SecureList

JUNE 5, 2023

Satacom downloader, also known as LegionLoader, is a renowned malware family that emerged in 2019. It is known to use the technique of querying DNS servers to obtain the base64-encoded URL in order to receive the next stage of another malware family currently distributed by Satacom.

Cryptocurrency 78

Cryptocurrency DNS Malware Encryption 78

Security Affairs

OCTOBER 20, 2021

” The MSI package first removes registry keys associated with the old Purple Fox installations if any are present, then it replaces the components of the malware with new ones. “The goal is to install the MSI package as an admin without any user interaction.” ” continues the analysis.

Encryption 87

Encryption DNS Architecture Firewall 87

Security Affairs

JUNE 18, 2020

They use DNS tunneling for stealthier C&C communications, and place execution guardrails on the malicious components to hide the malware from security researchers.” Experts also observed attackers using a DNS downloader that was designed for long-term, covert access to the target machine.

DNS 79

DNS Advertising Spyware Software 79

Security Affairs

DECEMBER 12, 2019

” The GALLIUM threat actor is active, but its activity was more intense between 2018 and mid-2019. link] — bk (Ben K) (@bkMSFT) December 12, 2019. Experts pointed out that GALLIUM threat actors were using common versions of malware and publicly available tools with a few changes to evade detection.

Telecommunications 66

Telecommunications DNS Malware Advertising 66

Krebs on Security

FEBRUARY 24, 2023

The Mylobot malware includes more than 1,000 hard-coded and encrypted domain names, any one of which can be registered and used as control networks for the infected hosts. The only experience listed for Khafagy prior to the TikTok job is labeled “Marketing” at “Confidential,” from February 2014 to October 2019.

Accountability 229

Accountability Advertising Marketing Malware 229

Security Affairs

JULY 23, 2019

The attackers demonstrated an increasing level of sophistication across the years, they used custom-malware and various exploits in their attacks. “Second, we identified a previously undocumented malware family with strong links to the Ke3chang group – a backdoor we named Okrum. ” reads the report published by ESET.

DNS 86

DNS Malware Advertising Manufacturing 86

Security Affairs

DECEMBER 7, 2019

In June malware researchers from Cybaze-Yoroi spotted a new suspicious activity potentially linked to the popular APT group. The experts at Cybaze confirmed that the infection patterns were similar to the other attacks spotted in early 2019, including the Matryoshka structure and the use of chained SFX archives. The Gamaredon group.

Government 57

Government Advertising Media DNS 57

Security Affairs

NOVEMBER 19, 2020

Impacted systems included WordPress and DotNetNuke managed hosting platforms, online databases, email servers, DNS servers, RDP access points, and FTP servers. REvil gang is one of the major ransomware operations, it has been active since April 2019, its operators claim to earn over $100 million a year through its RaaS service.

Ransomware 113

Ransomware DNS Encryption Hacking 113

Security Affairs

NOVEMBER 21, 2019

“Fast forwarded to October 11, 2019, our Anglerfish honeypot captured another suspicious ELF sample, and it turned out to be the Downloader of the previous suspicious ELF sample.” It allows users using web browsers to set up user accounts, Apache, DNS, file sharing and much more. SecurityAffairs – Roboto botnet , malware).

DDOS 80

DDOS System Administration Advertising DNS 80

SecureList

AUGUST 30, 2023

Both infection methods resulted in the same malware (the DeathNote downloader), which uploaded the target’s information and retrieved the next-stage payload at the discretion of the C2 (Command and Control) server. It’s thought that the malware was spread through a vulnerability in the software.

Malware 73

Malware Spyware Cryptocurrency Government 73

CyberSecurity Insiders

JANUARY 31, 2021

Back in 2019, a McAfee report confirmed that across all sectors, ransomware incidents increased by 118% during the first quarter of 2019. The average ransom demand increased 100% from 2019 through Q1 of 2020. 3: Not Just Encrypting Data, but Stealing Data to Extort. 2: Increased Ransom Amount.

Ransomware 40

Ransomware Backups Encryption Healthcare 40

SecureList

DECEMBER 8, 2022

Just to clarify, the subheading isn’t a normal quote, but a message that Janicab malware attempted to decode in its newest use of YouTube dead-drop resolvers (DDRs). Janicab was first introduced in 2013 as malware able to run on MacOS and Windows operating systems. Janicab 1.2.9a. Janicab 1.1.2. LNK files structure comparison.

Malware 104

Malware DNS Engineering Internet 104

Fox IT

JANUARY 12, 2021

NCC Group and Fox-IT observed this threat actor during various incident response engagements performed between October 2019 until April 2020. The more recent intrusions took place in 2019 at companies in the aviation industry. observed Q2 2017 Cobalt Strike v3.12, observed Q3 2018 Cobalt Strike v3.14, observed Q2 2019.

