What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2023-02-09 15:30:00 | US and UK Sanction Seven Russian Cyber-Criminals (lien direct) | The seven Russian nationals are members of the notorious Trickbot malware gang | Malware | ★★ | |
 |
2023-02-09 13:52:13 | Malware Analysis: LummaC2 Stealer (lien direct) | >By SOCRadar Research In our article about Stealer-as-a-Service, as the SOCRadar Research team, we looked at Lumma... | Malware | ★★★★ | |
 |
2023-02-09 13:01:38 | Russian Hackers Steal Data In Ukraine With New Graphiron Malware (lien direct) | There is evidence that hackers with ties to Russia are using new software designed to steal information to launch attacks against Ukraine. This malware, discovered by the Computer Emergency Response Team of Ukraine (CERT-UA) and dubbed Graphiron by Broadcom-owned Symantec, was developed by an espionage group called Nodaria and is known as UAC-0056. According to […] | Malware | ★★ | |
 |
2023-02-09 12:39:25 | Hacker develops new \'Screenshotter\' malware to find high-value targets (lien direct) | A new threat actor tracked as TA886 targets organizations in the United States and Germany with new custom malware to perform surveillance and data theft on infected systems. [...] | Malware Threat | ★★ | |
 |
2023-02-09 11:00:00 | ESXiArgs Ransomware Hits Over 3,800 Servers as Hackers Continue Improving Malware (lien direct) | >There have been some new developments in the case of the ESXiArgs ransomware attacks, including related to the encryption method used by the malware, victims, and the vulnerability exploited by the hackers. After the US Cybersecurity and Infrastructure Security Agency (CISA) announced the availability of an open source tool designed to help some victims of […] | Ransomware Malware Tool Vulnerability | ★★★ | |
|
2023-02-09 10:21:02 | U.S. and U.K. sanction TrickBot and Conti ransomware operation members (lien direct) | The United States and the United Kingdom have sanctioned seven Russian individuals for their involvement in the TrickBot cybercrime group, whose malware was used to support attacks by the Conti and Ryuk ransomware operation. [...] | Ransomware Malware | ★ | |
 |
2023-02-09 09:45:00 | Transforming Threat Data into Actionable Intelligence (lien direct) | Introduction In today's digital age, the threat of cyber-attacks is greater than ever. Traditional security operations, which have focused on reactive measures such as patching vulnerabilities and responding to breaches, are no longer sufficient to meet the challenges of the modern threat landscape. As a result, security organizations are shifting their focus to proactive measures to stay ahead of emerging threats. This shift towards proactive security operations is the focus of a new five-article series written by analysts at TAG Cyber. The series examines the latest trends and challenges for cybersecurity teams and explores the cutting-edge solutions that are helping security organizations become more proactive in their defense against cyber-attacks. Anomali's solutions are important in helping security operations (secops) teams move from a reactive to a proactive security program. Anomali, a leading threat intelligence provider and incident management software, offers a viable solution. Anomali's platform enables security teams to quickly and easily identify and respond to emerging threats by providing real-time visibility into the latest cyber threats and vulnerabilities, allowing organizations to take proactive measures to protect themselves from potential attacks instead of simply reacting to breaches after they have occurred. The series also delves into the strategies and technologies that can help CISOs and secops teams improve their operations. Anomali's platform is a key element in integrating threat intelligence with other technologies, such as Extended Detection and Response (XDR) and Attack Surface Management (ASM), to enhance the overall security posture of an organization. Additionally, Anomali's solutions assist with digital risk protection (DRP) in identifying and mitigating the risks associated with third-party vendors and partners. In summary, the series provides an in-depth look at the latest strategies and technologies to help CISOs and security teams become more proactive in their defense against cyber attacks. Anomali's solutions play a crucial role in this shift and assist organizations in identifying and mitigating emerging threats, integrating with other technologies, while