Infoblox’s DNS Early Detection Program utilizes proprietary techniques to identify potentially malicious domains at the earliest opportunity. The program shares our recent analysis of malicious domains disclosed through public OSINT, contrasting it with our preliminary identification of these domains as suspicious.

Threat actors have refined their techniques, causing most of the potential damage before malicious domains are identified and shared through open source intelligence (OSINT) and the majority of commercial threat intel feeds.…

Key Takeaways

Cyble Research and Intelligence Labs (CRIL) has recently identified a website called Persian Remote World engaged in the sale of a variety of malicious tools. Persian Remote World provides an extensive range of malicious tools, including Remote Access Trojans (RATs), loaders, and crypters. The site developers offer these malicious tools under different subscription models at varying prices.…

As Black Friday and the holiday shopping season approach, the threat of online scams is on the rise, with a 22% increase in consumer scam losses reported during the 2022 Black Friday and Cyber Monday sales. Recorded Future’s Insikt Group has analyzed recent high-impact scam website campaigns, revealing three key themes in how scammers operate and offering insights into how consumers and businesses can protect themselves.…


North Korean-aligned threat actors targeting macOS have had a busy 2023, with two major campaigns noted so far: RustBucket and KandyKorn. The initial RustBucket campaign used a second-stage malware, dubbed ‘SwiftLoader’, which functioned externally as a PDF Viewer for a lure document sent to targets. While victims viewed the lure, SwiftLoader retrieved and executed a further stage malware written in Rust.…


Authors: Shilpesh Trivedi and Nisarga C M

In April 2023, the cybersecurity community faced a significant challenge with the discovery of CVE-2023-38831, a vulnerability affecting versions of WinRAR prior to 6.23. This security flaw has become a critical concern due to its exploitation by various advanced persistent threat (APT) groups, who have used it to gain control of victim systems through deceptive methods.…

Key takeaways

From July through October 2023, Proofpoint researchers observed TA402 engage in phishing campaigns that delivered a new initial access downloader dubbed IronWind. The downloader was followed by additional stages that consisted of downloaded shellcode.

During the same period, TA402 adjusted its delivery methods, moving from using Dropbox links to using XLL and RAR file attachments, likely to evade detection efforts.…

The contents of this blog post were originally scheduled to be presented during an upcoming cybersecurity conference. However, interest in this topic has heightened due to the war in Israel and a suspected ongoing attack against Israeli targets. As such, we have decided to publish the relevant findings from the presentation now.…


Published On: 2023-11-03

EXECUTIVE SUMMARY

At CYFIRMA, our mission is to equip you with the most cutting-edge insights into the evolving landscape of cybersecurity threats targeting both organizations and individuals. Our research team identified a new RAT on GitHub, available for purchase. This in-depth report investigates the Millenium-RAT, particularly version 2.4, a Win32 executable built on .NET.…


Research led by Ferdous Saljooki.

Background

Jamf Threat Labs has identified a new malware variant attributed to the BlueNoroff APT group. BlueNoroff’s campaigns are financially motivated, frequently targeting cryptocurrency exchanges, venture capital firms and banks. During our routine threat hunting, we discovered a Mach-O universal binary communicating with a domain that Jamf has previously classified as malicious.…

Executive summary

Deep Instinct’s Threat Research team has identified a new campaign from the “MuddyWater” group. The campaign has been observed attacking two Israeli targets. The campaign exhibits updated TTPs compared to previously reported MuddyWater activity.

Figure 1: Campaign overview

Introduction

Previous research showed that MuddyWater has sent spear-phishing emails, starting back in 2020, with direct links, as well as PDF, RTF, and HTML attachments containing links to archives hosted on various file-sharing platforms.…

Key Takeaways

Cyble Research and Intelligence Labs (CRIL) has discovered a new Advanced Persistent Threat (APT) campaign focused on luring unsuspecting victims through phishing websites mimicking well-known software applications. In this campaign, a phishing website was observed masquerading as OpenVPN software tailored for Chinese users and serving as a host to deliver the malicious payload.…

This blog discusses how threat actors abuse Discord’s content delivery network (CDN) to host and spread Lumma Stealer, and talks about added capabilities to the information stealing malware.

Our latest investigation revealed that threat actors are now delivering an information-stealing malware called Lumma Stealer via Discord, a popular chat platform for online gamers, content creators, and streamers.…


Published On: 2023-10-20

Executive Summary

At Cyfirma, we are committed to providing up-to-date information on the most prevalent threats and tactics used by malicious actors to target both organizations and individuals. In this analysis, we delve into a Python-based information stealer, Akira. This report is a comprehensive investigation of this information stealer malware, unpacking its functionality and capabilities.…


The Iranian Crambus espionage group (aka OilRig, APT34) staged an eight-month-long intrusion against a government in the Middle East between February and September 2023. During the compromise, the attackers stole files and passwords and, in one case, installed a PowerShell backdoor (dubbed PowerExchange) that monitored incoming mail on an Exchange Server in order to execute commands sent by the attackers in the form of emails, and surreptitiously forwarded the results to the attackers.…
