Executive Summary
Trigona ransomware is a relatively new strain that security researchers first discovered in late October 2022. By analyzing Trigona ransomware …
The CatB ransomware family, sometimes referred to as CatB99 or Baxtoy, was first observed in late 2022, with campaigns being observed steadily since November. The group’s activities have gained attention …
Executive Summary
Unit 42 researchers recently discovered a new sample of Golang-based malware. We have dubbed it GoBruteforcer, and it targets web …
Find out how the Managed XDR team uncovered RedLine Stealer’s evasive spear-phishing campaign that targets the hospitality industry.
Recently, we noticed a spike in the number of emails received by …
Trend Micro’s Managed Extended Detection and Response (MxDR) team discovered that a file called x32dbg.exe was used to sideload a malicious DLL we identified as a variant of PlugX.
Introduction…
Starting on January 20, 2023, Bitdefender Labs began to notice a global increase in attacks exploiting the ManageEngine vulnerability CVE-2022-47966. This Remote Code Execution (RCE) vulnerability (CVSSv3 score 9.8, critical) allows …
In January 2023, through our Dark Web monitoring routine, Sekoia.io identified a new information stealer advertised as Stealc by its alleged developer, going by the handle …
Morphisec has recently identified a highly evasive malware campaign delivering ProxyShellMiner to Windows endpoints. …
Last week, unknown threat actors started targeting, en masse, VMware ESXi hypervisors using CVE-2021-21974, an easily exploitable pre-authentication remote code execution vulnerability. Experts from Bitdefender …
Executive Summary
Recently, our Unit 42 incident response team was engaged in a Black Basta breach response that uncovered several tools and …
We discuss the Batloader malware campaigns we observed in the last quarter of 2022, including our analysis of Water Minyades-related events (This is the intrusion set we track behind the …
Executive Summary
Playful Taurus, also known as APT15, BackdoorDiplomacy, Vixen Panda, KeChang and NICKEL, is a Chinese advanced persistent threat group that …
We analyzed the infection routine used in recent Gootkit loader attacks on the Australian healthcare industry and found that Gootkit leveraged SEO poisoning for its initial access and abused legitimate …
Recent attacks documented in previous months seem to be orchestrated by hacking groups using a framework called Raspberry Robin. This well-designed automated framework gives attackers post-infection capabilities to evade detection, …
NOTE: In this blog, Zerobot refers to a botnet that spreads primarily through IoT and web application vulnerabilities. It is not associated with the chatbot ZeroBot.ai.
Botnet malware operations are …
From September to December, we detected multiple attacks from the Royal ransomware group. In this blog entry, we discuss findings from our investigation of this ransomware and the tools that …
Executive Summary
Since our last blog in early February covering the advanced persistent threat (APT) group Trident Ursa (aka Gamaredon, UAC-0010, Primitive …
April 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. DEV-1028 is now tracked as Storm-1028.
To learn …
Executive Summary
Cloud breaches often stem from misconfigured storage services or exposed credentials. A growing trend of attacks specifically targets cloud compute …
The Cybereason Global Security Operations Center (GSOC) issues a Purple Team Series of its Threat Analysis reports to provide a technical overview of the technologies and techniques threat actors use …
Executive Summary
Unit 42 researchers introduce a machine learning model that predicts the maliciousness of .NET samples based on specific structures in …
In July 2022, Sekoia.io discovered a new Golang botnet that its alleged developer had been advertising as the Aurora botnet since April 2022. Since we published an analysis of the …
Executive Summary
In early August 2022, Cyble Research Labs (a cybercrime monitoring service) uncovered a new crypto miner/stealer for hire that the …
Executive Summary
While advanced persistent threats get the most breathless coverage in the news, many threat actors have money on their mind …
Executive Summary
Unit 42 researchers recently discovered a Guloader variant that contains a shellcode payload protected by anti-analysis techniques, which are meant …
Executive Summary
Ransom Cartel is ransomware as a service (RaaS) that surfaced in mid-December 2021. This ransomware performs double extortion attacks and …
We analyzed a QAKBOT-related case leading to a Brute Ratel C4 and Cobalt Strike payload that can be attributed to the threat actors behind the Black Basta ransomware.
Summary
QAKBOT’s …
Executive Summary
Malware authors regularly evolve their techniques to evade detection and execute more sophisticated attacks. We’ve commonly observed one method over …
Executive Summary
Unit 42 recently observed a polyglot Microsoft Compiled HTML Help (CHM) file being employed in the infection process used by …
Executive Summary
Cybercriminals compromise domain names to attack the owners or users of the domains directly, or use them for various nefarious …
Pay-Per-Install (PPI) is a malware service widely used in the cybercrime ecosystem that monetises the installation of malicious software. As generally observed, a malware operator provides …
Executive Summary
On March 4, 2019, one of the most well-known keyloggers used by criminals, called Agent Tesla, closed up shop due …
Executive Summary
There is a constant debate between usability and security in the software world. Many third-party programs can make their users’ …
The Cybereason Global Security Operations Center (GSOC) Team issues Threat Analysis Reports to inform on impacting threats. The Threat Analysis Reports investigate these threats and provide practical recommendations for protecting …
Play is a new ransomware that takes a page out of Hive and Nokoyawa’s playbook. The many similarities among them indicate that Play, like Nokoyawa, is operated by the same …
Corporate espionage, also known as industrial espionage, is espionage conducted for commercial or financial purposes. One of the common misconceptions is that espionage is affecting only large corporations or government …
This is the second blog post in a four-part series. Read Part 1 | Part 3 | Part 4.
In Part 1 of this four-part blog series examining wiper malware, …
The DoNot Team (a.k.a. APT-C-35) are advanced persistent threat actors who have been active since at least 2016. They have carried out many attacks against individuals and organizations in South Asia. DoNot are …
Executive Summary
BlueSky ransomware is an emerging family that has adopted modern techniques to evade security defenses.
Ransomware is a malicious program …
Executive Summary
Beginning in early May 2022, Unit 42 observed a threat actor deploying Cuba Ransomware using novel tools and techniques. Using …
Executive Summary
Among the threat actors distributing Bumblebee is Projector Libra. Also known as EXOTIC LILY, Projector Libra is a criminal group …
Gootkit has been known to use fileless techniques to drop Cobalt Strike and other malicious payloads. Insights from a recent attack reveal updates in its tactics.
Our in-depth analysis of …
Executive Summary
Organizations around the world rely on the use of trusted, reliable online storage services – such as Dropbox and Google …
Executive Summary
Unit 42 continuously hunts for new and unique malware samples that match known advanced persistent threat (APT) patterns and tactics. …
Raccoon Stealer was one of the most prolific information stealers in 2021, being used by multiple cybercriminal actors. Due to its wide stealing capabilities, the customizability of the malware and …
A new remote code execution vulnerability called “Follina” (CVE-2022-30190) has been found in the Microsoft Support Diagnostic Tool (MSDT), reachable from Microsoft Office documents. In this blog, we examine a potential attack vector as well …
Executive Summary
Unit 42 recently identified a new, difficult-to-detect remote access trojan named PingPull being used by GALLIUM, an advanced persistent threat …
Executive Summary
HelloXD is a ransomware family performing double extortion attacks that surfaced in November 2021. During our research we observed multiple …