Threat Feed

Yanluowang ransomware, is a recently discovered ransomware family. One interesting aspect of these samples is that the files are code-signed using a valid digital signature, which was either stolen or fraudulently signed. They also terminate various processes including Veeam and SQL, which are related to database and backup management. After being uncovered a few weeks ago, the Yanluowang ransomware (named after the Chinese deity Yanluo Wang) has since been associated with campaigns, and its operators are said to launch targeted attacks on US corporations since at least August this year.

🚨 Yanluowang Ransomware was Detected🚨News

160

idantCommunity Manager

GuLoader, also commonly referred to as CloudEyE or vbdropper, was first noticed in the wild around December 2019, and has since been used to distribute malware at scale around the globe. Loader / downloader malware is first-stage malware that is designed to infect a target, and then help execute second-stage malware or malicious payloads. Loaders are typically used to launch Malware-as-a-Service (MaaS) schemes created by cybercriminals to provide paid access to servers and infrastructures to launch distributed malware campaigns. While GuLoader delivery methods vary, it's most often used via malspam campaigns.

🚨GuLoader Loader Malware 🚨News

idantCommunity Manager

A critical remote code execution vulnerability in the popular Apache Foundation Log4j library has been disclosed. It could allow an attacker to completely take control of an affected server. It can be leveraged in default configurations by an unauthenticated remote attacker to target applications that make use of the Log4j library. This vulnerability, tracked as CVE-2021-44228, received a CVSS severity score of a maximum 10.0, and is widely believed to be easy to exploit.

🚨Apache log4j Critical RCE Vulnerability 🚨News

310

idantCommunity Manager

The ASEC analysis team has introduced malicious PowerPoint files that have been continuously distributed since last year. Recently, the team has discovered that various malicious features were added to the script that is run in the malicious PowerPoint file. The method the malicious file is run remains the same as the previous cases, and it performs features such as Anti-AV, and UAC Bypass, and execution of additional malware by a malicious script.

🚨Researchers discovered malicious PowerPoint files 🚨News

idantCommunity Manager

Recently in the malicious campaign APT37 is being seen targeting it's victims with malicious documents embedded with malicious files in it. The malicious document are about spreading nCoV-19 disinformation to encourage victims not get vaccinated with nCoV-19 vaccine and disinformation impersonating document about "Upbit" 'operations policy changes'. Along with the malicious document APT37 is being seen deploying shell script and dropping malware.

🚨APT37 Targets Victims With Malware 🚨News

idantCommunity Manager

Malicious Excel files are being distributed to companies amid the Black Friday season. Email are being distributed with an Excel file attached that contains an Excel 4.0 Macro (XLM) macro sheet in the form of the XLSB excel binary. It checks whether the system is a domain controller then activates additional malicious features. The filename of the attached Excel file is 'promo details-[number].xlsb,' and its file format is XLSB. XLSB is the Excel Binary File Format that has a different file structure from that of XLS and XLSX files. Unlike XLSX which is a string-based XML file format, XLSB consists of Hex binary, making it harder for analysts or anti-malware software with targeted file scan feature to decrypt its codes.

🚨Distribution of Malicious Excel Files Targeting Companies Amid Black Friday Season🚨News

idantCommunity Manager

The ScarCruft group (also known as APT37 or Temp.Reaper) is a nation-state sponsored APT actor first reported in 2016. ScarCruft is known to target North Korean defectors, journalists who cover North Korea-related news and government organizations related to the Korean Peninsula, between others. Recently, Kaspersky were approached by a news organization with a request for technical assistance during their cybersecurity investigations. As a result, Kaspersky had an opportunity to perform a deeper investigation on a host compromised by ScarCruft. The victim was infected by PowerShell malware and they discovered evidence that the actor had already stolen data from the victim and had been surveilling this victim for several months. The actor also attempted to send spear-phishing emails to the victims' associates working in businesses related to North Korea by using stolen login credentials.

🚨 ScarCruft surveilling North Korean defectors and human rights activists 🚨Blog

idantCommunity Manager

IKEA is battling an ongoing cyberattack where threat actors are targeting employees in internal phishing attacks using stolen reply-chain emails. A reply-chain email attack is when threat actors steal legitimate corporate email and then reply to them with links to malicious documents that install malware on recipients' devices. As the reply-chain emails are legitimate emails from a company and are commonly sent from compromised email accounts and internal servers, recipients' will trust the email and be more likely to open the malicious documents.

