What's new around the internet

Src Date (GMT) Title Description Tags Stories Notes
Trend.webp 2022-12-14 00:00:00 Probing Weaponized Chat Applications Abused in Supply-Chain Attacks (lien direct) This report examines the infection chain and the pieces of malware used by malicious actors in supply-chain attacks that leveraged trojanized installers of chat-based customer engagement platforms. Malware ★★
Netskope.webp 2022-12-13 22:16:36 Cloud Threats Memo: Understanding the Dead Drop Resolver Technique (lien direct) >If I asked you what the common ways to exploit a cloud app for malicious purposes are, I bet your answer would probably be either to use it to distribute malicious content (such as malware or phishing pages), or to host the command and control (C2) infrastructure. In reality another frequent technique is the dead […] Malware ★★★★
WiredThreatLevel.webp 2022-12-13 21:28:57 Cuba Ransomware Gang Abused Microsoft Certificates to Sign Malware (lien direct) The company has taken measures to mitigate the risks, but security researchers warn of a broader threat. Ransomware Malware ★★★
ArsTechnica.webp 2022-12-13 21:17:27 Microsoft digital certificates have once again been abused to sign malware (lien direct) Code-signing is supposed to make people safer. In this case, it made them less so. Malware ★★★
Mandiant.webp 2022-12-13 18:00:00 I Solemnly Swear My Driver Is Up to No Good: Hunting for Attestation Signed Malware (lien direct) During a recent Incident Response investigation, Mandiant discovered a malicious driver used to terminate select processes on Windows systems. In this case, the driver was used in an attempt to terminate the Endpoint Detection and Response (EDR) agent on the endpoint. Mandiant tracks the malicious driver and its loader as POORTRY and STONESTOP respectively. Soon after the initial discovery, Mandiant observed a POORTRY driver sample signed with a Microsoft Windows Hardware Compatibility Authenticode signature. Careful analysis of the driver's Authenticode metadata led to a larger investigation Malware ★★★
Anomali.webp 2022-12-13 16:00:00 Anomali Cyber Watch: MuddyWater Hides Behind Legitimate Remote Administration Tools, Vice Society Tops Ransomware Threats to Education, Abandoned JavaScript Library Domain Pushes Web-Skimmers (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Compromised websites, Education, Healthcare, Iran, Phishing, Ransomware, and Supply chain. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence New MuddyWater Threat: Old Kitten; New Tricks (published: December 8, 2022) In 2020-2022, Iran-sponsored MuddyWater (Static Kitten, Mercury) group went through abusing several legitimate remote administration tools: RemoteUtilities, followed by ScreenConnect and then Atera Agent. Since September 2022, a new campaign attributed to MuddyWater uses spearphishing to deliver links to archived MSI files with yet another remote administration tool: Syncro. Deep Instinct researchers observed the targeting of Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and United Arab Emirates. Analyst Comment: Network defenders are advised to establish a baseline for typical running processes and monitor for remote desktop solutions that are not common in the organization. 
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Remote Access Tools - T1219 Tags: mitre-group:MuddyWater, actor:Static Kitten, actor:Mercury, Iran, source-country:IR, APT, Cyberespionage, Ministry of Intelligence and Security, detection:Syncro, malware-type:RAT, file-type:MSI, file-type:ZIP, OneHub, Windows Babuk Ransomware Variant in Major New Attack (published: December 7, 2022) In November 2022, Morphisec researchers identified a new ransomware variant based on the Babuk source code that was leaked in 2021. One modification is lowering detection by abusing the legitimate Microsoft signed process: DLL side-loading into NTSD.exe — a Symbolic Debugger tool for Windows. The mechanism to remove the available Shadow Copies was changed to using Component Object Model objects that execute Windows Management Instrumentation queries. This sample was detected in a large, unnamed manufacturing company where attackers had network access and were gathering information for two weeks. They have compromised the company’s domain controller and used it to distribute ransomware to all devices within the organization through Group Policy Object. The delivered BAT script bypasses User Account Control and executes a malicious MSI file that contains files for DLL side-loading and an open-source-based reflective loader (OCS files). Analyst Comment: The attackers strive to improve their evasion techniques, their malware on certain steps hides behind Microsoft-signed processes and exists primarily in device memory. It increases the need for the defense-in-depth approach and robust monitoring of your organization domain. MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Abuse Elevation Control Mechanism - T1548 | [MITRE ATT&CK] Hijack Execution Flow - T1574 | Ransomware Malware Tool Threat Medical APT 38 ★★★
