Up to the minute information on new cyber threats, hackers and ransomware.
THREAT ALERT 🚨 WEEKLY THREAD (News)
Dotrunpex – Demystifying new virtualized .net injector used in the wild
DotRunpeX injector commonly comes as a second stage of the original infection. The typical first stages are very different variants of .NET loaders/downloaders. The first-stage loaders are primarily being delivered via phishing emails as malicious attachments (usually as a part of “.iso”, “.img”, “.zip”, and “.7z”) or via websites masquerading as regular program utilities. Apart from the most common infection vectors, the customers of dotRunpeX are not ashamed to abuse Google Ads or even target other potential attackers via trojanized malware builders. All of the trojanized programs contain the main .NET application enlarged with an overlay, very likely to avoid scanning with sandboxes. The .NET applications with overlay are the typical first stages, behaving as dotnet loaders with simple obfuscation. These different variants of loaders use reflection to load the dotRunpeX injector in the second stage. Some of them are v
Advanced Scenario - APT 32 (Blog)
APT 32 initiates its attack by downloading and executing a VBA script. It then proceeds to execute commands using the Windows Event Log, downloads a file from the internet, and executes a batch script. APT 32 creates persistence in the registry run keys and verifies the success of the created persistence. It then attempts to discover domain admins, steal credentials from the local machine, and use them to attempt lateral movement. It also maps admin shares, logs key inputs, discovers the file and directory structure, receives system information, encrypts files, and compresses and exfiltrates data in parallel. Finally, it lists credential files stored in current user AppData folders, performs DLL Search Order Hijacking, enumerates non-default installed applications, installs and runs a service, and creates a new user.
THREAT ALERT 🚨 WEEKLY THREAD
NEW IMMEDIATE THREAT DISCOVERED: TONTO TEAM'S FAILED ATTEMPT TO COMPROMISE GROUP-IB
Activity attributed to the Chinese espionage group the Tonto Team has targeted various strategic sectors, including healthcare, government, financial, education, military, energy and information technology, since at least 2009. In a recent campaign the threat group targeted the security firm Group-IB by sending weaponized attachments to employees. Masquerading as employees of legitimate organizations, the Tonto Team used fake email IDs created with GMX Mail. The malicious attachments were created with the Royal Road weaponizer, which can create documents that attempt to exploit CVEs related to the MS Equation Editor vulnerabilities. The campaign further used the Bisonal.DoubleT backdoor as well as the TontoTeam.Downloader (aka QuickMute) to obtain the threat actor's objective, which included collecting Group-IB intellectual property.
🚨 HARDBIT 2.0 RANSOMWARE
When first observed HardBit is a ransomware threat that targets or
THREAT ALERT 🚨 WEEKLY THREAD
APT15 Targets Multiple Sectors With Turian Backdoor
APT15, also known as Playful Taurus, is an advanced persistent threat (APT) that conducts a variety of cyber operations across multiple regions around the world. The threat actor was discovered targeting the Iranian telecommunications and diplomatic sectors with the Turian backdoor. The backdoor is packed with VMProtect to obfuscate the Application Programming Interface (API), thus making analysis difficult. The malware contains a wide range of capabilities, from spawning reverse shells to executing commands from the command-and-control server.
🚨 Vice Society Ransomware Group Targets Manufacturing Companies
The Vice Society threat group was discovered targeting multiple sectors, including manufacturing companies in Brazil. The actor has been active since 2021, deploying variants from the Hello Kitty, Five Hands, and Zeppelin ransomware families. In late 2022 the adversary developed and deployed their own custom ransomware known as PolyVice. The m
Gamaredon Abuses Telegram To Target Ukrainian Government Organizations (News)
The Gamaredon APT group was discovered targeting Ukrainian government entities using the Telegram messaging service to avoid traditional network detection. The Telegram messaging application was used in several stages, from victim profiling to delivering the final payload. The initial infection vector was weaponized spear-phishing documents written in the Russian and Ukrainian languages. The threat actor exploited a remote template injection vulnerability to compromise adversarial infrastructure with malware and bypass Microsoft Word macro protection. After the malicious document was opened, the malware downloaded a Visual Basic script from a specific address, which connected to a Telegram account to get additional instructions.
NeedleDropper: A New Dropper-as-a-Service Uncovered
Avast's Threat Research Team has since October 2022 been observing a new strain of dropper malware, which they referred to as "NeedleDropper" due to how it stores the data to be dropped onto the victim's device. Within itself, it stores several files that are used to drop and load the malware, as well as some files to hide its execution. Furthermore, within the malicious files it mixes a large amount of unimportant or unused data together with the data necessary for the malicious payload; this is done with the intent of hampering analysis. Avast's Threat Research Team believes that the developers behind NeedleDropper adopted the "-as-a-service" business model and that it is sold on hacking forums as a way for potential buyers to hide their final payload.
