Threat Feed

The LockBit ransomware-as-a-service was identified using a legitimate Windows Defender command line utility to decrypt and side-load a Cobalt Strike payload.Initial entry was made using the Log4j vulnerability, CVE-2021-44228, which allowed the threat actors to gain access, attempt to run post exploitation tools like Meterpreter, Empire and Cobalt Strike and collect data from the infected device to exfiltrate to the attacker controlled C2.

LockBit Ransomware Abuses Legitimate Windows Defender UtilityNews

2 days ago

idantCommunity Manager

Cisco Talos recently discovered a new attack framework called "Manjusaka" being used in the wild that has the potential to become prevalent across the threat landscape. This framework is advertised as an imitation of the Cobalt Strike framework.The implants for the new malware family are written in the Rust language for Windows and Linux.A fully functional version of the command and control (C2), written in GoLang with a User Interface in Simplified Chinese, is freely available and can generate new implants with custom configurations with ease, increasing the likelihood of wider adoption of this framework by malicious actors.

Manjusaka: A Chinese sibling of Sliver and Cobalt StrikeNews

16 days ago

idantCommunity Manager

ESET researchers discovered a previously unknown macOS backdoor that spies on users of the compromised Mac and exclusively uses public cloud storage services to communicate back and forth with its operators.Following analysis, ESET named it CloudMensis.Its capabilities clearly show that the intent of its operators is to gather information from the victims' Macs by exfiltrating documents, keystrokes, and screen captures.

macOS Targeted With The CloudMensis Multi-Staged MalwareNews

16 days ago

idantCommunity Manager

Beginning mid-January 2022, Mandiant detected and responded to an APT29 phishing campaign targeting a diplomatic entity.During the investigation, Mandiant identified the deployment and use of the BEATDROP and BOOMMIC downloaders.Shortly following the identification of this campaign, Mandiant discovered APT29 targeting multiple additional diplomatic and government entities through a series of phishing waves.

Trello From the Other Side: APT29 Phishing CampaignsNews

30 days ago

idantCommunity Manager

In May 2022, Microsoft published an advisory about CVE-2022-30190, which is about a Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution vulnerability.Attackers can inject a malicious external link to an OLE Object in a Microsoft Office document, then lure victims to click or simply preview the document in order to trigger this exploit.It will then execute a payload on the victim's machine.During Forti tracking last month, they found a document that exploited CVE-2022-30190, aka Follina, then downloaded Rozena to deploy a fileless attack and leverage the public Discord CDN attachment service.Rozena is a backdoor malware that is capable of injecting a remote shell connection back to the attacker's machine.

Follina to Rozena - Leveraging Discord to Distribute a BackdoorNews

idantCommunity Manager

Unit 42 continuously hunts for new and unique malware samples that match known advanced persistent threat (APT) patterns and tactics.One such sample was uploaded to VirusTotal, where it received a benign verdict from all 56 vendors that evaluated it.Beyond the obvious detection concerns, specialists believe this sample is also significant in terms of its malicious payload, command and control (C2), and packaging.The sample contained a malicious payload associated with Brute Ratel C4 (BRc4), the newest red-teaming and adversarial attack simulation tool to hit the market.

Red-Teaming Tool Being Abused by Malicious ActorsNews

idantCommunity Manager

During 2022 ESET noticed a trend among several threat actors for deploying a backdoor within IIS after exploiting one of the ProxyLogon-type vulnerabilities within Microsoft Exchange servers.Dropping an IIS module as a backdoor enables threat actors to maintain persistent, update-resistant and relatively stealthy access to the IT infrastructure of a targeted organization; be it to collect emails, update further malicious access, or clandestinely manage compromised servers that can be leveraged as malicious infrastructure.

The SessionManager IIS backdoor

120

idantCommunity Manager

A lesser-known ransomware strain called AstraLocker has recently released its second major version, and according to threat analysts, its operators engage in rapid attacks that drop its payload directly from email attachments.This approach is quite unusual as all the intermediate steps that typically characterize email attacks are there to help evade detection and minimize the chances of raising red flags on email security products.According to ReversingLabs, which has been following AstraLocker operations, the adversaries don't seem to care about reconnaissance, evaluation of valuable files, and lateral network movement.Instead, they are performing "smash-n-grab" attacks to his immediately hit with maximum force aiming for a quick payout.

