SVG Phishing Malware Being Distributed with Analysis Obstruction Feature
AhnLab SEcurity intelligence Center (ASEC) recently identified a phishing malware being distributed in Scalable Vector Graphics (SVG) format. SVG is an XML-based vector image file format commonly used for icons, logos, charts, and graphs, and it allows the use of CSS and JS scripts within the code. In November 2024, the ASEC Blog introduced SVG […]
How Adversary Telegram Bots Help to Reveal Threats: Case Study - ANY.RUN's Cybersecurity Blog
Discover how to intercept data stolen by cybercriminals via Telegram bots and learn to use it to clarify related threat landscape. While analyzing malware samples uploaded to ANY.RUN’s Interactive Sandbox, one particular case marked as “phishing” and “Telegram” drew the attention of our security analysts. Although this analysis session wasn’t attributed to any known malware family or threat actor group, the analysis revealed that Telegram bots were being used for data exfiltration. This led us to apply a message interception technique for Telegram bots, previously described on the ANY.RUN blog. The investigation resulted in a clear and practical case study demonstrating how intercepting Telegram bot communications can aid in profiling the threat actor behind a relatively obscure phishing campaign. Key outcomes of this analysis include: Examination and technical analysis of a lesser known phishing campaign Demonstration of Telegram API-based data interception techniques Collection of threat intelligence (TI) indicators to help identify the actor Recommendations for detecting this type of threat
Malware Analysis Report - LockBit Ransomware v4.0 In this blog post, I’m going over my analysis for the latest variant of LockBit ransomware - version 4.0. Throughout this blog, I’ll walk through all the malicious functionalities discovered, complete with explanations and IDA screenshots to show my reverse engineering process step by step. This new version of LockBit 4.0 implements a hybrid-cryptography approach, combining Curve25519 with XChaCha20 for its file encryption scheme. This version shares similarities with the older LockBit Green variant that is derived from Conti ransomware. While the multi-threading architecture seems more streamlined than previous versions, it still delivers an encryption speed that outpaces most other ransomware families. As always, LockBit is still my most favorite malware to look at, and I certainly enjoyed doing a deep dive to understand how this version works.
Threat actors misuse Node.js to deliver malware and other malicious payloads | Microsoft Security Blog
Since October 2024, Microsoft Defender Experts has observed and helped multiple customers address campaigns leveraging Node.js to deliver malware and other payloads that ultimately lead to information theft and data exfiltration.
Cisco Talos discovered an ongoing malicious campaign operated by a financially motivated threat actor targeting users, predominantly in Poland and Germany. The actor has delivered different payloads, including Agent Tesla, Snake Keylogger, and a new undocumented backdoor we are calling TorNet, dropped by PureCrypter malware. The actor is running a Windows scheduled task on victim machines—including on endpoints with a low battery—to achieve persistence. The actor also disconnects the victim machine from the network before dropping the payload and then connects it back to the network, allowing them to evade detection by cloud antimalware solutions. We also found that the actor connects the victim’s machine to the TOR network using the TorNet backdoor for stealthy command and control (C2) communications and detection evasion.
Inside FireScam : An Information Stealer with Spyware Capabilities
FireScam is an information stealing malware with spyware capabilities. It is distributed as a fake ‘Telegram Premium’ APK via a phishing website hosted on the GitHub.io domain, mimicking the RuStore app store. The phishing website delivers a dropper that installs the FireScam malware disguised as the Telegram Premium application. The malware exfiltrates sensitive data, including notifications, messages, and other app data, to a Firebase Realtime Database endpoint. FireScam monitors device activities such as screen state changes, e-commerce transactions, clipboard activity, and user engagement to gather valuable information covertly. Captures notifications across various apps, including system apps, to potentially steal sensitive information and track user activities. It employs obfuscation techniques to hide its intent and evade detection by security tools and researchers. FireScam performs checks to identify if it is running in an analysis or virtualized environment. The malware leverages Firebase for command-and-control communication, data storage, and to deliver additional malicious payloads. Exfiltrated data is temporarily stored in the Firebase Realtime Database, filtered for valuable content, and later removed. The Firebase database reveals potential Telegram IDs linked to the threat actors and contains URLs to other malware specimens hosted on the phishing site. By exploiting the popularity of messaging apps and other widely used applications, FireScam poses a significant threat to individuals and organizations worldwide.
