What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
CS.webp 2023-02-22 17:58:07 The Energy Department's Puesh Kumar on grid hacking, Ukraine and Pipedream malware (direct link) Puesh Kumar, director of the Office of Cybersecurity, Energy Security, and Emergency Response, discusses how the DOE fends off hackers. Malware ★★
bleepingcomputer.webp 2023-02-22 16:58:19 Hackers use fake ChatGPT apps to push Windows, Android malware (direct link) Threat actors are actively exploiting the popularity of OpenAI's ChatGPT AI tool to distribute Windows malware, infect Android devices with spyware, or direct unsuspecting victims to phishing pages. [...] Malware Tool Threat ChatGPT ★★★
globalsecuritymag.webp 2023-02-22 16:25:56 A new malware steals social-media credentials by posing as a ChatGPT application (direct link) A new malware steals social-media credentials by posing as a ChatGPT application - Malwares Malware ChatGPT ★★★
bleepingcomputer.webp 2023-02-22 12:27:52 New S1deload Stealer malware hijacks Youtube, Facebook accounts (direct link) An ongoing malware campaign targets YouTube and Facebook users, infecting their computers with a new information stealer that will hijack their social media accounts and use their devices to mine for cryptocurrency. [...] Malware ★★
WiredThreatLevel.webp 2023-02-22 12:00:00 Ukraine Suffered More Wiper Malware in 2022 Than Anywhere, Ever (direct link) As Russia has accelerated its cyberattacks on its neighbor, it's barraged the country with an unprecedented volume of different data-destroying programs. Malware ★★★
Blog.webp 2023-02-22 07:19:07 (Déjà vu) ASEC Weekly Malware Statistics (February 13th, 2023 – February 19th, 2023) (direct link) The AhnLab Security response Center (ASEC) analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from February 13th, 2023 (Monday) to February 19th, 2023 (Sunday). For the main category, backdoor ranked top with 50.8%, followed by downloader with 41.0%, Infostealer with 7.3%, ransomware with 0.8%, and CoinMiner with 0.2%. Top 1 – RedLine RedLine ranked first place with 49.4%. The malware steals various information such as... Ransomware Malware ★★
The_Hackers_News.webp 2023-02-21 16:05:00 Researchers Discover Dozens of Samples of Information Stealer 'Stealc' in the Wild (direct link) A new information stealer called Stealc that's being advertised on the dark web could emerge as a worthy competitor to other malware of its ilk. "The threat actor presents Stealc as a fully featured and ready-to-use stealer, whose development relied on Vidar, Raccoon, Mars, and RedLine stealers," SEKOIA said in a Monday report. The French cybersecurity company said it discovered more than 40 Malware Threat ★★★
Blog.webp 2023-02-21 07:31:13 GUEST ESSAY: Too many SMBs continue to pay ransomware crooks - exacerbating the problem (direct link) Well-placed malware can cause crippling losses – especially for small and mid-sized businesses. Related: Threat detection for SMBs improves Not only do cyberattacks cost SMBs money, but the damage to a brand's reputation can also hurt growth and trigger the … (more…) Ransomware Malware ★★
Blog.webp 2023-02-21 01:00:00 HWP Malware Using the Steganography Technique: RedEyes (ScarCruft) (direct link) In January, the ASEC (AhnLab Security Emergency response Center) analysis team discovered that the RedEyes threat group (also known as APT37, ScarCruft) had been distributing malware by exploiting the HWP EPS (Encapsulated PostScript) vulnerability (CVE-2017-8291). This report will share the RedEyes group's latest activity in Korea. 1. Overview The RedEyes group is known for targeting specific individuals and not corporations, stealing not only personal PC information but also the mobile phone data of their targets. A distinct characteristic of the... Malware Vulnerability Threat Cloud APT 37 ★★★
Fortinet.webp 2023-02-20 23:26:00 More Supply Chain Attacks via New Malicious Python Packages in PyPi (direct link) Read how the FortiGuard Labs team discovered another 0-day attack in the PyPI packages (Python Package Index) by the malware authors 'Portgual' and 'Brazil'. Malware ★★★
InfoSecurityMag.webp 2023-02-20 17:00:00 GoDaddy Announces Source Code Stolen and Malware Installed in Breach (direct link) An unauthorized party caused the intermittent redirection of customer websites Malware
The_Hackers_News.webp 2023-02-20 16:32:00 How to Detect New Threats via Suspicious Activities (direct link) Unknown malware presents a significant cybersecurity threat and can cause serious damage to organizations and individuals alike. When left undetected, malicious code can gain access to confidential information, corrupt data, and allow attackers to gain control of systems. Find out how to avoid these circumstances and detect unknown malicious behavior efficiently. Challenges of new threats' Malware Threat ★★★
