What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
ProofPoint.webp 2022-03-10 16:18:03 Mobile Malware That Can Spy On Users, Steal Credentials and Intercept Calls Is Up 500% (direct link) No details Malware
securityintelligence.webp 2022-03-10 14:00:00 Starting at Home: Cybersecurity in the Hybrid Workplace (direct link) As people settle into the late stages of the pandemic, the hybrid workplace is not going anywhere. Therefore, the enterprise must address the increasing number of entry points into the network as more employees work remotely. In 2021, 61% of malware directed at organizations targeted remote employees via cloud apps. Since the onset of the pandemic, […] Malware
Kaspersky.webp 2022-03-10 13:00:32 Qakbot Botnet Sprouts Fangs, Injects Malware into Email Threads (direct link) The ever-shifting, ever-more-powerful malware is now hijacking email threads to download malicious DLLs that inject password-stealing code into webpages, among other foul things. Malware
The_Hackers_News.webp 2022-03-10 07:12:52 Iranian Hackers Targeting Turkey and Arabian Peninsula in New Malware Campaign (direct link) The Iranian state-sponsored threat actor known as MuddyWater has been attributed to a new swarm of attacks targeting Turkey and the Arabian Peninsula with the goal of deploying remote access trojans (RATs) on compromised systems. "The MuddyWater supergroup is highly motivated and can use unauthorized access to conduct espionage, intellectual property theft, and deploy ransomware and destructive Ransomware Malware Threat
The_Hackers_News.webp 2022-03-10 00:01:20 Ukrainian Hacker Linked to REvil Ransomware Attacks Extradited to United States (direct link) Yaroslav Vasinskyi, a Ukrainian national linked to the Russia-based REvil ransomware group, has been extradited to the U.S. to face charges for his role in carrying out the file-encrypting malware attacks against several companies, including Kaseya last July. The 22-year-old had been previously arrested in Poland in October 2021, prompting the U.S. Justice Department (DoJ) to file charges of Ransomware Malware ★★
InfoSecurityMag.webp 2022-03-09 17:00:00 Romanian Extradited to US to Face Cybercrime Charge (direct link) Defendant accused of selling stolen credit card data obtained using malware Malware
2022-03-09 11:46:39 Threat advisory: Cybercriminals compromise users with malware disguised as pro-Ukraine cyber tools (direct link) Executive summary Opportunistic cybercriminals are attempting to exploit Ukrainian sympathizers by offering malware purporting to be offensive cyber tools to target Russian entities. Once downloaded, these files infect unwitting users rather than delivering the tools originally advertised. In one... Malware
Anomali.webp 2022-03-08 18:54:00 Anomali Cyber Watch: Daxin Hides by Hijacking TCP Connections, Belarus Targets Ukraine and Poland, Paying a Ransom is Not a Guarantee, and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Belarus, China, Data breach, Data leak, Oil and gas, Phishing, Russia, and Ukraine. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the attached IOCs and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Samsung Confirms Galaxy Source Code Breach but Says no Customer Information was Stolen (published: March 7, 2022) South American threat actor group Lapsus$ posted snapshots and claimed it had stolen 190GB of confidential data, including source code, from the South Korean tech company Samsung. On March 7, 2022, Samsung confirmed that the company recently suffered a cyberattack, but said that it doesn't anticipate any impact on its business or customers. Earlier, in February 2022, Lapsus$ had stolen 1TB of data from GPU giant Nvidia and tried to negotiate with the company. Analyst Comment: Companies should implement cybersecurity best practices to guard their source code and other proprietary data. Special attention should be paid to workers working from home and the security of contractors who have access to such data. Tags: Lapsus$, South Korea, South America, Data breach Beware of Malware Offering “Warm Greetings From Saudi Aramco” (published: March 5, 2022) Malwarebytes researchers discovered a new phishing campaign impersonating Saudi Aramco and targeting oil and gas companies. The attached PDF file contained an embedded Excel object which would download a remote template that exploits CVE-2017-11882 to download and execute the FormBook information stealer.
