Sophos researchers discovered that attackers had booted their target computers into Safe Mode to execute the Avos Locker ransomware. The reason? Many, if not most, endpoint security products do not run in Safe Mode.
AT&T Alien Labs has recently discovered a cluster of Linux ELF executables with low rates of detection in VirusTotal. The files were identified as modifications of the open-source PRISM backdoor used by multiple threat actors in various campaigns.
The latest blog post from JPCERT/CC explains the details of, and countermeasures against, a new technique used in an attack that occurred in July, which bypasses detection by embedding a malicious Word file into a PDF file.
Sophos analysts have uncovered a new ransomware that calls itself Epsilon Red. The ransomware is written in Go and is preceded by a set of unique PowerShell scripts that prepare the ground for the file-encryption routine.
Sophos has updated the story of the CVE-2021-40444 exploit, which triggers a Word document to deliver an infection without using macros. The attack was only successful on unpatched Windows systems.
Mandiant has published guidance for organizations on how to protect against a destructive attack. The recommendations include common techniques used by threat actors for initial access, reconnaissance, privilege escalation & mission objectives.
McAfee researchers have discovered a new technique that downloads and executes malicious DLLs (Zloader) without any malicious code present in the initial spammed attachment macro.
Splunk researchers look into the tactics, techniques and procedures employed by APT29 in a recent campaign. The attack chain begins with a spear-phishing email leading to the delivery of the WINELOADER backdoor.
CERT-UA present details of a recent APT28 campaign that created threats to a domain controller within an hour from the moment of the initial compromise.
In a post from last week, researchers at Lab52 observe an unknown actor using similar techniques to APT29 and post details about the new techniques they identified, in particular the SVG Dropper, DLL used for infection and C2 behaviour.
ESET researchers have discovered NSPX30, a sophisticated implant used by a new China-aligned APT group they've named Blackwood. The NSPX30 implant is deployed via the update mechanisms of legitimate software such as Tencent QQ, WPS Office & Sogou Pinyin.
Team Cymru's S2 Research Team present a short update report providing insight into the operation of Vidar, demonstrating the evolution of its management infrastructure and evidence of steps taken by the threat actors to potentially cover their tracks.
Microsoft introduces a new threat intelligence brief that will be released quarterly, looking at the current threat landscape, trending tactics, techniques and strategies used by the world’s most prolific threat actors.
Volexity found a 0-day exploitation of a vulnerability in GlobalProtect (CVE-2024-3400). The threat actor, UTA0218, attempted to install UPSTYLE, a custom Python backdoor, on the firewall, allowing the attacker to execute additional commands on the device.
Mandiant researchers present the evolution of UNC4990, an actor that makes heavy use of USB devices for initial infection. UNC4990 primarily targets users based in Italy and is likely motivated by financial gain.
Trend Micro researchers look at the Raspberry Robin malware, spreading in telecommunications & government systems. The main payload is packed with >10 layers for obfuscation & can deliver a fake payload if it detects sandboxing or security analytics tools.
Sophos researchers investigated a Midas ransomware attack that leveraged at least two different commercial remote access tools (AnyDesk & TeamViewer) and an open-source Windows utility (Process Hacker) in the process.
The latest article from ITOCHU Cyber & Intelligence Inc. presents the evolution of the LODEINFO malware, used by APT10, from v0.6.6 to v0.7.3. The malware has been updated with new features, as well as changes to its anti-analysis techniques.
Microsoft researchers recently discovered the exact method through which MikroTik devices are used in Trickbot’s C2 infrastructure. Their analysis looks at how attackers gain access to MikroTik devices & use compromised IoT devices in Trickbot attacks.
Sophos researchers (and regular VB conference speakers) @GaborSzappanos and @threatresearch analysed the toolset used by the Netwalker ransomware actors and found they mostly rely on publicly available tools.
Fortinet researchers show how a threat group uses breached YouTube channels to distribute a Lumma Stealer variant. These YouTube videos typically feature content related to cracked applications and have a malicious URL in the descriptions.
Cisco Talos researchers have identified a new backdoor authored and operated by the Turla APT group. TinyTurla-NG is similar to Turla’s previously disclosed implant, TinyTurla, and was seen targeting a Polish non-governmental organization.
Researchers present an analysis of DCRat, an inexpensive, yet capable malware that gives threat actors complete surveillance over their victims. Its potential to access & control social network accounts adds another layer of risk.
ESET researchers analyse a previously undocumented, real-world UEFI bootkit that persists on the EFI System Partition. ESPecter bootkit can bypass Windows Driver Signature Enforcement to load its own unsigned driver, to facilitate its espionage activities.
