A new remote code execution vulnerability called “Follina” has been found lurking in most Microsoft products. In this blog, we examine a potential attack vector as well as technical details of Follina, and chart the ability to detect this new vulnerability using both Qualys Multi-Vector EDR and Qualys Context XDR.…
Tag: TOOL
Saitama is a backdoor that uses the DNS protocol to encapsulate its command and control (C2) messages – a technique known as DNS Tunneling (MITRE ATT&CK T1071). Spotted and documented by MalwareBytes in two articles posted last month (How the Saitama backdoor uses DNS tunneling and APT34 targets Jordan Government using new Saitama backdoor), Saitama was used in a phishing e-mail targeted to a government official from Jordan’s foreign ministry on an attack attributed to the Iranian group APT34.…
Introduction
Read More
Check Point Research uncovers a recent Iranian-based spear-phishing operation aimed against former Israeli officials, high-ranking military personnel, research fellows in research institutions, think tanks, and against Israeli citizens. The attacks use a custom phishing infrastructure, as well as a wide array of fake email accounts to impersonate trusted parties.…
Photo by Sara Kurfeß on Unsplash
Read More
During the course of our work at Confiant, we see malicious activity on a daily basis. What matters the most for us is the ability to:
Protect our existing customers. Share unique threat intelligence. Keep finding unique vantage points for better detection.…
Key points
PureCrypter is a fully-featured loader being sold since at least March 2021
The malware has been observed distributing a variety of remote access trojans and information stealers
The loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption and obfuscation to evade antivirus software products
PureCrypter features provide persistence, injection and defense mechanisms that are configurable in Google’s Protocol Buffer message format
Summary
Read More
PureCrypter is actively being developed by a threat actor using the moniker “PureCoder”.…
Rootkits are dangerous pieces of malware. Once in place, they are usually really hard to detect. Their code is typically more challenging to write than other malware, so developers resort to code reuse from open source projects. As rootkits are very interesting to analyze, we are always looking out for these kinds of samples in the wild.…
This post is also available in: 日本語 (Japanese)
Executive SummaryUnit 42 recently identified a new, difficult-to-detect remote access trojan named PingPull being used by GALLIUM, an advanced persistent threat (APT) group.
Unit 42 actively monitors infrastructure associated with several APT groups. One group in particular, GALLIUM (also known as Softcell), established its reputation by targeting telecommunications companies operating in Southeast Asia, Europe and Africa.…
This research is a joint effort between Joakim Kennedy, Security Researcher at Intezer, and the BlackBerry Research & Intelligence Team. It can be found on the Intezer blog here as well.
In biology, a symbiote is an organism that lives in symbiosis with another organism. The symbiosis can be mutually beneficial to both organisms, but sometimes it can be parasitic when one benefits and the other is harmed.…
Active since 2017, Lyceum group is a state-sponsored Iranian APT group that is known for targeting Middle Eastern organizations in the energy and telecommunication sectors and mostly relying on .NET based malwares.
Zscaler ThreatLabz recently observed a new campaign where the Lyceum Group was utilizing a newly developed and customized .NET…
Executive Summary
Aoqin Dragon, a threat actor SentinelLabs has been extensively tracking, has operated since 2013 targeting government, education, and telecommunication organizations in Southeast Asia and Australia.
Aoqin Dragon seeks initial access primarily through document exploits and the use of fake removable devices.
Other techniques the attacker has been observed using include DLL hijacking, Themida-packed files, and DNS tunneling to evade post-compromise detection.…
Read More
Sophisticated loader delivers Cobalt-Strike Beacons
Read More
In March 2022, a new malware named “Bumblebee” was discovered and reportedly distributed via spam campaigns. Researchers identified that Bumblebee is a replacement for BazarLoader malware, which has delivered Conti Ransomware in the past. Bumblebee acts as a downloader and delivers known attack frameworks and open-source tools such as Cobalt Strike, Shellcode, Sliver, Meterpreter, etc.…
This post is also available in: 日本語 (Japanese)
Executive SummaryTo better detect attacks that affect the actions of signed applications – such as supply-chain attacks, dynamic-link libraries (DLL) hijacking, exploitation and malicious thread injection – we have devised a suite of analytics detectors that are able to detect global statistical anomalies.…
In this multi-day intrusion, we observed a threat actor gain initial access to an organization by exploiting a vulnerability in ManageEngine SupportCenter Plus. The threat actor, discovered files on the server and dumped credentials using a web shell, moved laterally to key servers using Plink and RDP and exfiltrated sensitive information using the web shell and RDP.…
Sitting on a sunny beach full of sparkling sand. Exploring the jungle looking for exotic animals and plants. Diving into a deep blue sea where sunlight has a difficult time reaching. Partying all night at clubs in a city you have never been to. Holding hands with friends around a campfire singing Kumbaya.…
UNC2165 Overlaps with Evil Corp Activity
Read More
OFAC sanctions against Evil Corp in December 2019 were announced in conjunction with the Department of Justice’s (DOJ) unsealing of indictments against individuals for their roles in the Bugat malware operation, updated versions of which were later called DRIDEX. DRIDEX was believed to operate under an affiliate model with multiple actors involved in the distribution of the malware.…
In a recent blog post by Microsoft, a new Zero-Day vulnerability (CVE-2022-30190) was discussed. This vulnerability affects Microsoft Support Diagnostic Tool (MSDT), and the blog post provides some guidance on mitigating the impact of this vulnerability.
The post mentions that a Remote Code Execution (RCE) vulnerability present in MSDT allows the attackers to execute arbitrary code by exploiting it.…
Users of WSO2 products are advised to update their respective products and platforms or to apply the temporary mitigation steps immediately.
We observed vulnerability CVE-2022-29464 being exploited in the wild since April, allowing unrestricted file uploads resulting to arbitrary remote code execution (RCE). Disclosed and patched in April, the security gap was ranked Critical at 9.8 and affects a number of WSO2 products.…
Trustwave SpiderLabs in early April observed a Grandoreiro malware campaign targeting bank users from Brazil, Spain, and Mexico. The campaign exploits the tax season in target countries by sending out tax-themed phishing emails.…
Given the current fluctuations in the energy market and the related rise in prices to consumers, it should be no surprise that threat actors are using lures to exploit the global interest in this issue.
FortiGuard Labs recently discovered an e-mail using this tactic. The message was delivered to a coffee company in Ukraine that was seemingly sent by an oil provider in Saudi Arabia.…