AXLocker, Octocrypt, and Alice: Leading a new wave of Ransomware Campaigns
Cyble analyzes a new wave of ransomware attacks being led by AXLocker, Octocrypt, and Alice ransomware and how they target Discord tokens.
New RapperBot Campaign – We Know What You Bruting for this Time
FortiGuard Labs provides an analysis on RapperBot focusing on comparing samples for different campaigns, including one aiming to launch Distributed Denial of Service (DDoS) attacks. Read our blog to learn more about the differences observed in this campaign vs previous RapperBot and similar campaigns in the past.
BumbleBee Zeros in on Meterpreter
In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector from a Contact Forms campaign. We have previously reported on two BumbleBee intrusions (1, 2), and this report is a continuation of a series of reports uncovering multiple TTPs seen by BumbleBee post exploitation operators. The intrusion began with the delivery of an ISO file that contained an LNK and a DLL. The threat actors leveraged BumbleBee to load a Meterpreter agent and Cobalt Strike Beacons. They then performed reconnaissance, used two different UAC bypass techniques, dumped credentials, escalated privileges using a ZeroLogon exploit, and moved laterally through the environment.
Exploring ZIP Mark-of-the-Web Bypass Vulnerability (CVE-2022-41049)
Windows ZIP extraction bug (CVE-2022-41049) lets attackers craft ZIP files, which evade warnings on attempts to execute packaged files, even if ZIP file was downloaded from the Internet.
PNG Steganography Hides Backdoor
Our deep analysis of the Worok toolset (previously described by ESET Research) reveals the final stage, hidden in a PNG file, that steals data and provides a multifunctional backdoor using the DropBox repository and API.
![Massive ois[.]is Black Hat Redirect Malware Campaign](https://rdl.ink/render/https%3A%2F%2Fblog.sucuri.net%2Fwp-content%2Fuploads%2F2022%2F11%2FBlogPost_Feature-Image_1490x700_PHP-Login-Stealer.png?width=92&height=&ar=&mode=&format=avif&dpr=2)
Massive ois[.]is Black Hat Redirect Malware Campaign
Learn how attackers are redirecting WordPress website visitors to fake Q&A sites via ois[.]is. Nearly 15,000 websites affected by this malware so far.
The Case of Cloud9 Chrome Botnet
The Zimperium zLabs team recently discovered a malicious browser extension, originally called Cloud9, which not only steals the information available during the browser session but can also install malware on a user's device and subsequently assume control of the entire device. In this blog, we will take a deeper look into this malicious browser extension.
Analysis of a Remote Code Execution (RCE) Vulnerability in Cobalt Strike 4.7.1
Command & Control (C2) frameworks are a very sensitive component of Red Team operations. Often, a Red Team will be in a highly privileged position on a target’s network, and a compromise of the C2 framework could lead to a compromise of both the red team operator’s system and control over beacons established on a target’s systems. As such, vulnerabilities in C2 frameworks are high priority targets for threat actors and Counterintelligence (CI) operations. On September 20, 2022, HelpSystems published an out-of-band patch for Cobalt Strike which stated that there was potential for Remote Code Execution (RCE).
Reverse Engineering the Apple MultiPeer Connectivity Framework
Some time ago I was using Logic Pro to record some of my music and I needed a way to start and stop the recording from an iPhone, so I found about Logic Remote and was quite happy with it.
Archive Sidestepping: Emotet Botnet Pushing Self-Unlocking Password-Protected RAR
Trustwave SpiderLabs’ spam traps have identified an increase in threats packaged in password-protected archives with about 96% of these being spammed by the Emotet Botnet. In the first half of 2022, we identified password-protected ZIP files as the third most popular archive format used by cybercriminals to conceal malware.
APT27 - One Year To Exfiltrate Them All: Intrusion In-Depth Analysis
During Spring 2022, a company discovered that one of their equipments was communicating with a known command and control server. As a result, the company decided to contact CERT Intrinsec in order to get help to handle the security breach and manage the crisis. CERT Intrinsec gathered information about malicious activities that were discovered on victim’s information system, and past incidents. Our in-depth analysis led us to conclude that an advanced persistent threat dubbed APT27 (a.k.a LuckyMouse, EmissaryPanda) actually compromised the company’s internal network for more than a year by exploiting a public facing application. Our analysis showed that the threat actor managed to compromise five different domains and to gain persistence on many equipments while trying to hide in plain sight. Besides, APT27 operators collected technical and business-related informations and exfiltrate almost three terabytes of data. As investigations went on, we observed tactics, techniques and procedures that had already been documented in papers, but we discovered new ones as well. CERT Intrinsec wanted to share with the community fresh and actionnable threat-intelligence related to APT27. That is why this report presents a timeline of actions taken by the attackers and the tactics, techniques and procedures seen during our incident response. It provides as well a MITRE ATT&CK diagram and several recommendations to follow if you came across such incident, and to prevent them.