bleepingcomputer.webp 2023-02-20 16:27:42 New Stealc malware emerges with a wide set of stealing capabilities (direct link) A new information stealer called Stealc has emerged on the dark web gaining traction due to aggressive promotion of stealing capabilities and similarities with malware of the same kind like Vidar, Raccoon, Mars, and Redline. [...] Malware ★★
InfoSecurityMag.webp 2023-02-20 16:00:00 Frebniis Malware Exploits Microsoft IIS Feature (direct link) The malware was used by a previously unknown threat actor against targets in Taiwan Malware Threat ★★
The_Hackers_News.webp 2023-02-20 15:41:00 North Korean Cyber Espionage Group Deploys WhiskerSpy Backdoor in Latest Attacks (direct link) The cyber espionage threat actor tracked as Earth Kitsune has been observed deploying a new backdoor called WhiskerSpy as part of a social engineering campaign. Earth Kitsune, active since at least 2019, is known to primarily target individuals interested in North Korea with self-developed malware such as dneSpy and agfSpy. Previously documented intrusions have entailed the use of watering holes Malware Threat ★★
The_Hackers_News.webp 2023-02-20 11:20:00 Samsung Introduces New Feature to Protect Users from Zero-Click Malware Attacks (direct link) Samsung has announced a new feature called Message Guard that comes with safeguards to protect users from malware and spyware via what's referred to as zero-click attacks. The South Korean chaebol said the solution "preemptively" secures users' devices by "limiting exposure to invisible threats disguised as image attachments." The security feature, available on Samsung Messages and Google Malware ★★
no_ico.webp 2023-02-19 15:41:52 GoDaddy: Hackers Grabbed Source Code And Inserted Malware (direct link) GoDaddy, a major provider of web hosting services, claims that a multi-year attack on its cPanel shared hosting environment resulted in a breach where unidentified attackers took source code and put malware on its servers. Even though the attackers had access to the company's network for a while, GoDaddy didn't become aware of the security […] Malware ★★★★
The_Hackers_News.webp 2023-02-18 14:51:00 GoDaddy Discloses Multi-Year Security Breach Causing Malware Installations and Source Code Theft (direct link) Web hosting services provider GoDaddy on Friday disclosed a multi-year security breach that enabled unknown threat actors to install malware and siphon source code related to some of its services. The company attributed the campaign to a "sophisticated and organized group targeting hosting services." GoDaddy said in December 2022, it received an unspecified number of customer complaints about Malware Threat ★★★★
bleepingcomputer.webp 2023-02-18 10:14:24 New WhiskerSpy malware delivered via trojanized codec installer (direct link) Security researchers have discovered a new backdoor called WhiskerSpy used in a campaign from a relatively new advanced threat actor tracked as Earth Kitsune, known for targeting individuals showing an interest in North Korea. [...] Malware Threat ★★★
News.webp 2023-02-18 03:02:00 Malware Arsenal used by Ember Bear (aka UAC-0056, Saint Bear, UNC2589, Lorec53, TA471, Nodaria, Nascent Ursa, LorecBear, Bleeding Bear, and DEV-0586) in attacks targeting Ukraine (samples) (direct link) 2023-02-18 Ember Bear (aka UAC-0056, Saint Bear, UNC2589, Lorec53, TA471, Nodaria, Nascent Ursa, LorecBear, Bleeding Bear, and DEV-0586) is an Advanced Persistent Threat (APT) group believed to be based in Russia. Their primary targets have been diplomatic and government entities in Europe, particularly Ukraine, and the United States. They have also targeted various industries, including defense, energy, and technology. Download the full collection. Email me if you need the password (see in my profile) (209 MB; 218 samples listed in the hash tables below). The malware arsenal collected here includes: Elephant framework (GrimPlant (Backdoor) and GraphSteel (Stealer)); Graphiron Backdoor; OutSteel (LorecDocStealer); BabaDeda; Cobalt Strike (Beacon); SaintBot Downloader; WhisperGate Wiper. APT Group Description. APT Group aliases: UAC-0056 (UA CERT); Ember Bear (Crowdstrike); Saint Bear (F-Secure); UNC2589 (Fireeye, IBM); Lorec53 (NSFOCUS); TA471 (Proofpoint); Nodaria (Symantec); Nascent Ursa (Palo Alto); LorecBear; Bleeding Bear (Elastic); DEV-0586 (Microsoft). The group is a suspected Russian state-sponsored cyber espionage group that has been active since at least March 2021. The group primarily targets Ukraine and Georgia, but has also targeted Western European and North American foreign ministries, pharmaceutical companies, and financial sector organizations. The group is known for using various malicious implants such as GrimPlant, GraphSteel, and CobaltStrike Beacon, as well as spear phishing attacks with macro-embedded Excel documents. In January 2022, the group performed a destructive wiper attack on multiple Ukrainian government computers and websites, known as WhisperGate. The Lorec53 group is a new type of APT group fi Ransomware Malware Hack Tool Vulnerability Threat Medical ★★
