What's new around the internet


Src Date (GMT) Title Description Tags Stories Notes
TechRepublic 2022-05-09 17:17:36 Kaspersky uncovers fileless malware inside Windows event logs (direct link) The cybersecurity company says this is the first time they have seen this type of malware hiding method. Malware ★★★★
Minerva 2022-05-09 14:40:29 (Déjà vu) Malware evasion techniques - Obfuscated Files and Information (direct link) Obfuscation is one of the many techniques used by malware to evade static analysis methods and traditional anti-malware solutions which rely on hashes and strings for malware detection and analysis. This post is part of our series on malware evasion techniques. Feel free to read the other posts in this series which discussed Living off the Land, Sandbox Evasion, and detecting security and forensic tools. Malware
SecurityAffairs 2022-05-09 12:17:11 CERT-UA warns of malspam attacks distributing the Jester info stealer (direct link) The Computer Emergency Response Team of Ukraine (CERT-UA) warns of attacks spreading info-stealing malware Jester Stealer. The Computer Emergency Response Team of Ukraine (CERT-UA) has detected malspam campaigns aimed at spreading an info-stealer called Jester Stealer. The malicious messages spotted by the Ukrainian CERT have the subject line “chemical attack” and contain a link to a […] Malware ★★★
The_Hackers_News 2022-05-09 05:27:01 Experts Sound Alarm on DCRat Backdoor Being Sold on Russian Hacking Forums (direct link) Cybersecurity researchers have shed light on an actively maintained remote access trojan called DCRat (aka DarkCrystal RAT) that's offered on sale for "dirt cheap" prices, making it accessible to professional cybercriminal groups and novice actors alike. "Unlike the well-funded, massive Russian threat groups crafting custom malware [...], this remote access Trojan (RAT) appears to be the work of Malware Threat ★★★★
The_Hackers_News 2022-05-09 03:38:34 Another Set of Joker Trojan-Laced Android Apps Resurfaces on Google Play Store (direct link) A new set of trojanized apps spread via the Google Play Store has been observed distributing the notorious Joker malware on compromised Android devices. Joker, a repeat offender, refers to a class of harmful apps that are used for billing and SMS fraud, while also performing a number of actions of a malicious hacker's choice, such as stealing text messages, contact lists, and device information. Malware
01net 2022-05-09 02:51:00 This computer worm spreads the old-fashioned way, via a USB drive (direct link) Hidden in a Windows shortcut file, the "Raspberry Robin" malware contacts infected NAS servers to take control of the system. But many questions remain unanswered. Malware ★★★★
The_Hackers_News 2022-05-09 01:55:28 Ukrainian CERT Warns Citizens of a New Wave of Attacks Distributing Jester Malware (direct link) The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of phishing attacks that deploy an information-stealing malware called Jester Stealer on compromised systems. The mass email campaign carries the subject line "chemical attack" and contains a link to a macro-enabled Microsoft Excel file, opening which leads to computers getting infected with Jester Stealer. The attack, which Malware Guideline
SecurityAffairs 2022-05-08 08:15:14 Security Affairs newsletter Round 364 by Pierluigi Paganini (direct link) A new round of the weekly Security Affairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box. If you want to also receive for free the newsletter with the international press subscribe here. Raspberry Robin spreads via removable USB devices Malware campaign hides a shellcode into Windows […] Malware
SecurityAffairs 2022-05-07 13:24:57 Malware campaign hides a shellcode into Windows event logs (direct link) Experts spotted a malware campaign that is the first one using a technique of hiding a shellcode into Windows event logs. In February 2022 researchers from Kaspersky spotted a malicious campaign using a novel technique that consists of hiding the shellcode in Windows event logs. The technique allows hiding a fileless Trojan; the experts also […] Malware ★★★★
CVE 2022-05-07 04:15:09 CVE-2022-30330 (direct link) In the KeepKey firmware before 7.3.2, the bootloader can be exploited in unusual situations in which the attacker has physical access, convinces the victim to install malicious firmware, or knows the victim's seed phrase. lib/board/supervise.c mishandles svhandler_flash_* address range checks. If exploited, any installed malware could persist even after wiping the device and resetting the firmware. Malware
