By Securonix Threat Labs, Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov
TL;DRToday ransomware continues to gain traction and organizations are faced with a barrage of constantly evolving tactics. There are however, several tried-and-true methods of detection or indicators of compromise (IoCs) that many ransomware variants have been using for years with no sign of letting up, relying on the fact that new users will fall for the same old tricks.…
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.…
In recent weeks OneNote has gotten a lot of media attention as threat actors are abusing the embedded files feature in OneNote in their phishing campaigns.I first observed this OneNote abuse in the media via Didier’s post. This was later also mentioned in Xavier’s ISC diary and on the podcast.…
By Securonix Threat Labs, Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov
Figure 1: Spot the PowerShell invoke expression
IntroductionWhile the image above appears to be purely nonsense, believe it or not, it is a simple “ipconfig” statement. Hidden somewhere in that code is an “invoke expression”, which directs execution flow.…
8220 Gang is a low-skill crimeware actor known for infecting cloud hosts through n-day vulnerabilities and remote access brute forcing. We have previously detailed how 8220 expanded its botnet and rotated its infrastructure. Since our last write up in October, the group has again switched to new infrastructure and samples, providing us with an opportunity to share an educational walkthrough of the process of investigating cybercrime activity that may be useful to new or lesser experienced SOC teams, analysts and researchers.…
First introduced in July 2022, Icarus Stealer is an infostealer malware that uses an hVNC capability so that the threat actor can create a new hidden desktop to navigate through the infected computer system without interacting with the main desktop. Icarus Stealer is also significantly cheaper compared to other popular infostealers like Redline Stealer and Raccoon Stealer, making it easier for inexperienced cybercriminals to use.…
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.…
jQuery is a popular JavaScript library that is widely used to create dynamic and interactive web pages. However, like any other software, it can also be used by cybercriminals to spread malware.
One common tactic used by attackers is to inject malicious JavaScript code into legitimate websites, often through vulnerabilities in the website’s content management system.…
Since May 2022, eSentire’s Threat Response Unit (TRU) has observed 11 cases of Raspberry Robin infections. Although the initial access vector is an infected USB drive, however it’s unclear how the USB drives were initially infected. Raspberry Robin hosts its payloads on compromised QNAP servers with the malicious files being stored on USB drives as shortcuts.…
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.…
We analyzed the infection routine used in recent Gootkit loader attacks on the Australian healthcare industry and found that Gootkit leveraged SEO poisoning for its initial access and abused legitimate tools like VLC Media Player.
Known for using search engine optimization (SEO) poisoning for its initial access, Gootkit loader (aka Gootloader) resurfaced in a recent spate of attacks on organizations in the Australian healthcare industry.…
In this Threat Analysis report, the Cybereason team investigates a recent IcedID infection that illustrates the tactics, techniques, and procedures (TTPs) used in a recent campaign. IcedID, also known as BokBot, is traditionally known as a banking trojan used to steal financial information from its victims.…
A malicious Python file found on the PyPI repository adds backdoor and data exfiltration features to what appears to be a legitimate SDK client from SentinelOne.…
The Royal ransomware group emerged in early 2022 and has gained momentum since the middle of the year. Its ransomware, which the group deploys through different TTPs, has impacted multiple organizations across the globe. The group itself is suspected of consisting of former members of other ransomware groups, based on similarities researchers have observed between Royal ransomware and other ransomware operators.…
Redline Stealer is one of the most popular stealers being sold and used by cybercriminals. The command and control (C2) panel does not require an attacker to log in via the Web UI; everything can be managed via the Redline client on the attacker’s virtual private server (VPS).…
This post is also available in: 日本語 (Japanese)
Executive SummaryCloud breaches often stem from misconfigured storage services or exposed credentials. A growing trend of attacks specifically targets cloud compute services to steal associated credentials and illicitly gain access to cloud infrastructure. These attacks could cost targeted organizations both in terms of unexpected charges for extra cloud resources added by the threat actor, as well as time required to remediate the damage.…
On December 2, 2022, one of our 24/7 SOC Cyber Analysts escalated an incident involving the GootLoader malware at a pharmaceutical company. eSentire’s Threat Response Unit (TRU) responded quickly and proceeded with an in-depth threat investigation of GootLoader.
eSentire leveraged Microsoft Defender for Endpoint to quarantine and prevent the threat (Figure 1).…
The Cybereason Global Security Operations Center (GSOC) issues a Purple Team Series of its Threat Analysis reports to provide a technical overview of the technologies and techniques threat actors use to compromise victims’ machines. …
Большинство кибератак имеют финансовую мотивацию, однако в последнее время возросло число атак, цель которых — не обогащение, а нанесение ущерба жертве. Одним из инструментов таких атак являются вайперы (от англ. wiper) — программы, которые уничтожают данные без возможности восстановления. К наиболее известным вайперам, появившимся в 2022 году, относятся DoubleZero, IsaacWiper, HermeticWiper, CaddyWiper, WhisperGate, AcidRain, Industroyer2 и RuRansom.…
The Cybereason Global SOC (GSOC) team is investigating Qakbot infections observed in customer environments related to a potentially widespread ransomware campaign run by Black Basta. The campaign is primarily targeting U.S.-based companies. …