The_Hackers_News.webp 2023-02-17 21:21:00 Experts Warn of RambleOn Android Malware Targeting South Korean Journalists (direct link) Suspected North Korean nation-state actors targeted a journalist in South Korea with a malware-laced Android app as part of a social engineering campaign. The findings come from South Korea-based non-profit Interlab, which coined the new malware RambleOn. The malicious functionalities include the "ability to read and leak target's contact list, SMS, voice call content, location and others from Malware ★★
SecurityWeek.webp 2023-02-17 14:20:13 'Frebniis' Malware Hijacks Microsoft IIS Function to Deploy Backdoor (direct link) The Frebniis malware abuses a Microsoft IIS feature to deploy a backdoor and monitor all HTTP traffic to the system. Malware ★★
ESET.webp 2023-02-17 13:00:54 Search ads abused to spread malware – Week in security with Tony Anscombe (direct link) Threat actors used search engine ads to impersonate makers of popular software and direct internet users to malicious websites Malware ★★
bleepingcomputer.webp 2023-02-17 12:27:16 GoDaddy: Hackers stole source code, installed malware in multi-year breach (direct link) Web hosting giant GoDaddy says it suffered a breach where unknown attackers have stolen source code and installed malware on its servers after breaching its cPanel shared hosting environment in a multi-year attack. [...] Malware ★★★
News.webp 2023-02-17 10:30:08 Cry Havoc and let slip dogs of war ... there's an upgraded malware server in town (direct link) ThreatLabz finds free alternative to Cobalt Strike and other tools used in the wild. There's a fresh open-source command-and-control (C2) framework on the loose, dubbed Havoc, as an alternative to the popular Cobalt Strike, and other mostly legitimate tools, that have been abused to spread malware.… Malware ★★
globalsecuritymag.webp 2023-02-17 10:29:56 ESET Research discovers a Trojan hidden in two fake applications that are very popular in Southeast and East Asia (direct link) ESET Research discovers a Trojan hidden in two fake applications that are very popular in Southeast and East Asia ● ESET researchers have discovered a malware campaign targeting Chinese-speaking users in Southeast and East Asia. ● The attackers purchased advertisements to place their malicious websites in the sponsored section of Google search results. ESET reported these ads to Google, which promptly removed them. ● The websites and the installers downloaded from them are mostly in Chinese and, in some cases, wrongly offer Chinese-language versions of software that is not available in China. ● We observed that the victims were located mainly in Southeast and East Asia, which suggests that the ads targeted that region. ● The malware delivered by this campaign is FatalRAT, a remote access trojan that provides a set of features for carrying out various malicious operations on the victim's computer. - Malwares Malware ★★
RecordedFuture.webp 2023-02-16 21:54:11 Hackers target Chinese language speakers with FatalRAT malware (direct link) Chinese-speaking users are being targeted with FatalRAT malware, spread via fake websites of popular apps, new research has found. First discovered in August 2021, FatalRat malware can capture keystrokes, change a victim's screen resolution, download and execute files, and steal or delete data stored in browsers. So far, the researchers from cybersecurity company ESET have […] Malware ★★★
RecordedFuture.webp 2023-02-16 20:35:07 Espionage malware targeted telecoms in Middle East using Microsoft, Google, Dropbox tools (direct link) An espionage campaign targeting telecommunications providers across the Middle East hid its activities through a range of popular tools from Microsoft, Google and Dropbox, according to a report released Thursday. Researchers at cybersecurity company SentinelOne named the campaign "WIP26" - work in progress - because they were unable to attribute it to any actor or […] Malware ★★★★
TechRepublic.webp 2023-02-16 20:20:34 Security warning: Beep malware can evade detection (direct link) Find out how Beep malware can evade your security system, what it can do and how to protect your business. Malware ★★★
The_Hackers_News.webp 2023-02-16 19:12:00 Hackers Using Google Ads to Spread FatalRAT Malware Disguised as Popular Apps (direct link) Chinese-speaking individuals in Southeast and East Asia are the targets of a new rogue Google Ads campaign that delivers remote access trojans such as FatalRAT to compromised machines. The attacks involve purchasing ad slots to appear in Google search results that direct users searching for popular applications to rogue websites hosting trojanized installers, ESET said in a report published Malware ★★
