Security Brief: TA547 Targets German Organizations with Rhadamanthys Stealer
What happened Proofpoint identified TA547 targeting German organizations with an email campaign delivering Rhadamanthys malware. This is the first time researchers observed TA547 use Rhadamanthys,...
Rhadamanthys v0.5.0 - a deep dive into the stealer’s components
The Rhadamanthys stealer is a multi-layer malware, sold on the black market, and frequently updated. Recently the author released a new major version, 0.5.0. In the new version, the malware expands its stealing capabilities and also introduces some general-purpose spying functions. A new plugin system makes the malware expandable for specific distributor needs. The custom executable formats, used for modules, are unchanged since our last publication (XS1 and XS2 formats are still in distribution). Check Point Research (CPR) provides a comprehensive review of the agent modules, presenting their capabilities and implementation, with a focus on how the stealer components are loaded and how they work.
Lumma Stealer targets YouTubers via Spear-phishing Email | by S2W | S2W BLOG | Feb, 2023 | Medium
Lumma Stealer sellers use the name “LummaC” on an underground forum called XSS, which is based in Russia. The seller has been actively promoting the malware since April 2022. In August of that year…
The Titan Stealer: Notorious Telegram Malware Campaign
The Uptycs threat research team discovered a Titan stealer malware campaign, which is marketed and sold by a threat actor (TA) through a Telegram channel.
New RisePro Stealer distributed by the prominent PrivateLoader
PrivateLoader is an active malware in the loader market, used by multiple threat actors to deliver various payloads, mainly information stealer. Since our previous investigation, we keep tracking the malware to map its ecosystem and delivered payloads. Starting from this tria.ge submission, we recognized a now familiar first payload, namely PrivateLoader. However, the dropped stealer was not part of our stealer growing collection, notably including RedLine or Raccoon. Eventually SEKOIA.IO realised it was a new undocumented stealer, known as RisePro. This article aims at presenting SEKOIA.IO RisePro information stealer analysis.
ViperSoftX: Hiding in System Logs and Spreading VenomSoftX - Avast Threat Labs
ViperSoftX is a multi-stage stealer that exhibits interesting hiding capabilities. Other than stealing cryptocurrencies, it also spreads the VenomSoftX browser extension, which performs man-in-the-browser attacks.
RedLine is an information stealer which operates on a MaaS (malware-as-a-service) model. This stealer is available on underground forums, and priced according to users' needs.
The Zimperium zLabs team recently discovered a malicious browser extension, originally called Cloud9, which not only steals the information available during the browser session but can also install malware on a user's device and subsequently assume control of the entire device. In this blog, we will take a deeper look into this malicious browser extension.
RedLine is a stealer distributed as cracked games, applications, and services. The malware steals information from web browsers, cryptocurrency wallets, and applications such as FileZilla, Discord, Steam, Telegram, and VPN clients. The binary also gathers data about the infected machine, such as the running processes, antivirus products, installed programs, the Windows product name, the processor architecture, etc. The stealer implements the following actions that extend its functionality: Download, RunPE, DownloadAndEx, OpenLink, and Cmd. The extracted information is converted to the XML format and exfiltrated to the C2 server via SOAP messages.
Lumma Stealer targets YouTubers via Spear-phishing Email | by S2W | S2W BLOG | Feb, 2023 | Medium
Lumma Stealer sellers use the name “LummaC” on an underground forum called XSS, which is based in Russia. The seller has been actively promoting the malware since April 2022. In August of that year…
The Titan Stealer: Notorious Telegram Malware Campaign
The Uptycs threat research team discovered a Titan stealer malware campaign, which is marketed and sold by a threat actor (TA) through a Telegram channel.
New RisePro Stealer distributed by the prominent PrivateLoader
PrivateLoader is an active malware in the loader market, used by multiple threat actors to deliver various payloads, mainly information stealer. Since our previous investigation, we keep tracking the malware to map its ecosystem and delivered payloads. Starting from this tria.ge submission, we recognized a now familiar first payload, namely PrivateLoader. However, the dropped stealer was not part of our stealer growing collection, notably including RedLine or Raccoon. Eventually SEKOIA.IO realised it was a new undocumented stealer, known as RisePro. This article aims at presenting SEKOIA.IO RisePro information stealer analysis.
ViperSoftX: Hiding in System Logs and Spreading VenomSoftX - Avast Threat Labs
ViperSoftX is a multi-stage stealer that exhibits interesting hiding capabilities. Other than stealing cryptocurrencies, it also spreads the VenomSoftX browser extension, which performs man-in-the-browser attacks.
RedLine is an information stealer which operates on a MaaS (malware-as-a-service) model. This stealer is available on underground forums, and priced according to users' needs.
The Zimperium zLabs team recently discovered a malicious browser extension, originally called Cloud9, which not only steals the information available during the browser session but can also install malware on a user's device and subsequently assume control of the entire device. In this blog, we will take a deeper look into this malicious browser extension.
RedLine is a stealer distributed as cracked games, applications, and services. The malware steals information from web browsers, cryptocurrency wallets, and applications such as FileZilla, Discord, Steam, Telegram, and VPN clients. The binary also gathers data about the infected machine, such as the running processes, antivirus products, installed programs, the Windows product name, the processor architecture, etc. The stealer implements the following actions that extend its functionality: Download, RunPE, DownloadAndEx, OpenLink, and Cmd. The extracted information is converted to the XML format and exfiltrated to the C2 server via SOAP messages.
RedLine is a stealer distributed as cracked games, applications, and services. The malware steals information from web browsers, cryptocurrency wallets, and applications such as FileZilla, Discord, Steam, Telegram, and VPN clients. The binary also gathers data about the infected machine, such as the running processes, antivirus products, installed programs, the Windows product name, the processor architecture, etc. The stealer implements the following actions that extend its functionality: Download, RunPE, DownloadAndEx, OpenLink, and Cmd. The extracted information is converted to the XML format and exfiltrated to the C2 server via SOAP messages.