The_Hackers_News 2022-05-06 21:03:52 This New Fileless Malware Hides Shellcode in Windows Event Logs (direct link) A new malicious campaign has been spotted taking advantage of Windows event logs to stash chunks of shellcode for the first time in the wild. "It allows the 'fileless' last stage trojan to be hidden from plain sight in the file system," Kaspersky researcher Denis Legezo said in a technical write-up published this week. The stealthy infection process, not attributed to a known actor, is believed Malware ★★★★
DarkReading 2022-05-06 19:25:51 Scammer Infects His Own Machine With Spyware, Reveals True Identity (direct link) An operational slip-up led security researchers to an attacker associated with Nigerian letter scams and malware distribution, after he infected himself with Agent Tesla. Malware
SecurityAffairs 2022-05-06 13:28:06 NetDooka framework distributed via a pay-per-install (PPI) malware service (direct link) Researchers discovered a sophisticated malware framework, dubbed NetDooka, distributed via a pay-per-install (PPI) malware service known as PrivateLoader. Trend Micro researchers uncovered a sophisticated malware framework dubbed NetDooka that is distributed via a pay-per-install (PPI) service known as PrivateLoader and includes multiple components, including a loader, a dropper, a protection driver, and a full-featured remote […] Malware ★★★★
securityintelligence 2022-05-06 13:00:00 The Growing Danger of Data Exfiltration by Third-Party Web Scripts (direct link) The theft of personal or sensitive data is one of the biggest threats to online business. This danger, data exfiltration or data extrusion, comes from a wide variety of attack vectors. These include physical theft of devices, insider attacks within a corporate network and phishing, malware or third-party scripts. The risk for regular website users […] Malware ★★★★
Kaspersky 2022-05-06 11:10:22 USB-based Wormable Malware Targets Windows Installer (direct link) Activity dubbed 'Raspberry Robin' uses Microsoft Standard Installer and other legitimate processes to communicate with threat actors and execute nefarious commands. Malware Threat ★★★★
SecurityAffairs 2022-05-06 10:02:23 Vulnerable Docker Installations Are A Playhouse for Malware Attacks (direct link) Uptycs researchers identified ongoing malicious campaigns through our Docker honeypot targeting exposed Docker API. The Uptycs Threat Research team has identified ongoing malicious campaigns through our Docker honeypot targeting exposed Docker API port 2375. The attacks are related to crypto miners and reverse shells on the vulnerable servers using base64-encoded commands in the cmdline, built […] Malware Threat
SANS 2022-05-06 07:20:39 What is the simplest malware in the world?, (Fri, May 6th) (direct link) During a malware analysis class I taught recently, one of the students asked me what was “the simplest malware in the world”. Of course, the answer to this question would depend heavily on one’s definitions of ‘simplest’ and ‘malware’, as well as on a target hardware architecture and its operating system (and potentially additional software and other factors), but I thought that it was conceptually interesting enough to devote today's diary to. Malware
CrowdStrike 2022-05-06 06:43:27 macOS Malware Is More Reality Than Myth: Popular Threats and Challenges in Analysis (direct link) Ransomware (43% of analyzed threat data), backdoors (35%) and trojans (17%) were the most popular macOS malware categories spotted by CrowdStrike researchers in 2021. OSX.EvilQuest (ransomware), OSX.FlashBack (backdoor) and OSX.Lador (trojan) were the most prevalent threats in their respective categories. To strengthen customer protection, CrowdStrike researchers continuously build better automated detection capabilities by analyzing and […] Ransomware Malware Threat ★★★
The_Hackers_News 2022-05-06 04:07:04 Researchers Warn of 'Raspberry Robin' Malware Spreading via External Drives (direct link) Cybersecurity researchers have discovered a new Windows malware with worm-like capabilities that is propagated by means of removable USB devices. Attributing the malware to a cluster named "Raspberry Robin," Red Canary researchers noted that the worm "leverages Windows Installer to reach out to QNAP-associated domains and download a malicious DLL." The earliest signs of the activity are said to Malware ★★★★
