Tag: malware

A new malware campaign attributed to the Romanian-speaking Diicot threat group has been discovered targeting Linux systems. The campaign shows significant advancements compared to previous iterations, including modified UPX headers with corrupted checksums, advanced payload staging, and environment…

The BADBOX botnet, previously thought to be contained, has resurfaced with increased scope and sophistication. Recent findings reveal over 192,000 infected devices, including high-end Yandex 4K QLED Smart TVs and Hisense smartphones, expanding beyond the initially targeted off-brand Android devices…

A groundbreaking discovery has been made in the realm of cybersecurity: the first UEFI bootkit specifically targeting Linux systems. Named 'Bootkitty,' this proof-of-concept malware marks a significant evolution in stealthy and hard-to-remove bootkit threats. Although currently limited to certain U…

Researchers have discovered a new .NET-based information stealer called Glove Stealer that targets browser extensions and local software to steal sensitive data like cookies, passwords, and cryptocurrency wallets. It uses a novel technique to bypass Chrome's App-Bound encryption by exploiting the I…

Russian hackers, identified as UNC5812, are targeting the Ukrainian military through a sophisticated cyber operation. The attackers use a deceptive Telegram channel and website posing as a civil defense service to distribute malware for both Windows and Android devices. The Windows attack deploys P…

Security researchers have detected new attacks involving the Bumblebee malware loader, just four months after Europol disrupted its operations in Operation Endgame. The malware has resurfaced with updated tactics, using MSI files disguised as legitimate software installers to deliver its payload di…

A recent analysis reveals a new variant of the FASTCash malware, designed to compromise financial networks by manipulating payment transactions. Developed by threat actors potentially linked to North Korean hacking groups, this Linux version specifically targets Ubuntu 20.04 systems in ATMs. It int…

IBM X-Force observed Hive0147, a highly active threat group in Latin America, distributing a new Golang-based downloader named Picanha to deploy the Mekotio banking trojan. Picanha is a two-stage malware that uses advanced techniques like direct syscalls and supports multiple download URLs, reliabl…

This report investigates a watering hole attack on a U.S. apartment website that delivered malware by spoofing a fake browser update. The investigation uncovered dozens of other compromised websites from various industries like healthcare, retail, and consumer sites. The compromised sites loaded ma…

This analysis uncovers a novel malware distribution mechanism utilizing VBE scripts stored in archive files to spread various malware families, including AgentTesla, Remcos, Snake, and NjRat. It details the infection chain, which involves downloading encoded files from a command-and-control server,…

A newly identified variant of FASTCash "payment switch" malware specifically targets the Linux operating system, as well as Microsoft Windows, according to CISA and the Department of Homeland Security (DHS).

This report examines a campaign called 'ErrorFather' that utilizes an undetected variant of the Cerberus Android Banking Trojan. The campaign employed a sophisticated multi-stage dropper technique to deploy the malicious payload, which incorporated features like keylogging, overlay attacks, VNC, an…

The IMEEX framework is a newly discovered, custom-built malware targeting Windows systems. Delivered as a 64-bit DLL, it offers extensive control over compromised machines, featuring execution of additional modules, file manipulation, process management, registry modification, and remote command ex…

A new stealthy Linux malware called perfctl has been analyzed. The malware runs two processes: perfctl and a disguised process mimicking known Linux processes. It uses Tor for external communications and local sockets for inter-process communication. After 30 minutes, the attacker drops scripts to …

This report delves into the technical aspects of the NOOPDOOR and NOOPLDR malwares employed by the APT10 threat actor in the Cuckoo Spear campaign. The analysis reveals how these tools operate and the potential risks they pose, helping cybersecurity professionals better understand and defend agains…

Recent weeks have seen a resurgence of North Korean-aligned groups targeting developers through npm packages. The campaign, which began on August 12, 2024, involves multiple groups using various publication patterns and attack types. The malicious packages contain obfuscated JavaScript that downloa…

The report details targeted attacks observed by Jamf Threat Labs that align with FBI warnings about the Democratic People's Republic of Korea (DPRK) targeting individuals in the crypto industry through social engineering tactics for malware delivery. It outlines attack scenarios involving malicious…

This article provides an analysis of the Atomic Infostealer malware family, which has been targeting macOS users throughout 2024. It discusses the various evolving variants, such as Amos, Banshee, Cthulu, Poseidon, and RodrigoStealer, developed and distributed by competing threat actor groups. The …

This report provides an in-depth technical analysis of a new variant of the CryptBot infostealer, dubbed Yet Another Silly Stealer (YASS). It details the delivery chain, involving the MustardSandwich downloader, and dissects the YASS payload's functionalities, including its data gathering, encrypti…

Trend Micros discusses analysis of Earth Preta’s enhancements in their attacks by introducing new tools, malware variants and strategies to their worm-based attacks and their time-sensitive spear-phishing campaign.