Aurora Stealer Leverages Shapeshifting Tactics And Popular Applications To Target Users
A threat actor was discovered mimicking legitimate websites to host and deliver the 9002 RAT, also known as Aurora, Hydraq, and McRat. Binary padding, system checks, and obfuscation were used in an attempt to evade antivirus software detection. The malicious software exfiltrates a range of data, including system information and data from web browsers, crypto wallets, and certain user directories.
Shikitega - New stealthy malware targeting Linux (News)
AT&T Alien Labs has discovered a new malware targeting endpoints and IoT devices that are running Linux operating systems. Shikitega is delivered in a multistage infection chain where each module responds to a part of the payload and downloads and executes the next one. An attacker can gain full control of the system, in addition to the cryptocurrency miner that will be executed and set to persist. The malware downloads and executes Metasploit's "Mettle" meterpreter to maximize its control on infected machines. Shikitega exploits system vulnerabilities to gain high privileges, persist, and execute a crypto miner. The malware uses a polymorphic encoder to make it more difficult to detect by anti-virus engines. Shikitega abuses legitimate cloud services to store some of its command and control (C&C) servers.
Microsoft Defender falsely detects Electron apps in Google Chrome as Win32/Hive.ZY (News)
Windows Defender is alerting people of a "threat detected" for "Behavior:Win32/Hive.ZY". The issue is tied to a recent listing in Microsoft's Defender update file, which is making a wrong detection. The trigger seems tied to Defender detecting "Electron-based or Chromium-based applications as malware".
[Image: Microsoft Defender falsely detecting Win32/Hive.ZY. Source: Twitter]
In order to address this issue, Microsoft released an update and advised that customers using automatic updates for Microsoft Defender are not required to take any additional action. In addition, Microsoft shared that enterprise customers managing their updates should ensure they are using detection build 1.373.1537.0 or newer.
A Tale of PivNoxy and Chinoxy Puppeteer
An attack against a telecommunications agency in South Asia began with a simple email that initially appeared to be a standard malicious spam email message. However, the attached Word doc was weaponized using a malicious tool, Royal Road, and is equipped with an exploit for an Equation Editor vulnerability (CVE-2018-0798). While a payload was unavailable at the time of the investigation, OSINT research points to the Poison Ivy RAT, which FortiGuard Labs has previously highlighted. Based on analysis, Asian organizations, and potentially some in Mexico, were a reconnaissance target of a threat actor that we believe was also involved in Operation NightScout in 2021. This threat actor, who uses Chinoxy and PivNoxy in their arsenal, has been active since at least mid-2016.
LockBit Ransomware Abuses Legitimate Windows Defender Utility (News)
The LockBit ransomware-as-a-service was identified using a legitimate Windows Defender command line utility to decrypt and side-load a Cobalt Strike payload. Initial entry was made using the Log4j vulnerability, CVE-2021-44228, which allowed the threat actors to gain access, attempt to run post-exploitation tools like Meterpreter, Empire and Cobalt Strike, and collect data from the infected device to exfiltrate to the attacker-controlled C2.
Manjusaka: A Chinese sibling of Sliver and Cobalt Strike (News)
Cisco Talos recently discovered a new attack framework called "Manjusaka" being used in the wild that has the potential to become prevalent across the threat landscape. This framework is advertised as an imitation of the Cobalt Strike framework. The implants for the new malware family are written in the Rust language for Windows and Linux. A fully functional version of the command and control (C2), written in GoLang with a User Interface in Simplified Chinese, is freely available and can generate new implants with custom configurations with ease, increasing the likelihood of wider adoption of this framework by malicious actors.
macOS Targeted With The CloudMensis Multi-Staged Malware (News)
ESET researchers discovered a previously unknown macOS backdoor that spies on users of the compromised Mac and exclusively uses public cloud storage services to communicate back and forth with its operators. Following analysis, ESET named it CloudMensis. Its capabilities clearly show that the intent of its operators is to gather information from the victims' Macs by exfiltrating documents, keystrokes, and screen captures.
Trello From the Other Side: APT29 Phishing Campaigns (News)
Beginning mid-January 2022, Mandiant detected and responded to an APT29 phishing campaign targeting a diplomatic entity. During the investigation, Mandiant identified the deployment and use of the BEATDROP and BOOMMIC downloaders. Shortly following the identification of this campaign, Mandiant discovered APT29 targeting multiple additional diplomatic and government entities through a series of phishing waves.
