Found 228 bookmarks
Custom sorting
Flubot: the evolution of a notorious Android Banking Malware
Flubot: the evolution of a notorious Android Banking Malware
Flubot is an Android based malware that has been distributed in the past 1.5 years in Europe, Asia and Oceania affecting thousands of devices of mostly unsuspecting victims. Like the majority of Android banking malware, Flubot abuses Accessibility Permissions and Services in order to steal the victim’s credentials, by detecting when the official banking application is open to show a fake web injection, a phishing website similar to the login form of the banking application. An important part of the popularity of Flubot is due to the distribution strategy used in its campaigns, since it has been using the infected devices to send text messages, luring new victims into installing the malware from a fake website. In this article we detail its development over time and recent developments regarding its disappearance, including new features and distribution campaigns.
#foxit#EN#2022#Flubot#Android#Banking#Malware#evolution#research
·blog.fox-it.com·
Flubot: the evolution of a notorious Android Banking Malware
MuddyWater’s “light” first-stager targetting Middle East
MuddyWater’s “light” first-stager targetting Middle East
Since the last quarter of 2020 MuddyWater has mantained a “long-term” infection campaign targeting Middle East countries. We have gathered samples from November 2020 to January 2022, and due to the recent samples found, it seems that this campaign might still be currently active. The latest campaigns of the Muddy Water threat group, allegedly sponsored by the Iranian government and linked to the Iranian revolutionary guard (the main armed forces of the Iranian government), could be framed within the dynamics of maintaining Iran’s regional sovereignty.
#lab52#EN#2022#muddywaters#research#Middle-East
·lab52.io·
MuddyWater’s “light” first-stager targetting Middle East
Microsoft Diagnostic Tool "DogWalk" Package Path Traversal Gets Free Micropatches (0day/WontFix)
Microsoft Diagnostic Tool "DogWalk" Package Path Traversal Gets Free Micropatches (0day/WontFix)
With the "Follina" / CVE-2022-30190 0day still hot, i.e., still waiting for an official fix while apparently already getting exploited by nation-backed attackers, another related unfixed vulnerability in Microsoft's Diagnostic Tool (MSDT) bubbled to the surface. In January 2020, security researcher Imre Rad published an article titled "The trouble with Microsoft’s Troubleshooters," describing a method for having a malicious executable file being saved to user's Startup folder, where it would subsequently get executed upon user's next login. What the user has to do for this to happen is open a "diagcab" file...
#0patch#EN#2022#Follina#diagcab#CVE-2022-30190#0-day#0day#Diagnostic#research
·blog.0patch.com·
Microsoft Diagnostic Tool "DogWalk" Package Path Traversal Gets Free Micropatches (0day/WontFix)
Put an io_uring on it: Exploiting the Linux Kernel - Blog |
Put an io_uring on it: Exploiting the Linux Kernel - Blog |
At Grapl we believe that in order to build the best defensive system we need to deeply understand attacker behaviors. As part of that goal we're investing in offensive security research. Keep up with our blog for new research on high risk vulnerabilities, exploitation, and advanced threat tactics.
#Graplsecurity#en#2022#0-day#Linux#kernel#exploit#redteam#research
·graplsecurity.com·
Put an io_uring on it: Exploiting the Linux Kernel - Blog |
XLoader Botnet: Find Me If You Can
XLoader Botnet: Find Me If You Can
In July 2021, CPR released a series of three publications covering different aspects of how the Formbook and XLoader malware families function. We described how XLoader emerged in the Darknet community to fill the empty niche after Formbook sales were abruptly stopped by its author. We did a deep technical analysis followed by a description of XLoader for macOS along with common points and differences in how both malware families conceal the heart of the whole operation, the Command-and-Control (C&C) infrastructure. However, the world does not stand still, and this applies to the malware cyber-world as well.
#checkpoint#EN#2022#XLoader#malware#Research
·research.checkpoint.com·
XLoader Botnet: Find Me If You Can
Large-scale Analysis of DNS-based Tracking Evasion - broad data leaks included?
Large-scale Analysis of DNS-based Tracking Evasion - broad data leaks included?
User tracking technologies are ubiquitous on the web. In recent times web browsers try to fight abuses. This led to an arms race where new tracking and anti-tracking measures are being developed. The use of one of such evasion techniques, the CNAME cloaking technique is recently quickly gaining popularity. Our evidence indicates that the use of the CNAME scheme threatens web security and privacy systematically and in general
#lukaszolejnik#EN#2022#research#privacy#web-browser#web#w3c#consent#data-breach#gdpr#dns#cname#cloacking
·blog.lukaszolejnik.com·
Large-scale Analysis of DNS-based Tracking Evasion - broad data leaks included?
Multi-factor Authentication to Generate $27 Billion Globally for Mobile Operators in 2022, Juniper Research Study Finds
Multi-factor Authentication to Generate $27 Billion Globally for Mobile Operators in 2022, Juniper Research Study Finds
A new study by Juniper Research has found operators will generate $27 billion from the termination of SMS messages related to multi-factor authentication in 2022; an increase from $25 billion in 2021. The research predicts this 5% growth will be driven by increased pressure on digital service providers to offer secure authentication that reduces risk of data breaches and protects user identity. Multi-factor authentication combines multiple credentials to verify a user or transaction. This includes sending an SMS that contains a one‑time password or code to a user’s unique phone number.
