In this Threat Analysis report, the Cybereason team investigates a recent IcedID infection that illustrates the tactics, techniques, and procedures (TTPs) used in a recent campaign. IcedID, also known as BokBot, is traditionally known as a banking trojan used to steal financial information from its victims.…
Tag: PERSISTENCE
Since October 2022, we’ve been observing multiple malware types delivered via a new dropper strain that we are referring to as “NeedleDropper”. Its name references one of the ways the dropper stores data. NeedleDropper is not just a single executable, it carries several files which together create a malicious execution, extracting files to decrypt and inject malicious code.…
Phylum has uncovered yet another malware campaign waged against PyPI users. And once again, the attack chain is complicated and obfuscated, but it’s also quite novel and further proof that supply chain attackers aren’t going to be giving up any time soon.
BackgroundOn the morning of December 22, 2022 Phylum’s automated risk detection platform flagged a package called pyrologin.…
Bluebottle, a cyber-crime group that specializes in targeted attacks against the financial sector, is continuing to mount attacks on banks in Francophone countries. The group makes extensive use of living off the land, dual-use tools, and commodity malware, with no custom malware deployed in this campaign.…
USB Spreading
Read More
As Mandiant recently wrote about in our blog post, Always Another Secret: Lifting the Haze on China-nexus Espionage in Southeast Asia, USB spreading malware continues to be a useful vector to gain initial access into organizations. In this incident, a USB infected with several strains of older malware was inserted at a Ukrainian organization in December 2021.…
In late August 2022, we investigated an incident involving Ursnif malware, which resulted in Cobalt Strike being deployed. This was followed by the threat actors moving laterally throughout the environment using an admin account.
The Ursnif malware family (also commonly referred to as Gozi or ISFB) is one of the oldest banking trojans still active today.…
APT-C-36, also known as Blind Eagle, is a financially motivated threat group that has been launching indiscriminate attacks against citizens of various countries in South America since at least 2018.
In a recent campaign targeting Ecuador based organizations, CPR detected a new infection chain that involves a more advanced toolset.…
Read More
This post is also available in: 日本語 (Japanese)
Executive SummaryWhen malware authors go to great lengths to avoid behaving maliciously if they detect they’re running in a sandbox, sometimes the best answer for security defenders is to write their own sandbox that can’t easily be detected.…
BlueNoroff group is a financially motivated threat actor eager to profit from its cyberattack capabilities. We have published technical details of how this notorious group steals cryptocurrency before. We continue to track the group’s activities and this October we observed the adoption of new malware strains in its arsenal.…
Beware of What Is Lurking in the Shadows of Your IT
Five Stages of a Ransomware Attack, during one ransomware incident X-Force uncovered an entrenched advanced adversary that was leveraging a Shadow IT bridged network to maintain access to two organizations for over a year.
During the investigation, X-Force identified the ransomware attack was contained within a single domain of the multi-domain forest.…
Deriving Threat Actor TTPs from Management Infrastructure Tracking
You can find our previous work on Stage 1 and Stage 2 of IcedID’s initial infection chain in our Dragons News Blog. Data on Stage 1 C2 infrastructure is now also shared as part of our Botnet Analysis and Reporting Service (BARS).…
Introduction
Earlier this month, I wrote a diary about Google ad traffic leading to a fake AnyDesk page pushing IcedID malware. This week, the same type of ad traffic led to a fake TeamViewer page, and that page led to a different type of malware. This week’s infection involved a downloaded JavaScript (.js)…
The ASEC analysis team recently discovered that a threat actor has been using Nitol DDoS Bot to install Amadey. Amadey is a downloader that has been in circulation since 2018, and besides extorting user credentials, it can also be used for the purpose of installing additional malware.…
NOTE: In this blog, Zerobot refers to a botnet that spreads primarily through IoT and web application vulnerabilities. It is not associated with the chatbot ZeroBot.ai.
Botnet malware operations are a constantly evolving threat to devices and networks. Threat actors target Internet of Things (IoT) devices for recruitment into malicious operations as IoT devices’ configurations often leave them exposed, and the number of internet-connected devices continue to grow.…
Executive Summary
Mandiant identified an operation focused on the Ukrainian government via trojanized Windows 10 Operating System installers. These were distributed via torrent sites in a supply chain attack.
Threat activity tracked as UNC4166 likely trojanized and distributed malicious Windows Operating system installers which drop malware that conducts reconnaissance and deploys additional capability on some victims to conduct data theft.…
Read More
This post is also available in: 日本語 (Japanese)
Executive SummarySince our last blog in early February covering the advanced persistent threat (APT) group Trident Ursa (aka Gamaredon, UAC-0010, Primitive Bear, Shuckworm), Ukraine and its cyber domain has faced ever-increasing threats from Russia. Trident Ursa is a group attributed by the Security Service of Ukraine to Russia’s Federal Security Service.…
GuLoader is an advanced malware downloader that uses a polymorphic shellcode loader to dodge traditional security solutions
CrowdStrike researchers expose complete GuLoader behavior by mapping all embedded DJB2 hash values for every API used by the malware
New shellcode anti-analysis technique attempts to thwart researchers and hostile environments by scanning entire process memory for any virtual machine (VM)-related strings
New redundant code injection mechanism means to ensure code execution by using inline assembly to bypass user mode hooks from security solutions
Read More
CrowdStrike analyzes malware to augment the behavior and machine learning-based detection and protection capabilities built into the CrowdStrike Falcon® platform to deliver automated, world-class protection to customers. …
A malicious Python file found on the PyPI repository adds backdoor and data exfiltration features to what appears to be a legitimate SDK client from SentinelOne.…
Malware Modifies User’s .LNK files to Establish persistence
Read More
During a routine threat-hunting exercise, Cyble Research and Intelligence Labs (CRIL) identified a malicious campaign where we observed Threat Actors (TAs) dropping DarkTortilla malware. DarkTortilla is a complex .NET-based malware that has been active since 2015. The malware is known to drop multiple stealers and Remote Access Trojans (RATs) such as AgentTesla, AsyncRAT, NanoCore, etc.…
ESET researchers discovered a spearphishing campaign, launched in the weeks leading up to the Japanese House of Councillors election in July 2022, by the APT group that ESET Research tracks as MirrorFace. The campaign, which we have named Operation LiberalFace, targeted Japanese political entities; our investigation revealed that the members of a specific political party were of particular focus in this campaign.…