The_Hackers_News 2022-05-06 02:26:10 Hackers Using PrivateLoader PPI Service to Distribute New NetDooka Malware (direct link) A pay-per-install (PPI) malware service known as PrivateLoader has been spotted distributing a "fairly sophisticated" framework called NetDooka, granting attackers complete control over the infected devices. "The framework is distributed via a pay-per-install (PPI) service and contains multiple parts, including a loader, a dropper, a protection driver, and a full-featured remote access trojan ( Malware
The_Hackers_News 2022-05-06 00:17:17 Experts Uncover New Espionage Attacks by Chinese 'Mustang Panda' Hackers (direct link) The China-based threat actor known as Mustang Panda has been observed refining and retooling its tactics and malware to strike entities located in Asia, the European Union, Russia, and the U.S. "Mustang Panda is a highly motivated APT group relying primarily on the use of topical lures and social engineering to trick victims into infecting themselves," Cisco Talos said in a new report detailing Malware Threat
2022-05-05 05:01:44 Mustang Panda deploys a new wave of malware targeting Europe (direct link) By Jung soo An, Asheer Malhotra and Justin Thattil, with contributions from Aliza Berk and Kendall McKay. In February 2022, corresponding roughly with the start of the Russian invasion of Ukraine, Cisco Talos began observing the China-based threat actor Mustang Panda conducting phishing campaigns... Malware Threat
Trend 2022-05-05 00:00:00 NetDooka Framework Distributed via PrivateLoader Malware as Part of Pay-Per-Install Service (direct link) This report focuses on the components and infection chain of the NetDooka framework. Its scope ranges from the release of the first payload up until the release of the final RAT that is protected by a kernel driver. Malware
SecurityWeek 2022-05-04 19:25:46 Kaspersky Warns of Fileless Malware Hidden in Windows Event Logs (direct link) Threat hunters at Kaspersky are publicly documenting a malicious campaign that abuses Windows event logs to store fileless last stage Trojans and keep them hidden in the file system. Malware
SecurityWeek 2022-05-04 19:16:02 Google Sees More APTs Using Ukraine War-Related Themes (direct link) Researchers at Google's Threat Analysis Group (TAG) say the number of advanced threat actors using Ukraine war-related themes in cyberattacks went up in April with a surge in malware attacks targeting critical infrastructure. Malware Threat
Kaspersky 2022-05-04 13:24:00 Attackers Use Event Logs to Hide Fileless Malware (direct link) A sophisticated campaign utilizes a novel anti-detection method. Malware
ESET 2022-05-04 13:00:29 3 most dangerous types of Android malware (direct link) Here's what you should know about some of the nastiest mobile malware – from malicious software that takes phones and data hostage to RATs that allow hackers to control devices remotely. Malware
SecurityWeek 2022-05-04 11:20:20 Chinese Hackers Abuse Cybersecurity Products for Malware Execution (direct link) Researchers at cybersecurity firm SentinelOne have observed a Chinese hacking group taking a trial-and-error approach to abusing antivirus applications for the sideloading of malicious DLLs. Malware
Chercheur 2022-05-04 11:15:24 New Sophisticated Malware (direct link) Mandiant is reporting on a new botnet. The group, which security firm Mandiant is calling UNC3524, has spent the past 18 months burrowing into victims’ networks with unusual stealth. In cases where the group is ejected, it wastes no time reinfecting the victim environment and picking up where things left off. There are many keys to its stealth, including: The use of a unique backdoor Mandiant calls Quietexit, which runs on load balancers, wireless access point controllers, and other types of IoT devices that don’t support antivirus or endpoint detection. This makes detection through traditional means difficult. ... Malware
SecurityWeek 2022-05-04 10:37:29 Vulnerabilities Allow Hijacking of Most Ransomware to Prevent File Encryption (direct link) A researcher has shown how a type of vulnerability affecting many ransomware families can be exploited to control the malware and terminate it before it can encrypt files on compromised systems. Ransomware Malware Vulnerability
SecureList 2022-05-04 10:00:59 A new secret stash for “fileless” malware (direct link) We observed the technique of putting the shellcode into Windows event logs for the first time “in the wild” during the malicious campaign. It allows the “fileless” last stage Trojan to be hidden from plain sight in the file system. Malware