AstraLocker 2.0 infects users directly from Word attachmentsBlog

idantCommunity Manager

The FBI, the CISA, the Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN) are releasing this CSA to provide information on MedusaLocker ransomware.Observed as recently as May 2022, MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims' networks.

US CERT Alert - MedusaLockerNews

idantCommunity Manager

The BRONZE RIVERSIDE threat group is likely responsible for stealing intellectual property from Japanese organizations.The other cluster involves deployment of LockFile, AtomSilo, Rook, Night Sky, and Pandora post-intrusion ransomware.CTU researchers attribute this activity to the Chinese BRONZE STARLIGHT threat group

Bronze starlight Ransomware Operations Use HUI LoaderNews

130

idantCommunity Manager

Researchers from Palo Alto Networks defined the PingPull RAT as a "difficult-to-detect" backdoor that leverages the Internet Control Message Protocol (ICMP) for C2 communications.Experts also found PingPull variants that use HTTPS and TCP for C2 communications instead of ICMP.The cyberespionage group has started targeting financial institutions and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. Unlike past attacks, the group started using the PingPull RAT.

Gallium APT GroupNews

100

idantCommunity Manager

The Cybersecurity and Infrastructure Security Agency (CISA) and United States Coast Guard Cyber Command (CGCYBER) are releasing this joint Cybersecurity Advisory (CSA) to warn network defenders that cyber threat actors, including state-sponsored advanced persistent threat (APT) actors, have continued to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon and Unified Access Gateway (UAG) servers to obtain initial access to organizations that did not apply available patches or workarounds.

US Cert Alert - Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon SystemsNews

idantCommunity Manager

PureCrypter is a fully-featured loader being widely soldThe malware has been observed distributing a variety of remote access trojans and information stealersThe loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption and obfuscation to evade antivirus software productsPureCrypter features provide persistence, injection and defense mechanisms that are configurable in Google's Protocol Buffer message format.

PureCrypter: A Fully-Functional Loader Distributing Remote Access Trojans and Information StealersNews

100

idantCommunity Manager

Recently new information was passed to the CERT-IL team indicating that there is an active phishing campaign against various users in Israel.The phishing campaign starts with a malicious email sent from "Israel Post" which contains a malicious attachment that leads to malware installation on the computer.

CERT-IL Alert: an active phishing campaign in Israel leads to malwareNews

idantCommunity Manager

In this multi-day intrusion, The DFIR Report observed a threat actor gain initial access to an organization by exploiting a vulnerability in ManageEngine SupportCenter Plus.The threat actor, discovered files on the server and dumped credentials using a web shell, moved laterally to key servers using Plink and RDP and exfiltrated sensitive information using the web shell and RDP.The FBI and CISA published an advisory noting that APT attackers were using CVE-2021-44077 to gain initial access to the networks of organizations of Critical Infrastructure Sectors such as healthcare, financial, electronics and IT consulting industries.

Msiexec Impersonation - Exploit Leads to Data ExfiltrationNews

160

idantCommunity Manager

Nao_sec identified an odd looking Word document in the wild, uploaded from an IP address in Belarus.This turned out to be a zero day vulnerability in Office and/or Windows.Defender for Endpoint missed execution.The document uses the Word remote template feature to retrieve a HTML file from a remote webserver, which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute some PowerShell.

Follina - a Microsoft Office code execution zero day, now exploited in the wildNews

240

idantCommunity Manager

ISO file downloads are advertised via QR codes on Twitter and on supposedly free gaming sites, but they don't contain what they promise.QR codes on Twitter and malvertisingThe loader for the malicious Chrome extension was initially analysed by @x3ph1 who dubbed it ChromeLoader.To avoid misunderstandings with legitimate Chrome components we hereby refer to it as Choziosi loader.The analysis on the loader is detailed but x3ph1 does not describe the Chrome extension Choziosi.Twitter user @th3_protoCOL found QR codes that circulate on Twitter and advertise pirated software to lure people into downloading an ISO.Reddit users also complain about malicious ISO files on websites that provide Steam games.This tweet by @StopMalvertisin says the ISOs are downloaded via malicious advertisements.hxxps://www.gdatasoftware.com/fileadmin/web/general/images/blog/2022/01/chromeloader_twitter2.pnghxxps://www.gdatasoftware.com/fileadmin/_processed_/7/1/chromeloader_reddit_c4998c051d.png

