In early September 2022, we discovered several new malware samples belonging to the MATA cluster. As we were collecting and analyzing the relevant telemetry data, we realized the campaign had been launched in mid-August 2022 and targeted over a dozen corporations in Eastern Europe from the oil and gas sector and defense industry.…
Tag: UNIX
Almost a year after Void Rabisu shifted its targeting from opportunistic ransomware attacks with an emphasis on cyberespionage, the threat actor is still developing its main malware, the ROMCOM backdoor.
Void Rabisu is an intrusion set associated with both financially motivated ransomware attacks and targeted campaigns on Ukraine and countries supporting Ukraine.…
Introduction
Read More In October 2022, during an investigation into an incident at a Russian industrial enterprise, samples of previously unseen malware were discovered running on compromised computers of this organization. The names of this malware’s executable files were similar to the names of legitimate software installed on the infected machines, and a number of samples had valid digital signatures. Also, the identified executable files and libraries were processed by the Themida protector to make them more difficult to detect and analyze.…
We examine the campaigns of the cyberespionage group known as Turla over the years, with a special focus on the key MITRE techniques and the corresponding IDs associated with the threat actor group.
In this blog entry, we examine the campaigns of the cyberespionage group known as Turla over the years, with a special focus on the key MITRE techniques and the corresponding IDs associated with the threat actor group.…
UPDATE 13.09.2023. Free Download Manager team issued an official statement regarding this incident.
Over the last few years, Linux machines have become a more and more prominent target for all sorts of threat actors. According to our telemetry, 260,000 unique Linux samples appeared in the first half of 2023.…
Notification
Read More This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.…
Threat Researchers: Nischay Hegde and Siddartha Malladi…
During routine detection maintenance, our Mac researchers stumbled upon a small set of files with backdoor capabilities that seem to form part of a more complex malware toolkit. The following analysis is incomplete, as we are trying to identify the puzzle pieces that are still missing.…
Bitdefender security researchers have discovered a threat group likely based in Romania that’s been active since at least 2020. They’ve been targeting Linux-based machines with weak SSH credentials, mainly to deploy Monero mining malware, but their toolbox allows for other kinds of attacks.
Hackers going after weak SSH credentials is not uncommon.…
AhnLab Security Emergency response Center (ASEC) has recently discovered an attack campaign that consists of the Tsunami DDoS Bot being installed on inadequately managed Linux SSH servers. Not only did the threat actor install Tsunami, but they also installed various other malware such as ShellBot, XMRig CoinMiner, and Log Cleaner.…
Affected Platforms: LinuxImpacted Users: Any organizationImpact: Remote attackers gain control of the vulnerable systemsSeverity Level: Critical
FortiGuard Labs has encountered new samples of the RapperBot campaign active since January 2023. RapperBot is a malware family primarily targeting IoT devices. It has been observed in the wild since June 2022.…
ESET researchers have discovered a new Lazarus Operation DreamJob campaign targeting Linux users. Operation DreamJob is the name for a series of campaigns where the group uses social engineering techniques to compromise its targets, with fake job offers as the lure. In this case, we were able to reconstruct the full chain, from the ZIP file that delivers a fake HSBC job offer as a decoy, up until the final payload: the SimplexTea Linux backdoor distributed through an OpenDrive cloud storage account.…
On December 10, 2021, the Apache Software Foundation disclosed CVE-2021-44228, aka “Log4Shell”, a critical vulnerability in Apache’s Log4j version 2.14.1 and earlier that affects a large number of products that utilize this logging library.
Through our Consulting and Managed Defense clients, Mandiant observed four unique applications targeted and exploited using CVE-2021-44228.…
By Securonix Threat Research: D.Iuzvyk, T.Peck, O.Kolesnikov
Sept. 25, 2023, updated Sept. 27, 2023, updated Oct. 6, 2023
tldr:Securonix Threat Research recently discovered an attack campaign appearing to originate from the threat group UAC-0154 targeting victims using a Pilot-in-Command (PIC) Drone manual document lure to deliver malware.…
Web application vulnerabilities are like doorways: you never know who or what will walk through. Between December 2021 and July 2022, the Mandiant Managed Defense and Incident Response teams responded to three UNC961 intrusions at different organizations that each started in similar fashion. Two of these victims were under the protection of Managed Defense who identified and responded to the threat before significant impact occurred.…
We recently discovered an novel undetected implant family targeting Linux servers, which we dubbed Mélofée.
We linked with high confidence this malware to chinese state sponsored APT groups, in particular the notorious Winnti group.
In this blogpost we will first analyze the capabilities offered by this malware family, which include a kernel mode rootkit, and then deep dive in an infrastructure pivot maze to discover related adversary toolsets.…
The scourge of ransomware attacks that has plagued Windows endpoints over the past half decade or so has, thankfully, not been replicated on Mac devices. With a few unsuccessful exceptions, the notion of locking a Mac device and holding its owner to ransom in return for access to the machine and its data has not yet proven an attractive proposition for attackers.…
Cyber espionage threat actors continue to target technologies that do not support endpoint detection and response (EDR) solutions such as firewalls, IoT devices, hypervisors and VPN technologies (e.g. Fortinet, SonicWall, Pulse Secure, and others). Mandiant has investigated dozens of intrusions at defense industrial base (DIB), government, technology, and telecommunications organizations over the years where suspected China-nexus groups have exploited zero-day vulnerabilities and deployed custom malware to steal user credentials and maintain long-term access to the victim environments.…
This post is also available in: 日本語 (Japanese)
Executive SummaryUnit 42 researchers recently discovered a new sample of Golang-based malware. We have dubbed it GoBruteforcer, and it targets web servers, specifically those running phpMyAdmin, MySQL, FTP and Postgres services. The sample was originally captured from our Next-Generation Firewall.…
Ransomware actors have been observed to expand their targets by increasingly developing Linux-based versions. Royal ransomware is following in the same path, a new variant targeting Linux systems emerged and we will provide a technical analysis on this variant in this blog.
Ransomware actors have been observed to expand their targets by increasingly developing Linux-based versions.…