Archive Archives - Malware Patrol (https://www.malwarepatrol.net/category/archive/) – Intelligent Threat Data – feed last updated Wed, 19 Apr 2023 19:49:03 +0000

InfoSec Articles (03/28/2022 – 04/11/2022) – https://www.malwarepatrol.net/infosec-articles-03-28-2022-04-11-2022/ – Mon, 11 Apr 2022 20:25:37 +0000
The post InfoSec Articles (03/28/2022 – 04/11/2022) appeared first on Malware Patrol.

Over the last two weeks, we saw that “from the beginning of 2022, we have dealt with six different strains of wiper malware targeting Ukraine: WhisperKill, WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, and DoubleZero. These attacks are notable on their own. But there’s been an elephant in the room by way of the rumored ‘satellite modem hack’. This particular attack goes beyond Ukraine.”

For more articles, check out our #onpatrol4malware blog.

Not So Lazarus: Mapping DPRK Cyber Threat Groups to Government Organizations

Source: MANDIANT

Mandiant believes that North Korea’s cyber capability supports both long-standing and immediate political and national security priorities, as well as financial goals. Read more.

Phishing-kit market: what’s inside “off-the-shelf” phishing packages

Source: SecureList Kaspersky

Phishing kits are ready-to-deploy packages that require the bare minimum effort to use. Moreover, their developers usually provide instructions with their products for inexperienced attackers. Read more.

AcidRain | A Modem Wiper Rains Down on Europe

Source: SentinelLabs

From the beginning of 2022, we have dealt with six different strains of wiper malware targeting Ukraine: WhisperKill, WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, and DoubleZero. Read more.

Remote Access Trojan Capable Of Conducting Ransomware & DDOS Activities

Source: CYBLE

During our regular OSINT research, Cyble Research Labs came across a new RAT named Borat. Unlike other RATs, the Borat provides Ransomware, DDOS, etc., to Threat Actors along with usual RAT features, further expanding the malware capabilities. Read more.

New UAC-0056 activity: There’s a Go Elephant in the room

Source: Malwarebytes LABS

In late March 2022, the Malwarebytes Threat Intelligence Team identified new activity from this group that targeted several entities in Ukraine, including ICTV, a private TV channel. Read more.

InfoSec Articles (03/15/2022 – 03/28/2022) – https://www.malwarepatrol.net/infosec-articles-03-15-2022-03-28-2022/ – Thu, 31 Mar 2022 19:14:46 +0000

Over the last two weeks, we saw that KELA published a report on ransomware operators’ overall trends and movements over 2021. The cybersecurity firm says that the number of major organizations tracked as ransomware victims increased from 1460 to 2860. In addition, LiveAction published a new Pocket Guide to the MITRE ATT&CK Framework; the framework classifies attacker actions during the lifecycle of a cyberattack.

For more articles, check out our #onpatrol4malware blog.

Pocket Guide to the MITRE ATT&CK Framework

Source: LiveAction

The Mitre ATT&CK framework classifies attacker actions during the lifecycle of a cyberattack. It helps organizations answer a crucial question: how well can we defend against attacker tactics, techniques, and procedures during various phases of an attack? Read more.

CISA and FBI warning: Hackers used these tricks to dodge multi-factor authentication and steal email from NGO

Source: ZD Net

FBI and Cybersecurity and Infrastructure Security Agency (CISA) issued an alert about Russian state-sponsored activity that pre-dates recent warnings over cyber activity related to Russia’s military invasion of Ukraine. Read more.

Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software

Source: SentinelOne

This previously undiscovered set of activities centers around a Python-compiled binary that masquerades as Ukrainian language translation software, leading to the infection of GrimPlant and GraphSteel. Read more.

Uncovering Trickbot’s use of IoT devices in command-and-control infrastructure

Source: Microsoft Security

In this blog, we will share our analysis of the said method and provide insights on how attackers gain access to MikroTik devices and use compromised IoT devices in Trickbot attacks. Read more.

