This report is a continuation of the “Attackers Using FRP (Fast Reverse Proxy) to Attack Korean Companies” post that was uploaded on August 16, 2022 and follows the group’s activities since that post.
This group has always relied on open-source tools and lacked any distinct characteristics to profile them due to the lack of PDB information.…
Last October, Trustwave SpiderLabs blogged about the use and prevalence of HTML email attachments to deliver malware and phishing for credentials. The use of HTML smuggling has become more prevalent, and we have since seen various cybercriminal groups utilizing these techniques to distribute malware.…
In this blog post we will be analyzing the recent “ESXiArgs” Ransomware variant, which spread to a large number of outdated, internet-exposed ESXi Servers around the world.
Attack VectorsIn the past Ransomware targeting ESXi Hypervisors was largely human-operated as a later stage of general Ransomware attack, where other Assets (Clients, Servers) are encrypted first.…
On February 3rd, CERT-FR warned users about a ransomware attack targeting VMware ESXi servers to deploy ESXi Args Ransomware. The report also stated that the Threat Actors (TAs) leveraging a two-year-old vulnerability tracked as CVE-2021-21974. According to VMware, ESXi versions 7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, and 6.5 before ESXi650-202102101-SG contain a heap overflow vulnerability in OpenSLP.…
In this intrusion from August 2022, we observed a compromise that was initiated with a Word document containing a malicious VBA macro, which established persistence and communication to a command and control server (C2). Upon performing initial discovery and user enumeration, the threat actor used AutoHotkey to launch a keylogger.…
Zscaler’s ThreatLabz research team diligently monitors and tracks active threat campaigns globally to rapidly detect new developments and proactively safeguard Zscaler customers. The seven case studies that follow provide an in-depth analysis of the AveMaria infostealer attack chain and how it has been shifting over the past six months.…
Office Visual Basic for Applications (VBA) macros have been a core tool in most threat actors’ arsenals for decades.
Their capabilities have enabled clever — and just clever-enough — threat actors to deliver a dizzying array of malware to countless devices around the world. During that time, they have served as what is quite possibly the most commonplace attack vector to infect and compromise Windows PCs.…
In September of last year, our Incident Response team was called to an incident that was identified as an attempt of social engineering an online customer service platform. Due to custom-built rules and extensive employee awareness training, we were able to push back these threats. By ingesting the tactics, techniques & procedures (TTPs) of the incident into our autonomous enrichment technology, Arpia, we were able to detect and respond to three other incidents, preventing our clients from being compromised by the mysterious threat actor.…
Just like Hollywood has its own celebrities and well-known actors, the world of malicious open-source packages also has its own notorious players. And just like Hollywood stars, these threat actors don’t always stay in the spotlight. They can take breaks and reemerge with new tactics, techniques, and tools.…
Aqua Nautilus researchers discovered a new elusive and severe threat that has been infiltrating and residing on servers worldwide since early September 2021. Known as HeadCrab, this advanced threat actor utilizes a state-of-the-art, custom-made malware that is undetectable by agentless and traditional anti-virus solutions to compromise a large number of Redis servers.…
Information stealers are malware designed to steal sensitive information from infected computers, such as login credentials, financial data, and personal information. They typically do this by searching for specific types of files and data on the infected computer and then exfiltrating that information to a remote server controlled by the attackers.…
FortiGuard Labs recently captured Excel documents in the Microsoft OLE Compound File format that contain malicious VBA Macros. Their file names are Pago_detalles.xls, makbuzu.xls, and Pago.xls. I then conducted deep research on them and found that they all belong to the same malicious campaign that cryptojacks systems to mine for Monero (XMR) cryptocurrency.…
Research by: Arie Olshtein
Executive summary Initially observed in July 2016, TrickGate is a shellcode-based packer offered as a service to hide malware from EDRs and antivirus programs. Over the last 6 years, TrickGate was used to deploy the top members of the “Most Wanted Malware” list, such as Cerber, Trickbot, Maze, Emotet, REvil, Cobalt Strike, AZORult, Formbook, AgentTesla and more.…Summary
The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) (hereafter referred to as the “authoring organizations”) are releasing this joint Cybersecurity Advisory (CSA) to warn network defenders about malicious use of legitimate remote monitoring and management (RMM) software.…
Trend Micro researchers discovered a new ransomware that abuses the APIs of a legitimate tool called Everything, a Windows filename search engine developed by Voidtools that offers quick searching and real-time updates for minimal resource usage.
Trend Micro researchers discovered a new ransomware that abuses the APIs of a legitimate tool called Everything, a Windows filename search engine developed by Voidtools that offers quick searching and real-time updates for minimal resource usage.…
This post is also available in: 日本語 (Japanese)
Executive SummaryRecently, our Unit 42 incident response team was engaged in a Black Basta breach response that uncovered several tools and malware samples on the victim’s machines, including GootLoader malware, Brute Ratel C4 red-teaming tool and an older PlugX malware sample.…
By Nico Paulo Yturriaga · January 24, 2023
GuLoader is an advanced shellcode downloader infamous for using anti-analysis tricks to evade detection and obstruct reverse engineering. As of this writing, the GuLoader campaign is aggressively ongoing. Trellix’s customers in the e-commerce industry located in South Korea and the United States were heavily targeted by the GuLoader operators.…
Summary
Emotet, a Trojan that is primarily spread through spam emails, has been a prevalent issue since its first appearance in 2014. With a network made up of multiple botnets, denoted as “epochs” by security research team Cryptolaemus, Emotet has continuously sent out spam emails in campaigns designed to infect users via phishing attacks.…