ThreatLabz recently discovered a sample of the multi-function malware LilithBot in our database. Further research revealed that this was associated with the Eternity group (a.k.a. EternityTeam; Eternity Project), a threat group linked to the Russian “Jester Group,” that has been active since at least January 2022.…
Tag: PRIVILEGE
With reports of a new data-leak site published by actors behind the BlackByte ransomware, we decided to take another look at the most recent variant written in Go.
We found a sophisticated technique to bypass security products by abusing a known vulnerability in the legitimate vulnerable driver RTCore64.sys.…
ESET researchers uncovered and analyzed a set of malicious tools that were used by the infamous Lazarus APT group in attacks during the autumn of 2021. The campaign started with spearphishing emails containing malicious Amazon-themed documents and targeted an employee of an aerospace company in the Netherlands, and a political journalist in Belgium.…
Key Takeaways
Read More Sygnia recently investigated a Cheerscrypt ransomware attack which utilized Night Sky ransomware TTPs. Further analysis revealed that Cheerscrypt and Night Sky are both rebrands of the same threat group, dubbed ‘Emperor Dragonfly’ by Sygnia.
‘Emperor Dragonfly’ (A.K.A. DEV-0401 / BRONZE STARLIGHT) deployed open-source tools that were written by Chinese developers for Chinese users.…
DJVU ransomware arrives on the scene masquerading as legitimate services or applications, or bundled with decoy files, in order to appear benign. The malware group also partners with other threats, giving them the option to download and deploy information stealers to exfiltrate data, giving threat actors a second way to benefit at victims’ expense.…
Doenerium Stealer masquerading as Windows Malicious Software Removal Tool
Read More Cyble Research and Intelligence Labs (CRIL) spotted a malicious domain being used in a spear-phishing email campaign targeting Office365 users to steal credentials. The same domain was observed hosting multiple other malware variants, for example, a new stealer called “Doenerium stealer.”…
Broadcom Software, tracks as Coreid (aka FIN7, Carbon Spider). Darkside was used in the Colonial Pipeline ransomware attack in May 2021. The extreme amount of public and law enforcement attention that attack attracted led Coreid to shut down Darkside and replace it with BlackMatter. Coreid runs a ransomware-as-a-service (RaaS) operation, which means it develops the ransomware but it is deployed by affiliates for a cut of the profits.…
Users are advised to patch immediately: We found exploit samples abusing the Atlassian Confluence vulnerability (CVE-2022-26134) in the wild for malicious cryptocurrency mining.
We observed the active exploitation of CVE-2022-26134, an unauthenticated remote code execution (RCE) vulnerability with a critical rating of 9.8 in the collaboration tool Atlassian Confluence.…
Ransomware is unique in the malware world, as it deliberately makes its presence known to the victim. But while the online extortionists behind these attacks need to announce their intentions in order to achieve their nefarious ends, that does not mean they wish to draw undue attention to themselves.…
On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within the OSINT community and our datasets. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.…
Application abuses Windows Defender Executable to perform DLL Sideloading
Read More During a routine threat hunting exercise, Cyble Research and Intelligence Labs (CRIL) identified a fake Telegram website masquerading as a legitimate website that downloads a malicious installer. This installer abuses the Windows Defender application to perform RAT operations.…
Summary
Actions to take today to protect against ransom operations:
• Keep systems and software updated and prioritize remediating known exploited vulnerabilities.• Enforce MFA.• Make offline backups of your data.
This joint Cybersecurity Advisory (CSA) is the result of an analytic effort among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), U.S.…
Cybereason GSOC team analysts have analyzed a specific technique that leverages Notepad++ plugins to persist and evade security mechanisms on a machine. Following this introduction, we describe in detail how to reproduce this attack and implement detection and prevention mechanisms.…
Key TakeawaysArctic Wolf Labs assesses with medium confidence that the Lorenz ransomware group exploited CVE-2022-29499 to compromise Mitel MiVoice Connect to gain initial access
Lorenz waited nearly a month after obtaining initial access to conduct additional activity
Lorenz exfiltrated data via FileZilla
Encryption was done via BitLocker and Lorenz ransomware on ESXi
Lorenz employed a high degree of Operational Security (OPSEC)
Ransomware groups continue to use Living Off the Land Binaries (LOLBins) and gaining access to 0day exploits
Process and PowerShell Logging can significantly aid incident responders and potentially help decrypt encrypted filesBackground
Read More The Arctic Wolf Labs team recently investigated a Lorenz ransomware intrusion, which leveraged a Mitel MiVoice VoIP appliance vulnerability (CVE-2022-29499) for initial access and Microsoft’s BitLocker Drive Encryption for data encryption.…
a well-known technique that involves attackers placing a malicious DLL in a directory where a legitimate DLL is expected to be found. The attacker then runs the legitimate application themselves (having installed it themselves in most cases). The legitimate application then loads and executes the payload.…
In this intrusion from May 2022, we observed a domain-wide compromise that started from a malware ridden Excel document containing the never-dying malware, Emotet.
The post-exploitation started very soon after the initial compromise. The threat actors began enumerating the network once Emotet deployed a Cobalt Strike beacon on the beachhead host.…
Cisco Talos has been tracking a new campaign operated by the Lazarus APT group, attributed to North Korea by the United States government.
This campaign involved the exploitation of vulnerabilities in VMWare Horizon to gain an initial foothold into targeted organizations.
Targeted organizations include energy providers from around the world, including those headquartered in the United States, Canada and Japan.…
Read More Summary
Actions to take today to mitigate cyber threats from ransomware:
• Prioritize and remediate known exploited vulnerabilities.• Train users to recognize and report phishing attempts.• Enable and enforce multifactor authentication.
Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors.…
Play is a new ransomware that takes a page out of Hive and Nokoyawa’s playbook. The many similarities among them indicate that Play, like Nokoyawa, are operated by the same people.
In July, we investigated a spate of ransomware cases in the Latin American region that targeted government entitles, which was initially attributed to a new player known as Play ransomware.…
In March 2021, we investigated a backdoor with a unique modular architecture and called it BumbleBee due to a string embedded in the malware. However, in our recent investigations, we have discovered a controller application that expands its capabilities.
Updated on Sept. 6, 2022, at 11:55 p.m.…