Threat Reports

95 bookmarks
A Dive into Earth Baku’s Latest Campaign
Since late 2022, Earth Baku has broadened its scope from the Indo-Pacific region to Europe, the Middle East, and Africa. Their latest operations demonstrate sophisticated techniques, such as exploiting public-facing applications like IIS servers for initial access and deploying the Godzilla webshell for command and control.
·trendmicro.com·
DodgeBox | ThreatLabz
Part 1 | ThreatLabz uncovers new tooling from APT41 including DodgeBox, which uses advanced evasion techniques to deploy the MoonWalk backdoor that leverages Google Drive
·zscaler.com·
New Diamorphine rootkit variant seen undetected in the wild - Avast Threat Labs
Code reuse is very frequent in malware, especially for those parts of a sample that are complex to develop or hard to rewrite in an essentially different way. By tracking both source code and object code, we efficiently detect new malware and track the evolution of existing malware in the wild. Diamorphine is a well-known […]
·decoded.avast.io·
Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks | Microsoft Security Blog
Microsoft has identified a new North Korean threat actor, now tracked as Moonstone Sleet (formerly Storm-1789), that combines many tried-and-true techniques used by other North Korean threat actors with unique attack methodologies to target companies for its financial and cyberespionage objectives.
·microsoft.com·
LilacSquid: The stealthy trilogy of PurpleInk, InkBox and InkLoader
By Anna Bennett, Nicole Hoffman, Asheer Malhotra, Sean Taylor and Brandon White.
* Cisco Talos is disclosing a new suspected data theft campaign, active since at least 2021, which we attribute to an advanced persistent threat actor (APT) we’re calling “LilacSquid.”
* LilacSquid’s victimology includes a diverse set of victims consisting
·blog.talosintelligence.com·
Unveiling Earth Kapre aka RedCurl’s Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence
This blog entry will examine Trend Micro MDR team's investigation that successfully uncovered the intrusion sets employed by Earth Kapre in a recent incident, as well as how the team leveraged threat intelligence to attribute the extracted evidence to the cyberespionage threat group.
·trendmicro.com·
New details on TinyTurla’s post-compromise activity reveal full kill chain
We now have new information on the entire kill chain this actor uses, including the tactics, techniques and procedures (TTPs) utilized to steal valuable information from their victims and propagate through their infected enterprises.
·blog.talosintelligence.com·
Lazarus and the FudModule Rootkit: Beyond BYOVD with an Admin-to-Kernel Zero-Day - Avast Threat Labs
The Lazarus Group is back with an upgraded variant of their FudModule rootkit, this time enabled by a zero-day admin-to-kernel vulnerability, CVE-2024-21338. Read this blog for a detailed analysis of this rootkit variant and learn more about several new techniques, including a handle table entry manipulation technique that directly targets Microsoft Defender, CrowdStrike Falcon, and HitmanPro.
·decoded.avast.io·
WatchTower End of Year Report 2023
In this year-end edition of the WatchTower Digest, we discuss the threats we observed in 2023 and look ahead to the 2024 threat landscape.
·sentinelone.com·
Raspberry Robin Keeps Riding the Wave of Endless 1-Days - Check Point Research
Raspberry Robin is a widely distributed worm first reported by Red Canary in 2021. Its capabilities and evasions, in addition to its very active distribution, make it one of the most intriguing malware families out there. We at Check Point Research published an article a couple of months ago using Raspberry Robin as an example […]
·research.checkpoint.com·
Fileless Revenge RAT Malware - ASEC BLOG
AhnLab SEcurity intelligence Center (ASEC) recently discovered the distribution of Revenge RAT malware that had been developed based on legitimate tools. It appears that the attackers have used tools such as ‘smtp-validator’ and ‘Email To Sms’. At the time of execution, the malware creates and runs both a legitimate tool and a malicious file, making it difficult for users to realize that malicious activity has occurred. As shown in the code below, the threat actor creates and runs Setup.exe (the malicious file) before executing smtp-verifier.exe (the legitimate tool). The created file’s attribute is changed to ‘Hidden’, so it is hidden in a typical Windows Explorer environment. The figure below shows the overall flow of the malicious activities that follow afterward. Many files...
·asec.ahnlab.com·
The Endless Struggle Against APT10: Insights from LODEINFO v0.6.6 - v0.7.3 Analysis - Researcher Blog - ITOCHU Cyber & Intelligence Inc.
Contents: What is the LODEINFO malware? / Analysis of LODEINFO / The infection flow / Update of the Downloader Shellcode / Remote Template Injection Maldoc / VBA code embedded in M…
·blog-en.itochuci.co.jp·
New TTPs observed in Mint Sandstorm campaign targeting high-profile individuals at universities and research orgs | Microsoft Security Blog
Since November 2023, Microsoft has observed a distinct subset of Mint Sandstorm (PHOSPHORUS) targeting high-profile individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the United Kingdom, and the United States. In this campaign, the threat actor used bespoke phishing lures in an attempt to socially engineer targets into downloading malicious files.
·microsoft.com·
Bert-JanP/Open-Source-Threat-Intel-Feeds: This repository contains Open Source freely usable Threat Intel feeds that can be used without additional requirements. Contains multiple types such as IP, URL, CVE and Hash.
This repository contains Open Source freely usable Threat Intel feeds that can be used without additional requirements. Contains multiple types such as IP, URL, CVE and Hash. - GitHub - Bert-JanP/O...
·github.com·