The_Hackers_News.webp 2022-12-13 14:38:00 Cybersecurity Experts Uncover Inner Workings of Destructive Azov Ransomware (lien direct) Cybersecurity researchers have published the inner workings of a new wiper called Azov Ransomware that's deliberately designed to corrupt data and "inflict impeccable damage" to compromised systems. Distributed through another malware loader known as SmokeLoader, the malware has been described as an "effective, fast, and unfortunately unrecoverable data wiper," by Israeli cybersecurity company Ransomware Malware ★★★
The_Hackers_News.webp 2022-12-13 12:30:00 Malware Strains Targeting Python and JavaScript Developers Through Official Repositories (lien direct) An active malware campaign is targeting the Python Package Index (PyPI) and npm repositories for Python and JavaScript with typosquatted and fake modules that deploy a ransomware strain, marking the latest security issue to affect software supply chains. The typosquatted Python packages all impersonate the popular requests library: dequests, fequests, gequests, rdquests, reauests, reduests, Ransomware Malware ★★★
bleepingcomputer.webp 2022-12-13 12:27:43 New GoTrim botnet brute forces WordPress site admin accounts (lien direct) A new Go-based botnet malware named 'GoTrim' is scanning the web for self-hosted WordPress websites and attempting to brute force the administrator's password and take control of the site. [...] Malware ★★
Checkpoint.webp 2022-12-13 11:00:56 November 2022's Most Wanted Malware: A Month of Comebacks for Trojans as Emotet and Qbot Make an Impact (lien direct) >Check Point Research reports that Emotet has returned after a quiet summer, now the second most prevalent malware globally. Qbot has also made it back into the index for the first time since 2021, while the Education sector remains under attack. Our latest Global Threat Index for November saw the return of Emotet, an ambitious… Malware Threat ★★
AlienVault.webp 2022-12-13 11:00:00 2023 Cybersecurity predictions (lien direct) Cybersecurity is a relatively new discipline in the realm of computing. Once computing became more democratized with PCs connected via local area networks (LAN) and client/server environments, adversaries quickly saw opportunities. The more democratized computing becomes, the more risk and potential there is for cyber adversaries. Dealing with cyber risk and adversaries is now part of a normal business plan. Gone are the days of instilling fear, uncertainty, and doubt (FUD) about the potential of a bad actor. The days of nefarious hackers in hoodies lurking in the shadows are gone. Businesses of all types and sizes now know that cybersecurity is part of a solid business plan. Security is no longer relegated to a team of really smart experts; security is a business enabler and builder of digital trust. As we move to 2023, we will continue to see computing more democratized. With the advent of more edge computing (according to the 2022 AT&T Cybersecurity Insights Report, 75% of organizations are on a journey to the edge), the way we interact with technology is rapidly shifting. We are moving from input/output types of functions to more seamless interactions that deliver outcomes. With more of a focus on outcomes, security becomes the center of focus in the new democratized era of computing. We are just getting started with ideas for edge computing. And, by association, we are just getting started with what security means. Here are my predictions for some of the trends and highlights we will see in the cybersecurity landscape in the year ahead. Move to the edge: A new paradigm of computing is upon us. This new era is underpinned by 5G and edge. Edge is a word we have heard for quite some time, but in general conversation it lacks a consistent definition. Vendors and business users alike tend to define edge in accordance with the technology stack being sold or used.
