What's new around the internet


Entries (date in GMT, title, description excerpt, tags):

Date (GMT): 2021-03-02 05:49:51
Title: ObliqueRAT returns with new campaign using hijacked websites (direct link)
Description: By Asheer Malhotra. Cisco Talos has observed another malware campaign that utilizes malicious Microsoft Office documents (maldocs) to spread the remote access trojan (RAT) ObliqueRAT. This campaign targets organizations in South Asia. ObliqueRAT has been linked to the Transparent Tribe APT group in the past. This campaign hides the ObliqueRAT payload in seemingly benign image files hosted on compromised websites. What's new? Cisco Talos recently discovered another new campaign distributing the...
Tags: Malware, APT 36

Date (GMT): 2021-02-05 08:27:34
Title: A ransomware primer (direct link)
Description: Ransomware defense. Cyber security is continually a relevant topic for Cisco customers and other stakeholders. Ransomware is quickly becoming one of the hottest topics in the technology space as these malware families target high-leverage companies and organizations. We at Cisco are often contacted for guidance and recommendations for ways organizations can prepare for, detect and prevent ransomware attacks. Some of Cisco's vendors have also been affected by ransomware and have looked to Cisco...
Tags: Ransomware, Malware

Date (GMT): 2021-02-02 07:08:45
Title: Interview with a LockBit ransomware operator (direct link)
Description: By Azim Khodjibaev, Dmytro Korzhevin and Kendall McKay. Ransomware is still highly prevalent in our current threat landscape - it's one of the top threats Cisco Talos Incident Response responds to. One such ransomware family we encounter is called LockBit, a ransomware-as-a-service (RaaS) platform that's known for its automation and the speed at which it attacks its victims. At Cisco Talos, we strive to understand the malware utilized in ransomware, the infrastructure leveraged...
Tags: Ransomware, Malware, Threat

Date (GMT): 2020-12-21 14:38:16
Title: 2020: The year in malware (direct link)
Description: By Jon Munshaw. Nothing was normal in 2020. Our ideas of working from offices, in-person meetings, hands-on learning and basically everything else was thrown into disarray early in the year. Since then, we defenders have had to adapt. But so have workers around the globe, and those IT and security professionals in charge of keeping those workers' information secure. Adversaries saw all these changes as an opportunity to capitalize on strained health care systems, schools scrambling...
Tags: Malware

Date (GMT): 2020-11-18 10:21:43
Title: Back from vacation: Analyzing Emotet's activity in 2020 (direct link)
Description: By Nick Biasini, Edmund Brumaghin, and Jaeson Schultz. Emotet is one of the most heavily distributed malware families today. Cisco Talos observes large quantities of Emotet emails being sent to individuals and organizations around the world on an almost daily basis. These emails are typically sent automatically by previously infected systems attempting to infect new systems with Emotet to continue growing the size of the botnets associated with this threat. Emotet is often the initial...
Tags: Malware

Date (GMT): 2020-11-17 10:56:55
Title: Nibiru ransomware variant decryptor (direct link)
Description: Nikhil Hegde developed this tool. Weak encryption: The Nibiru ransomware is a .NET-based malware family. It traverses directories in the local disks, encrypts files with Rijndael-256 and gives them a .Nibiru extension. Rijndael-256 is a secure encryption algorithm. However, Nibiru uses a hard-coded string "Nibiru" to compute the 32-byte key and 16-byte IV values. The decryptor program leverages this weakness to decrypt files encrypted by this variant. Ransomware: Nibiru ransomware is a poorly...
Tags: Ransomware, Malware

Date (GMT): 2020-11-12 05:52:48
Title: CRAT wants to plunder your endpoints (direct link)
Description: By Asheer Malhotra. Cisco Talos has observed a new version of a remote access trojan (RAT) family known as CRAT. Apart from the prebuilt RAT capabilities, the malware can download and deploy additional malicious plugins on the infected endpoint. One of the plugins is a ransomware known as "Hansom." CRAT has been attributed to the Lazarus APT Group in the past. The RAT consists of multiple obfuscation techniques to hide strings, API names, command and control (C2) URLs and instrumental functions,...
Tags: Ransomware, Malware, APT 38

