Stay Ahead of Cyber Threats – Daily Security Insights, Powered by AI
Find out how the Managed XDR team uncovered RedLine Stealer’s evasive spear-phishing campaign that targets the hospitality industry.
Recently, we noticed a spike in the number of emails received by one of our customers. After further investigation, we found that three other customers in the hospitality industry were also affected.…
Published On : 2023-02-24
Executive SummaryThe CYFIRMA Research team has provided a preliminary analysis of a new post- exploitation framework called EXFILTRATOR-22 a.k.a. EX-22. After analyzing the available information, it is moderately certain that the individuals responsible for creating the malware are operating from North, East, or South-East Asia (possible countries include China, Taiwan, Hong Kong, Malaysia, Singapore, Philippines, etc.).…
FortiGuard Labs has observed a new LockBit ransomware campaign during last December and January using a combination of techniques effective against AV and EDR solutions. LockBit has been one of the more dangerous ransomware, active since 2019. It was part of several successful attacks against a large variety of industries, including critical infrastructure.…
The number of UEFI vulnerabilities discovered in recent years and the failures in patching them or revoking vulnerable binaries within a reasonable time window hasn’t gone unnoticed by threat actors. As a result, the first publicly known UEFI bootkit bypassing the essential platform security feature – UEFI Secure Boot – is now a reality.…
Microsoft OneNote is a file type now entrenched in the ongoing saga of abused file formats leveraged by adversaries to reach through defenses and deliver malware payloads to end users. Recently, we have seen OneNote’s sudden rise to prominence, following a pattern of other types of files used in the same capacity.…
We detail the update that advanced persistent threat (APT) group Iron Tiger made on the custom malware family SysUpdate. In this version, we also found components that enable the malware to compromise Linux systems.
Iron Tiger is an advanced persistent threat (APT) group that has been focused primarily on cyberespionage for more than a decade.…
Summary
APT-C-36, also known as Blind Eagle, has been actively targeting organizations in Colombia and Ecuador since at least 2019. It relies on spear-phishing emails sent to specific and strategic companies to conduct its campaigns. On Feb. 20, the BlackBerry Research and Intelligence team witnessed a new campaign where the threat actor impersonated a Colombian government tax agency to target key industries in Colombia, including health, financial, law enforcement, immigration, and an agency in charge of peace negotiation in the country.…
Zscaler ThreatLabz researchers observed multiple threat campaigns utilizing the Snip3 crypter, a multi-stage remote access trojan (RAT) loader with new TTPs and available since 2021 as a crypter-as-a-service offering.
The Snip3 Crypter service uses advanced evasion, obfuscation, and reflective code loading techniques in its multi-stage infection chain, along with new Tactics, Techniques, and Procedures (TTPs).…
Attackers are increasingly using OneNote documents to distribute malware, due to the heightened security measures against macro-based attacks and the widespread adoption and popularity of the platform. Analyzing several related case studies, this article showcases the obfuscation techniques used by threat actors to bypass threat detection measures and deceive users into executing malware on their systems via OneNote.…
Trend Micro’s Managed Extended Detection and Response (MxDR) team discovered that a file called x32dbg.exe was used to sideload a malicious DLL we identified as a variant of PlugX.
IntroductionTrend Micro’s Managed Extended Detection and Response (MxDR) team discovered that a file called x32dbg.exe was used (via the DLL Search Order Hijacking or T1574.001 technique) to sideload a malicious DLL we identified as a variant of PlugX (Trojan.Win32.KORPLUG.AJ.enc).…
ESET researchers have discovered one of the payloads of the Wslink downloader that we uncovered back in 2021. We named this payload WinorDLL64 based on its filename WinorDLL64.dll. Wslink, which had the filename WinorLoaderDLL64.dll, is a loader for Windows binaries that, unlike other such loaders, runs as a server and executes received modules in memory.…
Starting on January 20 2023, Bitdefender Labs started to notice a global increase in attacks using the ManageEngine exploit CVE-2022-47966. This Remote Code Execution (RCE) vulnerability (CVSSv3 critical score 9.8) allows full takeover of the compromised system by unauthenticated threat actors. A total of 24 different products from Zoho ManageEngine are vulnerable.…
First observed in December of 2022, Rhadamanthys is a malicious information stealer written in C++, which is being distributed mostly via malicious Google advertisements. The malware is designed to steal credentials from web browsers, VPN clients, email clients and chat clients as well as cryptocurrency wallets.…
In January 2023, through our Dark Web monitoring routine, Sekoia.io identified a new information stealer advertised as Stealc by its alleged developer, going by the handle Plymouth. The threat actor presents Stealc as a fully featured and ready-to-use stealer, whose development relied on Vidar, Raccoon, Mars and Redline stealers.…
8220 Gang is a low-skill crimeware actor known for infecting cloud hosts through n-day vulnerabilities and remote access brute forcing. We have previously detailed how 8220 expanded its botnet and rotated its infrastructure. Since our last write up in October, the group has again switched to new infrastructure and samples, providing us with an opportunity to share an educational walkthrough of the process of investigating cybercrime activity that may be useful to new or lesser experienced SOC teams, analysts and researchers.…
While monitoring different malicious packages found in public software repositories, ReversingLabs researchers have noticed an increase of malicious HTTP libraries on the Python Package Index (PyPI) repository. Actually, we should air-quote “HTTP libraries.” In reality, most of these are simple, malicious packages bearing names that are Frankenstein-like amalgamations of the acronym “HTTP”.…
First observed in October 2022, HardBit is a ransomware threat that targets organizations to extort cryptocurrency payments for the decryption of their data.
Views: 0…
Threat Actors (TAs) are constantly devising new methods to infect users for various reasons, such as avoiding detection from anti-virus solutions, increasing the chances of successfully infecting their targets, and inventive ways to compromise their victims.…