addressing the skills gap. Article 1: Transforming Threat Data into Actionable Intelligence Christopher R. Wilder, TAG Cyber This article is the first in a series of guest blogs written by TAG Cyber analysts in conjunction with our colleagues at Anomali. Our five-part series of blogs focus on how threat-intelligence management integrates with extended detection and response (XDR) to increase operational efficiencies in an enterprise security operations environment and drive actionable prevention, detection, and response. The commercial Anomali platform demonstrates how integration between threat intelligence and XDR can work in the field. Threat intelligence is divided into three main categories: strategic, operational, and tactical. Strategic threat intelligence focuses on understanding the overall threat landscape and identifying long-term trends. It informs strategic decisions and helps organizations understand the potential risks they face. Operational threat intelligence identifies and responds to specific threats in real-time. It informs an organization’s day-to-day operations and helps protect against immediate threats. Tactical threat intelligence provides detailed information about specific threats, such as the tools, techniques, and procedures used by attackers. It also apprises tactical decisions and helps organizations respond to incidents. Threat intelligence is essential to any security program, providing organizations with the information they need to identify and respond to potential threats proactively. Threat intelligence provides operational and tactical threat intelligence to help organizations respond to specific dangers in real-time an | Malware Threat Patching Guideline | ★★★ | |
 |
2023-02-09 09:00:00 | VMware ESXi server ransomware evolves, after recovery script released (lien direct) | After the FBI and CISA on Wednesday released a recovery script for organizations affected by a massive ransomware attack targeting VMWare ESXi servers worldwide, reports surfaced that the malware evolved in a way that made earlier recovery procedures ineffective.The attacks, aimed at VMware's ESXi bare metal hypervisor, were first made public February 3 by the French Computer Emergency Response Team (CERT-FR), and target ESXi instances running older versions of the software, or those that have not been patched to current standards. Some 3,800 servers have been affected globally, CISA and the FBI said.To read this article in full, please click here | Ransomware Malware | ★★★ | |
 |
2023-02-09 07:58:00 | HTML smuggling campaigns impersonate well-known brands to deliver malware (lien direct) | Trustwave SpiderLabs researchers have cited an increased prevalence of HTML smuggling activity whereby cybercriminal groups abuse the versatility of HTML in combination with social engineering to distribute malware. The firm has detailed four recent HTML smuggling campaigns attempting to lure users into saving and opening malicious payloads, impersonating well-known brands such as Adobe Acrobat, Google Drive, and the US Postal Service to increase the chances of users falling victim.HTML smuggling uses HTML5 attributes that can work offline by storing a binary in an immutable blob of data (or embedded payload) within JavaScript code, which is decoded into a file object when opened via a web browser. It is not a new attack method, but it has grown in popularity since Microsoft started blocking macros in documents from the internet by default, Trustwave SpiderLabs wrote. The four malware strains that have recently been detected using HTML smuggling in their infection chain are Cobalt Strike, Qakbot, IcedID, and Xworm RAT, the firm added.To read this article in full, please click here | Malware | ★★ | |
 |
2023-02-08 22:31:00 | CISA Releases Recovery Script for Victims of ESXiArgs Ransomware (lien direct) | The malware has affected thousands of VMware ESXi hypervisors in the last few days. | Ransomware Malware | ★★★ | |
 |
2023-02-08 21:30:12 | Among the thousands of ESXiArgs ransomware victim orgs? FBI and CISA to the rescue (lien direct) | The malware has hit more than 3,800 servers globally, according to the Feds The US Cybersecurity and Infrastructure Security Agency (CISA) has released a recovery script to help companies whose servers were scrambled in the recent ESXiArgs ransomware outbreak.… | Ransomware Malware | ★★★ | |
 |
