Stay Ahead of Cyber Threats – Daily Security Insights, Powered by AI
DLL (Dynamic-Link Library) sideloading is a technique used by Threat Actors to infect users using legitimate applications which load malicious DLL files that spoof legitimate ones. Recently Cyble Research Labs published a blog about Qakbot malware that leverages a calculator to perform DLL Sideloading.…
DLL (Dynamic-Link Library) sideloading is a technique used by Threat Actors to infect users using legitimate applications which load malicious DLL files that spoof legitimate ones. Recently published a blog about Qakbot malware that leverages a calculator to perform DLL Sideloading.
Similarly, we came across a Twitter post wherein researchers mentioned a document file that performs DLL Sideloading using Microsoft applications such as “Teams.exe”…
Hive ransomware is one of the most active financially motivated threat actors of this period, adopting the current Double Extorsion model. They started their malicious activities in June of the past year, and just in a year of activity they collected a big number of victims, demonstrating the capability to hit even critical infrastructures. …
Gootloader is a Malware-as-a-Service (MaaS) offering that is spread through Search Engine Optimization (SEO) poisoning to distribute malicious payloads, such as IcedID. Threat actors have begun using IcedID, a former banking trojan, since it’s a stealthier option compared to Cobalt Strike.
In fact, the eSentire Threat Response Unit (TRU) team recently published a security advisory, The Popular Malware Downloader, GootLoader, Expands its Payloads Yet Again, Infecting a Law Firm with IcedID, that outlined TRU’s discovery of threat actors deploying IcedID onto a law firm’s IT environment via an employee’s computer.…
In June 2022, LockBit revealed version 3.0 of its ransomware. In this blog entry, we discuss the findings from our own technical analysis of this variant and its behaviors, many of which are similar to those of the BlackMatter ransomware.
In March 2022, less than a year after LockBit 2.0 first emerged, researchers caught wind of an upcoming new variant of the LockBit ransomware. LockBit…
Rootkits are malware implants which burrow themselves in the deepest corners of the operating system. Although on paper they may seem attractive to attackers, creating them poses significant technical challenges and the slightest programming error has the potential to completely crash the victim machine. In our APT predictions for 2022, we noted that despite these risks, we expected more attackers to reach the sophistication level required to develop such tools.…
Our X-Ops teams – SophosLabs, SecOps (Sophos Managed Threat Response [MTR] and Sophos Rapid Response), and Sophos AI – operate in a virtuous Observe-Orient-Decide-Act loop, building on each teams’ work to improve customer protections. A recent set of investigations illustrates our OODA-loop process: Attacks against a pair of vulnerabilities in Microsoft SQL were researched, documented, and addressed proactively.…
By Securonix Threat Labs, Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov
Last Updated: July 20, 2022
IntroductionThe Securonix Threat Research (STR) team has been observing and investigating a new attack campaign exploiting high-value targets, including Czech Republic, Poland, and other countries. The attack campaign has been tracked by STR as STIFF#BIZON.…
In April 2022, ESET researchers discovered a previously unknown macOS backdoor that spies on users of the compromised Mac and exclusively uses public cloud storage services to communicate back and forth with its operators. Following analysis, we named it CloudMensis. Its capabilities clearly show that the intent of its operators is to gather information from the victims’ Macs by exfiltrating documents, keystrokes, and screen captures.…
Amadey Bot, a malware that was first discovered in 2018, is capable of stealing information and installing additional malware by receiving commands from the attacker. Like other malware strains, it has been sold in illegal forums and used by various attackers.
The ASEC analysis team previously revealed cases where Amadey was used on attacks in the ASEC blog posted in 2019 (English version unavailable).…
Summary
Actions to take today:
• Install fixed builds, updating all affected VMware Horizon and UAG systems to the latest versions. If updates or workarounds were not promptly applied following VMware’s release of updates for Log4Shell in December 2021, treat all affected VMware systems as compromised.…
Summary
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury (Treasury) are releasing this joint Cybersecurity Advisory (CSA) to provide information on Maui ransomware, which has been used by North Korean state-sponsored cyber actors since at least May 2021 to target Healthcare and Public Health (HPH) Sector organizations.…
MS-SQL servers are mainly the attack targets for Windows systems. Attackers scan vulnerable MS-SQL servers that are poorly managed and install malware upon gaining control. Malware strains installed by attackers include CoinMiner, ransomware, backdoor, etc., and may vary depending on the purpose of the attack.
Figure 1.…By Flavio Costa,
In a recent customer engagement, we observed a month-long AvosLocker campaign. The attackers utilized several different tools, including Cobalt Strike, Sliver and multiple commercial network scanners. The initial ingress point in this incident was a pair of VMWare Horizon Unified Access Gateways that were vulnerable to Log4Shell.…QakBot, also known as QBot, QuackBot, or Pinkslipbot, is a banking trojan malware that has existed for over a decade. In recent years, QakBot has become one of the leading banking trojans around the globe. Its main purpose is to steal banking credentials (e.g., logins, passwords, etc.)…
June 15, 2022
by Steven Adair, Thomas Lancaster, Volexity Threat Research
Volexity frequently works with individuals and organizations heavily targeted by sophisticated, motivated, and well-equipped threat actors from around the world. Some of these individuals or organizations are attacked infrequently or on an irregular basis, while others see a barrage of attacks nearly every week.…
Using a methodology first seen in 2020, an unknown threat actor has been exploiting a three-year-old bug in the Telerik UI web application framework to take control of web servers, installing Cobalt Strike beacons and other malware in the process.
In the weeks following the initial, 2019 disclosure of the vulnerability, attackers scanned the internet for vulnerable applications.…
Purple Fox malware was first discovered in 2018 and was delivered by RIG EK (Exploit Kit). However, it has now become an independent malware with its own exploit kit framework. Like many other exploit kits, Purple Fox is regularly updating its capabilities by using different exploits that are available in the wild to obtain remote code execution and privilege escalation on vulnerable machines as well as installing backdoors and propagating to other machines.…
Rootkits are dangerous pieces of malware. Once in place, they are usually really hard to detect. Their code is typically more challenging to write than other malware, so developers resort to code reuse from open source projects. As rootkits are very interesting to analyze, we are always looking out for these kinds of samples in the wild.…