Malvertising on Microsoft Edge's News Feed pushes tech support scams
We uncovered a campaign on the Microsoft Edge home page where malicious ads are luring victims into tech support scams.
Bumblebee Returns with New Infection Technique
Delivers Payload Using Post Exploitation Framework During our routine threat-hunting exercise, Cyble Research & Intelligence Labs (CRIL) came across a Twitter post wherein a researcher mentioned an interesting infection chain of the Bumblebee loader malware being distributed via spam campaigns. Bumblebee is a replacement for the BazarLoader malware, which acts as a downloader and delivers known attack frameworks and open-source tools such as Cobalt Strike, Shellcode, Sliver, Meterpreter, etc. It also downloads other types of malware such as ransomware, trojans, etc.
Dead or Alive? An Emotet Story
In this intrusion from May 2022, we observed a domain-wide compromise that started from a malware ridden Excel document containing the never-dying malware, Emotet. The post-exploitation started ver…
Shikitega - New stealthy malware targeting Linux
AT&T Alien Labs has discovered a new malware targeting endpoints and IoT devices that are running Linux operating systems. Shikitega is delivered in a multistage infection chain where each module responds to a part of the payload and downloads and executes the next one. An attacker can gain full control of the system, in addition to the cryptocurrency miner that will be executed and set to persist.
Mirai Variant MooBot Targeting D-Link Devices
Attackers are leveraging known vulnerabilities in D-Link devices to deliver MooBot, a Mirai variant, potentially leading to further DDoS attacks.
SafeBreach Uncovers New Remote Access Trojan (RAT)
Dubbed CodeRAT, the new RAT is used in attacks targeting Farsi-speaking code developers using a Microsoft Dynamic Data Exchange (DDE) exploit.
TA505 Hackers Using TeslaGun Panel to Manage ServHelper Backdoor Attacks
Cybersecurity researchers have offered insight into a previously undocumented software control panel used by a financially motivated threat group known as TA505. "The group frequently changes its malware attack strategies in response to global cybercrime trends," Swiss cybersecurity firm PRODAFT said in a report shared with The Hacker News. "It opportunistically adopts new technologies in order to gain leverage over victims before the wider cybersecurity industry catches on."
Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users
A few months ago, we blogged about malicious extensions redirecting users to phishing sites and inserting affiliate IDs into cookies of eCommerce sites. Since that time, we have investigated several other malicious extensions and discovered 5 extensions with a total install base of over 1,400,000 "...the extensions also track the user’s browsing activity."
PyPI Phishing Campaign | JuiceLedger Threat Actor Pivots From Fake Apps to Supply Chain Attacks
A new threat actor is spreading infostealer malware through targeted attacks on developers and fraudulent cryptotrading applications.
Break me out of sandbox in old pipe - CVE-2022-22715 Windows Dirty Pipe
In February 2022, Microsoft patched the vulnerability I used in TianfuCup 2021 for escaping Adobe Reader sandbox, assigned CVE-2022-22715. The vulnerability existed in Named Pipe File System nearly 10 years since the AppContainer was born. We called it "Windows Dirty Pipe". In this article, I will share the root cause and exploitation of Windows Dirty Pipe. So let's start our journey.
THREAT ANALYSIS REPORT: Bumblebee Loader – The High Road to Enterprise Domain Control
Cybereason GSOC observed distribution of the Bumblebee Loader and post-exploitation activities including privilege escalation, reconnaissance and credential theft. Bumblebee operators use the Cobalt Strike framework throughout the attack and abuse credentials for privilege escalation to access Active Directory, as well as abusing a domain administrator account to move laterally, create local user accounts and exfiltrate data...
CVE-2022-27925
On May 10, 2022, Zimbra released versions 9.0.0 patch 24 and 8.8.15 patch 31 to address multiple vulnerabilities in Zimbra Collaboration Suite, including CVE-2…
Mēris botnet, climbing to the record
End of June 2021, Qrator Labs started to see signs of a new assaulting force on the Internet – a botnet of a new kind. That is a joint research we conducted together with Yandex to elaborate on the specifics of the DDoS attacks enabler emerging in almost real-time.
Reservations Requested: TA558 Targets Hospitality and Travel
- TA558 is a likely financially motivated small crime threat actor targeting hospitality, hotel, and travel organizations. * Since 2018, this group has used consistent tactics, techniques, and procedures to attempt to install a variety of malware including Loda RAT, Vjw0rm, and Revenge RAT. * TA558’s targeting focus is mainly on Portuguese and Spanish speakers, typically located in the Latin America region, with additional targeting observed in Western Europe and North America. * TA558 increased operational tempo in 2022 to a higher average than previously observed. * Like other threat actors in 2022, TA558 pivoted away from using macro-enabled documents in campaigns and adopted new tactics, techniques, and procedures.
