Since May 2022, eSentire’s Threat Response Unit (TRU) has observed 11 cases of Raspberry Robin infections. Although the initial access vector is an infected USB drive, however it’s unclear how the USB drives were initially infected. Raspberry Robin hosts its payloads on compromised QNAP servers with the malicious files being stored on USB drives as shortcuts.…
Tag: VULNERABILITY
We discuss the Batloader malware campaigns we observed in the last quarter of 2022, including our analysis of Water Minyades-related events (This is the intrusion set we track behind the creation of Batloader).
We discuss the Batloader malware campaigns we observed in the last quarter of 2022, including our analysis of Water Minyades-related events (This is the intrusion set we track behind the creation of Batloader).…
This post is also available in: 日本語 (Japanese)
Unit 42 researchers perform a deep dive into Automated Libra, the cloud threat actor group behind the freejacking campaign PurpleUrchin. Automated Libra is a South African-based freejacking group that primarily targets cloud platforms offering limited-time trials of cloud resources in order to perform their cryptomining operations.…
Executive Summary
Read More
This paper investigates a recent QakBot phishing campaign’s ability to evade Mark-of-the-Web (MoTW) security features, allowing for escape from the designated security zone and successful installation of malicious software on victim device.. Key observations:
EclecticIQ analysts investigated QakBot phishing campaigns switching to a Zero-Day Vulnerability to evade Windows Mark of the Web (MoTW).…
Winter brings a number of holidays in a short period of time, and many organizations shut down or run a skeleton crew for a week or more at the end of the year and beginning of the new year. This makes it easier for would-be attackers to find success as systems are not as closely monitored.…
BACKGROUND
Read More
In this Threat Analysis report, the Cybereason team investigates a recent IcedID infection that illustrates the tactics, techniques, and procedures (TTPs) used in a recent campaign. IcedID, also known as BokBot, is traditionally known as a banking trojan used to steal financial information from its victims.…
In December 2022, CrowdStrike reported on a campaign by SCATTERED SPIDER, targeting organizations within the telecom and business process outsourcing (BPO) sectors with an end objective of gaining access to mobile carrier networks.
In the weeks since that post, the CrowdStrike Falcon® platform prevented a novel attempt by SCATTERED SPIDER to deploy a malicious kernel driver through a vulnerability (CVE-2015-2291) in the Intel Ethernet diagnostics driver.…
Read More
Since October 2022, we’ve been observing multiple malware types delivered via a new dropper strain that we are referring to as “NeedleDropper”. Its name references one of the ways the dropper stores data. NeedleDropper is not just a single executable, it carries several files which together create a malicious execution, extracting files to decrypt and inject malicious code.…
The ASEC analysis team recently discovered that a Linux malware developed with Shc has been installing a CoinMiner. It is presumed that after successful authentication through a dictionary attack on inadequately managed Linux SSH servers, various malware were installed on the target system. Among those installed were the Shc downloader, XMRig CoinMiner installed through the former, and DDoS IRC Bot, developed with Perl.…
December 30, 2022
Doctor Web has discovered a malicious Linux program that hacks websites based on a WordPress CMS. It exploits 30 vulnerabilities in a number of plugins and themes for this platform. If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted webpages are injected with malicious JavaScripts.…
The Wordfence Threat Intelligence team has been tracking exploits targeting a Critical Severity Arbitrary File Upload vulnerability in YITH WooCommerce Gift Cards Premium, a plugin with over 50,000 installations according to the vendor.
The vulnerability, reported by security researcher Dave Jong and publicly disclosed on November 22, 2022, impacts plugin versions up to and including 3.19.0 and allows unauthenticated attackers to upload executable files to WordPress sites running a vulnerable version of the plugin.…
Beware of What Is Lurking in the Shadows of Your IT
Five Stages of a Ransomware Attack, during one ransomware incident X-Force uncovered an entrenched advanced adversary that was leveraging a Shadow IT bridged network to maintain access to two organizations for over a year.
During the investigation, X-Force identified the ransomware attack was contained within a single domain of the multi-domain forest.…
NOTE: In this blog, Zerobot refers to a botnet that spreads primarily through IoT and web application vulnerabilities. It is not associated with the chatbot ZeroBot.ai.
Botnet malware operations are a constantly evolving threat to devices and networks. Threat actors target Internet of Things (IoT) devices for recruitment into malicious operations as IoT devices’ configurations often leave them exposed, and the number of internet-connected devices continue to grow.…
April 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. DEV-1028 is now tracked as Storm-1028.
To learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.…
RAT capable of stealing Credit Card Information
Read More
A RAT (Remote Access Trojan) is a tool used by Threat Actors (TAs) to gain full access and remote control of a victim’s machine, including mouse and keyboard control, file access, network resources access, etc.
Cyble Research and Intelligence Labs (CRIL) has been actively monitoring such RATs and blogging about them as and when they emerge.…
The Wordfence Threat Intelligence team continually monitors trends in the attack data we collect. Occasionally an unusual trend will arise from this data, and we have spotted one such trend standing out over the Thanksgiving holiday in the U.S. and the first weekend in December. Attack attempts have spiked for vulnerabilities in two plugins.…
This report examines the infection chain and the pieces of malware used by malicious actors in supply-chain attacks that leveraged trojanized installers of chat-based customer engagement platforms.
In late September 2022, threat researchers uncovered a supply-chain attack carried out by malicious actors using a trojanized installer of Comm100, a chat-based customer engagement application.…
Check Point Research (CPR) provides under-the-hood details of its analysis of the infamous Azov Ransomware
Investigation shows that Azov is capable of modifying certain 64-bit executables to execute its own code
Azov is designed to inflict impeccable damage to the infected machine it runs on
CPR sees over 17K of Azov-related samples submitted to VirusTotal
Read More
During the past few weeks, we have shared the preliminary results of our investigation of the Azov ransomware on social media, as well as with Bleeping Computer.…
Introduction
Read More
Specialists at the PT Expert Security Center have been monitoring the Cloud Atlas group since May 2019. According to our data, its attacks have been targeting the government sector of the following countries:
Russia Belarus Azerbaijan Turkey SloveniaThe goals of the group are espionage and theft of confidential information.…
In October 2022, Juniper Threat Labs discovered a backdoor implanted on a VMware ESXi virtualization server. Since 2019, unpatched ESXi servers have been targets of ongoing in-the-wild attacks based on two vulnerabilities in the ESXi’s OpenSLP service: CVE-2019-5544 and CVE-2020-3992. Unfortunately, due to limited log retention on the compromised host we investigated, we can’t be sure which vulnerability allowed hackers access to the server.…