Analyst Comment: Organizations should train their users to recognize and report phishing emails. To mitigate this FormBook campaign, users should not handle emails coming from outside of the organization while being logged on with administrative user rights. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Template Injection - T1221 Tags: FormBook, CVE-2017-11882, Oil And Gas, Middle East, Saudi Aramco, Excel, Phishing, Remote template Paying a Ransom Doesn’t Put an End to the Extortion (published: March 2, 2022) Venafi researchers conducted a survey regarding recent ransomware attacks and discovered that 83% of successful ransomware attacks include additional extortion methods, including: threatening to extort customers (38%), stolen data exposure (35%), and informing customers that their data has been stolen (32%). 35% of those who paid the ransom were still unable to recover their data, and 18% of victims had their data exposed despite the fact that they paid the ransom. Analyst Comment: This survey shows that ransomware payments are not as reliable in preventing further damages to the victimized organization as previously thought. Educate employees on t Ransomware Malware Tool Threat
SecureWork.webp 2022-03-08 04:00:00 Excel Add-ins Deliver JSSLoader Malware (direct link) The GOLD NIAGARA threat group has expanded its tactics for delivering the JSSLoader RAT, spoofing legitimate Microsoft Excel add-ins to infect systems. Learn how CTU researchers observed multiple malicious Microsoft Excel add-ins delivering JSSLoader malware. Malware Threat
TechRepublic.webp 2022-03-08 00:40:20 Nvidia's breach might help cybercriminals run malware campaigns (direct link) A recent cyberattack has compromised a large amount of Nvidia's data, including a pair of digital-signing certificates. Here's what's at stake and how to react. Malware
Kaspersky.webp 2022-03-07 17:46:39 Nvidia's Stolen Code-Signing Certs Used to Sign Malware (direct link) Nvidia certificates are being used to sign malware, enabling malicious programs to pose as legitimate and slide past security safeguards on Windows machines. Malware
SecurityAffairs.webp 2022-03-07 15:46:40 SharkBot, the new generation banking Trojan distributed via Play Store (direct link) SharkBot banking malware was able to evade Google Play Store security checks by masquerading as an antivirus app. SharkBot is a banking trojan that has been active since October 2021; it allows its operators to steal banking account credentials and bypass multi-factor authentication mechanisms. The malware was spotted at the end of October by researchers from cyber security firms […] Malware
Fortinet.webp 2022-03-07 14:34:22 RuRAT Malware Used in Spear-phishing Attacks Against US media Organizations (direct link) FortiGuard Labs is aware of a report that RuRAT malware was distributed in the recent spear-phishing attack against media organizations in the United States. While the tactic used in this attack is not sophisticated, the installed RuRAT malware provides the attacker a foothold into the victim's network where confidential information will be collected for further activities. Why is this Significant? This is significant because media organizations in the United States are reported to have been targeted in the spear-phishing attack. The RuRAT payload provides the attacker an opportunity to collect confidential information from the compromised machine and perform lateral movement in the victim's network. Not connected in any way to this attack, TV broadcasters in South Korea were affected by a wiper malware served through a malicious backdoor program in 2013, in which their operations were significantly disrupted. How does the Attack Work? According to the report by Cluster25, the victims received an email with a link. The email has the following content: "Hello, we are a group of venture capitalists investing in promising projects. We saw your website and were astounded by your product. We want to discuss the opportunity to invest or buy a part of the share in your project. Please get in touch with us by phone or in Vuxner chat. Your agent is Philip Bennett. His username in Vuxner is philipbennett Make sure you contact us ASAP because we are not usually so generous with our offers. Thank you in advance!" Upon clicking the link, the victim is redirected to a Web page where the victim is instructed to click a link to download and install software called Vuxner chat. The downloaded file is an installer for Vuxner Trillian, not Vuxner chat.