B1txor20 Linux botnet use DNS Tunnel and Log4J exploit

Source: Security Affairs

Researchers uncovered a new Linux botnet, tracked as B1txor20, that exploits the Log4J vulnerability and DNS tunnel. The malware was first spotted on February 9, 2022, when 360Netlab’s honeypot system captured an unknown ELF file that was spreading by exploiting the Log4J vulnerability. Read more.

Franchises, partnerships emerge in Ransomware-as-a-Service operations

Source: ZD Net

On Friday, KELA published a report on ransomware operators’ overall trends and movements over 2021. The cybersecurity firm says that the number of major organizations tracked as ransomware victims increased from 1460 to 2860. Read more.

Hackers Target Bank Networks with new Rootkit to Steal Money from ATM Machines

Source: The Hackers News

A financially motivated threat actor has been observed deploying a previously unknown rootkit targeting Oracle Solaris systems with the goal of compromising Automatic Teller Machine (ATM) switching networks and carrying out unauthorized cash withdrawals at different banks using fraudulent cards. Read more.

Storm Cloud on the Horizon: GIMMICK Malware Strikes at macOS

Source: Volexity

This blog post provides an in-depth analysis of the macOS variant of GIMMICK, but also demonstrates the features and characteristics of the Windows variant. Read more.

InfoSec Articles (02/28/2022 – 03/15/2022) – https://www.malwarepatrol.net/infosec-articles-02-28-2022-03-15-2022/ – Tue, 15 Mar 2022 19:05:26 +0000

Over the last couple of weeks, we saw that on February 24, 2022, Anonymous, a global collective of hackers, announced it was launching a cyber operation against Russian President Vladimir Putin and the Russian state for invading Ukraine. At 2:50 PM EST on February 24, 2022, an anonymous Twitter account with 1.3 million followers tweeted, “The Anonymous collective is officially in cyberwar against the Russian government.”

For more articles, check out our #onpatrol4malware blog.

Why the Cyberwar Against Russia Could Have a Major Impact on the U.S. and Europe

Source: Mailchi

On February 24, 2022, Anonymous announced it was launching a cyber operation against Russian President Vladimir Putin and the Russian state for invading Ukraine. Read more.

FBI Releases Indicators of Compromise for RagnarLocker Ransomware

Source: CISA

The Federal Bureau of Investigation (FBI) has released a Flash report detailing indicators of compromise (IOCs) associated with ransomware attacks by RagnarLocker, a group of ransomware actors targeting critical infrastructure sectors. Read more.

Updated: Conti Ransomware

Source: CISA

CISA, FBI, NSA, USSS have re-released an advisory on Conti ransomware. Conti cyber threat actors remain active and reported Conti ransomware attacks against the U.S. and international organizations have risen to more than 1,000. Read more.

Mobile Malware is Surging in Europe: A Look at the Biggest Threats

Source: Proofpoint

In 2021 alone, Proofpoint detected several different malware packages across the globe. Although volume fell sharply toward the end of 2021, we’re seeing a 2022 resurgence. Read more.

Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments

Source: APT41’s

APT41’s detailed persistent effort allowed them to successfully compromise at least six U.S. state government networks by exploiting vulnerable Internet-facing web applications. Read more.

SATCOM terminals under attack in Europe: a plausible analysis

Source: REVERSEMODE

February 24th: at the same time Russia initiated a full-scale attack on Ukraine, tens of thousands of KA-SAT SATCOM terminals suddenly stopped working in several European countries. Read more.

Ghostwriter / UNC1151 Adopts Microbackdoor Variants in Cyber Operations Against Ukraine

Source: Cluster25

For a few months Cluster25 collected and analyzed several malicious activities which then were internally linked with the threat actor known as UNC1151 (aka GhostWriter), an adversary believed to be linked to the Belarusian government. Read more.

InfoSec Articles (02/14/2022 – 02/28/2022) – https://www.malwarepatrol.net/infosec-articles-02-14-2022-02-28-2022/ – Mon, 28 Feb 2022 17:58:30 +0000

Over the past two weeks, we saw that Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, which exploited network devices, primarily small office/home office (SOHO) routers, and network-attached storage (NAS) devices. In addition, a team of researchers from China’s Pangu Lab on Wednesday published a 50-page report detailing a piece of Linux malware.

For more articles, check out our #onpatrol4malware blog.

