www.secnews.physaphae.fr This is the RSS 2.0 feed from www.secnews.physaphae.fr. IT's a simple agragated flow of multiple articles soruces. Liste of sources, can be found on www.secnews.physaphae.fr. 2024-06-09T22:05:53+00:00 www.secnews.physaphae.fr RiskIQ - cyber risk firms (now microsoft) TargetCompany\'s Linux Variant Targets ESXi Environments 2024-06-07T21:10:07+00:00 https://community.riskiq.com/article/dccc6ab3 www.secnews.physaphae.fr/article.php?IdArticle=8514942 False Ransomware,Malware,Tool,Threat,Mobile,Prediction None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Water Sigbin utilise des techniques d'obscurcissement avancées dans les dernières attaques exploitant les vulnérabilités Oracle Weblogic<br>Water Sigbin Employs Advanced Obfuscation Techniques in Latest Attacks Exploiting Oracle WebLogic Vulnerabilities 2024-06-07T19:53:27+00:00 https://community.riskiq.com/article/d4ad1229 www.secnews.physaphae.fr/article.php?IdArticle=8514887 False Ransomware,Malware,Tool,Vulnerability,Threat,Prediction,Cloud None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Cloudforce One perturbe la campagne de phishing Flyetyeti alignée en Russie exploitant le stress financier ukrainien<br>Cloudforce One Disrupts Russia-Aligned FlyingYeti Phishing Campaign Exploiting Ukrainian Financial Stress 2024-06-07T17:32:33+00:00 https://community.riskiq.com/article/46bbe9fb www.secnews.physaphae.fr/article.php?IdArticle=8514830 False Malware,Tool,Vulnerability,Threat None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Fake Advanced IP Scanner Installer fournit dangereux CobaltStrike Backdoor<br>Fake Advanced IP Scanner Installer Delivers Dangerous CobaltStrike Backdoor 2024-06-06T20:12:19+00:00 https://community.riskiq.com/article/96c5190e www.secnews.physaphae.fr/article.php?IdArticle=8514354 False Malware,Tool,Threat None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Les fausses mises à jour du navigateur offrent Bitrat 
et Lumma Stealer<br>Fake Browser Updates Deliver BitRAT and Lumma Stealer 2024-06-05T21:10:50+00:00 https://community.riskiq.com/article/aff8b8d5 www.secnews.physaphae.fr/article.php?IdArticle=8513887 False Ransomware,Spam,Malware,Tool,Threat None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) RansomHub: le nouveau ransomware a des origines dans le chevalier plus âgé<br>RansomHub: New Ransomware has Origins in Older Knight 2024-06-05T20:12:47+00:00 https://community.riskiq.com/article/57d133ec www.secnews.physaphae.fr/article.php?IdArticle=8513888 False Ransomware,Malware,Tool,Vulnerability,Threat,Patching None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Le nouveau carnavalhéiste de la nouvelle banque cible le Brésil avec des attaques de superposition<br>New Banking Trojan CarnavalHeist Targets Brazil with Overlay Attacks 2024-06-04T17:52:04+00:00 https://community.riskiq.com/article/d3dbe72f www.secnews.physaphae.fr/article.php?IdArticle=8513189 False Malware,Tool,Threat None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Menace Unleashed: Excel File Deploys Cobalt Strike at Ukraine 2024-06-04T01:40:42+00:00 https://community.riskiq.com/article/b1a12c50 www.secnews.physaphae.fr/article.php?IdArticle=8512727 False Ransomware,Malware,Tool,Threat None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) L'éclipse de citrouille<br>The Pumpkin Eclipse ## Snapshot Lumen Technologies\' Black Lotus Labs has identified a destructive event they\'re calling "The Pumpkin Eclipse" that took place over a 72-hour period between October 25-27, 2023, where over 600,000 small office/home office (SOHO) routers were taken offline belonging to a single internet service provider (ISP). ## Description The incident disrupted internet access across numerous Midwest states, impacting a specific ISP and three router models: the ActionTec T3200s, ActionTec T3260s, and Sagemcom F5380. 
The incident rendered the infected devices permanently inoperable and required a hardware-based replacement. The primary payload responsible for the event was identified as “Chalubo,” a commodity remote access trojan (RAT) that employed savvy tradecraft to obfuscate its activity. Chalubo has payloads designed for all major SOHO/IoT kernels, pre-built functionality to perform DDoS attacks, and can execute any Lua script sent to the bot. The Lua functionality was likely employed by the malicious actor to retrieve the destructive payload. At this time, it is unclear how the threat actors initially gained access to the routers. However, the investigation revealed that the threat actors likely abused weak credentials or exploited an exposed administrative interface. The threat actors behind this event chose a commodity malware family to obfuscate attribution, instead of using a custom-developed toolkit. ## References ["Malware botnet bricked 600,000 routers in mysterious 2023 attack"](https://www.bleepingcomputer.com/news/security/malware-botnet-bricked-600-000-routers-in-mysterious-2023-event/) BleepingComputer (Accessed 2024-06-03) ["The Pumpkin Eclipse"](https://blog.lumen.com/the-pumpkin-eclipse/) Black Lotus Labs (Accessed 2024-06-03)]]> 2024-06-03T21:15:33+00:00 https://community.riskiq.com/article/e05de672 www.secnews.physaphae.fr/article.php?IdArticle=8512644 False Malware,Threat None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Faits saillants hebdomadaires, 3 juin 2024<br>Weekly OSINT Highlights, 3 June 2024 2024-06-03T14:03:42+00:00 https://community.riskiq.com/article/0d99f56e www.secnews.physaphae.fr/article.php?IdArticle=8512475 False Malware,Tool,Vulnerability,Threat,Industrial,Prediction,Cloud None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Analysis of APT Attack Cases Using Dora RAT Against Korean Companies (Andariel Group) 2024-05-31T22:14:46+00:00 https://community.riskiq.com/article/08f4a417 
www.secnews.physaphae.fr/article.php?IdArticle=8510885 False Malware,Tool,Vulnerability,Threat APT 38 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) THREAT ALERT: The XZ Backdoor - Supply Chaining Into Your SSH 2024-05-31T21:10:13+00:00 https://community.riskiq.com/article/9af8f767 www.secnews.physaphae.fr/article.php?IdArticle=8510861 False Ransomware,Malware,Tool,Vulnerability,Threat,Cloud None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Analyse technique des campagnes Anatsa: un malware Android Banking Active dans le Google Play Store<br>Technical Analysis of Anatsa Campaigns: An Android Banking Malware Active in the Google Play Store 2024-05-30T21:08:56+00:00 https://community.riskiq.com/article/e21eabb7 www.secnews.physaphae.fr/article.php?IdArticle=8510275 False Malware,Threat,Mobile,Technical None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Lilacsquid: La trilogie furtive de Purpleink, Inkbox et Inkloader<br>LilacSquid: The stealthy trilogy of PurpleInk, InkBox and InkLoader 2024-05-30T20:28:18+00:00 https://community.riskiq.com/article/39e87f2a www.secnews.physaphae.fr/article.php?IdArticle=8510250 False Ransomware,Spam,Malware,Tool,Vulnerability,Threat,Industrial None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Fichiers avec une extension TXZ utilisée comme pièces jointes Malspam<br>Files with TXZ extension used as malspam attachments 2024-05-29T20:27:37+00:00 https://community.riskiq.com/article/e9845916 www.secnews.physaphae.fr/article.php?IdArticle=8509575 False Malware,Tool,Threat,Cloud None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Security Brief: Sing Us a Song You\'re the Piano Scam #### Targeted Geolocations - North America #### Targeted Industries - Education - ]]> 2024-05-29T17:09:34+00:00 https://community.riskiq.com/article/0bd219dd www.secnews.physaphae.fr/article.php?IdArticle=8509476 False Spam,Malware,Threat,Medical None 2.0000000000000000 RiskIQ - cyber 
risk firms (now microsoft) Arc Browsers Windows Lancez ciblé par Google Ads Malvertising<br>Arc Browsers Windows Launch Targeted by Google Ads Malvertising 2024-05-28T20:51:27+00:00 https://community.riskiq.com/article/9dd6578a www.secnews.physaphae.fr/article.php?IdArticle=8508820 False Ransomware,Malware,Threat,Cloud None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Faits saillants hebdomadaires, 28 mai 2024<br>Weekly OSINT Highlights, 28 May 2024 2024-05-28T17:37:40+00:00 https://community.riskiq.com/article/eb5e10a2 www.secnews.physaphae.fr/article.php?IdArticle=8508725 False Ransomware,Malware,Hack,Tool,Threat APT 34 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Explorer le Troie bancaire Metamorfo<br>Exploring the Metamorfo Banking Trojan #### Targeted Geolocations - North America - South America ## Snapshot Forcepoint reports on Metamorfo Banking Trojan, also known as Casbaneiro, that is a banking trojan that targets North and South America. ## Description he malware spreads through malspam campaigns, enticing users to click on HTML attachments. Once clicked, a series of activities are initiated, all focused on gathering system metadata. The malware is distributed via email and the attachment contains malicious codes that lead to data compromise. The PowerShell commands are utilized to drop the files at various suspicious locations, shutdown the system, and cause persistence to steal user data such as computer names, modifying system settings, user settings, keylogging, and sending it to compromised systems. Forcepoint customers are protected against this threat at various stages of attack. 
## References ["Exploring the Metamorfo Banking Trojan"](https://www.forcepoint.com/blog/x-labs/exploring-metamorfo-banking-malware) Forcepoint (Accessed 2024-05-24)]]> 2024-05-24T19:09:46+00:00 https://community.riskiq.com/article/72f52370 www.secnews.physaphae.fr/article.php?IdArticle=8506313 False Malware,Threat None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Les pirates chinois se cachent sur les réseaux militaires et gouvernementaux pendant 6 ans<br>Chinese hackers hide on military and govt networks for 6 years 2024-05-24T18:42:00+00:00 https://community.riskiq.com/article/c95e7fd5 www.secnews.physaphae.fr/article.php?IdArticle=8506285 True Ransomware,Spam,Malware,Tool,Threat,Commercial None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Longe de lune en utilisant un jeu de chars malveillant pour infecter les appareils<br>Moonstone Sleet using malicious tank game to infect devices 2024-05-24T17:17:36+00:00 https://community.riskiq.com/article/a8c96e40 www.secnews.physaphae.fr/article.php?IdArticle=8508821 False Malware,Tool,Threat None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Rapport de CrimeWare: Acred, Scarletsaler et SYS01 Stealers<br>Crimeware Report: Acrid, ScarletStealer, and Sys01 Stealers 2024-05-24T01:09:17+00:00 https://community.riskiq.com/article/8ca39741 www.secnews.physaphae.fr/article.php?IdArticle=8505826 False Ransomware,Spam,Malware,Tool,Threat None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) GhostEngine mining attacks kill EDR security using vulnerable drivers ## Snapshot Elastic Security Labs has identified an intrusion set, REF4578, that incorporates several malicious modules and leverages vulnerable drivers to disable known security solutions (EDRs) for crypto mining. ## Description The primary payload of this intrusion set is GHOSTENGINE, which is responsible for retrieving and executing modules on the machine. 
GHOSTENGINE primarily uses HTTP to download files from a configured domain, with a backup IP in case domains are unavailable. Additionally, it employs FTP as a secondary protocol with embedded credentials. The ultimate goal of the REF4578 intrusion set was to gain access to an environment and deploy a persistent Monero crypto miner, XMRig. The malware authors incorporated many contingency and duplication mechanisms, and GHOSTENGINE leverages vulnerable drivers to terminate and delete known EDR agents that would likely interfere with the deployed and well-known coin miner. This campaign involved an uncommon amount of complexity to ensure both the installation and persistence of the XMRIG miner. The malware scans and compares all the running processes with a hardcoded list of known EDR agents. If there are any matches, it first terminates the security agent and then deletes the security agent binary with another vulnerable]]> 2024-05-23T21:02:25+00:00 https://community.riskiq.com/article/c2420a77 www.secnews.physaphae.fr/article.php?IdArticle=8505727 False Malware,Threat None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) UAC-0006 Cyberattaques augmentées<br>UAC-0006 Increased Cyberattacks ## Snapshot The Governmental Computer Emergency Reponse Team of Ukraine (CERT-UA) has observed increased activity from a financially movtivated threat actor they track as UAC-0006. Since May 20, 2024, the group has conducted at least two distinct malware distribution campaigns. ## Description CERT-UA reports that these campaigns are distributing SmokeLoader malware via phishing emails. These emails contain ZIP archives with malicious files, including .IMG files with executable (.exe) files and Microsoft Access (.ACCDB) documents with embedded macros. These macros execute PowerShell commands to download and run the executable files. After initial system compromise, additional malware such as Taleshot and RMS are downloaded and installed. 