2023-02-08 21:17:09 | New info-stealing malware used against Ukraine organizations (lien direct) |  A new information-stealing malware named Graphiron is being used against a wide range of targets in Ukraine, according to new research. Researchers from Symantec declined to say which sorts of organizations are being targeted but confirmed that the attacks are being launched by an espionage group named Nodaria. They added that there is “limited evidence” [… |
Malware | ★★★ | |
|
2023-02-08 20:42:52 | Hackers used fake websites to target state agencies in Ukraine and Poland (lien direct) |  Hackers attempted last week to infect Ukrainian government computer systems with malware hosted on fake websites impersonating legitimate state services. Ukraine's computer emergency response team, CERT-UA, attributed the attack to a group called WinterVivern. The group has been active since at least June and includes Russian-speaking members. In addition to its Ukrainian targets, it has [… |
Malware | ★★★ | |
 |
2023-02-08 18:54:03 | Hackers are selling a service that bypasses ChatGPT restrictions on malware (lien direct) | ChatGPT restrictions on the creation of illicit content are easy to circumvent. | Malware | ChatGPT | ★★★ |
 |
2023-02-08 16:33:06 | Attackers increasingly use Microsoft\'s OneNote to deliver QakBot malware (lien direct) | Pas de details / No more details | Malware | ★★ | |
 |
2023-02-08 16:31:00 | Russian Hackers Using Graphiron Malware to Steal Data from Ukraine (lien direct) | A Russia-linked threat actor has been observed deploying a new information-stealing malware in cyber attacks targeting Ukraine. Dubbed Graphiron by Broadcom-owned Symantec, the malware is the handiwork of an espionage group known as Nodaria, which is tracked by the Computer Emergency Response Team of Ukraine (CERT-UA) as UAC-0056. "The malware is written in Go and is designed to harvest a wide | Malware Threat | ★★ | |
|
2023-02-08 13:09:54 | (Déjà vu) Malicious Dota 2 game mods infected players with malware (lien direct) | Security researchers have discovered four malicious Dota 2 game mods that were used by a threat actor to backdoor the players' systems. [...] | Malware Threat | ★★★ | |
|
2023-02-08 13:09:54 | Malicious Dota 2 game modes infected players with malware (lien direct) | Security researchers have discovered four malicious Dota 2 game modes that were used by a threat actor to backdoor the players' systems. [...] | Malware Threat | ★★★ | |
|
2023-02-08 13:00:00 | Android 14 to block malware from abusing sensitive permissions (lien direct) | Google has announced the release of the first developer preview for Android 14, the next major version of the world's most popular mobile operating system, which comes with security and privacy enhancements, among other things. [...] | Malware | ★★★★ | |
 |
2023-02-08 12:41:00 | Supply Chain Attack via New Malicious Python Packages by Malware Author Core1337 (lien direct) | The FortiGuard Labs team recently discovered various new 0-day attacks in PyPI packages by malware author, "Core1337". Read to learn more about these malicious supply chain attacks. | Malware | ★★ | |
|
2023-02-08 11:57:08 | A Deep Dive Into the Growing GootLoader Threat (lien direct) | >Cybereason GootLoader as a 'severe' threat, as the malware uses a combination of evasion and living off the land techniques, making its presence difficult to dectec. | Malware Threat | ★★ | |
|
2023-02-08 11:13:00 | Threat group targets over 1,000 companies with screenshotting and infostealing malware (lien direct) | Researchers warn that a new threat actor has been targeting over a thousand organizations since October with the goal of deploying credential-stealing malware. The attack chain also involves reconnaissance components including a Trojan that takes screenshots of the desktops of infected computers.Tracked as TA866 by researchers from security firm Proofpoint, the group's tooling seems to have similarities to other campaigns reported in the past under different names going as far back as 2019. Even though this latest activity appears to be financially motivated, some of the possibly related attacks seen in the past suggest that espionage was also a motivation at the time.To read this article in full, please click here | Malware Threat | ★★★ | |
 |
2023-02-08 11:09:54 | (Déjà vu) Check Point 2023 Security Report: Cyberattacks reach an all-time high in response to geo-political conflict, and the rise of \'disruption and destruction\' malware (lien direct) | >The 2023 Security Report is reflecting on a chaotic year in cybersecurity. The report looks back on a tumultuous 2022, which saw cyberattacks reach an all-time high in response to the Russo-Ukrainian war. Education and Research remains the most targeted sector, but attacks on the healthcare sector registered a 74% increase year-on-year. According to the… | Malware | ★★ | |
