Stay Ahead of Cyber Threats – Daily Security Insights, Powered by AI
In 2006, the term “data is the new oil” was coined. Ever since then, the value of data has just increased. We live in a world where many corporations collect data on users in an attempt to monetize it.…
Raccoon Stealer was one of the most prolific information stealers in 2021, being used by multiple cybercriminal actors. Due to its wide stealing capabilities, the customizability of the malware and its ease of use, Raccoon Stealer was highly popular among threat actors. The malware was mainly distributed using fake installers, or as cracked versions of popular software.…
We look into a recent attack orchestrated by the Black Basta ransomware group that used the banking trojan QakBot as a means of entry and movement and took advantage of the PrintNightmare vulnerability to perform privileged file operations.
Since it became operational in April, Black Basta has garnered notoriety for its recent attacks on 50 organizations around the world and its use of double extortion, a modern ransomware tactic in which attackers encrypt confidential data and threaten to leak it if their demands are not met.…
CERT-UA broke news on June 10, 2022 that various media outlets in Ukraine were targeted with emails containing a malicious document “СПИСОК_посилань_на_інтерактивні_карти.docx” (translated to English as “LIST_of_links_interactive_maps.docx”). According to the report, the document leverages a then zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT), CVE-2022-30190 (Follina).…
ReversingLabs recently discovered instances of the AstraLocker 2.0 malware distributed directly from Microsoft Word files used in phishing attacks.
Executive SummaryReversingLabs recently discovered of a new version of the AstraLocker ransomware (AstraLocker 2.0) that was being distributed directly from Microsoft Office files used as bait in phishing attacks.…
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.…
Cyble Research Labs has constantly been tracking emerging threats and their delivery mechanisms. We have observed a surge in the use of .lnk files by various malware families. Some of the prevalent malware families using .lnk files for their payload delivery of late are:
Additionally, we have seen many APT instances where the Threat Actors (TAs) leverage .lnk…
ToddyCat is a relatively new APT actor that we have not been able to relate to other known actors, responsible for multiple sets of attacks detected since December 2020 against high-profile entities in Europe and Asia. We still have little information about this actor, but we know that its main distinctive signs are two formerly unknown tools that we call ‘Samurai backdoor’ and ‘Ninja Trojan’.…
By Flavio Costa,
In a recent customer engagement, we observed a month-long AvosLocker campaign. The attackers utilized several different tools, including Cobalt Strike, Sliver and multiple commercial network scanners. The initial ingress point in this incident was a pair of VMWare Horizon Unified Access Gateways that were vulnerable to Log4Shell.…FortiGuard Labs has encountered version 3.0 of what is now dubbed IceXLoader, a new malware loader being advertised in malware hacking forums.
IceXLoader is a commercial malware used to download and deploy additional malware on infected machines. The latest version is written in Nim, a relatively new language utilized by threat actors the past two years, most notably by the NimzaLoader variant of BazarLoader used by the TrickBot group.…
Author: S2W TALON
Last Modified : 2022.06.16.
Photo by Gary Bendig on Unsplash Executive SummaryOn March 25, 2022, the operator of Raccoon Stealer, who was active on the dark web forum, temporarily suspended his activities since a key developer died in the Russia-Ukraine War. On May 17, 2022, the operator mentioned that the development of a new version of the stealer was completed, and uploaded details of changes, improvements, and prices to their Telegram channel.…We found updated samples of the CopperStealer malware infecting systems via websites hosting fake software.
We noticed a new version of CopperStealer and analyzed these samples to be related to a previous campaign we’ve documented. We examined this new version reusing parts of code and observed the following similarities from previous versions:
The same cryptor Use of Data Encryption Standard (DES) with the same key The same name of the DLL export function (for later versions of CopperStealer) Data exfiltration to a Telegram channel (for later versions of CopperStealer) Use of the executable utility MiniThunderPlatformFirst Stage: Cryptor
We observed CopperStealer‘s binary being encrypted and appended to a legitimate application with its entry point overwritten by a shellcode.…
A new remote code execution vulnerability called “Follina” has been found lurking in most Microsoft products. In this blog, we examine a potential attack vector as well as technical details of Follina, and chart the ability to detect this new vulnerability using both Qualys Multi-Vector EDR and Qualys Context XDR.…
Saitama is a backdoor that uses the DNS protocol to encapsulate its command and control (C2) messages – a technique known as DNS Tunneling (MITRE ATT&CK T1071). Spotted and documented by MalwareBytes in two articles posted last month (How the Saitama backdoor uses DNS tunneling and APT34 targets Jordan Government using new Saitama backdoor), Saitama was used in a phishing e-mail targeted to a government official from Jordan’s foreign ministry on an attack attributed to the Iranian group APT34.…
Check Point Research uncovers a recent Iranian-based spear-phishing operation aimed against former Israeli officials, high-ranking military personnel, research fellows in research institutions, think tanks, and against Israeli citizens. The attacks use a custom phishing infrastructure, as well as a wide array of fake email accounts to impersonate trusted parties.…
During the course of our work at Confiant, we see malicious activity on a daily basis. What matters the most for us is the ability to:
Protect our existing customers. Share unique threat intelligence. Keep finding unique vantage points for better detection.…PureCrypter is actively being developed by a threat actor using the moniker “PureCoder”.…
Rootkits are dangerous pieces of malware. Once in place, they are usually really hard to detect. Their code is typically more challenging to write than other malware, so developers resort to code reuse from open source projects. As rootkits are very interesting to analyze, we are always looking out for these kinds of samples in the wild.…
This post is also available in: 日本語 (Japanese)
Executive SummaryUnit 42 recently identified a new, difficult-to-detect remote access trojan named PingPull being used by GALLIUM, an advanced persistent threat (APT) group.
Unit 42 actively monitors infrastructure associated with several APT groups. One group in particular, GALLIUM (also known as Softcell), established its reputation by targeting telecommunications companies operating in Southeast Asia, Europe and Africa.…
This research is a joint effort between Joakim Kennedy, Security Researcher at Intezer, and the BlackBerry Research & Intelligence Team. It can be found on the Intezer blog here as well.
In biology, a symbiote is an organism that lives in symbiosis with another organism. The symbiosis can be mutually beneficial to both organisms, but sometimes it can be parasitic when one benefits and the other is harmed.…