Cisco Talos has observed new cyber attacks targeting Turkey and other Asian countries we believe with high confidence are from groups operating under the MuddyWater umbrella of APT groups. U.S. Cyber Command recently connected MuddyWater to Iran’s Ministry of Intelligence and Security (MOIS).
These campaigns primarily utilize malicious documents (maldocs) to deploy downloaders and RATs implemented in a variety of languages, such as PowerShell, Visual Basic and JavaScript.…
Read More Tag: PHISHING
In July of 2021, we identified an infection campaign targeting important European entities. During this investigation we could identify the threat actor behind these attacks as LazyScripter, an emerging APT group pointed by MalwareBytes in February 2021.
Through our analysis, we could track their activity with precise dates in 2021 based on their samples.…
What Global Network Visibility Reveals about the Resurgence of One of the World’s Most Notorious Botnets
Executive Summary
Read More Since its reemergence on Nov. 14, 2021, Black Lotus Labs has once again been tracking Emotet, one of the world’s most prolific malware distribution families which previously infected more than 1.6M devices and caused hundreds of millions of dollars in damage across critical infrastructure, healthcare, government organizations and enterprises around the world.…
Since the dawn of phishing, fraudulent invoicing and purchasing schemes have been one of the most common lures. The usual modus operandi involves appealing to the recipient’s desire to avoid incurring a debt, especially where a business may be involved.
FortiGuard Labs recently came across an interesting phishing e-mail masquerading as a purchase order addressed to a Ukrainian manufacturing organization that deals with raw materials and chemicals.…
In March 2022, we came across evidence that another, relatively unknown, ransomware known as Nokoyawa is likely connected with Hive, as the two families share some striking similarities in their attack chain, from the tools used to the order in which they execute various steps.
Hive, which is one of the more notable ransomware families of 2021, made waves in the latter half of the year after breaching over 300 organizations in just four months — allowing the group to earn what could potentially be millions of US dollars in profit.…
Recently, Fortinet’s FortiGuard Labs captured more than 500 Microsoft Excel files that were involved in a campaign to deliver a fresh Emotet Trojan onto the victim’s device.
Emotet, known as a modular Trojan, was first discovered in the middle of 2014. Since then, it has become very active, continually updating itself.…
8/24 Editor’s Note: Since the publication, SMTP2Go has updated its security measures.
Key TakeawaysProofpoint researchers have identified ongoing activity by the China-aligned APT actor TA416 in which the group is targeting European diplomatic entities, including an individual involved in refugee and migrant services. This targeting is consistent with other activity reported by Proofpoint, showing an interest in refugee policies and logistics across the APT actor landscape which coincides with increased tensions and now armed conflict between Russia and Ukraine.…By Jake Longden, Cofense Phishing Defense Center
Microsoft Power BI, a popular data-visualization tool, is designed to help users wrangle their data in multiple and more human-friendly formats. As a recognizable application from a commonly used and trusted vendor, Power BI is also a prime target for threat actors to spoof and abuse it for phishing attacks.…
This post was originally published as a white paper in September 2021. Get the full report as a PDF here.
Zusammenfassung (Executive Summary)
Read More Over the past year the TeamTNT threat actor has been very active. TeamTNT is one of the predominant cryptojacking threat actors currently targeting Linux servers.…
Summary
Read More The criminal group behind the Arkei information stealer appears to be interested in more than just picking our pockets. While cryptocurrency remains a primary target for the malware, which has recently been tied to use of the stealthy SmokeLoader downloader, a new analysis of Arkei shows that it has now expanded its reach to collect multifactor (MFA) authentication data as well.…
February 22, 2022 Editor’s Note: Since conducting his initial research, ZeroFox Intelligence Researcher Stephan Simon has uncovered additional details about the operators and the botnet. Updates have been published here.
In late October 2021, ZeroFox Intelligence discovered a previously unknown botnet called Kraken. Though still under active development, Kraken already features the ability to download and execute secondary payloads, run shell commands, and take screenshots of the victim’s system.…
Executive SummaryOur research attributes a decade of activity to a threat actor we call ModifiedElephant.
ModifiedElephant is responsible for targeted attacks on human rights activists, human rights defenders, academics, and lawyers across India with the objective of planting incriminating digital evidence.
ModifiedElephant has been operating since at least 2012, and has repeatedly targeted specific individuals.…
Read More Lorenz is a ransomware strain observed first in February of 2021, and is believed to be a rebranding of the “.sZ40” ransomware that was discovered in October 2020. Lorenz targets organizations worldwide with customized attacks demanding hundreds of thousands of dollars, and even millions in ransom fee. …
Over the past seven months, SophosLabs has monitored a series of new efforts to distribute SolarMarker, an information stealer and backdoor (also known as Jupyter or Polazert). First detected in 2020, the .NET malware usually delivered by a PowerShell installer has information harvesting and backdoor capabilities.…
Key Takeaways TA402, a likely Palestinian-aligned advance persistent threat actor, has recently engaged in campaigns leveraging a new implant, dubbed by Proofpoint analysts as NimbleMamba.
NimbleMamba is likely a replacement for the group’s previously used LastConn implant.
These campaigns have a complex attack chain that leverages geofencing and URL redirects to legitimate sites in order to bypass detection efforts. …
Read More February 3, 2022
[UPDATE] On February 4, 2022, Zimbra provided an update regarding this zero-day exploit vulnerability and reported that a hotfix for 8.8.15 P30 would be available on February 5, 2022. This vulnerability was later assigned CVE-2022-24682 and was fixed in version 8.8.15P30 Update 2 of Zimbra Collaboration Suite.…
Cisco Talos has observed a new wave of Delphi malware called Micropsia developed and operated by the Arid Viper APT group since 2017.
This campaign targets Palestinian entities and activists using politically themed lures. The latest iteration of the implant contains multiple RAT and information-gathering capabilities.…A new phishing campaign is using specially crafted CSV text files to infect users’ devices with the BazarBackdoor malware.
A comma-separated values (CSV) file is a text file containing lines of text with columns of data separated by commas. In many cases, the first line of text is the header, or description, for each column.…
Cisco Talos has observed a new campaign targeting Turkish private organizations alongside governmental institutions.
Talos attributes this campaign with high confidence to MuddyWater — an APT group recently attributed to Iran’s Ministry of Intelligence and Security (MOIS) by the U.S. Cyber Command. This campaign utilizes malicious PDFs, XLS files and Windows executables to deploy malicious PowerShell-based downloaders acting as initial footholds into the target’s enterprise.…Broadcom Software, has found evidence of attempted attacks against a number of organizations in the country.
Active since at least 2013, Shuckworm specializes in cyber-espionage campaigns mainly against entities in Ukraine. The group is known to use phishing emails to distribute either freely available remote access tools, including Remote Manipulator System (RMS) and UltraVNC, or customized malware called Pterodo/Pteranodon to targets.…