TechRepublic.webp 2023-02-16 18:07:49 Cryptocurrency users in the US hit by ransomware and Clipper malware (direct link) Learn how to protect your business and staff from the MortalKombat ransomware and Laplas Clipper malware. Ransomware Malware ★★
securityintelligence.webp 2023-02-16 18:00:00 Detecting the Undetected: The Risk to Your Info (direct link) IBM's Advanced Threat Detection and Response Team (ATDR) has seen an increase in the malware family known as information stealers in the wild over the past year. Info stealers are malware with the capability of scanning for and exfiltrating data and credentials from your device. When executed, they begin scanning for and copying various directories […] Malware Threat ★★★
RecordedFuture.webp 2023-02-16 17:57:40 New Mirai botnet variant has been very busy, researchers say (direct link) Researchers have discovered a new variant of the infamous Mirai malware that compromises smart devices and adds them to a botnet. Called V3G4, the variant exploits 13 known vulnerabilities, according to research by Palo Alto Networks' Unit 42. Mirai typically allows for full control of devices, adding them to its network of remotely controlled bots […] Malware ★★
bleepingcomputer.webp 2023-02-16 17:12:12 New Mirai malware variant infects Linux devices to build DDoS botnet (direct link) A new Mirai botnet variant tracked as 'V3G4' targets 13 vulnerabilities in Linux-based servers and IoT devices to use in DDoS (distributed denial of service) attacks. [...] Malware ★★★
bleepingcomputer.webp 2023-02-16 16:03:35 Microsoft Exchange ProxyShell flaws exploited in new crypto-mining attack (direct link) A new malware dubbed 'ProxyShellMiner' exploits the Microsoft Exchange ProxyShell vulnerabilities to deploy cryptocurrency miners throughout a Windows domain to generate profit for the attackers. [...] Malware ★★★
securityintelligence.webp 2023-02-16 14:00:00 What are the Duties of a Malware Analyst? (direct link) Malware breaches begin in many ways. Recently, multiple fake antivirus apps in the Google Play Store were infected with malware. Earlier this year, malware deployed through satellites shut down modems in Ukraine. Destructive malware attacks have an average lifecycle of 324 days (233 days to identify and 91 days to contain), compared to the global […] Malware ★★
SecurityWeek.webp 2023-02-16 13:56:56 Mirai Variant V3G4 Targets 13 Vulnerabilities to Infect IoT Devices (direct link) A recent variant of the Mirai malware has been observed targeting 13 IoT vulnerabilities to ensnare devices into a botnet. Malware ★★★
bleepingcomputer.webp 2023-02-16 11:38:40 Hackers backdoor Microsoft IIS servers with new Frebniis malware (direct link) Hackers are deploying a new malware named 'Frebniis' on Microsoft's Internet Information Services (IIS) that stealthily executes commands sent via web requests. [...] Malware ★★
Checkpoint.webp 2023-02-16 10:57:13 Check Point Research uncovers a malicious campaign targeting Armenian based targets (direct link) Highlights: Amid rising tensions between Azerbaijan and Armenia, Check Point Research identified a malicious campaign against entities in Armenia; the malware used in the campaign aims to remotely control compromised machines and carry out surveillance operations; CPR analysis shows clear indication of these attackers targeting corporate environments of Armenian targets. Rising tension between Azerbaijan and Armenia… Malware ★★
Checkpoint.webp 2023-02-16 10:56:45 Operation Silent Watch: Desktop Surveillance in Azerbaijan and Armenia (direct link) Executive summary: Amid rising tensions between Azerbaijan and Armenia over the Lachin corridor in late 2022, Check Point Research identified a malicious campaign against entities in Armenia. The malware distributed in this campaign is a new version of a backdoor we track as OxtaRAT, an AutoIt-based tool for remote access and desktop surveillance. Key findings: […] Malware Tool ★★
InfoSecurityMag.webp 2023-02-16 10:00:00 Experts Warn of Surge in Multipurpose Malware (direct link) The average malware variant now utilizes 11 TTPs Malware ★★
Blog.webp 2023-02-16 07:31:05 (Déjà vu) ASEC Weekly Malware Statistics (February 6th, 2023 – February 12th, 2023) (direct link) The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from February 6th, 2023 (Monday) to February 12th, 2023 (Sunday). For the main category, downloader ranked top with 54.7%, followed by backdoor with 27.7%, Infostealer with 12.8%, ransomware with 4.6%, and CoinMiner with 0.1%. Top 1 – Amadey This week, Amadey Bot ranked first place with 43.9%. Amadey is a downloader that can receive commands... Ransomware Malware ★★
