DJVU ransomware arrives on the scene masquerading as legitimate services or applications, or bundled with decoy files, in order to appear benign. The malware group also partners with other threats, giving them the option to download and deploy information stealers to exfiltrate data, giving threat actors a second way to benefit at victims’ expense.…
NullMixer is a dropper leading to an infection chain of a wide variety of malware families. NullMixer spreads via malicious websites that can be found mainly via search engines. These websites are often related to crack, keygen and activators for downloading software illegally, and while they may pretend to be legitimate software, they actually contain a malware dropper.…
This post is also available in: 日本語 (Japanese)
Executive SummaryCybercriminals compromise domain names to attack the owners or users of the domains directly, or use them for various nefarious endeavors, including phishing, malware distribution, and command and control (C2) operations. A special case of DNS hijacking is called domain shadowing, where attackers stealthily create malicious subdomains under compromised domain names.…
Things not always being as they seem is a common adage that lends itself well to the cyber world. Phishing tries explicitly to convince an email recipient that a message is legitimate and trustworthy when it is not. This applies equally to cases where the sender is interested in criminal exploits or nation-state activity.…
Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.
This report profiles the unique infrastructure used by the threat activity group UAC-0113, which is linked with moderate confidence by CERT-UA to Sandworm.…
Українська (Ukrainian)
Cisco Talos recently identified a new, ongoing campaign attributed to the Russia-linked Gamaredon APT that infects Ukrainian users with information-stealing malware. The adversary is using phishing documents containing lures related to the Russian invasion of Ukraine. LNK files, PowerShell and VBScript enable initial access, while malicious binaries are deployed in the post-infection phase.…Broadcom Software, has gained insight into the current activities of a group we call Webworm. The group has developed customized versions of three older remote access Trojans (RATs), including Trochilus, Gh0st RAT, and 9002 RAT. At least one of the indicators of compromise (IOCs) observed by Symantec was used in an attack against an IT service provider operating in multiple Asian countries, while others appear to be in pre-deployment or testing stages.…
The Cybereason Global Security Operations Center (GSOC) Team issues Threat Analysis Reports to inform on impacting threats. The Threat Analysis Reports investigate these threats and provide practical recommendations for protecting against them.…
It has now been six months since the war in Ukraine began. Since then, pro-Russian and pro-Ukrainian hacker groups, like KillNet, Anonymous, IT Army of Ukraine, Legion Spetsnaz RF, have carried out cyberattacks. A lesser-known group called NoName057(16) is among the pro-Russian groups attacking Ukraine and the countries surrounding it and siding with Ukraine.…
Raspberry Robin and Dridex: Two Birds of a Feather
IBM Security Managed Detection and Response (MDR) observations coupled with IBM Security X-Force malware research sheds additional light on the mysterious objectives of the operators behind the Raspberry Robin worm. Based on a comparative analysis between a downloaded Raspberry Robin DLL and a Dridex malware loader, the results show that they are similar in structure and functionality.…