Currently, the botnet comprises several hundred infected computers. As a result of this increased activity, CERT-UA expects an increase in fraud schemes targeting remote banking systems in the near future. ## Detections **Microsoft Defender Antivirus** Microsoft Defender Antivirus detects threat components as the following malware: - [*Trojan:Win32/SmokeLoader*](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/SmokeLoader&threatId=-2147238753) - *[Trojan:Win64/Smokeloader](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win64/Smokeloader&threatId=-2147113809)* ## References [UAC-0006 Increased Cyberattacks](https://cert.gov.ua/article/6279366). Computer Emergency Response Team of Ukraine (accessed 2024-05-22)]]> 2024-05-22T20:16:56+00:00 https://community.riskiq.com/article/7bef5f52 www.secnews.physaphae.fr/article.php?IdArticle=8505023 False Malware,Threat None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Grandoreiro Banking Trojan Resurfaces dans Global Campaign<br>Grandoreiro Banking Trojan Resurfaces in Global Campaign 2024-05-22T16:31:26+00:00 https://community.riskiq.com/article/bc072613 www.secnews.physaphae.fr/article.php?IdArticle=8504898 False Spam,Malware,Tool,Threat,Legislation None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Bad Karma, No Justice: Void Manticore Destructive Activities in Israel 2024-05-22T15:21:21+00:00 https://community.riskiq.com/article/d5d5c07f www.secnews.physaphae.fr/article.php?IdArticle=8504864 False Ransomware,Malware,Tool,Threat APT 34 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Les gangs de ransomware ciblent les administrateurs de Windows via Putty, WinSCP malvertising<br>Ransomware gang targets Windows admins via PuTTy, WinSCP malvertising 2024-05-21T18:21:28+00:00 https://community.riskiq.com/article/cbf8691b www.secnews.physaphae.fr/article.php?IdArticle=8504244 False 
Ransomware,Malware,Threat,Prediction None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Nouveaux utilisateurs Linux attaquant Linux Backdoor via des packages d'installation<br>New Linux Backdoor Attacking Linux Users Via Installation Packages 2024-05-20T20:03:06+00:00 https://community.riskiq.com/article/cdc0c90f www.secnews.physaphae.fr/article.php?IdArticle=8503644 False Malware,Threat None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Faits saillants hebdomadaires, 20 mai 2024<br>Weekly OSINT Highlights, 20 May 2024 2024-05-20T14:19:33+00:00 https://community.riskiq.com/article/8374cff8 www.secnews.physaphae.fr/article.php?IdArticle=8503469 False Ransomware,Malware,Tool,Vulnerability,Threat,Medical None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) To the Moon and back(doors): Lunar landing in diplomatic missions 2024-05-17T19:11:34+00:00 https://community.riskiq.com/article/86a682a8 www.secnews.physaphae.fr/article.php?IdArticle=8501846 False Malware,Tool,Threat,Technical None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Du document au script: à l'intérieur de la campagne de Darkgate \\<br>From Document to Script: Insides of DarkGate\\'s Campaign 2024-05-17T16:57:23+00:00 https://community.riskiq.com/article/055cd342 www.secnews.physaphae.fr/article.php?IdArticle=8501757 False Malware,Threat,Cloud None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Ebury est vivant mais invisible: 400k serveurs Linux compromis pour le vol de crypto-monnaie et le gain financier<br>Ebury is Alive but Unseen: 400k Linux Servers Compromised for Cryptocurrency Theft and Financial Gain ## Snapshot ESET researchers have published a report on the evolution of the Ebury malware campaign, which leverages Linux malware for financial gain. ## Description The campaign has diversified to include credit card and cryptocurrency theft. 
The malware has been updated with new obfuscation techniques, a new domain generation algorithm, and improvements in the userland rootkit used by Ebury to hide itself from system administrators. The Ebury threat actors use different methods to compromise new servers, including the use of adversary in the middle to intercept SSH traffic of interesting targets inside data centers and redirect it to a server used to capture credentials. Ebury malware family has been used to compromise more than 400,000 servers since 2009, with more than 100,000 still compromised as of late 2023. The threat actors leverage their access to hosting providers\' infrastructure to install Ebury on all the servers that are being rented by that provider. Among the targets are Bitcoin and Ethereum nodes. HTTP POST requests made to and from the servers are leveraged to steal financial details from transactional websites. ## References ["Ebury botnet malware infected 400,000 Linux servers since 2009".](https://www.bleepingcomputer.com/news/security/ebury-botnet-malware-infected-400-000-linux-servers-since-2009/) BleepingComputer (Accessed 2024-05-15) ["Ebury is alive but unseen: 400k Linux servers compromised for cryptotheft and financial gain".](https://www.welivesecurity.com/en/eset-research/ebury-alive-unseen-400k-linux-servers-compromised-cryptotheft-financial-gain/) ESET (Accessed 2024-05-15)]]> 2024-05-16T21:30:54+00:00 https://community.riskiq.com/article/276a4404 www.secnews.physaphae.fr/article.php?IdArticle=8501240 False Malware,Threat None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Malware Distributed as Copyright Violation-Related Materials (Beast Ransomware, Vidar Infostealer) 2024-05-16T19:51:14+00:00 https://community.riskiq.com/article/95ff5bf6 www.secnews.physaphae.fr/article.php?IdArticle=8501182 True Ransomware,Spam,Malware,Tool,Threat None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Gitcaught: l'acteur de menace exploite le référentiel 
Github pour les infrastructures malveillantes<br>GitCaught: Threat Actor Leverages GitHub Repository for Malicious Infrastructure 2024-05-15T20:41:19+00:00 https://community.riskiq.com/article/4782de66 www.secnews.physaphae.fr/article.php?IdArticle=8500488 False Ransomware,Malware,Tool,Threat None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) FIN7 exploite les marques de confiance et les publicités Google pour livrer des charges utiles Malicious MSIX<br>FIN7 Exploits Trusted Brands and Google Ads to Deliver Malicious MSIX Payloads 2024-05-15T20:23:43+00:00 https://community.riskiq.com/article/6c0c8997 www.secnews.physaphae.fr/article.php?IdArticle=8500489 False Malware,Tool,Threat,Prediction None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Security Brief: Millions of Messages Distribute LockBit Black Ransomware 2024-05-14T20:34:29+00:00 https://community.riskiq.com/article/5b5aaff4 www.secnews.physaphae.fr/article.php?IdArticle=8499815 False Ransomware,Spam,Malware,Tool,Vulnerability,Threat None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Faits saillants hebdomadaires, 13 mai 2024<br>Weekly OSINT Highlights, 13 May 2024 2024-05-13T13:30:14+00:00 https://community.riskiq.com/article/fd207107 www.secnews.physaphae.fr/article.php?IdArticle=8498946 False Spam,Malware,Tool,Vulnerability,Threat,Cloud APT 42 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Socgholish attaque les entreprises via de fausses mises à jour du navigateur<br>SocGholish Attacks Enterprises Via Fake Browser Updates ## Snapshot SocGholish (also known as FakeUpdates), a malware known for its stealth and the intricacy of its delivery mechanisms, is targeting enterprises with deceptive browser update prompts. ## Description As reported by eSentire, compromised legitimate websites serve as the infection vector, where malicious JavaScript code is injected to prompt users to download browser updates. 
The downloaded files contain SocGholish malware, initiating the infection process upon execution.  The script employs various techniques to avoid detection and evade analysis. First, it checks if the browser is being controlled by automation tools and terminates execution if detected. Subsequently, it scrutinizes if the browser window has undergone significant manipulation to determine if the environment is being monitored. Additionally, it inspects for specific WordPress cookies to halt further actions if the user is logged into a WordPress site. If none of these conditions apply, it establishes a mouse movement event listener, tr]]> 2024-05-10T16:50:08+00:00 https://community.riskiq.com/article/c5bf96a0 www.secnews.physaphae.fr/article.php?IdArticle=8497333 False Malware,Tool,Threat None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) The Darkgate Menace: Tireing AutoHotKey et tenter d'échapper à SmartScreen<br>The DarkGate Menace: Leveraging Autohotkey & Attempt to Evade Smartscreen 2024-05-09T16:44:05+00:00 https://community.riskiq.com/article/1db83f2c www.secnews.physaphae.fr/article.php?IdArticle=8496697 False Malware,Vulnerability,Threat,Cloud None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Mises à jour de Hijackloader<br>HijackLoader Updates ## Snapshot Researchers at Zscaler have published a report about the evolution of HijackLoader, a malware loader, and its new evasion tactics. ## Description HijackLoader, also known as IDAT Loader, emerged in 2023 as a malware loader equipped with versatile modules for injecting and executing code. HijackLoader has modular architecture, an attribute that sets it apart from typical loaders.  Zscaler researchers analyzed a new HijackLoader variant that features upgraded evasion techniques. These enhancements aim to aid in the malware\'s stealth, prolonging its ability to evade detection. 
The latest version of HijackLoader introduces modules to bypass Windows Defender Antivirus, circumvent User Account Control (UAC), evade inline API hooking commonly used by security tools, and utilize process hollowing. HijackLoader\'s delivery mechanism involves utilizing a PNG image, decrypted and parsed to load the subsequent stage of the attack. HijackLoader has been observed serving as a delivery mechinism for various malware families, including Amadey, [Lumma Stealer](https://sip.security.microsoft.com/intel-profiles/33933578825488511c30b0728dd3c4f8b5ca20e41c285a56f796eb39f57531ad), Racoon Stealer v2, and Remcos RAT. ## Detections Microsoft Defender Antivirus detects threat components as the following malware: - [Trojan:Win32/HijackLoader](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/HijackLoader.AHJ!MTB&threatId=-2147058662) ## References [HijackLoader Updates](https://www.zscaler.com/blogs/security-research/hijackloader-updates). Zscaler (accessed 2024-05-09)]]> 2024-05-09T16:11:06+00:00 https://community.riskiq.com/article/8c997d7c www.secnews.physaphae.fr/article.php?IdArticle=8496698 False Malware,Tool,Threat None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Les pirates abusent des annonces de recherche Google pour livrer des logiciels malveillants pleins de MSI<br>Hackers Abuse Google Search Ads to Deliver MSI-Packed Malware 2024-05-09T00:49:06+00:00 https://community.riskiq.com/article/1f1ae96f www.secnews.physaphae.fr/article.php?IdArticle=8496261 False Ransomware,Malware,Tool,Threat,Prediction,Cloud None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Les pirates exploitent activement les vulnérabilités d'Ivanti Pulse Secure<br>Hackers Actively Exploiting Ivanti Pulse Secure Vulnerabilities ## Snapshot Juniper Threat Labs has reported that attackers are actively exploiting vulnerabilities in Ivanti Pulse Secure VPN appliances.  
