Tag: PERSISTENCE

Just to clarify, the above subheading isn’t a normal quote, but a message that Janicab malware attempted to decode in its newest use of YouTube dead-drop resolvers (DDRs).

While hunting for less common Deathstalker intrusions that use the Janicab malware family, we identified a new Janicab variant used in targeting legal entities in the Middle East throughout 2020, possibly active during 2021 and potentially extending an extensive campaign that has been traced back to early 2015 and targeted legal, financial, and travel agencies in the Middle East and Europe.…

Read More

Mandiant Managed Defense recently identified cyber espionage activity that heavily leverages USB devices as an initial infection vector and concentrates on the Philippines. Mandiant tracks this activity as UNC4191 and we assess it has a China nexus.

UNC4191 operations have affected a range of public and private sector entities primarily in Southeast Asia and extending to the U.S.,…

Read More

April 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. DEV-0139 is now tracked as Citrine Sleet.

To learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.…

Read More
New Variant of Ransomware Targeting Chile

Most organizations experienced an increase in cyber-attacks during the COVID-19 pandemic. Threat Actors (TAs) leveraged the COVID-19 pandemic as a thematic lure to infect users with different malware families. This pandemic theme related to cyber-attacks has reduced in 2022. However, TAs are still utilizing their arsenal of malicious programs to target users who track information related to Covid-19 infection.…

Read More

Through the AhnLab ASD infrastructure’s history of blocking suspicious ransomware behavior, the ASEC analysis team has identified the distribution of Wiki ransomware, which has been determined to be a variant of Crysis ransomware, disguised as a normal program.

Before performing the actual encryption, Wiki ransomware copies itself into the %AppData% or %windir%system32 paths and undergoes a process of increasing the infection success rate of the ransomware by adding itself to the registry (HKLMSoftwareMicrosoftWindowsCurrentVersionRun) to be registered as one of the Startup Programs, as well as copying files.…

Read More
AXLocker Ransomware Stealing Victim’s Discord Tokens

Ransomware is one of the most critical cybersecurity problems on the internet and possibly the most powerful form of cybercrime plaguing organizations today. It has rapidly become one of the most important and profitable malware families among Threat Actors (TAs). In a typical scenario, the ransomware infection starts with the TA gaining access to the target system.…

Read More

We break down the cyberespionage activities of advanced persistent threat (APT) group Earth Preta, observed in large-scale attack deployments that began in March. We also show the infection routines of the malware families they use to infect multiple sectors worldwide: TONEINS, TONESHELL, and PUBLOAD.

We have been monitoring a wave of spear-phishing attacks targeting the government, academic, foundations, and research sectors around the world.…

Read More

Summary

On August 25, 2022, Chile’s government computer systems were attacked by a previously unseen ransomware variant. CSIRT of Chile’s government published a report which contained some Indicators of Compromise (IoCs) and recommendations for prevention measures.

On October 3, 2022, Invima — The Colombia National Food and Drug Surveillance Institute — reported a cyberattack that led to a temporary shutdown of the organization’s web services.…

Read More

Venus ransomware has been launching data encryption attacks across the globe since at least August 2022. Last week, the Health Sector Cybersecurity Coordination Center issued an advisory stating that at least one healthcare entity in the United States had fallen victim to Venus ransomware, prompting wider warnings for healthcare and other organizations to be on their guard.…

Read More

QBot, also known as Qakbot, QuackBot, and Pinkslipbot, is a Banking Trojan that was first observed in 2007. Today, Qbot is still a vicious and persistent threat to organizations and has become one of the leading Banking Trojans globally. Over the years, it has changed its initial techniques to deliver payloads like using VBA macros, Excel 4 macros, VBS files, exploits like Follina, etc.…

Read More