Tag: SPAM

Botnet with Clipper Capabilities being pushed via Phishing Sites

The Amadey bot is a Trojan that was first discovered in 2018 and is used to steal sensitive information from the infected device. Initially, it was found to be distributed through exploit kits, and Threat Actors (TAs) utilized it to deploy other malware, such as the GrandCrab ransomware and the Flawed Ammyy Remote Access Trojan.…

Read More

Research by: Karthickkumar Kathiresan and Shilpesh Trivedi

The Uptycs threat research team recently discovered a campaign involving the Titan Stealer malware, which is being marketed and sold by a threat actor (TA) through a Telegram channel for cybercrime purposes. The stealer is capable of stealing a variety of information from infected Windows machines, including credential data from browsers and crypto wallets, FTP client details, screenshots, system information, and grabbed files.…

Read More

The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from January 9th, 2023 (Monday) to January 15th, 2023 (Sunday).

For the main category, downloader ranked top with 38.4%, followed by Infostealer with 37.0%, backdoor with 18.2%, ransomware with 4.0%, CoinMiner with 1.5%.…

Read More
Evasive Infostealer leveraging Phishing and Spam Campaigns for its Delivery

Threat Actors (TAs) are increasingly using spam emails and phishing websites to trick users into downloading malware such as Stealer and Remote Access Trojan (RAT) to infect users’ machines and steal sensitive information.

Cyble Research & Intelligence Labs (CRIL) is actively monitoring various stealer malware and publishing blogs about them to inform and educate its readers.…

Read More

Since October 2022, we’ve been observing multiple malware types delivered via a new dropper strain that we are referring to as “NeedleDropper”. Its name references one of the ways the dropper stores data. NeedleDropper is not just a single executable, it carries several files which together create a malicious execution, extracting files to decrypt and inject malicious code.…

Read More

First identified in 2014 (as the Geodo banking Trojan) and considered by the U.S. Department of Homeland Security (DHS) to be one of the “most costly and destructive malwares” in the world, Emotet appears to be back after four months of inactivity.

Indeed, the spam campaigns had come to an abrupt halt on July 13th, 2022, after being responsible for the compromise of more than one million computers worldwide.…

Read More
Modified Zoom App Employed In Phishing Attack To Deliver IcedID Malware

Zoom is a video conferencing and online meeting platform that allows users to host virtual meetings, webinars, and video conference calls. It is available on various devices, such as desktop computers, laptops, tablets, and smartphones, and can be used for personal and business purposes.…

Read More
Italians Users Targeted by PureLogs Stealer Through Spam Campaigns Executive Summary

During a routine threat-hunting exercise, Cyble Research and Intelligence Labs (CRIL) came across a tweet about PureLogs information stealer by TG Soft. This tool is used by the Threat Actor (TA) “Alibaba2044” to launch a malicious spam campaign at targets based in Italy on the 14th of December 2022.…

Read More
GuLoader is an advanced malware downloader that uses a polymorphic shellcode loader to dodge traditional security solutions CrowdStrike researchers expose complete GuLoader behavior by mapping all embedded DJB2 hash values for every API used by the malware New shellcode anti-analysis technique attempts to thwart researchers and hostile environments by scanning entire process memory for any virtual machine (VM)-related strings New redundant code injection mechanism means to ensure code execution by using  inline assembly to bypass user mode hooks from security solutions

CrowdStrike analyzes malware to augment the behavior and machine learning-based detection and protection capabilities built into the CrowdStrike Falcon® platform to deliver automated, world-class protection to customers. …

Read More
Malware Modifies User’s .LNK files to Establish persistence

During a routine threat-hunting exercise, Cyble Research and Intelligence Labs (CRIL) identified a malicious campaign where we observed Threat Actors (TAs) dropping DarkTortilla malware. DarkTortilla is a complex .NET-based malware that has been active since 2015. The malware is known to drop multiple stealers and Remote Access Trojans (RATs) such as AgentTesla, AsyncRAT, NanoCore, etc.…

Read More
What Happened? Joint research of Checkmarx and Illustria resulted with an anomaly discovered in the open-source ecosystem Over 144,000 packages were published to NuGet, NPM, and PyPi by the same threat actors Investigation revealed a new attack vector – attackers spam open-source ecosystem with packages containing links to phishing campaigns All packages and related user accounts were most likely created using automation The packages share similar project description and auto-generated names The threat actors refer to retail websites with referral ids to benefit the threat actors with referral rewards Our teams disclosed the findings in this report and most of the packages were unlisted Working Together, Keeping the Ecosystem Safe

The ongoing battle against software supply chain attackers continues to be challenging as attackers constantly adapt and surprise with new techniques.…

Read More
 RAT capable of stealing Credit Card Information

A RAT (Remote Access Trojan) is a tool used by Threat Actors (TAs) to gain full access and remote control of a victim’s machine, including mouse and keyboard control, file access, network resources access, etc.  

Cyble Research and Intelligence Labs (CRIL) has been actively monitoring such RATs and blogging about them as and when they emerge.…

Read More
Ransomware potentially targeting organizations dealing in Critical Infrastructure

“TargetCompany” is a type of ransomware that was first identified in June 2021. The researchers named it TargetCompany ransomware because it adds the targeted company name as a file extension to the encrypted files. In September 2022, researchers identified a TargetCompany ransomware variant targeting Microsoft SQL servers and adding the “Fargo” extension to the encrypted files.…

Read More

Cybercriminals have long used Microsoft documents to pass along malware and they are always experimenting with new ways to deliver malicious packages. As defenders, Trustwave SpiderLabs’ researchers are always looking out for new or unusual file types, and through this ongoing research, we uncovered threat actors using a OneNote document to move Formbook malware, an information stealing trojan sold on an underground hacking forum since mid-2016 as malware-as-a-service.…

Read More