|
2023-02-08 11:00:31 | 2023 Security Report: Cyberattacks reach an all-time high in response to geo-political conflict, and the rise of \'disruption and destruction\' malware (lien direct) | >The 2023 Security Report is reflecting on a chaotic year in cybersecurity. The report looks back on a tumultuous 2022, which saw cyberattacks reach an all-time high in response to the Russo-Ukrainian war. Education and Research remains the most targeted sector, but attacks on the healthcare sector registered a 74% increase year-on-year. According to the […] | Malware | ★★ | |
 |
2023-02-08 07:30:02 | (Déjà vu) ASEC Weekly Malware Statistics (January 30th, 2023 – February 5th, 2023) (lien direct) | The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from January 30th, 2023 (Monday) to February 5th, 2023 (Sunday). For the main category, downloader ranked top with 39.3%, followed by Infostealer with 28.8%, backdoor with 27.0%, ransomware with 2.6%, and CoinMiner with 2.2%. Top 1 – SmokeLoader SmokeLoader is an Infostealer/downloader malware that is distributed via exploit kits. This week, it ranked first place... | Ransomware Malware | ★★ | |
|
2023-02-08 06:00:00 | Russian hackers using new Graphiron information stealer in Ukraine (lien direct) | The Russian hacking group known as 'Nodaria' (UAC-0056) is using a new information-stealing malware called 'Graphiron' to steal data from Ukrainian organizations. [...] | Malware | ★★ | |
|
2023-02-07 19:18:00 | New Banking Trojan Targeting 100M Pix Payment Platform Accounts (lien direct) | New malware demonstrates how threat actors are pivoting toward payment platform attacks, researchers say. | Malware Threat | ★★★ | |
|
2023-02-07 17:23:00 | Anomali Cyber Watch: MalVirt Obfuscates with KoiVM Virtualization, IceBreaker Overlay Hides V8 Bytecode Runtime Interpretation, Sandworm Deploys Multiple Wipers in Ukraine (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Data leak, Malvertising, North Korea, Proxying, Russia, Typosquatting, Ukraine, and Wipers. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
No Pineapple! –DPRK Targeting of Medical Research and Technology Sector
(published: February 2, 2023)
In August-November 2022, North Korea-sponsored group Lazarus has been engaging in cyberespionage operations targeting defense, engineering, healthcare, manufacturing, and research organizations. The group has shifted their infrastructure from using domains to be solely IP-based. For initial compromise the group exploited known vulnerabilities in unpatched Zimbra mail servers (CVE-2022-27925 and CVE-2022-37042). Lazarus used off the shelf malware (Cobalt Strike, JspFileBrowser, JspSpy webshell, and WSO webshell), abused legitimate Windows and Unix tools (such as Putty SCP), and tools for proxying (3Proxy, Plink, and Stunnel). Two custom malware unique to North Korea-based advanced persistent threat actors were a new Grease version that enables RDP access on the host, and the Dtrack infostealer.
Analyst Comment: Organizations should keep their mail server and other publicly-facing systems always up-to-date with the latest security features. Lazarus Group cyberespionage attacks are often accompanied by stages of multi-gigabyte exfiltration traffic. Suspicious connections and events should be monitored, detected and acted upon. Use the available YARA signatures and known indicators.
MITRE ATT&CK: [MITRE ATT&CK] T1587.002 - Develop Capabilities: Code Signing Certificates | [MITRE ATT&CK] T1190 - Exploit Public-Facing Application | [MITRE ATT&CK] picus-security: The Most Used ATT&CK Technique—T1059 Command and Scripting Interpreter | [MITRE ATT&CK] T1569.002: Service Execution | [MITRE ATT&CK] T1106: Native API | [MITRE ATT&CK] T1505.003 - Server Software Component: Web Shell | [MITRE ATT&CK] T1037.005 - Boot or Logon Initialization Scripts: Startup Items | [MITRE ATT&CK] T1053.005 - Scheduled Task/Job: Scheduled Task | [MITRE ATT&CK] T1036.005 - Masquerading: Match Legitimate Name Or Location | [MITRE ATT&CK] T1553 - Subvert Trust Controls | [MITRE ATT&CK] T1070.004 - Indicator Removal on Host: File Deletion | [MITRE ATT&CK] T1070.007 - Indicator Removal: Clear Network Connection History And Configurations | |