As we continue to monitor the cyber situation in Ukraine, the data we are seeing shows some interesting trends. Not only has the volume of attacks continued rising throughout the war in Ukraine, the types of attacks have been varied. A common tactic of cyber criminals is to run automated exploit attempts, hitting as many possible targets as they can to see what gets a result.…
Broadcom Software, and aimed at Ukraine appears to be delivering information-stealing malware to targeted networks. This activity was ongoing as recently as August 8, 2022 and much of the activity observed in this campaign is consistent with activity that was highlighted by CERT-UA on July 26.…
概述
奇安信威胁情报中心一直在对俄语威胁者以及活跃的地下论坛保持高强度的跟踪,最近我们观察到闻名全球的Conti Group在这半年内使用Exchange漏洞对风险投资公司、奢侈品企业、芯片制造业、外企合资制造业发起定向性攻击活动,这些被攻击的企业都有一个共同的特点:“富有”。Conti Group是现阶段最活跃的勒索团伙之一,根据境外友商cyberint去年的发布的报告[1],Conti Group在2021年成功开展了600次攻击活动,共盈利27亿美元。由于在2022年2月份Conti Group的高管宣称在俄乌战争中站队俄罗斯一侧,导致其内部数据被人在Twitter上公开。
cyberint对泄露的信息进行分析后发现,Conti Group内部人员高达400余人,分工之细堪比一家小型科技公司。美国《连线》杂志称[2]泄露的聊天记录表明Conti Group与APT29存在临时性的合作。
除了Conti Group,我们也观察到其他俄语威胁者通过爆破主流数据库或者利用Nday漏洞的形式植入CobaltStrike或者anydesk远程控制软件,等到时机成熟后下发GlobeImposter或者Leakthemall勒索软件,我们将其命名为BruteSql Group。我们在上半年曾经发表过《死灰复燃!新型REvil勒索软件在野攻击活动分析》[3]介绍了REvil勒索软件最新的攻击活动,但是在之后的数月里并没有看到类似的攻击活动,暗网页面也没有更新,攻击团伙转入了不活跃的状态。与之前的文章类似,本文内容也仅仅是对Conti Group在过去半年时间内攻击手法做一个分享。文末会分享该团伙历史使用的IOC,供友商追踪溯源。
Conti Group
Conti Group通过Exchange漏洞与目标机器建立隧道连接,之后向windowssystem32目录下投递名为lsass.dll的密码窃取后门。执行的命令行如下:命令行
cmd.exe /c !uplaod D:UchebkaworkSOFTLSASSlsass.dll -dest C:Windowssystem32lsass.dll
reg.exe add “HKLMSYSTEMCurrentControlSetServiceslogincontrollNetworkProvider” /v “ProviderPath” /t “REG_EXPAND_SZ” /d “C:Windowssystem32lsass.dll”
cmd.exe /c dir c:windowstemptmpQWER.tmp
rundll32 C:WindowsSysnativecomsvcs.dll, MiniDump 668 c:windowstemptmpQWER.dmp full
从命令行中可以看到Conti Group攻击者的工作路径,Uchebka经过查询是东欧地区人的姓氏。
Md5
文件名
0838b1a1618c5ea3137ece85f83686c0
lsass.dll…
日本語 (Japanese)
Update History Date Description of Updates Aug. 10th 2022 Adding clarifying details on activity involving active directory. Aug. 10th 2022 Update made to the Cisco Response and Recommendations section related to MFA. Executive summary On May 24, 2022, Cisco became aware of a potential compromise.…On July 7, 2022, the CISA published an alert, entitled, “North Korean State-Sponsored Cyber Actors Use Maui Ransomware To Target the Healthcare and Public Health Sector,” related to a Stairwell report, “Maui Ransomware.” Later, the Department of Justice announced that they had effectively clawed back $500,000 in ransom payments to the group, partly thanks to new legislation.…
In April 2022, PT Expert Security Center detected an attack on a number of Russian media and energy companies that used a malicious document called «list.docx» to extract a malicious payload packed with VMProtect. Having analyzed the network packet, we found it to be identical to the one we studied in our report on APT31 tools, suggesting that these may belong to one and the same group.…
This blog post was authored by Ankur Saini and Hossein Jazi
The Malwarebytes Threat Intelligence team has identified a new Remote Access Trojan we are calling Woody Rat that has been in the wild for at least one year.
This advanced custom Rat is mainly the work of a threat actor that targets Russian entities by using lures in archive file format and more recently Office documents leveraging the Follina vulnerability.…
In June 2022, LockBit revealed version 3.0 of its ransomware. In this blog entry, we discuss the findings from our own technical analysis of this variant and its behaviors, many of which are similar to those of the BlackMatter ransomware.
In March 2022, less than a year after LockBit 2.0 first emerged, researchers caught wind of an upcoming new variant of the LockBit ransomware. LockBit…