After the victim completes the installation and exits the installer, another remote file, which turns out to be an installer for RuRAT, is downloaded and installed onto the victim's machine. What is RuRAT? RuRAT, the first report of which goes back to at least October 2020, is a Remote Access Trojan (RAT) that provides an attacker remote access to the compromised machine. Functionalities of RuRAT include: listening for incoming communications, taking screenshots, keylogging, and recording audio. What is the Status of Coverage? FortiGuard Labs provides the following AV coverage for files involved in this attack: W32/IndigoRose.AP!tr.dldr, W32/RemoteUtilities.W!tr, W32/Agent.9EE5!tr. All network IOCs are blocked by the WebFiltering client. Malware
SecurityWeek.webp 2022-03-07 12:20:18 Google Fights Phishing With Updated Workspace Notifications (direct link) Google has made some changes to Google Workspace comment notifications in an effort to protect users against malware and phishing attacks. Previously, email notifications that were automatically sent to a user when someone mentioned them in a comment in a Google Workspace document only included the comment and the commenter's name. Malware
CrowdStrike.webp 2022-03-07 09:55:04 The Easy Solution for Stopping Modern Attacks (direct link) Modern cyberattacks are multifaceted, leveraging different tools and techniques and targeting multiple entry points. As noted in the CrowdStrike 2022 Global Threat Report, 62% of modern attacks do not use traditional malware and 80% of attacks use identity-based techniques, meaning that attacks target not only endpoints, but also cloud and identity layers with techniques that […] Malware Threat
CVE.webp 2022-03-07 09:15:09 CVE-2022-0429 (direct link) The WP Cerber Security, Anti-spam & Malware Scan WordPress plugin before 8.9.6 does not sanitise the $url variable before using it in an attribute in the Activity tab in the plugin's dashboard, leading to an unauthenticated stored Cross-Site Scripting vulnerability. Malware Guideline
01net.webp 2022-03-07 05:36:39 A Trojan has been discovered on the Play Store... in an antivirus app (direct link) The SharkBot malware in the Antivirus Super Cleaner app can steal your banking credentials and make money transfers on your behalf. Malware
The_Hackers_News.webp 2022-03-06 23:36:25 SharkBot Banking Malware Spreading via Fake Android Antivirus App on Google Play Store (direct link) The threat actor behind a nascent Android banking trojan named SharkBot has managed to evade Google Play Store security barriers by masquerading as an antivirus app. SharkBot, like its malware counterparts TeaBot, FluBot, and Oscorp (UBEL), belongs to a category of financial trojans capable of siphoning credentials to initiate money transfers from compromised devices by circumventing Malware Threat
SecurityAffairs.webp 2022-03-06 13:20:00 Security Affairs newsletter Round 356 (direct link) A new round of the weekly Security Affairs newsletter has arrived! Every week, the best security articles from Security Affairs, free in your inbox. If you also want to receive the free newsletter covering the international press, subscribe here. Charities and NGOs providing support in Ukraine hit by malware Lapsus$ gang leaks data […] Malware
SecurityAffairs.webp 2022-03-06 10:48:53 Charities and NGOs providing support in Ukraine hit by malware (direct link) Malware-based attacks are targeting charities and non-governmental organizations (NGOs) providing support in Ukraine. Charities and non-governmental organizations (NGOs) that in these weeks are providing support in Ukraine are targeted by malware attacks aiming to disrupt their operations. The news was reported by Amazon, which associates the attacks with state-sponsored hackers and confirmed that it […] Malware
securityintelligence.webp 2022-03-04 20:57:27 New Wiper Malware Used Against Ukrainian Organizations (direct link) On February 24, 2022, ESET reported another destructive wiper detected at a Ukrainian government organization, dubbed IsaacWiper. This is the third sample of malware IBM Security X-Force has analyzed which has been reportedly targeting systems belonging to Ukrainian organizations. IBM Security X-Force obtained a sample of the IsaacWiper ransomware and has provided the following […] Ransomware Malware
ESET.webp 2022-03-03 10:30:15 ESET Research Podcast: Ukraine's past and present cyberwar (direct link) Press play to hear Aryeh Goretsky, Jean-Ian Boutin and Robert Lipovsky discuss how recent malware attacks in Ukraine tie into years of cyberattacks against the country Malware
Anomali.webp 2022-03-03 05:00:00 Why are Organizations Suffering from a Lack of Threat Intelligence Information? (direct link) Welcome to this week's blog, where I'll dive deeper into the Top 10 Cybersecurity Challenges enterprise organizations face, as found in our recently released Cybersecurity Insights Report 2022: The State of Cyber Resilience. Coming in at number nine on our “Top 10 List of the Challenges Cybersecurity Professionals Face” is the Lack of threat intelligence information. I gotta admit, when I first saw this on the list, I was scratching my head, as I'm sure any cybersecurity professional might be. But as I sat back and thought about it, it made more sense. There's no shortage of threat intelligence data out there, whether it's from open source or third-party feeds. In fact, I assumed most organizations were suffering from information overload as they're inundated with data. What they may lack is RELEVANT intelligence information specific to them. What do I mean? Well, we're all suffering from information overload. When I go to ESPN, I don't want to see all of the scores, I want to see the scores I care about. I want immediate access to my teams so I can be angry about them. (NY Giants and New Jersey Devils, I'm looking at you.) ESPN enables me to pick and choose my favorites so that I can make my experience relevant to me. This is similar to what organizations need to do. When security teams log into their dashboard, they don't want to be hit with all the threats. They want to see the potential threats most relevant to them so they can take quick action. And they want threat intelligence to be operational so that it can be made actionable to inform security teams. So, what needs to be done? First, let's define Threat Intelligence. Threat Intelligence (TI) is the collection of raw data about threats and vulnerabilities that is then transformed into actionable intelligence.