Watchguard.webp 2023-02-16 00:00:00 WatchGuard launches a new range of firewalls to improve unified security for remote and multi-site businesses (direct link) Paris, 16 February 2023 - WatchGuard® Technologies, a global leader in unified cybersecurity, announces the release of its new Firebox T25/T25-W, T45/T45-POE/T45-W-POE and T85-POE tabletop firewalls. Powered by WatchGuard's Unified Security Platform® architecture to deliver comprehensive security and simplified management through WatchGuard Cloud, these new firewalls are designed to deliver the performance that remote and multi-site business environments need to better protect themselves against the latest network security threats. With more memory and faster processing speeds for higher throughput, this new range of Firebox appliances lets WatchGuard partners, MSPs and IT administrators secure branch offices, office equipment, remote devices, point-of-sale software and remote users against complex and emerging threats, while keeping network configuration and management requirements to a minimum. "IT environments of all types and sizes face advanced and sophisticated cyber threats, but SMBs and branch offices generally lack dedicated expertise to configure, install and manage network security solutions," explains Ryan Poutre, Product Manager at WatchGuard Technologies. "This new generation of Firebox takes full advantage of our unified security platform architecture. MSPs can therefore offer the robust solutions and simplified management they need to serve a wide range of customers and deployment scenarios." With security services such as APTBlocker (sandbox malware detection) and ThreatSync (sharing of knowledge between the endpoint and the network), the new Fireboxes are ideal for small businesses that do not have a dedicated security team. In addition to offering advanced protection against malware in multi-site environments, the new solutions integrate SD-WAN features that optimise network performance by dynamically distributing network traffic across several connections according to defined policies. These new Fireboxes take advantage of the latest WatchGuard Cloud updates to display the status of SD-WAN links and any failover graphically and in real time. They also support the latest Fireware features for load sharing across multiple links. These capabilities are included in all WatchGuard service packages. "WatchGuard's portable Firebox appliances give us all the features and security protection of rack-mounted appliances, and make us more efficient with Zero Touch provisioning to deploy and configure devices, update firmware and apply policies after a remote user has activated a device. We can quickly deploy and configure SD-WAN through WatchGuard Cloud from remote sites," explains Troy Midwood, Chief Technology Officer at Aabyss. "These appliances are another example of WatchGuard's focus on building excellent products that support our MSP business." Key features of each of the new Firebox appliances: WatchGuard Firebox T25/T25-W: fourn Malware Tool Threat Cloud ★★
The_Hackers_News.webp 2023-02-15 20:29:00 North Korea's APT37 Targeting Southern Counterpart with New M2RAT Malware (direct link) The North Korea-linked threat actor tracked as APT37 has been linked to a piece of new malware dubbed M2RAT in attacks targeting its southern counterpart, suggesting continued evolution of the group's features and tactics. APT37, also tracked under the monikers Reaper, RedEyes, Ricochet Chollima, and ScarCruft, is linked to North Korea's Ministry of State Security (MSS) unlike the Lazarus and Malware Threat Cloud APT 38 APT 37 ★★
The_Hackers_News.webp 2023-02-15 19:03:00 Financially Motivated Threat Actor Strikes with New Ransomware and Clipper Malware (direct link) A new financially motivated campaign that commenced in December 2022 has seen the unidentified threat actor behind it deploying a novel ransomware strain dubbed MortalKombat and a clipper malware known as Laplas. Cisco Talos said it "observed the actor scanning the internet for victim machines with an exposed remote desktop protocol (RDP) port 3389." The attacks, per the cybersecurity company, Ransomware Malware Threat ★★★
no_ico.webp 2023-02-15 17:25:14 Beep: New Evasive Malware That Can Escape Under The Radar (direct link) Beep was discovered last week, a brand-new stealthy virus with several capabilities to avoid analysis and detection by security tools. After a flurry of samples were posted to VirusTotal, an internet portal for file scanning and harmful content identification, Minerva analysts became aware of the infection. Even though Beep is still under development and […] Malware ★★