Malware Tool Threat Medical Medical | APT 38 | ★★★ |
|
2023-02-07 17:21:02 | New QakNote attacks push QBot malware via Microsoft OneNote files (lien direct) | A new QBot malware campaign dubbed "QakNote" has been observed in the wild since last week, using malicious Microsoft OneNote' .one' attachments to infect systems with the banking trojan. [...] | Malware | ★★★ | |
 |
2023-02-07 12:23:54 | Malware Delivered through Google Search (lien direct) | Criminals using Google search ads to deliver malware isn’t new, but Ars Technica declared that the problem has become much worse recently. The surge is coming from numerous malware families, including AuroraStealer, IcedID, Meta Stealer, RedLine Stealer, Vidar, Formbook, and XLoader. In the past, these families typically relied on phishing and malicious spam that attached Microsoft Word documents with booby-trapped macros. Over the past month, Google Ads has become the go-to place for criminals to spread their malicious wares that are disguised as legitimate downloads by impersonating brands such as Adobe Reader, Gimp, Microsoft Teams, OBS, Slack, Tor, and Thunderbird... | Spam Malware | ★★ | |
 |
2023-02-07 11:00:00 | How to protect your car dealership from cyber-attacks (lien direct) | The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. Recent trends show that car dealerships are becoming a prime target for cyber-attacks, partly due to the rise in autonomous and connected vehicles. This is in addition to more traditional attacks such as phishing. Therefore, car dealerships are urged to take measures to improve their cybersecurity posture. Throughout this article, we will focus on how to protect your car dealership from cyber-attacks, from technological solutions to raising staff awareness, and more. Why are car dealerships being targeted by cybercriminals? Car dealerships collect a significant amount of data which is often stored on-site. This data includes things like names, addresses, email addresses, phone numbers, and perhaps more importantly, financial information such as bank details and social security numbers. Gaining access to this database can be very lucrative for criminals. A cybercriminal’s life is also made much easier if a car dealership uses outdated IT infrastructure and lacks sufficient processes in terms of protecting employee login details. How are car dealerships vulnerable to cyber-attacks? Before we discuss how to protect your car dealership from a cyber-attack, it is important to know what makes a car dealership vulnerable, and what sort of attacks it could be subjected to. Open Wi-Fi networks - Many car dealerships have open Wi-Fi networks for their customers to use freely. However, this provides an opportunity for hackers who can potentially access other areas of the network that store sensitive data. Malware - Malware is possibly the most likely form of cyber-attack, targeting individuals within your organization with malicious email attachments that execute software onto the victim’s device. This software can then grant the attacker remote access to the system. Phishing - Phishing emails are much more sophisticated than they used to be, appearing much more legitimate, and targeting individuals within the company. If an email seems suspicious or is from an unknown contact, then it is advised to avoid clicking any links. User error - Unfortunately, anyone working for the car dealership, even the owner, could pose a risk to security. Perhaps using lazy passwords, or not storing log-in details in a safe place. This is why cyber security training is now becoming mandatory at most businesses. The consequences of cyber-attacks on car dealerships If a small-to-medium-sized car dealership is the victim of a cyber-attack, then it can have a much bigger impact than just a short-term financial loss. Many smaller businesses that suffer a data breach are said to go out of business within six months of such an event, losing the trust of their customer base, and failing to recover from the financial impact. Research suggests that most consumers would not purchase a car from a dealership that has had a security breach in the past. Failing to prevent a cyber-attack and a criminal from gaining access to customer information is extremely detrimental to a business’s public image. How to protect your car dealership from cyber-attacks Regardl | Data Breach Malware Vulnerability | ★★ | |
|
