Malware Family   PDB Path / Project Path
Carberp          bootkit.old/FJ/
ISFB             d:\work\projects\bk2\bin\release\i386\FJ.pdb

(The bk2 project name in the file path stands for “Bootkit v2”.)

FJ.exe is the tool responsible for creating the JJ, J1, J2, or WD fields on URSNIF payloads based on the variant. But in LDR4 those magic bytes are missing, and the hidden files usually hardcoded at the end of the payload are now gone.…

ESET researchers discovered and analyzed a set of malicious tools that the notorious Lazarus APT group used in attacks in the autumn of 2021. The campaign began with spearphishing emails. These arrived as fake Amazon emails and targeted an employee of an aerospace company in the Netherlands and a political journalist in Belgium.…

Author: Tomer Bar, VP Security Research, SafeBreach

As part of our ongoing commitment to conducting original research to uncover new threats and ensure our Hacker’s Playbook provides the most comprehensive collection of attacks, the SafeBreach Labs research team recently discovered a new fully undetectable (FUD) PowerShell backdoor that leverages a novel approach of disguising itself as part of the Windows update process.…

Executive Summary

Ransom Cartel is ransomware as a service (RaaS) that surfaced in mid-December 2021. This ransomware performs double extortion attacks and exhibits several similarities and technical overlaps with REvil ransomware. REvil ransomware disappeared just a couple of months before Ransom Cartel surfaced and just one month after 14 of its alleged members were arrested in Russia.…

A new adversary simulation tool is steadily growing in popularity among red teamers and, most recently, adversaries. Brute Ratel states on its website that it “is the most advanced Red Team & Adversary Simulation Software in the current C2 Market.” Many of these products are marketed to assist blue teams in validating detection, prevention, and gaps in coverage.…

This is the fourth blog post in a four-part series. Read Part 1 | Part 2 | Part 3.

In Part 3, CrowdStrike’s Endpoint Protection Content Research Team covered the finer points of Input/Output Control (IOCTL) usage by various wipers. The fourth and final part of the wiper series covers some of the rarely used “helper” techniques implemented by wipers, which achieve secondary goals or facilitate a smaller portion of the wiping process.…

Dubbed information stealer spotted stealing sensitive Data

Phishing sites are becoming an increasingly attractive vehicle for Threat Actors (TAs) to lure victims, steal their sensitive information, and download other malware, such as RATs, ransomware, etc., to damage the victim’s machine. Generally, the links to these phishing pages reach users via SMS, email, social networks, etc.…

Windows Shortcut files used to deliver payload

Online digital tools are used by many people today simply due to their ease of use and the fact that they provide a platform for the user to perform various operations effectively. These tools are web-based software hosted on websites and can be accessed via the internet without having to download and install anything on the user’s machine.…

Checkmarx discovered ~200 malicious NPM packages with thousands of installations linked to an attack group called “LofyGang”.

This attack group has been operating for over a year with multiple hacking objectives:

- Credit card information
- Discord “Nitro” (premium) upgrades
- Streaming services accounts (e.g. Disney+), Minecraft accounts, and more.…

Contributions from Matt Thaxton.

Cisco Talos discovered a new attack framework including a command and control (C2) tool called “Alchimist” and a new malware family, “Insekt”, with remote administration capabilities. Alchimist has a web interface in Simplified Chinese with remote administration features. The attack framework is designed to target Windows, Linux and Mac machines.…

By Joey Chen and Amitai Ben Shushan Ehrlich, with additional insights from QGroup

Executive Summary

A new threat cluster we track as WIP19 has been targeting telecommunications and IT service providers in the Middle East and Asia. We assess it is highly likely this activity is espionage-related and that WIP19 is a Chinese-speaking threat group.…

CVE-2021-44228 and CVE-2021-45105) to compromise the Apache Tomcat service on servers in order to install web shells. The attackers used Virtual Private Servers (VPS) hosted on Vultr and Telstra as command-and-control (C&C) servers.

Budworm’s main payload continues to be the HyperBro malware family, which is often loaded using a technique known as dynamic-link library (DLL) side-loading.…

Overview

Attackers generally install malware in a variety of ways, such as attachments to spear-phishing emails, malvertising, exploitation of vulnerabilities, or uploading malware disguised as legitimate software to websites. The installed malware includes infostealers that harvest information from the infected system, ransomware that encrypts files and demands payment, and DDoS bots used for DDoS attacks. Backdoors and RATs are also among the representative malware types used by attackers.…

FortiGuard Labs has observed an increasing number of campaigns targeting either side of the ongoing Russian-Ukrainian conflict. These may be a cyber element of the conflict or simply opportunistic threat actors taking advantage of the war to further their malicious objectives.

Recently, we encountered a malicious Excel document masquerading as a tool to calculate salaries for Ukrainian military personnel.…

For over 10 years, security researchers have been observing and keeping tabs on the APT group Earth Aughisky’s malware families and their connections, including previously documented malware that has yet to be attributed.

For security researchers and analysts monitoring advanced persistent threat (APT) groups’ attacks and tools, Earth Aughisky (also known as Taidoor) is among the more active units that consistently make security teams vigilant.…

Threat Actor Leveraging Discord Channel to Spread Malware

Cyble Research and Intelligence Labs (CRIL) has continuously monitored phishing campaigns that distribute different malware families, such as stealers and proxyware, among others.

Recently, CRIL identified a malicious site, hxxps://cloud-spoofer[.]xyz, which redirects the user to a Discord channel where the Threat Actor (TA) announces the sale of a spoofer for getting unbanned from FiveM.…