When thinking about edge, consider these three characteristics as a starting point: a distributed model of management, intelligence, and networks; applications, workloads, and hosting closer to the users and assets that are generating or consuming the data (which may be on-premise or in the cloud); and software-defined infrastructure. Edge use cases are largely driven by the world of the internet of things (IoT), where devices collect and transmit data to make logical and rational decisions that derive an outcome. In 2023, we should expect to see an accelerated full-scale rollout of edge use cases in areas such as: real-time fraud detection for financial services; automated warehousing with near real-time inventory management; and near real-time visual inspections for uses as varied as manufacturing assembly lines, passport control at border crossings, and available parking spaces. These use cases require connected systems from the network layer through to application monitoring/management, and require each component to be secure in order to derive the desired outcome. 2023 Cybersecurity predictions: With more democratized computing, security is no longer isolated; it is central to delivering strong business outcomes. In 2023, expect to see more edge use cases and applications. For successful implementation with security at the core, expect the decades-old silos such as networking, IT, app development, and security to begin to fade away and enable more cross-functional work and roles. Read more about the edge ecosystem in the upcoming 2023 AT&T Cybersecurity Insights Report due out January 24, 2023. Check out our previous reports available here for: 2022 and Malware Hack Threat Medical ★★★
InfoSecurityMag.webp 2022-12-13 10:45:00 Experts Warn ChatGPT Could Democratize Cybercrime (lien direct) Researchers claim AI bot can write malware and craft phishing emails Malware ChatGPT ★★★
News.webp 2022-12-13 08:32:10 Researchers smell a cryptomining Chaos RAT targeting Linux systems (lien direct) Smells like Russian miscreants A type of cryptomining malware targeting Linux-based systems has added capabilities by incorporating an open source remote access trojan called Chaos RAT with several advanced functions that bad guys can use to control remote operating systems.… Malware ★★★
TroyHunt.webp 2022-12-12 23:44:44 Effective, fast, and unrecoverable: Wiper malware is popping up everywhere (lien direct) Wiper malware from no fewer than 9 families has appeared this year. Now there are 2 more. Malware ★★
The_Hackers_News.webp 2022-12-12 19:21:00 Cryptocurrency Mining Campaign Hits Linux Users with Go-based CHAOS Malware (lien direct) A cryptocurrency mining attack targeting the Linux operating system also involved the use of an open source remote access trojan (RAT) dubbed CHAOS. The threat, which was spotted by Trend Micro in November 2022, remains virtually unchanged in all other aspects, including when it comes to terminating competing malware, security software, and deploying the Monero (XMR) cryptocurrency miner. "The Malware ★★
TechRepublic.webp 2022-12-12 16:50:35 TrueBot malware delivery evolves, now infects businesses in the US and elsewhere (lien direct) >New research from Cisco Talos reveals that the infamous TrueBot malware has updated its modus operandi and now hits the U.S. with additional payloads such as the infamous Clop ransomware. Malware ★★
bleepingcomputer.webp 2022-12-12 16:26:33 New Python malware backdoors VMware ESXi servers for remote access (lien direct) A previously undocumented Python backdoor targeting VMware ESXi servers has been spotted, enabling hackers to execute commands remotely on a compromised system. [...] Malware ★★★
Checkpoint.webp 2022-12-12 10:55:50 From disruption to destruction- Azov Ransomware presents a new shift towards destructive wipers (lien direct) >Highlights: Check Point Research (CPR) provides under-the-hood details of its analysis of the infamous Azov Ransomware Using advanced wipers, Azov is designed to inflict immense damage to the infected machine it runs on Check Point Research flags a worrying shift towards sophisticated malware designed to destroy the compromised system, and advises organizations to take appropriate… Ransomware Malware ★★★
Fortinet.webp 2022-12-12 06:49:00 GoTrim: Go-based Botnet Actively Brute Forces WordPress Websites (lien direct) FortiGuard Labs encountered an unreported CMS scanner and brute forcer written in the Go programming language. Read our analysis of the malware and how this active botnet scans and compromises websites. Malware ★★
bleepingcomputer.webp 2022-12-11 11:22:33 (Déjà vu) Clop ransomware uses TrueBot malware for access to networks (lien direct) Security researchers have noticed a spike in devices infected with the TrueBot malware downloader created by a Russian-speaking hacking group known as Silence. [...] Ransomware Malware ★★
bleepingcomputer.webp 2022-12-11 11:22:33 Clop ransomware partners with TrueBot malware for access to networks (lien direct) Security researchers have noticed a spike in devices infected with the TrueBot malware downloader created by a Russian-speaking hacking group known as Silence. [...] Ransomware Malware
