What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2023-03-01 10:30:00 | Just Because It\'s Old Doesn\'t Mean You Throw It Away (Including Malware!) (lien direct) | There are still fresh infections of MyDoom (also known as Novarg and Mimail) occurring along with corresponding phishing events. Learn how this malware is continuing to operate in 2023. | Malware | ★★★ | |
 |
2023-03-01 07:00:00 | Why Organisations Must Get to Grips With Cloud Delivered Malware (lien direct) | >Netskope has just published the Monthly Threat Report for February, with this month's report focused on what is going on in Europe. I don't intend to summarise the report in this blog, instead I want to zoom in and study a continuing trend that was highlighted in there; one that is unfortunately heading in the […] | Malware Threat Prediction Cloud | ★★★ | |
 |
2023-03-01 00:34:26 | Victims of MortalKombat ransomware can now decrypt their locked files for free (lien direct) |  Cybersecurity firm Bitdefender released a universal decryptor for the MortalKombat ransomware – a strain first observed by threat researchers in January 2023. The malware has been used on dozens of victims across the U.S., United Kingdom, Turkey and the Philippines, according to a recent report from Cisco. Bogdan Botezatu, director of threat research and reporting [… |
Ransomware Malware Threat | ★★ | |
 |
2023-03-01 00:00:00 | Iron Tiger\'s SysUpdate Reappears, Adds Linux Targeting (lien direct) | We detail the update that advanced persistent threat (APT) group Iron Tiger made on the custom malware family SysUpdate. In this version, we also found components that enable the malware to compromise Linux systems. | Malware Threat | APT 27 | ★ |
 |
2023-02-28 20:12:31 | Intelligence Insight: Tax-themed phishing emails delivering GuLoader (lien direct) | Red Canary is detecting adversaries delivering tax season-themed phishing emails to distribute GuLoader malware | Malware | ★★ | |
 |
2023-02-28 18:55:00 | WannaCry Hero & Kronos Malware Author Named Cybrary Fellow (lien direct) | Marcus Hutchins, who set up a "kill switch" that stopped WannaCry's spread, later pled guilty to creating the infamous Kronos banking malware. | Malware | Wannacry Wannacry | ★★★ |
 |
2023-02-28 16:15:00 | Anomali Cyber Watch: Newly-Discovered WinorDLL64 Backdoor Has Code Similarities with Lazarus GhostSecret, Atharvan Backdoor Can Be Restricted to Communicate on Certain Days (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Backdoors, DLL sideloading, Infostealers, Phishing, Social engineering, and Tunneling. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
WinorDLL64: A Backdoor From The Vast Lazarus Arsenal?
(published: February 23, 2023)
When the Wslink downloader (WinorLoaderDLL64.dll) was first discovered in 2021, it had no known payload and no known attribution. Now ESET researchers have discovered a Wslink payload dubbed WinorDLL64. This backdoor uses some of Wslink functions and the Wslink-established TCP connection encrypted with 256-bit AES-CBC cipher. WinorDLL64 has some code similarities with the GhostSecret malware used by North Korea-sponsored Lazarus Group.
Analyst Comment: Wslink and WinorDLL64 use a well-developed cryptographic protocol to protect the exchanged data. Innovating advanced persistent groups like Lazarus often come out with new versions of their custom malware. It makes it important for network defenders to leverage the knowledge of a wider security community by adding relevant premium feeds and leveraging the controls automation via Anomali Platform integrations.