**Read more about Microsoft\'s coverage of [CVE-2023-46805 and CVE-2024-21887 here.](https://sip.security.microsoft.com/intel-profiles/cve-2023-46805)** ## Description The vulnerabilities, identified as CVE-2023-46805 and CVE-2024-21887, have been exploited to deliver the Mirai botnet, among other malware, posing a significant threat to network security worldwide. CVE-2023-46805 is a critical security flaw affecting Ivanti Connect Secure (ICS) and Ivanti Policy Secure gateways. This vulnerability allows remote attackers to bypass authentication mechanisms and gain unauthorized access to restricted resources. The second vulnerability, CVE-2024-21887, is a command injection flaw found in the web components of Ivanti Connect Secure and Ivanti Policy Secure. This vulnerability allows attackers to send specially crafted requests to execute arbitrary commands on the appliance. Attackers have used these vulnerabilities to deliver Mirai payloads through shell scripts.  Organizations using Ivanti Pulse Secure appliances are urged to apply the provided patches immediately and review their security posture to protect against these and future vulnerabilities. ## Recommendations As of January 31, 2024 Ivanti has released patches via the standard download portal for Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1) and ZTA version 22.6R1.3. Follow the [vendor\'s guide](https://forums.ivanti.com/s/article/How-to-The-Complete-Upgrade-Guide) to upgrade to a patched version. ## References "[Hackers Actively Exploiting Ivanti Pulse Secure Vulnerabilities](https://gbhackers.com/hackers-actively-exploiting/)" GBHackers. 
(Accessed 2024-05-08)]]> 2024-05-08T19:42:50+00:00 https://community.riskiq.com/article/2d95eb1b www.secnews.physaphae.fr/article.php?IdArticle=8496119 False Malware,Vulnerability,Threat None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) JFROG Security Research découvre les attaques coordonnées contre Docker Hub qui ont planté des millions de référentiels malveillants<br>JFrog Security Research Discovers Coordinated Attacks on Docker Hub that Planted Millions of Malicious Repositories ## Snapshot JFrog Security Research has discovered three large-scale malware campaigns that targeted Docker Hub, planting millions of "imageless" repositories with malicious metadata. ## Description Docker Hub is a platform that delivers many functionalities to developers, presenting numerous opportunities for development, collaboration, and distribution of Docker images. Currently, it is the number one container platform of choice for developers worldwide. Yet, a significant concern arises when considering the content of these public repositories. The research reveals that nearly 20% of these public repositories actually hosted malicious content.  These repositories do not contain container images but instead contain metadata that is malicious. The content ranged from simple spam that promotes pirated content, to extremely malicious entities such as malware and phishing sites, uploaded by automatically generated accounts. Prior to this publication, the JFrog research team disclosed all findings to the Docker security team, including 3.2M repositories that were suspected as hosting malicious or unwanted content. The Docker security team quickly removed all of the malicious and unwanted repositories from Docker Hub ## Recommendations JFrog Security Research reccommends Users should prefer using Docker images that are marked in Docker Hub as “Trusted Content”. 
## References ["JFrog Security Research Discovers Coordinated Attacks on Docker Hub that Planted Millions of Malicious Repositories"](https://jfrog.com/blog/attacks-on-docker-with-millions-of-malicious-repositories-spread-malware-and-phishing-scams/#new_tab) JFrog. (Accessed 2024-05-07)]]> 2024-05-07T20:14:06+00:00 https://community.riskiq.com/article/64465418 www.secnews.physaphae.fr/article.php?IdArticle=8495482 False Spam,Malware None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Uncharmed: les opérations APT42 de l'Iran démêle<br>Uncharmed: Untangling Iran\\'s APT42 Operations 2024-05-06T19:54:46+00:00 https://community.riskiq.com/article/7c5aa156 www.secnews.physaphae.fr/article.php?IdArticle=8494794 False Malware,Vulnerability,Threat,Patching,Cloud APT 42 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Faits saillants hebdomadaires, 6 mai 2024<br>Weekly OSINT Highlights, 6 May 2024 2024-05-06T16:26:54+00:00 https://community.riskiq.com/article/157eab98 www.secnews.physaphae.fr/article.php?IdArticle=8494726 False Ransomware,Malware,Tool,Vulnerability,Threat None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Zloader apprend de vieilles astuces<br>ZLoader Learns Old Tricks ## Snapshot Researchers at Zscaler have published a report about the evolution of ZLoader, a modular banking trojan, and its new evasion tactics. Check out Microsoft\'s write-up on ZLoader [here](https://sip.security.microsoft.com/intel-profiles/cbcac2a1de4e52fa5fc4263829d11ba6f2851d6822569a3d3ba9669e72aff789). ## Description ZLoader, also known as Terdot, DELoader, or Silent Night, is a modular Trojan derived from leaked ZeuS source code. After nearly two years of absence, ZLoader resurfaced in September 2023 with a new version incorporating changes to its obfuscation methods, domain generation algorithm (DGA), and network communication. Recently, it has reintroduced an anti-analysis mechanism reminiscent of the original ZeuS 2.x code. 
This feature limits ZLoader\'s binary execution to the infected system, a trait that had been abandoned by many malware strains derived from the leaked source code until this recent development. ## Detections Microsoft Defender Antivirus detects threat components as the following malware: - Trojan:Win64/ZLoader - Trojan:Win32/ZLoader ## References [ZLoader Learns Old Tricks](https://www.zscaler.com/blogs/security-research/zloader-learns-old-tricks#indicators-of-compromise--iocs-). Zscaler (accessed (2024-05-03) [ZLoader](https://sip.security.microsoft.com/intel-profiles/cbcac2a1de4e52fa5fc4263829d11ba6f2851d6822569a3d3ba9669e72aff789). Microsoft (accessed 2024-05-03) # ZLZLoaderoader]]> 2024-05-03T21:17:42+00:00 https://community.riskiq.com/article/0d7c21ec www.secnews.physaphae.fr/article.php?IdArticle=8493230 False Malware,Threat None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Nouveau Goldoon Botnet ciblant les appareils D-Link<br>New Goldoon Botnet Targeting D-Link Devices ## Snapshot FortiGuard Labs has identified the emergence of the "Goldoon" botnet, which targets D-Link devices by exploiting the CVE-2015-2051 vulnerability. This allows attackers to gain complete control of vulnerable systems and launch further attacks, including distributed denial-of-service (DDoS). ## Description The botnet\'s initial infiltration involves the exploitation of CVE-2015-2051 to download a file "dropper" from a specific URL, which then downloads the botnet file using an XOR key to decrypt specific strings. The "dropper" script is programmed to automatically download, execute, and clean up potentially malicious files across various Linux system architectures. After execution, the script removes the executed file and then deletes itself to erase any trace of its activity. 
Once executed, Goldoon establishes a persistent connection with its command-and-control (C2) server and waits for commands to launch related behaviors, including various denial-of-service attacks. The malware contains 27 different methods related to various attacks, posing a significant threat to affected organizations. These methods include ICMP flooding, TCP flooding, UDP flooding, DNS flooding, HTTP bypass, HTTP flooding, and Minecraft DDoS attacks. ## References "[New Goldoon Botnet Targeting D-Link Devices](https://www.fortinet.com/blog/threat-research/new-goldoon-botnet-targeting-d-link-devices)" FortiGuard Labs. (Accessed 2024-05-03)]]> 2024-05-03T20:21:03+00:00 https://community.riskiq.com/article/de08653e www.secnews.physaphae.fr/article.php?IdArticle=8493201 False Malware,Vulnerability,Threat None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Threat Actors Attacking MS-SQL Servers to Deploy Ransomware ## Snapshot Cybersecurity professionals at GBHackers have discovered a series of cyberattacks targeting poorly managed Microsoft SQL (MS-SQL) servers to install Mallox ransomware on systems. **Read more about Microsoft's coverage of [Mallox ransomware here.](https://sip.security.microsoft.com/intel-profiles/7fbe39c998c8a495a1652ac6f8bd34852c00f97dc61278cafc56dca1d443131e)** ## Description The threat actor group's modus operandi involves exploiting vulnerabilities in improperly managed MS-SQL servers. By employing brute-force and dictionary attacks, the attackers gain unauthorized access, primarily targeting the SA (system administrator) account. Once inside, they deploy the Remcos Remote Access Tool (RAT) to take control of the infected system.
Remcos RAT, initially used for system breach and control, has been repurposed by attackers for malicious activities, featuring capabilities such as keylogging, screenshot capture, and control over webcams and microphones. Additionally, a custom-made remote screen control malware is deployed, allowing attackers to access the infected system using the AnyDesk ID obtained from the command-and-control server. Mallox ransomware, known for targeting MS-SQL servers, is then installed to encrypt the system. Mallox uses the AES-256 and SHA-256 algorithms and appends a ".rmallox" extension to encrypted files. The attack patterns observed in this campaign bear a striking resemblance to ]]> 2024-05-03T20:14:15+00:00 https://community.riskiq.com/article/f5f3ecc6 www.secnews.physaphae.fr/article.php?IdArticle=8493202 False Ransomware,Malware,Tool,Vulnerability,Threat,Technical None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Malware Campaign Attempts Abuse of Sophos Binaries 2024-05-01T20:56:45+00:00 https://community.riskiq.com/article/e27d7355 www.secnews.physaphae.fr/article.php?IdArticle=8492041 False Ransomware,Malware,Tool,Threat None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) MuddyWater Campaign Abusing Atera Agents 2024-05-01T19:01:06+00:00 https://community.riskiq.com/article/9a596ba8 www.secnews.physaphae.fr/article.php?IdArticle=8492017 False Malware,Tool,Threat,Medical,Commercial None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) From IcedID to Dagon Locker Ransomware in 29 Days ## Snapshot The DFIR Report provides a detailed account of a sophisticated intrusion that began with a phishing campaign using PrometheusTDS to distribute IcedID malware in August 2023.
## Description The IcedID malware established persistence, communicated with C2 servers, and dropped a Cobalt Strike beacon, which was used for lateral movement, data exfiltration, and ransomware deployment. The threat actor also utilized a suite of tools including Rclone, Netscan, Nbtscan, AnyDesk, Seatbelt, Sharefinder, and AdFind. The intrusion culminated in the deployment of Dagon Locker ransomware after 29 days. The threat actors employed various techniques to obfuscate the JavaScript file and the Cobalt Strike shellcode, evade detection, maintain persistence, and perform network enumeration. The threat actor's activities included the abuse of lateral movement functionality such as PsExec and Remote Desktop Protocol (RDP), exfiltration of files, dumping and exfiltration of Windows Security event logs, and the use of PowerShell commands executed from the Cobalt Strike beacon. Additionally, the threat actor employed multiple exfiltration techniques, including the use of Rclone and the AWS CLI to exfiltrate data from the compromised infrastructure. The deployment of the Dagon Locker ransomware was facilitated through a custom PowerShell script, AWScollector, and a locker module, with a specific PowerShell command run from a domain controller to deploy the ransomware to different systems. The incident resulted in all systems being affected by the Dagon Locker ransomware.
## References [https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/](https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/)]]> 2024-04-29T20:07:15+00:00 https://community.riskiq.com/article/55e96eb8 www.secnews.physaphae.fr/article.php?IdArticle=8490876 False Ransomware,Malware,Tool,Threat,Technical None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Weekly OSINT Highlights, 29 April 2024 2024-04-29T16:05:58+00:00 https://community.riskiq.com/article/aa388c3b www.secnews.physaphae.fr/article.php?IdArticle=8490778 False Ransomware,Malware,Tool,Vulnerability,Threat,Mobile,Industrial None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) ToddyCat APT Group Hones Data Exfiltration Tactics, Exploits Legitimate Tools 2024-04-26T19:12:08+00:00 https://community.riskiq.com/article/2641df15 www.secnews.physaphae.fr/article.php?IdArticle=8489234 False Ransomware,Spam,Malware,Tool,Threat,Industrial,Cloud None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Analysis of Ongoing FROZEN#SHADOW Attack Campaign Leveraging SSLoad Malware and RMM Software for Domain Takeover #### Targeted Geolocations - Central Asia - East Asia - North America - Northern Europe - South America - South Asia - Southeast Asia - Southern Europe - Western Europe - Eastern Europe - Central America and the Caribbean ## Snapshot Researchers at Securonix have discovered an ongoing attack campaign using phishing emails to deliver a malware called SSLoad. The campaign, named FROZEN#SHADOW, also involves the deployment of Cobalt Strike and the ConnectWise ScreenConnect remote desktop software.