SHIELDS UP

Source: CISA

While there are no specific or credible cyber threats to the U.S. homeland at this time, Russia’s unprovoked attack on Ukraine, which has involved cyber-attacks on Ukrainian government and critical infrastructure organizations. Read more.

SockDetour – a Silent, Fileless, Socketless Backdoor – Targets U.S. Defense Contractors

Source: Unit42

A custom backdoor, SockDetour is designed to serve as a backup backdoor in case the primary one is removed. It is difficult to detect since it operates filelessly and socketlessly on compromised Windows servers. Read more.

Chinese Researchers Detail Linux Backdoor of NSA-Linked Equation Group

Source: Securityweek

A team of researchers from China’s Pangu Lab on Wednesday published a 50-page report detailing a piece of Linux malware. Read more.

HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine

Source: SentinelLabs

On February 23rd, our friends at Symantec and ESET research tweeted hashes associated with a wiper attack in Ukraine, including one which is not publicly available as of this writing. Read more.

New Sandworm malware Cyclops Blink replaces VPNFilter

Source: NCSC

Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, which exploited network devices, primarily small office/home office (SOHO) routers, and network-attached storage (NAS) devices. Read more.

Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks

Source: CISA

FBI, CISA, CNMF, and NCSC-UK have observed the Iranian government-sponsored MuddyWater APT group employing spearphishing, exploiting publicly known vulnerabilities, and leveraging multiple open-source tools to gain access to sensitive government and commercial networks. Read more.

InfoSec Articles (02/01/2022 – 02/14/2022) – https://www.malwarepatrol.net/infosec-articles-02-01-2022-02-14-2022/ – Mon, 14 Feb 2022 15:06:15 +0000

Over the past two weeks, we saw “FritzFrog”, a peer-to-peer (P2P) botnet, which means its command and control is not limited to a single, centralized machine but can be performed from any machine in its distributed network. We also saw that Qualys Threat Research has identified a new Lazarus campaign using employment phishing lures targeting the defense sector. The identified variants target job applicants for Lockheed Martin.

For more articles, check out our #onpatrol4malware blog.

FritzFrog: P2P Botnet Hops Back on the Scene

Source: Akamai

FritzFrog is a peer-to-peer botnet, which means its command and control server is not limited to a single, centralized machine, but rather can be done from every machine in its distributed network. Read more.

Modified Elephant APT And A Decade Of Fabricating Evidence

Source: Sentinel LABS

SentinelLabs published research into the operations of a Turkish-nexus threat actor we called EGoManiac, drawing attention to their practice of planting incriminating evidence on the systems of journalists to justify arrests by the Turkish National Police. Read more.

LolZarus: Lazarus Group Incorporating Lolbins into Campaigns

Source: Qualys Community

Qualys Threat Research has identified a new Lazarus campaign using employment phishing lures targeting the defence sector. The identified variants target job applicants for Lockheed Martin. Read more.

Distribution of Kimsuky Group’s xRAT (Quasar RAT) Confirmed

Source: ASEC

On January 26th, 2022, the ASEC analysis team discovered that the Kimsuky group was using the xRAT (Quasar RAT-based open-source RAT) malware. Read more.

PrivateLoader: The first step in many malware schemes

Source: Intel471

This report focuses on the PrivateLoader modular downloader programmed in the C++ programming language connected to an unidentified PPI service. Read more.

Roaming Mantis reaches Europe

Source: SecureList by Kaspersky

Roaming Mantis is a malicious campaign that targets Android devices and spreads mobile malware via smishing. Kaspersky has been tracking Roaming Mantis since 2018 and published five more blog posts about this campaign. Read more.

FBI Releases Indicators of Compromise Associated with LockBit 2.0 Ransomware

Source: CISA

The FBI has released a Flash report detailing IOCs associated with attacks, using LockBit 2.0, a Ransomware-as-a-Service that employs a wide variety of tactics, techniques, and procedures, creating significant challenges for defense and mitigation. Read more.

