Tag: PAYLOAD

We detail the intrusion set Earth Yako, attributed to the campaign Operation RestyLink or EneLink. This analysis was presented in full at the JSAC 2023 in January 2023.

In 2021, we observed several targeted attacks against researchers of academic organizations and think tanks in Japan. We have since been tracking this series of attacks and identified the new intrusion set we have named “Earth Yako”.…

Read More

In recent years, efforts to apprehend threat groups and shrink their operating landscape have gone international. As authorities across multiple countries continue to implement sanctions and openly communicate current trends to the public, threat groups increasingly resort to rebranding or creating similar variants under different names to sidestep crackdowns and obfuscate their identities.…

Read More
Introduction

Zscaler ThreatLabz research team observed a new campaign targeting a Government organization in which the threat actors utilized a new Command & Control (C2) framework named Havoc. While C2 frameworks are prolific, the open-source Havoc framework is an advanced post-exploitation command and control framework capable of bypassing the most current and updated version of Windows 11 defender due to the implementation of advanced evasion techniques such as indirect syscalls and sleep obfuscation.…

Read More

Executive Summary

On January 3, local media reported that a major U.S. city’s housing authority had suffered a ransomware attack. The LockBit ransomware group, which has made false claims in the past, took responsibility for the incident. As of this publication, the housing authority has announced a disruption, but has not elaborated on the nature of the event.…
Read More

For each of these domains, the sample tries to connect to many of its subdomains. Most subdomains will start with the letter x, w, or m, followed by a number. In this sample, the first hardcoded domain is fywkuzp[.]ru:7432, and we could observe a infected machine trying to connect to the following domains:

In the end, Mylobot produces thousands of DNS requests, which makes it quite noisy.…

Read More
Quick overview of VMware ESXi

Last week, unknown threat actors started targeting, en masse, VMware ESXi hypervisors using CVE-2021-21974, an easily exploitable pre-authorization remote code execution vulnerability. Experts from Bitdefender Labs have been monitoring these exploitation attempts. Guided by our telemetry, we are providing a technical advisory to describe these attacks and document our own detections in the wild.…

Read More

Summary

A previously unknown threat actor is targeting organizations in Pakistan using a complex payload delivery mechanism. The threat actor abuses the upcoming Pakistan International Maritime Expo & Conference (PIMEC-2023) as a lure to trick their victims.

The attacker sent out targeted phishing emails with a weaponized document attached that purports to be an exhibitor manual for PIMEC-23.…

Read More
Key FindingsProofpoint began tracking a new threat actor, TA866. Proofpoint researchers first observed campaigns in October 2022 and activity has continued into 2023. The activity appears to be financially motivated, largely targeting organizations in the United States and Germany. With its custom toolset including WasabiSeed and Screenshotter, TA866 analyzes victim activity via screenshots before installing a bot and stealer.…
Read More
ESXi Args Ransomware Outbreak Affects Over 1,000 Servers

On February 3rd, CERT-FR warned users about a ransomware attack targeting VMware ESXi servers to deploy ESXi Args Ransomware. The report also stated that the Threat Actors (TAs) leveraging a two-year-old vulnerability tracked as CVE-2021-21974. According to VMware, ESXi versions 7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, and 6.5 before ESXi650-202102101-SG contain a heap overflow vulnerability in OpenSLP.…

Read More
Introduction

Office Visual Basic for Applications (VBA) macros have been a core tool in most threat actors’ arsenals for decades.

Their capabilities have enabled clever — and just clever-enough — threat actors to deliver a dizzying array of malware to countless devices around the world. During that time, they have served as what is quite possibly the most commonplace attack vector to infect and compromise Windows PCs.…

Read More

In September of last year, our Incident Response team was called to an incident that was identified as an attempt of social engineering an online customer service platform. Due to custom-built rules and extensive employee awareness training, we were able to push back these threats. By ingesting the tactics, techniques & procedures (TTPs) of the incident into our autonomous enrichment technology, Arpia, we were able to detect and respond to three other incidents, preventing our clients from being compromised by the mysterious threat actor.…

Read More
Threat Actors Ramp Up OneNote Attachment Usage in their Attacks

Threat Actors (TAs) are using spam emails to trick individuals into downloading malware, such as Remote Access Trojans (RATs) and Stealers, to infect their devices and steal sensitive information. Cyble Research & Intelligence Labs (CRIL) closely monitors different malware families and routinely publishes informative blogs to educate our readers.…

Read More