Cyble Phishing ERMAC Android Malware Increasingly Active
CRIL Investigates the resurgence of ERMAC Android Malware as an increasing number of users are falling prey to their phishing attacks.
Technical Analysis of BlueSky Ransomware - CloudSEK
BlueSky Ransomware is a modern malware using advanced techniques to evade security defences. It predominantly targets Windows hosts and utilizes the Windows multithreading model for fast encryption.
New PHP Variant of Ducktail Infostealer Targeting Facebook Business Accounts
ThreatLabz has discovered, hiding in app stores, a PHP variant of the Ducktail infostealer used to hijack Facebook Business accounts.
Fake Ransomware Infection Under widespread
Cyble Research and Intelligence Labs analyzes Fake ransomware, a destructive malware capable of wiping out system drives.
MAR-10365227-3.v1 China Chopper Webshells
CISA analyzed 15 files associated with China Chopper malware. The files are modified Offline Address Book (OAB) Virtual Directory (VD) configuration files for Microsoft Exchange servers. The files have been modified with a variant of the China Chopper webshell. The webshells allow an attacker to remotely access the server and execute arbitrary code on the system(s).referenced in this bulletin or otherwise.
MAR-10365227-2.v1 HyperBro
CISA analyzed 4 files associated with HyperBro malware. The files creates a backdoor program that is capable of uploading and downloading files to and from the system. The RAT is also capable of logging keystrokes and executing commands on the system.
Bumblebee: increasing its capacity and evolving its TTPs
The spring of 2022 saw a spike in activity of Bumblebee loader, a recent threat that has garnered a lot of attention due to its many links to several well-known malware families.
MAR-10400779-1.v1 – Zimbra 1
CISA received seven files for analysis. Six Java Server Pages (JSP) webshells and a Bourne Again SHell (bash) file. Five JSP webshell files are designed to parse inbound requests for commands for execution, download files, and upload files. One JSP webshell file contains a form with input fields that prompts the attacker to enter the command in the input box and click "run" to execute. The command output will be displayed in a JSP page. The bash file is designed to perform ldapsearch queries and store the output into a newly created directory.
In the footsteps of the Fancy Bear: PowerPoint mouse-over event abused to deliver Graphite implants
Analysis of APT28/Fancy Bear PowerPoint mouse-over campaign
GRU: Rise of the (Telegram) MinIOns
Multiple self-proclaimed hacktivist groups are conducting attacks in support of Russian interests.
Domain Shadowing: A Stealthy Use of DNS Compromise for Cybercrime
Domain shadowing is a special case of DNS hijacking where attackers stealthily create malicious subdomains under compromised domain names.
Azure Cloud Shell Command Injection Stealing User’s Access Tokens
This post describes how I took over an Azure Cloud Shell trusted domain and leveraged it to inject and execute commands in other users’ terminals.
Threat Alert: New Malware in the Cloud By TeamTNT
Could TeamTNT be back? Our honeypots were attacked by malware that bears a resemblance to these threat actors and we analyze the possible connection.
The Evolution of the Chromeloader Malware - VMware Security Blog - VMware
The VMware Carbon Black MDR team goes in depth on the latest variants of the Chromeloader malware and how to detect them.
Six months into Breached: The legacy of RaidForums?
On March 14, 2022, a new English-language cybercrime forum called Breached (also known as BreachForums) launched, as a response to the closure and seizure of the popular RaidForums. Breached was launched with the same design by the threat actor “pompompurin” as “an alternative to RaidForums,” offering large-scale database leaks, login credentials, adult content, and hacking tools.
Credential Gathering From Third-Party Software
Users often store passwords in third-party software for convenience – but credential gathering techniques can target this behavior.
Malvertising on Microsoft Edge's News Feed pushes tech support scams
We uncovered a campaign on the Microsoft Edge home page where malicious ads are luring victims into tech support scams.
Bumblebee Returns with New Infection Technique
Delivers Payload Using Post Exploitation Framework During our routine threat-hunting exercise, Cyble Research & Intelligence Labs (CRIL) came across a Twitter post wherein a researcher mentioned an interesting infection chain of the Bumblebee loader malware being distributed via spam campaigns. Bumblebee is a replacement for the BazarLoader malware, which acts as a downloader and delivers known attack frameworks and open-source tools such as Cobalt Strike, Shellcode, Sliver, Meterpreter, etc. It also downloads other types of malware such as ransomware, trojans, etc.
Dead or Alive? An Emotet Story
In this intrusion from May 2022, we observed a domain-wide compromise that started from a malware ridden Excel document containing the never-dying malware, Emotet. The post-exploitation started ver…