Effective threat intelligence programs help organizations detect and respond to cyberattacks before they cause harm. Organizations that fail to invest in TI as part of their security programs risk being blindsided by new threats or vulnerable to existing ones. Intelligence vs Information vs Data One of the reasons organizations might be struggling is that there might be some confusion between data, information, and intelligence, especially if they're managing threat intelligence manually. Let's start by trying to outline the differences. The main differences between data, information, and intelligence come in two forms: volume and usability. Data is a collection of individual facts, statistics, or items of information, usually available in large quantities; it describes specific and indisputable facts. There is a subtle difference between data and information. Data are the facts or details from which information is derived. Individual pieces of data are rarely useful alone. For data to become information, data needs to be put into context. Information is created when a series of data is combined to answer a simple, straightforward question. Let's use hockey goalies as an example. An individual goalie’s save percentage is one piece of data. Let’s say you’ve used six goalies this year, each with varied save percentages. The average save percentage for the entire team can be derived from the given data. Note that although this output is more useful than the raw data, the GM still might not know exactly what to do with it. Intelligence takes this process one step further by interrogating data to t Malware Threat
TechRepublic.webp 2022-03-02 19:56:27 Daxin: A Chinese-linked malware that is dangerous and nearly impossible to detect (direct link) Symantec said that the newly-discovered Daxin exhibits a previously unseen level of complexity, and it's been targeting governments around the world for some time. Malware
itsecurityguru.webp 2022-03-02 11:41:42 Cyberattacks in Ukraine could reach other countries (direct link) While the majority of cyberattacks in Ukraine are planned and highly targeted, there are signs that things are set to change. A new Trojan dubbed “FoxBlade” was discovered by Microsoft researchers on Ukrainian government systems that would allow attackers to use infected PCs in DDoS attacks. Experts are concerned that malware operators will try to infect […] Malware
itsecurityguru.webp 2022-03-02 11:25:45 TeaBot malware resurfaces on Google Play Store (direct link) TeaBot malware has been spotted on the Google Play Store posing as a QR code app, already spreading to more than 10,000 devices. Its distributors used this trick in January, and while Google ousted those entries the malware has found its way back onto the Android repository. Cleafy, an online fraud management and prevention company, […] Malware
The_Hackers_News.webp 2022-03-01 22:20:17 TeaBot Android Banking Malware Spreads Again Through Google Play Store Apps (direct link) An Android banking trojan designed to steal credentials and SMS messages has been observed sneaking past Google Play Store protections to target users of more than 400 banking and financial apps from Russia, China, and the U.S. "TeaBot RAT capabilities are achieved via the device screen's live streaming (requested on-demand) plus the abuse of Accessibility Services for remote interaction and Malware
ArsTechnica.webp 2022-03-01 19:24:09 Microsoft identifies and mitigates new malware targeting Ukraine “within 3 hours” (direct link) Company is also removing and deprioritizing info from Russian state media. Malware
knowbe4.webp 2022-03-01 19:07:44 (Déjà vu) CyberheistNews Vol 12 #09 [Heads Up] The Ukraine War Started A New Wiper Malware Spillover Risk (direct link) CyberheistNews Vol 12 #09 | Mar. 1st, 2022. The war in Ukraine increases the risk of wiper malware spilling over. I'm sure you remember NotPetya, which caused billions of dollars of downtime damage. The WSJ reports that Symantec observed wiper malware was put in motion just hours before Russian tanks arrived in Ukraine. Malware NotPetya
Kaspersky.webp 2022-03-01 17:55:46 Daxin Espionage Backdoor Ups the Ante on Chinese Malware (direct link) Via node-hopping, the espionage tool can reach computers that aren't even connected to the internet. Malware Tool
