QakBot is a banking trojan that has been evolving since its first version was discovered in 2008. According to the 2022 report published by CISA, it was one of the most active variants in 2021, and during 2022 and so far in 2023 it has remained quite active. Taking a brief look at the latests news of QakBot it has been updating its tactics constantly, for example, using a Windows zero-day to avoid displaying the MoTW or the most recent one, using OneNote files to drop QakBot. In this case we are particularly interested in the anti-analysis techniques used by QakBot during the early stages of its execution. These techniques can make malware analysis harder if they are not known, so learning to identify and bypass them is essential to get to see the malware’s operation at its full potential. Furthermore, there are techniques that can replicate / adopt different types of malware, so knowking them opens the door to the study of different samples.

Dive into the analysis and exploitation of a vulnerability in the Windows Ancillary Function Driver for Winsock for Local Privilege Escalation on Windows 11. More from X-Force Red experts.

The high-profile botnet, focused on mining cryptocurrency, is back with new Linux versions.

Threat actors are taking advantage of Microsoft OneNote's ability to embed files and use social engineering techniques, such as phishing emails and lures inside the OneNote document, to get unsuspecting users to download and open malicious files.

A cryptominer that uses the Invisible Internet protocol, Honkbox variants could still be evading some detection solutions.

Lumma Stealer sellers use the name “LummaC” on an underground forum called XSS, which is based in Russia. The seller has been actively promoting the malware since April 2022. In August of that year…

Menlo Labs has uncovered an unknown threat actor leveraging an evasive threat campaign distributed via Discord featuring the PureCrypter downloader and targeting government entities.

* TA569 leverages many types of injections, traffic distribution systems (TDS), and payloads including, but not limited to, SocGholish. * In addition to serving as an initial access broker, these additional injects imply TA569 may be running a pay-per-install (PPI) service * TA569 may remove injections from compromised websites only to later re-add them to the same websites. * There are multiple opportunities for defense against TA569: educating users about the activity, using Proofpoint’s Emerging Threats ruleset to block the payload domains, and blocking .js files from executing in anything but a text editor.

Executive Summary The CYFIRMA Research team has provided a preliminary analysis of a new post- exploitation framework called EXFILTRATOR-22 a.k.a....

ThreatLabz observed a new campaign targeting a Government organization in which the threat actors utilized a new Command & Control (C2) framework named Havoc

On 02 February 2023, an alert triggered in a Huntress-protected environment. At first glance, the alert itself was fairly generic - a combination of certutil using the urlcache flag to retrieve a remote resource and follow-on scheduled task creation - but further analysis revealed a more interesting set of circumstances. By investigating the event in question and pursuing root cause analysis (RCA), Huntress was able to link this intrusion to a recently-announced vulnerability as well as to a long-running post-exploitation framework linked to prominent ransomware groups.

Sliver is an open-source penetration testing tool developed in the Go programming language. Cobalt Strike and Metasploit are major examples of penetration testing tools used by many threat actors, and various attack cases involving these tools have been covered here on the ASEC blog. Recently, there have been cases of threat actors using Sliver in addition to Cobalt Strike and Metasploit. The ASEC (AhnLab Security Emergency response Center) analysis team is monitoring attacks against systems with either unpatched vulnerabilities or misconfigured settings. During this process, we have recently discovered a Sliver backdoor being installed through what is presumed to be vulnerability exploitation on certain software. Not only did threat actors use the Sliver backdoor, but they also used the BYOVD (Bring Your Own Vulnerable Driver) malware to incapacitate security products and install reverse shells.

NOTES: Zip files are password-protected. If you don't know the password, see the "about" page of this website. IOCs are listed on this page below all of the images.

Cyble analyzes 'InTheBox' as part of its thorough research on Web Injects and their role in targeting Android Banking applications worldwide,

PlugX remains an active threat. A newly discovered variant infects USB devices and a similar variant makes copies of PDF and Microsoft Word files.