#businesswire#Juniper#EN#2022#Multi-factor#MFA#SMS#Research#Study#Authentication#Mobile
·businesswire.com·
Multi-factor Authentication to Generate $27 Billion Globally for Mobile Operators in 2022, Juniper Research Study Finds
DEV-0537 criminal actor targeting organizations for data exfiltration and destruction
DEV-0537 criminal actor targeting organizations for data exfiltration and destruction
The activity we have observed has been attributed to a threat group that Microsoft tracks as DEV-0537, also known as LAPSUS$. DEV-0537 is known for using a pure extortion and destruction model without deploying ransomware payloads.
#microsoft#EN#2022#LAPSUS$#DEV-0537#extortion#research#activity#threat#group
·microsoft.com·
DEV-0537 criminal actor targeting organizations for data exfiltration and destruction
Gas Is Too Expensive; Let’s Make It Cheap!
Gas Is Too Expensive; Let’s Make It Cheap!
A search online lead me to a discovery I didn’t think was possible nowadays. I realized almost immediately that critical security issues were probably involved. I found that out of the many tens of thousands of gas stations the company claimed to have installed their product in, 1,000 are remotely hackable.
#Internet-of-Things#securelist#gas-station#EN#2022#shodan#IoT#research#hacking
·securelist.com·
Gas Is Too Expensive; Let’s Make It Cheap!
Raccoon Stealer: “Trash panda” abuses Telegram
Raccoon Stealer: “Trash panda” abuses Telegram
We recently came across a stealer, called Raccoon Stealer, a name given to it by its author. Raccoon Stealer uses the Telegram infrastructure to store and update actual C&C addresses.  Raccoon Stealer is a password stealer capable of stealing not just passwords, but various types of data, including: Cookies, saved logins and forms data from […]
#avast#stealer#EN#2022#RaccoonStealer#Telegram#research#malware#passwordstealer
·decoded.avast.io·
Raccoon Stealer: “Trash panda” abuses Telegram
Iranian linked conglomerate MuddyWater comprised of regionally focused subgroups
Iranian linked conglomerate MuddyWater comprised of regionally focused subgroups
Cisco Talos has observed new cyber attacks targeting Turkey and other Asian countries we believe with high confidence are from groups operating under the MuddyWater umbrella of APT groups. U.S. Cyber Command recently connected MuddyWater to Iran's Ministry of Intelligence and Security (MOIS).
#talosintelligence#Iranian#EN#2022#APT#research#MuddyWater#Turkey#SloughRAT#RAT
·blog.talosintelligence.com·
Iranian linked conglomerate MuddyWater comprised of regionally focused subgroups
Can You Trust a File’s Digital Signature? New Zloader Campaign exploits Microsoft’s Signature Verification putting users at risk
Can You Trust a File’s Digital Signature? New Zloader Campaign exploits Microsoft’s Signature Verification putting users at risk
Last seen in August 2021, Zloader, a banking malware designed to steal user credentials and private information, is back with a simple yet sophisticated infection chain. Previous Zloader campaigns, which were seen in 2020, used malicious documents, adult sites and Google ads to infect systems. Evidence of the new campaign was first seen around early November 2021. The techniques incorporated in the infection chain include the use of legitimate remote management software (RMM) to gain initial access to the target machine.
#checkpoint#EN#Zloader#Altera#Antik.Corp#research
·research.checkpoint.com·
Can You Trust a File’s Digital Signature? New Zloader Campaign exploits Microsoft’s Signature Verification putting users at risk
Rorschach – A New Sophisticated and Fast Ransomware
Rorschach – A New Sophisticated and Fast Ransomware
* Check Point Research (CPR) and Check Point Incident Response Team (CPIRT) encountered a previously unnamed ransomware strain, we dubbed Rorschach, deployed against a US-based company. Rorschach ransomware appears to be unique, sharing no overlaps that could easily attribute it to any known ransomware strain. In addition, it does not bear any kind of branding which is a common practice among ransomware groups. * The ransomware is partly autonomous, carrying out tasks that are usually manually performed during enterprise-wide ransomware deployment, such as creating a domain group policy (GPO). In the past, similar functionality was linked to LockBit 2.0. * The ransomware is highly customizable and contains technically unique features, such as the use of direct syscalls, rarely observed in ransomware. Moreover, due to different implementation methods, Rorschach is one of the fastest ransomware observed, by the speed of encryption. * The ransomware was deployed using DLL side-loading of a Cortex XDR Dump Service Tool, a signed commercial security product, a loading method which is not commonly used to load ransomware. The vulnerability was properly reported to Palo Alto Networks.
#checkpoint#research#EN#2023#Rorschach#ransomware#DLL#side-loading#Cortex#XDR
·research.checkpoint.com·
Rorschach – A New Sophisticated and Fast Ransomware