Tag: 2024-05-10

18 Attack Reports | 0 Vulnerabilities

Attack reports

Ebury is alive but unseen: 400k Linux servers compromised for cryptotheft and financial gain

The Ebury malware gang is continuing to expand, with hundreds of thousands of servers compromised and used to steal cryptocurrency and credit card data, according to a paper published by ESET Research on 14 May 2024.
linux
bitcoin
2024-05-15
2024-05-10
apache
ebury
windigo
apachemodule
Published: May 15, 2024
Downloadable IOCs: 141

The Overlapping Cyber Strategies Of Transparent Tribe And SideCopy Against India

CRIL's analysis revealed SideCopy APT group's sophisticated malware campaign, employing malicious LNK files and a complex infection chain involving HTAs and loader DLLs to deploy malware like ReverseRAT and Action RAT. SideCopy targets Indian universities and government entities, suggesting potenti…
malware
apt
rat
action rat
india
infection chain
2024-05-15
2024-05-10
reverserat
Published: May 15, 2024
Downloadable IOCs: 21

Ongoing Malvertising Campaign leads to Ransomware

Rapid7 detected an ongoing malware distribution campaign involving trojanized installers of WinSCP and PuTTY, delivered via malicious search engine ads. The infection chain employs DLL side-loading, credential access, and deploys Sliver beacons followed by Cobalt Strike. In one case, the threat act…
malware
ransomware
python
cobalt strike
2024-05-15
2024-05-10
msi package
winscp
sliver
putty
service
execution
localappdata
dropped
c2 address
sliver beacon
dnstwist
Published: May 15, 2024
Downloadable IOCs: 78

Mallox ranomware affiliate leverages PureCrypter in MS-SQL exploitation campaigns

A team from security firm Sekoia has observed a series of attacks targeting vulnerable assets, including MS-SQL, and Mallox ransomware, using techniques similar to that of the PureCrypter ransomware.
powershell
plugx
ransom
mallox
purecrypter
2024-05-09
2024-05-14
bitcoin
trigona
mssql
mssql server
maestro
as208091
mallox raas
unsafe
shutdown
clr sqlshell
sqlshell
xollam
link http
2024-05-10
Published: May 14, 2024
Downloadable IOCs: 10

PDF “Flawed Design” Exploitation

Check Point Research identified an unusual pattern involving PDF exploitation, mainly targeting users of Foxit Reader. This exploit triggers security warnings that could deceive users into executing harmful commands. The exploitation occurs through a flawed design in Foxit Reader, showing 'OK' as t…
malware
xworm
campaigns
remcos
asyncrat
2024-05-09
2024-05-14
njrat
dcrat
pdf
venomrat
exploitation
nanocore rat
pony
bladabindi
foxit
agent-tesla
njw0rm
lv
2024-05-10
Published: May 14, 2024
Downloadable IOCs: 40

Exploring the Depths of Multi-tiered Infrastructure

This report provides an in-depth analysis of SolarMarker, a highly persistent and evolving malware family. It delves into the malware's evolution since 2020, detailing its functionality, evasion tactics, and targeting strategies. The report also highlights the multi-tiered infrastructure supporting…
modular
2024-05-09
solarmarker
persistent
solarphantom
evasive
multi-tiered
information-stealing
2024-05-14
2024-05-10
Published: May 14, 2024
Downloadable IOCs: 45

Distribution of DanaBot Malware via Word Files Detected

This analysis examines the infection process of the DanaBot malware, distributed through sophisticated spam emails containing malicious Word documents. The documents leverage external links to download and execute macro files, which subsequently fetch and run the DanaBot payload. The infection chai…
malware
evasion
data theft
spam
2024-05-09
macros
danabot
2024-05-14
2024-05-10
Published: May 14, 2024
Downloadable IOCs: 0

Leveraging DNS Tunneling for Tracking and Scanning

This article presents a case study on new applications of domain name system (DNS) tunneling PaloAlto Unit42 have found in the wild. These techniques expand beyond DNS tunneling only for command and control (C2) and virtual private network (VPN) purposes.
exploit
cobalt strike
dns query
trojan
2024-05-08
oilrig
dns tunneling
dns traffic
trkcdn campaign
alliance
attack
2024-05-09
2024-05-10
2024-05-13
Published: May 13, 2024
Downloadable IOCs: 63

Security Brief: Millions of Messages Distribute LockBit Black Ransomware

In late April 2024, Proofpoint observed high-volume email campaigns facilitated by the Phorpiex botnet, distributing millions of messages with attachments leading to LockBit Black ransomware infections. The messages appeared to originate from 'Jenny Green' and contained ZIP attachments with executa…
ransomware
lockbit
botnet
2024-05-08
malspam
phorpiex
lockbit black
2024-05-09
2024-05-10
2024-05-13
Published: May 13, 2024
Downloadable IOCs: 16

GoTo Meeting loads RAT via Shellcode Loader

A malicious campaign has been discovered that exploits the legitimate GoTo Meeting online conferencing software to deploy the Remcos remote access trojan (RAT). The attack chain involves utilizing lures like porn downloads, software setup files, and tax forms with Russian and English file names. It…
rat
remcos
2024-05-08
dll sideloading
shellcode
rust
2024-05-09
2024-05-10
2024-05-13
Published: May 13, 2024
Downloadable IOCs: 17