Making Sense of the Killnet, Russia’s Favorite Hacktivists
Killnet makes three announcements The past month seemed to be a turning point for the pro-Russian hacktivist group “Killnet”—and it was very eager to tell the world about it. First, on July 27, “Killmilk”—the founder and the head of the group who led its transformation from a DDoS-for-hire outlet i
A Detailed Analysis of the RedLine Stealer
RedLine is a stealer distributed as cracked games, applications, and services. The malware steals information from web browsers, cryptocurrency wallets, and applications such as FileZilla, Discord, Steam, Telegram, and VPN clients. The binary also gathers data about the infected machine, such as the running processes, antivirus products, installed programs, the Windows product name, the processor architecture, etc. The stealer implements the following actions that extend its functionality: Download, RunPE, DownloadAndEx, OpenLink, and Cmd. The extracted information is converted to the XML format and exfiltrated to the C2 server via SOAP messages.
LockBit Ransomware Group Augments Its Latest Variant, LockBit 3.0, With BlackMatter Capabilities
In June 2022, LockBit revealed version 3.0 of its ransomware. In this blog entry, we discuss the findings from our own technical analysis of this variant and its behaviors, many of which are similar to those of the BlackMatter ransomware
![[CVE-2022-34918] A crack in the Linux firewall](https://rdl.ink/render/https%3A%2F%2Fwww.randorisec.fr%2Fimg%2Fblog%2Ftux.jpg?width=92&height=&ar=&mode=&format=avif&dpr=2)
[CVE-2022-34918] A crack in the Linux firewall
In our previous article Yet another bug into Netfilter, I presented a vulnerability found within the netfilter subsystem of the Linux kernel. During my investigation, I found a weird comparison that does not fully protect a copy within a buffer. It led to a heap buffer overflow that was exploited to obtain root privileges on Ubuntu 22.04.
Joker, Facestealer and Coper banking malwares on Google Play store
Joker, Facestealers and Banker swarming Google Play store
How to Assess an E-voting System
If I can shop and bank online, why can’t I vote online? David Jefferson explained in 2011 why internet voting is so difficult to make secure, I summarized again in 2021 why internet voting is still inherently insecure, and many other experts have explained it too. Still, several countries and several U.S. states have offered e-voting to some of their citizens. In many cases they plunge forward without much consideration of whether their e-voting system is really secure, or whether it could be hacked to subvert democracy. It’s not enough just to take the software vendor’s word for it.
The forgotten SUAVEEYEFUL FreeBSD software implant of the EQUATION GROUP
I was checking the 2017 ShadowBrokers leaks when I noticed that one of the EQUATION GROUP tools leaked back then has no public references/analysis (at least as far as I can tell). So, here is what …
Microsoft Plans to Eliminate Face Analysis Tools in Push for ‘Responsible A.I.’
For years, activists and academics have been raising concerns that facial analysis software that claims to be able to identify a person’s age, gender and emotional state can be biased, unreliable or invasive — and shouldn’t be sold.
BRATA is evolving into an Advanced Persistent Threat
Here we go with another episode about our (not so) old friend, BRATA. In almost one year, threat actors (TAs) have further improved the capabilities of this malware. In our previous blog post [1] we defined three main BRATA variants, which appeared during two different waves detected by our telemetries at the very end of 2021. However, during the last months we have observed a change in the attack pattern commonly used.
ASyncRat surpasses Dridex, TrickBot and Emotet to become dominant email threat
Earlier this year Malwarebytes released its 2022 Threat Review, a review of the most important threats and cybersecurity trends of 2021, and what they could mean for 2022. Among other things it covers the year’s alarming rebound in malware detections, and a significant shift in the balance of email threats.
A closer look at Eternity Malware
In this analysis, Cyble looks at the Eternity Malware suite, listing a wide variety of malware for sale on Telegram.
Analyzing a Pirrit adware installer
While Windows holds the largest market share on malware, macOS has its fair share of threats that mostly exist in an adware/grayware area. In this post I want to walk through how a Pirrit PKG file installer works. There are lots of more complex threats, but this is a good place to start if you’re just jumping into analysis. If you want to follow along at home, I’m working with this file in MalwareBazaar: https://bazaar.abuse.ch/sample/d39426dbceb54bba51587242f8101184df43cc23af7dc7b364ca2327e28e7825/.
Google Online Security Blog: The Package Analysis Project: Scalable detection of malicious open source packages
Despite open source software’s essential role in all software built today, it’s far too easy for bad actors to circulate malicious packages that attack the systems and users running that software. Unlike mobile app stores that can scan for and reject malicious contributions, package repositories have limited resources to review the thousands of daily updates and must maintain an open model where anyone can freely contribute. As a result, malicious packages like ua-parser-js, and node-ipc are regularly uploaded to popular repositories despite their best efforts, with sometimes devastating consequences for users.
Introducing Package Analysis: Scanning open source packages for malicious behavior
Today we’re pleased to announce the initial prototype version of the Package Analysis project, an OpenSSF project addressing the challenge of identifying malicious packages in popular open source repositories. In just one month of analysis, the project identified more than 200 malicious packages uploaded to PyPI and npm.
AcidRain | A Modem Wiper Rains Down on Europe
As the most impactful cyber attack of the Ukrainian invasion gets downplayed, SentinelLabs uncovers a more plausible explanation.
Complete dissection of an APK with a suspicious C2 Server
During our analysis of the Penquin-related infrastructure we reported in our previous post, we paid special attention to the malicious binaries contacting these IP addresses, since as we showed in the analysis, they had been used as C2 of other threats used by Turla.