This assessment evaluates several North Korean threat groups operating under the Reconnaissance General Bureau. It describes their organizational structure, objectives, and the diverse malware families employed in their recent campaigns targeting various industries worldwide. The analysis covers 10…

In August 2024, eSentire's Threat Response Unit observed a sophisticated attack involving LummaC2 stealer malware and a malicious Google Chrome browser extension. The attack leveraged DLL side-loading to execute a loader delivering the malware and a PowerShell script that installed the extension. T…

This analysis examines a newly identified threat dubbed 'Ailurophile Stealer,' a malware designed to compromise victims' systems by extracting sensitive browser data including stored credentials, cookies, and browsing history. The stealer utilizes various techniques like placing malicious files in …

Kaspersky researchers discovered a previously unknown Loki backdoor, utilized in a series of targeted attacks. Analysis revealed that Loki is a private version of an agent compatible with the open-source Mythic framework. The malware employs techniques like memory encryption, indirect system API ca…

Cybercriminals are employing a sophisticated two-stage malware campaign masquerading as the Palo Alto GlobalProtect tool to infiltrate systems in the Middle East region. The malware leverages a complex command-and-control infrastructure, involving newly registered domains designed to resemble legit…

The analysis delves into the Mekotio Trojan, a sophisticated malware that employs a PowerShell dropper to execute its payload. The dropper employs obfuscation techniques, such as custom XOR decryption, to conceal its operations. It collects system information, communicates with a command-and-contro…

This report discusses the latest updates to the Latrodectus malware, including a different string deobfuscation approach, a new C2 endpoint, and two new backdoor commands. It provides an in-depth analysis of the new version 1.4, focusing on the new features added or updated in this variant. The rep…

This intelligence report provides an in-depth analysis of a complex, multi-stage malware campaign called PEAKLIGHT. It details the infection chain, starting with movie lure ZIP files containing malicious LNK files that initiate a JavaScript dropper. This dropper then executes a PowerShell downloade…

Ukraine's government cybersecurity incident response team, CERT-UA, obtained information about the distribution of emails themed around prisoners of war, containing links to download an archive named 'spysok_kursk.zip'. This archive contained a CHM file with JavaScript code that launched an obfusca…

ESET researchers uncovered a crimeware campaign targeting bank customers in Czechia. The NGate Android malware can relay NFC data from victims' payment cards to attackers' devices, enabling unauthorized ATM withdrawals. It's the first time this capability has been observed in the wild. The campaign…

An analysis by Insikt Group revealed a significant surge in cyber threat activities from GreenCharlie, an Iran-linked group associated with Mint Sandstorm, Charming Kitten, and APT42. The group persistently targets US political and governmental entities through sophisticated phishing operations inv…

The Cyble Research and Intelligence Lab (CRIL) discovered a sophisticated phishing website mimicking Google Safety Centre, designed to trick users into downloading malware. The malware, compromising security and stealing sensitive information, drops two threats: Latrodectus, which maintains persist…

This report analyzes the D3F@ck Loader, a malware-as-a-service (MaaS) offering orchestrated by an individual going by the alias Sergei Panteleevich. The loader utilizes various evasion techniques, including the use of Extended Validation certificates, Inno Setup installers with custom Pascal script…

In July 2024, eSentire's Threat Response Unit observed a phishing attack leading to a 0bj3ctivity Stealer malware infection. The attack involved a malicious JavaScript file that retrieved and executed Ande Loader and the 0bj3ctivity Stealer. Ande Loader created persistence, downloaded additional pa…

Volexity detected and responded to multiple incidents involving systems infected with malware linked to StormBamboo, a threat actor known for compromising internet service providers (ISPs) and leveraging DNS poisoning to redirect software update traffic to attacker-controlled servers hosting malici…

This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group utilized a phishing lure disguised as an advertisement for a car sale to distribute the HeadLace backdoor malware, likely targeting diplomats. The lure expl…

The report provides in-depth details about the malware used by the threat actor MirrorFace in targeted attacks against Japanese organizations. It describes the NOOPDOOR malware's execution flow, obfuscation techniques, functionality, and the tactics, techniques, and procedures employed by the attac…

This analysis examines a recent malware campaign involving a dropper dubbed Gh0stGambit, which is employed to retrieve and execute encrypted payloads, specifically a variant of the notorious Gh0st Remote Access Trojan (RAT). The report details the multi-stage infection process, including the use of…

The report details a recent cyber attack campaign attributed to the APT-C-09 (Mozambique) threat group, which has historically targeted Pakistan and surrounding nations. The campaign employed a novel Golang malware payload and Quasar RAT to gather sensitive information. The analysis covers the tech…

