Up to the minute information on new cyber threats, hackers and ransomware.
A lesser-known ransomware strain called AstraLocker has recently released its second major version, and according to threat analysts, its operators engage in rapid attacks that drop its payload directly from email attachments. This approach is quite unusual, as all the intermediate steps that typically characterize email attacks are there to help evade detection and minimize the chances of raising red flags on email security products. According to ReversingLabs, which has been following AstraLocker operations, the adversaries don't seem to care about reconnaissance, evaluation of valuable files, and lateral network movement. Instead, they are performing "smash-n-grab" attacks to hit immediately with maximum force, aiming for a quick payout.
The FBI, the CISA, the Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN) are releasing this CSA to provide information on MedusaLocker ransomware. Observed as recently as May 2022, MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims' networks.
The BRONZE RIVERSIDE threat group is likely responsible for stealing intellectual property from Japanese organizations. The other cluster involves deployment of LockFile, AtomSilo, Rook, Night Sky, and Pandora post-intrusion ransomware. CTU researchers attribute this activity to the Chinese BRONZE STARLIGHT threat group.
Researchers from Palo Alto Networks defined the PingPull RAT as a "difficult-to-detect" backdoor that leverages the Internet Control Message Protocol (ICMP) for C2 communications. Experts also found PingPull variants that use HTTPS and TCP for C2 communications instead of ICMP. The cyberespionage group has started targeting financial institutions and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. Unlike past attacks, the group started using the PingPull RAT.
The Cybersecurity and Infrastructure Security Agency (CISA) and United States Coast Guard Cyber Command (CGCYBER) are releasing this joint Cybersecurity Advisory (CSA) to warn network defenders that cyber threat actors, including state-sponsored advanced persistent threat (APT) actors, have continued to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon and Unified Access Gateway (UAG) servers to obtain initial access to organizations that did not apply available patches or workarounds.
PureCrypter: A Fully-Functional Loader Distributing Remote Access Trojans and Information Stealers
PureCrypter is a fully-featured loader being widely sold. The malware has been observed distributing a variety of remote access trojans and information stealers. The loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption and obfuscation to evade antivirus software products. PureCrypter features provide persistence, injection and defense mechanisms that are configurable in Google's Protocol Buffer message format.
Recently new information was passed to the CERT-IL team indicating that there is an active phishing campaign against various users in Israel. The phishing campaign starts with a malicious email sent from "Israel Post" which contains a malicious attachment that leads to malware installation on the computer.
In this multi-day intrusion, The DFIR Report observed a threat actor gain initial access to an organization by exploiting a vulnerability in ManageEngine SupportCenter Plus. The threat actor discovered files on the server and dumped credentials using a web shell, moved laterally to key servers using Plink and RDP, and exfiltrated sensitive information using the web shell and RDP. The FBI and CISA published an advisory noting that APT attackers were using CVE-2021-44077 to gain initial access to the networks of organizations in Critical Infrastructure Sectors such as the healthcare, financial, electronics and IT consulting industries.
Nao_sec identified an odd-looking Word document in the wild, uploaded from an IP address in Belarus. This turned out to be a zero-day vulnerability in Office and/or Windows. Defender for Endpoint missed execution. The document uses the Word remote template feature to retrieve an HTML file from a remote webserver, which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute some PowerShell.
ISO file downloads are advertised via QR codes on Twitter and on supposedly free gaming sites, but they don't contain what they promise. QR codes on Twitter and malvertising: the loader for the malicious Chrome extension was initially analysed by @x3ph1, who dubbed it ChromeLoader. To avoid misunderstandings with legitimate Chrome components we hereby refer to it as Choziosi loader. The analysis of the loader is detailed, but x3ph1 does not describe the Chrome extension Choziosi. Twitter user @th3_protoCOL found QR codes that circulate on Twitter and advertise pirated software to lure people into downloading an ISO. Reddit users also complain about malicious ISO files on websites that provide Steam games. This tweet by @StopMalvertisin says the ISOs are downloaded via malicious advertisements.