## Description According to Securonix, FROZEN#SHADOW victim organizations appear to be targeted randomly, but are concentrated in Europe, Asia, and the Americas. The attack methodology involves the distribution of phishing emails containing links that lead to the retrieval of a JavaScript file, which initiates the infection process. Subsequently, the MSI installer connects to an attacker-controlled domain to fetch and execute the SSLoad malware payload, which then beacons to a command-and-control (C2) server along with system information. The initial reconnaissance phase sets the stage for the deployment of Cobalt Strike, a legitimate adversary simulation tool, which is then leveraged to download and install ScreenConnect. This enables the threat actors to remotely commandeer the compromised host and achieve extensive persistence in the target environment. ## References [https://www.securonix.com/blog/securonix-threat-research-security-advisory-frozenshadow-attack-campaign/](https://www.securonix.com/blog/securonix-threat-research-security-advisory-frozenshadow-attack-campaign/) [https://thehackernews.com/2024/04/researchers-detail-multistage-attack.html](https://thehackernews.com/2024/04/researchers-detail-multistage-attack.html)]]> 2024-04-26T17:25:03+00:00 https://community.riskiq.com/article/e39d9bb3 www.secnews.physaphae.fr/article.php?IdArticle=8489190 False Malware,Threat None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Ransomware Roundup - KageNoHitobito and DoNex 2024-04-26T17:23:14+00:00 https://community.riskiq.com/article/ff848e92 www.secnews.physaphae.fr/article.php?IdArticle=8489191 False Ransomware,Malware,Tool,Threat None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) New Brokewell Malware Takes Over Android Devices ## Snapshot ThreatFabric analysts have discovered a new mobile malware family called "Brokewell" that poses a
significant threat to the banking industry. The malware is equipped with both data-stealing and remote-control capabilities, allowing attackers to gain remote access to all assets available through mobile banking. ## Description Brokewell uses overlay attacks to capture user credentials and can steal cookies by launching its own WebView. The malware also supports a variety of "spyware" functionalities, including collecting information about the device, call history, geolocation, and recording audio. After stealing the credentials, the actors can initiate a Device Takeover attack using remote control capabilities, giving them full control over the infected device. The malware is in active development, with new commands added almost daily. ThreatFabric analysts discovered a fake browser update page designed to install an Android application that was used to distribute the malware. The malware is believed to be promoted on underground channels as a rental service, attracting the interest of other cybercriminals and sparking new campaigns targeting different regions.
## References [https://www.threatfabric.com/blogs/brokewell-do-not-go-broke-by-new-banking-malware](https://www.threatfabric.com/blogs/brokewell-do-not-go-broke-by-new-banking-malware) [https://www.bleepingcomputer.com/news/security/new-brokewell-malware-takes-over-android-devices-steals-data/](https://www.bleepingcomputer.com/news/security/new-brokewell-malware-takes-over-android-devices-steals-data/)]]> 2024-04-25T18:53:33+00:00 https://community.riskiq.com/article/99a5deee www.secnews.physaphae.fr/article.php?IdArticle=8488684 False Malware,Threat,Mobile None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) ArcaneDoor - New Espionage-Focused Campaign Found Targeting Perimeter Network Devices ## Snapshot Cisco Talos reports that the ArcaneDoor campaign, attributed to the state-sponsored actor UAT4356 (tracked by Microsoft as Storm-1849), targets perimeter network devices from multiple vendors, particularly Cisco Adaptive Security Appliances (ASA). Microsoft tracks this actor as Storm-1849; [read more about them here.](https://sip.security.microsoft.com/intel-profiles/f3676211c9f06910f7f1f233d81347c1b837bddd93292c2e8f2eb860a27ad8d5)]]> 2024-04-24T19:34:05+00:00 https://community.riskiq.com/article/a0cf0328 www.secnews.physaphae.fr/article.php?IdArticle=8488184 False Malware,Tool,Vulnerability,Threat None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Kapeka: A Novel Backdoor Spotted in Eastern Europe #### Targeted Geolocations - Ukraine - Estonia - Eastern Europe ## Snapshot WithSecure has published research about a backdoor called "Kapeka," tracked by Microsoft as "KnuckleTouch," used in attacks in Eastern Europe since mid-2022. Kapeka functions as a versatile backdoor, providing both initial toolkit capabilities and long-term access to victims.
Its sophistication suggests involvement by an APT group. WithSecure links Kapeka to Sandworm, tracked by Microsoft as Seashell Blizzard, a notorious Russian nation-state threat group associated with the GRU and known for destructive attacks in Ukraine. **Microsoft tracks Sandworm as Seashell Blizzard.** [Read more about Seashell Blizzard here.](https://sip.security.microsoft.com/intel-profiles/cf1e406a16835d56cf614430aea3962d7ed99f01ee3d9ee3048078288e5201bb) **Microsoft tracks Kapeka as KnuckleTouch.** [Read more about KnuckleTouch here.](https://sip.security.microsoft.com/intel-profiles/cdbe72d9f5f1ee3b3f8cd4e78a4a07f76addafdcc656aa2234a8051e8415d282) ## Description Kapeka overlaps with GreyEnergy and Prestige ransomware attacks, all attributed to Sandworm. WithSecure assesses it is likely that Kapeka is a recent addition to Sandworm's arsenal. The malware's dropper installs the backdoor, which collects machine and user information for the threat actor. However, the method of Kapeka's distribution remains unknown. Kapeka's emergence coincides with the Russia-Ukraine conflict, suggesting targeted attacks across Central and Eastern Europe since 2022. It may have been involved in the deployment of Prestige ransomware in late 2022. Kapeka is speculated to succeed GreyEnergy in Sandworm's toolkit, possibly replacing BlackEnergy. ## References [https://labs.withsecure.com/publications/kapeka](https://labs.withsecure.com/publications/kapeka)]]> 2024-04-23T16:31:06+00:00 https://community.riskiq.com/article/364efa92 www.secnews.physaphae.fr/article.php?IdArticle=8487526 False Ransomware,Malware,Threat None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Threat Group FIN7 Targets the U.S. Automotive Industry #### Targeted Geolocations - United States ## Snapshot In late 2023, BlackBerry analysts detected a spear-phishing campaign launched by FIN7, tracked by Microsoft as Sangria Tempest, targeting a US-based automotive manufacturer.
## Description The attackers concentrated on employees within the IT department who held elevated administrative privileges, luring them with an offer of a free IP scanning tool that concealed the Anunak backdoor. This incident demonstrates a shift in FIN7's efforts from widespread targeting to more precise targeting of high-value sectors such as transportation and defense. Upon clicking on embedded URLs, victims were directed to malicious websites, part of a typosquatting scheme, which facilitated the download and execution of the Anunak backdoor onto their systems. The use of living-off-the-land binaries, scripts, and libraries (LOLBAS) masked the malicious activity, aiding the attackers' initial foothold. Furthermore, the malware execution flow involved intricate multi-stage processes, including the decryption and execution of payloads such as Anunak and the establishment of persistence through OpenSSH. During the delivery phase of this campaign, the fake lure website, “advanced-ip-sccanner[.]com,” redirected to “myipscanner[.]com.” BlackBerry analysts found multiple domains registered within minutes of the original on the same provider, indicating that this activity is likely not limited to this attack but is instead part of a wider campaign by FIN7.
## References [https://blogs.blackberry.com/en/2024/04/fin7-targets-the-united-states-automotive-industry](https://blogs.blackberry.com/en/2024/04/fin7-targets-the-united-states-automotive-industry)]]> 2024-04-18T20:37:30+00:00 https://community.riskiq.com/article/e14e343c www.secnews.physaphae.fr/article.php?IdArticle=8484949 False Malware,Tool,Threat None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Weekly OSINT Highlights, 15 April 2024 2024-04-15T15:15:00+00:00 https://community.riskiq.com/article/c2035b32 www.secnews.physaphae.fr/article.php?IdArticle=8482834 False Ransomware,Spam,Malware,Tool,Threat,Prediction None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) GitHub Exploited in Malware Distribution Campaigns through Search Manipulation ## Snapshot Checkmarx reports a recent attack campaign in which cybercriminals manipulated GitHub's search functionality and used repositories to distribute malware. ## Description The attackers created repositories with popular names and topics, using techniques like automated updates and fake accounts that added fake stargazers to projects to boost search rankings and deceive users. Malicious code was hidden within Visual Studio project files to evade detection, automatically executing when the project is built. The attackers also padded the executable with many zeros, a technique used to artificially boost the file size. Checkmarx reports that the padded executable shares similarities with the "Keyzetsu clipper" malware, which targets cryptocurrency wallets. The malware establishes persistence on infected Windows machines by creating a scheduled task that runs the malicious executable daily at 4 AM without user confirmation.
## Recommendations To avoid falling victim to similar attacks, Checkmarx recommends watching for the following suspicious properties of a repository: 1. Commit frequency: Does the repo have an extraordinary number of commits relative to its age? Are these commits changing the same file with very minor changes? 2. Stargazers: Who is starring this repo? Do most of the stargazers appear to have had accounts created around the same time? By being aware of these red flags, users can better protect themselves from inadvertently downloading and executing malware. ## References [https://checkmarx.com/blog/new-technique-to-trick-developers-detected-in-an-open-source-supply-chain-attack/#new_tab](https://checkmarx.com/blog/new-technique-to-trick-developers-detected-in-an-open-source-supply-chain-attac]]> 2024-04-12T19:25:21+00:00 https://community.riskiq.com/article/4d0ffb2c www.secnews.physaphae.fr/article.php?IdArticle=8480952 False Malware None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) TA547 Targets German Organizations with Rhadamanthys Stealer #### Targeted Geolocations - Germany ## Snapshot Proofpoint has identified TA547 launching an email campaign targeting German organizations with Rhadamanthys malware, marking the first known use of Rhadamanthys by this threat actor. The campaign involved impersonating a German retail company in emails containing password-protected ZIP files purportedly related to invoices, targeting multiple industries in Germany. ## Description The ZIP files contained LNK files which, when executed, triggered a PowerShell script that ran a remote script loading Rhadamanthys into memory, avoiding writes to disk. The PowerShell script displayed characteristics suggestive of machine-generated content, potentially from large language models (LLMs).
The recent campaign in Germany represents a shift in techniques for TA547, including the use of compressed LNKs and the previously unobserved Rhadamanthys stealer. The incorporation of suspected LLM-generated content into the attack chain provides insight into how threat actors are leveraging LLM-generated content in malware campaigns, although it did not change the functionality or efficacy of the malware or the way security tools defended against it. ## Recommendations [Check out Microsoft's write-up on information stealers here.](https://sip.security.microsoft.com/intel-profiles/2296d491ea381b532b24f2575f9418d4b6723c17b8a1f507d20c2140a75d16d6) [Check out additional OSINT on Rhadamanthys here.](https://sip.security.microsoft.com/intel-explorer/articles/0131b256) ## References [https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta547-targets-german-organizations-rhadamanthys-stealer](https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta547-targets-german-organizations-rhadamanthys-stealer)]]> 2024-04-12T18:11:30+00:00 https://community.riskiq.com/article/119bde85 www.secnews.physaphae.fr/article.php?IdArticle=8480922 False Malware,Tool,Threat None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Cybercriminal Campaign Spreads Infostealers, Highlighting Risks to Web3 Gaming ## Snapshot The Insikt Group has uncovered a large-scale Russian-language cybercrime operation that leverages fake Web3 gaming projects to distribute infostealer malware targeting both macOS and Windows users. ## Description These Web3 games, based on blockchain technology, entice users with the potential for cryptocurrency earnings. The campaign involves creating imitation Web3 gaming projects with minor modifications to appear legitimate, along with fake social media accounts to enhance their credibility.
