In late August 2022, we investigated an incident involving Ursnif malware, which resulted in Cobalt Strike being deployed. This was followed by the threat actors moving laterally throughout the environment using an admin account.
The Ursnif malware family (also commonly referred to as Gozi or ISFB) is one of the oldest banking trojans still active today.…
During a routine threat-hunting exercise, Cyble Research and Intelligence Labs (CRIL) came across a tweet about PureLogs information stealer by TG Soft. This tool is used by the Threat Actor (TA) “Alibaba2044” to launch a malicious spam campaign at targets based in Italy on the 14th of December 2022.…
BlueNoroff group is a financially motivated threat actor eager to profit from its cyberattack capabilities. We have published technical details of how this notorious group steals cryptocurrency before. We continue to track the group’s activities and this October we observed the adoption of new malware strains in its arsenal.…
Deriving Threat Actor TTPs from Management Infrastructure Tracking
You can find our previous work on Stage 1 and Stage 2 of IcedID’s initial infection chain in our Dragons News Blog. Data on Stage 1 C2 infrastructure is now also shared as part of our Botnet Analysis and Reporting Service (BARS).…
Introduction
Earlier this month, I wrote a diary about Google ad traffic leading to a fake AnyDesk page pushing IcedID malware. This week, the same type of ad traffic led to a fake TeamViewer page, and that page led to a different type of malware. This week’s infection involved a downloaded JavaScript (.js)…
We analyze the latest changes in IcedID botnet from a campaign that abuses Google pay per click (PPC) ads to distribute IcedID via malvertising attacks.
After closely tracking the activities of the IcedID botnet, we have discovered some significant changes in its distribution methods. Since December 2022, we observed the abuse of Google pay per click (PPC) ads to distribute IcedID via malvertising attacks.…
After nearly a year of being disrupted by Google, the Glupteba malware botnet has again become active, infecting devices worldwide. As a result of Google’s efforts, the blockchain-enabled botnet could be seriously disrupted in December 2021 by securing court orders for control of its infrastructure as well as filing legal claims against two Russian operators. …
This post is also available in: 日本語 (Japanese)
Executive SummaryWe’ve probably all received advice for how to avoid phishing, such as to be on the lookout for spelling errors or other mistakes that would alert us to the presence of fraudsters. However, this advice is only helpful for traditional phishing techniques.…
April 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. DEV-1028 is now tracked as Storm-1028.
To learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.…
A RAT (Remote Access Trojan) is a tool used by Threat Actors (TAs) to gain full access and remote control of a victim’s machine, including mouse and keyboard control, file access, network resources access, etc.
Cyble Research and Intelligence Labs (CRIL) has been actively monitoring such RATs and blogging about them as and when they emerge.…
Cloud Atlas (or Inception) is a cyber-espionage group. Since its discovery in 2014, they have launched multiple, highly targeted attacks on critical infrastructure across geographical zones and political conflicts. The group’s tactics, techniques and procedures (TTPs) have remained relatively static over the years. However, since the rapid escalation of the conflict between Russia and Ukraine in 2021 and especially after the outbreak of war in February 2022, the scope of the group’s activities has narrowed significantly, with a clear focus on Russia, Belarus and conflicted areas in Ukraine and Moldova.…
This report examines the infection chain and the pieces of malware used by malicious actors in supply-chain attacks that leveraged trojanized installers of chat-based customer engagement platforms.
In late September 2022, threat researchers uncovered a supply-chain attack carried out by malicious actors using a trojanized installer of Comm100, a chat-based customer engagement application.…
Secureworks® Counter Threat Unit™ (CTU) researchers are investigating the Drokbk malware, which is operated by a subgroup of the Iranian government-sponsored COBALT MIRAGE threat group. This subgroup is known as Cluster B. Drokbk is written in .NET and is made up of a dropper and a payload.…
The public key used for the attestation signing (Appendix C: POORTRY Certificate Details) contains two object identifiers (OIDs) of interest within the key usage value:
X509v3 Extended Key Usage: 1.3.6.1.4.1.311.10.3.5, 1.3.6.1.4.1.311.10.3.5.1, Code SigningFigure 4: Extended Key Usage
RFC 5280 Section 4.2.1.12 defines Extended Key Usage (EKU).…
In October 2022, Juniper Threat Labs discovered a backdoor implanted on a VMware ESXi virtualization server. Since 2019, unpatched ESXi servers have been targets of ongoing in-the-wild attacks based on two vulnerabilities in the ESXi’s OpenSLP service: CVE-2019-5544 and CVE-2020-3992. Unfortunately, due to limited log retention on the compromised host we investigated, we can’t be sure which vulnerability allowed hackers access to the server.…
Authored by SangRyol Ryu and Yukihiro Okutomi
McAfee’s Mobile Research team recently analyzed new malware targeting mobile payment users in Japan. The malware which was distributed on the Google Play store pretends to be a legitimate mobile security app, but it is in fact a payment fraud malware stealing passwords and abusing reverse proxy targeting the mobile payment services.…
Just to clarify, the above subheading isn’t a normal quote, but a message that Janicab malware attempted to decode in its newest use of YouTube dead-drop resolvers (DDRs).
While hunting for less common Deathstalker intrusions that use the Janicab malware family, we identified a new Janicab variant used in targeting legal entities in the Middle East throughout 2020, possibly active during 2021 and potentially extending an extensive campaign that has been traced back to early 2015 and targeted legal, financial, and travel agencies in the Middle East and Europe.…
On December 1, 2022, CISA and FBI released a joint Cybersecurity Advisory (CSA) on Cuba ransomware [1]. Security researchers have track downed a new variant of the Cuba ransomware as Tropical Scorpius. This Cuba ransomware group mainly targets manufacturing, professional and legal services, financial services, construction, high technology, and healthcare sectors [2].…