Tag: PERSISTENCE

Key takeawaysAdversaries continue to abuse and increase reach through malvertising such as Google Ads by impersonating legitimate software Elastic Security Labs is shedding light on an undiscovered hVNC malware that has been quietly collecting a large install base This malware we are calling LOBSHOT appears to be leveraged for financial purposes employing banking trojan and info-stealing capabilitiesPreamble

Elastic Security Labs along with the research community noticed a large spike in the adoption of malvertising earlier this year.…

Read More

ESET researchers have discovered a campaign that we attribute to the APT group known as Evasive Panda, where update channels of legitimate applications were mysteriously hijacked to deliver the installer for the MgBot malware, Evasive Panda’s flagship backdoor.

Key points of the report:

Users in mainland China were targeted with malware delivered through updates for software developed by Chinese companies.…
Read More
Key Findings:In this report we reveal new findings related to Educated Manticore, an activity cluster with strong overlap with Phosphorus, an Iranian-aligned threat actor operating in the Middle East and North America. Like many other actors, Educated Manticore has adopted recent trends and started using ISO images and possibly other archive files to initiate infection chains.…
Read More
Introduction

We introduced Tomiris to the world in September 2021, following our investigation of a DNS-hijack against a government organization in the Commonwealth of Independent States (CIS). Our initial report described links between a Tomiris Golang implant and SUNSHUTTLE (which has been associated to NOBELIUM/APT29/TheDukes) as well as Kazuar (which has been associated to Turla); however, interpreting these connections proved difficult.…

Read More

Found in Environments Protected By: Proofpoint

By Nathaniel Raymond, Cofense Intelligence

Gh0st RAT, a decades-old open-source remote administration tool (RAT), recently appeared in phishing campaigns targeting a healthcare organization. Gh0st Remote Administration Tool was created by a Chinese hacking group named C. Rufus Security Team that released it publicly in 2008.…

Read More

The X_Trader software supply chain attack affected more organizations than 3CX. Initial investigation by Symantec’s Threat Hunter Team has, to date, found that among the victims are two critical infrastructure organizations in the energy sector, one in the U.S. and the other in Europe. In addition to this, two other organizations involved in financial trading were also breached.…

Read More

By Securonix Threat Labs, Threat Research: Den Iuzvyk, Tim Peck, Oleg Kolesnikov

TL;DR 

The Securonix Threat Research team (STR) has recently observed a new attack campaign tracked by Securonix as OCX#HARVESTER. Some of the malicious payloads leveraged as part of the attack campaign observed appear to be related to the More_eggs malicious payloads reported earlier [1].…

Read More

ESET researchers have discovered a new Lazarus Operation DreamJob campaign targeting Linux users. Operation DreamJob is the name for a series of campaigns where the group uses social engineering techniques to compromise its targets, with fake job offers as the lure. In this case, we were able to reconstruct the full chain, from the ZIP file that delivers a fake HSBC job offer as a decoy, up until the final payload: the SimplexTea Linux backdoor distributed through an OpenDrive cloud storage account.…

Read More

MgBot modular malware framework

MgBot is a well-designed modular framework that is actively maintained. The components of the framework are the following:

MgBot EXE dropper MgBot DLL Loader MgBot Plugins

The MgBot plugins that were deployed in this activity have numerous capabilities that can provide the attackers with a significant amount of information about compromised machines.…

Read More

Over the past several months, Sophos X-Ops has investigated multiple incidents where attackers attempted to disable EDR clients with a new defense evasion tool we’ve dubbed AuKill. The AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying either a backdoor or ransomware on the target system.…

Read More

AhnLab Security Emergency response Center (ASEC) has recently discovered the distribution of the BlackBit ransomware disguised as svchost.exe during the team’s monitoring. According to the ASEC’s internal infrastructure, the BlackBit ransomware has been continuously distributed since September last year.

The ransomware uses .NET Reactor to obfuscate its code, likely to deter analysis.…

Read More

Using malicious Google Ads or SEO poisoning to distribute malware has become a common tactic for cybercriminals. For example, in the Secureworks® 2022 State of the Threat report, Counter Threat Unit™ (CTU) researchers described legitimate web searches being hijacked by SEO poisoning to infect victims’ systems with Gootloader, and malicious Google Ads bundling infostealers like RedLine in trojanized installers for messaging apps such as Signal.…

Read More

Over the past several months, Microsoft has observed a mature subgroup of Mint Sandstorm, an Iranian nation-state actor previously tracked as PHOSPHORUS, refining its tactics, techniques, and procedures (TTPs). Specifically, this subset has rapidly weaponized N-day vulnerabilities in common enterprise applications and conducted highly-targeted phishing campaigns to quickly and successfully access environments of interest.…

Read More
Summary

In recent years, malware attacks have become increasingly sophisticated, and attackers are always finding new ways to exploit vulnerabilities and steal sensitive data. To stay ahead of these threats, security researchers must constantly monitor the landscape and identify new threats as they emerge. In this article, we’ll take a closer look at the findings of a recent study conducted by Zscaler’s ThreatLabz team, which uncovered a new backdoor built using Free Pascal that has the ability to steal data from infected systems.…

Read More