Microsoft analyzes a threat group tracked as DEV-0196, the actor’s iOS malware “KingsPawn”, and their link to an Israel-based private sector offensive actor (PSOA) known as QuaDream, which reportedly sells a suite of exploits, malware, and infrastructure called REIGN, that’s designed to exfiltrate data from mobile devices.

North Korean-sponsored actors believed to be linked to attack that Trojanized several versions of 3CX DesktopApp

ESET researchers are the first to publish an analysis of BlackLotus, the first in-the-wild UEFI bootkit capable of bypassing UEFI Secure Boot.

Fortinet FortiNAC CVE-2022-39952 Deep-Dive and IOCs. This vulnerability allows remote code execution as the root user. (advisory https://www.fortiguard.com/psirt?date=02-2023)

NOTES: Zip files are password-protected. If you don't know the password, see the "about" page of this website. IOCs are listed on this page below all of the images.

In this week's Ransomware Roundup, FortiGuardLabs covers Trigona ransomware along with protection recommendations. Read the blog to find out more.

Key Findings: * The use of Microsoft OneNote documents to deliver malware via email is increasing. * Multiple cybercriminal threat actors are using OneNote documents to deliver malware. * While some campaigns are targeted at specific industries, most are broadly targeted and include thousands of messages. * In order to detonate the payload, an end-user must interact with the OneNote document. * Campaigns have impacted organizations globally, including North America and Europe. * TA577 returned from a month-long hiatus in activity and began using OneNote to deliver Qbot at the end of January 2023.

The Uptycs threat research team discovered a Titan stealer malware campaign, which is marketed and sold by a threat actor (TA) through a Telegram channel.

Although Flash Player reached end of life for macOS in 2020, this has not stopped Shlayer operators from continuing to abuse it for malvertising campaigns.

While conducting routine threat hunting for macOS malware on Ad networks, I stumbled upon an unusual Shlayer sample. Upon further analysis, it became clear that this variant was different from the known Shlayer variants such as OSX/Shlayer.D, OSX/Shlayer.E, or ZShlayer. We have dubbed it OSX/Shlayer.F.

Cluster25 researchers analyzed several campaigns (also publicly reported by CERT-AGID) that used phishing emails to spread an InfoStealer malware written in .NET through an infection chain that involves Windows Shortcut (LNK) files and Batch Scripts (BAT). Taking into account the used TTPs and extracted evidence, the attacks seem perpetrated by the same adversary (internally named AUI001).

Since September 2022, Aurora malware is advertised as an infostealer and several traffers teams announced they added it to their malware toolset.

RedLine is an information stealer which operates on a MaaS (malware-as-a-service) model. This stealer is available on underground forums, and priced according to users' needs.