MITRE ATT&CK: [MITRE ATT&CK] T1587.001 - Develop Capabilities: Malware | [MITRE ATT&CK] T1059.001: PowerShell | [MITRE ATT&CK] T1106: Native API | [MITRE ATT&CK] T1134.002 - Access Token Manipulation: Create Process With Token | [MITRE ATT&CK] T1070.004 - Indicator Removal on Host: File Deletion | [MITRE ATT&CK] T1087.001 - Account Discovery: Local Account | [MITRE ATT&CK] T1087.002 - Account Discovery: Domain Account | [MITRE ATT&CK] T1083 - File And Directory Discovery | [MITRE ATT&CK] T1135 - Network Share Discovery | [MITRE ATT&CK] T1057 - Process Discovery | [MITRE ATT&CK] T1012: Query Registry | [MITRE ATT&CK] Picus: The System Information Discovery Technique Explained - MITRE ATT&CK T1082 | [MITRE ATT&CK] T1614 - System Location Discovery | [MITRE ATT&CK] T1614.001 - System Location Discovery: System Language Discovery | [MITRE ATT&CK] T1016 - System Network Configuration Discovery | [MITRE ATT&CK] T1049 - System Network Connections Discovery | |
Ransomware Malware Tool Threat Medical Medical Cloud | APT 38 | ★ |
 |
2023-02-28 14:00:00 | CyberheistNews Vol 13 #09 [Eye Opener] Should You Click on Unsubscribe? (lien direct) |
CyberheistNews Vol 13 #09 | February 28th, 2023
[Eye Opener] Should You Click on Unsubscribe?
By Roger A. Grimes.
Some common questions we get are "Should I click on an unwanted email's 'Unsubscribe' link? Will that lead to more or less unwanted email?"
The short answer is that, in general, it is OK to click on a legitimate vendor's unsubscribe link. But if you think the email is sketchy or coming from a source you would not want to validate your email address as valid and active, or are unsure, do not take the chance, skip the unsubscribe action.
In many countries, legitimate vendors are bound by law to offer (free) unsubscribe functionality and abide by a user's preferences. For example, in the U.S., the 2003 CAN-SPAM Act states that businesses must offer clear instructions on how the recipient can remove themselves from the involved mailing list and that request must be honored within 10 days.
Note: Many countries have laws similar to the CAN-SPAM Act, although with privacy protection ranging the privacy spectrum from very little to a lot more protection. The unsubscribe feature does not have to be a URL link, but it does have to be an "internet-based way." The most popular alternative method besides a URL link is an email address to use.
In some cases, there are specific instructions you have to follow, such as put "Unsubscribe" in the subject of the email. Other times you are expected to craft your own message. Luckily, most of the time simply sending any email to the listed unsubscribe email address is enough to remove your email address from the mailing list.
[CONTINUED] at the KnowBe4 blog:https://blog.knowbe4.com/should-you-click-on-unsubscribe
[Live Demo] Ridiculously Easy Security Awareness Training and Phishing
Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.
Join us TOMORROW, Wednesday, March 1, @ 2:00 PM (ET), for a live demo of how KnowBe4 introduces a new-school approac |
Malware Hack Tool Vulnerability Threat Guideline Prediction | APT 38 ChatGPT | ★★★ |
 |
2023-02-28 10:00:00 | Experts Spot Half a Million Novel Malware Variants in 2022 (lien direct) | Overall malware detections also rise after three years of decline | Malware | ★★ | |
 |
2023-02-27 20:40:16 | LastPass Says DevOps Engineer Home Computer Hacked (lien direct) | >LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud storage resources. | Malware Cloud | LastPass | ★ |
|
2023-02-27 18:30:46 | Mobile Banking Trojans Surge, Doubling in Volume (lien direct) | Mobile malware developers were busy bees in 2022, flooding the cybercrime landscape with twice the number of banking trojans than the year before. | Malware | ★★★ | |
 |
2023-02-27 16:23:00 | ChromeLoader Malware Targeting Gamers via Fake Nintendo and Steam Game Hacks (lien direct) | A new ChromeLoader malware campaign has been observed being distributed via virtual hard disk (VHD) files, marking a deviation from the ISO optical disc image format. "These VHD files are being distributed with filenames that make them appear like either hacks or cracks for Nintendo and Steam games," AhnLab Security Emergency response Center (ASEC) said in a report last week. ChromeLoader (aka | Malware | ★★★★ | |
