Found 14 bookmarks
Custom sorting
HijackLoader evolution: abusing genuine signing certificates
HijackLoader evolution: abusing genuine signing certificates
Since mid-September 2024, our telemetry has revealed a significant increase in “Lumma Stealer”1 malware deployments via the “HijackLoader”2 malicious loader. On October 2, 2024, HarfangLab EDR detected and blocked yet another HijackLoader deployment attempt – except this time, the malware sample was properly signed with a genuine code-signing certificate. In response, we initiated a hunt for code-signing certificates (ab)used to sign malware samples. We identified and reported more of such certificates. This report briefly presents the associated stealer threat, outlines the methodology for hunting these certificates, and providees indicators of compromise.
#harfanglab#EN#2024#HijackLoader#captcha#fake#malicious#loader#campaign
·harfanglab.io·
HijackLoader evolution: abusing genuine signing certificates
Emmenhtal: a little-known Emmenhtal distributing commodity infostealers worldwide
Emmenhtal: a little-known Emmenhtal distributing commodity infostealers worldwide
  • Following detections from our Managed Threat Detection (CyberSOC) teams, our CERT analysts were able to uncover several recent campaigns leading to CryptBot and Lumma infostealers. Some of these campaigns are still active and target various organizations worldwide. These campaigns leverage a little-documented loader we dubbed “Emmenhtal”, (because we are cheese lovers), which hides in the padding of a modified legitimate Windows binary and uses HTA. Emmenhtal likely surfaced at the beginning of 2024 and is possibly being distributed by several financially motivated threat actors through various means (from traditional email phishing lures to fake videos). IoCs can be found on our dedicated GitHub page here. Note: The analysis cut-off date for this report was August 07, 2024.
#orangecyberdefense#EN#2024#Emmenhtal#loader#infostealers
·orangecyberdefense.com·
Emmenhtal: a little-known Emmenhtal distributing commodity infostealers worldwide
THREAT ANALYSIS REPORT: Bumblebee Loader – The High Road to Enterprise Domain Control
THREAT ANALYSIS REPORT: Bumblebee Loader – The High Road to Enterprise Domain Control
Cybereason GSOC observed distribution of the Bumblebee Loader and post-exploitation activities including privilege escalation, reconnaissance and credential theft. Bumblebee operators use the Cobalt Strike framework throughout the attack and abuse credentials for privilege escalation to access Active Directory, as well as abusing a domain administrator account to move laterally, create local user accounts and exfiltrate data...
#cybereason#EN#2022#THREAT#ANALYSIS#REPORT#Bumblebee#Loader#CobaltStrike
·cybereason.com·
THREAT ANALYSIS REPORT: Bumblebee Loader – The High Road to Enterprise Domain Control
THREAT ANALYSIS REPORT: Bumblebee Loader – The High Road to Enterprise Domain Control
THREAT ANALYSIS REPORT: Bumblebee Loader – The High Road to Enterprise Domain Control
Cybereason GSOC observed distribution of the Bumblebee Loader and post-exploitation activities including privilege escalation, reconnaissance and credential theft. Bumblebee operators use the Cobalt Strike framework throughout the attack and abuse credentials for privilege escalation to access Active Directory, as well as abusing a domain administrator account to move laterally, create local user accounts and exfiltrate data...
#cybereason#EN#2022#THREAT#ANALYSIS#REPORT#Bumblebee#Loader#CobaltStrike
·cybereason.com·
THREAT ANALYSIS REPORT: Bumblebee Loader – The High Road to Enterprise Domain Control
THREAT ANALYSIS REPORT: Bumblebee Loader – The High Road to Enterprise Domain Control
THREAT ANALYSIS REPORT: Bumblebee Loader – The High Road to Enterprise Domain Control
Cybereason GSOC observed distribution of the Bumblebee Loader and post-exploitation activities including privilege escalation, reconnaissance and credential theft. Bumblebee operators use the Cobalt Strike framework throughout the attack and abuse credentials for privilege escalation to access Active Directory, as well as abusing a domain administrator account to move laterally, create local user accounts and exfiltrate data...
#cybereason#EN#2022#THREAT#ANALYSIS#REPORT#Bumblebee#Loader#CobaltStrike
·cybereason.com·
THREAT ANALYSIS REPORT: Bumblebee Loader – The High Road to Enterprise Domain Control