QR codes on Twitter deliver malicious Chrome extensionNews

210

idantCommunity Manager

Cybersecurity researchers have disclosed details of the latest version of the Chaos ransomware line, dubbed Yashma.While it's purportedly a .NET version of Ryuk, closer examination of the sample reveals that it doesn't share much with the notorious ransomware. In fact, early versions of Chaos, which is now in its fourth iteration, were more akin to a destructive trojan than to traditional ransomware. Yashma version adds some new capabilities.

New Chaos Ransomware Builder Variant "Yashma" Discovered in the WildNews

200

idantCommunity Manager

Check Point Research (CPR) details a targeted campaign that has been using sanctions-related baits to attack Russian defense institutes, part of the Rostec Corporation.The investigation shows that this campaign is part of a larger Chinese espionage operation that has been ongoing against Russian-related entities for several months.CPR researchers estimate with high confidence that the campaign has been carried out by an experienced and sophisticated Chinese nation-state APT.

Twisted Panda: Chinese APT espionage operation against RussiaNews

260

idantCommunity Manager

PaloAlto Unit42 discovered a malicious HTML help file delivering Agent Tesla.The attack is interesting because attackers are often looking for creative ways to deliver their payloads.Their purpose in doing so is twofold:An attempt to bypass security products.An attempt to bypass security training.Potential victims may have been trained to avoid documents, scripts and executables from unknown senders, but it is important to be careful of almost any filetype.Agent Tesla is well-known malware that has been around for a while.Agent Tesla focuses on stealing sensitive information from a victim's computer and sending that information to the attacker over FTP, SMTP or HTTP.It does this primarily via keystroke logging, screen capturing, camera recording and accessing sensitive data.

Malicious Compiled HTML Help File Delivering Agent TeslaNews

270

3 months ago

idantCommunity Manager

A previously undocumented remote access trojan (RAT) written in the Go programming language has been spotted disproportionately targeting entities in Italy, Spain, and the U.K.Called Nerbian RAT by enterprise security firm Proofpoint, the novel malware leverages COVID-19-themed lures to propagate as part of a low volume email-borne phishing campaign.

Researchers Warn of Nerbian RAT Targeting Entities in Italy, Spain, and the U.K.News

300

3 months ago

idantCommunity Manager

In this attack analyzed by C25, the Chinese APT used a spear phishing email to deliver a beacon of a Red Team framework known as "Viper".The kill chain includes an artifact that is already known and that was attributed to Naikon one year ago and it is used to load and execute a custom shellcode.The target of this attack is currently unknown but with high probability, given the previous history of the attack perpetrated by the group, it might be a government institution from a South Asian country.

The Lotus Panda is awake, againNews

450

3 months ago

idantCommunity Manager

The Iranian state-sponsored threat actor known as MuddyWater has been attributed to a new swarm of attacks targeting Turkey and the Arabian Peninsula with the goal of deploying remote access trojans (RATs) on compromised systems. "The MuddyWater supergroup is highly motivated and can use unauthorized access to conduct espionage, intellectual property theft, and deploy ransomware and destructive malware in an enterprise," Cisco Talos researchers Asheer Malhotra, Vitor Ventura, and Arnaud Zobec said in a report. The group, which has been active since at least 2017, is known for its attacks on various sectors that help further advance Iran's geopolitical and national security objectives.

🚨 Iranian Hackers Targeting Turkey and Arabian Peninsula in New Malware Campaign Iranian🚨News

2080

5 months ago

DaveKleinEmployee

In this newscast we are going in-depth on the cyber threat the current conflict poses on the Ukraine 🇺🇦and abroad globally. Watch this newscast to learn:History of cyberattacks against the Ukraine Current DDoS and Wiper cyber weapons in use in today’s conflict. What global sanctions in effect against Russia? What are examples of Russia using it’s cyberweapons outside of Ukraine? What are the potential Russian targets globally? What additional offensive cyber options are open the US and its allies?

This Week's Newscast: Cyberthreat - Current Conflict in UkraineNews

610

5 months ago

idantCommunity Manager