|
2023-02-27 16:00:00 | ChromeLoader Malware Poses as Steam, Nintendo Game Mods (lien direct) | Asec said the malicious activity observed relied on VHD disk image files | Malware | ★★ | |
|
2023-02-27 15:52:00 | (Déjà vu) PureCrypter Malware Targets Government Entities in Asia-Pacific and North America (lien direct) | Government entities in Asia-Pacific and North America are being targeted by an unknown threat actor with an off-the-shelf malware downloader known as PureCrypter to deliver an array of information stealers and ransomware. "The PureCrypter campaign uses the domain of a compromised non-profit organization as a command-and-control (C2) to deliver a secondary payload," Menlo Security researcher | Malware Threat | ★★ | |
 |
2023-02-27 14:56:57 | Etude Threat Labs Netskope : les entreprises européennes ciblées par des chevaux de Troie (lien direct) | Etude Threat Labs Netskope : les entreprises européennes ciblées par des chevaux de Troie ● Les attaquants utilisent de plus en plus les applications cloud comme vecteurs de diffusion de malwares en Europe avec une hausse de 33 % à 53 % en une année. ● Totalisant 78 % des menaces bloquées en 2022, les chevaux de Troie ont constitué le type de malware le plus répandu en Europe, suivis par les exploits, les backdoors et les téléchargements furtifs. ● Microsoft OneDrive est l'application cloud la plus populaire en Europe, talonnée par Google Drive. Les produits et services qui forment Google Workspace sont davantage utilisés en Europe que dans le reste du monde. - Malwares | Malware Threat Cloud | ★★★ | |
|
2023-02-27 14:13:43 | \'PureCrypter\' Downloader Used to Deliver Malware to Governments (lien direct) | Threat actor uses the PureCrypter downloader to deliver malware to government entities in Asia-Pacific and North America. | Malware | ★★ | |
 |
2023-02-27 10:05:35 | The mobile malware threat landscape in 2022 (lien direct) | Android threat report by Kaspersky for 2022: malware on Google Play and inside the Vidmate in-app store, mobile malware statistics. | Malware Threat | ★★★ | |
|
2023-02-27 10:00:00 | Governments Targeted by Discord-Based Threat Campaign (lien direct) | Threat actor delivers multiple malware types via PureCrypter | Malware Threat | ★★ | |
 |
2023-02-27 04:15:15 | When Low-Tech Hacks Cause High-Impact Breaches (lien direct) | Web hosting giant GoDaddy made headlines this month when it disclosed that a multi-year breach allowed intruders to steal company source code, siphon customer and employee login credentials, and foist malware on customer websites. Media coverage understandably focused on GoDaddy's admission that it suffered three different cyberattacks over as many years at the hands of the same hacking group. But it's worth revisiting how this group typically got in to targeted companies: By calling employees and tricking them into navigating to a phishing website. | Malware | ★★ | |
 |
2023-02-27 02:30:00 | War tests Ukrainian telecom, internet resilience (lien direct) | One year after Russia's invasion of Ukraine, the country's overall resilience and defiance has been inspiring, but telecommunications and internet connectivity has grown much more difficult.Initially the country's internet network mostly withstood with some outages and slowdowns, but that has changed over time as the aggressors devote more effort in destroying physical locations and deploying malware and other cybersecurity weapons.For example, researchers at Top10VPN recently reported some distressing analysis including:To read this article in full, please click here | Malware | ★★ | |
 |
2023-02-25 10:16:22 | PureCrypter malware hits govt orgs with ransomware, info-stealers (lien direct) | A threat actor has been targeting government entities with PureCrypter malware downloader that has been seen delivering multiple information stealers and ransomware strains. [...] | Ransomware Malware Threat | ★★ | |
 |
2023-02-24 20:24:50 | Desde Chile con Malware (From Chile with Malware) (lien direct) | Spoiler Alert: They weren't actually from Chile. Introduction This blog post provides a short update on our ongoing tracking of... | Malware | ★★★★ | |
 |
