEC analysis team recently identified Orcus RAT being distributed on file-sharing sites disguised as a cracked version of Hangul Word Processor. The threat actor that distributed this malware is the same person that distributed BitRAT and XMRig CoinMiner disguised as a Windows license verification tool on file-sharing sites.[1] The…
Threat Actors (TAs) are increasingly using spam emails and phishing websites to trick users into downloading malware such as Stealer and Remote Access Trojan (RAT) to infect users’ machines and steal sensitive information.
Cyble Research & Intelligence Labs (CRIL) is actively monitoring various stealer malware and publishing blogs about them to inform and educate its readers.…
This post is also available in: 日本語 (Japanese)
Unit 42 researchers perform a deep dive into Automated Libra, the cloud threat actor group behind the freejacking campaign PurpleUrchin. Automated Libra is a South African-based freejacking group that primarily targets cloud platforms offering limited-time trials of cloud resources in order to perform their cryptomining operations.…
Throughout 2022, Deep Instinct observed various combinations of polyglot files with malicious JARs.
The initial technique dates to around 2018 when it used signed MSI files to bypass Microsoft code signing verification. A year later, in 2019, Virus Total wrote about the MSI+JAR polyglot technique. Microsoft decided not to fix the issue at that time.…
Affected Platforms: FortiOSImpacted Users: Government & large organizationsImpact: Data loss and OS and file corruptionSeverity Level: High
Fortinet has published CVSS: Critical advisory FG-IR-22-398 / CVE-2022-42475 on Dec 12, 2022. The following writeup details our initial investigation into this malware and additional IoCs identified during our ongoing analysis.…
Phylum has uncovered yet another malware campaign waged against PyPI users. And once again, the attack chain is complicated and obfuscated, but it’s also quite novel and further proof that supply chain attackers aren’t going to be giving up any time soon.
BackgroundOn the morning of December 22, 2022 Phylum’s automated risk detection platform flagged a package called pyrologin.…