2023-02-07 06:00:00 | Clop ransomware flaw allowed Linux victims to recover files for months (lien direct) | The Clop ransomware gang is now also using a malware variant that explicitly targets Linux servers, but a flaw in the encryption scheme has allowed victims to quietly recover their files for free for months. [...] | Ransomware Malware | ★★★ | |
|
2023-02-06 22:11:00 | Global Ransomware Attack on VMware EXSi Hypervisors Continues to Spread (lien direct) | The fresh "ESXiArgs" malware is exploiting a 2-year-old RCE security vulnerability (tracked as CVE-2021-21974), resulting in thousands of unpatched servers falling prey to the campaign. | Ransomware Malware Vulnerability | ★★ | |
|
2023-02-06 18:06:00 | GuLoader Malware Using Malicious NSIS Executable to Target E-Commerce Industry (lien direct) | E-commerce industries in South Korea and the U.S. are at the receiving end of an ongoing GuLoader malware campaign, cybersecurity firm Trellix disclosed late last month. The malspam activity is notable for transitioning away from malware-laced Microsoft Word documents to NSIS executable files for loading the malware. Other countries targeted as part of the campaign include Germany, Saudi Arabia, | Malware | ★★ | |
 |
2023-02-06 16:41:07 | TrickGate crypter discovered after 6 years of infections (lien direct) | >New research from Check Point Research exposes a crypter that stayed undetected for six years and is responsible for several major malware infections around the globe. | Malware | ★★★ | |
|
2023-02-06 13:41:00 | FormBook Malware Spreads via Malvertising Using MalVirt Loader to Evade Detection (lien direct) | An ongoing malvertising campaign is being used to distribute virtualized .NET loaders that are designed to deploy the FormBook information-stealing malware. "The loaders, dubbed MalVirt, use obfuscated virtualization for anti-analysis and evasion along with the Windows Process Explorer driver for terminating processes," SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said in a | Malware | ★★ | |
 |
2023-02-06 12:21:32 | Album Stealer zielt auf Facebook-Nutzer ab, die nach pornografischen Inhalten suchen (lien direct) | Das Zscaler ThreatLabz-Team deckt regelmäßig neue Arten von Infostealer-Familien in verschiedenen Angriffskampagnen auf. Kürzlich stießen die Forscher auf den Infostealer namens „Album“. Die Malware ist als Fotoalbum getarnt, dass pornografische Inhalte als Köder verwendet, während im Hintergrund bösartige Aktivitäten ausgeführt werden. Dazu setzt die Malware auf eine Side-Loading-Technik, bei der legitime Anwendungen zur Ausführung bösartiger DLLs verwendet werden, um die Entdeckung zu vermeiden. Die eigentliche Aufgabe ist jedoch das Stehlen von Cookies und Anmeldeinformationen, die von den Opfern in ihren Webbrowsern gespeichert wurden. Darüber hinaus werden Informationen von Facebook Ads Manager, Facebook Business-Konten und Facebook API Graph-Seiten gestohlen. Die auf einem infizierten System gesammelten Informationen werden schließlich an einen Command-and-Control-Server geschickt. - Malware / cybersecurite_home_droite | Malware | ★ | |
 |
2023-02-06 09:04:22 | A BOLDMOVE by the Chinese Hackers: Exploiting Fortinet Systems (lien direct) | >By Nilaa MaharjanContentsKey FindingsWhich Products and Versions are Affected?Making a BOLD statementBoldly going where no malware has gone beforeDetecting BOLDMOVE using LogpointInvestigation and response with LogpointRemediation and mitigation best practicesFinal ThoughtsTL;DRFortinet disclosed a zero-day vulnerability in its FortiOS SSL-VPN products in December 2022, which was discovered to have been exploited by ransomware gangs.The vulnerability, a [...] | Ransomware Malware Vulnerability | ★★ | |
|
2023-02-06 01:00:00 | Sliver Malware With BYOVD Distributed Through Sunlogin Vulnerability Exploitations (lien direct) | Sliver is an open-source penetration testing tool developed in the Go programming language. Cobalt Strike and Metasploit are major examples of penetration testing tools used by many threat actors, and various attack cases involving these tools have been covered here on the ASEC blog. Recently, there have been cases of threat actors using Sliver in addition to Cobalt Strike and Metasploit. The ASEC (AhnLab Security Emergency response Center) analysis team is monitoring attacks against systems with either unpatched vulnerabilities or... | Malware Tool Vulnerability Threat | ★★ | |
|
