Ransomware Operators Thrive in the Shadows

ARCrypter ransomware, also known as ChileLocker, emerged in August 2022 and gained attention following an attack on an entity located in Chile. Subsequently, researchers revealed that this ransomware started targeting organizations worldwide. The Threat Actors (TAs) responsible for this group do not maintain a leak site for extorting their victims.…

Read More

We found that malicious actors used malvertising to distribute malware via cloned webpages of legitimate organizations. The distribution involved a webpage of the well-known application WinSCP, an open-source Windows application for file transfer. We were able to identify that this activity led to a BlackCat (aka ALPHV) infection, and actors also used SpyBoy, a terminator tool that tampers with the protection provided by security agents.…

Read More

July 06, 2023

Joshua Miller, Pim Trouerbach, and the Proofpoint Threat Research Team

Key Takeaways

TA453 continues to adapt its malware arsenal, deploying novel file types and targeting new operating systems, specifically sending Mac malware to one of its recent targets.

TA453 in May 2023 began deploying LNK infection chains instead of Microsoft Word documents with macros.…
Read More

Aqua Nautilus researchers identified the infrastructure of a potentially massive campaign against cloud native environments. This infrastructure is in the early stages of testing and deployment, and consists mainly of an aggressive cloud worm designed to deploy on exposed JupyterLab and Docker APIs in order to drop Tsunami malware, hijack cloud credentials, hijack compute resources, and spread the worm further.…

Read More
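The worm summarized above lands on Docker and JupyterLab APIs that are reachable without authentication. The following script is an added example, not code from the Aqua Nautilus post, that flags the two corresponding misconfigurations in local files: a Docker daemon.json with a tcp:// listener lacking mutual TLS, and a Jupyter server config with token and password both disabled. The sample configurations are constructed here; the certificate paths and the password hash are placeholders.

```python
"""Added example: flag Docker daemon and Jupyter server configurations that
expose an unauthenticated API. Not code from the post summarized above.
The sample configurations below are constructed; paths are placeholders."""
import json
import re

# Constructed sample: daemon.json that listens on TCP with no TLS at all.
DOCKER_WEAK = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

# Constructed sample: same listener, but mutual TLS required (tlsverify + CA).
DOCKER_HARDENED = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

# Constructed sample: jupyter_server_config.py with token and password disabled
# and the server bound to every interface.
JUPYTER_WEAK = """
c.ServerApp.ip = '0.0.0.0'
c.ServerApp.token = ''
c.ServerApp.password = ''
c.ServerApp.open_browser = False
"""

# Constructed sample: loopback only, hashed password set (placeholder value).
JUPYTER_HARDENED = """
c.ServerApp.ip = '127.0.0.1'
c.ServerApp.password = 'argon2:<hash produced by jupyter server password>'
"""


def docker_daemon_findings(daemon_json: str) -> list:
    """Return findings for every tcp:// listener in a daemon.json."""
    cfg = json.loads(daemon_json)
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    findings = []
    # "tls" only encrypts the channel; "tlsverify" additionally demands a
    # client certificate signed by "tlscacert", which is what authenticates callers.
    tls_on = bool(cfg.get("tls")) or bool(cfg.get("tlsverify"))
    client_auth = bool(cfg.get("tlsverify")) and bool(cfg.get("tlscacert"))
    for host in tcp_hosts:
        if not tls_on:
            findings.append(f"{host}: plaintext Docker API, no TLS; any network peer gets root on the host")
        elif not client_auth:
            findings.append(f"{host}: TLS without client-certificate verification; set tlsverify and tlscacert")
    return findings


# Matches `c.ServerApp.<key> = <value>` and the classic `c.NotebookApp.<key>` form.
_JUPYTER_ASSIGN = re.compile(r"^\s*c\.(?:ServerApp|NotebookApp)\.(\w+)\s*=\s*(.+?)\s*$", re.M)


def _unquote(value: str) -> str:
    return value.strip().strip("'\"")


def jupyter_findings(config_py: str) -> list:
    """Return findings for a Jupyter config that switches authentication off."""
    settings = dict(_JUPYTER_ASSIGN.findall(config_py))
    ip = _unquote(settings.get("ip", "'localhost'"))
    # Jupyter generates a random token unless the config sets it to ''.
    token = _unquote(settings.get("token", "<auto>"))
    password = _unquote(settings.get("password", ""))
    findings = []
    if token == "" and password == "":
        findings.append("token and password both empty: anyone reaching the port can run code via the kernel")
        if ip in ("0.0.0.0", "*", ""):
            findings.append(f"bound to {ip!r}, so the unauthenticated endpoint is reachable from the network")
    return findings


if __name__ == "__main__":
    for name, text, check in [
        ("docker weak", DOCKER_WEAK, docker_daemon_findings),
        ("docker hardened", DOCKER_HARDENED, docker_daemon_findings),
        ("jupyter weak", JUPYTER_WEAK, jupyter_findings),
        ("jupyter hardened", JUPYTER_HARDENED, jupyter_findings),
    ]:
        print(name, "->", check(text) or ["ok"])
```

Point `docker_daemon_findings` at `/etc/docker/daemon.json` and `jupyter_findings` at the running user's `jupyter_server_config.py` to check a real host; a daemon started with `-H tcp://...` on the command line or a Jupyter launched with `--ServerApp.token=''` will not appear in these files, so also confirm what is actually listening with `ss -ltnp`.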
Introduction

In the last couple of months, Check Point Research (CPR) has been tracking the activity of a Chinese threat actor targeting Foreign Affairs ministries and embassies in Europe. Combined with other Chinese activity previously reported by Check Point Research, this represents a larger trend within the Chinese ecosystem, pointing to a shift to targeting European entities, with a focus on their foreign policy.…

Read More
Clipper Malware Infections Pose Grave Risk to Cryptocurrency Users

In the realm of cybersecurity, malicious programs continuously evolve to exploit the vulnerabilities of unsuspecting victims. One particularly notorious threat that has gained popularity is the Clipper malware. This Clipper malware specifically targets cryptocurrency users, aiming to deceive and defraud them of their valuable digital assets.…

Read More
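A clipper watches the clipboard for a wallet address and overwrites it with the attacker's address before the victim pastes. That leaves a timing signature worth hunting for: two different addresses of the same coin family landing in the clipboard within a fraction of a second. The script below is an added example, not code from the post summarized above, that applies this heuristic to a constructed clipboard timeline; the address patterns are simplified and the sample addresses are placeholders.

```python
"""Added example: a clipboard-substitution heuristic for clipper malware.
Not code from the post summarized above. Clipboard events are constructed
below; in practice they would come from a clipboard monitor or EDR telemetry."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Simplified address shapes, enough to classify clipboard text by coin family.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


@dataclass
class ClipboardEvent:
    ts: float    # seconds since epoch
    text: str


@dataclass
class ClipperAlert:
    family: str
    original: str
    replacement: str
    delay: float


def classify(text: str) -> Optional[str]:
    """Return the coin family of an address-looking string, else None."""
    t = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(t):
            return family
    return None


def detect_clipper(events: List[ClipboardEvent], max_delay: float = 1.0) -> List[ClipperAlert]:
    """Flag an address that is overwritten by a different address of the same
    family within max_delay seconds. A person does not copy two wallet addresses
    a few hundred milliseconds apart; a clipper polling the clipboard does."""
    alerts = []
    prev_ev, prev_family = None, None
    for ev in sorted(events, key=lambda e: e.ts):
        family = classify(ev.text)
        if (prev_ev is not None and family is not None and family == prev_family
                and ev.text.strip() != prev_ev.text.strip()
                and ev.ts - prev_ev.ts <= max_delay):
            alerts.append(ClipperAlert(family, prev_ev.text.strip(), ev.text.strip(), ev.ts - prev_ev.ts))
        prev_ev, prev_family = ev, family
    return alerts


# Constructed clipboard timeline: a benign copy, a BTC address swapped 200 ms
# after being copied, then two ETH addresses copied a minute apart (benign).
SAMPLE_EVENTS = [
    ClipboardEvent(100.0, "meeting notes for thursday"),
    ClipboardEvent(105.0, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),   # sample Bech32-shaped address
    ClipboardEvent(105.2, "bc1q" + "x" * 38),                               # attacker-controlled placeholder
    ClipboardEvent(200.0, "0x" + "1234567890abcdef" * 2 + "12345678"),      # placeholder ETH address
    ClipboardEvent(260.0, "0x" + "fedcba0987654321" * 2 + "87654321"),      # placeholder ETH address
]

if __name__ == "__main__":
    for a in detect_clipper(SAMPLE_EVENTS):
        print(f"[{a.family}] {a.original} -> {a.replacement} after {a.delay:.3f}s")
```

The window (`max_delay`) is the tuning knob: clippers typically rewrite the clipboard on a polling loop of tens to hundreds of milliseconds, so one second catches them while leaving room for a user who deliberately copies a second address. Detection aside, the user-side control is unchanged: compare the first and last characters of the pasted address with the one you copied before sending funds.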
Key takeaways

The RUSTBUCKET malware family is in an active development phase, adding built-in persistence and focusing on signature reduction.
REF9135 actors are continually shifting their infrastructure to evade detection and response.
The DPRK continues financially motivated attacks against cryptocurrency service providers.
If you are running Elastic Defend, you are protected from REF9135.

Preamble

The Elastic Security Labs team has detected a new variant of the RUSTBUCKET malware, a family that has been previously attributed to the BlueNorOff group by Jamf Threat Labs in April 2023.…

Read More

During the week of February 20, 2023, Sophos X-Ops MDR team received two separate requests for threat hunts related to unusual activity in two customers’ Microsoft 365 (formerly Office 365) environments. This prompted an investigation into sets of Microsoft Graph security events forwarded to Sophos XDR, to identify whether suspicious or malicious activity occurred.…

Read More
Introduction

The rise of malicious software designed to steal sensitive information has become a significant problem in the cybercrime landscape. These programs are created specifically to infiltrate computer systems and extract valuable data, including personal information, login credentials, financial details, and intellectual property. Known as information stealers or data stealers, they pose a prevalent threat.…

Read More

MuddyWater, also known as Mango Sandstorm (Mercury), is a cyber espionage group that is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS).

Executive summary:

Deep Instinct’s Threat Research team has identified a new C2 (command & control) framework.
The C2 framework is custom made, continuously in development, and has been used by the MuddyWater group since at least 2021.
The framework is named PhonyC2 and was used in the attack on the Technion Institute.
PhonyC2 is currently used in an active PaperCut exploitation campaign by MuddyWater.
PhonyC2 is similar to MuddyC3, a previous C2 framework created by MuddyWater.

MuddyWater is continuously updating the PhonyC2 framework and changing TTPs to avoid detection, as can be seen throughout the blog and in the investigation of the leaked code of PhonyC2.…

Read More

Executive Summary

Unit 42 researchers discovered an active campaign that targeted several web hosting and IT providers in the United States and European Union from late 2020 to late 2022. Unit 42 tracks the activity associated with this campaign as CL-CRI-0021 and believes it stems from the same threat actor responsible for the previous campaign known as Manic Menagerie.…

Read More
Summary

Zscaler ThreatLabz has discovered a new malware variant, RedEnergy stealer (not to be confused with the Australian company Red Energy), that fits into the hybrid Stealer-as-a-Ransomware threat category.

RedEnergy stealer uses a fake update campaign to target multiple industry verticals and possesses the ability to steal information from various browsers, enabling the exfiltration of sensitive data, while also incorporating different modules for carrying out ransomware activities. The…

Read More

Cryptojacking, the illicit use of computing resources to mine cryptocurrency, has become increasingly prevalent in recent years, with attackers building a cybercriminal economy around attack tools, infrastructure, and services to generate revenue from targeting a wide range of vulnerable systems, including Internet of Things (IoT) devices.…

Read More
In early 2023, the Check Point Incident Response Team (CPIRT) investigated a malware incident at a European healthcare institution involving a set of tools mentioned in the Avast report in late 2022. The incident was attributed to Camaro Dragon, a China-based espionage threat actor whose activities overlap with activities tracked by different researchers as Mustang Panda and LuminousMoth, and whose focus is primarily on Southeast Asian countries and their close peers.…
Read More
1. Overview

RedEyes (also known as APT37, ScarCruft, and Reaper) is a state-sponsored APT group that mainly carries out attacks against individuals such as North Korean defectors, human rights activists, and university professors. The group is known to monitor the lives of specific individuals. In May 2023, AhnLab Security Emergency Response Center (ASEC) discovered the RedEyes group distributing and using a previously unknown Infostealer with wiretapping features, along with a backdoor developed in Go that exploits the Ably platform.

* ABLY…

Read More

By Securonix Threat Labs, Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov

June 21, 2023

TL;DR

MULTI#STORM, an interesting attack campaign involving Python-based loader malware, was recently seen being used to deliver Warzone RAT infections via phishing emails.

An interesting phishing campaign was recently analyzed by the Securonix Threat Research Team.…

Read More