Stay Ahead of Cyber Threats – Daily Security Insights, Powered by AI
The holiday season seems to be at an ebb for the Aviation Industry in Southeast Asia, as two low-cost carriers faced ransomware attacks this week.
Ransomware is a daunting threat that has loomed over strategic industries, including Aviation, in 2022. In our previous blog, we covered the emerging threats to the Aviation industry and predicted an increase in large-scale cyber-attacks on the sector.…
It has been discovered that Koxic ransomware is being distributed in Korea. It was first identified earlier this year, and recently, the team found that a file with a modified appearance and internal ransom note had been detected and blocked via the ASD infrastructure.
When infected, the “.KOXIC_[random…
Through the AhnLab ASD infrastructure’s history of blocking suspicious ransomware behavior, the ASEC analysis team has identified the distribution of Wiki ransomware, which has been determined to be a variant of Crysis ransomware, disguised as a normal program.
Before performing the actual encryption, Wiki ransomware copies itself into the %AppData% or %windir%system32 paths and undergoes a process of increasing the infection success rate of the ransomware by adding itself to the registry (HKLMSoftwareMicrosoftWindowsCurrentVersionRun) to be registered as one of the Startup Programs, as well as copying files.…
This post is also available in: 日本語 (Japanese)
Executive SummaryUnit 42 researchers introduce a machine learning model that predicts the maliciousness of .NET samples based on specific structures in the file, by analyzing a .NET wiper named DoubleZero. We identify the challenges of detecting this threat through PE structural analysis and conclude by examining the cues picked up by the machine learning model to detect this sample.…
Editor’s Note: This is an excerpt of a full report. To read the entire analysis with endnotes, click here to download the report as a PDF.
This report analyzes the threat landscape ahead of the 2022 FIFA World Cup hosted in Qatar that begins on November 20, 2022.…
Summary
Actions to Take Today to Mitigate Cyber Threats from Ransomware:
• Prioritize remediating known exploited vulnerabilities.• Enable and enforce multifactor authentication with strong passwords• Close unused ports and remove any application not deemed necessary for day-to-day operations.
Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors.…
This post will discuss the solution to the specific technical challenges we faced when analyzing the malware described in the blog “Fake Hungarian Government Email Drops Warzone RAT.” The final payload in that campaign, Warzone RAT, was deployed through a chain of increasingly obfuscated .NET binaries.…
Summary
On August 25, 2022, Chile’s government computer systems were attacked by a previously unseen ransomware variant. CSIRT of Chile’s government published a report which contained some Indicators of Compromise (IoCs) and recommendations for prevention measures.
On October 3, 2022, Invima — The Colombia National Food and Drug Surveillance Institute — reported a cyberattack that led to a temporary shutdown of the organization’s web services.…
By Max Kersten · November 15, 2022
In early 2022, Ukrainian companies were struck by multiple destructive wipers, attacking various organizations across sectors. This raised questions about the usage and impact of “digital weapons” within the security community, even though wipers themselves weren’t new. The infamous Shamoon wiper dates back more than a decade ago.…
In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector from a Contact Forms campaign. We have previously reported on two BumbleBee intrusions (1, 2), and this report is a continuation of a series of reports uncovering multiple TTPs seen by BumbleBee post exploitation operators.…
We looked into the campaigns deployed by a new subgroup of advanced persistent threat (APT) group APT41, Earth Longzhi. This entry breaks down the technical details of the campaigns in full as presented at HITCON PEACE 2022 in August.
In early 2022, we investigated an incident that compromised a company in Taiwan.…
We have observed multiple attacks targeting government organizations in Asia, all involving DLL sideloading – historically a favorite technique of China-based APT groups — as far back as 2013 and as recently as 2020. In this article, we look at the evidence that connects five of them, showing how threat actors base their attacks on well-known, effective techniques, adding complexity and variation over time.…
During a routine threat-hunting exercise, Cyble Research and Intelligence Labs (CRIL) encountered data-destructive ransomware linked to the pro-Russian Threat Actors (TA) group named “Killnet”. The ransomware is a modified version of notorious Chaos Ransomware. Upon execution, the Killnet Ransomware drops a note which contains a link to a pro-Russian Telegram channel containing propaganda posts related to the conflict in Ukraine.…
In my latest analysis report, “Fake Hungarian Government Email Drops Warzone RAT”, I discussed a fake Hungarian government phishing email that drops the Warzone RAT. It does this using multiple intermittent .NET binaries that are increasingly obfuscated. While my report would be far too long if I attempted to describe all the reverse engineering techniques used during my analysis, but I still think they provide a great opportunity for learning.…
This report provides defenders and security operations center teams with the technical details they need to know should they encounter the DeimosC2 C&C framework.
IntroductionWith the rise in attention to Cobalt Strike from network defenders, attackers have been looking to alternative command-and-control (C&C) frameworks Among these, Brute Ratel and Sliver are growing in popularity, having recently been featured in a number of publications.…By Antonio Cocomazzi and Antonio Pirozzi
Executive SummarySentinelLabs researchers describe Black Basta operational TTPs in full detail, revealing previously unknown tools and techniques. SentinelLabs assesses it is highly likely the Black Basta ransomware operation has ties with FIN7. Black Basta maintains and deploys custom tools, including EDR evasion tools.…In the ASEC blog post uploaded on April 2022 (New Malware of Lazarus Threat Actor Group Exploiting INITECH Process, https://asec.ahnlab.com/en/33801/), the team discussed the fact that the Lazarus attack group had been exploiting the INITECH process to infect systems with malware.
This article aims to cover the details of the Lazarus group using the watering hole technique to hack into systems before exploiting the vulnerability of the MagicLine4NX product from Dream Security in order to additionally hack into systems in the internal network, and also using vulnerable drivers to disable anti-malware software.…
FortiGuard Labs recently discovered an email pretending to come from the Hungarian government. It informs the user that their new credentials to a governmental portal are attached. The attachment, however, is a zipped executable that, upon execution, extracts the Warzone RAT to memory and runs it.…
The Magniber ransomware has recently been evolving rapidly. From changing its file extension, injection and to UAC bypassing techniques, the Magniber ransomware has been rapidly changing to bypass the detection of anti-malware software. This article summarizes the evolution of the Magniber ransomware in the last few months based on the analysis that had been previously performed.…
Overview
One of the previous ASEC blog posts discussed cases where attackers abused various remote control tools that are originally used for system management purposes to gain control over infected systems.[1] This post will cover cases where RDP (Remote Desktop Protocol), a default service provided by baseline Windows OS, was used.…