InfoSec Articles (01/04/2022 – 01/31/2022) – https://www.malwarepatrol.net/infosec-articles-01-04-2022-01-31-2022/ – Mon, 31 Jan 2022 12:57:33 +0000

Over the last two weeks, Varonis Threat Labs has observed one such RaaS provider, ALPHV (aka BlackCat ransomware), gaining traction since late 2021, actively recruiting new affiliates and targeting organizations across multiple sectors worldwide. In addition, we observed KONNI, a Remote Administration Tool that has been used for at least 8 years. The North Korean threat actor that is using this piece of malware has been identified under the Kimsuky umbrella.

For more articles, check out our #onpatrol4malware blog.

Cryptocurrencies: tracing the evolution of criminal finances

Source: Europol

Europol has undertaken an analysis of the criminal use of cryptocurrencies to support law enforcement and its response. The resultant report contains core definitions, case examples, and details of the challenges authorities face in combating the illicit use of cryptocurrency. Read more.

KONNI evolves into stealthier RAT

Source: MalwarebytesLab

KONNI is a Remote Administration Tool that has been used for at least 8 years. The North Korean threat actor that is using this piece of malware has been identified under the Kimsuky umbrella. Read more.

ALPHV (BlackCat) Ransomware

Source: Varonis

Varonis Threat Labs has observed one such RaaS provider, ALPHV (aka BlackCat ransomware), gaining traction since late 2021, actively recruiting new affiliates and targeting organizations across multiple sectors worldwide. Read more.

North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign

Source: MalwarebytesLab

MalwarebytesLab provides technical analysis of this latest attack, including a clever use of Windows Update to execute the malicious payload and GitHub as a command and control server. We have reported the rogue GitHub account for harmful content. Read more.

Threat actor of in-Tur-est

Source: pwc

PwC observed a phishing page that prompted an investigation into a new threat actor we now call ‘White Tur’. Per our in-house naming convention for threat actors, the use of the colour ‘White’ indicates that we have not yet formally attributed White Tur as being based in a specific geographic location. Read more.

Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign

Source: CrowdStrike

StellarParticle, an adversary campaign associated with COZY BEAR, was active throughout 2021 leveraging novel tactics and techniques in supply chain attacks observed by CrowdStrike incident responders. Read more.

TrickBot Bolsters Layered Defenses to Prevent Injection Research

Source: SecurityIntelligence

The cybercrime gang that operates the TrickBot Trojan, as well as other malware and ransomware attacks, has been escalating activity. As part of that escalation, malware injections have been fitted with added protection to keep researchers out and get through security controls. Read more.

InfoSec Articles (01/04/2022 – 01/17/2022) – https://www.malwarepatrol.net/infosec-articles-01-04-2022-01-17-2022/ – Mon, 17 Jan 2022 14:52:47 +0000

Over the past two weeks, we saw that the operators of the SFile ransomware (aka Escal) have developed a Linux version of their malware to expand their operations. SFile has been active since 2020 and was previously observed targeting only Windows systems. Also, Cisco Talos discovered a malicious campaign in October 2021 delivering variants of Nanocore, Netwire and AsyncRATs targeting users’ information.

For more articles, check out our #onpatrol4malware blog.

NOBELIUM’s EnvyScout infection chain goes in the registry, targeting embassies

Source: SEKOIA.IO

NOBELIUM is another name for the APT29 intrusion set¹, operated by a threat actor allegedly linked to the SVR (the Foreign Intelligence Service of the Russian Federation)². Read more.

DNS Over HTTPS: 3 Strategies for Enterprise Security Monitoring

Source: Carnegie Mellon University

DoH is a protocol for performing DNS transactions via an encrypted HTTPS channel. In this post, Sean Hutchison discusses DNS over HTTPS and provides enterprise defenders with three strategies for security monitoring. Read more.

Experts warn of attacks using a new Linux variant of SFile ransomware

Source: Security Affairs

The operators of the SFile ransomware (aka Escal) have developed a Linux version of their malware to expand their operations. SFile ransomware (aka Escal) has been active since 2020; it was observed targeting only Windows systems. Read more.

Nanocore, Netwire and AsyncRAT spreading campaign uses public cloud infrastructure

Source: CISCO

Cisco Talos discovered a malicious campaign in October 2021 delivering variants of Nanocore, Netwire and AsyncRATs targeting user’s information. Read more.