Anomali.webp 2022-03-01 16:01:00 Anomali Cyber Watch: Information-Stealing and Wiping Campaigns Target Ukraine, Electron Bot Is After Social Media Accounts, Attackers Poison Application and Library Repositories, and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Iran, Russia, Spearphishing, Ukraine, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot (published: February 25, 2022) Researchers at Unit 42 identified an attack targeting an energy organization in Ukraine. Ukrainian CERT has attributed this attack to a threat group they track as UAC-0056. The targeted attack involved a spear phishing email sent to organization employees containing a malicious JavaScript file that would download and install a downloader known as SaintBot and a document stealer called OutSteel. Actors leverage Discord’s content delivery network (CDN) to host their payload. The goal of this attack was data collection on government organizations and companies involved with critical infrastructure. Analyst Comment: Administrators can block traffic to discordapp[.]com if their organization doesn’t have a current legitimate use of Discord. Implement attack surface reduction rules for Microsoft Office. Train users to recognize, safely process, and report potential spearphishing emails.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Modify Registry - T1112 Tags: Russia, Ukraine, OutSteal, SaintBot, UAC-0056, TA471, Lorec53, SaintBear, Ukraine-Russia Conflict 2022, Operation Bleeding Bear Disruptive HermeticWiper Attacks Targeting Ukrainian Organizations (published: February 25, 2022) Researchers at Secureworks have identified and investigated reports of Ukrainian government and financial organizations being impacted by distributed denial of service and wiper attacks. Between 15 and 23 February there was intermittent loss of access to a large number of government websites belonging to the Ukrainian Ministry of Foreign Affairs, Ministry of Defense, Security Service, Ministry of Internal Affairs, and Cabinet of Ministers, as well as to PrivatBank and Oschadbank. Along with this, the threat actors also targeted some government and financial organizations in Ukraine to deploy a novel wiper dubbed ‘HermeticWiper’ which abuses a legitimate & signed EaseUS partition management driver. In other attacks targeting Ukraine, researchers also observed 13 Ukrainian government websites defaced and Tor forums listing data for Ukrainian citizens being available for sale. Analyst Comment: Organizations exposed to the war between Russia and Ukraine should be on high alert regarding the ongoing cyberattacks. Implement a defense-in-depth approach including patch management, anti-phishing training, disaster recovery plans, and backing up your information and systems. MITRE ATT&CK: [MITRE ATT&CK] Data Destruction - T1485 | Ransomware Malware Tool Vulnerability Threat ★★★★
SecurityWeek.webp 2022-03-01 15:35:11 Cyberattacks in Ukraine: New Worm-Spreading Data-Wiper With Ransomware Smokescreen (direct link) Cybersecurity researchers tracking destructive data-wiping malware attacks in Ukraine are finding signs of new malware with worm-spreading capabilities and what appears to be a rudimentary ransomware decoy. Ransomware Malware
TechRepublic.webp 2022-03-01 15:00:06 Destructive “HermeticWiper” malware strikes Ukraine (direct link) A new type of malware attack is hitting Ukraine, and it renders the victim's machine useless. Malware
SecurityWeek.webp 2022-03-01 14:30:26 Three Ways to Defeat Ransomware (direct link) Ransomware is very difficult to stop, mostly because the attackers are adept at locking up a network long before anybody in an organization even sees a ransom note. In many attacks, the malware combines an encryption payload with automated propagation. Ransomware Malware
ComputerWeekly.webp 2022-03-01 10:00:00 ESET details new IsaacWiper malware used on Ukraine (direct link) No details Malware ★★★★
The_Hackers_News.webp 2022-03-01 08:46:53 Second New 'IsaacWiper' Data Wiper Targets Ukraine After Russian Invasion (direct link) A new data wiper malware has been observed deployed against an unnamed Ukrainian government network, a day after destructive cyber attacks struck multiple entities in the country preceding the start of Russia's military invasion. Slovak cybersecurity firm ESET dubbed the new malware "IsaacWiper," which it said was detected on February 24 in an organization that was not affected by HermeticWiper Malware
The_Hackers_News.webp 2022-03-01 06:03:02 Conti Ransomware Gang's Internal Chats Leaked Online After Siding With Russia (direct link) Days after the Conti ransomware group broadcasted a pro-Russian message pledging its allegiance to Vladimir Putin's ongoing invasion of Ukraine, a disgruntled member of the cartel has leaked the syndicate's internal chats. The file dump, published by malware research group VX-Underground, is said to contain 13 months of chat logs between affiliates and administrators of the Russia-affiliated Ransomware Malware