The_Hackers_News.webp 2022-12-10 17:16:00 Hack-for-Hire Group Targets Travel and Financial Entities with New Janicab Malware Variant (lien direct) Travel agencies have emerged as the target of a hack-for-hire group dubbed Evilnum as part of a broader campaign aimed at legal and financial investment institutions in the Middle East and Europe. The attacks targeting law firms throughout 2020 and 2021 involved a revamped variant of a malware called Janicab that leverages a number of public services like YouTube as dead drop resolvers, Malware ★★★
The_Hackers_News.webp 2022-12-09 22:46:00 New Truebot Malware Variant Leveraging Netwrix Auditor Bug and Raspberry Robin Worm (lien direct) Cybersecurity researchers have reported an increase in TrueBot infections, primarily targeting Mexico, Brazil, Pakistan, and the U.S. Cisco Talos said the attackers behind the operation have moved from using malicious emails to alternative delivery methods such as the exploitation of a now-patched remote code execution (RCE) flaw in Netwrix auditor as well as the Raspberry Robin worm. " Malware ★★
News.webp 2022-12-09 22:00:08 Legit Android apps poisoned by sticky 'Zombinder' malware (lien direct) Sure, go ahead and load APKs instead of using an app store. You won't enjoy the results. Threat researchers have discovered an obfuscation platform that attaches malware to legitimate Android applications to lure users to install the malicious payload and make it difficult for security tools to detect.… Malware ★★★
InfoSecurityMag.webp 2022-12-09 18:00:00 Truebot Malware Activity Increases With Possible Evil Corp Connections (lien direct) The campaigns observed by Cisco Talos have resulted in the creation of two botnets Malware ★★★
The_Hackers_News.webp 2022-12-09 16:55:00 Researchers Uncover New Drokbk Malware that Uses GitHub as a Dead Drop Resolver (lien direct) The subgroup of an Iranian nation-state group known as Nemesis Kitten has been attributed as behind a previously undocumented custom malware dubbed Drokbk that uses GitHub as a dead drop resolver to exfiltrate data from an infected computer, or to receive commands. "The use of GitHub as a virtual dead drop helps the malware blend in," Secureworks principal researcher Rafe Pilling said. "All the Malware ★★
InfoSecurityMag.webp 2022-12-09 16:00:00 Cobalt Mirage Affiliate Uses GitHub to Relay Drokbk Malware Instructions (lien direct) Secureworks said the malicious code is written in .NET and comprises a dropper and a payload Malware APT 15 ★★★
globalsecuritymag.webp 2022-12-09 11:17:25 Iran-backed group uses GitHub to relay malware instructions (lien direct) Iran-backed group uses GitHub to relay malware instructions. A subgroup of the Iranian Cobalt Mirage group, Cluster B, targets US organizations with custom Drokbk malware - Malwares Malware APT 15 ★★
bleepingcomputer.webp 2022-12-09 09:00:00 Holiday 2022 deal: 20% off Zero2Automated malware analysis training (lien direct) Zero2Automated, the creators of the popular malware analysis and reverse-engineering course, is having a Christmas special where you can get 20% off all courses on their site, with additional goodies thrown in. [...] Malware ★★★
SecureWork.webp 2022-12-09 04:00:00 Drokbk Malware Uses GitHub as Dead Drop Resolver (lien direct) Type: Blogs. A subgroup of the Iranian COBALT MIRAGE threat group leverages Drokbk for persistence. Malware Threat APT 15 ★★
CyberSkills.webp 2022-12-09 00:00:00 Cyber Skills Ireland launches new service for consumers to support safer online shopping (lien direct) Recent consumer research* shows that almost 40% of Irish shoppers plan to do a mix of in-store and online shopping this year. As we approach the holiday season and more and more people buy gifts online, Cyber Skills is launching a new national online service to help shoppers check whether sites are legitimate and safe to use. The initiative is aimed at online shoppers, who may visit websites promoting offers and bargain prices. CheckMyLink (Check.Cyberskills.ie) is a new national service that will be run by Cyber Skills in association with ScamAdviser and An Garda Síochána. The goal is to increase consumers' confidence that the online website they are buying from is genuine and to ensure that the website is not infected with malware. The service is easy to use and simply asks online users to provide only the URL of the website they are visiting. The service then generates an online report from trusted sources that aims to increase consumer confidence that the website or link is genuine and safe to browse. Speaking on the announcement, Professor Donna O'Shea, Chair of Cybersecurity, MTU, said: "This year, scammers and fraudsters will likely try to exploit the fact that more of us are under financial pressure with rising energy costs and inflation, meaning we have less money in our pockets. They will try to exploit our natural behavioural response of becoming savvier with our money and looking for bargains in sales and online shopping."