2023-02-24 16:07:11 | New S1deload Malware Hijacking Youtube And Facebook Accounts (lien direct) | A new malware campaign called S1deload Stealer has been discovered by Bitdefender’s Advanced Threat Control (ATC) team, targeting YouTube and Facebook users. The malware infects computers, hijacks social media accounts, and uses devices to mine cryptocurrency. Security researchers discovered that the malware uses DLL sideloading to evade detection. Bitdefender products detected over 600 unique users […] | Malware Threat | ★★★ | |
 |
2023-02-24 12:35:31 | macOS : ce malware mine des cryptos sur votre Mac, au détriment de ses performances (lien direct) |  Un malware conçu pour miner des cryptomonnaies vise actuellement les Macs, et spécialement les ordinateurs avec une puce M conçue par Apple. Pour se protéger du virus, les experts recommandent d'installer la mise à jour Ventura sans tarder. |
Malware | ★ | |
 |
2023-02-24 10:30:09 | A year of wiper attacks in Ukraine (lien direct) | >ESET Research has compiled a timeline of cyberattacks that used wiper malware and have occurred since Russia's invasion of Ukraine in 2022 | Malware | ★★ | |
 |
2023-02-23 23:30:05 | Suspected Russian NLBrute malware boss extradited to US (lien direct) | Dariy Pankov accused of infiltrating systems, selling tool and passwords to other miscreants A Russian national accused of developing the NLBrute brute-force hacking tool has made his first court appearance this week in Florida over accusations that he used the tool to spawn a criminal empire.… | Malware Tool | ★★★ | |
|
2023-02-23 22:19:00 | Hackers Using Trojanized macOS Apps to Deploy Evasive Cryptocurrency Mining Malware (lien direct) | Trojanized versions of legitimate applications are being used to deploy evasive cryptocurrency mining malware on macOS systems. Jamf Threat Labs, which made the discovery, said the XMRig coin miner was executed as Final Cut Pro, a video editing software from Apple, which contained an unauthorized modification. "This malware makes use of the Invisible Internet Project (i2p) [...] to download | Malware Threat | ★ | |
|
2023-02-23 21:57:12 | Russian accused of developing password-cracking tool extradited to US (lien direct) |  A 28-year-old Russian malware developer was extradited to the U.S. where he could face up to 47 years in federal prison for allegedly creating and selling a malicious password-cracking tool. Dariy Pankov, also known as “dpxaker,” developed what the Department of Justice called “powerful” password-cracking program that he marketed and sold to other cybercriminals for a [… |
Malware Tool | ★★ | |
|
2023-02-23 21:54:44 | Pirated Final Cut Pro for macOS Offers Stealth Malware Delivery (lien direct) | The number of people who have made the weaponized software available for sharing via torrent suggests that many unsuspecting victims may have downloaded the XMRig coin miner. | Malware | ★★ | |
|
2023-02-23 19:54:00 | Hydrochasma Threat Group Bombards Targets with Slew of Commodity Malware, Tools (lien direct) | A previously unidentified threat group uses open source malware and phishing to conduct cyber-espionage on shipping and medical labs associated with COVID-19 treatments and vaccines. | Malware Threat Medical | ★★★ | |
|
2023-02-23 19:02:13 | Hackers use ChatGPT phishing websites to infect users with malware (lien direct) |  Cyble says cybercriminals are setting up phishing websites that mimic the branding of ChatGPT, an AI tool that has exploded in popularity |
Malware Tool | ChatGPT | ★★★ |
|
2023-02-23 18:50:35 | Wiper Malware Surges Ahead, Spiking 53% in 3 Months (lien direct) | Cybercriminals and hacktivists have joined state-backed actors in using sabotage-bent malware in destructive attacks, new report shows. | Malware | ★★ | |
 |
2023-02-23 18:20:55 | Russian national accused of developing, selling malware appears in U.S. court (lien direct) | >Dariy Pankov faces up to 47 years in prison on charges linked to credential sales and offering access to the NLBrute malware. | Malware | ★★★ | |
|
2023-02-23 17:17:00 | Lazarus Group Using New WinorDLL64 Backdoor to Exfiltrate Sensitive Data (lien direct) | A new backdoor associated with a malware downloader named Wslink has been discovered, with the tool likely used by the notorious North Korea-aligned Lazarus Group, new findings reveal. The payload, dubbed WinorDLL64 by ESET, is a fully-featured implant that can exfiltrate, overwrite, and delete files; execute PowerShell commands; and obtain comprehensive information about the underlying machine. | Malware Tool Medical | APT 38 | ★ |