F.A.C.C.T.'s Threat Intelligence analysts have investigated numerous cyberattacks by the TA558 group targeting enterprises, government institutions, and banks in Russia and Belarus. The attacks aimed to steal data and gain access to the organization's internal systems. TA558 used multi-stage phishi…

n April 2024, Securelist discovered a suspicious sample that appeared to be a new version of Mandrake. Ensuing analysis revealed as many as five Mandrake applications, which had been available on Google Play from 2022 to 2024 with more than 32,000 installs in total, while staying undetected by any …

This intelligence report discusses SocGholish, a JavaScript downloader used by threat actors to deliver malware payloads disguised as fake browser updates. It analyzes the recent tactics, techniques, and procedures employed by threat groups like Evil Corp in compromising WordPress websites, fingerp…

This report details a malicious campaign exploiting the CVE-2024-21412 vulnerability in Microsoft Windows SmartScreen to bypass security warnings and deliver malware. Attackers employ crafted links, LNK files, and HTA scripts to download decoy PDFs and shell code injectors, ultimately injecting ste…

ESET researchers discovered a vulnerability named EvilVideo that allows attackers to share malicious Android payloads disguised as video files through Telegram for Android. The exploit makes the malicious files appear as multimedia content, tricking users into installing malware. The vulnerability …

This advisory cautions about the distribution of malware masquerading as crack programs for software. The malicious actors aim to prevent the installation of V3 Lite, an anti-malware solution, by terminating its installation process. This tactic allows them to maintain persistence and continue upda…

This document examines the recent activities of the Silver Fox cybercrime group, which has traditionally targeted financial and tax entities but has now shifted its focus towards impersonating national institutions and security companies. The analysis involves a phishing website, Winos remote contr…

This report provides an in-depth analysis of a newly discovered information stealer named Kematian-Stealer, actively developed on GitHub and distributed as open-source software. The malware employs various techniques to collect sensitive data from compromised systems, evade detection, and maintain …

The report describes a persistent supply chain attack involving the distribution of a trojanized version of jQuery through various platforms like npm and GitHub. The malicious jQuery variant, containing a modified 'end' function, exfiltrates website form data by sending it to remote URLs controlled…

The report details the APT-C-26 (Lazarus) group's recent attack campaign utilizing malicious Python packages hosted on the PyPI repository to deliver payloads targeting multiple platforms including Windows, Linux, and macOS. It analyzes the attack flow, delivery methods, and malware components invo…

In March 2024, the cybersecurity firm Zscaler observed a new activity from Kimsuky, a North Korean state-sponsored hacker group. They employed a malicious Google Chrome extension named 'TRANSLATEXT' specifically crafted to steal email addresses, usernames, passwords, cookies, and capture browser sc…

Rapid7 has observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and Microsoft Teams.

Trend Micro recently discovered a threat actor group dubbed Void Arachne targeting Chinese-speaking users with malicious Windows Installer (MSI) files containing legitimate software bundled with malicious Winos payloads. The campaign promotes compromised MSI files embedded with nudifiers, deepfake …

This analysis details a malicious campaign dubbed 'FHAPPI' by the researcher, which utilized compromised Geocities Japan accounts to host malware payloads. The campaign leveraged VBScript and PowerShell scripts to execute encoded commands, ultimately delivering the Poison Ivy remote access trojan (…

This intelligence report details a unique social engineering technique observed by Proofpoint researchers, leveraging users to copy and paste malicious PowerShell scripts to infect their computers. The threat actors TA571 and ClearFake activity cluster employ this method to deliver malware like Dar…

Elastic Security Labs identified a new wave of email campaigns targeting environments by deploying a novel backdoor dubbed WARMCOOKIE, which communicates via HTTP cookie parameters. The malware is an initial tool used to scout victim networks and deploy additional payloads, with hard-coded command …

This report analyzes a phishing campaign spreading a new Agent Tesla variant designed to infiltrate victims' computers and steal sensitive information like credentials, email contacts, and system details. It leverages techniques like exploiting Microsoft Office vulnerabilities, executing JavaScript…

This report details a cryptojacking campaign exploiting exposed Docker remote API servers. Threat actors employ the cmd.cat/chattr Docker image for initial access, utilizing techniques like chroot and volume binding to break out of the container and access host systems. They deploy cryptocurrency m…

An investigation revealed that the threat group DarkPeony, also known as Operation ControlPlug, employed a novel technique involving MSC (Microsoft Common Console Document) files to initiate their malicious activities. These files, generally unfamiliar, leveraged the Console Taskpad feature to exec…

