HackDig : Dig high-quality web security articles

AvosLocker enters the ransomware scene, asks for partners

This blog post was authored by Hasherezade In mid-July we responded to an incident that involved an attack on a Microsoft Exchange server. The threat actor used this entry point to get into a Domain Controller and then leveraged it as a springboard to deploy ransomware. While examining the ransomware payload, we noticed it was a new variant which we ha
Publish At:2021-07-23 21:36 | Read:628 | Comments:0 | Tags:Threat analysis AvosLocker ransomware

Remcos RAT delivered via Visual Basic

This blog post was authored by Erika Noerenberg Introduction Over the past months, Malwarebytes researchers have been tracking a unique malspam campaign delivering the Remcos remote access trojan (RAT) via financially-themed emails. Remcos is often delivered via malicious documents or archive files containing scripts or executables. Like other RATs, Re
Publish At:2021-07-19 18:15 | Read:875 | Comments:0 | Tags:Malware Threat analysis Trojans rat remcos

Kimsuky APT continues to target South Korean government using AppleSeed backdoor

This blog post was authored by Hossein Jazi. The Kimsuky APT—also known as Thallium, Black Banshee, and Velvet Chollima—is a North Korean threat actor that has been active since 2012. The group conducts cyber espionage operations targeting government entities, mainly in South Korea. In December 2020, KISA (Korean Internet & Security Agency) provided a
Publish At:2021-06-01 12:05 | Read:540 | Comments:0 | Tags:Malware Threat analysis AppleSeed APT backdoor Kimsuky korea

Revisiting the NSIS-based crypter

This blog post was authored by hasherezade NSIS (Nullsoft Scriptable Install System) is a framework dedicated to creating software installers. It allows bundling various elements of an application together (i.e. the main executable, used DLLs, configs), along with a script that controls where they are going to be extracted, and what their execution orde
Publish At:2021-05-31 16:35 | Read:542 | Comments:0 | Tags:Threat analysis crypters NSIS packers

SolarWinds attackers launch new campaign

Nobelium is a synthetic chemical element with the symbol No and atomic number 102. It is named in honor of Alfred Nobel. But it is also the name given to the threat actor that is behind the attacks against SolarWinds, the Sunburst backdoor, TEARDROP malware, GoldMax malware, and other related components. Microsoft Threat Intelligence Center (MSTIC) has issued
Publish At:2021-05-28 14:28 | Read:419 | Comments:0 | Tags:Threat analysis constant contact Firebase nobelium solarwind

Aurora campaign: Attacking Azerbaijan using multiple RATs

This post was authored by Hossein Jazi As tensions between Azerbaijan and Armenia continue, we are still seeing a number of cyber attacks taking advantage of this situation. On March 5th 2021, we reported an actor that used steganography to drop a new .Net Remote Administration Trojan. Since that time, we have been monitoring this actor and were able to i
Publish At:2021-04-06 16:35 | Read:1016 | Comments:0 | Tags:Malware Threat analysis Armenia azerbaijan python rat

Cleaning up after Emotet: the law enforcement file

This blog post was authored by Hasherezade and Jérôme Segura Emotet has been the most wanted malware for several years. The large botnet is responsible for sending millions of spam emails laced with malicious attachments. The once banking Trojan turned into loader was responsible for costly compromises due to its relationship with ransomware gangs. On
Publish At:2021-01-29 17:30 | Read:1671 | Comments:0 | Tags:Malware Threat analysis botnet emotet law enforcement takedo

Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat

This post was authored by Hossein Jazi On December 7 2020 we identified a malicious document uploaded to Virus Total which was purporting to be a meeting request likely used to target the government of South Korea. The meeting date mentioned in the document was 23 Jan 2020, which aligns with the document compilation time of 27 Jan 2020, indicating that th
Publish At:2021-01-06 11:48 | Read:942 | Comments:0 | Tags:Social engineering Threat analysis APT37 Hangul korea Office

SolarWinds advanced cyberattack: What happened and what to do now

Over the weekend we learned more about the sophisticated attack that compromised security firm FireEye, the US Treasury and Commerce departments and likely many more victims. Threat actors hacked into IT company SolarWinds in order to use its software channel to push out malicious updates onto 18,000 of its Orion platform customers. This scenario, referre
Publish At:2020-12-14 17:48 | Read:1088 | Comments:0 | Tags:Threat analysis backdoor FireEye hacking solarwinds sunburst

German users targeted with Gootkit banker or REvil ransomware

This blog post was authored by Hasherezade and Jérôme Segura On November 23, we received an alert from a partner about a resurgence of Gootkit infections in Germany. Gootkit is a very capable banking Trojan that has been around since 2014 and possesses a number of functionalities such as keystroke or video recording designed to steal financially-related i
Publish At:2020-11-30 14:30 | Read:1289 | Comments:0 | Tags:Malware Threat analysis banker fileless german germany gootk

Malsmoke operators abandon exploit kits in favor of social engineering scheme

Exploit kits continue to be used as a malware delivery platform. In 2020, we’ve observed a number of different malvertising campaigns leading to RIG, Fallout, Spelevo and Purple Fox, among others. And, in September, we put out a blog post detailing a surge in malvertising via adult websites. One of those campaigns we dubbed ‘malsmoke’ h
Publish At:2020-11-16 15:06 | Read:1252 | Comments:0 | Tags:Exploits Social engineering Threat analysis exploit kits Fal

Release the Kraken: Fileless APT attack abuses Windows Error Reporting service

This blog post was authored by Hossein Jazi and Jérôme Segura. On September 17th, we discovered a new attack called Kraken that injected its payload into the Windows Error Reporting (WER) service as a defense evasion mechanism. That reporting service, WerFault.exe, is usually invoked when an error related to the operating system, Windows features, or a
Publish At:2020-10-06 12:47 | Read:1316 | Comments:0 | Tags:Malware Malwarebytes news Threat analysis "your right to com

Inter skimming kit used in homoglyph attacks

As we continue to track web threats and credit card skimming in particular, we often rediscover techniques we’ve encountered elsewhere before. In this post, we share a recent find that involves what is known as a homoglyph attack. This technique has been exploited for some time already, especially in phishing scams with IDN homograph attacks. Th
Publish At:2020-08-06 16:20 | Read:1583 | Comments:0 | Tags:Threat analysis credit card skimming homoglyph Inter kit Mag

Malspam campaign caught using GuLoader after service relaunch

They say any publicity is good publicity. But perhaps this isn’t true for CloudEye, an Italian firm that claims to provide “the next generation of Windows executables’ protection”. First described by Proofpoint security researchers in March 2020, GuLoader is a downloader used by threat actors to distribute malware on a large scale.
Publish At:2020-07-30 16:35 | Read:1431 | Comments:0 | Tags:Malware Threat analysis GuLoader malspam malware spam steale

Effective Threat Intelligence Through Vulnerability Analysis

Vulnerabilities are weaknesses leveraged by adversaries to compromise the confidentiality, availability or integrity of a resource. The vulnerability ecosystem has matured considerably in the last few years. A significant amount of effort has been invested to capture, curate, taxonomize and communicate the vulnerabilities in terms of severity, impact and com
Publish At:2020-07-30 15:37 | Read:1349 | Comments:0 | Tags:Vulnerability Management ENISA Report threat analysis vulner
