This post is also available in: 日本語 (Japanese)
Executive SummaryInstalling a web shell on a web server is a common approach malware authors take to launch exploits or run commands remotely. In November 2020, the INJ3CTOR3 operation targeted the Sangoma PBX, a popular VoIP PBX system, by installing a web shell on its web server.…
This research was conducted by Michael Mullen and Nikolaos Pantazopoulos from NCC Group Cyber Incident Response Team. You can find more here Incident Response – NCC Group
Summary tl;drIn the Threat Pulse released in November 2021 we touched on Everest Ransomware group. This latest blog documents the TTPs employed by a group who were observed deploying Everest ransomware during a recent incident response engagement.…
Linux is a popular operating system for servers and cloud infrastructures, and as such it’s not a surprise that it attracts threat actors’ interest and we see a continued growth and innovation of malware that targets Linux, such as the recent Symbiote malware that was discovered by our research team.…
During a routine threat-hunting exercise, Cyble Research Labs came across a post on Telegram selling an information stealer malware called “NoMercy stealer.” The malware developer is currently selling the stealer for 780 Indian rupees or 10 USD, indicating that the stealer is developed primarily for Indian Threat Actors (TA).…
During our routine threat-hunting exercise, Cyble Research Labs came across a Twitter post wherein a researcher mentioned an interesting infection chain of Xloader malware.
The malware uses multiple file types such as PDF, XLSX, and RTF for its initial infection and execution. It is also designed to drop three modules in memory and execute the final payload using the Process-Hollowing technique.…
Without doubt, one of the hottest and most stressful regions on the planet currently is Eastern Europe. The military conflict that has been ongoing for more than 4 months has unfortunately claimed many victims and is fueling an economic and food crisis in several nations spanning across the globe.…
CERT-UA broke news on June 10, 2022 that various media outlets in Ukraine were targeted with emails containing a malicious document “СПИСОК_посилань_на_інтерактивні_карти.docx” (translated to English as “LIST_of_links_interactive_maps.docx”). According to the report, the document leverages a then zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT), CVE-2022-30190 (Follina).…
Since the beginning of 2022, ThreatLabz has been closely monitoring the activities of the Evilnum APT group. We identified several instances of their low-volume targeted attack campaigns launched against our customers in the UK and Europe region.
The new instances of the campaign use updated tactics, techniques, and procedures.…
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.…
ToddyCat is a relatively new APT actor that we have not been able to relate to other known actors, responsible for multiple sets of attacks detected since December 2020 against high-profile entities in Europe and Asia. We still have little information about this actor, but we know that its main distinctive signs are two formerly unknown tools that we call ‘Samurai backdoor’ and ‘Ninja Trojan’.…
FortiGuard Labs has encountered version 3.0 of what is now dubbed IceXLoader, a new malware loader being advertised in malware hacking forums.
IceXLoader is a commercial malware used to download and deploy additional malware on infected machines. The latest version is written in Nim, a relatively new language utilized by threat actors the past two years, most notably by the NimzaLoader variant of BazarLoader used by the TrickBot group.…
QakBot, also known as QBot, QuackBot, or Pinkslipbot, is a banking trojan malware that has existed for over a decade. In recent years, QakBot has become one of the leading banking trojans around the globe. Its main purpose is to steal banking credentials (e.g., logins, passwords, etc.)…
June 15, 2022
Volexity frequently works with individuals and organizations heavily targeted by sophisticated, motivated, and well-equipped threat actors from around the world. Some of these individuals or organizations are attacked infrequently or on an irregular basis, while others see a barrage of attacks nearly every week.…
Using a methodology first seen in 2020, an unknown threat actor has been exploiting a three-year-old bug in the Telerik UI web application framework to take control of web servers, installing Cobalt Strike beacons and other malware in the process.
In the weeks following the initial, 2019 disclosure of the vulnerability, attackers scanned the internet for vulnerable applications.…
PureCrypter is actively being developed by a threat actor using the moniker “PureCoder”.…
Introduction
On May 31, a critical unpatched vulnerability, which affects all confluence server and data center supported versions was reported to Atlassian by Volexity, a security company.
Atlassian warned their customers of the critical vulnerability on June 2 and issued a patch a day later. CISA added this vulnerability to their list of Known Exploited Vulnerabilities on June 3.…
Active since 2017, Lyceum group is a state-sponsored Iranian APT group that is known for targeting Middle Eastern organizations in the energy and telecommunication sectors and mostly relying on .NET based malwares.
Zscaler ThreatLabz recently observed a new campaign where the Lyceum Group was utilizing a newly developed and customized .NET…
In March 2022, a new malware named “Bumblebee” was discovered and reportedly distributed via spam campaigns. Researchers identified that Bumblebee is a replacement for BazarLoader malware, which has delivered Conti Ransomware in the past. Bumblebee acts as a downloader and delivers known attack frameworks and open-source tools such as Cobalt Strike, Shellcode, Sliver, Meterpreter, etc.…
Users who download cracked software risk sensitive personal data being stolen by hackers.
Are you interested in downloading free, cracked software? If so, you should know what you’re getting into.
When you accidentally download malicious cracked software, attackers can take everything you have on your PC, and you’ll end up without your sensitive personal data and even without the software that you were trying to download in the first place.…