Attackers are increasingly using OneNote documents to distribute malware, due to the heightened security measures against macro-based attacks and the widespread adoption and popularity of the platform. Analyzing several related case studies, this article showcases the obfuscation techniques used by threat actors to bypass threat detection measures and deceive users into executing malware on their systems via OneNote.…
Tag: SPAM
Microsoft OneNote is a file type now entrenched in the ongoing saga of abused file formats leveraged by adversaries to reach through defenses and deliver malware payloads to end users. Recently, we have seen OneNote’s sudden rise to prominence, following a pattern of other types of files used in the same capacity.…
Summary
APT-C-36, also known as Blind Eagle, has been actively targeting organizations in Colombia and Ecuador since at least 2019. It relies on spear-phishing emails sent to specific and strategic companies to conduct its campaigns. On Feb. 20, the BlackBerry Research and Intelligence team witnessed a new campaign where the threat actor impersonated a Colombian government tax agency to target key industries in Colombia, including health, financial, law enforcement, immigration, and an agency in charge of peace negotiation in the country.…
Unveiling the Latest NPM Ecosystem Threat: Thousands of SPAM Packages Flood the Network, A New Discovery by Checkmarx
What Happened?A sudden surge of thousands of SPAM packages were uploaded to the NPM open-source ecosystem from multiple user accounts within hours. Further investigation uncovered a recurring attack method, in which cyber attackers utilize spamming techniques to flood the open-source ecosystem with packages that include links to phishing campaigns in their README.md…
Threat Actor Uses Digital Certificate as a Cover to Hide Malicious Script
Read More Threat Actors (TAs) are constantly devising new methods to infect users for various reasons, such as avoiding detection from anti-virus solutions, increasing the chances of successfully infecting their targets, and inventive ways to compromise their victims.…
Sophisticated Malware Employs Multi-Pronged Data Exfiltration
Read More DarkCloud is an Information Stealer Malware. It was first spotted by researchers in 2022. Such malware is designed to collect sensitive information from a victim’s computer or mobile device. Information stealers can be used to gather a variety of data, including passwords, credit card numbers, social security numbers, and other personal or financial information.…
In recent years, efforts to apprehend threat groups and shrink their operating landscape have gone international. As authorities across multiple countries continue to implement sanctions and openly communicate current trends to the public, threat groups increasingly resort to rebranding or creating similar variants under different names to sidestep crackdowns and obfuscate their identities.…
Last October, Trustwave SpiderLabs blogged about the use and prevalence of HTML email attachments to deliver malware and phishing for credentials. The use of HTML smuggling has become more prevalent, and we have since seen various cybercriminal groups utilizing these techniques to distribute malware.
Views: 0…
Key FindingsProofpoint began tracking a new threat actor, TA866.
Proofpoint researchers first observed campaigns in October 2022 and activity has continued into 2023.
The activity appears to be financially motivated, largely targeting organizations in the United States and Germany.
With its custom toolset including WasabiSeed and Screenshotter, TA866 analyzes victim activity via screenshots before installing a bot and stealer.…
Read More The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from January 30th, 2023 (Monday) to February 5th, 2023 (Sunday).
For the main category, downloader ranked top with 39.3%, followed by Infostealer with 28.8%, backdoor with 27.0%, ransomware with 2.6%, and CoinMiner with 2.2%.…
The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from January 23rd, 2023 (Monday) to January 29th, 2023 (Sunday).
For the main category, downloader ranked top with 44.2%, followed by Infostealer with 34.3%, backdoor with 18.5%, ransomware with 2.6%, and CoinMiner with 0.4%.…
Threat Actors Ramp Up OneNote Attachment Usage in their Attacks
Read More Threat Actors (TAs) are using spam emails to trick individuals into downloading malware, such as Remote Access Trojans (RATs) and Stealers, to infect their devices and steal sensitive information. Cyble Research & Intelligence Labs (CRIL) closely monitors different malware families and routinely publishes informative blogs to educate our readers.…
Threat Actor Leveraging Microsoft OneNote To infect Users
Read More Threat Actors (TAs) continuously adopt new tactics for infecting users for several reasons, including avoiding detection by anti-virus solutions, increasing the likelihood of successful infections, and seeking the challenge of creating new methods of infecting victims.
Recently, several malware families have been spotted using OneNote attachments in their spam campaigns.…
Evasive Malware Targeting Remote Desktop Files
Read More Information stealers are malware designed to steal sensitive information from infected computers, such as login credentials, financial data, and personal information. They typically do this by searching for specific types of files and data on the infected computer and then exfiltrating that information to a remote server controlled by the attackers.…
The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from January 16th, 2022 (Monday) to January 22nd, 2023 (Sunday).
For the main category, Infostealer ranked top with 43.0%, followed by downloader with 30.06%, backdoor with 19.9%, ransomware with 3.8%, CoinMiner 2.4%, and baking malware with 0.3%.…
Summary
Emotet, a Trojan that is primarily spread through spam emails, has been a prevalent issue since its first appearance in 2014. With a network made up of multiple botnets, denoted as “epochs” by security research team Cryptolaemus, Emotet has continuously sent out spam emails in campaigns designed to infect users via phishing attacks.…
Key TakeawaysTA444 is a North Korea state-sponsored threat actor that tested numerous infection methods in 2022 with varying degrees of success.
TA444 is a unicorn among state-aligned actors as its primary operations are financially motivated, and their infection chains are often a microcosm of the cybercrime threat landscape at large. …
Read More
Botnet with Clipper Capabilities being pushed via Phishing Sites
Read More The Amadey bot is a Trojan that was first discovered in 2018 and is used to steal sensitive information from the infected device. Initially, it was found to be distributed through exploit kits, and Threat Actors (TAs) utilized it to deploy other malware, such as the GrandCrab ransomware and the Flawed Ammyy Remote Access Trojan.…
Research by: Karthickkumar Kathiresan and Shilpesh Trivedi
The Uptycs threat research team recently discovered a campaign involving the Titan Stealer malware, which is being marketed and sold by a threat actor (TA) through a Telegram channel for cybercrime purposes. The stealer is capable of stealing a variety of information from infected Windows machines, including credential data from browsers and crypto wallets, FTP client details, screenshots, system information, and grabbed files.…
The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from January 9th, 2023 (Monday) to January 15th, 2023 (Sunday).
For the main category, downloader ranked top with 38.4%, followed by Infostealer with 37.0%, backdoor with 18.2%, ransomware with 4.0%, CoinMiner with 1.5%.…