Tag: 2024-05-04

13 Attack Reports | 13 Vulnerabilities

Attack reports

Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part Four

This comprehensive analysis provides a thorough examination of the REMCOS Remote Access Trojan (RAT), a prominent malware threat that gained significant prevalence in 2024. The analysis delves into the malware's configuration structure, command and control capabilities, persistence mechanisms, and …
rat
evasion
persistence
remcos
2024-05-04
2024-05-05
2024-05-06
2024-05-07
2024-05-08
credential theft
remote access
2024-05-09
Published: May 9, 2024
Downloadable IOCs: 34

Surge of JavaScript Malware in sites with vulnerable versions of LiteSpeed Cache Plugin

A recent surge of malicious JavaScript code has been observed targeting websites using vulnerable versions of the LiteSpeed Cache plugin for WordPress. The malware injects code into critical WordPress files or the database, creating unauthorized admin users like 'wpsupp-user.' It exploits the vulne…
vulnerability
javascript
2024-05-04
2024-05-05
2024-05-06
2024-05-07
2024-05-08
wordpress
litespeed
plugin
2024-05-09
Published: May 9, 2024
Downloadable IOCs: 6

Tracking the Surge in Non-PE Cyber Threats

This intelligence report details a sophisticated infection chain that culminates in the deployment of AsyncRAT, a potent malware designed to breach computer systems and steal confidential data. The meticulous analysis unravels the intricate sequence, commencing with a spam email containing a malici…
2024-05-04
2024-05-05
2024-05-06
2024-05-07
2024-05-08
asyncrat
analysis
spam
infection chain
2024-05-09
Published: May 9, 2024
Downloadable IOCs: 13

APT28 campaign against Polish government institutions

The CERT Polska team is investigating a large-scale malware campaign carried out by the Russian intelligence group APT28, which has been targeting Polish government institutions in the past year and is believed to be linked to the GRU.
phishing
apt28
russia
2024-05-03
2024-05-04
2024-05-05
2024-05-06
2024-05-07
2024-05-08
government
microsoft edge
webhook
bat script
mocky
headlace
poland
campaign
Published: May 8, 2024
Downloadable IOCs: 74

Guntior - the story of an advanced bootkit that doesn't rely on Windows disk drivers

Amid the rise of bootkits at the time, a dropper was captured in-the-wild and posted on a malware tracker. The malware was called "Guntior", named after the device object its authors had chosen for it (\Device\Guntior). The name also appears in AV detections.
rootkit
windows
2024-05-03
2024-05-04
2024-05-05
2024-05-06
2024-05-07
2024-05-08
explorer
dll path
ntfs
payload dll
ime file
ioctl
ata bus
tdl4
rovnix
mebroot
tidserv
findwindow
mbr
guntior
Published: May 8, 2024
Downloadable IOCs: 6

Code Emulation and Cybercrime Infrastructure Discovery

This report details the analysis of a malspam campaign utilizing the Matanbuchus loader, which involved decrypting strings within the malware through emulation techniques. The investigation pivoted to uncover a Russian bulletproof hosting service, Proton66 OOO, that currently hosts various maliciou…
loader
ransomware
stealer
2024-05-03
2024-05-04
2024-05-05
2024-05-06
2024-05-07
2024-05-08
socgholish
matanbuchus
emulation
bulletproof
Published: May 8, 2024
Downloadable IOCs: 76

Stealer Distributed via Crafted Minecraft Source Pack

This report details the operation of the zEus stealer malware, which is distributed through a crafted Minecraft source pack. The malware collects sensitive information from victims' systems, including login credentials, browser data, and cryptocurrency wallets. It employs anti-analysis techniques a…
stealer
persistence
anti-analysis
2024-05-03
2024-05-04
2024-05-05
2024-05-06
2024-05-07
2024-05-08
screenshots
zeus panda
minecraft
Published: May 8, 2024
Downloadable IOCs: 23

Case of Malware Distribution Linking to Illegal Gambling Website Targeting Korean Web Server

