Published On : 2022-11-10
Prestige Ransomware Analysis Executive SummaryCYFIRMA Research team has seen an uptick in threat actor-orchestrated ransomware campaigns. We have reasons to believe that Prestige Ransomware has been used with notable features that differentiate it from other ransomware campaigns targeting transportation and other logistics industries in Ukraine and Poland.…
LNK files are based on the Shell Link Binary file format, also known as Windows shortcuts. But what seems a relatively simple ability to execute other binaries on the system can inflict great harm when abused by threat actors.
Microsoft’s decision to block macros by default for files downloaded from the internet in Office applications provoked malware developers to shift to other techniques.…
QBot, also known as Qakbot, QuackBot, and Pinkslipbot, is a Banking Trojan that was first observed in 2007. Today, Qbot is still a vicious and persistent threat to organizations and has become one of the leading Banking Trojans globally. Over the years, it has changed its initial techniques to deliver payloads like using VBA macros, Excel 4 macros, VBS files, exploits like Follina, etc.…
In our newest category #ShortAndMalicious DCSO CyTec aims to briefly highlight new and interesting samples we come across in our daily hunt for malware.
For the first entry in the series, we take a brief look at an undocumented custom malware we have been analysing under the moniker “StrelaStealer” (“Стрела” == arrow) which appears to be purpose-built to steal mail login data.…
The ASEC analysis team uploaded a post on October 25th to inform the users of the changes that have been made to the Magniber ransomware. Magniber, which is still actively being distributed, has undergone many changes to evade the detection of anti-malware software. Out of these changes, this blog will cover the script format found from September 8th to September 29th, 2022, which bypassed Mark of the Web (MOTW), a feature offered by Microsoft that identifies the source of files.…
Share this blog
Web browsers contain the most lucrative pieces of information about a user and thus are becoming an interesting target for malware developers. Every keystroke or session cookie can contain very private information about a user, and access to such information can create critical security and privacy issues.…
We have observed multiple attacks targeting government organizations in Asia, all involving DLL sideloading – historically a favorite technique of China-based APT groups — as far back as 2013 and as recently as 2020. In this article, we look at the evidence that connects five of them, showing how threat actors base their attacks on well-known, effective techniques, adding complexity and variation over time.…
FormBook stealer is an infostealer trojan available as a malware-as-service. This malware is often used by attackers with low technical literacy and little programming knowledge. FormBook can be used to steal various information from infected machines.
Despite how easy it is to set up and use, the malware has advanced stealing and evasion functions including the ability to pull stored and recorded user input.…
This report provides defenders and security operations center teams with the technical details they need to know should they encounter the DeimosC2 C&C framework.
IntroductionWith the rise in attention to Cobalt Strike from network defenders, attackers have been looking to alternative command-and-control (C&C) frameworks Among these, Brute Ratel and Sliver are growing in popularity, having recently been featured in a number of publications.…11/07: Updated article to provide clarity around hunting techniques
Key points from our research:
Following our reporting on Robin Banks in July, Cloudflare disassociated Robin Banks phishing infrastructure from its services, causing a multi-day disruption to operations. In response, Robin Banks administrators made several changes, including relocating its infrastructure to a notorious Russian provider and changing features of its kits to be more evasive.…APT-36 (also known as Transparent Tribe) is an advanced persistent threat group attributed to Pakistan that primarily targets users working at Indian government organizations. Zscaler ThreatLabz has been closely monitoring the activities of this group throughout 2022. Our tracking efforts have yielded new intelligence about this APT group that has not previously been documented.…
Cyble Research and Intelligence Labs (CRIL) has continuously monitored malware campaigns that distribute different malware families, such as stealer, clipper, and ransomware.
Recently, CRIL observed a malware strain known as SmokeLoader, which carries popular malware family samples such as SystemBC and Raccoon Stealer 2.0, along with a new clipper malware dubbed Laplas Clipper that targets cryptocurrency users.…
By Antonio Cocomazzi and Antonio Pirozzi
Executive SummarySentinelLabs researchers describe Black Basta operational TTPs in full detail, revealing previously unknown tools and techniques. SentinelLabs assesses it is highly likely the Black Basta ransomware operation has ties with FIN7. Black Basta maintains and deploys custom tools, including EDR evasion tools.…This post is also available in: 日本語 (Japanese)
Executive SummaryWhile advanced persistent threats get the most breathless coverage in the news, many threat actors have money on their mind rather than espionage. You can learn a lot about the innovations used by these financially motivated groups by watching banking Trojans.…
This report describes several interesting incidents observed by the Kaspersky Managed Detection and Response (MDR) team. The goal of the report is to inform our customers about techniques used by attackers. We hope that learning about the attacks that took place in the wild helps you to stay up to date on the modern threat landscape and to be better prepared for attacks.…
While performing routine security research, one of our threat analysts discovered the latest version of a Command and Control (C2) script, which is referred to as F-Automatical within the script’s code and was commonly known as FoxAuto in older versions. This is the seventh version of this automatic C2 script that is developed and distributed by a threat group called Anonymous Fox.…
This post is also available in: 日本語 (Japanese)
Executive SummaryUnit 42 researchers recently discovered a Guloader variant that contains a shellcode payload protected by anti-analysis techniques, which are meant to slow human analysts and sandboxes processing this sample. To help speed analysis for this sample and others like it, we are providing a complete Python script to deobfuscate the Guloader sample that is available on GitHub.…
The sophistication of threat actors’ DDoS strategy and tactics continues to evolve rapidly in response to improved mitigation-side efforts. Actors have complicated filtering and firewalling by bringing a more diverse set of vectors to the attack, attacking at multiple network layers at the same time and automating changes to the mix of vectors at attack time – perhaps even in response to the ongoing mitigation efforts.…
In early June 2022, we observed an intrusion where a threat actor gained initial access by exploiting the CVE-2022-30190 (Follina) vulnerability which triggered a Qbot infection chain.
Qbot, also known as Qakbot or Pinksliplot is actively developed and capable of a number of functions from reconnaissance, lateral movement, data exfiltration, to delivering other payloads acting as an initial access broker.…