EXPLOITING URL PARSING CONFUSION

Source: Claroty

Claroty’s Team82, in collaboration with Snyk’s research team, has conducted an extensive research project examining URL parsing primitives, and discovered major differences in the way many different parsing libraries and tools handle URLs. Read more.

New SysJoker Backdoor Targets Windows, Linux, and macOS

Source: Intezer

Malware targeting multiple operating systems has become no exception in the malware threat landscape. Vermilion Strike, which was documented just last September, is among the latest examples until now. Read more.

Patchwork APT caught in its own web

Source: Malwarebytes Labs

Patchwork is an Indian threat actor that has been active since December 2015 and usually targets Pakistan via spear-phishing attacks. Read more.

InfoSec Articles (12/21/2021 – 01/04/2022) – https://www.malwarepatrol.net/infosec-articles-12-21-2021-01-04-2022/ – Tue, 04 Jan 2022 18:28:40 +0000

Over the past two weeks, we saw that AvosLocker is a relatively new ransomware-as-a-service. The Sophos Rapid Response team has so far seen AvosLocker attacks in the Americas, Middle East, and Asia-Pacific, targeting Windows and Linux systems. In addition, we also saw the dirty dozen of Latin America: From Amavaldo to Zumanek.

For more articles, check out our #onpatrol4malware blog.

2022 Cybersecurity Predictions

Source: Outpost24

2021 was the year businesses continued to adapt to new working patterns, digital transformation, and battle the increasing threats from ransomware attacks. Here our panel of security experts shares their predictions for the key security challenges to look out for in 2022. Read more.

AvosLocker Ransomware Uses AnyDesk in Safe Mode to Launch Attacks, Sophos Reports

Source: SOPHOS

AvosLocker is a relatively new ransomware-as-a-service. The Sophos Rapid Response team has so far seen AvosLocker attacks in the Americas, Middle East, and Asia-Pacific, targeting Windows and Linux systems. Read more.

A Deep Dive into DoubleFeature, Equation Group’s Post-Exploitation Dashboard

Source: Check Point

Check Point published the story of “Jian” — an exploit used by Chinese threat actor APT31 which was “heavily inspired by” an almost-identical exploit used by the Equation Group, made publicly known by the Shadow Brokers leak. Read more.

The dirty dozen of Latin America: From Amavaldo to Zumanek

Source: welivesecurity

ESET started this blogpost series dedicated to demystifying Latin American banking trojans in August 2019. Read more.

APT37 targets journalists with Chinotto multi-platform malware

Source: Bleeping Computer

North Korean state hacking group APT37 targets South Korean journalists, defectors, and human rights activists in watering hole, spear-phishing emails, and smishing attacks delivering malware dubbed Chinotto capable of infecting Windows and Android. Read more.

A Deep Dive Into SoWaT: APT31’s Multifunctional Router Implant

Source: impOrtp3

The group is targeting various types of targets of interest to the Chinese government. Notably, the group has been subject to several governmental attribution statements, including Germany, France, Norway, Australia. Read more.

RATDispenser, a new stealthy JavaScript loader used to distribute RATs

Source: Security Affairs

Researchers from the HP Threat Research team have discovered a new stealthy JavaScript loader dubbed RATDispenser that is being used to spread a variety of remote access trojans (RATs) in attacks in the wild. Read more.

InfoSec Articles (12/07/2021 – 12/20/2021) – https://www.malwarepatrol.net/infosec-articles-12-07-2021-12-20-2021/ – Mon, 20 Dec 2021 17:04:43 +0000

Over the last two weeks, we saw that ten families of malicious samples are spreading using the Log4j2 vulnerability. NetLab published a blog disclosing Mirai and Muhstik botnet samples propagating through the Log4j2 RCE vulnerability. You will also find here the Technical Advisory: Zero-day critical vulnerability in Log4j2 exploited in the wild.

For more articles, check out our #onpatrol4malware blog.

Ransomware playbook ITSM.00.099

Source: Government of Canada

Ransomware is a type of malware that denies a user’s access to a system or data until a sum of money is paid. It is a serious and evolving threat to Canadians. The impact of ransomware can be devastating to organizations. Read more.