🚨IKEA faces a cyber attack 🚨News

idantCommunity Manager

An advanced persistent threat (APT) has been linked to cyberattacks on two biomanufacturing companies that occurred this year with the help of a custom malware loader called "Tardigrade." The malware is actively spreading across the sector with the likely goal of perpetrating intellectual property theft, maintaining persistence for extended periods of time, and infecting the systems with ransomware.

🚨Tardigrade Malware Targets Biomanufacturing Operations 🚨News

idantCommunity Manager

Calling themselves "Memento team", actors use Python-based ransomware that they reconfigured after setbacks. This was a retooling by the ransomware actors, who initially attempted to encrypt files directly-but were stopped by endpoint protection. The Memento actors also waited a long time before executing their attack-so long that at least two different cryptocurrency miners were dropped onto the server they used for initial access during the course of their dwell time by different intruders using similar exploits.

🚨Researchers detected a a new Memento Ransomware 🚨News

idantCommunity Manager

Squirrelwaffle emerged as a new loader that is spread through spam campaigns. It is known for sending its malicious emails as replies to preexisting email chains, a tactic that lowers a victim's guard against malicious activities. To be able to pull this off, analysts believe it involved the use of a chain of both ProxyLogon and ProxyShell exploits. This comes from the fact that all of the intrusions analysts observed originated from on-premise Microsoft Exchange Servers that appeared to be vulnerable to ProxyLogon and ProxyShell.

🚨Squirrelwaffle uses ProxyLogon and ProxyShell exploits on Microsoft Exchange Servers 🚨News

idantCommunity Manager

Back in January 2021, law enforcement and judicial authorities worldwide took down the Emotet botnet. Although some Emotet emails still went out in the weeks after that, those were remnants from the inactive botnet infrastructure. Suddenly, new indicators arrived showing that Emotet has returned.

🚨Emotet Botnet has Returned 🚨News

idantCommunity Manager

The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations. FBI, CISA, ACSC, and NCSC assess the actors are focused on exploiting known vulnerabilities rather than targeting specific sectors. These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion.

🚨Iran-backed Hackers Accused Of Targeting US Companies 🚨News

idantCommunity Manager

Hacker group MosesStaff began targeting Israeli organizations, joining a wave of attacks which was started about a year ago by the Pay2Key and BlackShadow attack groups. Those actors operated mainly for political reasons in attempt to create noise in the media and damage the country's image, demanding money and conducting lengthy and public negotiations with the victims. MosesStaff behaves differently. The group openly states that their motivation in attacking Israeli companies is to cause damage by leaking the stolen sensitive data and encrypting the victim's networks, with no ransom demand. In the language of the attackers, their purpose is to "Fight against the resistance and expose the crimes of the Zionists in the occupied territories."

🚨New Moses Staff group targets Israeli organizations in destructive attacks 🚨News

idantCommunity Manager

Lyceum backdoors appear to have targeted ISPs and telecommunication operators in Israel, Morocco, Tunisia, and Saudi Arabia as well as a ministry of foreign affairs (MFA) in Africa. At least two of the identified compromises are assessed to be ongoing. Domain name system (DNS) tunneling appears to be used only during the early stages of backdoor deployment; subsequently, the Lyceum operators use the HTTP(S) command and control (C2) functionality encoded in the backdoors.

🚨 Iran's Lyceum Hackers Target Telecoms, ISPs in Israel, Saudi Arabia, and Africa 🚨News

idantCommunity Manager

Analysts have found new malware written in the open source programming language Golang. Deployed with more than 30 exploits, it has the potential of targeting millions of routers and IoT devices. Key Takeaways: BotenaGo has more than 30 different exploit functions to attack a target. The malware creates a backdoor and waits to either receive a target to attack from a remote operator through port 19412 or from another related module running on the same machine. It is yet unclear which threat actor is behind the malware and number of infected devices.

