2014, DNS, Encryption and Malware - Cyber Security Informer

German encrypted email service Tutanota suffers DDoS attacks

Security Affairs

SEPTEMBER 19, 2020

The popular encrypted email service Tutanota was hit with a series of DDoS attacks this week targeting its website fist and its DNS providers later. Encrypted email service, Tutanota suffered a series of DDoS attacks that initially targeted the website and later its DNS providers. ” continues the post.

DDOS

DDOS Encryption DNS Advertising

Who’s Behind the Botnet-Based Service BHProxies?

Krebs on Security

FEBRUARY 24, 2023

The Mylobot malware includes more than 1,000 hard-coded and encrypted domain names, any one of which can be registered and used as control networks for the infected hosts. The account didn’t resume posting on the forum until April 2014. 5, 2014 , but historic DNS records show BHproxies[.]com com on Mar.

Accountability

Accountability Advertising Marketing Malware

New Ttint IoT botnet exploits two zero-days in Tenda routers

Security Affairs

OCTOBER 5, 2020

Unlike other IoT DDoS botnets, Ttint implements 12 remote access functions such as Socket5 proxy for router devices, tampering with router firewall and DNS settings, executing remote custom system commands. ” ~ Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->. ” concludes the report.

IoT

IoT Firmware DNS Advertising

Webinars

Reimagining Cybersecurity Training: Driving Real Impact on Security Culture

MORE WEBINARS

InvisiMole group targets military sector and diplomatic missions in Eastern Europe

Security Affairs

JUNE 18, 2020

They use DNS tunneling for stealthier C&C communications, and place execution guardrails on the malicious components to hide the malware from security researchers.” Experts also observed attackers using a DNS downloader that was designed for long-term, covert access to the target machine. Pierluigi Paganini.

DNS

DNS Advertising Spyware Software

GALLIUM Threat Group targets global telcos, Microsoft warns

Security Affairs

DECEMBER 12, 2019

Experts pointed out that GALLIUM threat actors were using common versions of malware and publicly available tools with a few changes to evade detection. The operators leverage on low cost and easy to replace infrastructure using dynamic-DNS domains and regularly reused hop points. ” continues the analysis. Pierluigi Paganini.

Telecommunications

Telecommunications DNS Malware Advertising

China-Linked APT15 group is using a previously undocumented backdoor

Security Affairs

JULY 23, 2019

The attackers demonstrated an increasing level of sophistication across the years, they used custom-malware and various exploits in their attacks. “Second, we identified a previously undocumented malware family with strong links to the Ke3chang group – a backdoor we named Okrum. ” reads the report published by ESET.

DNS

DNS Malware Advertising Manufacturing

Chalubo, a new IoT botnet emerges in the threat landscape

Security Affairs

OCTOBER 23, 2018

Security experts from Sophos Labs have spotted a new piece of IoT malware tracked as Chalubo that is attempting to recruit devices into a botnet used to launch DDoS attacks. “The attackers encrypt both the main bot component and its corresponding Lua script using the ChaCha stream cipher.” ” continues the analysis.

IoT

IoT DDOS Architecture Malware

WinDealer dealing on the side

SecureList

JUNE 2, 2022

In their initial disclosures on this threat actor, TeamT5 identified three malware families: SpyDealer, Demsty and WinDealer. In 2020, we discovered a whole new distribution method for the WinDealer malware that leverages the automatic update mechanism of select legitimate applications. WinDealer is a modular malware platform.

Malware

Malware Encryption Social Engineering Telecommunications

Ramnit is back and contributes in creating a massive proxy botnet, tracked as ‘Black’ botnet

Security Affairs

AUGUST 8, 2018

Ramnit is one of the most popular banking malware families in existence today, it was first spotted in 2010 as a worm, in 2011, its authors improved it starting from the leaked Zeus source code turning the malware into a banking Trojan. In 2014 it reached the pinnacle of success, becoming the fourth largest botnet in the world.

Malware

Malware DNS Encryption Banking

Roboto, a new P2P botnet targets Linux Webmin servers

Security Affairs

NOVEMBER 21, 2019

.” The analysis of the bot revealed that it supports seven functions: reverse shell, self-uninstall, gather process’ network information, gather Bot information, execute system commands, run encrypted files specified in URLs, DDoS attack, etc. Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->.