VPN 68

VPN Accountability Passwords DNS 68

SecureList

JUNE 1, 2023

The oldest traces of infection that we discovered happened in 2019. Forensic methodology It is important to note, that, although the malware includes portions of code dedicated specifically to clear the traces of compromise, it is possible to reliably identify if the device was compromised. net backuprabbit[.]com com cloudsponcer[.]com

Malware 145

Malware Backups Mobile DNS 145

Security Affairs

AUGUST 20, 2019

In 2019 alone, Silence has infected workstations in more than 30 countries across Europe, Latin America, Africa, and Asia. Ivoke was detected by Group-IB’s Threat Intelligence team in May 2019, when Silence sent out phishing emails purporting to be from a bank’s client with a request to block a card.

Banking 55

Banking Cybercrime Cybersecurity Advertising 55

Security Affairs

AUGUST 7, 2019

group_d : from March 2019 to August 2019 The evaluation process would take care of the following Techniques: Delivery , Exploit , Install and Command. T1388) , from group_b to group_d time frames OilRig used real Compromised User Accountsextracted by Malware (rif. group_a : from 2016 to August 2017 2.

Computers and Electronics 80

Computers and Electronics Penetration Testing DNS Phishing 80

eSecurity Planet

FEBRUARY 16, 2021

Malware, short for “malicious software,” is any unwanted software on your computer that, more often than not, is designed to inflict damage. Since the early days of computing, a wide range of malware types with varying functions have emerged. Best Practices to Defend Against Malware. Jump ahead: Adware. RAM scraper.

Malware 105

Malware Adware Spyware Antivirus 105

SecureList

NOVEMBER 26, 2021

The PyInstaller module for Windows contains a script named “Guard” Interestingly, this malware was developed for both Windows and macOS operating systems. The malware tries to spread to other hosts on the network by infecting USB drives. After this, they were tricked into downloading previously unknown malware.

Malware 86

Malware Banking Energy and Utilities Accountability 86

SecureList

APRIL 24, 2023

Introduction We introduced Tomiris to the world in September 2021, following our investigation of a DNS-hijack against a government organization in the Commonwealth of Independent States (CIS). We hypothesize that the general aim is to provide operators with “full-spectrum malware” in order to evade security products.

Malware 89

Malware DNS Government Software 89

eSecurity Planet

FEBRUARY 3, 2021

This update touches on the newly detected malware , attack vectors to guard against, and why the targeting of security vendors is a critical development in cybersecurity. Before jumping into the technical details regarding each new malware detected and proper safeguards, here is a brief look at the events to date: Sep 2019.

Software 62

Software Malware Authentication Penetration Testing 62

Security Affairs

FEBRUARY 19, 2019

Over the last few days, a phishing campaign from DHL and entitled “ DHL Shipment Notification ” has been targeted users worldwide distribution the Muncy malware. Now, the malware is targeting user’s worldwide and has been spread via phishing campaigns. The process flow diagram below shown how the malware works.

Malware 77

Malware Phishing DNS Engineering 77

McAfee

SEPTEMBER 14, 2021

A special thanks to our Professional Services’ IR team, ShadowServer , for historical context on C2 domains, and Thomas Roccia /Leandro Velasco for malware analysis support. McAfee customers are protected from the malware/tools described in this blog. The malware also decrypts and injects the payload in memory.

Malware 144

Malware DNS Accountability Manufacturing 144

Cisco Security

AUGUST 29, 2022

25+ Years of Black Hat (and some DNS stats), by Alejo Calaoagan. Cisco is a Premium Partner of the Black Hat NOC , and is the Official Wired & Wireless Network Equipment, Mobile Device Management, DNS (Domain Name Service) and Malware Analysis Provider of Black Hat. Cisco Secure Malware Analytics (formerly Threat Grid).

DNS 86

DNS Wireless Malware Firewall 86

SecureList

MAY 23, 2023

GoldenJackal is an APT group, active since 2019, that usually targets government and diplomatic entities in the Middle East and South Asia. The malware’s execution flow is determined by the arguments provided in the command line with which it is run. h2: will cause the malware to gain persistence by creating a Windows service. /r0:

Malware 117

Malware Encryption Government Technology 117

eSecurity Planet

MAY 28, 2021

Malware detection has long been a game of signature detection. With ML and artificial intelligence (AI) using thousands of strains to train algorithms, one would surmise that the ability to detect malware is only improving. Hackers are using the same ML and AI technology to avoid using recognized malware. Old way New way.