"However, to look after your money this Christmas, savvy online shoppers need to be aware that scammers are very good at making fake websites look real, and that unfamiliar websites should be checked before handing over hard-earned cash or providing credit card details." William Dalton, Vice President and Managing Director of Trend Micro, which sponsors the initiative, added: "Trend Micro is delighted to partner with CheckMyLink in our joint mission to protect Irish consumers from fraud-related crime. As Christmas draws closer, our friends and loved ones will try to buy hard-to-find gifts and may be tempted to buy them from a fake website. It is important that we are aware of the websites we use." Detective Chief Superintendent Barry Walsh, head of the Garda National Cyber Crime Bureau, also stressed: "There is an increased risk to consumers, particularly around this time of year, as hackers use contaminated links hidden in emails, social media and other mainstream online platforms to access passwords, credit card details or other sensitive information. An Garda Síochána supports the new initiative to allow users to verify the authenticity of web addresses and click-through domains before engaging with the sites. It will also allow users to validate that they are legitimate entities."
The national service is sponsored by Science Foundation Ireland's (SFI) Lero (Centre for Software), Connect (Centre for Future Networks) and Confirm (Centre for Smart Manufacturing), and by Trend Micro, and is available in English and Irish. For more information, please visit Check.Cyberskills.ie. Cyber Skills is funded by the Human Capital Initiative (HCI). Cyber Skills is hosted by MTU with HEI partners including UL, UCD and TU Dublin. Its aim is to address the shortage of critical skills among pr Malware Threat Prediction ★★
The_Hackers_News.webp 2022-12-08 21:46:00 Researchers Uncover Darknet Service Allowing Hackers to Trojonize Legit Android Apps (lien direct) Researchers have shed light on a new hybrid malware campaign targeting both Android and Windows operating systems in a bid to expand its pool of victims. The attacks entail the use of different malware such as ERMAC, Erbium, Aurora, and Laplas, according to a ThreatFabric report shared with The Hacker News. "This campaign resulted in thousands of victims," the Dutch cybersecurity company said, Malware ★★
The_Hackers_News.webp 2022-12-08 13:26:00 Iranian Hackers Strike Diamond Industry with Data-Wiping Malware in Supply-Chain Attack (lien direct) An Iranian advanced persistent threat (APT) actor known as Agrius has been attributed as behind a set of data wiper attacks aimed at diamond industries in South Africa, Israel, and Hong Kong. The wiper, codenamed Fantasy by ESET, is believed to have been delivered via a supply chain attack targeting an Israeli software suite developer as part of a campaign that began in February 2022. Victims Malware Threat ★★★
Chercheur.webp 2022-12-08 12:08:24 Leaked Signing Keys Are Being Used to Sign Malware (lien direct) A bunch of Android OEM signing keys have been leaked or stolen, and they are actively being used to sign malware. Łukasz Siewierski, a member of Google’s Android Security Team, has a post on the Android Partner Vulnerability Initiative (AVPI) issue tracker detailing leaked platform certificate keys that are actively being used to sign malware. The post is just a list of the keys, but running each one through APKMirror or Google’s VirusTotal site will put names to some of the compromised keys: Samsung, LG, and Mediatek are the heavy hitters on the list of leaked keys, along with some smaller OEMs like ... Malware Vulnerability ★★★
bleepingcomputer.webp 2022-12-08 05:00:00 New 'Zombinder' platform binds Android malware with legitimate apps (lien direct) A darknet platform dubbed 'Zombinder' allows threat actors to bind malware to legitimate Android apps, causing victims to infect themselves while still having the full functionality of the original app to evade suspicion. [...] Malware Threat ★★★
