A Noteworthy Threat: How Cybercriminals are Abusing OneNote
Threat actors are taking advantage of Microsoft OneNote's ability to embed files and use social engineering techniques, such as phishing emails and lures inside the OneNote document, to get unsuspecting users to download and open malicious files.
Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting
We detail the update that advanced persistent threat (APT) group Iron Tiger made on the custom malware family SysUpdate. In this version, we also found components that enable the malware to compromise Linux systems.
Lumma Stealer targets YouTubers via Spear-phishing Email | by S2W | S2W BLOG | Feb, 2023 | Medium
Lumma Stealer sellers use the name “LummaC” on an underground forum called XSS, which is based in Russia. The seller has been actively promoting the malware since April 2022. In August of that year…
PureCrypter targets government entities through Discord - Blog | Menlo Security
Menlo Labs has uncovered an unknown threat actor leveraging an evasive threat campaign distributed via Discord featuring the PureCrypter downloader and targeting government entities.
TA569 leverages many types of injections, traffic distribution systems (TDS), and payloads including, but not limited to, SocGholish. * In addition to serving as an initial access broker, these additional injects imply TA569 may be running a pay-per-install (PPI) service * TA569 may remove injections from compromised websites only to later re-add them to the same websites. * There are multiple opportunities for defense against TA569: educating users about the activity, using Proofpoint’s Emerging Threats ruleset to block the payload domains, and blocking .js files from executing in anything but a text editor.
ThreatLabz observed a new campaign targeting a Government organization in which the threat actors utilized a new Command & Control (C2) framework named Havoc
On 02 February 2023, an alert triggered in a Huntress-protected environment. At first glance, the alert itself was fairly generic - a combination of certutil using the urlcache flag to retrieve a remote resource and follow-on scheduled task creation - but further analysis revealed a more interesting set of circumstances. By investigating the event in question and pursuing root cause analysis (RCA), Huntress was able to link this intrusion to a recently-announced vulnerability as well as to a long-running post-exploitation framework linked to prominent ransomware groups.
Sliver Malware With BYOVD Distributed Through Sunlogin Vulnerability Exploitations - ASEC BLOG
Sliver is an open-source penetration testing tool developed in the Go programming language. Cobalt Strike and Metasploit are major examples of penetration testing tools used by many threat actors, and various attack cases involving these tools have been covered here on the ASEC blog. Recently, there have been cases of threat actors using Sliver in addition to Cobalt Strike and Metasploit. The ASEC (AhnLab Security Emergency response Center) analysis team is monitoring attacks against systems with either unpatched vulnerabilities or misconfigured settings. During this process, we have recently discovered a Sliver backdoor being installed through what is presumed to be vulnerability exploitation on certain software. Not only did threat actors use the Sliver backdoor, but they also used the BYOVD (Bring Your Own Vulnerable Driver) malware to incapacitate security products and install reverse shells.
Malware-Traffic-Analysis.net - 2023-02-03 - DEV-0569 activity: Google ad -- FakeBat Loader -- Redline Stealer & Gozi/ISFB/Ursnif
NOTES: Zip files are password-protected. If you don't know the password, see the "about" page of this website. IOCs are listed on this page below all of the images.
The Titan Stealer: Notorious Telegram Malware Campaign
The Uptycs threat research team discovered a Titan stealer malware campaign, which is marketed and sold by a threat actor (TA) through a Telegram channel.
While tracking some prevalent commodity malware threat actors, Talos observed the popularization of malicious LNK files as their initial access method to download and execute payloads. A closer look at the LNK files illustrates how their metadata could be used to identify and track new campaigns.
Darth Vidar: The Dark Side of Evolving Threat Infrastructure
Summary Three key takeaways from our analysis of Vidar infrastructure: Russian VPN gateways are potentially providing anonymity for Vidar operators / customers, making it more challenging for analysts to have a complete overview of this threat. These gateways now appear to be migrating to Tor. Vidar operators appear to be expanding their infrastructure, so analysts need to keep them in their sights. We expect a new wave of customers and as a result, an increase of campaigns in the upcoming weeks
We discuss the Batloader malware campaigns we observed in the last quarter of 2022, including our analysis of Water Minyades-related events (This is the intrusion set we track behind the creation of Batloader).
New CatB Ransomware Employs 2-Year Old DLL Hijacking Technique To Evade Detection
We recently discovered ransomware, which performs MSDTC service DLL Hijacking to silently execute its payload. We have named this ransomware CatB, based on the contact email that the ransomware group uses. The sample was first uploaded to VT on November 23, 2022 and tagged by the VT community as a possible variant of the Pandora Ransomware. The assumed connection to the Pandora Ransomware was due to some similarities between the CatB and Pandora ransom notes. However, the similarities pretty much end there. The CatB ransomware implements several anti-VM techniques to verify execution on a “real machine”, followed by a malicious DLL drop and DLL hijacking to evade detection.
The ASEC analysis team recently discovered that a Linux malware developed with Shc has been installing a CoinMiner. It is presumed that after successful authentication through a dictionary attack on inadequately managed Linux SSH servers, various malware were installed on the target system. Among those installed were the Shc downloader, XMRig CoinMiner installed through the former, and DDoS IRC Bot, developed with Perl.
New RisePro Stealer distributed by the prominent PrivateLoader
PrivateLoader is an active malware in the loader market, used by multiple threat actors to deliver various payloads, mainly information stealer. Since our previous investigation, we keep tracking the malware to map its ecosystem and delivered payloads. Starting from this tria.ge submission, we recognized a now familiar first payload, namely PrivateLoader. However, the dropped stealer was not part of our stealer growing collection, notably including RedLine or Raccoon. Eventually SEKOIA.IO realised it was a new undocumented stealer, known as RisePro. This article aims at presenting SEKOIA.IO RisePro information stealer analysis.
In this blog post we will dive into the latest Microsoft Exchange 0-day vulnerability, dubbed #ProxyNotShell, how it relates to other Exchange vulnerabilities and finally demonstrate how ProxyRelay can combined with ProxyNotShell, even with Extended Protection and IIS rewrite rules enabled.
Although Flash Player reached end of life for macOS in 2020, this has not stopped Shlayer operators from continuing to abuse it for malvertising campaigns.
L’art de l’évasion How Shlayer hides its configuration inside Apple proprietary DMG files
While conducting routine threat hunting for macOS malware on Ad networks, I stumbled upon an unusual Shlayer sample. Upon further analysis, it became clear that this variant was different from the known Shlayer variants such as OSX/Shlayer.D, OSX/Shlayer.E, or ZShlayer. We have dubbed it OSX/Shlayer.F.
Threat Spotlight: XLLing in Excel - threat actors using malicious add-ins
As more and more users adopt new versions of Microsoft Office, it is likely that threat actors will turn away from VBA-based malicious documents to other formats such as XLLs or rely on exploiting newly discovered vulnerabilities to launch malicious code.
Raspberry Robin Malware Targets Telecom, Governments
We found samples of the Raspberry Robin malware spreading in telecommunications and government office systems beginning September. The main payload itself is packed with more than 10 layers for obfuscation and is capable of delivering a fake payload once it detects sandboxing and security analytics tools.
An infostealer comes to town: Dissecting a highly evasive malware targeting Italy
Cluster25 researchers analyzed several campaigns (also publicly reported by CERT-AGID) that used phishing emails to spread an InfoStealer malware written in .NET through an infection chain that involves Windows Shortcut (LNK) files and Batch Scripts (BAT). Taking into account the used TTPs and extracted evidence, the attacks seem perpetrated by the same adversary (internally named AUI001).