DDOS

DDOS System Administration Advertising DNS

New Linux/DDosMan threat emerged from an evolution of the older Elknot

Security Affairs

APRIL 1, 2019

The popular expert unixfreaxjp analyzed a new China ELF DDoS’er malware tracked as “Linux/DDoSMan” that evolves from the Elknot malware to deliver new ELF bot. But what kind of malware is this Elknot Trojan? This malware is an update and reuse from the Elknot’s malware source code.

DDOS

DDOS Malware Encryption Penetration Testing

FIN7 Hackers group is back with a new loader and a new RAT

Security Affairs

OCTOBER 12, 2019

The new loader is able to drop the malware directly in memory, it was dubbed BOOSTWRITE and allows threat actors to load several malicious codes, including the Carbanak backdoor. In March, the group carried out attacks delivering a previously unseen malware tracked as SQLRat that drops files and executes SQL scripts on the host.

Identity Theft

Identity Theft Hacking Advertising DNS

Necurs Botnet adopts a new strategy to evade detection

Security Affairs

MARCH 4, 2019

Necurs botnet is currently the second largest spam botnet , it has been active since at least 2012 and was involved in massive campaigns spreading malware such as the Locky ransomware , the Scarab ransomware , and the Dridex banking Trojan. Instead, the real IP address of the C2 is obfuscated with what is essentially an encryption algorithm.

DNS

DNS Banking Advertising Ransomware

Russia-linked Gamaredon group targets Ukraine officials

Security Affairs

DECEMBER 7, 2019

In June malware researchers from Cybaze-Yoroi spotted a new suspicious activity potentially linked to the popular APT group. Upon reboot, the VBScript performs an HTTP GET request to fetch an encrypted stage from a dynamic DNS domain. ” ~ Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->.

Government

Government Advertising Media DNS

Analyzing a Danabot Paylaod that is targeting Italy

Security Affairs

DECEMBER 20, 2018

The malware tries to connect to the remote host 149.154.157.104 (EDIS-IT IT) through an encrypted SSL channel, then it downloads other components and deletes itself from the filesystem. Registry key created by malware. Figure 2: Complete malware implant folder. Example of execution of the malware. As shown in Fig.3,

Banking

Banking Malware Internet Internet

OilRig APT group: the evolution of attack techniques over time

Security Affairs

AUGUST 7, 2019

OilRig Description : According to MITRE , OilRig is a threat group with suspected Iranian origins that has targeted Middle Eastern and international victims since at least 2014. T1388) , from group_b to group_d time frames OilRig used real Compromised User Accountsextracted by Malware (rif. Exploit Technique Over Time.

Computers and Electronics

Computers and Electronics Penetration Testing DNS Phishing

INTERNET BLOCKING IN MYANMAR – SECRET BLOCK LIST AND NO MEANS TO APPEAL

Security Affairs

AUGUST 10, 2020

Our findings show that both Telenor and MPT block websites using DNS tampering. MPT is ignoring the DNS requests to the blocked domains, while Telenor is redirecting them to an IP address outside of the country. The block page uses the domain “ urlblocked.pw ” registered the 26th of March 2020 with a free Let’s encrypt certificate.

Internet

Internet Internet Telecommunications DNS

LimeRAT spreads in the wild

Security Affairs

APRIL 9, 2019

Too many times turned into fully-featured malware implants by unethical hackers and cyber criminals. Exploring the malware code, we detected multiple evidence indication of the possible belonging malware family: LimeRAT. Figure 9: The persistence mechanisms of the malware. Technical Analysis. C2 retrieval.

Malware

Malware Advertising DNS Antivirus

Spying on satellite internet comms with a $300 listening station

Security Affairs

AUGUST 10, 2020

Pavel explained that attackers could also collect information even when the traffic is encrypted. The analysis of DNS could reveal the user’s Internet browsing history while the analysis of TLS certificates could allow fingerprinting the servers the user connected.

Internet

Internet Internet Advertising Encryption

IT threat evolution Q3 2021

SecureList

NOVEMBER 26, 2021

The PyInstaller module for Windows contains a script named “Guard” Interestingly, this malware was developed for both Windows and macOS operating systems. The malware tries to spread to other hosts on the network by infecting USB drives. After this, they were tricked into downloading previously unknown malware.