Cybersecurity researchers have disclosed details of the latest version of the Chaos ransomware line, dubbed Yashma. While it's purportedly a .NET version of Ryuk, closer examination of the sample reveals that it doesn't share much with the notorious ransomware. In fact, early versions of Chaos, which is now in its fourth iteration, were more akin to a destructive trojan than to traditional ransomware. The Yashma version adds some new capabilities.
Check Point Research (CPR) details a targeted campaign that has been using sanctions-related baits to attack Russian defense institutes, part of the Rostec Corporation. The investigation shows that this campaign is part of a larger Chinese espionage operation that has been ongoing against Russian-related entities for several months. CPR researchers estimate with high confidence that the campaign has been carried out by an experienced and sophisticated Chinese nation-state APT.
Palo Alto Unit42 discovered a malicious HTML help file delivering Agent Tesla. The attack is interesting because attackers are often looking for creative ways to deliver their payloads. Their purpose in doing so is twofold: an attempt to bypass security products, and an attempt to bypass security training. Potential victims may have been trained to avoid documents, scripts and executables from unknown senders, but it is important to be careful of almost any filetype. Agent Tesla is well-known malware that has been around for a while. Agent Tesla focuses on stealing sensitive information from a victim's computer and sending that information to the attacker over FTP, SMTP or HTTP. It does this primarily via keystroke logging, screen capturing, camera recording and accessing sensitive data.
A previously undocumented remote access trojan (RAT) written in the Go programming language has been spotted disproportionately targeting entities in Italy, Spain, and the U.K. Called Nerbian RAT by enterprise security firm Proofpoint, the novel malware leverages COVID-19-themed lures to propagate as part of a low-volume email-borne phishing campaign.
In this attack analyzed by C25, the Chinese APT used a spear phishing email to deliver a beacon of a Red Team framework known as "Viper".The kill chain includes an artifact that is already known and that was attributed to Naikon one year ago and it is used to load and execute a custom shellcode.The target of this attack is currently unknown but with high probability, given the previous history of the attack perpetrated by the group, it might be a government institution from a South Asian country.
The Iranian state-sponsored threat actor known as MuddyWater has been attributed to a new swarm of attacks targeting Turkey and the Arabian Peninsula with the goal of deploying remote access trojans (RATs) on compromised systems. "The MuddyWater supergroup is highly motivated and can use unauthorized access to conduct espionage, intellectual property theft, and deploy ransomware and destructive malware in an enterprise," Cisco Talos researchers Asheer Malhotra, Vitor Ventura, and Arnaud Zobec said in a report. The group, which has been active since at least 2017, is known for its attacks on various sectors that help further advance Iran's geopolitical and national security objectives.
In this newscast we go in-depth on the cyber threat the current conflict poses to Ukraine 🇺🇦 and globally. Watch this newscast to learn: the history of cyberattacks against Ukraine; the current DDoS and wiper cyber weapons in use in today's conflict; what global sanctions are in effect against Russia; what examples there are of Russia using its cyberweapons outside of Ukraine; what the potential Russian targets are globally; and what additional offensive cyber options are open to the US and its allies.
🚨 TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates 🚨
Proofpoint researchers have observed TA416, an actor assessed to be aligned with the Chinese state, utilizing web bugs to profile their targets. Commonly referred to as tracking pixels, web bugs embed a hyperlinked non-visible object within the body of an email that, when enabled, will attempt to retrieve a benign image file from an actor-controlled server. This provides a "sign of life" to threat actors and indicates that the targeted account is valid, with the user being inclined to open emails that utilize social engineering content. TA416 has been using web bugs to target victims prior to delivering malicious URLs that have installed a variety of PlugX malware payloads. The operational tempo of these campaigns, specifically those against European governments, has increased sharply since Russian troops began amassing on the border of Ukraine. The use of the web bug reconnaissance technique suggests TA416 is being more discerning about which targets the group chooses to deliver malwa
Avast Threat Research announced the discovery of new Golang ransomware, which they called HermeticRansom. This malware was found around the same time the HermeticWiper was found, and based on publicly available information from the security community it was used in recent cyberattacks in Ukraine. The new ransomware was likely used as a smokescreen for the HermeticWiper attack due to its non-sophisticated style and poor implementation. Findings in a nutshell: Elections GoRansom (aka HermeticRansom) was used to target assets on the same day as HermeticWiper; the developers used a sarcastic function-naming scheme related to US presidential elections; the malware does not use any kind of obfuscation and has pretty straightforward functionality, suggesting it was created in a short amount of time.
