By Securonix Threat Labs, Threat Research: Den Iuzvyk, Tim Peck, Oleg Kolesnikov
TL;DRThe Securonix Threat Research team (STR) has recently observed a new attack campaign tracked by Securonix as OCX#HARVESTER. Some of the malicious payloads leveraged as part of the attack campaign observed appear to be related to the More_eggs malicious payloads reported earlier [1].…
ESET researchers have discovered a new Lazarus Operation DreamJob campaign targeting Linux users. Operation DreamJob is the name for a series of campaigns where the group uses social engineering techniques to compromise its targets, with fake job offers as the lure. In this case, we were able to reconstruct the full chain, from the ZIP file that delivers a fake HSBC job offer as a decoy, up until the final payload: the SimplexTea Linux backdoor distributed through an OpenDrive cloud storage account.…
Summary
Since the beginning of January 2023, the BlackBerry Threat Research and Intelligence team has been following two parallel malicious campaigns that use the same infrastructure but have different purposes.
The first campaign is related to a malvertising Google Ads Platform campaign which began several months ago and distributed fake versions of legitimate software products like AnyDesk (remote desktop software), Libre Office (an open-source office productivity software suite), TeamViewer (remote access and remote-control software), and Brave (a free and open-source web browser) among others.…
In early April, we detected a significant increase in attacks that use banking Trojans of the QBot family (aka QakBot, QuackBot, and Pinkslipbot). The malware would be delivered through e-mail letters written in different languages — variations of them were coming in English, German, Italian, and French.…
Affected platforms: Microsoft WindowsImpacted parties: Targeted Windows usersImpact: Compromised machines are under the control of the threat actorSeverity level: Medium
As part of our ongoing research on malware being used in the Russian-Ukrainian conflict, FortiGuard Labs has encountered a malicious spoofed document pretending to be from the Ukrainian company, Energoatom, a state-owned enterprise that operates Ukraine’s nuclear power plants.…
In this blog post, we’ll provide a detailed analysis of a malicious payload we’ve dubbed “Impala Stealer”, a custom crypto stealer which was used as the payload for the NuGet malicious packages campaign we’ve exposed in our previous post. The sophisticated campaign targeted .NET developers via NuGet malicious packages, and the JFrog Security team was able to detect and report it as part of our regular activity of exposing supply chain attacks.…
Trustwave SpiderLabs uncovered a new strain of malware that it dubbed Rilide, which targets Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera.…
By John Fokker, Ernesto Fernández Provecho and Max Kersten · April 05, 2023
We would like to thank Steen Pedersen and Mo Cashman for their remediation advice.
On the 4th and the 5th of April, a law enforcement taskforce spanning agencies across 17 countries – including the FBI, Europol and the Dutch Police – have disrupted the infamous browser cookie market known as Genesis Market and approached hundreds of its users.…
Proxyjacking has Entered the Chat | Sysdig
Did you know that you can effortlessly make a small passive income by simply letting an application run on your home computers and mobile phones? It lets others (who pay a fee to a proxy service provider) borrow your Internet Protocol (IP) address for things like watching a YouTube video that isn’t available in their region, conducting unrestricted web scraping and surfing, or browsing dubious websites without attributing the activity to their own IP.…
[Update: Following additional analysis of shellcode used in ICONIC, in conjunction with other observations from the wider security community, Volexity now attributes the activity described in this post to the Lazarus threat actor. Specifically, in addition to other claims of similarity, the shellcode sequence {E8 00 00 00 00 59 49 89 C8 48 81 C1 58 06 00 00} appears to have been only used in the ICONIC loader and the APPLEJEUS malware, which is known to be linked to Lazarus.…
IcedID continues to deliver malspam emails to facilitate a compromise. This case covers the activity from a campaign in late September of 2022. Post exploitation activities detail some familiar and some new techniques and tooling, which led to domain wide ransomware.
This case shares similarities of the IcedID campaign detailed by Malware-Traffic-Analysis.net,…
AhnLab Security Emergency response Center (ASEC) has shared an APT attack case that has recently used CHM (Compiled HTML Help File).
Malware Distributed Disguised as a Password File
CHM is a Help screen that is in an HTML format. Threat actors are able to input malicious scrip codes in HTMLs with the inclusion of CHM.…
Splunk is committed to using inclusive and unbiased language. This blog post might contain terminology that we no longer use. For more information on our updated terminology and our stance on biased language, please visit our blog post. We appreciate your understanding as we work towards making our community more inclusive for everyone.…
By Securonix Threat Research: D.Iuzvyk, T.Peck, O.Kolesnikov
Sept. 25, 2023, updated Sept. 27, 2023, updated Oct. 6, 2023
tldr:Securonix Threat Research recently discovered an attack campaign appearing to originate from the threat group UAC-0154 targeting victims using a Pilot-in-Command (PIC) Drone manual document lure to deliver malware.…
By Securonix Threat Labs, Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov
March 30, 2023, updated April 5, 2023, updated April 18, 2023
While today is the last day for US income tax submissions, the TACTICAL#OCTOPUS campaign continues to target US victims. New samples have once again emerged related to this ongoing threat. …
Web application vulnerabilities are like doorways: you never know who or what will walk through. Between December 2021 and July 2022, the Mandiant Managed Defense and Incident Response teams responded to three UNC961 intrusions at different organizations that each started in similar fashion. Two of these victims were under the protection of Managed Defense who identified and responded to the threat before significant impact occurred.…
We recently discovered an novel undetected implant family targeting Linux servers, which we dubbed Mélofée.
We linked with high confidence this malware to chinese state sponsored APT groups, in particular the notorious Winnti group.
In this blogpost we will first analyze the capabilities offered by this malware family, which include a kernel mode rootkit, and then deep dive in an infrastructure pivot maze to discover related adversary toolsets.…
Code 1 – Configuration for the proxy plugin (proxy_cfg).
Most of the traffic is over HTTPS to popular websites, including several Russian ones. Figure 2 lists the top hostnames contacted by the bot.
Figure 2 – Most requested HOST:PORT pairs.
While looking through the traffic, we spotted an interesting pattern.…
February 15, 2024 update – On January 20, 2024, the US government conducted a disruption operation against infrastructure used by a threat actor we track as Forest Blizzard (STRONTIUM), a Russian state-sponsored threat actor, as detailed here: https://www.justice.gov/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian
December 4, 2023 update – Microsoft has identified a nation-state activity group tracked as Forest Blizzard (STRONTIUM), based in Russia, actively exploiting CVE-2023-23397 to provide secret, unauthorized access to email accounts within Exchange servers.…