Malware

Malware Banking Energy and Utilities Accountability

Damage from Silence APT operations increases fivefold. The gang deploys new tools on its “worldwide tour”

Security Affairs

AUGUST 20, 2019

The Trojan is used during the lateral movement stage and is designed to control compromised systems by performing tasks through the command shell and tunneling traffic using the DNS protocol. Silence has also changed its encryption alphabets, string encryption, and commands for the bot and the main module. Pierluigi Paganini.

Banking

Banking Cybercrime Cybersecurity Advertising

The Muncy malware is on the rise

Security Affairs

FEBRUARY 19, 2019

Over the last few days, a phishing campaign from DHL and entitled “ DHL Shipment Notification ” has been targeted users worldwide distribution the Muncy malware. Now, the malware is targeting user’s worldwide and has been spread via phishing campaigns. The process flow diagram below shown how the malware works.

Malware

Malware Phishing DNS Engineering

Cr1ptT0r Ransomware targets D-Link NAS Devices and embedded systems

Security Affairs

FEBRUARY 23, 2019

A user reported that its D-Link DNS-320 device was infected by malicious code. The D-Link DNS-320 model is no more available for sale, one of the members of the forum explained that the firmware of its NAS was never updated and its device was exposed to WAN through ports 8080, FTP port 21, and a range of ports for port forwarding.

Ransomware

Ransomware DNS Firmware Encryption

Iran-linked APT34: Analyzing the webmask project

Security Affairs

APRIL 23, 2019

Security expert Marco Ramilli published the findings of a quick analysis of the webmask project standing behind the DNS attacks implemented by APT34 (aka OilRig and HelixKitten ). Contest: Since at least 2014, an Iranian threat group tracked by FireEye as APT34 has conducted reconnaissance aligned with the strategic interests of Iran.

DNS

DNS Computers and Electronics Penetration Testing Government

Unveiling JsOutProx: A New Enterprise Grade Implant

Security Affairs

DECEMBER 20, 2019

Experts at Yoroi/Cybaze ZLab spotted a new sophisticated malware implant dubbed JsOutProx that seems to be unrelated to mainstream cyber weapons. During our threat intelligence source monitoring operations, we spotted a new sophisticated malware implant, dubbed JsOutProx, that seems to be unrelated to mainstream cyber weapons.

Malware

Malware DNS Architecture Advertising

WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group

Fox IT

JUNE 23, 2020

Evil Corp were previously associated to the Dridex malware and BitPaymer ransomware, the latter came to prominence in the first half of 2017. Evil Corp has been operating the Dridex malware since July 2014 and provided access to several groups and individual threat actors.

Ransomware

Ransomware Encryption Malware Architecture

The ‘MartyMcFly’ investigation: Italian naval industry under attack

Security Affairs

NOVEMBER 14, 2018

Experts at Yoroi’s Cyber Security Defence Center along with Fincantieri’s security team investigated the recently discovered Martymcfly malware attacks. command and control services of info stealers malware). DNS requests intercepted. Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->.

Computers and Electronics

Computers and Electronics Penetration Testing Malware Phishing

APT trends report Q1 2021

SecureList

APRIL 27, 2021

In our initial report on Sunburst , we examined the method used by the malware to communicate with its C2 (command-and-control) server and the protocol used to upgrade victims for further exploitation. This campaign made use of a previously unknown malware family we dubbed FourteenHi.

Malware

Malware Spyware Government Social Engineering

Trickbot module descriptions

SecureList

OCTOBER 19, 2021

Trickbot (aka TrickLoader or Trickster), is a successor of the Dyre banking Trojan that was active from 2014 to 2016 and performed man-in-the-browser attacks in order to steal banking credentials. Downloaded modules are encrypted, and can be decrypted with the Python script below. The Gophe spambot was used to propagate Dyre malware.

Banking

Banking Passwords VPN Internet

Uncovering RedStinger - Undetected APT cyber operations in Eastern Europe since 2020

Malwarebytes

MAY 9, 2023

Finally, we will reveal unknown scripts and malware run by the group in this report. The configuration was encrypted, and looked like this: Config file forms the end of ntuser.dat That configuration was encrypted using AES. The IV is the first 16 bytes of the config. The key can be recovered from the fourth MZ.