Pirate.webp 2023-02-15 16:36:32 The hidden dangers of business email: how to avoid cyberattacks? (direct link) The indispensable tool for any company is its business email. It is a primary means of communication and collaboration. However, cyberattacks take advantage of this channel to undermine the security of these business mailboxes if they are not protected. Many companies suffer phishing, ransomware and malware attacks through their […] The post The hidden dangers of business email: how to avoid cyberattacks? first appeared on UnderNews. Malware ★★★
The_Hackers_News.webp 2023-02-15 14:55:00 Experts Warn of 'Beep' - A New Evasive Malware That Can Fly Under the Radar (direct link) Cybersecurity researchers have unearthed a new piece of evasive malware dubbed Beep that's designed to fly under the radar and drop additional payloads onto a compromised host. "It seemed as if the authors of this malware were trying to implement as many anti-debugging and anti-VM (anti-sandbox) techniques as they could find," Minerva Labs researcher Natalie Zargarov said. "One such technique Malware ★★
no_ico.webp 2023-02-15 14:31:19 MortalKombat Ransomware Infects Computer, Steals Crypto From Users (direct link) Organizations in the Philippines, Turkey, and the United Kingdom have recently been affected by MortalKombat, a new ransomware that cybersecurity experts are pointing out. Using MortalKombat and a brand-new piece of malware called Laplas Clipper, researchers from Cisco's Talos security team claim to have tracked a ransomware organization that has been stealing cryptocurrency […] Ransomware Malware ★★★
AlienVault.webp 2023-02-15 11:00:00 GuLoader – a highly effective and versatile malware that can evade detection (direct link) The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. This blog was jointly authored with Arjun Patel. GuLoader is a malware downloader that is primarily used for distributing other shellcode and malware such as ransomware and banking Trojans. It was first discovered in the wild in late 2019 and has since become a popular choice among cybercriminals due to its effectiveness and ease of use. Researchers at cybersecurity firm CrowdStrike have recently published a technical write-up detailing the various techniques used by GuLoader to avoid detection. One of the key features of GuLoader is its ability to evade detection by traditional security solutions. It uses several techniques to avoid being detected, including packing and encryption, as well as utilizing legitimate websites and services as command and control (C2) servers. It also employs advanced anti-debugging and anti-analysis techniques, which makes it difficult for security researchers to reverse engineer and analyze its code. GuLoader is typically spread through phishing campaigns, where victims are tricked into downloading and installing the malware through emails or links containing a Visual Basic script file. It can also be distributed through other means, such as drive-by downloads, where the malware is delivered to a victim's computer through a web browser without the victim's knowledge. GuLoader utilizes a three-stage process to deliver the final payload to the infected host. During the first stage, the VBScript dropper file gets downloaded into a registry key as a persistence mechanism and delivers a next-stage payload. The second stage payload performs anti-analysis checks before injecting shellcode into memory. If these checks are successful, the shellcode then downloads the final payload from a remote server and executes it on the compromised host. The shellcode incorporates various anti-analysis and anti-debugging measures, including checks for the presence of a remote debugger and breakpoints, scans for virtualization software, and the use of a "redundant code injection mechanism" to avoid NTDLL.dll hooks implemented by endpoint detection and response (EDR) solutions. NTDLL.dll API hooking is a technique used by anti-malware engines to detect and flag suspicious processes on Windows by monitoring APIs that are known to be abused by threat actors. The method involves using assembly instructions to invoke the necessary Windows API function to allocate memory and inject arbitrary shellcode into that location via process hollowing. GuLoader's "redundant code injection mechanism" is designed to avoid these NTDLL.dll hooks, making it more difficult for EDR solutions to detect and flag the malware. One of the ways that GuLoader evades detection is through its use of legitimate websites and services as C2 servers. This means that it uses websites that are not known to be malicious as a means of communicating with its command-and-control (C2) center. This can make it difficult for security researchers to identify the C2 servers being used by the malware, as they are not typically flagged as malicious. In addition to its advanced evasion techniques, GuLoader is also highly customizable Ransomware Malware Threat ★★
Last update at: 2024-07-20 16:08:33