Upon visiting the main webpages of these projects, users are prompted to download malware such as Atomic macOS Stealer (AMOS), Stealc, Rhadamanthys, or RisePro, depending on their operating system. The threat actors have established a resilient infrastructure and are targeting Web3 gamers, exploiting their potential lack of cyber hygiene in pursuit of financial gain. The malware variants, including AMOS, are capable of infecting both Intel and Apple M1 Macs, indicating a broad vulnerability among users. The primary objective of the campaign appears to be the theft of cryptocurrency wallets, posing a significant risk to financial security. The threat actors' Russian origin is hinted at by artifacts within the HTML code, although their exact location remains uncertain. ## References [https://www.recordedfuture.com/cybercriminal-campaign-spreads-infostealers-highlighting-risks-to-web3-gaming](https://www.recordedfuture.com/cybercriminal-campaign-spreads-infostealers-highlighting-risks-to-web3-gaming)]]> 2024-04-11T19:26:57+00:00 https://community.riskiq.com/article/0cdc08b5 www.secnews.physaphae.fr/article.php?IdArticle=8480234 False Malware,Vulnerability,Threat None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Threat Actors Hack YouTube Channels to Distribute Infostealers (Vidar and LummaC2) ## Snapshot The AhnLab Security Intelligence Center (ASEC) has identified a concerning trend in which threat actors are exploiting YouTube channels to distribute infostealers, specifically Vidar and LummaC2. ## Description Rather than creating new channels, the attackers are hijacking existing, popular channels with hundreds of thousands of subscribers. The malware is disguised as cracked versions of legitimate software, and the attackers use YouTube's video descriptions and comments to distribute the malicious links.
The Vidar malware, for example, is disguised as an installer for Adobe software, and it communicates with its command-and-control (C&C) server via Telegram and Steam Community. Similarly, LummaC2 is distributed under the guise of cracked commercial software and is designed to steal account credentials and cryptocurrency wallet files. The threat actors' method of infiltrating well-known YouTube channels with a large subscriber base raises concerns about the potential reach and impact of the distributed malware. The disguised malware is often compressed with password protection to evade detection by security solutions. It is crucial for users to exercise caution when downloading software from unofficial sources and to ensure that their security software is up to date to prevent malware infections. ## References [https://asec.ahnlab.com/en/63980/](https://asec.ahnlab.com/en/63980/)]]> 2024-04-09T19:48:57+00:00 https://community.riskiq.com/article/e9f5e219 www.secnews.physaphae.fr/article.php?IdArticle=8478894 False Malware,Hack,Threat,Prediction,Commercial None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Weekly OSINT Highlights, 8 April 2024 2024-04-08T15:09:15+00:00 https://community.riskiq.com/article/974639f2 www.secnews.physaphae.fr/article.php?IdArticle=8478203 False Ransomware,Spam,Malware,Tool,Threat,Cloud APT 41 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Same targets, new playbooks: East Asia threat actors employ unique methods 2024-04-05T13:39:39+00:00 https://community.riskiq.com/article/b4f39b04 www.secnews.physaphae.fr/article.php?IdArticle=8476526 False Malware,Tool,Vulnerability,Threat,Studies,Industrial,Prediction,Technical Guam 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Earth Freybug Uses UNAPIMON for Unhooking Critical APIs #### Description Trend
Micro analyzed a cyberespionage attack the company has attributed to Earth Freybug, a subset of APT41 (tracked by Microsoft as [Brass Typhoon](https://sip.security.microsoft.com/intel-profiles/f0aaa62bfbaf3739bb92106688e6a00fc05eafc0d4158b0e389b4078112d37c6?)). According to Trend Micro, Earth Freybug has been active since at least 2012, and the Chinese-linked group has conducted both espionage and financially motivated attacks. Earth Freybug employs diverse tools like LOLBins and custom malware, targeting organizations globally. The attack used techniques like dynamic link library (DLL) hijacking and API unhooking to avoid monitoring of a new malware called UNAPIMON. UNAPIMON evades detection by preventing child processes from being monitored. The attack flow involved creating remote scheduled tasks and executing reconnaissance commands to gather system information. Subsequently, a backdoor was launched using DLL side-loading via a service called SessionEnv, which loads a malicious DLL. UNAPIMON, the injected DLL, uses API unhooking to evade monitoring and execute malicious commands undetected, showcasing the attackers' sophistication. [Check out Microsoft's write-up on dynamic-link library (DLL) hijacking here.](https://sip.security.microsoft.com/intel-explorer/articles/91be20e8?) #### Reference URL(s) 1. https://www.trendmicro.com/en_us/research/24/d/earth-freybug.html #### Publication Date April 2, 2024 #### Author(s) Christopher So]]> 2024-04-03T20:46:53+00:00 https://community.riskiq.com/article/327771c8 www.secnews.physaphae.fr/article.php?IdArticle=8475473 False Malware,Tool,Prediction APT 41 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Malware Spotlight: Linodas aka DinodasRAT for Linux #### Description Check Point Research has analyzed the latest Linux version (v11) of DinodasRAT, a cross-platform backdoor that has been observed in attacks by the Chinese threat actor LuoYu.
The malware is more mature than the Windows version, with a set of capabilities tailored specifically for Linux servers. The latest version introduces a separate evasion module to hide any traces of the malware on the system by proxying and modifying the execution of system binaries. The malware is installed on Linux servers as a way for the threat actors to gain an additional foothold in the network. DinodasRAT was initially based on the open-source project SimpleRemoter, a remote access tool based on Gh0st RAT, but with several additional upgrades. #### Reference URL(s) 1. https://research.checkpoint.com/2024/29676/ #### Publication Date March 31, 2024 #### Author(s) Check Point Research ]]> 2024-04-02T20:33:27+00:00 https://community.riskiq.com/article/57ab8662 www.secnews.physaphae.fr/article.php?IdArticle=8474837 False Malware,Tool,Threat None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) "Hey, This Isn't the Right Site!" Distribution of Malware Exploiting Google Ads Tracking
#### Description AhnLab Security Intelligence Center (ASEC) discovered Rhadamanthys, an information stealer, using Google Ads tracking to distribute itself, posing as installers for popular groupware like Notion and Slack. The malware downloads malicious files after installation, often distributed through Inno Setup or NSIS installers. The attackers utilized Google Ads tracking to lead users to a malicious site, taking advantage of the platform's ability to insert external analytics website addresses. Clicking on the ads redirected users to a site that tricked them into downloading the malware, ultimately injecting Rhadamanthys into legitimate Windows files for data theft. > [Check out Microsoft's write-up on information stealers here.](https://sip.security.microsoft.com/intel-profiles/2296d491ea381b532b24f2575f9418d4b6723c17b8a1f507d20c2140a75d16d6?) > [Check out previous OSINT reporting on Rhadamanthys here.](https://sip.security.microsoft.com/intel-explorer/articles/463afcea) #### Reference URL(s) 1. https://asec.ahnlab.com/en/63477/ #### Publication Date March 31, 2024 #### Author(s) AhnLab Security Intelligence Center ]]>
2024-04-01T22:00:49+00:00 https://community.riskiq.com/article/bf8b5bc1 www.secnews.physaphae.fr/article.php?IdArticle=8474308 False Malware None 2.0000000000000000
RiskIQ - cyber risk firms (now microsoft) Weekly OSINT Highlights, 1 April 2024 2024-04-01T13:51:22+00:00 https://community.riskiq.com/article/0bb98406 www.secnews.physaphae.fr/article.php?IdArticle=8474062 False Ransomware,Spam,Malware,Tool,Vulnerability,Threat,Mobile,Cloud None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Android Malware Vultur Expands Its Wingspan #### Description The authors behind the Android banking malware Vultur have been spotted adding new technical features, which allow the malware operator to interact remotely with the victim's mobile device to a greater degree. Vultur has also started masking more of its malicious activity by encrypting its C2 communication, using multiple encrypted payloads that are decrypted on the fly, and using the guise of legitimate applications to carry out its malicious actions. #### Reference URL(s) 1. https://research.nccgroup.com/2024/03/28/android-malware-vultur-expands-its-wingspan/ #### Publication Date March 28, 2024 #### Author(s) Joshua Kamp ]]> 2024-03-28T19:11:03+00:00 https://community.riskiq.com/article/3f7c3599 www.secnews.physaphae.fr/article.php?IdArticle=8472213 False Malware,Mobile,Technical None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Sign1 Malware: Analysis, Campaign History & Indicators of Compromise #### Description A new malware campaign called Sign1 has been discovered by Sucuri and GoDaddy Infosec. The malware has been found on over 2,500 sites in the past two months. The malware is injected into WordPress custom HTML widgets that the attackers add to compromised websites, using the legitimate Simple Custom CSS and JS plugin. The malware is designed to redirect visitors to scam sites.
The malware is time-based and uses dynamic JavaScript code to generate URLs that change every 10 minutes. The malware specifically checks whether the visitor has arrived from a major website such as Google, Facebook, Yahoo, or Instagram. If the referrer does not match one of these major sites, the malware will not execute. #### Reference URL(s) 1. https://blog.sucuri.net/2024/03/sign1-malware-analysis-campaign-history-indicators-of-compromise.html #### Publication Date March 20, 2024 #### Author(s) Ben Martin ]]> 2024-03-26T19:39:28+00:00 https://community.riskiq.com/article/063f7fac www.secnews.physaphae.fr/article.php?IdArticle=8470965 False Malware Yahoo 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Large-Scale StrelaStealer Campaign in Early 2024 #### Description StrelaStealer is a malware that targets email clients to steal login data, sending it to the attacker's server for potential further attacks. Since StrelaStealer's emergence in 2022, the threat actor has launched multiple large-scale email campaigns, with its most recent campaigns impacting over 100 organizations across the EU and U.S. Attackers have targeted organizations in a variety of industries, but organizations in the high-tech industry have been the biggest target. Technical analysis of StrelaStealer reveals an evolving infection chain using ZIP attachments, JScript files, and updated DLL payloads, demonstrating the malware's adaptability and the challenge it poses to security analysts and products. #### Reference URL(s) 1.
https://unit42.paloaltonetworks.com/strelastealer-campaign/ #### Publication Date March 22, 2024 #### Author(s) Benjamin Chang, Goutam Tripathy, Pranay Kumar Chhaparwal, Anmol Maurya, and Vishwa Thothathri]]> 2024-03-26T17:11:47+00:00 https://community.riskiq.com/article/82785858 www.secnews.physaphae.fr/article.php?IdArticle=8470906 False Malware,Threat,Technical None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Faits saillants hebdomadaires, 25 mars 2024<br>Weekly OSINT Highlights, 25 March 2024 2024-03-25T13:28:48+00:00 https://community.riskiq.com/article/95f9e604 www.secnews.physaphae.fr/article.php?IdArticle=8470186 False Ransomware,Spam,Malware,Tool,Vulnerability,Threat None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Malware de formbook<br>FormBook Malware [Consultez la rédaction de Microsoft \\ sur les voleurs d'informations ici.] (Https://sip.security.microsoft.com/intel-Profils / 2296d491ea381b532b24f2575f9418d4b6723c17b8a1f507d20c2140a75d16d6?) #### URL de référence (s) 1. https://www.rewterz.com/rewterz-news/rewterz-threat-lert-formbook-malware-active-iocs-98 #### Date de publication 21 mars 2024 #### Auteurs) Rewterz
#### Description FormBook, an information stealer (infostealer) malware discovered in 2016, has various capabilities such as tracking keystrokes, accessing files, capturing screenshots, and stealing passwords from web browsers. It can execute additional malware as directed by a command-and-control server and is adept at evading detection through techniques like code obfuscation and encryption. FormBook\'s flexibility allows customization for specific targets and its obfuscation methods make removal challenging. Cybercriminals distribute FormBook through email attachments like PDFs and Office Documents, with notable use during the 2022 Russia-Ukraine conflict. FormBook\'s successor, XLoader, is currently active. > [Check out Microsoft\'s write-up on information stealers here.](https://sip.security.microsoft.com/intel-profiles/2296d491ea381b532b24f2575f9418d4b6723c17b8a1f507d20c2140a75d16d6?) #### Reference URL(s) 1. https://www.rewterz.com/rewterz-news/rewterz-threat-alert-formbook-malware-active-iocs-98 #### Publication Date March 21, 2024 #### Author(s) Rewterz]]>
2024-03-21T19:45:35+00:00 https://community.riskiq.com/article/7b321c6c www.secnews.physaphae.fr/article.php?IdArticle=8468091 False Malware None 3.0000000000000000
### Operation PhantomBlu: New and Evasive Method Delivers NetSupport RAT
Source: RiskIQ - cyber risk firms (now Microsoft)