This report examines a malware strain distributed to web servers in South Korea that redirects users to an illegal gambling site. The threat actor installed a Meterpreter backdoor, a port forwarding tool, and an IIS module malware on a compromised web server. The IIS module inspects HTTP headers an…
korea
2024-05-03
2024-05-04
2024-05-05
2024-05-06
2024-05-07
2024-05-08
meterpreter
webserver
iismodulemalware
gamblingredirect
Published: May 8, 2024
Downloadable IOCs: 8

RemcosRAT Distributed Using Steganography

Security researchers have discovered a campaign distributing RemcosRAT through a sophisticated infection chain involving steganography techniques. The attack starts with a malicious Word document exploiting template injection, leading to the download of an RTF file that leverages an equation editor…
obfuscation
2024-05-03
2024-05-04
2024-05-05
2024-05-06
2024-05-07
2024-05-08
steganography
remcosrat
process-hollowing
malicious-documents
Published: May 8, 2024
Downloadable IOCs: 4

HijackLoader Updates

HijackLoader, also known as IDAT Loader, is a modular malware loader capable of executing multiple payloads. It utilizes a variety of modules for code injection, execution, and evasion techniques. This report analyzes the updated version of HijackLoader, which includes new modules for bypassing Win…
rat
evasion
rhadamanthys
stealer
remcos
2024-05-03
2024-05-04
2024-05-05
2024-05-06
2024-05-07
amadey
lumma stealer
injection
modular
racoon stealer v2
malware loader
meta stealer
Published: May 7, 2024
Downloadable IOCs: 11

LNK File Disguised as Certificate Distributing RokRAT Malware

This analysis delves into the continuous distribution of malicious shortcut files (*.LNK) targeting South Korean users, particularly those related to North Korea. These LNK files contain legitimate documents, script code, and encoded malware data. When executed, they create and run a document file …
backdoor
lnk
rokrat
2024-05-03
2024-05-04
2024-05-05
2024-05-06
2024-05-07
Published: May 7, 2024
Downloadable IOCs: 4

New Pakistan-based Cyber Espionage Group’s Year-Long Campaign Targeting Indian Defense Forces with Android Malware

CYFIRMA researchers identified an Android malware campaign, active for over a year, targeting Indian defense personnel by an unidentified Pakistan-based cyber espionage group. The threat actor utilized Spynote or a modified version called Craxs Rat, obfuscating the app with high complexity. Through…
malware
espionage
android
pakistan
2024-05-03
2024-05-04
2024-05-05
2024-05-06
india
spynote
defense
craxs rat
Published: May 6, 2024
Downloadable IOCs: 3

Smart-sex-toy users targeted by clicker trojan

Virus analysts at Doctor Web uncovered an Android application containing a clicker trojan that silently opens advertising sites and clicks on webpages. Such trojans can be used to stealthily display ads, generate click fraud, sign up unsuspecting victims for paid subscriptions or launch DDoS attack…
2024-05-03
2024-05-04
2024-05-05
2024-05-06
clicker trojan
Published: May 6, 2024
Downloadable IOCs: 13
Click here to see more Attack Reports

Vulnerabilities

CVE-2024-3240

8.8
    ConvertPlug plugin for WordPress
Published: May 4, 2024

CVE-2024-3868

5.4
    Folders Pro plugin for WordPress
Published: May 4, 2024

CVE-2024-3237

5.4
    ConvertPlug plugin for WordPress
Published: May 4, 2024

CVE-2023-7065

5.4
    Stop Spammers Security | Block Spam Users, Comments, Forms plugin for WordPress
Published: May 4, 2024

CVE-2023-27283

5.3
    IBM Aspera Orchestrator
Published: May 4, 2024

CVE-2024-1050

4.3
    WordPress Import and export users and customers plugin
Published: May 4, 2024

CVE-2024-34460

None
    Zenario
Published: May 4, 2024

CVE-2024-34461

None
    Zenario
Published: May 4, 2024

CVE-2024-34462

None
    Alinto SOGo
Published: May 4, 2024

CVE-2024-34467

None
    ThinkPHP
Published: May 4, 2024

CVE-2024-34468

None
    Rukovoditel
Published: May 4, 2024

CVE-2024-34469

None
    Rukovoditel
Published: May 4, 2024

CVE-2023-52729

None
    SimpleNetwork
Published: May 4, 2024
Click here to see more Vulnerabilities