Stay Ahead of Cyber Threats – Daily Security Insights, Powered by AI
Upon execution of Base-Update.exe, it proceeds to download, Base64-decode, and execute another time stomped downloader written in Go from http://194.31.98.124:443/i with the arguments –a 0CyCcrhI/6B5wKE8XLOd+w==:
%TEMP%java-sdk.exe (MD5: 36ff9ec87c458d6d76b2afbd5120dfae)Downloader written in Go Base64 encoded – MD5: 2f14b3d5ab01568e2707925783f8eafe Compile time: 1970-01-01 00:00:00 C&C: 194.31.98.124:443Java-sdk.exe sets persistence for itself via setting a Run registry key.…
Fortinet’s FortiGuard Labs captured a phishing email as part of a phishing campaign spreading a new variant of QakBot. Also known as QBot, QuackBot, or Pinkslipbot, QakBot is an information stealer and banking Trojan that has been captured and analyzed by security researchers since 2007.
I performed a deep analysis on this phishing campaign and the new QakBot variant using the captured email.…
Cyble Research Labs discovered a new Remote Access Trojan (RAT) dubbed ApolloRAT. The RAT is written in Python and uses Discord as its Command and Control (C&C) Server. The TAs are selling this RAT for $15 on Telegram and their site, as shown in Figure 1.…
Authored by Lakshya Mathur
An LNK file is a Windows Shortcut that serves as a pointer to open a file, folder, or application. LNK files are based on the Shell Link binary file format, which holds information used to access another data object. These files can be created manually using the standard right-click create shortcut option or sometimes they are created automatically while running an application.…
During our routine threat-hunting exercise, Cyble Research Labs came across a Twitter post wherein a researcher mentioned an interesting infection chain of Xloader malware.
The malware uses multiple file types such as PDF, XLSX, and RTF for its initial infection and execution. It is also designed to drop three modules in memory and execute the final payload using the Process-Hollowing technique.…
During our routine Threat-Hunting exercise, Cyble Research Labs came across a new stealer named “PennyWise” shared by a researcher. The stealer appears to have been developed recently. Though this stealer is fresh, the Threat Actor(s) (TA) has already rolled an updated version, 1.3.4.
Our investigation indicates that the stealer is an emerging threat, and we have witnessed multiple samples of this stealer active in the wild.…
Cyble Research Labs has constantly been tracking emerging threats and their delivery mechanisms. We have observed a surge in the use of .lnk files by various malware families. Some of the prevalent malware families using .lnk files for their payload delivery of late are:
Additionally, we have seen many APT instances where the Threat Actors (TAs) leverage .lnk…
Zero-day exploits or recently patched/unpatched vulnerabilities are attractive targets for Threat Actors (TAs) to deploy malware efficiently. TAs leverages these vulnerabilities and exploits them to deliver the various types of malware to steal sensitive information for financial gain.
On June 11th, 2022, Microsoft tweeted a post where they mentioned that CVE-2022-26134 was being exploited to download and deploy the Cerber2021 ransomware (also known as “CerberImposter”).…
During our routine threat hunting exercise, Cyble Research Labs came across a Twitter Post wherein the researcher mentioned an Android malware variant published on the Play Store. The variant in question acts as a Hostile Downloader and downloads the Hydra Banking Trojan.
The downloaded app has the same functionality as recently encountered Hydra variants targeting Columbia.…
[This is a Guest Diary by Robert Riley, an ISC intern as part of the SANS.edu BACS program]
Introduction
Honeypot file uploads can be like opening pandoras box, never knowing what may get uploaded. Malware comes in all sorts of varieties and flavors, many suited for specific purposes and some for multiple.…
This research was conducted by Ross Inman (@rdi_x64) and Peter Gurney from NCC Group Cyber Incident Response Team. You can find more here Incident Response – NCC Group
tl;drThis blog post documents some of the TTPs employed by a threat actor group who were observed deploying Black Basta ransomware during a recent incident response engagement, as well as a breakdown of the executable file which performs the encryption.…
OFAC sanctions against Evil Corp in December 2019 were announced in conjunction with the Department of Justice’s (DOJ) unsealing of indictments against individuals for their roles in the Bugat malware operation, updated versions of which were later called DRIDEX. DRIDEX was believed to operate under an affiliate model with multiple actors involved in the distribution of the malware.…
In a recent blog post by Microsoft, a new Zero-Day vulnerability (CVE-2022-30190) was discussed. This vulnerability affects Microsoft Support Diagnostic Tool (MSDT), and the blog post provides some guidance on mitigating the impact of this vulnerability.
The post mentions that a Remote Code Execution (RCE) vulnerability present in MSDT allows the attackers to execute arbitrary code by exploiting it.…
Recently Cyble researchers came across a post where a researcher mentioned about fake Proof of Concept (POC) of CVE-2022-26809. Upon further investigation, we discovered that it’s malware disguised as an Exploit. Similarly, we found a malicious sample that appears to be a fake POC of CVE-2022-24500.…
In the past two months, we observed multiple APT groups attempting to leverage the Russia and Ukraine war as a lure for espionage operations. It comes as no surprise that Russian entities themselves became an attractive target for spear-phishing campaigns that are exploiting the sanctions imposed on Russia by western countries.…
ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups
cybercriminal group ITG23, also known as Wizard Spider, DEV-0193, or simply the “Trickbot Group”. The results of this research, along with evidence gained from the disclosure of internal ITG23 chat logs (“Contileaks”), provide new insight into the connections and cooperation between prominent cybercriminal groups whose attacks often lead to ransomware.…
The ASEC analysis team has recently discovered the constant distribution of malware strains that spread the infection when Excel file is opened. Besides infecting normal Excel files, they can also perform additional malicious behaviors such as acting as a downloader and performing DNS Spoofing, therefore, users need to take great caution.…
Information stealing malware is on the rise. Cyble Research Labs recently discovered a new malware dubbed “AvD crypto stealer” on a cybercrime forum. Upon further investigation, however, we observed that this does not function as a Crypto Stealer. This is, in fact, a disguised variant of well-known Clipper malware that can read and edit any text copied by the victim i.e.…