#### Description
Perception Point's security researchers uncovered the PhantomBlu campaign targeting US-based organizations, deploying the NetSupport RAT through sophisticated evasion techniques and social engineering tactics. The attackers used legitimate features of remote administration tools, such as NetSupport Manager, for malicious activities like surveillance, keylogging, file transfer, and system control. The campaign leveraged OLE template manipulation in Microsoft Office documents to hide and execute malicious code, evading traditional security systems. Through analysis of phishing emails and payloads, the researchers identified the attackers' preference for using reputable email delivery platforms and their intricate PowerShell dropper techniques. The PhantomBlu operation represents an evolution in malware delivery strategies, blending advanced evasion methods with social engineering to compromise targeted organizations effectively.

#### Reference URL(s)
1. https://perception-point.io/blog/operation-phantomblu-new-and-evasive-method-delivers-netsupport-rat/

#### Publication Date
March 18, 2024

#### Author(s)
Ariel Davidpur

Feed entry: 2024-03-19T21:16:06+00:00 | https://community.riskiq.com/article/356f4d44 | www.secnews.physaphae.fr/article.php?IdArticle=8466954
Tags: Malware, Tool

### FakeBat Delivered via Several Active Malvertising Campaigns
Source: RiskIQ - cyber risk firms (now Microsoft)

#### Description
Malwarebytes has reported that the number of search-based malvertising incidents almost doubled in February 2024. One malware family that has been tracked is FakeBat, which uses MSIX installers packaged with heavily obfuscated PowerShell code. The malvertiser distributing the malware was abusing URL shortener services, but has now started to use legitimate websites that appear to have been compromised. The latest campaigns are targeting many different brands, including OneNote, Epic Games, Ginger, and the Braavos smart wallet application. Each downloaded file is an MSIX installer signed with a valid digital certificate, and once extracted, each installer contains more or less the same files with a particular PowerShell script. When the installer is run, this PowerShell script executes and connects to the attacker's command and control server. The threat actor is able to serve a conditional redirect to their own malicious site, and victims of interest are cataloged for further use. The full infection chain is summarized in the web traffic image shown in the article. The malware distributors are able to bypass Google's security checks and redirect victims to deceptive websites.

#### Reference URL(s)
1. https://www.malwarebytes.com/blog/threat-intelligence/2024/03/fakebat-delivered-via-several-active-malvertising-campaigns

#### Publication Date
March 12, 2024

#### Author(s)
Jérôme Segura

Feed entry: 2024-03-19T19:15:33+00:00 | https://community.riskiq.com/article/7cc81ecb | www.secnews.physaphae.fr/article.php?IdArticle=8466898
Tags: Malware, Threat

### Infostealer Disguised as Adobe Reader Installer
Source: RiskIQ - cyber risk firms (now Microsoft)

#### Description
AhnLab Security Intelligence Center (ASEC) recently discovered the distribution of an infostealer disguised as the Adobe Reader installer. The threat actor distributes the file as a PDF, prompting users to download and run the file. The fake PDF file is written in Portuguese, and its message tells users to download Adobe Reader and install it. By telling users that Adobe Reader is required to open the file, it prompts them to download and install the malware.

#### Reference URL(s)
1. https://asec.ahnlab.com/en/62853/

#### Publication Date
March 11, 2024

#### Author(s)
ASEC

Feed entry: 2024-03-18T15:42:59+00:00 | https://community.riskiq.com/article/b2bef56a | www.secnews.physaphae.fr/article.php?IdArticle=8466155
Tags: Malware, Threat

### Weekly OSINT Highlights, 18 March 2024
Source: RiskIQ - cyber risk firms (now Microsoft)
Feed entry: 2024-03-18T13:23:03+00:00 | https://community.riskiq.com/article/54f79303 | www.secnews.physaphae.fr/article.php?IdArticle=8466085
Tags: Ransomware, Spam, Malware, Tool, Threat, Prediction

### Distribution of MSIX Malware Disguised as Notion Installer
Source: RiskIQ - cyber risk firms (now Microsoft)

#### Description
A new MSIX malware disguised as the Notion installer is being distributed through a website that looks similar to the actual Notion homepage. The file is a Windows app installer signed with a valid certificate. Upon running the file, the user gets a pop-up; upon clicking the Install button, Notion is installed on the PC, which is infected with malware at the same time.

#### Reference URL(s)
1. https://asec.ahnlab.com/en/62815/

#### Publication Date
March 10, 2024

#### Author(s)
Anh Ho, Facundo Muñoz, Marc-Etienne M.Léveillé

Feed entry: 2024-03-11T20:06:53+00:00 | https://community.riskiq.com/article/f21ac4ec | www.secnews.physaphae.fr/article.php?IdArticle=8462305
Tags: Malware

### Weekly OSINT Highlights, 11 March 2024
Source: RiskIQ - cyber risk firms (now Microsoft)
Feed entry: 2024-03-11T13:43:18+00:00 | https://community.riskiq.com/article/0d210725 | www.secnews.physaphae.fr/article.php?IdArticle=8462154
Tags: Ransomware, Malware, Tool, Vulnerability, Threat, Prediction, Cloud

### Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities
Source: RiskIQ - cyber risk firms (now Microsoft)

#### Description
Check Point reports that Magnet Goblin is a financially motivated threat actor that quickly adopts and leverages 1-day vulnerabilities in public-facing services as an initial infection vector. In at least one case, Ivanti Connect Secure VPN (CVE-2024-21887), the exploit entered the group's arsenal within one day of a POC being published. The group has targeted Ivanti, Magento, Qlik Sense, and possibly Apache ActiveMQ. Analysis of the actor's recent Ivanti Connect Secure VPN campaign revealed a novel Linux version of a malware called NerbianRAT, in addition to WARPWIRE, a JavaScript credential stealer. The actor's arsenal also includes MiniNerbian, a small Linux backdoor, and remote monitoring and management (RMM) tools for Windows like ScreenConnect and AnyDesk.