Blog.webp 2022-12-08 02:10:30 (Déjà vu) ASEC Weekly Malware Statistics (November 28th, 2022 – December 4th, 2022) (lien direct) The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from November 28th, 2022 (Monday) to December 4th, 2022 (Sunday). For the main category, Infostealer ranked top with 34.8%, followed by downloader with 28.2%, backdoor with 21.1%, ransomware with 14.6%, and CoinMiner with 0.3%. Top 1 – SmokeLoader SmokeLoader is an infostealer/downloader malware that is distributed via exploit kits. This week, it ranked first place with... Ransomware Malware ★★
knowbe4.webp 2022-12-07 15:44:32 Archives Overtake Office Documents as the Most Popular File Type to Deliver Malware (lien direct) Archives Overtake Office Documents as the Most Popular File Type to Deliver Malware Malware ★★★
bleepingcomputer.webp 2022-12-07 14:19:32 New Zerobot malware has 21 exploits for BIG-IP, Zyxel, D-Link devices (lien direct) A new Go-based malware named 'Zerobot' has been spotted in mid-November using exploits for almost two dozen vulnerabilities in a variety of devices that include F5 BIG-IP, Zyxel firewalls, Totolink and D-Link routers, and Hikvision cameras. [...] Malware ★★
Blog.webp 2022-12-07 01:41:18 Malware Distributed with Disguised Filenames (RIGHT-TO-LEFT OVERRIDE) (lien direct) In August, the ASEC analysis team made a post on malware being distributed with filenames that utilize RTLO (Right-To-Left Override). RTLO is a Unicode control character that overrides the text direction from right to left. This type of malware induces users to execute its files by disguising the real extension within the filename, and its distribution continues to this day. RAT Tool Disguised as Solution File (*.sln) Being Distributed on GitHub As of November 30th, 2022, when the keywords based on the last... Malware Tool ★★★
Blog.webp 2022-12-07 01:18:35 'Resume.xll' File Being Distributed in Korea (LockBit 2.0) (lien direct) In mid-2022, the ASEC analysis team shared that malware with the XLL file format (file extension: .xll) was being distributed via email. The XLL file has a DLL form of a PE (Portable Executable) file but is executed with Microsoft Excel. Since then, this type of malware had not been distributed actively, but for the first time in a long while, we found that it was being distributed with the filename 'Resume.xll'. Post from May 20th, 2022: XLL Malware Distributed... Malware ★★★
The_Hackers_News.webp 2022-12-06 18:08:00 Darknet's Largest Mobile Malware Marketplace Threatens Users Worldwide (lien direct) Cybersecurity researchers have shed light on a darknet marketplace called InTheBox that's designed to specifically cater to mobile malware operators. The actor behind the criminal storefront, believed to be available since at least January 2020, has been offering over 400 custom web injects grouped by geography that can be purchased by other adversaries looking to mount attacks of their own. " Malware ★★★
Anomali.webp 2022-12-06 17:09:00 Anomali Cyber Watch: Infected Websites Show Different Headers Depending on Search Engine Fingerprinting, 10 Android Platform Certificates Abused in the Wild, Phishing Group Impersonated Major UAE Oil (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, In-memory evasion, Infostealers, North Korea, Phishing, Ransomware, Search engine optimization, and Signed malware. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Chinese Gambling Spam Targets World Cup Keywords (published: December 2, 2022) Since 2018, a large-scale website infection campaign was affecting up to over 100,000 sites at a given moment. Infected websites, mostly oriented at audiences in China, were modified with additional scripts. Compromised websites were made to redirect users to Chinese gambling sites. Title and Meta tags on the compromised websites were changed to display keywords that the attackers had chosen to abuse search engine optimization (SEO). At the same time, additional scripts were switching the page titles back to the original if the visitor fingerprinting did not show a Chinese search engine from a preset list (such as Baidu). Analyst Comment: Website owners should keep their systems updated, use unique strong passwords and introduce MFA for all privileged or internet facing resources, and employ server-side scanning to detect unauthorized malicious content. Implement secure storage for website backups. 