Surveillance

Surveillance Accountability DNS Encryption

The Hacker Mind Podcast: EP 69 Self-Healing Operating Systems

ForAllSecure

APRIL 19, 2023

I first met Dan when he was literally saving the world; okay, at least saving the internet as we know it today by disclosing to the major ISPs in the world a flaw he’d found in the Domain Name System or DNS. With a database operating system, you’ll known in milliseconds if you’ve been attacked with malware.

Software

Software Backups Computers and Electronics Technology

[SI-LAB] #OpJerusalem 2019 – JCry ransomware is now infecting Windows users

Security Affairs

MARCH 6, 2019

SI-LAB analyzed this malware and noticed that it does not use sophisticated techniques. Criminals used UPX packer to protect malware code written in Go and a RSA public certificate is hardcoded inside malware to encrypt all user’s target files. This finding results in a simple “key” to encrypt all the infected victims.

Ransomware

Ransomware Encryption Malware Cyber Attacks

[SI-LAB] #OpJerusalem 2019 – JCry ransomware is now infecting Windows users

Security Affairs

MARCH 6, 2019

SI-LAB analyzed this malware and noticed that it does not use sophisticated techniques. Criminals used UPX packer to protect malware code written in Go and a RSA public certificate is hardcoded inside malware to encrypt all user’s target files. This finding results in a simple “key” to encrypt all the infected victims.

Ransomware

Ransomware Encryption Malware Cyber Attacks

Cyber CEO: The History Of Cybercrime, From 1834 To Present

Herjavec Group

AUGUST 26, 2021

After being released in 2003, he uses WiFi to commit attacks, program malware and steal credit card information. 2002 – Internet Attack — By targeting the thirteen Domain Name System (DNS) root servers, a DDoS attack assaults the entire Internet for an hour. 1998-2007 — Max Butler — Max Butler hacks U.S. billion dollars in damages.

Cybercrime

Cybercrime Computers and Electronics Banking Hacking

Cyber Security Informer

German encrypted email service Tutanota suffers DDoS attacks

Who’s Behind the Botnet-Based Service BHProxies?

Webinars

Trending Sources

New Ttint IoT botnet exploits two zero-days in Tenda routers

Webinars

InvisiMole group targets military sector and diplomatic missions in Eastern Europe

GALLIUM Threat Group targets global telcos, Microsoft warns

China-Linked APT15 group is using a previously undocumented backdoor

Chalubo, a new IoT botnet emerges in the threat landscape

WinDealer dealing on the side

Ramnit is back and contributes in creating a massive proxy botnet, tracked as ‘Black’ botnet

Roboto, a new P2P botnet targets Linux Webmin servers

New Linux/DDosMan threat emerged from an evolution of the older Elknot

FIN7 Hackers group is back with a new loader and a new RAT

Necurs Botnet adopts a new strategy to evade detection

Russia-linked Gamaredon group targets Ukraine officials

Analyzing a Danabot Paylaod that is targeting Italy

OilRig APT group: the evolution of attack techniques over time

INTERNET BLOCKING IN MYANMAR – SECRET BLOCK LIST AND NO MEANS TO APPEAL

LimeRAT spreads in the wild

Spying on satellite internet comms with a $300 listening station

IT threat evolution Q3 2021

Damage from Silence APT operations increases fivefold. The gang deploys new tools on its “worldwide tour”

The Muncy malware is on the rise

Cr1ptT0r Ransomware targets D-Link NAS Devices and embedded systems

Iran-linked APT34: Analyzing the webmask project

Unveiling JsOutProx: A New Enterprise Grade Implant

WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group

The ‘MartyMcFly’ investigation: Italian naval industry under attack

APT trends report Q1 2021

Trickbot module descriptions

Uncovering RedStinger - Undetected APT cyber operations in Eastern Europe since 2020

The Hacker Mind Podcast: EP 69 Self-Healing Operating Systems

[SI-LAB] #OpJerusalem 2019 – JCry ransomware is now infecting Windows users

[SI-LAB] #OpJerusalem 2019 – JCry ransomware is now infecting Windows users

Cyber CEO: The History Of Cybercrime, From 1834 To Present

Stay Connected