Romance Scams Urging Investment

The report details an investigation into romance scams that exploit emotional connections to solicit money under the guise of cryptocurrency investments. Perpetrators pose as potential romantic partners or friends to gain trust and eventually introduce victims to fake cryptocurrency exchanges desig…
phishing
social engineering
impersonation
cryptocurrency
2024-05-08
scam
fraud
romance
2024-05-09
2024-05-10
2024-05-13
Published: May 13, 2024
Downloadable IOCs: 3

StopRansomware: Black Basta

This advisory details tactics, techniques, procedures and indicators of compromise related to Black Basta ransomware, a variant first identified in April 2022. Its affiliates have impacted over 500 organizations globally across multiple critical infrastructure sectors, including Healthcare and Publ…
phishing
ransomware
exfiltration
encryption
2024-05-08
qakbot
qbot
CVE-2020-1472
quackbot
pinkslipbot
CVE-2024-1709
healthcare
CVE-2021-34527
CVE-2021-42278
CVE-2021-42287
2024-05-09
2024-05-10
2024-05-13
Published: May 13, 2024
Linked vulnerabilities : CVE-2021-42287, CVE-2021-42278, CVE-2024-1709, CVE-2021-34527, CVE-2020-1472
Downloadable IOCs: 174

Threat Actors Hack YouTube Channels to Distribute Infostealers

This analysis reveals that malicious groups have been exploiting popular YouTube channels, including some with over 800,000 subscribers, to distribute various infostealer malware strains like Vidar and LummaC2. The attackers upload videos promoting cracked software with links to malicious payloads …
lummac2
malware distribution
2024-05-05
2024-05-06
2024-05-07
2024-05-08
vidar
youtube
infostealers
compromised accounts
2024-05-09
2024-05-10
Published: May 10, 2024
Downloadable IOCs: 13

Malware (XMRig, OrcusRAT, etc.) disguised as MS Office crack

The report details an ongoing malware campaign targeting South Korean users, which disguises malicious payloads as cracked versions of Microsoft Office and other popular software. The attackers are distributing a variety of malware, including downloaders, coin miners, remote access tools (RATs), pr…
obfuscation
rat
xmrig
persistence
2024-05-05
2024-05-06
2024-05-07
2024-05-08
purecrypter
cryptominer
3proxy
antiav
orcusrat
2024-05-09
2024-05-10
Published: May 10, 2024
Downloadable IOCs: 12

Protecting Networks from Opportunistic Ivanti Pulse Secure Vulnerability Exploitation

Juniper Threat Labs has observed attempts to exploit Ivanti Pulse Secure authentication bypass and remote code execution vulnerabilities (CVE-2023-46805 and CVE-2024-21887), leading to the delivery of Mirai botnet payloads. This analysis explores the vulnerabilities, exploitation methods, observed …
botnet
2024-05-05
2024-05-06
2024-05-07
2024-05-08
mirai
ivanti
CVE-2024-21887
CVE-2023-46805
2024-05-09
2024-05-10
Published: May 10, 2024
Linked vulnerabilities : CVE-2024-21887, CVE-2023-46805
Downloadable IOCs: 23

Profiling Trafficers: Cerberus

This analysis delves into the activities of a group of malware operators known as Cerberus (formerly Amnesia) Team, who specialize in spreading infostealers, particularly in the Commonwealth of Independent States (CIS) region. It provides insights into their operations, tactics, and the evolution o…
malware
infostealer
russia
2024-05-05
2024-05-06
2024-05-07
lumma stealer
2024-05-08
aurora stealer
redline
hacking
cybercrime
rhadamanthys stealer
casbaneiro
metamorfo
dracula stealer (samurai)
2024-05-09
2024-05-10
Published: May 10, 2024
Downloadable IOCs: 24

New Campaigns from Scattered Spider

Scattered Spider, a financially motivated threat actor group, has been conducting aggressive phishing campaigns targeting various industries, particularly the finance and insurance sectors. Their tactics involve creating convincing lookalike domains and login pages to lure victims into revealing cr…
phishing
social engineering
2024-05-05
2024-05-06
2024-05-07
2024-05-08
credential theft
telecom targeting
lookalike domains
2024-05-09
2024-05-10
Published: May 10, 2024
Linked vulnerabilities : CVE-2024-22024
Downloadable IOCs: 118

macOS Cuckoo Stealer | Ensuring Detection and Defense as New Samples Rapidly Emerge

This analysis discusses the emergence of a new macOS malware family called 'Cuckoo Stealer', which acts as an infostealer and spyware. It describes Cuckoo Stealer's main features, logic, and provides indicators of compromise to assist threat hunters and defenders. The malware employs techniques lik…
obfuscation
infostealer
persistence
macos
spyware
2024-05-05
2024-05-06
2024-05-07
2024-05-08
cuckoo stealer
2024-05-09
2024-05-10
Published: May 10, 2024
Downloadable IOCs: 4
Click here to see more Attack Reports