#### Reference URL(s)
1. https://research.checkpoint.com/2024/magnet-goblin-targets-publicly-facing-servers-using-1-day-vulnerabilities/

#### Publication Date
March 8, 2024

#### Author(s)
Check Point

Feed entry: 2024-03-08T17:30:16+00:00 | https://community.riskiq.com/article/11616c16 | www.secnews.physaphae.fr/article.php?IdArticle=8460926
Tags: Malware, Tool, Vulnerability, Threat

### Spinning YARN - A New Linux Malware Campaign Targets Docker, Apache Hadoop, Redis and Confluence
Source: RiskIQ - cyber risk firms (now Microsoft)

#### Description
Cado Security Labs researchers have recently encountered an emerging malware campaign targeting misconfigured servers running web-facing services. The campaign utilises a number of unique and unreported payloads, including four Golang binaries, that serve as tools to automate the discovery and infection of hosts running the above services. The attackers leverage these tools to issue exploit code, taking advantage of common misconfigurations and exploiting an n-day vulnerability, to conduct Remote Code Execution (RCE) attacks and infect new hosts. Once initial access is achieved, a series of shell scripts and general Linux attack techniques are used to deliver a cryptocurrency miner, spawn a reverse shell and enable persistent access to the compromised hosts.

#### Reference URL(s)
1. https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/

#### Publication Date
March 6, 2024

#### Author(s)
Matt Muir

Feed entry: 2024-03-06T21:12:22+00:00 | https://community.riskiq.com/article/68797fe5 | www.secnews.physaphae.fr/article.php?IdArticle=8460028
Tags: Malware, Tool, Vulnerability, Threat

### Weekly OSINT Highlights, 4 March 2024
Source: RiskIQ - cyber risk firms (now Microsoft)
Feed entry: 2024-03-06T01:05:06+00:00 | https://community.riskiq.com/article/1fe95f7f | www.secnews.physaphae.fr/article.php?IdArticle=8459610
Tags: Ransomware, Spam, Malware, Tool, Threat, Legislation, Medical

### Staying ahead of threat actors in the age of AI
Source: RiskIQ - cyber risk firms (now Microsoft)
Feed entry: 2024-03-05T19:03:47+00:00 | https://community.riskiq.com/article/ed40fbef | www.secnews.physaphae.fr/article.php?IdArticle=8459485
Tags: Ransomware, Malware, Tool, Vulnerability, Threat, Studies, Medical, Technical | Entities: ChatGPT, APT 28, APT 4

### New Wave of SocGholish Infections Impersonates WordPress Plugins
Source: RiskIQ - cyber risk firms (now Microsoft)

#### Description
A new wave of SocGholish malware infections has been identified, targeting WordPress websites. The malware campaign leverages a JavaScript malware framework that has been in use since at least 2017. The malware attempts to trick unsuspecting users into downloading what is actually a Remote Access Trojan (RAT) onto their computers, which is often the first stage in a ransomware infection. The infected sites were compromised through hacked wp-admin administrator accounts.

#### Reference URL(s)
1. https://blog.sucuri.net/2024/03/new-wave-of-socgholish-infections-impersonates-wordpress-plugins.html

#### Publication Date
March 1, 2024

#### Author(s)
Ben Martin

Feed entry: 2024-03-04T20:21:51+00:00 | https://community.riskiq.com/article/0218512b | www.secnews.physaphae.fr/article.php?IdArticle=8459000
Tags: Ransomware, Malware

### TimbreStealer Campaign Targets Mexican Users with Financial Lures
Source: RiskIQ - cyber risk firms (now Microsoft)

#### Description
Talos has observed a phishing spam campaign targeting potential victims in Mexico, luring users to download a new obfuscated information stealer Talos is calling TimbreStealer, which has been active since at least November 2023. It contains several embedded modules used for orchestration, decryption and protection of the malware binary. This threat actor was observed distributing TimbreStealer via a spam campaign using Mexican tax-related themes starting in at least November 2023. The threat actor has previously used similar tactics, techniques and procedures (TTPs) to distribute a banking trojan known as "Mispadu."

#### Reference URL(s)
1. https://blog.talosintelligence.com/timbrestealer-campaign-targets-mexican-users/

#### Publication Date
February 27, 2024

#### Author(s)
Guilherme Venere, Jacob Finn, Tucker Favreau, Jacob Stanfill, James Nutland

Feed entry: 2024-02-27T20:31:31+00:00 | https://community.riskiq.com/article/b61544ba | www.secnews.physaphae.fr/article.php?IdArticle=8456070
Tags: Spam, Malware, Threat

### Analysis of Nood RAT Used in Attacks Against Linux (Gh0st RAT's Variant)
Source: RiskIQ - cyber risk firms (now Microsoft)

#### Description
AhnLab Security Intelligence Center (ASEC) has discovered that Nood RAT, a variant of Gh0st RAT that works in Linux, is being used in malware attacks. Nood RAT is a backdoor malware that can receive commands from the C&C server to perform malicious activities such as downloading malicious files, stealing systems' internal files, and executing commands. Although simple in form, it is equipped with an encryption feature to avoid network packet detection. Nood RAT is developed using a builder that allows the threat actor to create an x86 or x64 binary based on the architecture and choose the binary that fits the target system. The malware has a feature that changes its name in order to disguise itself as a legitimate program; the threat actor decides the malware's fake process name during the development stage.

#### Reference URL(s)
1. https://asec.ahnlab.com/en/62144/

#### Publication Date
February 25, 2024

#### Author(s)
Sanseo

Feed entry: 2024-02-26T20:46:17+00:00 | https://community.riskiq.com/article/cc509147 | www.secnews.physaphae.fr/article.php?IdArticle=8455566
Tags: Malware, Threat

### Astaroth, Mekotio & Ousaban Abusing Google Cloud Run in LATAM-Focused Malware Campaigns
Source: RiskIQ - cyber risk firms (now Microsoft)

#### Description
Since September 2023, Cisco Talos has observed a significant increase in the volume of malicious emails leveraging the Google Cloud Run service to infect potential victims with banking trojans. The infection chains associated with these malware families feature the use of malicious Microsoft Installers (MSIs) that function as droppers or downloaders for the final malware payload(s). The distribution campaigns for these malware families are related, with Astaroth and Mekotio being distributed under the same Google Cloud Project and Google Cloud storage bucket. Ousaban is also being dropped as part of the Astaroth infection process. The malware is distributed via emails using themes related to invoices or financial and tax documents, sometimes posing as being sent from the local government tax agency in the country being targeted. The emails contain hyperlinks to Google Cloud Run, which can be identified by the use of run[.]app as the top-level domain (TLD). When victims access these hyperlinks, they are redirected to the Cloud Run web services deployed by the threat actors and delivered the components necessary to initiate the infection process.

#### Reference URL(s)
1. https://blog.talosintelligence.com/google-cloud-run-abuse/

#### Publication Date
February 20, 2024

#### Author(s)
Edmund Brumaghin, Ashley Shen, Holger Unterbrink, Guilherme Venere

Feed entry: 2024-02-23T20:51:22+00:00 | https://community.riskiq.com/article/93dd0003 | www.secnews.physaphae.fr/article.php?IdArticle=8454281
Tags: Malware, Threat, Cloud

### Coyote: A Multi-Stage Banking Trojan Abusing the Squirrel Installer
Source: RiskIQ - cyber risk firms (now Microsoft)

#### Description
A new banking Trojan named "Coyote" has been discovered, targeting users of over 60 banking institutions primarily in Brazil. It utilizes advanced techniques such as the Squirrel installer, NodeJS, and the Nim programming language to infect victims, diverging from traditional methods. The malware hides its loader within an update packager, then employs NodeJS to execute obfuscated JavaScript code and loads the final stage using Nim. Coyote persists by abusing Windows logon scripts and monitors banking applications for sensitive information, communicating with its command and control server via SSL channels. The Trojan's complexity signifies a shift towards modern technologies among cybercriminals, reflecting an increasing sophistication in the threat landscape.

#### Reference URL(s)
1. https://securelist.com/coyote-multi-stage-banking-trojan/111846/

#### Publication Date
February 8, 2024

#### Author(s)
Global Research & Analysis Team, Kaspersky Lab

Feed entry: 2024-02-16T19:33:28+00:00 | https://community.riskiq.com/article/4643beae | www.secnews.physaphae.fr/article.php?IdArticle=8451083
Tags: Malware, Threat

### Bumblebee Buzzes Back in Black | Proofpoint US
Source: RiskIQ - cyber risk firms (now Microsoft)

#### Description
Proofpoint researchers discovered the return of the Bumblebee malware on February 8, 2024, marking its reappearance after four months of absence from their threat data. Bumblebee, a sophisticated downloader utilized by various cybercriminal groups, resurfaced in a campaign targeting US organizations through emails with OneDrive URLs containing Word files posing as voicemail messages from "info@quarlesaa[.]com". These Word documents, impersonating the electronics company Humane, utilized macros to execute scripts and download malicious payloads from remote servers. The attack chain, notably employing VBA macro-enabled documents, contrasts with recent trends in cyber threats, where such macros were less commonly used. Despite the absence of attribution to a specific threat actor, Proofpoint warns of Bumblebee's potential as an initial access point for subsequent ransomware attacks. The resurgence of Bumblebee aligns with a broader trend of increased cybercriminal activity observed in 2024, marked by the return of several threat actors and malware strains after prolonged periods of dormancy, indicating a surge in cyber threats following a temporary decline.

#### Reference URL(s)
1. https://www.proofpoint.com/us/blog/threat-insight/bumblebee-buzzes-back-black

#### Publication Date
February 12, 2024

#### Author(s)
Axel F, Selena Larson, Proofpoint Threat Research Team

Feed entry: 2024-02-15T18:48:58+00:00 | https://community.riskiq.com/article/ab2bde0b | www.secnews.physaphae.fr/article.php?IdArticle=8450534
Tags: Ransomware, Malware, Threat, Prediction

### The Nine Lives of Commando Cat: Analysing a Novel Malware Campaign Targeting Docker
Source: RiskIQ - cyber risk firms (now Microsoft)

#### Description
Cado researchers have discovered a new malware campaign called "Commando Cat" that targets exposed Docker API endpoints. The campaign is a cryptojacking campaign that leverages Docker as an initial access vector and mounts the host's filesystem before running a series of interdependent payloads directly on the host. The payloads are delivered to exposed Docker API instances over the internet. The attacker instructs Docker to pull down a Docker image called cmd.cat/chattr. The cmd.cat project "generates Docker images on-demand with all the commands you need and simply point them by name in the docker run command." It is likely used by the attacker to seem like a benign tool and not arouse suspicion. The attacker then creates the container with a custom command to execute. The primary purpose of the user.sh payload is to create a backdoor in the system by adding an SSH key to the root account, as well as adding a user with an attacker-known password. The tshd.sh script is responsible for deploying TinyShell (tsh), an open-source Unix backdoor written in C. The gsc.sh script is responsible for deploying a backdoor called gs-netcat, a souped-up version of netcat that can punch through NAT and firewalls. The aws.sh script is a credential grabber that pulls credentials from a number of files on disk, as well as IMDS and environment variables. The final payload is delivered as a base64-encoded script rather than via the curl-into-bash method used previously by the malware: the base64 is echoed into base64 -d and then piped into bash.

