Corporate espionage, also known as industrial espionage, is espionage conducted for commercial or financial purposes. One of the common misconceptions is that espionage is affecting only large corporations or government entities, but it is more common than expected. In this article, we provide an analysis of one such exfiltration and explain why these attacks are on the rise. …
Tag: RAAS
LockBit has been receiving a fair share of attention recently. Last week, SentinelLabs reported on LockBit 3.0 (aka LockBit Black), describing how the latest iteration of this increasingly prevalent RaaS implemented a series of anti-analysis and anti-debugging routines. Our research was quickly followed up by others reporting similar findings.…
This blog entry offers a technical analysis of a new SolidBit variant that is posing as different applications to lure gamers and social media users. The SolidBit ransomware group appears to be planning to expand its operations through these fraudulent apps and its recruitment of ransomware-as-a-service affiliates.…
In June 2022, LockBit revealed version 3.0 of its ransomware. In this blog entry, we discuss the findings from our own technical analysis of this variant and its behaviors, many of which are similar to those of the BlackMatter ransomware.
In March 2022, less than a year after LockBit 2.0 first emerged, researchers caught wind of an upcoming new variant of the LockBit ransomware. LockBit…
By Jim Walter & Aleksandar Milenkoski
LockBit 3.0 ransomware (aka LockBit Black) is an evolution of the prolific LockBit ransomware-as-a-service (RaaS) family, which has roots that extend back to BlackMatter and related entities. After critical bugs were discovered in LockBit 2.0 in March 2022, the authors began work on updating their encryption routines and adding several new features designed to thwart researchers.…
By Securonix Threat Labs, Threat Research: Den Iuzvyk, Tim Peck
July 5, 2022
IntroductionA new malware loader named BumbleBee is actively being used to target businesses using mass phishing or spear-phishing campaigns as an initial attack vector. Malware loaders (or droppers) are commonly used by ransomware groups and other APTs to distribute payloads as they are extremely effective during the initial stages of compromise.…
ReversingLabs recently discovered instances of the AstraLocker 2.0 malware distributed directly from Microsoft Word files used in phishing attacks.
Executive SummaryReversingLabs recently discovered of a new version of the AstraLocker ransomware (AstraLocker 2.0) that was being distributed directly from Microsoft Office files used as bait in phishing attacks.…
By Flavio Costa,
In a recent customer engagement, we observed a month-long AvosLocker campaign. The attackers utilized several different tools, including Cobalt Strike, Sliver and multiple commercial network scanners. The initial ingress point in this incident was a pair of VMWare Horizon Unified Access Gateways that were vulnerable to Log4Shell.…Zero-day exploits or recently patched/unpatched vulnerabilities are attractive targets for Threat Actors (TAs) to deploy malware efficiently. TAs leverages these vulnerabilities and exploits them to deliver the various types of malware to steal sensitive information for financial gain.
On June 11th, 2022, Microsoft tweeted a post where they mentioned that CVE-2022-26134 was being exploited to download and deploy the Cerber2021 ransomware (also known as “CerberImposter”).…
UNC2165 Overlaps with Evil Corp Activity
Read More
OFAC sanctions against Evil Corp in December 2019 were announced in conjunction with the Department of Justice’s (DOJ) unsealing of indictments against individuals for their roles in the Bugat malware operation, updated versions of which were later called DRIDEX. DRIDEX was believed to operate under an affiliate model with multiple actors involved in the distribution of the malware.…
ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups
cybercriminal group ITG23, also known as Wizard Spider, DEV-0193, or simply the “Trickbot Group”. The results of this research, along with evidence gained from the disclosure of internal ITG23 chat logs (“Contileaks”), provide new insight into the connections and cooperation between prominent cybercriminal groups whose attacks often lead to ransomware.…
Since the beginning of the ongoing Russia-Ukraine War, some ransomware and hacking groups have publicly declared which side they are on. Such actions have created tension internally within the threat actor groups as it has caused dissension, and externally, as organizations fear being targeted due to the political nature of the war.…
In early December 2021, a new ransomware actor started advertising its services on a Russian underground forum. They presented themselves as ALPHV, a new generation Ransomware-as-a-Service (RaaS) group. Shortly afterwards, they dialed up their activity, infecting numerous corporate victims around the world. The group is also known as BlackCat.…
Both BLISTER and SocGholish are loaders known for their evasion tactics. Our report details what these loaders are capable of and our investigation into a campaign that uses both to deliver the LockBit ransomware.
The Trend MicroTM Managed XDR team has made a series of discoveries involving the BLISTER loader and SocGholish.…
Malicious email and phishing scams are usually topical and follow a pattern of current events, and they typically are crafted around calendar and/or trending issues as attackers realize that victims are interested in all things relevant to the moment. Threat actors are aware that not all recipients will bite, but some will, hence the origin of the term “phishing.”…
Key Takeaways: An in-depth analysis of Midas and trends across other Thanos ransomware variants reveals how ransomware groups shifted tactics in 2021 to:
lower sunk costs by using RaaS builders to reduce development time increase payouts with double extortion tactics by using their own data leak sites extend the length and effectiveness of campaigns to get the highest investment returns by updating payloads and/or rebranding their own ransomware groupAdvertised on the darkweb for Ransomware-as-a-Service (RaaS), Thanos ransomware was first identified in February 2020.…
Update 05.27.22: An unknown APT group is targeting Russian government entities with at least four separate spear-phishing campaigns since the beginning of the conflict in Ukraine. Source: Security Affairs.
OverviewBlackBerry Threat Intelligence has identified a new Ransomware-as-a-Service (Raas) family, and tracked its lineage to its probable beta stage release.…
BlackCat is a recent and growing ransomware-as-a-service (RaaS) group that targeted several organizations worldwide over the past few months.
There are rumors of a relationship between BlackCat and the BlackMatter/DarkSide ransomware groups, infamous for attacking the Colonial Pipeline last year. According to a BlackCat representative, BlackCat is not a rebranding of BlackMatter, but its team is made from affiliates of other RaaS groups (including BlackMatter).…
Read More
In March 2022, we came across evidence that another, relatively unknown, ransomware known as Nokoyawa is likely connected with Hive, as the two families share some striking similarities in their attack chain, from the tools used to the order in which they execute various steps.
Hive, which is one of the more notable ransomware families of 2021, made waves in the latter half of the year after breaching over 300 organizations in just four months — allowing the group to earn what could potentially be millions of US dollars in profit.…
On February 4th, 2022, the FBI issued a flash report on LockBit 2.0 ransomware and its indicators of compromise (IOCs). Although Picus Labs updated the Picus Threat Library with attack simulations for LockBit 2.0 back in August 2021, the increasing number of attacks led us to write this blog post.…