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 Tags: SEO hack, HTML entities, Black hat SEO, Fraudulent redirects, Visitor fingerprinting, Gambling, Sports betting, World Cup, China, target-country:CN, JavaScript, Baidu, baiduspider, Sogou, 360spider, Yisou Leaked Android Platform Certificates Create Risks for Users (published: December 2, 2022) On November 30, 2022, Google reported 10 different Android platform certificates that were seen actively abused in the wild to sign malware. Rapid7 researchers found that the reported signed samples are adware, so it is possible that these platform certificates may have been widely available. It is not shared how these platform certificates could have been leaked. Analyst Comment: Malware signed with a platform certificate can enjoy privileged execution with system permissions, including permissions to access user data. Developers should minimize the number of applications requiring a platform certificate signature. Tags: Android, Google, Platform certificates, Signed malware, malware-type:Adware Blowing Cobalt Strike Out of the Water With Memory Analysis (published: December 2, 2022) The Cobalt Strike attack framework remains difficult to detect as it works mostly in memory and doesn’t touch the disk much after the initial loader stage. Palo Alto researchers analyzed three types of Cobalt Strike loaders: KoboldLoader which loads an SMB beacon, MagnetLoader loading an HTTPS beacon, and LithiumLoader loading a stager beacon. These beacon samples do not execute in normal sandbox environments and utilize in-me Spam Malware Tool Threat Medical APT 38 ★★★
CS.webp 2022-12-06 16:41:01 ChatGPT shows promise of using AI to write malware (direct link) Large language models pose a major cybersecurity risk, both from the vulnerabilities they risk introducing and the malware they could produce. Malware ChatGPT ★★★★
News.webp 2022-12-06 15:30:10 Want to detect Cobalt Strike on the network? Look to process memory (direct link) Security analysts have tools to spot the hard-to-find threat, Unit 42 says. Enterprise security pros can detect malware samples in environments that incorporate the highly evasive Cobalt Strike attack code by analyzing artifacts in process memory, according to researchers with Palo Alto Networks' Unit 42 threat intelligence unit. Malware Threat ★★★
Chercheur.webp 2022-12-06 12:04:33 CryWiper Data Wiper Targeting Russian Sites (direct link) Kaspersky is reporting on a data wiper masquerading as ransomware that is targeting local Russian government networks. The Trojan corrupts any data that’s not vital for the functioning of the operating system. It doesn’t affect files with extensions .exe, .dll, .lnk, .sys or .msi, and ignores several system folders in the C:\Windows directory. The malware focuses on databases, archives, and user documents. So far, our experts have seen only pinpoint attacks on targets in the Russian Federation. However, as usual, no one can guarantee that the same code won’t be used against other targets... Ransomware Malware ★★★
The_Hackers_News.webp 2022-12-06 11:41:00 Open Source Ransomware Toolkit Cryptonite Turns Into Accidental Wiper Malware (direct link) A version of an open source ransomware toolkit called Cryptonite has been observed in the wild with wiper capabilities due to its "weak architecture and programming." Cryptonite, unlike other ransomware strains, is not available for sale on the cybercriminal underground, and was instead offered for free by an actor named CYBERDEVILZ until recently through a GitHub repository. The source code and Ransomware Malware ★★★
Nozomi.webp 2022-12-06 09:26:19 Technical Analysis of the Winbox Payload in WindiGo (direct link) WindiGo is malware that exploits CVE-2018-14847 to gain access to MikroTik routers, and it has been used in several campaigns by multiple actors. This blog provides a technical analysis of WindiGo as well as Indicators of Compromise (IoCs) you can use to detect WindiGo in your network. Malware ★★★
CSO.webp 2022-12-06 08:28:00 Flaws in MegaRAC baseband management firmware impact many server brands (direct link) Researchers have found three vulnerabilities in AMI MegaRAC, a baseboard management controller (BMC) firmware used by multiple server manufacturers. If exploited, the flaws could allow attackers to remotely control servers, deploy malware and firmware implants, or trigger damaging actions that leave them inoperable. BMCs are microcontrollers present on server motherboards that have their own firmware, dedicated memory, power, and network ports and are used for out-of-band management of servers when their main operating systems are shut down. They are essentially small independent computers running inside bigger computers that allow administrators to remotely perform a variety of maintenance and diagnostic tasks, including reinstalling operating systems, restarting servers when they're unresponsive, deploying firmware updates and more. Malware ★★★
CVE.webp 2022-12-06 00:15:10 CVE-2022-4173 (direct link) A vulnerability within the malware removal functionality of Avast and AVG Antivirus allowed an attacker with write access to the filesystem to escalate their privileges in certain scenarios. The issue was fixed with Avast and AVG Antivirus version 22.10. Malware Vulnerability
News.webp 2022-12-05 22:30:13 Google warns stolen Android keys used to sign info-stealing malware (direct link) OEMs including Samsung, LG and Mediatek named and shamed. Compromised Android platform certificate keys from device makers including Samsung, LG and Mediatek are being used to sign malware and deploy spyware, among other software nasties. Malware ★★★
Last update at: 2024-07-08 03:07:45