The_Hackers_News.webp 2022-03-01 05:22:15 Trickbot Malware Gang Upgrades its AnchorDNS Backdoor to AnchorMail (direct link) Even as the TrickBot infrastructure closed shop, the operators of the malware are continuing to refine and retool their arsenal to carry out attacks that culminated in the deployment of Conti ransomware. IBM Security X-Force, which discovered the revamped version of the criminal gang's AnchorDNS backdoor, dubbed the new, upgraded variant AnchorMail. AnchorMail "uses an email-based [ Malware
SecurityWeek.webp 2022-03-01 02:49:28 A Free-for-All But No Crippling Cyberattacks in Ukraine War (direct link) Russia has some of the best hackers in the world, but in the early days of the war in Ukraine, its ability to create mayhem through malware hasn't had much of a noticeable impact. Malware
The_Hackers_News.webp 2022-03-01 01:18:08 Microsoft Finds FoxBlade Malware Hit Ukraine Hours Before Russian Invasion (direct link) Microsoft on Monday disclosed that it detected a new round of offensive and destructive cyberattacks directed against Ukraine's digital infrastructure hours before Russia launched its first missile strikes last week. The intrusions involved the use of a never-before-seen malware package dubbed FoxBlade, according to the tech giant's Threat Intelligence Center (MSTIC), noting that it added new Malware Threat
SecurityAffairs.webp 2022-03-01 00:12:28 FoxBlade malware targeted Ukrainian networks hours before Russia's invasion (direct link) Microsoft revealed that Ukrainian entities were targeted with a previously undetected malware, dubbed FoxBlade, several hours before the invasion. The Microsoft Threat Intelligence Center (MSTIC) continues to investigate the attacks that are targeting Ukrainian networks and discovered that entities in Ukraine were targeted with a previously undetected malware, dubbed FoxBlade, several hours before Russia’s invasion. […] Malware Threat
The_Hackers_News.webp 2022-03-01 00:01:03 China-linked Daxin Malware Targeted Multiple Governments in Espionage Attacks (direct link) A previously undocumented espionage tool has been deployed against selected governments and other critical infrastructure targets as part of a long-running espionage campaign orchestrated by China-linked threat actors since at least 2013. Broadcom's Symantec Threat Hunter team characterized the backdoor, named Daxin, as a technologically advanced malware, allowing the attackers to carry out a Malware Tool Threat
SecurityWeek.webp 2022-02-28 21:51:06 Microsoft: Cyberattacks in Ukraine Hitting Civilian Digital Targets (direct link) Microsoft is calling attention to a surge in cyber attacks on Ukrainian civilian digital targets, warning that the new “digital war” includes destructive malware attacks on emergency response services and humanitarian aid efforts. The Redmond, Wash. software giant said the attacks on civilian targets raise serious concerns under the Geneva Convention. Malware
SecurityWeek.webp 2022-02-28 16:52:01 Symantec: Super-Stealthy 'Daxin' Backdoor Linked to Chinese Threat Actor (direct link) Threat hunters at Symantec are calling global attention to a new, highly sophisticated piece of malware being used by a Chinese threat actor to burrow into -- and hijack data from -- government and critical infrastructure targets. Malware Threat
SecurityWeek.webp 2022-02-28 16:06:59 CISA, FBI Issue Warnings on WhisperGate, HermeticWiper Attacks (direct link) The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released indicators of compromise to help threat hunters look for signs of WhisperGate and HermeticWiper, two destructive malware files seen in recent attacks against organizations in Ukraine. Malware Threat
Mandiant.webp 2022-02-28 15:00:00 Ready, Set, Go - Golang Internals and Symbol Recovery (direct link) Golang (Go) is a compiled language introduced by Google in 2009. The language, runtime, and tooling have evolved significantly since then. In recent years, Go features such as easy-to-use cross-compilation, self-contained executables, and excellent tooling have provided malware authors with a powerful new language to design cross-platform malware. Unfortunately for reverse engineers, the tooling to separate malware author code from Go runtime code has fallen behind. Today, Mandiant is releasing a tool named GoReSym to parse Go symbol information and other embedded metadata. This blog post Malware Tool ★★★★
