Tag: 2024-09-24

A threat actor is targeting transportation and logistics companies in North America with malware campaigns. The actor uses compromised email accounts to inject malicious content into existing conversations, making messages appear legitimate. Campaigns primarily deliver Lumma Stealer, StealC, NetSup…

The report discusses recent attacks by APT-C-00 (OceanLotus), a state-sponsored hacking group. It analyzes two types of loaders used in their 2024 campaigns: a double loader and a VMP-protected version. The double loader consists of two modules: an MSVC DLL for initial information gathering and a G…

This analysis examines the evolution of Kryptina, a ransomware-as-a-service platform, from a free tool on public forums to being actively used in enterprise attacks under the Mallox ransomware family. In May 2024, a Mallox affiliate leaked staging server data, revealing their Linux ransomware was b…

The RansomHub ransomware, attributed to a group tracked as Water Bakunawa, employs sophisticated anti-EDR techniques to evade security solutions. Its attack chain includes exploiting vulnerabilities like Zerologon, using EDRKillShifter to disable endpoint protection, and employing various evasion s…

A ransomware attack was observed in September 2024, targeting an endpoint with limited visibility. The threat actor used stolen Administrator credentials to enable RDP and deploy malicious executables. They installed a vulnerable driver, TrueSight RogueKiller Antirootkit, to disable security applic…

A malicious host mimicking ICICI Bank has been discovered, along with a fraudulent app disguised as ICICI Helpdesk. The phishing domain, cppcccare.com, is hosted on an ASN known for various malicious activities. The fraudulent app, named 'ICICI.apk', is detected as a Trojan Banker, Keylogger, and S…

A sophisticated infection chain dubbed ClickFix has been observed using fake CAPTCHA pages to distribute Lumma Stealer malware. The campaign targets multiple countries through two main vectors: cracked game download URLs and phishing emails impersonating GitHub. Users are tricked into executing mal…

MuddyWater, a threat group active since 2017, has been utilizing various Remote Monitoring and Management (RMM) software for attacks, particularly in the Middle East. Their tactics include spear-phishing emails with malicious attachments or links, leading to the installation of RMM tools like Atera…

A new version of the Necro Trojan has infected various popular applications, including game mods and apps on Google Play, potentially affecting over 11 million Android devices. The multi-stage loader uses steganography to hide payloads and obfuscation to evade detection. Its modular architecture al…

A novel version of the RomCom malware family called SnipBot has been discovered, revealing post-infection activity from attackers on victim systems. This new strain employs new tricks and unique code obfuscation methods beyond those seen in previous RomCom versions. The infection chain begins with …