Knowledge is our best weapon in the fight against cybercrime. An understanding of how various gangs operate and what tools they use helps build competent defenses and investigate incidents. This report takes a close look at the history of the Cuba group, and their attack tactics, techniques and procedures.…
Tag: TOOL
Since February 2023, Microsoft has observed password spray activity against thousands of organizations carried out by an actor we track as Peach Sandstorm (HOLMIUM). Peach Sandstorm is an Iranian nation-state threat actor who has recently pursued organizations in the satellite, defense, and pharmaceutical sectors around the globe.…
Authored by Yashvi Shah
Agent Tesla functions as a Remote Access Trojan (RAT) and an information stealer built on the .NET framework. It is capable of recording keystrokes, extracting clipboard content, and searching the disk for valuable data. The acquired information can be transmitted to its command-and-control server via various channels, including HTTP(S), SMTP, FTP, or even through a Telegram channel.…
A new ransomware family calling itself 3AM has emerged. To date, the ransomware has only been used in a limited fashion. Symantec’s Threat Hunter Team, part of Broadcom, has seen it used in a single attack by a ransomware affiliate that attempted to deploy LockBit on a target’s network and then switched to 3AM when LockBit was blocked.…
Research by: Niv Asraf
Abstract
In the last two months, Check Point researchers encountered a new large-scale phishing campaign that recently targeted more than 40 prominent companies across multiple industries, in Colombia. The attackers’ objective was to discreetly install the notorious “Remcos” malware on victims’ computers.…
Espionage actors are continuing to mount attacks on critical national infrastructure (CNI) targets, a trend that has become a source of concern for governments and CNI organizations worldwide. Symantec’s Threat Hunter Team has found evidence that a threat actor group Symantec calls Redfly used the ShadowPad Trojan to compromise a national grid in an Asian country for as long as six months earlier this year.…
This year has seen an explosion of infostealers targeting the macOS platform. Throughout 2023, we have observed a number of new infostealer families including MacStealer, Pureland, Atomic Stealer and RealStealer (aka Realst). Over the last few months, we have also been tracking a family of macOS infostealers we call ‘MetaStealer’.…
Introduction
Read More Zscaler ThreatLabz recently discovered a new stealing campaign dubbed as the “Steal-It” campaign. In this campaign, the threat actors steal and exfiltrate NTLMv2 hashes using customized versions of Nishang’s Start-CaptureServer PowerShell script, executing various system commands, and exfiltrating the retrieved data via Mockbin APIs.
Through an in-depth analysis of the malicious payloads, our team observed a geofencing strategy employed by the campaign, with specific focus on targeting regions including Australia, Poland, and Belgium.…
BlueShell is a backdoor developed in Go. It is available on GitHub and supports Windows, Linux, and Mac operating systems. Currently, it seems the original GitHub repository has been deleted, but the BlueShell source code can be downloaded from other repositories. Notably, the ReadMe file containing the guidelines is in Chinese, and this suggests that the creator may be a Chinese speaker.…
Investigating the Senders
Read More Using Microsoft Purview’s eDiscovery tool we searched for the senders (participants) in Microsoft Teams.
The senders of the external Microsoft Teams chat messages were identified as “Akkaravit Tattamanas” (63090101@my.buu.ac.th) and “ABNER DAVID RIVERA ROJAS” (adriverar@unadvirtual.edu.co). Truesec Threat Intelligence confirmed the accounts were compromised via an unknown malware and put up for sale on the Dark Web in August 2023.…
Hàng tháng, Chúng tôi – GTSC tổng hợp lại các thông tin về bảo mật về APT, Malware, CVEs và gói gọn nó vào trong một bài tổng hợp.
1.1 Chimera GroupNCC Group và Fox-IT đã và đang theo dõi một nhóm tấn công với nhiều mục tiêu đa dạng, từ các sở hữu trí tuệ (IP) của các nạn nhân trong ngành công nghiệp chất bán dẫn cho đến dữ liệu từ ngành công nghiệp hàng không.…
A burgeoning attack involving Google Looker Studio is making the rounds. In the last few weeks, we’ve seen over a hundred of these attacks.
Google Looker Studio is a tool that converts information—slideshows, spreadsheets, etc—into visualized data, such as charts and graphs.
Hackers are utilizing it to create fake crypto pages that are designed to steal money and credentials.…
Cybercriminals are abusing Advanced Installer, a legitimate Windows tool used for creating software packages, to drop cryptocurrency-mining malware on infected machines. This activity has been ongoing since at least November 2021.
The attacker uses Advanced Installer to package other legitimate software installers, such as Adobe Illustrator, Autodesk 3ds Max and SketchUp Pro, with malicious scripts and uses Advanced Installer’s Custom Actions feature to make the software installers execute the malicious scripts.…
Read More Affected platforms: Windows and macOSImpacted parties: Users of vulnerable versions of Adobe ColdFusionImpact: Remote attackers gain control of vulnerable systemsSeverity level: Critical
This past July, Adobe responded to reports of exploits targeting pre-authentication remote code execution (RCE) vulnerabilities in their ColdFusion solution by releasing a series of security updates: APSB23-40, APSB23-41, and APSB23-47.…
Scarleteel 2.0 and the MITRE ATT&CK framework | Sysdig
In this blog post, we will take a comprehensive dive into a real-world cyber attack that reverberated across the digital realm – SCARLETEEL. Through an in-depth analysis of this notorious incident using the MITRE ATT&CK framework, we aim to unearth invaluable insights into the operational tactics of cyber adversaries.…
In early August, ReversingLabs identified a malicious supply chain campaign that the research team dubbed “VMConnect.” That campaign consisted of two dozen malicious Python packages posted to the Python Package Index (PyPI) open-source repository. The packages mimicked popular open-source Python tools, including vConnector, a wrapper module for pyVmomi VMware vSphere bindings; eth-tester, a collection of tools for testing Ethereum-based applications; and databases, a tool that gives asynchronous support for a range of databases. …
In ancient Greek mythology, Medusa stands as one of the most iconic and feared figures. With a head full of venomous snakes in place of hair, she had the power to turn anyone who gazed upon her into stone. This Gorgon, once a beautiful maiden, became synonymous with terror and dread. …
This post is also available in: 日本語 (Japanese)
Executive SummaryEarlier this month, our quiz Crossing the Line: Unit 42 Wireshark Quiz for RedLine Stealer introduced a packet capture (pcap) from July 2023 with a RedLine Stealer infection. This article provides answers to the quiz, and it offers a more in-depth look at RedLine Stealer traffic.…
Introduction
Read More In our persistent quest to decode DuckTail’s maneuvers, Zscaler ThreatLabz began an intelligence collection operation in May 2023. Through an intensive three-month period of monitoring, we obtained critical details about DuckTail’s operational framework. This expedition granted us unprecedented visibility into DuckTail’s end-to-end operations, spanning the entire kill chain from reconnaissance to post-compromise.…
Targeted attacks
Gopuram backdoor deployed through 3CX supply-chain attack
Read More Earlier this year, a Trojanized version of the 3CXDesktopApp, a popular VoIP program, was used in a high-supply-chain attack. The attackers were able to embed malicious code into the libffmpeg media processing library to download a payload from their servers.…