2023-02-05 10:15:32 | Linux version of Royal Ransomware targets VMware ESXi servers (lien direct) | Royal Ransomware is the latest ransomware operation to add support for encrypting Linux devices to its most recent malware variants, specifically targeting VMware ESXi virtual machines. [...] | Ransomware Malware | ★★ | |
 |
2023-02-05 00:00:00 | Hunting Opaque Predicates with YARA (lien direct) |
Introduction Malware tends to obfuscate itself using many different techniques from opaque predicates, garbage code, control flow manipulation with the stack and more. These techniques definitely make analysis more challening for reverse engineers. However, from a detection and hunting standpoint to find interesting samples to reverse engineer we can leverage our knowlege of these techniques to hunt for obfuscated code. In our case today, we will be developing a yara signature to hunt for one specific technique of opaque predicates, there are many variations and situations where this does not match and should only serve as a hunting signatures as more heuristic and programitic approaches for this are better for detection. |
Malware | ★★★ | |
|
2023-02-04 19:09:00 | PixPirate: New Android Banking Trojan Targeting Brazilian Financial Institutions (lien direct) | A new Android banking trojan has set its eyes on Brazilian financial institutions to commit fraud by leveraging the PIX payments platform. Italian cybersecurity company Cleafy, which discovered the malware between the end of 2022 and the beginning of 2023, is tracking it under the name PixPirate. "PixPirate belongs to the newest generation of Android banking trojan, as it can perform ATS ( | Malware | ★★★ | |
|
2023-02-04 08:17:56 | Onenote Malware: Classification and Personal Notes (lien direct) | During the past 4 months Microsoft Onenote file format has been (ab)used as Malware carrier by different criminal groups. While the main infection vector is still on eMail side – so nothing really relevant to write on – the used techniques, the templates and the implemented code to inoculate Malware changed a lot. So it […] | Malware | ★★★ | |
|
2023-02-04 00:27:06 | HeadCrab bots pinch 1,000+ Redis servers to mine coins (lien direct) | We devoting full time to floating under /etc A sneaky botnet dubbed HeadCrab that uses bespoke malware to mine for Monero has infected at least 1,200 Redis servers in the last 18 months.… | Malware | ★★★ | |
|
2023-02-03 20:33:00 | Post-Macro World Sees Rise in Microsoft OneNote Documents Delivering Malware (lien direct) | In a continuing sign that threat actors are adapting well to a post-macro world, it has emerged that the use of Microsoft OneNote documents to deliver malware via phishing attacks is on the rise. Some of the notable malware families that are being distributed using this method include AsyncRAT, RedLine Stealer, Agent Tesla, DOUBLEBACK, Quasar RAT, XWorm, Qakbot, BATLOADER, and FormBook. | Malware Threat | ★★ | |
|
2023-02-03 20:25:08 | Fast-evolving Prilex POS malware can block contactless payments (lien direct) | ... forcing users to insert their cards into less-secure PIN systems The reasons businesses and consumers like contactless payment transactions – high security and speed – are what make those systems bad for cybercriminals.… | Malware | ★★ | |
|
2023-02-03 16:00:00 | Scores of Redis Servers Infested by Sophisticated Custom-Built Malware (lien direct) | At least 1,200 Redis servers worldwide have been infected with "HeadCrab" cryptominers since 2021. | Malware | ★ | |
|
2023-02-03 16:00:00 | New Credential-Stealing Campaign By APT34 Targets Middle East Firms (lien direct) | The malware had additional exfiltration techniques compared to previously studied variants | Malware | APT 34 | ★★ |
|
2023-02-03 15:26:22 | (Déjà vu) Nouveau malware SwiftSlicer déployé dans une cyberattaque contre Ukraine le Commentaire de Quest Software (lien direct) | Le 25 janvier, le groupe de recherche ESET a découvert une nouvelle cyberattaque en Ukraine. Les attaquants du groupe Sandworm ont déployé un nouveau malware nommé SwiftSlicer, qui vise à détruire l'Active Directory. Nouveau malware SwiftSlicer déployé dans une cyberattaque contre Ukraine le Commentaire de Quest Software - Malwares | Malware | ★ | |
|
2023-02-03 15:14:07 | Check Point Software Technologies Achieves... (lien direct) | Check Point Software Technologies Achieves Highest Ranking in Miercom Next Generation Firewall Benchmark Report Check Point achieves 99.7% malware block rate, 99.9% phishing prevention, and ultra-low 0.1% False Positive Detection rate - Business News | Malware | ★ |
To see everything:
Our RSS (filtrered)
