Key Findings
Proofpoint is tracking new variants of IcedID used by at least three threat actors. Initial analysis suggests this is a forked version with potentially a separate panel for managing the malware. While much of the code base is the same, there are several key differences.…
The scourge of ransomware attacks that has plagued Windows endpoints over the past half decade or so has, thankfully, not been replicated on Mac devices. With a few unsuccessful exceptions, the notion of locking a Mac device and holding its owner to ransom in return for access to the machine and its data has not yet proven an attractive proposition for attackers.…
Earth Preta has actively been changing its tools, tactics, and procedures (TTPs) to bypass security solutions. In this blog entry, we will introduce and analyze the tools and malware used by the threat actor in its most recent campaigns.
In our previous research, we disclosed and analyzed a new campaign initiated by the threat actor group Earth Preta (aka Mustang Panda).…
Cyber espionage threat actors continue to target technologies that do not support endpoint detection and response (EDR) solutions such as firewalls, IoT devices, hypervisors and VPN technologies (e.g. Fortinet, SonicWall, Pulse Secure, and others). Mandiant has investigated dozens of intrusions at defense industrial base (DIB), government, technology, and telecommunications organizations over the years where suspected China-nexus groups have exploited zero-day vulnerabilities and deployed custom malware to steal user credentials and maintain long-term access to the victim environments.…
SideCopy APT is a Threat Actor (TA) from Pakistan that has been active since 2019, focusing on targeting South Asian nations, especially India and Afghanistan. The SideCopy APT gets its name from the infection chain, which imitates that of the SideWinder APT.…
Emotet is a sophisticated banking malware that usually spreads via email attachments. Its primary aim is to extract confidential data from its targets, including passwords and banking details, and send it to the Command and Control (C&C) server.…
At Zscaler ThreatLabz, we have been closely monitoring the tools, techniques and procedures (TTPs) of APT37 (also known as ScarCruft or Temp.Reaper) – a North Korea-based advanced persistent threat actor. This threat actor has been very active in February and March 2023 targeting individuals in various South Korean organizations.…
Published On: 2023-03-20
EXECUTIVE SUMMARY
The research team at CYFIRMA recently discovered a malicious sample in the wild that pretends to be a ransomware named ALC Ransomware. Our research team analysed it and found it to actually be scareware, as it does not encrypt files on the victim machine.…
Executive Summary
Trigona ransomware is a relatively new strain that security researchers first discovered in late October 2022. By analyzing Trigona ransomware binaries and ransom notes obtained from VirusTotal, as well as information from Unit 42 incident response, we determined that Trigona was very active during December 2022, with at least 15 potential victims being compromised.…
Executive Summary
Malware authors often throw curve balls that are meant to confound automated detection systems. We’ve adapted to these techniques by tailoring our analysis platform in a couple of notable ways that we’ll discuss, particularly to address malware that engages in sandbox evasion.…
In November 2021[1] and February 2022,[2] Microsoft announced that by default it would block Excel 4 and VBA macros in files that were downloaded from the internet. Following these changes, CrowdStrike Intelligence and the CrowdStrike Falcon® Complete managed detection and response team observed eCrime adversaries that had previously relied on macro execution for malware delivery adapt their tactics, techniques and procedures (TTPs).…
Since the start of the Russo-Ukrainian conflict, Kaspersky researchers and the international community at large have identified a significant number of cyberattacks executed in a political and geopolitical context. We previously published an overview of cyber activities and the threat landscape related to the conflict between Russia and Ukraine and continue to monitor new threats in these regions.…
Update 2023-03-21 – We’ve talked with members of the NuGet team and they had already detected and removed the malicious packages in question.
Malicious packages are often spread by the open source NPM and PyPI package repositories, with few other repositories affected. Specifically – there was no public evidence of severe malicious activity in the NuGet repository other than spam packages used for spreading phishing links.…
During the past few months, we have been monitoring the dotRunpeX malware, its usage in the wild, and infection vectors related to dozens of campaigns.…
Last February, a BlackBerry report alluded to one of APT-C-36's campaigns (Blind Eagle). The APT-C-36 group has many similarities in terms of tactics, techniques and procedures (TTPs) with the group Hagga / Aggah, as we have been able to observe at Lab52. In particular, this article describes one of the campaigns that has been linked to APT-C-36, where the artefacts used are recognisably Hagga artefacts.…
The CatB ransomware family, sometimes referred to as CatB99 or Baxtoy, was first observed in late 2022, with campaigns being observed steadily since November. The group’s activities have gained attention due to their ongoing use of DLL hijacking via Microsoft Distributed Transaction Coordinator (MSDTC) to extract and launch ransomware payloads.…
In part one on North Korea’s UNC2970, we covered UNC2970’s tactics, techniques and procedures (TTPs) and tooling that they used over the course of multiple intrusions. In this installment, we will focus on how UNC2970 utilized Bring Your Own Vulnerable Device (BYOVD) to further enable their operations.…
Since June 2022, Mandiant has been tracking a campaign targeting Western media and technology companies from a suspected North Korean espionage group tracked as UNC2970. In June 2022, Mandiant Managed Defense detected and responded to a UNC2970 phishing campaign targeting a U.S.-based technology company. During this operation, Mandiant observed UNC2970 leverage three new code families: TOUCHMOVE, SIDESHOW, and TOUCHSHIFT.…
Email is an essential service for companies and individuals. Billions of emails are exchanged daily, and within a portion of those emails lurk malware aimed at compromising your organization’s network security, stealing your company’s sensitive data and creating operational disruption. This blog dives into the dark side of email traffic, uncovering some of the latest malware threats, tactics and trends that can potentially undermine your systems.…