Virus Bulletin Profile
Virus Bulletin

@virusbtn

Followers
58,930
Following
1,440
Media
8,690
Statuses
25,214

Security information portal, testing and certification body. Organisers of the annual Virus Bulletin conference. @VirusBulletin@infosec.exchange

Oxfordshire, UK
Joined February 2010
@virusbtn
Virus Bulletin
2 years
Sophos researchers discovered that attackers had booted their target computers into Safe Mode to execute the Avos Locker ransomware. The reason? Many, if not most, endpoint security products do not run in Safe Mode.
9
134
339
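The Safe Mode trick above is worth a detection rule, because the preparatory steps are visible in process telemetry before the reboot ever happens. What follows is an added example written for this page, not Sophos's detection logic: it scans process command lines (Sysmon EventID 1 or Windows 4688 material) for a forced safe boot, for a service being registered under the SafeBoot keys so that it survives the reboot, and for a RunOnce entry staged to fire afterwards. The command lines are constructed samples, and the rule patterns, the severities and the AnyDesk/RunOnce pairing are my assumptions about how such a chain looks, not details taken from the Sophos report.

```python
import re
from dataclasses import dataclass

# Constructed sample command lines, shaped like a Sysmon EventID 1 / 4688 feed.
# They are not taken from the Sophos write-up.
SAMPLE_COMMANDS = [
    r'bcdedit /set {default} safeboot network',
    r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AnyDesk" /ve /t REG_SZ /d Service /f',
    r'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v upd /t REG_SZ /d "C:\Windows\Temp\update.exe" /f',
    r'bcdedit /set {default} bootstatuspolicy ignoreallfailures',
    r'reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal',
    r'bcdedit /deletevalue {default} safeboot',
]


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    command: str


# Heuristic patterns (my own, not vendor signatures). A doubled backslash in the
# regex matches one literal backslash in the registry path.
RULES = [
    # Forces the next boot into Safe Mode (Minimal or with networking).
    ("safeboot_enable", "high",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*?/set\b.*?\bsafeboot\s+(?:minimal|network)\b", re.I)),
    # Registers a service or driver so that it is loaded in Safe Mode too: this
    # is how remote-access tooling is kept alive through the reboot.
    ("safeboot_service_registered", "high",
     re.compile(r"\breg(?:\.exe)?\s+add\b.*?\\Control\\SafeBoot\\(?:Minimal|Network)\\", re.I)),
    # Something staged to run once after the reboot.
    ("runonce_persistence", "medium",
     re.compile(r"\breg(?:\.exe)?\s+add\b.*?\\CurrentVersion\\RunOnce\b", re.I)),
    # Cleanup: the Safe Mode flag is removed again after the payload ran.
    ("safeboot_cleared", "low",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*?/deletevalue\b.*?\bsafeboot\b", re.I)),
]


def scan(commands):
    """Return one Finding per (command, matching rule), in input order."""
    findings = []
    for cmd in commands:
        for rule, severity, pattern in RULES:
            if pattern.search(cmd):
                findings.append(Finding(rule, severity, cmd))
    return findings


def safe_mode_chain(findings):
    """True when a safe boot was forced AND something was staged to run in it.

    A lone bcdedit safeboot call can be an admin troubleshooting a driver; the
    pairing with SafeBoot service registration or RunOnce staging is the
    ransomware shape.
    """
    rules = {f.rule for f in findings}
    staged = {"safeboot_service_registered", "runonce_persistence"}
    return "safeboot_enable" in rules and bool(rules & staged)


if __name__ == "__main__":
    found = scan(SAMPLE_COMMANDS)
    for f in found:
        print(f"[{f.severity}] {f.rule}: {f.command}")
    print("Safe Mode staging chain:", safe_mode_chain(found))
```

The `reg query` line and the unrelated `bootstatuspolicy` change deliberately produce nothing: the point is to alert on the combination, not on every bcdedit invocation. The complementary hardening check is to confirm whether your own endpoint agent's service is listed under the SafeBoot\Minimal and SafeBoot\Network keys at all; if it is not, the reboot leaves the host unprotected exactly as the tweet describes.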
@virusbtn
Virus Bulletin
3 years
AT&T Alien Labs has recently discovered a cluster of Linux ELF executables with low rates of detection in VirusTotal. The files were identified as modifications of the open-source PRISM backdoor used by multiple threat actors in various campaigns.
4
137
310
@virusbtn
Virus Bulletin
9 months
The latest blog post from JPCERT/CC explains the details of, and countermeasures against, a new technique used in an attack that occurred in July, which bypasses detection by embedding a malicious Word file into a PDF file.
0
114
262
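A scanner for the PDF/Word polyglot described above, added here as an example; it is not JPCERT/CC's tooling or their YARA rule. It assumes (my reading of the technique, not something the post states) that the Word payload is glued on after the PDF's final %%EOF, so that PDF readers still see a valid PDF while Word, given a .doc extension, parses the appended MHT/XML body. The marker list, the verdict labels and the sample polyglot are all my own constructions.

```python
PDF_MAGIC = b"%PDF-"
PDF_EOF = b"%%EOF"
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # CFB header of a legacy .doc

# Byte markers that betray a Word document inside the stream. The list is my
# own; matching is case-insensitive because Word is tolerant about MHT/XML case.
# bytes.lower() leaves the non-ASCII OLE magic untouched, so it is searched as-is.
WORD_MARKERS = [
    (b"mime-version:", "mhtml_header"),        # MHT container that Word opens
    (b"<w:worddocument", "word_xml_2003"),     # Word 2003 XML body
    (b"word/document.xml", "ooxml_document"),  # zipped .docx part
    (b"word/vbaproject.bin", "ooxml_vba_project"),
    (b"_vba_project", "vba_project_stream"),   # VBA storage name in OLE / x-mso
    (OLE_MAGIC, "ole_compound_file"),
]
PDF_TRIGGERS = (b"/OpenAction", b"/AA", b"/JavaScript", b"/Launch", b"/EmbeddedFile")


def analyse(data: bytes) -> dict:
    """Classify a byte blob; the verdict strings are my own labels."""
    lower = data.lower()
    last_eof = data.rfind(PDF_EOF)
    body_end = last_eof + len(PDF_EOF) if last_eof != -1 else len(data)

    markers = []
    for needle, name in WORD_MARKERS:
        off = lower.find(needle)
        if off != -1:
            markers.append({"marker": name, "offset": off, "after_eof": off >= body_end})

    report = {
        "is_pdf": data.startswith(PDF_MAGIC),
        "trailing_bytes": max(0, len(data) - body_end),
        "pdf_triggers": [t.decode() for t in PDF_TRIGGERS if t in data],
        "word_markers": markers,
    }
    if not report["is_pdf"]:
        report["verdict"] = "not_pdf"
    elif any(m["after_eof"] for m in markers):
        # Word content after the PDF ended: the polyglot shape.
        report["verdict"] = "polyglot_word_in_pdf"
    elif markers or b"/EmbeddedFile" in data:
        # Word bytes inside the PDF body, e.g. a legitimate attachment: review,
        # do not block blindly.
        report["verdict"] = "pdf_with_word_indicators"
    else:
        report["verdict"] = "clean"
    return report


def build_sample() -> bytes:
    """Constructed polyglot for the demo: a stub PDF followed by an MHT Word body.
    Not a real malicious sample and not a complete PDF (no xref table)."""
    pdf = (b"%PDF-1.4\n"
           b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
           b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
           b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    mht = (b"MIME-Version: 1.0\n"
           b"Content-Type: multipart/related; boundary=\"----=_b\"\n\n"
           b"------=_b\nContent-Type: text/html\n\n"
           b"<html xmlns:w=\"urn:schemas-microsoft-com:office:word\">"
           b"<w:WordDocument></w:WordDocument></html>\n"
           b"------=_b\nContent-Type: application/x-mso\n\n_VBA_PROJECT\n------=_b--\n")
    return pdf + mht


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(build_sample()), indent=2))
```

The discriminating signal is the offset, not the marker itself: a PDF that legitimately carries a Word attachment keeps it inside the object structure (and advertises it with /EmbeddedFile), whereas the polyglot has its Word bytes after the last %%EOF, where a conforming PDF parser never looks. Mail gateways that classify purely on the magic bytes at offset zero will call this file a PDF; the countermeasure is to scan the trailing bytes too.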
@virusbtn
Virus Bulletin
2 years
Unit 42 researchers look at the most commonly used TLDs in malicious domains.
4
103
221
@virusbtn
Virus Bulletin
3 years
Sophos lists details of attacker behaviour and impact as well as the tactics, techniques and procedures (TTPs) seen in the wild in 2020/2021.
1
86
212
@virusbtn
Virus Bulletin
3 years
Sophos analysts have uncovered a new ransomware that calls itself Epsilon Red. The ransomware is written in Go and is preceded by a set of unique PowerShell scripts that prepare the ground for the file-encryption routine.
2
100
208
@virusbtn
Virus Bulletin
2 years
Sophos has updated the story of the CVE-2021-40444 exploit, which triggers a Word document to deliver an infection without using macros. The attack was only successful on unpatched Windows systems.
3
75
209
@virusbtn
Virus Bulletin
2 years
Mandiant has published guidance for organizations on how to protect against a destructive attack. The recommendations include common techniques used by threat actors for initial access, reconnaissance, privilege escalation & mission objectives.
0
88
203
@virusbtn
Virus Bulletin
3 years
McAfee researchers have discovered a new technique that downloads and executes malicious DLLs (Zloader) without any malicious code present in the initial spammed attachment macro.
1
83
192
@virusbtn
Virus Bulletin
3 years
A list of 50 CyberChef recipes and curated links for malware analysis has been shared by @mattnotmax.
0
82
185
@virusbtn
Virus Bulletin
25 days
Splunk researchers look into the tactics, techniques and procedures employed by APT29 in a recent campaign. The attack chain begins with a spear-phishing email leading to the delivery of the WINELOADER backdoor.
1
82
166
@virusbtn
Virus Bulletin
2 months
Malwarebytes' Jérôme Segura describes a malvertising campaign that delivers a loader written in Go, followed by the Rhadamanthys stealer.
4
71
143
@virusbtn
Virus Bulletin
2 years
Security researcher Chuong Dong (@cPeterr) has published an analysis of the PLAY ransomware (aka PlayCrypt).
2
48
146
@virusbtn
Virus Bulletin
4 months
CERT-UA present details of a recent APT28 campaign that created threats to a domain controller within an hour from the moment of the initial compromise.
1
65
137
@virusbtn
Virus Bulletin
10 months
In a post from last week, researchers at Lab52 observe an unknown actor using similar techniques to APT29 and post details about the new techniques they identified, in particular the SVG Dropper, DLL used for infection and C2 behaviour.
2
40
132
@virusbtn
Virus Bulletin
4 months
ESET researchers have discovered NSPX30, a sophisticated implant used by a new China-aligned APT group they've named Blackwood. The NSPX30 implant is deployed via the update mechanisms of legitimate software such as Tencent QQ, WPS Office & Sogou Pinyin.
3
62
133
@virusbtn
Virus Bulletin
11 months
Team Cymru's S2 Research Team present a short update report providing insight into the operation of Vidar, demonstrating the evolution of its management infrastructure and evidence of steps taken by the threat actors to potentially cover their tracks.
0
41
129
@virusbtn
Virus Bulletin
2 years
Microsoft introduces a new threat intelligence brief that will be released quarterly, looking at the current threat landscape, trending tactics, techniques and strategies used by the world’s most prolific threat actors.
1
45
125
@virusbtn
Virus Bulletin
27 days
Volexity found a 0-day exploitation of a vulnerability in GlobalProtect (CVE-2024-3400). The threat actor, UTA0218, attempted to install UPSTYLE, a custom Python backdoor, on the firewall, allowing the attacker to execute additional commands on the device.
0
47
127
@virusbtn
Virus Bulletin
3 months
Mandiant researchers present the evolution of UNC4990, an actor that makes heavy use of USB devices for initial infection. UNC4990 primarily targets users based in Italy and is likely motivated by financial gain.
0
66
126
@virusbtn
Virus Bulletin
6 years
Windows has a little-known feature that lets you dump memory when a process exits, @cyberkramer writes
1
67
125
@virusbtn
Virus Bulletin
1 year
K7 analysts describe how threat actors use the legitimate WerFault.exe to execute Pupy RAT on victims’ machines.
1
44
122
@virusbtn
Virus Bulletin
6 years
Malware makes a copy of kernel32.dll to evade detection
3
103
117
@virusbtn
Virus Bulletin
3 years
Security Researcher @BushidoToken writes about ransomware decryption intelligence.
2
44
122
@virusbtn
Virus Bulletin
2 years
Mandiant has released a tool named GoReSym to parse Go symbol information and other embedded metadata.
1
47
114
@virusbtn
Virus Bulletin
2 years
Palo Alto researchers present a tutorial on identifying beacon Cobalt Strike Team Servers in the wild.
1
55
110
@virusbtn
Virus Bulletin
3 years
DomainTools' @piffey has created an infographic that provides an overview of the most prolific ransomware families and the current loaders they use.
1
52
110
@virusbtn
Virus Bulletin
1 year
Trend Micro researchers look at the Raspberry Robin malware, spreading in telecommunications & government systems. The main payload is packed with >10 layers for obfuscation & can deliver a fake payload if it detects sandboxing or security analytics tools
0
40
110
@virusbtn
Virus Bulletin
6 years
Avast open sources its machine-code decompiler
0
54
105
@virusbtn
Virus Bulletin
2 years
K7 researchers analyse Cobalt Strike and its loader module.
0
43
107
@virusbtn
Virus Bulletin
2 years
Sophos researchers investigated a Midas ransomware attack that leveraged at least two different commercial remote access tools (AnyDesk & TeamViewer) and an open-source Windows utility (Process Hacker) in the process.
0
54
108
@virusbtn
Virus Bulletin
4 months
The latest article from ITOCHU Cyber & Intelligence Inc. presents the evolution of the LODEINFO malware, used by APT10, from v0.6.6 to v0.7.3. The malware has been updated with new features, as well as changes to its anti-analysis techniques.
0
56
108
@virusbtn
Virus Bulletin
1 year
AhnLab's ASEC team present an analysis report on malware cases that are being distributed using Microsoft OneNote.
2
51
103
@virusbtn
Virus Bulletin
3 months
Elastic Security Labs researchers describe the updates they observed to PIKABOT's loader and core components in new PIKABOT campaigns.
0
32
102
@virusbtn
Virus Bulletin
2 years
Microsoft researchers recently discovered the exact method through which MikroTik devices are used in Trickbot’s C2 infrastructure. Their analysis looks at how attackers gain access to MikroTik devices & use compromised IoT devices in Trickbot attacks.
1
42
104
@virusbtn
Virus Bulletin
4 years
Sophos researchers (and regular VB conference speakers) @GaborSzappanos and @threatresearch analysed the toolset used by the Netwalker ransomware actors and found they mostly rely on publicly available tools
0
51
102
@virusbtn
Virus Bulletin
4 months
Fortinet researchers show how a threat group uses breached YouTube channels to distribute a Lumma Stealer variant. These YouTube videos typically feature content related to cracked applications and have a malicious URL in the descriptions.
0
42
100
@virusbtn
Virus Bulletin
3 months
Cisco Talos researchers have identified a new backdoor authored and operated by the Turla APT group. TinyTurla-NG is similar to Turla’s previously disclosed implant, TinyTurla, and was seen targeting a Polish non-governmental organization.
0
34
101
@virusbtn
Virus Bulletin
2 months
Researchers present an analysis of DCRat, an inexpensive, yet capable malware that gives threat actors complete surveillance over their victims. Its potential to access & control social network accounts adds another layer of risk.
0
40
98
@virusbtn
Virus Bulletin
6 years
Fortinet researchers analyse a politically-themed RTF document that exploits CVE-2017-11826
0
66
96
@virusbtn
Virus Bulletin
3 years
ESET researchers analyse a previously undocumented, real-world UEFI bootkit that persists on the EFI System Partition. ESPecter bootkit can bypass Windows Driver Signature Enforcement to load its own unsigned driver, to facilitate its espionage activities.
0
34
98
@virusbtn
Virus Bulletin
4 years
After almost ten years and more than 19,000 tweets I am handing over this account to the rest of the great VB team. Thank you all for following, all the best for 2020 and beyond and keep doing great things! ─ @martijn_grooten
11
8
99
@virusbtn
Virus Bulletin
2 years
Zscaler researchers identified several instances of low-volume targeted attack campaigns by the Evilnum APT group. They present the technical details of all components involved in the end-to-end attack chain.
1
39
98
@virusbtn
Virus Bulletin
1 year
Registration is now open for #VB2023 London, with some great deals for early bird bookings! The programme includes a mix of engaging and broad-ranging papers, featuring experts in the field from all around the world - check it out and register at
1
37
55
@virusbtn
Virus Bulletin
4 years
Palo Alto's @malware_traffic has written a detailed post on the evolution of the Valak infostealer and malware downloader
1
45
95
@virusbtn
Virus Bulletin
3 months
Volexity's Ankur Saini, Callum Roxan, Charlie Gardner & Damien Cash look into recent CharmingCypress (aka Charming Kitten, APT42, TA453) spear-phishing tactics & malware.
1
44
94
@virusbtn
Virus Bulletin
3 years
The Avast Threat Intelligence team has published a blog on understanding how threat actors use Cobalt Strike payloads and how you can analyse them.
0
51
94
@virusbtn
Virus Bulletin
2 years
The DFIR Report observed an intrusion in which an adversary exploited multiple Exchange vulnerabilities (ProxyShell) that led to the BitLocker ransomware. The threat actors conducted the intrusion with almost no malware.
0
42
93
@virusbtn
Virus Bulletin
2 years
Trend Micro researchers provide an overview of "Cheerscrypt", a new Linux-based ransomware variant that compromises ESXi servers.
2
32
94
@virusbtn
Virus Bulletin
5 months
The Splunk Threat Research Team presents a deep analysis of a PlugX variant, including details of its payload extraction, tactics and impact.
0
47
94
@virusbtn
Virus Bulletin
2 years
Security researcher @BushidoToken shares some findings from the Conti Leaks.
1
29
93
@virusbtn
Virus Bulletin
1 year
Bitdefender has discovered a malware campaign that uses components of SecondEye - a legitimate monitoring application - to spy on users of 20Speed VPN, an Iranian-based VPN service, via trojanized installers.
5
40
89
@virusbtn
Virus Bulletin
2 years
Palo Alto Networks researchers examine the technical details of ChromeLoader (Choziosi Loader/ChromeBack), focusing on the evolution of its different versions and changes in its infection process, and review new variants.
1
37
87
@virusbtn
Virus Bulletin
11 months
SonicWall researchers recently observed a new variant of GuLoader. They look at unpacking its shellcodes, a new anti-debug technique it deploys, and its custom Vectored Exception Handler.
6
43
80
@virusbtn
Virus Bulletin
3 months
The latest blog post from CrowdStrike shows the various evasion techniques employed by a recent HijackLoader (aka IDAT Loader) sample at multiple stages of the malware.
0
48
90
@virusbtn
Virus Bulletin
2 years
Curated Intelligence's @BushidoToken explores threat group naming schemes and why they are important.
2
28
88
@virusbtn
Virus Bulletin
3 months
On Christmas Eve, The DFIR Report's researchers observed threat actors exploiting a publicly exposed Remote Desktop Protocol (RDP) host, leading to data exfiltration and the deployment of Trigona ransomware within just 3 hours of gaining initial access.
1
45
86
@virusbtn
Virus Bulletin
3 years
Security researcher @BushidoToken writes about three top-tier cybercrime syndicates which are tracked by the private cybersecurity industry as EvilCorp, WizardSpider, and FIN7.
0
33
87
@virusbtn
Virus Bulletin
9 months
Security researcher Mohamed Adel (@0xd01a) presents a detailed analysis of all the stages of a Pikabot infection.
0
40
87
@virusbtn
Virus Bulletin
4 months
The Splunk Threat Research Team present an analysis of the AutoIt loader designed to initiate DarkGate on compromised hosts.
0
47
88
@virusbtn
Virus Bulletin
3 years
Palo Alto's @malware_traffic created a tutorial for using Wireshark to analyse Emotet network traffic
0
34
87
@virusbtn
Virus Bulletin
2 years
The DFIR Report describes an intrusion in which the actor gained access using an ISO & LNK file, used lateral movement techniques, dumped credentials, kerberoasted a domain admin account, & executed a bespoke tool to discover privilege escalation paths.
0
33
84
@virusbtn
Virus Bulletin
2 years
The DFIR Report researchers describe an intrusion where IcedID from a malspam campaign was used as initial access vector, followed by discovery activity, Cobalt Strike, remote management tools such as Atera & Splashtop & finally Conti ransomware deployment
0
42
84
@virusbtn
Virus Bulletin
4 months
S2W's Minyeop Choi shares a detailed analysis of DarkGate - a malware that, when installed on a target computer, allows attackers to carry out various acts such as information theft, cryptocurrency mining, and execution of arbitrary programs.
1
44
86
@virusbtn
Virus Bulletin
2 years
The DFIR Report researchers describe an intrusion using Gootloader as initial access vector via an SEO poisoning campaign. The threat actors then used RDP, WMI, Mimikatz, Lazagne, WMIExec & SharpHound to gain access to sensitive documents.
0
42
85
@virusbtn
Virus Bulletin
9 months
BlackBerry researchers document findings and break down the technical details of recent attacks by the Cuba ransomware threat group. They also discuss in depth the latest evolution in the tactics, techniques and procedures (TTPs) utilized by the group.
1
51
86
@virusbtn
Virus Bulletin
4 months
Kroll's Cyber Threat Intelligence team reveal the results of their research into SYSTEMBC, which focused on its C2 server. The malicious tool is used to maintain access in a compromised network.
0
47
85
@virusbtn
Virus Bulletin
3 months
Trend Micro researchers look into Pawn Storm (APT28/Forest Blizzard), which attempted to launch NTLMv2 hash relay attacks through different methods, with huge peaks in the number of targets and variations in the government departments it targeted.
0
36
84
@virusbtn
Virus Bulletin
3 years
DomainTools researcher @jfslowik shares some thoughts on the possible link between the SUNBURST malware, used in the SolarWinds supply chain attack, and the Turla APT group
0
48
84
@virusbtn
Virus Bulletin
13 days
Researchers from The DFIR Report look into an intrusion that started with a phishing campaign using PrometheusTDS to distribute IcedID, which dropped and executed a Cobalt Strike beacon, leading to the Dagon Locker ransomware.
1
31
86
@virusbtn
Virus Bulletin
6 years
Fortinet's @cryptax wrote a line-by-line analysis of the Spectre exploit
0
55
83
@virusbtn
Virus Bulletin
10 months
Researchers from Palo Alto's Unit42 team have observed instances of Cloaked Ursa (aka #APT29 - well known for targeting diplomatic missions globally) using lures focusing on the diplomats themselves rather than the countries they represent.
0
33
82
@virusbtn
Virus Bulletin
2 years
Researchers at Palo Alto's Unit 42 present a Cobalt Strike tutorial & analysis. They describe the encoding algorithm, give definitions & describe differences in encoding types used in the Cobalt Strike framework, & cover malicious attacks seen in the wild.
0
26
80
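Added example for the Cobalt Strike configuration encoding the Unit 42 tutorial above is about; this is my code, not Unit 42's. It relies on the layout that public open-source beacon parsers have documented for years: the embedded config is a sequence of TLV settings (2-byte index, 2-byte type, 2-byte length, all big-endian; type 1 is a short, 2 an int, 3 a fixed-width byte field), and the whole block is XORed with a single byte, 0x69 for 3.x beacons and 0x2E for 4.x. Because setting 1 (BeaconType, a short of length 2) always comes first, its encoded header can be brute-forced against all 256 keys to both locate the config and recover the key. The index-to-name table is the subset I am sure of, and the sample config is constructed, not extracted from a real beacon.

```python
import struct

XOR_KEYS = {3: 0x69, 4: 0x2E}            # single-byte keys used by Beacon 3.x and 4.x
T_SHORT, T_INT, T_BYTES = 1, 2, 3        # TLV value types
HEADER = b"\x00\x01\x00\x01\x00\x02"     # setting 1 (BeaconType), type short, length 2
# Index-to-name mapping: the subset I am sure of, as used by public parsers.
SETTING_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime", 5: "Jitter", 8: "C2Server", 9: "UserAgent"}
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP/DNS", 2: "SMB", 4: "TCP", 8: "HTTPS", 16: "Bind TCP"}

# Constructed configuration (not from a real beacon); strings are null-padded
# to a fixed width, as the real config does.
SAMPLE_SETTINGS = [
    (1, T_SHORT, 8),
    (2, T_SHORT, 443),
    (3, T_INT, 60000),
    (5, T_SHORT, 20),
    (8, T_BYTES, b"cdn.example.invalid,/jquery-3.3.1.min.js".ljust(256, b"\x00")),
    (9, T_BYTES, b"Mozilla/5.0 (Windows NT 10.0; Win64; x64)".ljust(128, b"\x00")),
]


def build_config(settings, key):
    """Serialise TLVs, terminate with an all-zero header, XOR every byte with key."""
    out = bytearray()
    for idx, typ, val in settings:
        if typ == T_SHORT:
            data = struct.pack(">H", val)
        elif typ == T_INT:
            data = struct.pack(">I", val)
        else:
            data = bytes(val)
        out += struct.pack(">HHH", idx, typ, len(data)) + data
    out += b"\x00" * 6
    return bytes(b ^ key for b in out)


def find_key(blob):
    """Brute-force the XOR byte by looking for the encoded first-setting header.

    A candidate is accepted only if the TLV that follows BeaconType decodes to a
    sane type, which weeds out accidental 6-byte matches elsewhere in the binary.
    """
    for key in range(256):
        probe = bytes(b ^ key for b in HEADER)
        off = blob.find(probe)
        while off != -1:
            nxt = bytes(b ^ key for b in blob[off + 8:off + 14])
            if len(nxt) == 6 and struct.unpack(">HHH", nxt)[1] in (T_SHORT, T_INT, T_BYTES):
                return key, off
            off = blob.find(probe, off + 1)
    return None


def parse_config(blob):
    """Return (key, {name: value}) for the first config found in blob."""
    hit = find_key(blob)
    if hit is None:
        raise ValueError("no beacon config header found")
    key, off = hit
    dec = bytes(b ^ key for b in blob[off:])
    settings, pos = {}, 0
    while pos + 6 <= len(dec):
        idx, typ, length = struct.unpack_from(">HHH", dec, pos)
        pos += 6
        if idx == 0:              # terminator
            break
        raw = dec[pos:pos + length]
        pos += length
        if typ == T_SHORT:
            val = struct.unpack(">H", raw)[0]
        elif typ == T_INT:
            val = struct.unpack(">I", raw)[0]
        else:
            # Strings come back stripped of padding; binary fields (e.g. the
            # public key) stay bytes when they do not decode as ASCII.
            stripped = raw.rstrip(b"\x00")
            try:
                val = stripped.decode("ascii")
            except UnicodeDecodeError:
                val = stripped
        settings[SETTING_NAMES.get(idx, f"setting_{idx}")] = val
    if "BeaconType" in settings:
        settings["BeaconTypeName"] = BEACON_TYPES.get(settings["BeaconType"], "unknown")
    return key, settings


if __name__ == "__main__":
    # Bury the config in filler bytes, as it would sit inside a stager or PE.
    blob = b"MZ\x90\x00" + bytes(range(64)) + build_config(SAMPLE_SETTINGS, XOR_KEYS[4]) + b"\x00" * 16
    key, cfg = parse_config(blob)
    print(f"xor key 0x{key:02x}")
    for name, value in cfg.items():
        print(f"  {name}: {value}")
```

Brute-forcing the key rather than hard-coding 0x69/0x2E matters in practice: operators who patch the key in a customised beacon defeat a fixed-key parser but not this search, and the sanity check on the following TLV keeps the 256 probes from matching random bytes in a large binary. On a real sample the blob is the decoded, unpacked payload (after the stager's own XOR/RC4 layer), not the raw stager on disk.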
@virusbtn
Virus Bulletin
2 years
The DFIR Report has posted the second part of its defender’s guide to Cobalt Strike, which focuses on the network traffic it produced and covers topics such as Domain Fronting, SOCKS proxy, C2 traffic, Sigma rules, JARM, JA3/s, RITA and more.
0
32
81
@virusbtn
Virus Bulletin
3 years
Microsoft has published an article about using fuzzy hashing and deep learning to counter malware detection evasion techniques.
1
30
79
@virusbtn
Virus Bulletin
2 months
Cisco Talos researchers analyse TimbreStealer, which targets victims in Mexico. This information stealer exhibits a sophisticated array of techniques to circumvent detection, engage in stealthy execution, & ensure its persistence within compromised systems
1
37
80
@virusbtn
Virus Bulletin
2 months
AhnLab researchers analyse an infostealer disguised as the Adobe Reader installer. The threat actor distributes a fake PDF file, with the message that Adobe Reader is required to open it, thus prompting the user to download & install the malware.
0
37
82
@virusbtn
Virus Bulletin
4 years
Both game developer Capcom and liquor company Campari have been hit by the Ragnar Locker ransomware
5
40
77
@virusbtn
Virus Bulletin
6 months
Elastic Security Labs researchers have observed a campaign that compromises users with signed MSIX application packages to gain initial access, & leverages a stealthy loader called GHOSTPULSE which decrypts and injects its final payload to evade detection.
3
31
80
@virusbtn
Virus Bulletin
3 months
Recorded Future’s Insikt Group look into recent espionage campaigns by TAG-70 (which overlaps with activity under the aliases Winter Vivern, TA473 & UAC-0114) exploiting Roundcube webmail and targeting European government & military mail servers.
1
36
79
@virusbtn
Virus Bulletin
2 years
NCC Group has released a dataset of Cobalt Strike beacons (2018 - 2022) and a Python library called dissect.cobaltstrike for dissecting and parsing Cobalt Strike related data.
0
36
79
@virusbtn
Virus Bulletin
1 month
Malwarebytes' Jérôme Segura describes an ongoing Nitrogen campaign delivered via malicious Google ads for PuTTY & FileZilla. Nitrogen is usually used to gain initial access to private networks, followed by data theft & ransomware deployment.
2
41
79
@virusbtn
Virus Bulletin
10 months
Trellix's @MathanrajTK & @sijojacob1111 provide a comprehensive overview of how threat actors leverage the “search-ms” URI protocol handler as a vehicle for their malicious activities, and the steps involved from initial delivery to payload execution.
1
37
77
@virusbtn
Virus Bulletin
9 months
Proofpoint researchers observed an increase in account takeovers among tenants that have MFA protection, as threat actors are increasingly employing Adversary-in-the-Middle (AitM) phishing kits (such as EvilProxy).
1
33
76
@virusbtn
Virus Bulletin
1 year
Researchers from Palo Alto's Unit 42 team have analysed the recent activity of TridentUrsa (aka Gamaredon, UAC-0010, Primitive Bear, Shuckworm). There have been multiple shifts in the APT group's tactics, techniques and procedures (TTPs).
0
37
78
@virusbtn
Virus Bulletin
7 years
Some useful advice from @malwaretechblog on how to create a malware analysis environment
0
29
79
@virusbtn
Virus Bulletin
7 months
ESET has released its APT Activity Report Q2–Q3 2023, which summarizes the activities of selected advanced persistent threat (APT) groups that were observed, investigated and analysed by ESET researchers from April 2023 until the end of September 2023.
0
27
76
@virusbtn
Virus Bulletin
1 month
Fortinet researchers provide detailed insights into how a threat actor distributes VenomRAT and other plugins using the BatCloak tool and ScrubCrypt to load the final payload.
1
51
78
@virusbtn
Virus Bulletin
3 months
Trustwave SpiderLabs’ Email Security team write about the Tycoon Group phishing-as-a-service (PaaS) framework. Its key selling features include the ability to bypass Microsoft two-factor authentication & leveraging Cloudflare to evade antibot measures.
0
42
78
@virusbtn
Virus Bulletin
4 months
Trend Micro's Peter Girnus, Aliakbar Zahravi & Simon Zuckerbraun delve into the Phemedrone Stealer campaign's exploitation of CVE-2023-36025, the Windows Defender SmartScreen Bypass vulnerability, for its defense evasion & investigate the malware's payload
1
35
78
@virusbtn
Virus Bulletin
2 years
Researchers at 360 Netlab have discovered an unknown ELF file propagating through the Log4J vulnerability. B1txor20 is a backdoor for the Linux platform and uses DNS Tunnel technology to build C2 communication channels.
0
37
78
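The DNS-tunnel C2 mentioned above is the kind of channel that shows up in resolver logs long before anyone has the sample. Added example, not 360 Netlab's detection and written without knowledge of B1txor20's actual encoding: it profiles query logs per registrable domain and flags zones that receive many unique, long, high-entropy leftmost labels, which is what encoded payload looks like next to ordinary hostnames. The log lines are constructed; the two-label "registrable domain" shortcut, the field layout and the thresholds are assumptions to tune against your own traffic.

```python
import hashlib
import math
from collections import defaultdict
from statistics import mean


def build_sample_log():
    """Constructed resolver log lines: '<timestamp> <client> <qname> <qtype>'. Not real traffic."""
    lines = [
        "2024-03-01T10:00:01Z 10.0.0.5 www.example.com A",
        "2024-03-01T10:00:02Z 10.0.0.5 mail.example.com MX",
        "2024-03-01T10:00:03Z 10.0.0.5 api.example.com A",
        "2024-03-01T10:00:04Z 10.0.0.5 example.com A",
    ]
    # Busy but benign: many distinct, short, low-entropy hostnames under one zone.
    lines += [f"2024-03-01T10:01:{i:02d}Z 10.0.0.7 img{i}.cdn.example.net A" for i in range(8)]
    # Tunnel-shaped: 32 hex characters of "payload" plus a sequence label, all TXT.
    for i in range(6):
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:32]
        lines.append(f"2024-03-01T10:02:{i:02d}Z 10.0.0.9 {chunk}.t{i}.evil-tunnel.test TXT")
    return lines


def shannon_entropy(s: str) -> float:
    """Bits per character: 0.0 for a constant string, 4.0 for perfectly uniform hex."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """(registrable domain, payload labels). Assumption: the registrable domain is
    the last two labels; use the Public Suffix List on real data (co.uk etc.)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[:-2]


def profile(lines):
    """Aggregate, per registrable domain, the signals a tunnel distorts."""
    prof = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                "label_len": [], "entropy": [], "txt_or_null": 0})
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue                     # malformed line: skip rather than guess
        _, _, qname, qtype = parts
        domain, labels = split_name(qname)
        if not labels:
            continue                     # apex query carries no payload label
        p = prof[domain]
        p["queries"] += 1
        p["subdomains"].add(".".join(labels))
        p["label_len"].append(len(labels[0]))          # leftmost label carries the data
        p["entropy"].append(shannon_entropy(labels[0]))
        if qtype in ("TXT", "NULL"):                   # roomy record types favoured for downstream
            p["txt_or_null"] += 1
    return prof


def suspicious_domains(lines, min_unique=5, min_label_len=20, min_entropy=3.0):
    """Domains whose leftmost labels look like encoded data rather than hostnames."""
    flagged = {}
    for domain, p in profile(lines).items():
        unique = len(p["subdomains"])
        avg_len, avg_ent = mean(p["label_len"]), mean(p["entropy"])
        if unique >= min_unique and avg_len >= min_label_len and avg_ent >= min_entropy:
            flagged[domain] = {
                "unique_subdomains": unique,
                "mean_label_len": round(avg_len, 1),
                "mean_entropy": round(avg_ent, 2),
                "txt_ratio": round(p["txt_or_null"] / p["queries"], 2),
            }
    return flagged


if __name__ == "__main__":
    for domain, stats in suspicious_domains(build_sample_log()).items():
        print(domain, stats)
```

The three conditions are deliberately ANDed: the CDN zone in the sample has more unique names than the tunnel but fails on label length and entropy, which is exactly the false positive a volume-only rule produces. Expect legitimate high-entropy zones too (certificate-transparency style tokens, some anti-virus and mail reputation lookups, CDN cache busters); the usual follow-up is an allow-list of known services plus looking at whether the querying host is a workstation rather than a resolver or a security appliance.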
@virusbtn
Virus Bulletin
2 years
Mandiant researchers detected APT29 targeting multiple diplomatic & government entities through a series of phishing waves. They also identified 2 new malware families, BEATDROP & BOOMMIC, as well as APT29’s retooling & abuse of Atlassian's Trello service.
0
29
77
@virusbtn
Virus Bulletin
4 months
Fortinet researchers look into an MS Excel document embedded with a VBA script that leads to a FAUST variant of the Phobos ransomware. This variant has the ability to maintain persistence in an environment & creates multiple threads for efficient execution
0
33
76
@virusbtn
Virus Bulletin
1 month
IBM X-Force's Golo Mühr, Claire Zaboeva & Joe Fasulo look into new waves of Russian state-sponsored Hive0051 (aka UAC-0010, Gamaredon) activity focusing on regional military, police and civil government training centres across Ukraine.
2
36
76
@virusbtn
Virus Bulletin
9 months
Researchers from The DFIR Report look into a Nokoyawa ransomware case in which the initial access was via an Excel macro and IcedID malware. The time to ransomware (TTR) was just over 12 hours from the initial infection.
0
36
73
@virusbtn
Virus Bulletin
2 months
Sekoia researchers present an in-depth analysis of the Tycoon 2FA Phishing-as-a-Service (PhaaS) kit and the recent developments they spotted such as obfuscation, anti-detection capabilities and new network traffic patterns.
0
39
74
@virusbtn
Virus Bulletin
2 years
The DFIR Report researchers look into a Qbot (aka QakBot, Quakbot, Pinkslipbot) infection delivered, via a malspam campaign, through hidden Excel 4.0 macros.
0
34
73
@virusbtn
Virus Bulletin
2 years
The DFIR Report takes a look back at details from its public reports over 2021 and looks at some of the top tactics, techniques and procedures (TTPs) observed during the year.
0
29
74
@virusbtn
Virus Bulletin
1 month
Avast researchers discovered an in-the-wild admin-to-kernel exploit for a previously unknown zero-day vulnerability in the appid.sys AppLocker driver. Lazarus used CVE-2024-21338 in the FudModule rootkit to perform direct kernel object manipulation.
0
30
75