AhnLab Security Emergency response Center (ASEC) monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from March 5th, 2023 to March 11th, 2023 and provide statistical information on each type.…
Tag: SOCIAL ENGINEERING
Key Takeaways
Proofpoint has observed recent espionage-related activity by TA473, including yet to be reported instances of TA473 targeting US elected officials and staffers. TA473 is a newly minted Proofpoint threat actor that aligns with public reporting on Winter Vivern.
TA473 since at least February 2023 has continuously leveraged an unpatched Zimbra vulnerability in publicly facing webmail portals that allows them to gain access to the email mailboxes of government entities in Europe.…
Read More
Executive Summary
Our insights into a recent NullMixer malware operation revealed Italy and France are the favorite European countries from the opportunistic attackers’ perspective.
In thirty days, the operation we monitored was capable to establish initial access to over 8 thousand endpoints and steal sensitive data that are now reaching the underground black markets.…
Read More
Intezer has been tracking activity targeting the energy sector and noted a campaign with techniques that align with those of Bitter APT, operating in the Asia-Pacific region.
We have made the connection to Bitter APT through tactics, techniques, and procedures (TTPs) that have been observed in other publications, such as the use of Microsoft Office exploits through Excel files, and the use of CHM and Windows Installer (MSI) files.…
Recently, InQuest Labs analysts responded to a credential phishing attack discovered by a municipal government organization. The following threat sequence was observed:
The email arrived from a compromised sender account address. The sender organization in the observed samples is the municipality’s county health agency.
The email is a lure posing as a payment invoice, with subjects including: Payment Due Payment The HTML email contains a URL pointing to a PDF document stored on Raven (app.raven[.]com),…
Summary
Read More
At Zscaler ThreatLabz, we have been closely monitoring the tools, techniques and procedures (TTPs) of APT37 (also known as ScarCruft or Temp.Reaper) – a North Korea-based advanced persistent threat actor. This threat actor has been very active in February and March 2023 targeting individuals in various South Korean organizations.…
In November 20211 and February 2022,2 Microsoft announced that by default it would block Excel 4 and VBA macros in files that were downloaded from the internet. Following these changes, CrowdStrike Intelligence and the CrowdStrike Falcon® Complete managed detection and response team observed eCrime adversaries that had previously relied on macro execution for malware delivery adapt their tactics, techniques and procedures (TTPs). …
Research by: Shilpesh Trivedi and Tejaswini Sandapolla
The Uptycs Threat Research Team has discovered a new infostealer. Spread by multiple bundlers and new on cybercrime forums, HookSpoofer has keylogging and clipper abilities. (A bundler combines two or more files in a single package.) It sends its stolen data to a Telegram bot.…
By Daksh Kapur · February 28, 2023
Figure 1 (image from freepik.com and flaticon.com)
The current economic climate globally is grim because of the ongoing recession. In this environment, job-themed emails have become a prime target for cybercriminals looking to exploit vulnerable individuals.
Trellix Advanced Research Center has observed cybercriminals using phishing and malware campaigns to target job seekers in a bid to steal sensitive information.…
FortiGuard Labs has observed a new LockBit ransomware campaign during last December and January using a combination of techniques effective against AV and EDR solutions. LockBit has been one of the more dangerous ransomware, active since 2019. It was part of several successful attacks against a large variety of industries, including critical infrastructure.…
Microsoft OneNote is a file type now entrenched in the ongoing saga of abused file formats leveraged by adversaries to reach through defenses and deliver malware payloads to end users. Recently, we have seen OneNote’s sudden rise to prominence, following a pattern of other types of files used in the same capacity.…
While monitoring different malicious packages found in public software repositories, ReversingLabs researchers have noticed an increase of malicious HTTP libraries on the Python Package Index (PyPI) repository. Actually, we should air-quote “HTTP libraries.” In reality, most of these are simple, malicious packages bearing names that are Frankenstein-like amalgamations of the acronym “HTTP”.…
Microsoft Office documents are used worldwide by both corporates and home-users alike. It’s different office versions, whether licensed or unlicensed offers users an easy way to create and modify files. However, this software is also susceptible to cyberattacks.
Cybercriminals often take advantage of its vulnerability and use VBA (Visual Basic Application) macros as entry points to gain access to targeted systems and devices.…
Executive Summary
Read More
EclecticIQ researchers observed multiple weaponized phishing emails probably targeting the Security Service of Ukraine (SSU), NATO allies like Latvia, and private companies such as Culver Aviation – a Ukrainian aviation company. Multiple overlaps between these incidents and previous attacks of the Gamaredon APT group (4), such as command and control infrastructures and adversary techniques, helped analysts to highly likely attribute these latest attacks to the Gamaredon group.…
We discovered a new backdoor which we have attributed to the advanced persistent threat actor known as Earth Kitsune, which we have covered before. Since 2019, Earth Kitsune has been distributing variants of self-developed backdoors to targets, primarily individuals who are interested in North Korea.
IntroductionWe discovered a new backdoor which we have attributed to the advanced persistent threat actor known as Earth Kitsune, which we have covered before.…
As part of the ReversingLabs research team’s ongoing surveillance of open source repositories, we have identified aabquerys, a malicious npm package that downloads second and third stage malware payloads to systems that have downloaded and run the npm package. …
Last October, Trustwave SpiderLabs blogged about the use and prevalence of HTML email attachments to deliver malware and phishing for credentials. The use of HTML smuggling has become more prevalent, and we have since seen various cybercriminal groups utilizing these techniques to distribute malware.…
In September of last year, our Incident Response team was called to an incident that was identified as an attempt of social engineering an online customer service platform. Due to custom-built rules and extensive employee awareness training, we were able to push back these threats. By ingesting the tactics, techniques & procedures (TTPs) of the incident into our autonomous enrichment technology, Arpia, we were able to detect and respond to three other incidents, preventing our clients from being compromised by the mysterious threat actor.…
Threat Actors Ramp Up OneNote Attachment Usage in their Attacks
Read More
Threat Actors (TAs) are using spam emails to trick individuals into downloading malware, such as Remote Access Trojans (RATs) and Stealers, to infect their devices and steal sensitive information. Cyble Research & Intelligence Labs (CRIL) closely monitors different malware families and routinely publishes informative blogs to educate our readers.…
EXECUTIVE SUMMARY
Since at least 2019, the Mustang Panda threat actor group has targeted government and public sector organizations across Asia and Europe [3] with long-term cyberespionage campaigns in line with strategic interests of the Chinese government.
In November 2022, Mustang Panda shifted from using archive files to using malicious optical disc image (ISO) files containing a shortcut (LNK) file to deliver the modified version of PlugX malware.…
Read More