Ten families of malicious samples are spreading using the Log4j2 vulnerability Now

Source: NetLab

On December 11, 2021, at 8:00 pm, NetLab published a blog disclosing Mirai and Muhstik botnet samples propagating through the Log4j2 RCE vulnerability. Read more.

When old friends meet again: why Emotet chose Trickbot for rebirth

Source: Check Point Research

Trickbot and Emotet are considered some of the largest botnets in history. They both share a similar story: they were taken down and made a comeback. Check Point Research observed Trickbot’s activities after the takedown operation. Read more.

Technical Advisory: Zero-day critical vulnerability in Log4j2 exploited in the wild

Source: Bitdefender

On December 9, 2021, Apache disclosed CVE-2021-44228, a remote code execution vulnerability – assigned with a severity of 10 (the highest possible risk score). Read more.

APT31 INTRUSION SET CAMPAIGN

Source: ANSSI

In January 2021, ANSSI was informed of a large campaign of attacks against French entities linked to the APT31 intrusion set. The investigations carried out by ANSSI led to the analysis of the intrusion set’s entire chain of infection. Read more.

ALPHV BlackCat – This year’s most sophisticated ransomware

Source: BleepingComputer

The new ALPHV ransomware operation, aka BlackCat, launched last month and could be the most sophisticated ransomware of the year, with a highly-customizable feature set allowing for attacks on a wide range of corporate environments. Read more.

Phorpiex botnet is back with a new Twizt: Hijacking Hundreds of crypto transactions

Source: Check Point Research

CPR spotted the resurgence of Phorpiex, an old threat known for its sextortion spam campaigns, crypto-jacking, cryptocurrency clipping, and ransomware spread. Read more.

InfoSec Articles (11/23/2021 – 12/06/2021) – https://www.malwarepatrol.net/infosec-articles-11-23-2021-12-06-2021/ – Mon, 06 Dec 2021 17:39:40 +0000

Over the last two weeks, we saw that a new parasitic malware targets the popular Nginx web server, as Sansec discovered. This novel code injects itself into a host Nginx application and is nearly invisible. Sansec also discovered a sophisticated threat that is packed with never-seen stealth techniques.

For more articles, check out our #onpatrol4malware blog.

APWG Report: Phishing Smashes All Previous Records in Q3, 2021; Phishing Attacks Double Since Early 2020

Source: LinkedIn

Attacks Remain Costly, Rising and Maintaining Intensity of Focus Against Cryptocurrency Coins and Services Brands. Read more.

What is Protective DNS?

Source: Open Data Science

Protective DNS is an umbrella term for security solutions that examine DNS queries and implement safeguards to prevent systems from accessing internet resources that contain malicious C2 botnets, malware, ransomware, phishing, and more. Read more.

NginRAT parasite targets Nginx

Source: Sansec

A new parasitic malware targets the popular Nginx web server, Sansec discovered. This novel code injects itself into a host Nginx application and is nearly invisible. The parasite is used to steal data from eCommerce servers, also known as “server-side Magecart”. Read more.

CronRAT malware hides behind February 31st

Source: Sansec

In the run-up to Black Friday, Sansec discovered a sophisticated threat that is packed with never-seen stealth techniques. This malware, dubbed “CronRAT”, hides in the Linux calendar system on February 31st. Read more.

The benefits of external threat hunting

Source: Bleeping Computer

Have you heard of external threat hunting or threat reconnaissance? If you have, you’re in the 1 percent of the 1 percent. This article will help you to learn more. Read more.

Injection is the New Black: Novel RTF Template Inject Technique Poised for Widespread Adoption Beyond APT Actors

Source: Proofpoint

Proofpoint threat researchers have observed the adoption of a novel and easily implemented phishing attachment technique by APT threat actors in Q2 and Q3 of 2021. Read more.

Tracking a P2P network related to TA505

Source: NCC Group

For the past few months NCC Group has been closely tracking the operations of TA505 and the development of their various projects (e.g. Clop). During this research we encountered a number of binary files that we have attributed to the developer(s) of ‘Grace’ (i.e. FlawedGrace). Read more.