Software 99

Software Firmware DNS VPN 99

eSecurity Planet

DECEMBER 3, 2021

lazydocker : A simple terminal UI for both docker and docker-compose : [link] pic.twitter.com/HsK17rzg8m — Binni Shah (@binitamshah) July 1, 2019. Brian Krebs is an independent investigative reporter known for his coverage of technology, malware , data breaches , and cybercrime developments. Brian Krebs | @briankrebs.

Accountability 134

Accountability Cybersecurity Penetration Testing InfoSec 134

eSecurity Planet

MARCH 25, 2022

With lateral movement across a victim’s IT infrastructure, threat actors can escalate privileges, spread malware , extract data , and disrupt IT services as with ransomware attacks. SamSam Ransomware: Malware Specializing in RDP. As long as actors go undetected, the timing of attacks is on the perpetrator’s terms.

VPN 111

VPN Software Authentication Encryption 111

SecureList

FEBRUARY 7, 2022

Roaming Mantis is a malicious campaign that targets Android devices and spreads mobile malware via smishing. We have been tracking Roaming Mantis since 2018, and published five blog posts about this campaign: Roaming Mantis uses DNS hijacking to infect Android smartphones. Roaming Mantis dabbles in mining and phishing multilingually.

Phishing 81

Phishing DNS Mobile Malware 81

SecureList

MAY 31, 2021

Out of the 18,000 Orion IT customers affected by the malware, it seems that only a handful were of interest to the attackers. For example, before making the first internet connection to its C2s, the Sunburst malware lies dormant for up to two weeks, preventing easy detection of this behaviour in sandboxes.

Malware 94

Malware Adware Encryption Architecture 94

eSecurity Planet

DECEMBER 17, 2021

Continuous monitoring of unsanctioned applications, malware , security policies, and more. Multiple security layers to protect against cloud threats and malware. In the Gartner Magic Quadrant for Cloud Access Security Brokers, Forcepoint was a Niche Player in 2018 and 2019 before becoming a Visionary in 2020. Censornet Features.

Risk 128

Risk Firewall Authentication Encryption 128

Fox IT

JUNE 23, 2020

Evil Corp were previously associated to the Dridex malware and BitPaymer ransomware, the latter came to prominence in the first half of 2017. Evil Corp has been operating the Dridex malware since July 2014 and provided access to several groups and individual threat actors.

Ransomware 45

Ransomware Encryption Malware Architecture 45

Security Affairs

APRIL 23, 2019

Security expert Marco Ramilli published the findings of a quick analysis of the webmask project standing behind the DNS attacks implemented by APT34 (aka OilRig and HelixKitten ). According to Duo, “ OilRig delivered Trojans that use DNS tunneling for command and control in attacks since at least May 2016. Source: MISP Project ).

DNS 76

DNS Computers and Electronics Penetration Testing Government 76

Cisco Security

AUGUST 28, 2023

XDR (eXtended Detection and Response) Integrations At Black Hat USA 2023, Cisco Secure was the official Mobile Device Management, DNS (Domain Name Service) and Malware Analysis Provider. SCA detected 289 alerts including Suspected Port Abuse, Internal Port Scanner, New Unusual DNS Resolver,and Protocol Violation (Geographic).

Wireless 68

Wireless DNS Mobile Technology 68

SecureList

APRIL 27, 2021

In our initial report on Sunburst , we examined the method used by the malware to communicate with its C2 (command-and-control) server and the protocol used to upgrade victims for further exploitation. This campaign made use of a previously unknown malware family we dubbed FourteenHi.

Malware 138

Malware Spyware Government Social Engineering 138

Veracode Security

NOVEMBER 19, 2020

In the report, the agencies found that threat actors are targeting the HPH Sector using TrickBot and BazarLoader malware efforts, which can result in the disruption of healthcare services, the initiation of ransomware attacks, and the theft of sensitive data. Every 15 minutes, the malware runs scheduled tasks on the victim???s

Healthcare 52

Healthcare Ransomware Phishing Social Engineering 52

SecureList

JUNE 15, 2022

Complex attacks almost invariably feature several phases, such as reconnaissance, initial access to the infrastructure, gaining access to target systems and/or privileges, and the actual malicious acts (data theft, destruction or encryption, etc.). Malware log offers on a dark web forum. Malware logs (different). General topic.

VPN 89

VPN Accountability Ransomware Encryption 89

SecureList

OCTOBER 19, 2021

Currently Trickbot is focused on penetration and distribution over the local network, providing other malware (such as Ryuk ransomware ) with access to the infected system, though that’s not the only functionality it supports. Downloaded modules are encrypted, and can be decrypted with the Python script below. aexecDll32.

Banking 136

Banking Passwords VPN Internet 136