New research by the Symantec Threat Hunter team, has uncovered a highly sophisticated piece of malware being used by China-linked threat actors, exhibiting technical complexity previously unseen by such actors. The malware appears to be used in a long-running espionage campaign against select governments and other critical infrastructure targets. There is strong evidence to suggest the malware, Backdoor.Daxin, which allows the attacker to perform various communications and data-gathering operations on the infected computer, has been used as recently as November 2021 by attackers linked to China. Most of the targets appear to be organizations and governments of strategic interest to China. In addition, other tools associated with Chinese espionage actors were found on some of the same computers where Daxin was deployed. Daxin is without doubt the most advanced piece of malware Symantec researchers have seen used by a China-linked actor. Considering its capabilities and the nature of its
Lorenz is a ransomware strain, believed to be a rebranding of the ".sZ40" ransomware. Lorenz targets organizations worldwide with customized attacks demanding hundreds of thousands of dollars, and even millions, in ransom fees. The group is targeting victims mostly in English-speaking countries, and according to their website, the group has published stolen data from more than 20 victims, although the estimated number of successful attacks is believed to be higher.
TA402, a likely Palestinian-aligned advanced persistent threat actor, has recently engaged in campaigns leveraging a new implant, dubbed by Proofpoint analysts as NimbleMamba. NimbleMamba is likely a replacement for the group's previously used LastConn implant. These campaigns have a complex attack chain that leverages geofencing and URL redirects to legitimate sites in order to bypass detection efforts.
PrivateLoader is a modular downloader programmed in the C++ programming language connected to an unidentified PPI service. PrivateLoader sits at the front of this operation and communicates with its back-end infrastructure to retrieve URLs for the malicious payloads to "install" on the infected host. As is the case with downloaders tied to PPI services, PrivateLoader communicates a variety of statistics such as which payloads were downloaded and launched successfully. Distribution campaigns generally rely on a network of search engine optimization (SEO) enhanced websites that lure unsuspecting victims searching for warez aka pirated software to download and execute malware. A password-protected archive typically is delivered that contains a setup file that embeds and executes multiple malicious payloads on the infected host such as GCleaner, PrivateLoader, Raccoon, Redline, Smokeloader and Vidar malware.
Following news that members of the infamous 'big-game hunter' ransomware group REvil have been arrested by Russian law enforcement, effectively dismantling the group and their operations, it is likely that the group's affiliates will migrate to other ransomware-as-a-service (RaaS) providers. Varonis Threat Labs has observed one such RaaS provider, ALPHV (aka BlackCat ransomware), gaining traction since late 2021, actively recruiting new affiliates and targeting organizations across multiple sectors worldwide.
MuddyWater has conducted various campaigns against entities spread throughout the U.S.A., Europe, the Middle East and South Asia. A typical TTP employed by the group is the heavy use of scripting in their infection chains using languages like PowerShell and Visual Basic, coupled with the frequent use of living-off-the-land binaries (LoLBins). Cisco Talos recently observed a campaign operated by MuddyWater targeting users in Turkey. This campaign consists of the use of malicious PDFs and Microsoft Office documents (maldocs) to serve as the initial infection vector. These maldocs were named in such a way as to masquerade as legitimate documents from the Turkish Health and Interior Ministries. Next, the malware executes a series of scripts deployed on the infected endpoint to serve as downloaders and instrumentors for additional payloads.