Date (GMT): 2020-10-29 05:22:28
Title: DoNot's Firestarter abuses Google Firebase Cloud Messaging to spread (direct link)
Description: By Warren Mercer, Paul Rascagneres and Vitor Ventura. The newly discovered Firestarter malware uses Google Firebase Cloud Messaging to notify its authors of the final payload location. Even if the command and control (C2) is taken down, the DoNot team can still redirect the malware to another C2 using Google infrastructure. The approach in the final payload upload denotes a highly personalized targeting policy. What's new? The DoNot APT group is making strides to experiment with new methods of...
Tags: Malware

Date (GMT): 2020-10-06 07:52:14
Title: PoetRAT: Malware targeting public and private sector in Azerbaijan evolves (direct link)
Description: By Warren Mercer, Paul Rascagneres and Vitor Ventura. The Azerbaijan public sector and other important organizations are still targeted by new versions of PoetRAT. This actor leverages malicious Microsoft Word documents alleged to be from the Azerbaijan government. The attacker has moved from Python to Lua script. The attacker improves their operational security (OpSec) by replacing protocol and performing reconnaissance on compromised systems. Executive summary: Cisco Talos discovered PoetRAT...
Tags: Malware

Date (GMT): 2020-10-01 11:00:07
Title: Threat Source newsletter for Oct. 1, 2020 (direct link)
Description: Newsletter compiled by Jon Munshaw. Good afternoon, Talos readers. In the past, we've covered what disinformation (otherwise known as "fake news") is and who spreads it. Now, we're diving into why it works, and why it's so easy for people to spread. Check out our full paper here to gain a lot of insight into the psychology of social media. On the malware front, we also have an update on LodaRAT. We've seen several new variants of this threat in the wild. Here's what to look out for...
Tags: Malware, Threat

Date (GMT): 2020-09-03 11:00:09
Title: Threat Source newsletter for Sept. 3, 2020 (direct link)
Description: Newsletter compiled by Jon Munshaw. Good afternoon, Talos readers. We recently uncovered a series of email campaigns utilizing links to malicious documents hosted on legitimate file-sharing platforms to spread malware. The campaigns distributed various malware payloads including Gozi ISFB, ZLoader, SmokeLoader and AveMaria, among others. Check out our complete details of the threat and our protections here. We are also excited to show off our fancy new Talos Email Status...
Tags: Malware, Threat

Date (GMT): 2020-09-03 08:06:35
Title: Salfram: Robbing the place without removing your name tag (direct link)
Description: By Holger Unterbrink and Edmund Brumaghin. Threat summary: Cisco Talos recently uncovered a series of email campaigns utilizing links to malicious documents hosted on legitimate file-sharing platforms to spread malware. The campaigns distributed various malware payloads including Gozi ISFB, ZLoader, SmokeLoader and AveMaria, among others. Ongoing campaigns are distributing various malware families using the same crypter. While effective, this crypting mechanism contains an easy-to-detect...
Tags: Malware

Date (GMT): 2020-09-01 08:00:07
Title: Quarterly Report: Incident Response trends in Summer 2020 (direct link)
Description: By David Liebenberg and Caitlin Huey. For the fifth quarter in a row, Cisco Talos Incident Response (CTIR) observed ransomware dominating the threat landscape. Infections involved a wide variety of malware families including Ryuk, Maze, LockBit, and Netwalker, among others. In a continuation of trends observed in last quarter's report, these ransomware attacks have relied much less on commodity trojans such as Emotet and Trickbot. Interestingly, 66 percent of all ransomware attacks this...
Tags: Ransomware, Malware, Threat

Date (GMT): 2020-07-01 08:21:25
Title: Threat Spotlight: Valak Slithers Its Way Into Manufacturing and Transportation Networks (direct link)
Description: By Nick Biasini, Edmund Brumaghin and Mariano Graziano. Threat summary: Attackers are actively distributing the Valak malware family around the globe, with enterprises, in particular, being targeted. These campaigns make use of existing email threads from compromised accounts to greatly increase success. The additional use of password-protected ZIP files can create a blind spot in security protections. The overwhelming majority of campaigns occurred over the last couple of months and targeted...
Tags: Malware, Threat
Last update at: 2024-07-16 00:08:03