In this intrusion from December 2021, the threat actors utilized IcedID as the initial access vector. IcedID is a banking trojan that first appeared in 2017, usually, it is delivered via malspam campaigns and has been widely used as an initial access vector in multiple ransomware intrusions.…
Tag: PRIVILEGE
We recently discovered an APT campaign we are calling Operation Dragon Castling. The campaign is targeting what appears to be betting companies in South East Asia, more specifically companies located in Taiwan, the Philippines, and Hong Kong. With moderate confidence, we can attribute the campaign to a Chinese speaking APT group, but unfortunately cannot attribute the attack to a specific group and are not sure what the attackers are after.…
A Cobalt Strike Cybercrime Syndicate and the Ransomware Hackers’ Favorite Weapon
On March 9, the Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Secret Service issued an updated alert about the Conti ransomware group, encouraging organizations to review their advisory and apply the recommended mitigations.…
In December 2021, we observed an adversary exploiting the Microsoft Exchange ProxyShell vulnerabilities to gain initial access and execute code via multiple web shells. The overlap of activities and tasks was remarkably similar to that observed in our previous report, “Exchange Exploit Leads to Domain Wide Ransomware“.…
Dragos has observed consistent network communication between Emotet Command and Control (C2) servers and numerous auto manufacturing companies. These Emotet servers are suspected to be controlled by the Conti ransomware group.
At this stage, Dragos has not yet observed any confirmed initial access methods being utilized and does not have any evidence of ransomware encryption being initiated.…
The DirtyMoe malware is deployed using various kits like PurpleFox or injected installers of Telegram Messenger that require user interaction. Complementary to this deployment, one of the DirtyMoe modules expands the malware using worm-like techniques that require no user interaction.
This research analyzes this worming module’s kill chain and the procedures used to launch/control the module through the DirtyMoe service.…
Pandora ransomware came into the spotlight in March 2022 after targeting some high-profile victims on its leak site. The ransomware group announced its first victim on 21 Feb 2022 and has posted around five victims to date.
Figure 1: Pandora ransomware data leak siteDuring a routine threat hunting exercise, Cyble Research Labs came across the sample for this ransomware.…
Summary
Multifactor Authentication (MFA): A Cybersecurity Essential• MFA is one of the most important cybersecurity practices to reduce the risk of intrusions—according to industry research, users who enable MFA are up to 99 percent less likely to have an account compromised.• Every organization should enforce MFA for all employees and customers, and every user should sign up for MFA when available.•…
For additional information regarding deserialization exploits and our new hunting rule generation tool ‘HeySerial’, read our blog post, Now You Serial, Now You Don’t — Systematically Hunting for Deserialization Exploits.
USAHerds (CVE-2021-44207) Zero-DayIn three investigations from 2021, APT41 exploited a zero-day vulnerability in the USAHerds web application.…
Since the dawn of phishing, fraudulent invoicing and purchasing schemes have been one of the most common lures. The usual modus operandi involves appealing to the recipient’s desire to avoid incurring a debt, especially where a business may be involved.
FortiGuard Labs recently came across an interesting phishing e-mail masquerading as a purchase order addressed to a Ukrainian manufacturing organization that deals with raw materials and chemicals.…
In this intrusion (from November 2021), a threat actor gained its initial foothold in the environment through the use of Qbot (a.k.a. Quakbot/Qakbot) malware.
Read More Soon after execution of the Qbot payload, the malware established C2 connectivity and created persistence on the beachhead. Successful exploitation of the Zerologon vulnerability (CVE-2020-1472) allowed the threat actors to obtain domain admin privileges.…
On February 4th, 2022, the FBI issued a flash report on LockBit 2.0 ransomware and its indicators of compromise (IOCs). Although Picus Labs updated the Picus Threat Library with attack simulations for LockBit 2.0 back in August 2021, the increasing number of attacks led us to write this blog post.…
These websites host Smokeloader payloads as part of three categories named “pab1”, “pab2” and “pab3”. These are not necessarily linked to the analogous “pub*” affiliate IDs, since we have seen some “pab2” payloads with the “555” affiliate ID. While tracking PrivateLoader, we only received links to download the “pab2” payloads from these websites.…
Attribution
Read More In August 2021, a disgruntled CONTI affiliate leaked training documents, playbooks, and tools used to assist in CONTI ransomware operations. Mandiant has determined that some of the activity listed above overlaps with techniques in the playbooks disclosed in August.
At this time, due to the public release of this information, other unaffiliated actors may be replicating the techniques for their own motives and objectives.…
case study below, Antlion compromised the networks of at least two other organizations in Taiwan, including another financial organization and a manufacturing company. The activity the group carried out on those networks was largely similar to the activity that is detailed in the case study, with the xPack backdoor frequently deployed and a lot of evidence of credential dumping.…
Qbot (aka QakBot, Quakbot, Pinkslipbot ) has been around for a long time having first been observed back in 2007. More info on Qbot can be found at the following links: Microsoft & Red Canary
In this case, from October 2021, we will break down how Qbot quickly spread across all workstations in an environment, while stealing browser information and emails.…
StellarParticle is a campaign tracked by CrowdStrike as related to the SUNSPOT implant from the SolarWinds intrusion in December 2020 and associated with COZY BEAR (aka APT29, “The Dukes”).
The StellarParticle campaign has continued against multiple organizations, with COZY BEAR using novel tools and techniques to complete their objectives, as identified by CrowdStrike incident responders and the CrowdStrike Intelligence team.…
Read More On November 11th, Google TAG published a blogpost about watering-hole attacks leading to exploits for the Safari web browser running on macOS. ESET researchers had been investigating this campaign the week before that publication, uncovering additional details about the targets and malware used to compromise its victims.…
Co-authored by Gustavo Palazolo and Ghanashyam Satpathy
SummaryIn 2021, malicious Office documents accounted for 37% of all malware downloads detected by Netskope, showing favoritism for this infection vector among attackers. This is likely due to the ubiquitous usage of Microsoft Office in enterprises across the globe.…
TrickBot Bolsters Layered Defenses to Prevent Injection Research
Limor Kessem and Charlotte Hammond.
The cyber crime gang that operates the TrickBot Trojan, as well as other malware and ransomware attacks, has been escalating activity. As part of that escalation, malware injections have been fitted with added protection to keep researchers out and get through security controls.…