🚨BotenaGo botnet targets millions of IoT devices with 33 exploits 🚨News

idantCommunity Manager

Snake Keylogger is a malware developed using .NET. It first appeared in late 2020 and focused on stealing sensitive information from a victim's device, including saved credentials, the victim's keystrokes, screenshots of the victim's screen, and clipboard data.

🚨 New Malware: Snake Keylogger 🚨News

idantCommunity Manager

A banking Trojan called "Mekotio" that targeted Latin America countries in the past, now making a comeback with a change in its infection flow. Check Point Research (CPR) detected over 100 attacks using the Trojan's new technique The infection starts out and distributed with a phishing email containing a link to a zip archive or a zip file as an attachment. One of the main characteristics of those bankers, such as Mekotio, is the modular attack which gives the attackers the ability to change only a small part of the whole in order to avoid detection.

🚨Trojan Mekotio Revives with Updated Code🚨News

idantCommunity Manager

US Cybersecurity and Infrastructure Security Agency (CISA) released an alert warning that advanced persistent threat (APT) actors were actively exploiting newly identified vulnerabilities in a self-service password management and single sign-on solution known as ManageEngine ADSelfService Plus. The alert explained that malicious actors were observed deploying a specific webshell and other techniques to maintain persistence in victim environments.

🚨ATTACKERS EXPLOIT MANAGEENGINE FLAW TO STEAL SENSITIVE DATA 🚨News

idantCommunity Manager

Recently, a new threat, referred to as "SquirrelWaffle" is being spread more widely via spam campaigns, infecting systems with a new malware loader. This is a malware family that's been spread with increasing regularity and could become the next big player in the spam space. SquirrelWaffle provides threat actors with an initial foothold onto systems and their network environments that can then be used to facilitate further compromise or additional malware infections depending on how adversaries choose to attempt to monetize their access. In many cases, these infections are also being used to deliver and infect systems with other malware like Qakbot and the penetration-testing tool Cobalt Strike.

🚨 New Threat ‘SquirrelWaffle’ Deploys Qakbot and Cobalt Strike Through Malspam 🚨News

idantCommunity Manager

A new threat actor is exploiting ProxyShell flaws in attacks aimed at Microsoft Exchange servers to deploy the Babuk Ransomware in corporate networks. Analysts warn of a new threat actor that is hacking Microsoft Exchange servers by exploiting ProxyShell flaws to gain access to corporate and deploy the Babuk Ransomware. Over the past months, other ransomware gangs, including Conti and Lockfile, exploited ProxyShell flaws to deliver their malware. The attacks were carried out by a Babuk ransomware affiliate tracked as Tortilla.

🚨 A new variant of Babuk ransomware targeting Exchange servers 🚨News

idantCommunity Manager

Development of custom tool suggests ransomware attackers are attempting to increase the speed of their attacks. At least one affiliate of the BlackMatter ransomware operation has begun using a custom data exfiltration tool in its attacks. Exmatter, which was discovered by Symantec's Threat Hunter Team, is designed to steal specific file types from a number of selected directories and upload them to an attacker-controlled server prior to deployment of the ransomware itself on the victim's network.

🚨 BlackMatter Group Speeds Up Data Theft with New Tool 🚨News

idantCommunity Manager

Analysts identified the large cybercrime actor TA575 distributing Dridex malware using Squid Game lures. The threat actor is purporting to be entities associated with the Netflix global phenomenon using emails enticing targets to get early access to a new season of Squid Game or to become a part of the TV show casting.

🚨 TA575 is Using Squid Game Lures to Drop Dridex Malware 🚨News

150

idantCommunity Manager

FortiGuard Labs recently discovered a variant of the Chaos ransomware that appears to target Minecraft gamers in Japan. This variant not only encrypts certain files but also destroys others, rendering them unrecoverable. If gamers fall prey to the attack, choosing to pay the ransom may still lead to a loss of data.

🚨 Chaos ransomware targets Minecraft gamers in Japan 🚨News

idantCommunity Manager

Karma is a relatively new ransomware threat actor, having first been observed in June of 2021. The group has targeted numerous organizations across different industries. Reports of a group with the same name from 2016 are not related to the actors currently using the name.

🚨 New Threat Actor: Karma Ransomware 🚨News