By Tom Hegel and Aleksandar Milenkoski 

Executive SummarySentinelLabs identified an intrusion into the Russian defense industrial base, specifically a missile engineering organization NPO Mashinostroyeniya.Our findings identify two instances of North Korea related compromise of sensitive internal IT infrastructure within this same Russian DIB organization, including a specific email server, alongside use of a Windows backdoor dubbed OpenCarrot.…
Read More

This is the third part of our research based on an investigation of a series of attacks against industrial organizations in Eastern Europe.

The attackers aimed to establish a permanent channel for data exfiltration, including data stored on air-gapped systems.

In total we have identified over 15 implants and their variants planted by the threat actor(s) in various combinations.…

Read More
Key Takeaways

• The blog highlights a new infection technique for distributing STRRAT version 1.6. It involves a spam email with a PDF attachment that, when opened, downloads a zip file containing the malicious JavaScript, which drops STRRAT.• STRRAT version 1.6 employs two string obfuscation techniques: “Zelix KlassMaster (ZKM)” and “Allatori”, making it more challenging for security researchers to analyze and detect the malware.•…

Read More

Affected platforms: WindowsImpacted parties: Any organizationImpact: Controls victim’s device and collects sensitive informationSeverity level: Critical

FortiGuard Labs recently detected a new injector written in Rust—one of the fastest-growing programming languages—to inject shellcode and introduce XWorm into a victim’s environment. While Rust is relatively uncommon in malware development, several campaigns have adopted this language since 2019, including Buer loader, Hive, and RansomExx.…

Read More

August 09, 2023

Shachar Gritzman, Moshe Avraham, Tim Kromphardt, Jake Gionet and Eilon Bendet 

Key TakeawaysOver the last six months, Proofpoint researchers have observed a dramatic surge of over 100% in successful cloud account takeover incidents impacting high-level executives at leading companies. Over 100 organizations were targeted globally, collectively representing 1.5 million employees.…
Read More
Key TakeawaysThis blog sheds light on a new Tech Scam wherein scammers employ deceptive tactics to lure users into paying for non-existent antivirus solutions. Uncovering Tech Scammers possible involvement in different ransomware attacks. The IP address of a domain used in this scam is associated with both the TORZON MARKETPLACE, a DarkWeb marketplace, and the “Chai Urgent Care” phishing campaign.…
Read More

If you thought that falling victim to ransomware, or a hacker hijacking your workstation was a nightmare, consider the potential catastrophe of having your Kubernetes (k8s) cluster hijacked. It could be a disaster magnified a million times over.

Kubernetes has gained immense popularity among businesses in recent years due to its undeniable prowess in orchestrating and managing containerized applications.…

Read More

The Magniber ransomware is consistently being distributed at high volumes. It has been distributed through the IE (Internet Explorer) vulnerability for the past few years but stopped exploiting the vulnerability after the support for the browser ended. Recently, the ransomware is distributed with filenames disguised as a Windows security update package (e.g.…

Read More
Cisco Talos discovered an unknown threat actor, seemingly of Vietnamese origin, conducting a ransomware operation that began at least as early as June 4, 2023. This ongoing attack uses a variant of the Yashma ransomware likely to target multiple geographic areas by mimicking WannaCry characteristics. The threat actor uses an uncommon technique to deliver the ransom note.…
Read More

[Update] November 16, 2023: See the subheading: “Collaborative Advisory by CISA, FBI, and MS-ISAC on Rhysida Ransomware.”

[Update] February 13, 2024: “A Free Decryption Tool Released”

The digital world is an ever-evolving landscape, and with it comes the evolution of cyber threats. One such emerging threat is the Rhysida Ransomware Group, a new player in the cybercrime arena that has been making waves since its first sighting in May 2023.…

Read More
.blog-text h3 {color: #693840;font-family:"NeueMachina-Regular", Sans-serif;}.blog-text h2 {color: #E82F49;font-family:"NeueMachina-Regular", Sans-serif;}.blog-text img{max-width: 500px !important}ul {list-style: none;}.blog-text ul li::before {content: "2022";color: #E82F49;font-weight: bold;display: inline-block;width: 1em; margin-left: -1em;}figure div {width: 100%;}td {padding: 5px}figure figcaption {text-align: center;}table p{margin-bottom:0px!important;}

By Gerardo Corona & Julio Vidal Ocelot Team

Context

Ransomware gangs have found a profitable market in LATAM, but they are not alone, they need region-based actors to provide them the initial access to the companies.…

Read More

Trend Micro’s Mobile Application Reputation Service (MARS) team discovered two new related Android malware families involved in cryptocurrency-mining and financially-motivated scam campaigns targeting Android users.

Trend Micro’s Mobile Application Reputation Service (MARS) team discovered two new related Android malware families involved in cryptocurrency-mining and financially-motivated scam campaigns targeting Android users.…

Read More

Reptile is an open-source kernel module rootkit that targets Linux systems and is publicly available on GitHub. [1] Rootkits are malware that possess the capability to conceal themselves or other malware. They primarily target files, processes, and network communications for their concealment. Reptile’s concealment capabilities include not only its own kernel module but also files, directories, file contents, processes, and network traffic.…

Read More

In the past, AhnLab Security Emergency response Center (ASEC) had shared the “SparkRAT Being Distributed Within a Korean VPN Installer” [1] case post and the “Analysis of Attack Cases: From Korean VPN Installations to MeshAgent Infections” [2] case post which covered the SparkRAT malware being distributed through a Korean VPN service provider’s installer.…

Read More

Recorded Future’s Insikt Group has been monitoring the activities of Russian state actors who are intensifying their efforts to hide command-and-control network traffic using legitimate internet services (LIS) and expanding the range of services misused for this purpose. BlueBravo is a threat group tracked by Insikt Group, whose actions align with those of the Russian advanced persistent threat (APT) groups APT29 and Midnight Blizzard, both attributed to Russia’s Foreign Intelligence Service (SVR).…

Read More