LodaRAT samples were deployed alongside other malware families, including RedLine and Neshta.
Cisco Talos identified several variants and altered versions of LodaRAT with updated functionality have been seen in the wild.
Changes in these LodaRAT variants include new functionality allowing proliferation to attached removable storage, a new string encoding algorithm and the removal of “dead” functions
A relatively unknown VenomRAT variant named S500 has been observed deploying LodaRAT.…
Read More
Tag: MONITOR
Summary
Actions to Take Today to Mitigate Cyber Threats from Ransomware:
• Prioritize remediating known exploited vulnerabilities.• Enable and enforce multifactor authentication with strong passwords• Close unused ports and remove any application not deemed necessary for day-to-day operations.
Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors.…
By Max Kersten · November 15, 2022
In early 2022, Ukrainian companies were struck by multiple destructive wipers, attacking various organizations across sectors. This raised questions about the usage and impact of “digital weapons” within the security community, even though wipers themselves weren’t new. The infamous Shamoon wiper dates back more than a decade ago.…
After FortiGuard Labs reported on RapperBot in our previous article titled So RapperBot, What Ya Bruting For? in August 2022, there was a significant drop in the number of samples collected in the wild. But in early October 2022, new samples with the same distinctive C2 protocol used by RapperBot were detected.…
This post is also available in: 日本語 (Japanese)
Executive SummaryIn early August 2022, Cyble Research Labs (a cybercrime monitoring service) uncovered a new crypto miner/stealer for hire that the malware author named Typhon Stealer. Shortly thereafter, they released an updated version called Typhon Reborn. Both versions have the ability to steal crypto wallets, monitor keystrokes in sensitive applications and evade antivirus products.…
We looked into the campaigns deployed by a new subgroup of advanced persistent threat (APT) group APT41, Earth Longzhi. This entry breaks down the technical details of the campaigns in full as presented at HITCON PEACE 2022 in August.
In early 2022, we investigated an incident that compromised a company in Taiwan.…
Rebranded Chaos Ransomware Using Telegram Group to Finance its activities
Read More
During a routine threat-hunting exercise, Cyble Research and Intelligence Labs (CRIL) encountered data-destructive ransomware linked to the pro-Russian Threat Actors (TA) group named “Killnet”. The ransomware is a modified version of notorious Chaos Ransomware. Upon execution, the Killnet Ransomware drops a note which contains a link to a pro-Russian Telegram channel containing propaganda posts related to the conflict in Ukraine.…
11/07: Updated article to provide clarity around hunting techniques
Key points from our research:
Following our reporting on Robin Banks in July, Cloudflare disassociated Robin Banks phishing infrastructure from its services, causing a multi-day disruption to operations. In response, Robin Banks administrators made several changes, including relocating its infrastructure to a notorious Russian provider and changing features of its kits to be more evasive.…
Summary
Read More
APT-36 (also known as Transparent Tribe) is an advanced persistent threat group attributed to Pakistan that primarily targets users working at Indian government organizations. Zscaler ThreatLabz has been closely monitoring the activities of this group throughout 2022. Our tracking efforts have yielded new intelligence about this APT group that has not previously been documented.…
Update 12.01.22: The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory on Cuba ransomware, listing this BlackBerry blog as a resource. See Advisory.
SummaryThe threat actor known as RomCom is running a series of new attack campaigns that take advantage of the brand power of SolarWinds, KeePass, and PDF Technologies.…
Introduction
Read More
This report describes several interesting incidents observed by the Kaspersky Managed Detection and Response (MDR) team. The goal of the report is to inform our customers about techniques used by attackers. We hope that learning about the attacks that took place in the wild helps you to stay up to date on the modern threat landscape and to be better prepared for attacks.…
Executive Summary
Read More
The sophistication of threat actors’ DDoS strategy and tactics continues to evolve rapidly in response to improved mitigation-side efforts. Actors have complicated filtering and firewalling by bringing a more diverse set of vectors to the attack, attacking at multiple network layers at the same time and automating changes to the mix of vectors at attack time – perhaps even in response to the ongoing mitigation efforts.…
In early June 2022, we observed an intrusion where a threat actor gained initial access by exploiting the CVE-2022-30190 (Follina) vulnerability which triggered a Qbot infection chain.
Qbot, also known as Qakbot or Pinksliplot is actively developed and capable of a number of functions from reconnaissance, lateral movement, data exfiltration, to delivering other payloads acting as an initial access broker.…
Code signing certificates help us assure the file’s validity and legitimacy. However, threat actors can use that against us. In this blog, discover how QAKBOT use such tactic and learn ways how to prevent it.
A threat actor, QAKBOT, along with EMOTET, has been one of the most active threat actors over the past few years, with numerous reports regarding its actions since it was first observed in 2007.…
April 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather.
DEV-0206 is now tracked as Mustard Tempest DEV-0243 is now tracked as Manatee Tempest DEV-0950 is now tracked as Lace Tempest DEV-0651 is now tracked as Storm-0651 DEV-0856 is now tracked as Storm-0856To learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.…
Most malware implements communication with their C2 server over HTTP(S). Why? Just because it works! But they are multiple ways to implement C2 communications: DNS, P2P, Layer 7 (Twitter), … Another one that has become less popular with time is SMTP (email communications). I spotted a malicious Python script that exchanges information with its C2 server through emails. …
Our latest Brand Phishing Report for Q3 2022 highlights the brands which were most frequently imitated by criminals in their attempts to steal individuals’ personal information or payment credentials during July, August and September.
While LinkedIn was the most imitated brand in both Q1 and Q2 2022, it’s shipping company DHL that took the top spot in Q3, accounting for twenty-two percent of all phishing attempts worldwide.…
Recently, Zscaler ThreatLabz discovered a new malware being used by the SideWinder APT threat group in campaigns targeting Pakistan: a backdoor we’ve called “WarHawk.” SideWinder APT, aka Rattlesnake or T-APT4, is a suspected Indian Threat Actor Group active since at least 2012, with a history of targeting government, military, and businesses throughout Asia, particularly Pakistan.…
Summary
Actions to take today to mitigate cyber threats from ransomware:
Install updates for operating systems, software, and firmware as soon as they are released. Require phishing-resistant MFA for as many services as possible. Train users to recognize and report phishing attempts.Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors.…
New Temp Stealer Spreading Via Free & Cracked Software
Read More
While monitoring the Dark web for emerging threats, our researcher at Cyble Research and Intelligence Labs (CRIL) found a post where Threat Actors (TAs) advertising a project named “Temp” and selling a loader and stealer. The TA named them Temp Loader and Temp Stealer, respectively.…