|
2023-02-23 16:28:45 | Malware Report: The Number of Unique Phishing Emails in Q4 Rose by 36% (lien direct) |
|
Malware | ★★★ | |
|
2023-02-23 16:15:00 | New S1deload Malware Hijacking Users\' Social Media Accounts and Mining Cryptocurrency (lien direct) | An active malware campaign has set its sights on Facebook and YouTube users by leveraging a new information stealer to hijack the accounts and abuse the systems' resources to mine cryptocurrency. Bitdefender is calling the malware S1deload Stealer for its use of DLL side-loading techniques to get past security defenses and execute its malicious components. "Once infected, S1deload Stealer steals | Malware | ★ | |
|
2023-02-23 14:47:00 | Stealthy Mac Malware Delivered via Pirated Apps (lien direct) | >Cybercriminals are delivering stealthy cryptojacking malware to Macs using pirated apps and they could use the same method for other malware. | Malware | ★★ | |
 |
2023-02-23 14:29:50 | (Déjà vu) Ukraine suffered more data-wiping malware than anywhere, ever (lien direct) | Russia has greatly accelerated cyberattacks on its neighbor in the wake of its invasion. | Malware | ★★ | |
|
2023-02-23 13:34:26 | Pirated Final Cut Pro infects your Mac with cryptomining malware (lien direct) | Security researchers discovered a cryptomining operation targeting macOS with a malicious version of Final Cut Pro that remains largely undetected by antivirus engines. [...] | Malware | ★★★ | |
|
2023-02-23 13:17:09 | Bitdefender - Nouveau Malware - S1deload Stealer - visant les comptes Facebook et YouTube (lien direct) | Bitdefender - Nouveau Malware - S1deload Stealer - visant les comptes Facebook et YouTube - Malwares | Malware | ★★ | |
|
2023-02-23 12:59:09 | Russian Accused of Developing NLBrute Malware Extradited to US (lien direct) | >A Russian malware developer behind the NLBrute brute-forcing tool has been extradited to the United States from Georgia. | Malware Tool | ★★ | |
|
2023-02-23 12:36:04 | Russian malware dev behind NLBrute hacking tool extradited to US (lien direct) | A Russian malware developer accused of creating and selling the NLBrute password-cracking tool was extradited to the United States after being arrested in the Republic of Georgia last year on October 4. [...] | Malware Tool | ★★★ | |
 |
2023-02-23 11:00:00 | Stories from the SOC - The case for human response actions (lien direct) | Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Extended Detection and Response customers.
Executive summary
As we move towards more automation, we should remember the risk of over-automating, or at least make a conscious decision to accept the risks. This is especially important in automating response actions, which left unchecked could wreak havoc with day-to-day business operations.
Investigation
The alarm
One evening after normal business hours, an alarm came in indicating a software package attempting to execute on a server was auto-mitigated by SentinelOne. The software package was behaving in a way that was taken as attempting to evade detection by the SentinelOne agent and therefore rated as “Malicious” by the SentinelOne Artificial Intelligence logic. Since the server on which the software package was attempting to execute had a “Protect” policy applied, the auto-mitigation steps for a dynamically detected “Malicious” rating included killing and quarantining the process.
A “policy” setting in SentinelOne is the defined level of automated response activity the endpoint detection and response tool (EDR) has permission to perform for each grouping of assets. Whereas a “Detect” policy will create an alert that can be managed for post-investigation response actions, a policy setting of “Protect” will take automated response actions. The intrusion level of those automated response actions can be customized, but they all perform an automated action without a person looking at the situation first.
The below image is for an alarm for malware which ended up being process automation software
but nonetheless was automitigated (process killed) by SentinelOne as shown in the log excerpt below.
