Rootkits are dangerous pieces of malware. Once in place, they are usually really hard to detect. Their code is typically more challenging to write than other malware, so developers resort to code reuse from open source projects. As rootkits are very interesting to analyze, we are always looking out for these kinds of samples in the wild.…
Tag: TROJAN
This post is also available in: 日本語 (Japanese)
Executive SummaryUnit 42 recently identified a new, difficult-to-detect remote access trojan named PingPull being used by GALLIUM, an advanced persistent threat (APT) group.
Unit 42 actively monitors infrastructure associated with several APT groups. One group in particular, GALLIUM (also known as Softcell), established its reputation by targeting telecommunications companies operating in Southeast Asia, Europe and Africa.…
Introduction
On May 31, a critical unpatched vulnerability, which affects all confluence server and data center supported versions was reported to Atlassian by Volexity, a security company.
Atlassian warned their customers of the critical vulnerability on June 2 and issued a patch a day later. CISA added this vulnerability to their list of Known Exploited Vulnerabilities on June 3.…
Executive SummaryAoqin Dragon, a threat actor SentinelLabs has been extensively tracking, has operated since 2013 targeting government, education, and telecommunication organizations in Southeast Asia and Australia.
Aoqin Dragon seeks initial access primarily through document exploits and the use of fake removable devices.
Other techniques the attacker has been observed using include DLL hijacking, Themida-packed files, and DNS tunneling to evade post-compromise detection.…
Read More Broadcom Software, has uncovered a cyber-criminal operation that has potentially made the actors behind it at least $1.7 million in illicit gains from cryptocurrency mining and theft via clipboard hijacking.
The malware being used, tracked by Symantec as Trojan.Clipminer, has a number of similarities to another crypto-mining Trojan called KryptoCibule, suggesting it may be a copycat or evolution of that threat.…
Sitting on a sunny beach full of sparkling sand. Exploring the jungle looking for exotic animals and plants. Diving into a deep blue sea where sunlight has a difficult time reaching. Partying all night at clubs in a city you have never been to. Holding hands with friends around a campfire singing Kumbaya.…
The Trend Micro Threat Hunting team recently analyzed a series of CMD-based ransomware variants with a number capabilities such as stealing user information, bypassing remote desktop connections, and propagating through email and physical drives.
The Trend Micro Threat Hunting team recently analyzed a series of CMD-based ransomware variants with a number capabilities such as stealing user information, bypassing remote desktop connections, and propagating through email and physical drives.…
UNC2165 Overlaps with Evil Corp Activity
Read More OFAC sanctions against Evil Corp in December 2019 were announced in conjunction with the Department of Justice’s (DOJ) unsealing of indictments against individuals for their roles in the Bugat malware operation, updated versions of which were later called DRIDEX. DRIDEX was believed to operate under an affiliate model with multiple actors involved in the distribution of the malware.…
Research by: Alexey Bukhteyev & Raman Ladutska
In July 2021, CPR released a series of three publications covering different aspects of how the Formbook and XLoader malware families function. We described how XLoader emerged in the Darknet community to fill the empty niche after Formbook sales were abruptly stopped by its author.…
Fortinet’s FortiGuard Labs captured a phishing campaign that delivers three fileless malware onto a victim’s device. Once executed, they are able to control and steal sensitive information from that device to perform other actions according to the control commands from their server.
In Part I of this analysis, I introduced how these three fileless malware are delivered to the victim’s device via a phishing campaign, and what mechanism it uses to load, deploy, and execute these fileless malware in the target process.…
Trustwave SpiderLabs in early April observed a Grandoreiro malware campaign targeting bank users from Brazil, Spain, and Mexico. The campaign exploits the tax season in target countries by sending out tax-themed phishing emails.…
Users of WSO2 products are advised to update their respective products and platforms or to apply the temporary mitigation steps immediately.
We observed vulnerability CVE-2022-29464 being exploited in the wild since April, allowing unrestricted file uploads resulting to arbitrary remote code execution (RCE). Disclosed and patched in April, the security gap was ranked Critical at 9.8 and affects a number of WSO2 products.…
An unknown Advanced Persistent Threat (APT) group has targeted Russian government entities with at least four separate spear phishing campaigns since late February, 2022.
The campaigns, discovered by the Malwarebytes Threat Intelligence team, are designed to implant a Remote Access Trojan (RAT) that can be used to surveil the computers it infects, and run commands on them remotely.…
This week, Sonatype’s automated malware detection bots have discovered malicious Python package ‘pymafka’ in the PyPI registry.…
In December last year, the vulnerability (CVE-2021-44228) of Java-based logging utility Log4j became a worldwide issue. It is a remote code execution vulnerability that can include the remote Java object address in the log message and send it to the server using Log4j to run the Java object in the server.…
ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups
cybercriminal group ITG23, also known as Wizard Spider, DEV-0193, or simply the “Trickbot Group”. The results of this research, along with evidence gained from the disclosure of internal ITG23 chat logs (“Contileaks”), provide new insight into the connections and cooperation between prominent cybercriminal groups whose attacks often lead to ransomware.…
This post is also available in: 日本語 (Japanese)
Executive SummaryEmotet is one of the most prolific email-distributed malware families in our current threat landscape. Although a coordinated law enforcement effort shut down this malware in January 2021, Emotet resumed operations in November 2021. Since then, Emotet has returned to its status as a prominent threat.…
Trend Micro’s Managed XDR team addressed a Kingminer botnet attack conducted through an SQL exploit. We discuss our findings and analysis in this report.
We observed malicious activities in a client’s SQL server that flagged a potential exploit in one public-facing device. A quick look at the Trend Micro Vision One™ Workbench showed that a Microsoft SQL server process created an obfuscated PowerShell command.…
This blog post was authored by Hossein Jazi and Jérôme Segura
Populations around the world—and in Europe in particular—are following the crisis in Ukraine very closely, and with events unfolding on a daily basis, people are hungry for information.
Although all countries have reasons to be concerned, the situation is Germany is more complicated than most.…
The Quantum Locker is a ransomware strain that was first discovered in July 2021. Since then, the ransomware was observed used in fast ransomware attacks, in some cases even Time-to-Ransom (TTR) of less than 4 hours, leaving defenders little time to react.…