Tag: PROXY

Author: Jamie Arndt

A man-in-the-middle (MitM) attack is an adversary’s attempt to steal information by inserting themselves between victims and their legitimate, expected destination. Threat actors combining credential phishing with man-in-the-middle attacks have been another evolution in the threat landscape. In this context, rather than setting up one fake login page, the attacker lures victims to their web server which will broker the entire authentication process between the user and the actual destination.…

Read More

After months of dormancy, Earth Longzhi, a subgroup of advanced persistent threat (APT) group APT41, has reemerged using new techniques in its infection routine. This blog entry forewarns readers of Earth Longzhi’s resilience as a noteworthy threat.

We discovered a new campaign by Earth Longzhi (a subgroup of APT41) that targets organizations based in Taiwan, Thailand, the Philippines, and Fiji.…

Read More

We found TrafficStealer abusing open container APIs in order to redirect traffic to specific websites and manipulate engagement with ads.

Our team deploys containers and containerized honeypots to monitor any unwanted activities, as well as to reinforce cloud security solutions and recommendations. While these honeypots frequently capture cryptocurrency miners trying to exploit computational resources, we recently discovered a different type of attack: a piece of software that leverages Docker containers to generate money through monetized traffic.…

Read More
Introduction

Infoblox analyzes over 70 billion DNS records each day, along with millions of domain-related records from other sources, to identify suspicious and malicious domains throughout the internet. Our algorithms work in series, making near-real time decisions on some domains using our Threat Insight infrastructure, while other decisions are made over time, leveraging a longitudinal profile of the domain.…

Read More

By Securonix Threat Labs, Threat Research: Den Iuzvyk, Tim Peck, Oleg Kolesnikov

TL;DR 

The Securonix Threat Research team (STR) has recently observed a new attack campaign tracked by Securonix as OCX#HARVESTER. Some of the malicious payloads leveraged as part of the attack campaign observed appear to be related to the More_eggs malicious payloads reported earlier [1].…

Read More

ESET researchers have discovered a new Lazarus Operation DreamJob campaign targeting Linux users. Operation DreamJob is the name for a series of campaigns where the group uses social engineering techniques to compromise its targets, with fake job offers as the lure. In this case, we were able to reconstruct the full chain, from the ZIP file that delivers a fake HSBC job offer as a decoy, up until the final payload: the SimplexTea Linux backdoor distributed through an OpenDrive cloud storage account.…

Read More

Summary

Since the beginning of January 2023, the BlackBerry Threat Research and Intelligence team has been following two parallel malicious campaigns that use the same infrastructure but have different purposes.

The first campaign is related to a malvertising Google Ads Platform campaign which began several months ago and distributed fake versions of legitimate software products like AnyDesk (remote desktop software), Libre Office (an open-source office productivity software suite), TeamViewer (remote access and remote-control software), and Brave (a free and open-source web browser) among others.…

Read More

Affected platforms: Microsoft WindowsImpacted parties: Targeted Windows usersImpact: Compromised machines are under the control of the threat actorSeverity level: Medium

As part of our ongoing research on malware being used in the Russian-Ukrainian conflict, FortiGuard Labs has encountered a malicious spoofed document pretending to be from the Ukrainian company, Energoatom, a state-owned enterprise that operates Ukraine’s nuclear power plants.…

Read More

In this blog post, we’ll provide a detailed analysis of a malicious payload we’ve dubbed “Impala Stealer”, a custom crypto stealer which was used as the payload for the NuGet malicious packages campaign we’ve exposed in our previous post. The sophisticated campaign targeted .NET developers via NuGet malicious packages, and the JFrog Security team was able to detect and report it as part of our regular activity of exposing supply chain attacks.…

Read More

By John Fokker, Ernesto Fernández Provecho and Max Kersten · April 05, 2023

We would like to thank Steen Pedersen and Mo Cashman for their remediation advice.

On the 4th and the 5th of April, a law enforcement taskforce spanning agencies across 17 countries – including the FBI, Europol and the Dutch Police – have disrupted the infamous browser cookie market known as Genesis Market and approached hundreds of its users.…

Read More

Proxyjacking has Entered the Chat | Sysdig

Did you know that you can effortlessly make a small passive income by simply letting an application run on your home computers and mobile phones? It lets others (who pay a fee to a proxy service provider) borrow your Internet Protocol (IP) address for things like watching a YouTube video that isn’t available in their region, conducting unrestricted web scraping and surfing, or browsing dubious websites without attributing the activity to their own IP.…

Read More

[Update: Following additional analysis of shellcode used in ICONIC, in conjunction with other observations from the wider security community, Volexity now attributes the activity described in this post to the Lazarus threat actor. Specifically, in addition to other claims of similarity, the shellcode sequence {E8 00 00 00 00 59 49 89 C8 48 81 C1 58 06 00 00} appears to have been only used in the ICONIC loader and the APPLEJEUS malware, which is known to be linked to Lazarus.…

Read More