The_Hackers_News.webp 2022-02-28 03:10:56 Reborn of Emotet: New Features of the Botnet and How to Detect it (lien direct) One of the most dangerous and infamous threats is back again. In January 2021, global officials took down the botnet. Law enforcement sent a destructive update to the Emotet's executables. And it looked like the end of the trojan's story.  But the malware never ceased to surprise.  November 2021, it was reported that TrickBot no longer works alone and delivers Emotet. And ANY.RUN with colleagues Malware
The_Hackers_News.webp 2022-02-27 22:52:31 Iranian Hackers Using New Spying Malware That Abuses Telegram Messenger API (lien direct) An Iranian geopolitical nexus threat actor has been uncovered deploying two new targeted malware that come with "simple" backdoor functionalities as part of an intrusion against an unnamed Middle East government entity in November 2021. Cybersecurity company Mandiant attributed the attack to an uncategorized cluster it's tracking under the moniker UNC3313, which it assesses with "moderate Malware Threat
Fortinet.webp 2022-02-27 22:30:37 Previously Unseen Backdoor Bvp47 Potentially Victimized Global Targets (lien direct) FortiGuard Labs is aware of a report by Pangu Lab that a new Linux backdoor, reportedly belonging to the Equation group, was used to potentially compromise more than 200 organizations across over 40 countries. The Equation group is regarded as one of the most highly skilled threat actors, and some speculate that it has close connections with the National Security Agency (NSA). The threat actor is also reported to have been tied to the Stuxnet malware used in the 2010 cyber attack on a nuclear centrifuge facility in Iran. Why is this Significant? Bvp47 is a previously undiscovered backdoor that was reportedly used in cyber attacks carried out by the Equation group. According to the report and the information in the documents presumably leaked from the Equation group, over 200 organizations spread across more than 40 countries may have been infected with Bvp47. The Bvp47 sample called out in the report was first submitted to VirusTotal in late 2013, which indicates that Bvp47 was in use and undiscovered for close to a decade. How was the Connection between the Bvp47 Malware and the Equation Group Established? Pangu Lab concluded that Bvp47 belongs to the Equation group because one of the folders in the documents leaked by the Shadow Brokers in 2017 contained an RSA private key that Bvp47 requires for command execution and other operations. Who are the Shadow Brokers? The Shadow Brokers is a threat actor who claimed in 2016 to have stolen highly classified information from the Equation group, including zero-day exploits, operation manuals and descriptions of tools used by the group. The Shadow Brokers first attempted to sell the information to the highest bidder; after the auction attempt failed and no one purchased it, they released the information to the public. One of the most famous exploits included in the leaked documents is EternalBlue. Within a few weeks of the leak, EternalBlue was incorporated into the WannaCry ransomware, which caused global panic in 2017. What are the Characteristics of Bvp47? Bvp47 is a Linux backdoor that performs actions upon receiving commands from Command and Control (C2) servers. Because the Bvp47 framework incorporates components such as "dewdrops" and "solutionchar_agents" that appear in the Shadow Brokers leaks, the backdoor targets mainstream Linux distributions, FreeBSD, Solaris and JunOS. Bvp47 also runs various environment checks; if its requirements are not met, the malware deletes itself. What is the Status of Coverage? FortiGuard Labs provides the following AV coverage against Bvp47: ELF/Agent.16DC!tr Ransomware Malware Threat Wannacry
SecurityAffairs.webp 2022-02-26 18:44:00 Fileless SockDetour backdoor targets U.S.-based defense contractors (lien direct) Researchers provided details about a stealthy custom malware dubbed SockDetour that targeted U.S.-based defense contractors. Cybersecurity researchers from Palo Alto Networks’ Unit 42 have analyzed a previously undocumented and custom backdoor tracked as SockDetour that targeted U.S.-based defense contractors. According to the experts, the SockDetour backdoor has been in the wild since at least July 2019. Unit 42 attributes […] Malware
Last update at: 2024-07-18 13:08:15