Follina to Rozena - Leveraging Discord to Distribute a Backdoor (News)
In May 2022, Microsoft published an advisory about CVE-2022-30190, which is about a Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution vulnerability. Attackers can inject a malicious external link to an OLE Object in a Microsoft Office document, then lure victims to click or simply preview the document in order to trigger this exploit. It will then execute a payload on the victim's machine. During Forti tracking last month, they found a document that exploited CVE-2022-30190, aka Follina, then downloaded Rozena to deploy a fileless attack and leverage the public Discord CDN attachment service. Rozena is a backdoor malware that is capable of injecting a remote shell connection back to the attacker's machine.
Red-Teaming Tool Being Abused by Malicious Actors (News)
Unit 42 continuously hunts for new and unique malware samples that match known advanced persistent threat (APT) patterns and tactics. One such sample was uploaded to VirusTotal, where it received a benign verdict from all 56 vendors that evaluated it. Beyond the obvious detection concerns, specialists believe this sample is also significant in terms of its malicious payload, command and control (C2), and packaging. The sample contained a malicious payload associated with Brute Ratel C4 (BRc4), the newest red-teaming and adversarial attack simulation tool to hit the market.
The SessionManager IIS backdoor
During 2022 ESET noticed a trend among several threat actors for deploying a backdoor within IIS after exploiting one of the ProxyLogon-type vulnerabilities within Microsoft Exchange servers. Dropping an IIS module as a backdoor enables threat actors to maintain persistent, update-resistant and relatively stealthy access to the IT infrastructure of a targeted organization, be it to collect emails, update further malicious access, or clandestinely manage compromised servers that can be leveraged as malicious infrastructure.
AstraLocker 2.0 infects users directly from Word attachments (Blog)
A lesser-known ransomware strain called AstraLocker has recently released its second major version, and according to threat analysts, its operators engage in rapid attacks that drop its payload directly from email attachments. This approach is quite unusual, as all the intermediate steps that typically characterize email attacks are there to help evade detection and minimize the chances of raising red flags on email security products. According to ReversingLabs, which has been following AstraLocker operations, the adversaries don't seem to care about reconnaissance, evaluation of valuable files, and lateral network movement. Instead, they are performing "smash-n-grab" attacks to hit immediately with maximum force, aiming for a quick payout.
US CERT Alert - MedusaLocker (News)
The FBI, the CISA, the Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN) are releasing this CSA to provide information on MedusaLocker ransomware. Observed as recently as May 2022, MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims' networks.
Bronze Starlight Ransomware Operations Use HUI Loader (News)
The BRONZE RIVERSIDE threat group is likely responsible for stealing intellectual property from Japanese organizations. The other cluster involves deployment of LockFile, AtomSilo, Rook, Night Sky, and Pandora post-intrusion ransomware. CTU researchers attribute this activity to the Chinese BRONZE STARLIGHT threat group.
Gallium APT Group (News)
Researchers from Palo Alto Networks defined the PingPull RAT as a "difficult-to-detect" backdoor that leverages the Internet Control Message Protocol (ICMP) for C2 communications. Experts also found PingPull variants that use HTTPS and TCP for C2 communications instead of ICMP. The cyberespionage group has started targeting financial institutions and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. Unlike past attacks, the group started using the PingPull RAT.
US Cert Alert - Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems (News)
The Cybersecurity and Infrastructure Security Agency (CISA) and United States Coast Guard Cyber Command (CGCYBER) are releasing this joint Cybersecurity Advisory (CSA) to warn network defenders that cyber threat actors, including state-sponsored advanced persistent threat (APT) actors, have continued to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon and Unified Access Gateway (UAG) servers to obtain initial access to organizations that did not apply available patches or workarounds.
PureCrypter: A Fully-Functional Loader Distributing Remote Access Trojans and Information Stealers (News)
- PureCrypter is a fully-featured loader being widely sold.
- The malware has been observed distributing a variety of remote access trojans and information stealers.
- The loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption and obfuscation to evade antivirus software products.
- PureCrypter features provide persistence, injection and defense mechanisms that are configurable in Google's Protocol Buffer message format.
CERT-IL Alert: an active phishing campaign in Israel leads to malware (News)
Recently new information was passed to the CERT-IL team indicating that there is an active phishing campaign against various users in Israel. The phishing campaign starts with a malicious email sent from "Israel Post" which contains a malicious attachment that leads to malware installation on the computer.
Msiexec Impersonation - Exploit Leads to Data Exfiltration (News)
In this multi-day intrusion, The DFIR Report observed a threat actor gain initial access to an organization by exploiting a vulnerability in ManageEngine SupportCenter Plus. The threat actor discovered files on the server and dumped credentials using a web shell, moved laterally to key servers using Plink and RDP, and exfiltrated sensitive information using the web shell and RDP. The FBI and CISA published an advisory noting that APT attackers were using CVE-2021-44077 to gain initial access to the networks of organizations in Critical Infrastructure Sectors such as the healthcare, financial, electronics and IT consulting industries.