SecurityAffairs 2022-05-04 09:58:57 An expert shows how to stop popular ransomware samples via DLL hijacking (direct link) A security researcher discovered that samples of Conti, REvil, LockBit ransomware were vulnerable to DLL hijacking. The security researcher John Page (aka hyp3rlinx) discovered that malware from multiple ransomware operations, including Conti, REvil, LockBit, AvosLocker, and Black Basta, is affected by flaws that could be exploited to block file encryption. Page shared his findings through his […] Ransomware Malware
Cybereason 2022-05-04 04:02:00 Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation (direct link) Cybersecurity often focuses on malware campaigns or the latest zero-day exploit. Surveys and reports reveal the average cost of a data breach or how much it typically costs to recover from a ransomware attack. Those are the attacks that make noise and capture attention, though. The attacks that fly under the radar are often more insidious and much more costly. Ransomware Data Breach Malware
Cybereason 2022-05-04 04:00:00 Operation CuckooBees: A Winnti Malware Arsenal Deep-Dive (direct link) In part one of this research, the Cybereason Nocturnus Incident Response Team provided a unique glimpse into the Winnti intrusion playbook, covering the techniques that were used by the group from initial compromise to stealing the data, as observed and analyzed by the Cybereason Incident Response team. Malware APT 41
The_Hackers_News 2022-05-04 01:34:17 Ukraine War Themed Files Become the Lure of Choice for a Wide Range of Hackers (direct link) A growing number of threat actors are using the ongoing Russo-Ukrainian war as a lure in various phishing and malware campaigns, even as critical infrastructure entities continue to be heavily targeted. "Government-backed actors from China, Iran, North Korea and Russia, as well as various unattributed groups, have used various Ukraine war-related themes in an effort to get targets to open Malware Threat
mcafee 2022-05-04 00:01:57 Instagram Credentials Stealer: Disguised as Mod App (direct link) Authored by Dexter Shin. McAfee's Mobile Research Team introduced a new Android malware targeting Instagram users who want to increase... Malware
Anomali 2022-05-03 16:31:00 Anomali Cyber Watch: Time-to-Ransom Under Four Hours, Mustang Panda Spies on Russia, Ricochet Chollima Sends Goldbackdoor to Journalists, and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Cyberespionage, LNK files, Malspam, North Korea, Phishing, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence A Lookback Under the TA410 Umbrella: Its Cyberespionage TTPs and Activity (published: April 28, 2022) ESET researchers found three different teams under China-sponsored umbrella cyberespionage group TA410, which is loosely linked to Stone Panda (APT10, Chinese Ministry of State Security). ESET named these teams FlowingFrog, JollyFrog, and LookingFrog. FlowingFrog uses the Royal Road RTF weaponizer described by Anomali in 2019. Infection has two stages: the Tendyron implant followed by a very complex FlowCloud backdoor. JollyFrog uses generic malware such as PlugX and QuasarRAT. LookingFrog’s infection stages feature the X4 backdoor followed by the LookBack backdoor. Besides using different backdoors and exiting from IP addresses located in three different districts, the three teams use similar tools and similar tactics, techniques, and procedures (TTPs). Analyst Comment: Organizations should keep their web-facing applications such as Microsoft Exchange or SharePoint secured and updated. Educate your employees on handling suspected spearphishing attempts. Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Native API - T1106 | [MITRE ATT&CK] Shared Modules - T1129 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Inter-Process Communication - T1559 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Create or Modify System Process - T1543 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Rootkit - T1014 | [MITRE ATT&CK] Process Injection - T1055 | Ransomware Malware Tool Vulnerability Threat Guideline Cloud APT 37 APT 10
InfoSecurityMag 2022-05-03 15:45:00 NortonLifeLock Willfully Infringed Malware Patents (direct link) Jury finds cybersecurity company violated Columbia University's rights over two patents. Malware ★★★★
Minerva 2022-05-03 15:37:31 A new BluStealer Loader Uses Direct Syscalls to Evade EDRs (direct link) BluStealer malware was first detected in May 2021 by James_inthe_box. Back then, it was delivered through a phishing mail, either as an attachment or a Discord link leading to the malware download URL. According to Avast's 2021 analysis, it “consists of a core written in Visual Basic and the C# .NET inner payload(s). The VB core reuses a large amount of code from a 2004 SpyEx project. Its capabilities to steal crypto wallet data, swap crypto addresses present in the clipboard, find and upload document files, exfiltrate data through SMTP and the Telegram Bot API, as well as anti-analysis/anti-VM tactics” Malware Guideline
