EDR Bypass Testing Reveals Extortion Actor's Toolkit
A threat actor attempted to use an AV/EDR bypass tool in an extortion attempt. Instead, the tool provided Unit 42 insight into the threat actor.
Jumpy Pisces Engages in Play Ransomware
A first-ever collaboration between DPRK-based Jumpy Pisces and Play ransomware signals a possible shift in tactics.
Lynx Ransomware: A Rebranding of INC Ransomware
Discover recent attacks using Lynx ransomware, a rebrand of INC, targeting multiple crucial sectors in the U.S. and UK with prevalent double-extortion tactics. Discover recent attacks using Lynx ransomware, a rebrand of INC, targeting multiple crucial sectors in the U.S. and UK with prevalent double-extortion tactics.
Muddled Libra’s Evolution to the Cloud
Unit 42 researchers have discovered that the Muddled Libra group now actively targets software-as-a-service (SaaS) applications and cloud service provider (CSP) environments. Organizations often store a variety of data in SaaS applications and use services from CSPs. The threat actors have begun attempting to leverage some of this data to assist with their attack progression, and to use for extortion when trying to monetize their work.
Large-Scale StrelaStealer Campaign in Early 2024
We unravel the details of two large-scale StrelaStealer campaigns from 2023 and 2024. This email credential stealer has a new variant delivered through zipped JScript. #2024 #Campaign #EN #JScript #StrelaStealer #analysis #paloaltonetworks
Fighting Ursa Aka APT28: Illuminating a Covert Campaign
In three campaigns over the past 20 months, Russian APT Fighting Ursa has targeted over 30 organizations of likely strategic intelligence value using CVE-2023-23397.
CVE-2023-34362: MOVEit Transfer SQL Injection Vulnerability Threat Brief
On May 31, Progress Software posted a notification alerting customers of a critical Structured Query Language injection (SQLi) vulnerability (CVE-2023-34362) in their MOVEit Transfer product. MOVEit Transfer is a managed file transfer (MFT) application intended to provide secure collaboration and automated file transfers of sensitive data.
Old Wine in the New Bottle: Mirai Variant Targets Multiple IoT Devices
We analyze Mirai variant IZ1H9, which targets IoT devices. Our overview includes campaigns observed, botnet configuration and vulnerabilities exploited.
GoBruteforcer: Golang-Based Botnet Actively Harvests Web Servers
New Golang-based malware we have dubbed GoBruteforcer targets web servers. Golang is becoming popular with malware programmers due to its versatility.
Vice Society: Profiling a Persistent Threat to the Education Sector
Vice Society, a ransomware gang, has been involved in high-profile activity against schools this year.
Blowing Cobalt Strike Out of the Water With Memory Analysis
Unit 42 researchers examine several malware samples that incorporate Cobalt Strike components, and discuss some of the ways that we catch these samples by analyzing artifacts from the deltas in process memory at key points of execution. We will also discuss the evasion tactics used by these threats, and other issues that make their analysis problematic.
Banking Trojan Techniques: Financially Motivated Malware
Understanding banking Trojan techniques can help detect other activities of financially motivated threat groups.
Ransom Cartel Ransomware: A Possible Connection With REvil
Ransom Cartel is ransomware as a service (RaaS) that exhibits several similarities to and technical overlaps with REvil ransomware. Read our overview.
Domain Shadowing: A Stealthy Use of DNS Compromise for Cybercrime
Domain shadowing is a special case of DNS hijacking where attackers stealthily create malicious subdomains under compromised domain names.
Mirai Variant MooBot Targeting D-Link Devices
Attackers are leveraging known vulnerabilities in D-Link devices to deliver MooBot, a Mirai variant, potentially leading to further DDoS attacks.
Legitimate SaaS Platforms Being Used to Host Phishing Attacks
Platform-abuse phishing is on the rise. We analyze how attackers use services such as website builders to host phishing pages.
Palo Alto bug used for DDoS attacks and there's no fix yet
A high-severity Palo Alto Networks denial-of-service (DoS) vulnerability has been exploited by miscreants looking to launch DDoS attacks, and several of the affected products won't have a patch until next week
New Emotet Infection Method
As early as Dec. 21, 2021, Unit 42 observed a new infection method for the highly prevalent malware family Emotet. Emotet is high-volume malware that often changes and modifies its attack patterns. This latest modification of the Emotet attack follows suit.
GoBruteforcer: Golang-Based Botnet Actively Harvests Web Servers
New Golang-based malware we have dubbed GoBruteforcer targets web servers. Golang is becoming popular with malware programmers due to its versatility.
Vice Society: Profiling a Persistent Threat to the Education Sector
Vice Society, a ransomware gang, has been involved in high-profile activity against schools this year.
Blowing Cobalt Strike Out of the Water With Memory Analysis
Unit 42 researchers examine several malware samples that incorporate Cobalt Strike components, and discuss some of the ways that we catch these samples by analyzing artifacts from the deltas in process memory at key points of execution. We will also discuss the evasion tactics used by these threats, and other issues that make their analysis problematic.
Banking Trojan Techniques: Financially Motivated Malware
Understanding banking Trojan techniques can help detect other activities of financially motivated threat groups.
Ransom Cartel Ransomware: A Possible Connection With REvil
Ransom Cartel is ransomware as a service (RaaS) that exhibits several similarities to and technical overlaps with REvil ransomware. Read our overview.
Domain Shadowing: A Stealthy Use of DNS Compromise for Cybercrime
Domain shadowing is a special case of DNS hijacking where attackers stealthily create malicious subdomains under compromised domain names.
Mirai Variant MooBot Targeting D-Link Devices
Attackers are leveraging known vulnerabilities in D-Link devices to deliver MooBot, a Mirai variant, potentially leading to further DDoS attacks.
Legitimate SaaS Platforms Being Used to Host Phishing Attacks
Platform-abuse phishing is on the rise. We analyze how attackers use services such as website builders to host phishing pages.
Palo Alto bug used for DDoS attacks and there's no fix yet
A high-severity Palo Alto Networks denial-of-service (DoS) vulnerability has been exploited by miscreants looking to launch DDoS attacks, and several of the affected products won't have a patch until next week
New Emotet Infection Method
As early as Dec. 21, 2021, Unit 42 observed a new infection method for the highly prevalent malware family Emotet. Emotet is high-volume malware that often changes and modifies its attack patterns. This latest modification of the Emotet attack follows suit.
Legitimate SaaS Platforms Being Used to Host Phishing Attacks
Platform-abuse phishing is on the rise. We analyze how attackers use services such as website builders to host phishing pages.
Palo Alto bug used for DDoS attacks and there's no fix yet
A high-severity Palo Alto Networks denial-of-service (DoS) vulnerability has been exploited by miscreants looking to launch DDoS attacks, and several of the affected products won't have a patch until next week