Tag: SOCIAL ENGINEERING

From September to December, we detected multiple attacks from the Royal ransomware group. In this blog entry, we discuss findings from our investigation of this ransomware and the tools that Royal ransomware actors used to carry out their attacks.

Royal ransomware may have been first observed by researchers around September 2022, but it has seasoned cybercriminals behind it: The threat actors running this ransomware — who used to be a part of Conti Team One, according to a mind map shared by Vitali Kremez — initially dubbed it Zeon ransomware, until they rebranded it to Royal ransomware.…

Read More

Cloud Atlas (or Inception) is a cyber-espionage group. Since its discovery in 2014, they have launched multiple, highly targeted attacks on critical infrastructure across geographical zones and political conflicts. The group’s tactics, techniques and procedures (TTPs) have remained relatively static over the years. However, since the rapid escalation of the conflict between Russia and Ukraine in 2021 and especially after the outbreak of war in February 2022, the scope of the group’s activities has narrowed significantly, with a clear focus on Russia, Belarus and conflicted areas in Ukraine and Moldova.…

Read More

December 14, 2022

Joshua Miller, Crista Giering and the Proofpoint Threat Research Team

Key Takeaways From at least late 2020 and through 2022, TA453 has engaged in campaigns that deviate from the group’s expected phishing techniques and target victimology.  In these campaigns, TA453 has employed the use of compromised accounts, malware, and confrontational lures to go after targets with a range of backgrounds from medical researchers to realtors to travel agencies.  …
Read More
Latest Strain Spreading Bumblebee and IcedID Malware

Emotet malware strain was first discovered by cyber security researchers in 2014. Initially designed as banking malware to steal sensitive and private information from the victim’s system without their knowledge.

Later versions of Emotet can spam and deliver malware services that download other malware families, including banking trojans and ransomware.…

Read More
What is FormBook malware?

FormBook stealer is an infostealer‍ trojan available as a malware-as-service. This malware is often used by attackers with low technical literacy and little programming knowledge. FormBook can be used to steal various information from infected machines.

Despite how easy it is to set up and use, the malware has advanced stealing and evasion functions including the ability to pull stored and recorded user input.…

Read More

Raccoon is an information stealer malware — a virus that threat actors use to retrieve sensitive data from infected machines. Also known as Mohazo and Racealer, this is a modern malware that was first sighted in 2019.

Although some consider this a relatively basic malware, excellent service from creators, who distribute it as malware as a service and a user-friendly, simplistic dashboard, helped make Raccoon quite popular.…

Read More

This report provides defenders and security operations center teams with the technical details they need to know should they encounter the DeimosC2 C&C framework.

IntroductionWith the rise in attention to Cobalt Strike from network defenders, attackers have been looking to alternative command-and-control (C&C) frameworks Among these, Brute Ratel and Sliver are growing in popularity, having recently been featured in a number of publications.…
Read More
Executive SummarySince mid-2022, SocGholish operators have been significantly diversifying and expanding their infrastructure for staging malware with new servers. This helps the operators to counter defensive operations against known servers and scale up their operation.SocGholish operators have been introducing on average 18 new malware-staging servers per month, with varying server uptimes.…
Read More
Summary

APT-36 (also known as Transparent Tribe) is an advanced persistent threat group attributed to Pakistan that primarily targets users working at Indian government organizations. Zscaler ThreatLabz has been closely monitoring the activities of this group throughout 2022. Our tracking efforts have yielded new intelligence about this APT group that has not previously been documented.…

Read More

April 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather.

DEV-0206 is now tracked as Mustard Tempest DEV-0243 is now tracked as Manatee Tempest DEV-0950 is now tracked as Lace Tempest DEV-0651 is now tracked as Storm-0651 DEV-0856 is now tracked as Storm-0856

To learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.…

Read More

Our latest Brand Phishing Report for Q3 2022 highlights the brands which were most frequently imitated by criminals in their attempts to steal individuals’ personal information or payment credentials during July, August and September.

While LinkedIn was the most imitated brand in both Q1 and Q2 2022, it’s shipping company DHL that took the top spot in Q3, accounting for twenty-two percent of all phishing attempts worldwide.…

Read More

By Nati Tal (Guardio Labs) — BadEx II

TL;DR

The “Dormant Colors” is yet another vast campaign of malicious extensions with millions of active installations worldwide, this time with a color-related theme and full of deception all through the chain. It starts with the trickery malvertising campaign, continues with a crafty novel way to side-load the real malicious code without anyone noticing (until now!),…

Read More

Published On : 2022-10-14

Infostealer Prynt Malware a Deep Dive into Its Process Injection Technique EXECUTIVE SUMMARY

CYFIRMA Research team has seen an uptick in threat actor orchestrated cyber campaigns aimed at stealing confidential and sensitive information. Infostealers like “Prynt” are used to exfiltrate information as the first step leading into orchestration of sophisticated attacks which may include deployment of ransomwares.…

Read More

By Daksh Kapur · October 6, 2022

What is BazarCall?

As nicely defined in this article by Microsoft:

BazarCall campaigns forgo malicious links or attachments in email messages in favor of phone numbers that recipients are misled into calling. It’s a technique reminiscent of vishing and tech support scams where potential victims are being cold called by the attacker, except in BazarCall’s case, targeted users must dial the number.…

Read More