Sophos Managed Detection and Response initiated a threat hunt across customers after detecting abuse of a vulnerable VMware executable. The hunt uncovered a complex, persistent cyberespionage campaign by Chinese state-sponsored actors targeting a high-profile government organization in Southeast As…

This report discusses a botnet that has been active since 2019, distributing various malware such as NiceRAT, Nitol, and NanoCore. The botnet is spread through disguised cracked programs, shared on domestic file-sharing sites and blogs, posing as genuine software activators or game server tools. On…

A sophisticated multi-stage cyberattack was identified, utilizing an Excel file embedded with a VBA macro designed to deploy a DLL file. The attacker employed various evasion techniques and a multi-stage malware strategy to deliver the notorious 'Cobalt Strike' payload, establishing communication w…

Vidar Stealer is a potent malware written in C++, capable of stealing a wide range of data from the compromised system. Vidar Stealer targets user’s personal data, web-browser data, cryptocurrency wallets, financial data, sensitive files within user directories, communication applications, process …

This report details Cloudforce One's real-time effort to detect, deny, degrade, disrupt, and delay a phishing campaign by the Russia-aligned threat actor FlyingYeti targeting Ukraine. The campaign aimed to capitalize on anxiety over potential loss of housing and utilities by enticing targets to ope…

An investigation by Bitdefender Labs uncovered a previously unidentified cyber threat actor called Unfading Sea Haze. This group has systematically targeted high-level organizations across countries in the South China Sea region. The extensive analysis spanned several years, revealing their evolvin…

This analysis delves into three distinct stealers: Acrid, ScarletStealer, and Sys01. Acrid is a new stealer found in December, employing the 'Heaven's Gate' technique to bypass security controls. ScarletStealer downloads additional executables and Chrome extensions to facilitate data theft. Sys01, …

This comprehensive analysis delves into the continuous evolution and refinement of sophisticated malware entities employed by a persistent cyberespionage group targeting organizations in the Asia-Pacific region. The malware, known as Waterbear and its latest iteration, Deuterbear, have undergone si…

LATRODECTUS is a malware loader gaining popularity among cybercriminals, with strong connections to the ICEDID malware family. It offers standard capabilities for deploying payloads and conducting post-exploitation activities. Initially discovered by Walmart researchers in 2023, it continues evolvi…

This analysis focuses on the recent activities of the ViperSoftX malware strain, which controls infected systems and steals user information. The malware is known to install additional malware payloads, including Quasar RAT and a new infostealer called TesseractStealer. TesseractStealer utilizes th…

This analysis examines the types of malicious payloads that attackers embed within Microsoft OneNote files to deceive users into executing malicious code. By analyzing approximately 6,000 malicious OneNote samples, it reveals that attackers frequently employ images resembling buttons to lure victim…

Symantec's Threat Hunter Team has uncovered a new Linux backdoor, named Gomir, developed by the North Korean Springtail espionage group, which is linked to malware employed in a recent campaign targeting organizations in South Korea. The backdoor shares extensive code similarities with the Windows-…

The report describes a recent campaign by the threat actor Storm-1811, a financially motivated cybercriminal group known for deploying Black Basta ransomware. The campaign begins with social engineering tactics like voice phishing (vishing) and email bombing to trick users into granting remote acce…

CRIL's analysis revealed SideCopy APT group's sophisticated malware campaign, employing malicious LNK files and a complex infection chain involving HTAs and loader DLLs to deploy malware like ReverseRAT and Action RAT. SideCopy targets Indian universities and government entities, suggesting potenti…

Rapid7 detected an ongoing malware distribution campaign involving trojanized installers of WinSCP and PuTTY, delivered via malicious search engine ads. The infection chain employs DLL side-loading, credential access, and deploys Sliver beacons followed by Cobalt Strike. In one case, the threat act…

Check Point Research identified an unusual pattern involving PDF exploitation, mainly targeting users of Foxit Reader. This exploit triggers security warnings that could deceive users into executing harmful commands. The exploitation occurs through a flawed design in Foxit Reader, showing 'OK' as t…

This analysis examines the infection process of the DanaBot malware, distributed through sophisticated spam emails containing malicious Word documents. The documents leverage external links to download and execute macro files, which subsequently fetch and run the DanaBot payload. The infection chai…

This analysis delves into the activities of a group of malware operators known as Cerberus (formerly Amnesia) Team, who specialize in spreading infostealers, particularly in the Commonwealth of Independent States (CIS) region. It provides insights into their operations, tactics, and the evolution o…

CYFIRMA researchers identified an Android malware campaign, active for over a year, targeting Indian defense personnel by an unidentified Pakistan-based cyber espionage group. The threat actor utilized Spynote or a modified version called Craxs Rat, obfuscating the app with high complexity. Through…