Tag: PROXY
Summary
Update June 2, 2022:
This Cybersecurity Advisory (CSA) has been updated with additional indicators of compromise (IOCs) and detection signatures, as well as tactics, techniques, and procedures (TTPs) from trusted third parties.
Update End
The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this CSA to warn organizations that malicious cyber actors, likely advanced persistent threat (APT) actors, are exploiting CVE-2022-22954 and CVE-2022-22960 separately and in combination.…
ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups
cybercriminal group ITG23, also known as Wizard Spider, DEV-0193, or simply the “Trickbot Group”. The results of this research, along with evidence gained from the disclosure of internal ITG23 chat logs (“Contileaks”), provide new insight into the connections and cooperation between prominent cybercriminal groups whose attacks often lead to ransomware.…
Fortinet’s FortiGuard Labs captured a phishing campaign that was delivering three pieces of fileless malware onto a victim’s device. Once executed, they are able to steal sensitive information from that device.
In this analysis, I’ll reveal how the phishing campaign manages to transfer the fileless malware to the victim’s device, what mechanism it uses to load, deploy, and execute the fileless malware in the target process, and how it maintains persistence on the victim’s device.…
Secureworks® Counter Threat Unit™ (CTU) researchers are investigating attacks by the Iranian COBALT MIRAGE threat group, which has been operating since at least June 2020. COBALT MIRAGE is linked to the Iranian COBALT ILLUSION threat group, which predominantly uses persistent phishing campaigns to obtain initial access.…
Ursnif (aka Gozi, Dreambot, ISFB) is one of the most widespread banking trojans. It has been observed evolving over the past few years. Ursnif has shown incredible theft capabilities. In 2020 Ursnif rose to prominence, becoming one of the top ten most prolific pieces of malware.…
SystemBC is a proxy malware that has been used by various attackers for the last few years. While it has recently been distributed through SmokeLoader or Emotet, this malware has steadily been used in various ransomware attacks in the past. If an infected system is running SystemBC, which acts as a proxy bot, an attacker can route traffic through that system to reach a target address with malicious intent.…
Remcos RAT (Remote Access Trojan) was originally designed as a professional tool to remotely control computers. Remcos RAT is recognized as a malware family because it has been abused by hackers to secretly control victims’ devices since its first version was published on July 21, 2016.…
In this intrusion from December 2021, the threat actors utilized IcedID as the initial access vector. IcedID is a banking trojan that first appeared in 2017. It is usually delivered via malspam campaigns and has been widely used as an initial access vector in multiple ransomware intrusions.…
By Securonix Threat Labs, Threat Research
Introduction
The Securonix Threat Research team has identified a currently unpatched zero-day vulnerability in Spring Core, a widely used Java-based platform with cross-platform support. Early details claim that the bug would allow full remote code execution (RCE) on affected systems.…
This post describes the technical analysis of a new campaign detected by Intezer’s research team, which initiates attacks with a phishing email that uses conversation hijacking to deliver IcedID.
The underground economy is constantly evolving with threat actors specializing in specific fields. One field that has bloomed in the last few years is initial access brokers.…
We recently discovered an APT campaign we are calling Operation Dragon Castling. The campaign is targeting what appear to be betting companies in South East Asia, more specifically companies located in Taiwan, the Philippines, and Hong Kong. With moderate confidence, we can attribute the campaign to a Chinese-speaking APT group, but unfortunately cannot attribute the attack to a specific group and are not sure what the attackers are after.…
This is the story of piecing together information and research leading to the discovery of one of the largest botnet-as-a-service cybercrime operations we’ve seen in a while. This research reveals that a cryptomining malware campaign we reported in 2018, Glupteba malware, significant DDoS attacks targeting several companies in Russia, including Yandex, as well as in New Zealand, and the United States, and presumably also the TrickBot malware were all distributed by the same C2 server.…
The ASEC analysis team has recently discovered BitRAT being distributed via webhards. Because the attacker disguised the malware as a Windows 10 license verification tool from the development stage, users who download illegal crack tools from webhards and install them to verify their Windows license are at risk of having BitRAT installed on their PC.…
In December 2021, we observed an adversary exploiting the Microsoft Exchange ProxyShell vulnerabilities to gain initial access and execute code via multiple web shells. The overlap of activities and tasks was remarkably similar to that observed in our previous report, “Exchange Exploit Leads to Domain Wide Ransomware”.…
UNC2891 often made use of the STEELCORGI in-memory dropper which decrypts its embedded payloads by deriving a ChaCha20 key from the value of an environment variable obtained at runtime. In many cases, Mandiant was unable to recover the requisite environment variables to decrypt the embedded payloads.…
This report discusses the technical capabilities of this Cyclops Blink malware variant that targets ASUS routers and includes a list of more than 150 current and historical command-and-control (C&C) servers of the Cyclops Blink botnet.
With additional insights from Philippe Z Lin
Note: This article has been updated on March 17, 2022, 2:00 a.m.…
The DirtyMoe malware is deployed using various kits like PurpleFox or injected installers of Telegram Messenger that require user interaction. Complementary to this deployment, one of the DirtyMoe modules expands the malware using worm-like techniques that require no user interaction.
This research analyzes this worming module’s kill chain and the procedures used to launch/control the module through the DirtyMoe service.…
The ASEC analysis team is constantly monitoring malware distributed to vulnerable database servers (MS-SQL, MySQL servers). This blog will explain the RAT malware named Gh0stCringe[1].
Gh0stCringe, also known as CirenegRAT, is one of the malware variants based on the code of Gh0st RAT. It was first discovered in December 2018, and it is known to have been distributed via SMB vulnerability (using the SMB vulnerability tool of ZombieBoy).[2]…