After almost ten years and more than 19,000 tweets I am handing over this account to the rest of the great VB team. Thank you all for following, all the best for 2020 and beyond and keep doing great things! - @martijn_grooten
Zscaler researchers identified several instances of low-volume targeted attack campaigns by the Evilnum APT group. They present the technical details of all components involved in the end-to-end attack chain.
Registration is now open for #VB2023 London, with some great deals for early bird bookings! The programme includes a mix of engaging and broad-ranging papers, featuring experts in the field from all around the world - check it out and register at
The DFIR Report observed an intrusion in which an adversary exploited multiple Exchange vulnerabilities (ProxyShell) that led to the BitLocker ransomware. The threat actors conducted the intrusion with almost no malware.
Bitdefender has discovered a malware campaign that uses components of SecondEye - a legitimate monitoring application - to spy on users of 20Speed VPN, an Iranian-based VPN service, via trojanized installers.
Palo Alto Networks researchers examine the technical details of ChromeLoader (Choziosi Loader/ChromeBack), focusing on the evolution of its different versions and changes in its infection process, and review new variants.
SonicWall researchers recently observed a new variant of GuLoader. They look at unpacking its shellcodes, a new anti-debug technique it deploys, and its custom Vectored Exception Handler.
The latest blog post from CrowdStrike shows the various evasion techniques employed by a recent HijackLoader (aka IDAT Loader) sample at multiple stages of the malware.
On Christmas Eve, The DFIR Report's researchers observed threat actors exploiting a publicly exposed Remote Desktop Protocol (RDP) host, leading to data exfiltration and the deployment of Trigona ransomware within just 3 hours of gaining initial access.
Security researcher @BushidoToken writes about three top-tier cybercrime syndicates which are tracked by the private cybersecurity industry as EvilCorp, WizardSpider, and FIN7.
The DFIR Report describes an intrusion in which the actor gained access using an ISO & LNK file, used lateral movement techniques, dumped credentials, kerberoasted a domain admin account, & executed a bespoke tool to discover privilege escalation paths.
The DFIR Report researchers describe an intrusion where IcedID from a malspam campaign was used as the initial access vector, followed by discovery activity, Cobalt Strike, remote management tools such as Atera & Splashtop & finally Conti ransomware deployment.
S2W's Minyeop Choi shares a detailed analysis of DarkGate - a malware that, when installed on a target computer, allows attackers to carry out various acts such as information theft, cryptocurrency mining, and execution of arbitrary programs.
The DFIR Report researchers describe an intrusion using Gootloader as initial access vector via an SEO poisoning campaign. The threat actors then used RDP, WMI, Mimikatz, Lazagne, WMIExec & SharpHound to gain access to sensitive documents.
BlackBerry researchers document findings and break down the technical details of recent attacks by the Cuba ransomware threat group. They also discuss in depth the latest evolution in the tactics, techniques and procedures (TTPs) utilized by the group.
Kroll's Cyber Threat Intelligence team reveal the results of their research into SYSTEMBC, which focused on its C2 server. The malicious tool is used to maintain access in a compromised network.
Trend Micro researchers look into Pawn Storm (APT28/Forest Blizzard), which attempted to launch NTLMv2 hash relay attacks through different methods, with huge peaks in the number of targets and variations in the government departments it targeted.
DomainTools researcher @jfslowik shares some thoughts on the possible link between the SUNBURST malware, used in the SolarWinds supply chain attack, and the Turla APT group.
Researchers from The DFIR Report look into an intrusion that started with a phishing campaign using PrometheusTDS to distribute IcedID, which dropped and executed a Cobalt Strike beacon, leading to the Dagon Locker ransomware.
Researchers from Palo Alto's Unit42 team have observed instances of Cloaked Ursa (aka #APT29 - well known for targeting diplomatic missions globally) using lures focusing on the diplomats themselves rather than the countries they represent.
Researchers at Palo Alto's Unit 42 present a Cobalt Strike tutorial & analysis. They describe the encoding algorithm, give definitions & describe differences in encoding types used in the Cobalt Strike framework, & cover malicious attacks seen in the wild.
The DFIR Report has posted the second part of its defender’s guide to Cobalt Strike, which focuses on the network traffic it produced and covers topics such as Domain Fronting, SOCKS proxy, C2 traffic, Sigma rules, JARM, JA3/s, RITA and more.
Cisco Talos researchers analyse TimbreStealer, which targets victims in Mexico. This information stealer exhibits a sophisticated array of techniques to circumvent detection, engage in stealthy execution, & ensure its persistence within compromised systems.