SecurityAffairs 2022-05-03 10:56:27 China-linked Moshen Dragon abuses security software to sideload malware (direct link) A China-linked APT group, tracked as Moshen Dragon, is exploiting antivirus products to target the telecom sector in Asia. A China-linked APT group, tracked as Moshen Dragon, has been observed targeting the telecommunication sector in Central Asia with ShadowPad and PlugX malware, SentinelOne warns. Both PlugX and ShadowPad malware are very common among China-linked cyberespionage […] Malware
SecurityWeek 2022-05-03 10:08:45 Russian Cyberspies Target Diplomats With New Malware (direct link) Russian cyberespionage group APT29 has been observed using new malware and techniques in phishing campaigns targeting diplomatic organizations in Europe, the Americas, and Asia, Mandiant reports. Malware APT 29
itsecurityguru 2022-05-03 09:33:45 Cyber-espionage group targets Asian telecoms (direct link) Researchers at Sentinel Labs have identified a new cluster of malicious cyber activity tracked as Moshen Dragon, with its efforts aimed at telecommunication service providers in Central Asia. The new threat group does have overlaps with “RedFoxtrot” and “Nomad Panda,” notably including the use of ShadowPad and PlugX malware variants, but their activities differentiate enough to […] Malware Threat
CVE 2022-05-03 04:15:09 CVE-2022-20748 (direct link) A vulnerability in the local malware analysis process of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on the affected device. This vulnerability is due to insufficient error handling in the local malware analysis process of an affected device. An attacker could exploit this vulnerability by sending a crafted file through the device. A successful exploit could allow the attacker to cause the local malware analysis process to crash, which could result in a DoS condition. Notes: Manual intervention may be required to recover from this situation. Malware cloud lookup and dynamic analysis will not be impacted. Malware Vulnerability Threat
The_Hackers_News 2022-05-02 22:32:30 Chinese Hackers Caught Exploiting Popular Antivirus Products to Target Telecom Sector (direct link) A Chinese-aligned cyberespionage group has been observed striking the telecommunication sector in Central Asia with versions of malware such as ShadowPad and PlugX. Cybersecurity firm SentinelOne tied the intrusions to an actor it tracks under the name "Moshen Dragon," with tactical overlaps between the collective and another threat group referred to as Nomad Panda (aka RedFoxtrot). "PlugX and Malware Threat
SecurityWeek 2022-05-02 10:05:30 New 'Bumblebee' Malware Loader Used by Several Cybercrime Groups (direct link) Cybersecurity companies have analyzed “Bumblebee,” a relatively new custom malware downloader that appears to have been used by several cybercrime groups. Malware
ProofPoint 2022-04-29 15:17:45 Bumblebee malware emerges as replacement to Conti gang's BazalLoader (direct link) No further details. Malware ★★
InfoSecurityMag 2022-04-29 08:30:00 Bumblebee Malware Loader Has a Sting in the Tail (direct link) Researchers warn that malware appears to have replaced BazarLoader. Malware
Dragos 2022-04-28 21:04:33 Responding to CHERNOVITE's PIPEDREAM with Dragos Global Services (direct link) PIPEDREAM is the seventh known ICS-specific malware. Developed by the Threat Group that Dragos has designated CHERNOVITE, PIPEDREAM malware can... Malware Threat
SecurityWeek 2022-04-28 16:40:59 Microsoft Warns of 'Nimbuspwn' Security Flaws Haunting Linux (direct link) Vulnerability researchers at Microsoft are documenting the discovery of a pair of Linux privilege escalation flaws that could be chained together to plant dangerous malware or backdoors. Malware
CVE 2022-04-28 16:15:08 CVE-2022-1514 (direct link) Stored XSS via upload plugin functionality in zip format in GitHub repository neorazorx/facturascripts prior to 2022.06. Cross-site scripting attacks can have devastating consequences. Code injected into a vulnerable application can exfiltrate data or install malware on the user's machine. Attackers can masquerade as authorized users via session cookies, allowing them to perform any action allowed by the user account. Malware
Last update at: 2024-07-18 11:07:26