#### Reference URL(s)
1. https://www.cadosecurity.com/the-nine-lives-of-commando-cat-analysing-a-novel-malware-campaign-targeting-docker/

#### Publication Date
February 1, 2024

#### Author(s)
Nate Bill, Matt Muir

Feed entry: 2024-02-08T20:42:07+00:00 | https://community.riskiq.com/article/1ae69360 | www.secnews.physaphae.fr/article.php?IdArticle=8448153
Tags: Malware, Tool

### VajraSpy: A Patchwork of Espionage Apps
Source: RiskIQ - cyber risk firms (now Microsoft)

#### Description
ESET researchers have discovered a new cyber espionage campaign that uses twelve Android apps carrying VajraSpy, a remote access trojan (RAT) used by the Patchwork APT group. Six of the apps were available on Google Play, and six were found on VirusTotal. The apps were advertised as messaging tools, and one posed as a news app. VajraSpy has a range of espionage functionalities that can be expanded based on the permissions granted to the app bundled with its code. It steals contacts, files, call logs, and SMS messages, but some of its implementations can even extract WhatsApp and Signal messages, record phone calls, and take pictures with the camera. The campaign targeted users mostly in Pakistan, and the threat actors likely used targeted honey-trap romance scams to lure their victims into installing the malware.

#### Reference URL(s)
1. https://www.welivesecurity.com/en/eset-research/vajraspy-patchwork-espionage-apps/

#### Publication Date
February 1, 2024

#### Author(s)
Lukas Stefanko

Feed entry: 2024-02-05T21:31:30+00:00 | https://community.riskiq.com/article/b8134bfa | www.secnews.physaphae.fr/article.php?IdArticle=8447349
Tags: Malware, Tool, Threat, Mobile

### Frog4Shell - FritzFrog Botnet Adds One-Days to Its Arsenal
Source: RiskIQ - cyber risk firms (now Microsoft)

#### Description
The Akamai Security Intelligence Group (SIG) has uncovered details about a new variant of the FritzFrog botnet, which abuses the 2021 Log4Shell vulnerability. The malware infects internet-facing servers by brute forcing weak SSH credentials. Newer variants now read several system files on compromised hosts to detect potential targets for this attack that have a high likelihood of being vulnerable. The malware now also includes a module to exploit CVE-2021-4034, a privilege escalation in the polkit Linux component. This module enables the malware to run as root on vulnerable servers.

#### Reference URL(s)
1. https://www.akamai.com/blog/security-research/fritzfrog-botnet-new-capabilities-log4shell

#### Publication Date
February 2, 2024

#### Author(s)
Ori David

Feed entry: 2024-02-02T20:03:16+00:00 | https://community.riskiq.com/article/1fe06690 | www.secnews.physaphae.fr/article.php?IdArticle=8446120
Tags: Malware, Vulnerability, Threat

### Trigona Ransomware Threat Actor Uses Mimic Ransomware
Source: RiskIQ - cyber risk firms (now Microsoft)

#### Description
AhnLab Security Intelligence Center (ASEC) has identified new activity by the Trigona ransomware threat actor installing Mimic ransomware. The attack targets MS-SQL servers and exploits the Bulk Copy Program (BCP) utility in MS-SQL servers during the malware installation process. The attacker also attempted to use malware for port forwarding to establish an RDP connection to the infected system and control it remotely. The Trigona threat actor is known to use Mimikatz to steal account credentials, and installed AnyDesk to control the infected system. Administrators must use passwords that cannot be easily guessed and change them periodically to protect database servers from brute force and dictionary attacks. V3 must also be updated to the latest version to block malware infection in advance. Administrators should also use security programs such as firewalls for database servers accessible from outside to restrict access by external threat actors.

#### Reference URL(s)
1. https://asec.ahnlab.com/en/61000/

#### Publication Date
January 29, 2024

#### Author(s)
Sanseo

Feed entry: 2024-02-01T21:40:33+00:00 | https://community.riskiq.com/article/f3fb7f61 | www.secnews.physaphae.fr/article.php?IdArticle=8445735
Tags: Ransomware, Malware, Threat

### Kimsuky Group Uses AutoIt to Create Malware (RftRAT, Amadey)
Source: RiskIQ - cyber risk firms (now Microsoft)

#### Description
The Kimsuky threat group, deemed to be supported by North Korea, has been active since 2013. At first, they attacked North Korea-related research institutes in South Korea before attacking a South Korean energy corporation in 2014. Cases of attacks against countries other than South Korea have also been identified since 2017. The group usually employs spear phishing attacks against the national defense sector, defense industries, the press, the diplomatic sector, national organizations, and academic fields to steal internal information and technology from organizations. Even until recently, the Kimsuky group was still mainly employing spear phishing attacks to gain initial access. What makes the recent attacks different from the previous cases is that more LNK shortcut-type malware is being used instead of malware in Hangul Word Processor (HWP) or MS Office document format. The threat actor led users to download a compressed file through attachments or download links within spear phishing emails. When this compressed file is decompressed, it yields a legitimate document file along with a malicious LNK file.

#### Reference URL(s)
1. https://asec.ahnlab.com/en/59590/

#### Publication Date
December 7, 2023

#### Author(s)
Sanseo

Feed entry: 2024-01-30T21:43:14+00:00 | https://community.riskiq.com/article/806c1abf | www.secnews.physaphae.fr/article.php?IdArticle=8444953
Tags: Malware, Threat

### Parrot TDS: A Persistent and Evolving Malware Campaign
Source: RiskIQ - cyber risk firms (now Microsoft)

#### Description
The Parrot TDS (Traffic Redirect System) has escalated its campaign since October 2021, employing sophisticated techniques to avoid detection and potentially impacting millions through malicious scripts on compromised websites. Identified by Unit 42 researchers, Parrot TDS injects malicious scripts into existing JavaScript code on servers, strategically profiling victims before delivering payloads that redirect browsers to malicious content. Notably, the TDS campaign exhibits a broad scope, targeting victims globally without limitations based on nationality or industry. To bolster evasion, attackers utilize multiple lines of injected JavaScript code, making it harder for security researchers to detect. The attackers, likely employing automated tools, exploit known vulnerabilities, with a focus on compromising servers using WordPress, Joomla, or other content management systems.

#### Reference URL(s)
1. https://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysis/#post-132073-_jt3yi5rhpmao

#### Publication Date
January 19, 2024

#### Author(s)
Zhanglin He, Ben Zhang, Billy Melicher, Qi Deng, Bo Qu, Brad Duncan

Feed entry: 2024-01-25T19:48:09+00:00 | https://community.riskiq.com/article/7b5d88cb | www.secnews.physaphae.fr/article.php?IdArticle=8443112
Tags: Malware, Tool, Vulnerability, Threat

### Mimo CoinMiner and Mimus Ransomware Installed via Vulnerability Attacks
Source: RiskIQ - cyber risk firms (now Microsoft)

#### Description
AhnLab Security Intelligence Center (ASEC) recently observed a CoinMiner threat actor called Mimo exploiting various vulnerabilities to install malware. Mimo, also dubbed Hezb, was first found when they installed CoinMiners through Log4Shell vulnerability exploitation in March 2022. The Mimo threat actor has installed various malware, including Mimus ransomware, proxyware, and reverse shell malware, besides the Mimo miner. The majority of the Mimo threat actor's attacks have used XMRig CoinMiner, but ransomware attack cases were also observed in 2023. The Mimus ransomware was installed with the Batch malware and was based on source code published on GitHub by the developer "mauri870", who wrote it for research purposes. That code was developed in Go, and the threat actor used it to build the ransomware they named Mimus. Mimus ransomware does not differ in any particular way from MauriCrypt's source code: only the threat actor's C&C address, wallet address, email address, and other configuration data were changed.

#### Reference URL(s)
1. https://asec.ahnlab.com/en/60440/

#### Publication Date
January 17, 2024

#### Author(s)
Sanseo

Feed entry: 2024-01-24T20:59:31+00:00 | https://community.riskiq.com/article/5a1a420b | www.secnews.physaphae.fr/article.php?IdArticle=8442691
Tags: Ransomware, Malware, Vulnerability, Threat

### MSIX Installer Malware Delivery on the Rise
Source: RiskIQ - cyber risk firms (now Microsoft)

#### Description
Starting in July 2023, Red Canary began investigating a series of attacks by adversaries leveraging MSIX files to deliver malware. MSIX is a Windows application package installation format that IT teams and developers increasingly use to deliver Windows applications within enterprises. The adversaries in each intrusion appeared to be using malicious advertising or SEO poisoning to draw in victims, who believed that they were downloading legitimate software such as Grammarly, Microsoft Teams, Notion, and Zoom. Victims span multiple industries, suggesting that the adversary's attacks are opportunistic rather than targeted.

#### Reference URL(s)
1. https://redcanary.com/blog/msix-installers/

#### Publication Date
January 16, 2024

#### Author(s)
Tony Lambert

Feed entry: 2024-01-22T20:39:42+00:00 | https://community.riskiq.com/article/e54cc50a | www.secnews.physaphae.fr/article.php?IdArticle=8441828
Tags: Malware, Threat

### Russian Threat Group COLDRIVER Expands its Targeting of Western Officials to Include the Use of Malware
Source: RiskIQ - cyber risk firms (now Microsoft)

#### Description
Russian threat group COLDRIVER, also known as UNC4057, Star Blizzard, and Callisto, has expanded its targeting of Western officials to include the use of malware. The group has been focused on credential phishing activities against high-profile individuals in NGOs, former intelligence and military officers, and NATO governments. COLDRIVER has been using impersonation accounts to establish a rapport with the target, increasing the likelihood of the phishing campaign's success, and eventually sends a phishing link or a document containing a link. COLDRIVER has been observed sending targets benign PDF documents from impersonation accounts, presenting these documents as a new op-ed or other type of article that the impersonation account is looking to publish and asking for feedback from the target. When the user opens the benign PDF, the text appears encrypted. If the target responds that they cannot read the encrypted document, the COLDRIVER impersonation account responds with a link, usually hosted on a cloud storage site, to a "decryption" utility for the target to use. This decryption utility, while also displaying a decoy document, is in fact a backdoor, tracked as SPICA, giving COLDRIVER access to the victim's machine.

#### Reference URL(s)
1. https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/

#### Publication Date
January 18, 2024

#### Author(s)
Wesley Shields

Feed entry: 2024-01-19T21:05:18+00:00 | https://community.riskiq.com/article/e41b6786 | www.secnews.physaphae.fr/article.php?IdArticle=8440784
Tags: Malware, Threat, Cloud