AhnLab researchers analyse an infostealer disguised as the Adobe Reader installer. The threat actor distributes a fake PDF file, with the message that Adobe Reader is required to open it, thus prompting the user to download & install the malware.
Elastic Security Labs researchers have observed a campaign that compromises users with signed MSIX application packages to gain initial access, & leverages a stealthy loader called GHOSTPULSE which decrypts and injects its final payload to evade detection.
Recorded Future’s Insikt Group look into recent espionage campaigns by TAG-70 (which overlaps with activity under the aliases Winter Vivern, TA473 & UAC-0114) exploiting Roundcube webmail and targeting European government & military mail servers.
NCC Group has released a dataset of Cobalt Strike beacons (2018 - 2022) and a Python library called dissect.cobaltstrike for dissecting and parsing Cobalt Strike related data.
Malwarebytes' Jérôme Segura describes an ongoing Nitrogen campaign delivered via malicious Google ads for PuTTY & FileZilla. Nitrogen is usually used to gain initial access to private networks, followed by data theft & ransomware deployment.
Trellix's @MathanrajTK & @sijojacob1111 provide a comprehensive overview of how threat actors leverage the "search-ms" URI protocol handler as a vehicle for their malicious activities, and the steps involved from initial delivery to payload execution.
Proofpoint researchers observed an increase in account takeovers among tenants that have MFA protection, as threat actors are increasingly employing Adversary-in-the-Middle (AitM) phishing kits (such as EvilProxy).
Researchers from Palo Alto's Unit 42 team have analysed the recent activity of TridentUrsa (aka Gamaredon, UAC-0010, Primitive Bear, Shuckworm). There have been multiple shifts in the APT group's tactics, techniques and procedures (TTPs).
ESET has released its APT Activity Report Q2–Q3 2023, which summarizes the activities of selected advanced persistent threat (APT) groups that were observed, investigated and analysed by ESET researchers from April 2023 until the end of September 2023.
Fortinet researchers provide detailed insights into how a threat actor distributes VenomRAT and other plugins using the BatCloak tool and ScrubCrypt to load the final payload.
Trustwave SpiderLabs’ Email Security team write about the Tycoon Group phishing-as-a-service (PaaS) framework. Its key selling features include the ability to bypass Microsoft two-factor authentication & leveraging Cloudflare to evade antibot measures.
Trend Micro's Peter Girnus, Aliakbar Zahravi & Simon Zuckerbraun delve into the Phemedrone Stealer campaign's exploitation of CVE-2023-36025, the Windows Defender SmartScreen Bypass vulnerability, for its defense evasion & investigate the malware's payload.
Researchers at 360 Netlab have discovered an unknown ELF file propagating through the Log4J vulnerability. B1txor20 is a backdoor for the Linux platform and uses DNS Tunnel technology to build C2 communication channels.
Mandiant researchers detected APT29 targeting multiple diplomatic & government entities through a series of phishing waves. They also identified 2 new malware families, BEATDROP & BOOMMIC, as well as APT29’s retooling & abuse of Atlassian's Trello service.
Fortinet researchers look into an MS Excel document embedded with a VBA script that leads to a FAUST variant of the Phobos ransomware. This variant has the ability to maintain persistence in an environment & creates multiple threads for efficient execution.
IBM X-Force's Golo Mühr, Claire Zaboeva & Joe Fasulo look into new waves of Russian state-sponsored Hive0051 (aka UAC-0010, Gamaredon) activity focusing on regional military, police and civil government training centres across Ukraine.
Researchers from The DFIR Report look into a Nokoyawa ransomware case in which the initial access was via an Excel macro and IcedID malware. The time to ransomware (TTR) was just over 12 hours from the initial infection.
Sekoia researchers present an in-depth analysis of the Tycoon 2FA Phishing-as-a-Service (PhaaS) kit and the recent developments they spotted such as obfuscation, anti-detection capabilities and new network traffic patterns.
The DFIR Report researchers look into a Qbot (aka QakBot, Quakbot, Pinkslipbot) infection delivered, via a malspam campaign, through hidden Excel 4.0 macros.
The DFIR Report takes a look back at details from its public reports over 2021 and looks at some of the top tactics, techniques and procedures (TTPs) observed during the year.
Avast researchers discovered an in-the-wild admin-to-kernel exploit for a previously unknown zero-day vulnerability in the appid.sys AppLocker driver. Lazarus used CVE-2024-21338 in the FudModule rootkit to perform direct kernel object manipulation.