The business impact
The next morning, with business hours back in full swing, the customer reached out to us concerned about the result of the automated response action. The customer stated that the software package is a critical part of their business infrastructure and should never be stopped from executing. The software had been running on that same server the prior several months, since entering SOC monitoring.
The customer questioned why after several months with the SentinelOne agent running on the server did the agent suddenly believe the software package was malicious. We were not able the answer the question specifically since the decision-making behind identifying and rating a process as “Malicious” versus “Suspicious” or benign is a proprietary logic.
What we could state is that any EDR solution worth its price will continually update indicator of compromise (IOC) signatures. Any worthwhile EDR solution will also include not only static detection but also behavior-based dynamic detection. In the case of SentinelOne, there is the pre-execution behavior analysis that allows for process termination pre-execution as well. And of course, any software package run on a server is subject to updates for security, efficiency, or product feature upgrades.
Taken as a whole, it means any endpoint being protected is a very dynamic battleground with the potential for an updated software package that did not trigger IOC rules yesterday triggering tehm today. Or a non-updated software package may suddenly be identified as potently malicious due to updated machine learning IOC behavior analysis. Remember when |
Malware Tool | ★★★ | |
 |
2023-02-23 09:57:34 | Russia V Ukraine: Round two – Gamma Edition (lien direct) | >By Nilaa Maharjan; Logpoint Global Services & Security ResearchContentsWhat has happened?Anticipating the anniversaryGamaredon: Who are they?The impact of these malware strains?Download Report: Russia V Ukraine: Round two - Gamma EditionA year on since the first attack on Ukrainian territory and the unofficial beginning of the cyber war, the Secretary of Ukraine's National Security and Defense [...] | Malware | ★★ | |
|
2023-02-23 09:50:00 | Russian Invasion Sparks Global Wiper Malware Surge (lien direct) | Fortinet detected a 50% increase in destructive attacks in H2 2022 | Malware | ★★ | |
|
2023-02-23 09:25:51 | Une fausse app ChatGPT pour Windows menace de pirater vos comptes Facebook, TikTok et Google (lien direct) |  Une fausse application ChatGPT pour PC Windows se propage sur les réseaux sociaux. Elle cache un malware capable de voler les identifiants des comptes Facebook, TikTok et Google. |
Malware | ChatGPT | ★★ |
|
2023-02-23 09:20:00 | Phishing Sites and Apps Use ChatGPT as Lure (lien direct) | Campaigns designed to steal card information and install malware | Malware | ChatGPT | ★★ |
 |
2023-02-23 09:07:44 | Fake ChatGPT apps spread Windows and Android malware (lien direct) | OpenAI's ChatGPT chatbot has been a phenomenon, taking the internet by storm. Whether it is composing poetry, writing essays for college students, or finding bugs in computer code, it has impressed millions of people and proven itself to be the most accessible form of artificial intelligence ever seen. Yes, there are plenty of fears about how the technology could be used and abused, questions to be answered about its ethical use and how regulators might police its use, and worries that some may not realise that ChatGPT is not as smart as it initially appears. But no-one can deny that it has... | Malware | ChatGPT | ★★ |
|
2023-02-23 06:00:00 | Clasiopa hackers use new Atharvan malware in targeted attacks (lien direct) | Security researchers have observed a hacking group targeting companies in the materials research sector with a unique toolset that includes a custom remote access trojan (RAT) called Atharvan. [...] | Malware | ★★ | |
 |
2023-02-23 02:00:00 | Anti-Forensic Techniques Used By Lazarus Group (lien direct) | Since approximately a year ago, the Lazarus group’s malware has been discovered in various Korean companies related to national defense, satellites, software, and media press. The AhnLab ASEC analysis team has been continuously tracking the Lazarus threat group’s activities and other related TTPs. Among the recent cases, this post aims to share the anti-forensic traces and details found in the systems that were infiltrated by the Lazarus group. Overview Definition of Anti-Forensics Anti-forensics refers to the tampering of evidence in... | Malware Threat Medical | APT 38 | ★★ |
To see everything:
Our RSS (filtrered)
