SecureList

JANUARY 22, 2024

We recently caught sight of a new, hitherto unknown, macOS malware family that was piggybacking on cracked software. A downloader A completed “patching” kicked off the main payload, with the sample reaching out to its C2 for an encrypted script. The ciphertext was AES -encrypted in CBC mode.

Software 102

Software DNS Computers and Electronics Malware 102

Security Affairs

NOVEMBER 5, 2021

Over the past months, other ransomware gangs, including Conti and Lockfile , exploited ProxyShell flaws to deliver their malware. The attack chain starts with a downloader module on a victim’s server in the form of a standalone executable format and a DLL. The DLL downloader is run by the Exchange IIS worker process w3wp.exe.

Ransomware 131

Ransomware Backups Encryption DNS 131

SecureList

OCTOBER 25, 2023

Introduction It’s just another cryptocurrency miner… Nobody would even suspect the mining malware was merely a mask, masquerading behind an intricate modular framework that supports both Linux and Windows. This malware employed a custom EternalBlue SMBv1 exploit to infiltrate its victims’ systems.

Malware 107

Malware DNS Encryption Cryptocurrency 107

Malwarebytes

JANUARY 22, 2024

The group uses social engineering techniques to persuade their targets to open documents or download malware. These lure documents, which are harmless PDF files, are sent to the target, but when they open them the content appears to be encrypted. It is mainly in use by security researchers to classify malware.

Social Engineering 95

Social Engineering Government Media DNS 95

SecureList

JUNE 5, 2023

Satacom downloader, also known as LegionLoader, is a renowned malware family that emerged in 2019. It is known to use the technique of querying DNS servers to obtain the base64-encoded URL in order to receive the next stage of another malware family currently distributed by Satacom.

Cryptocurrency 78

Cryptocurrency DNS Malware Encryption 78

Cisco Security

NOVEMBER 3, 2022

Cisco provided automated malware analysis, threat intelligence, DNS visibility and Intrusion Detection; brought together with SecureX. The findings report addresses several security topics, including: Encrypted vs. Unencrypted network traffic. Malware Analysis, through the NetWitness® integration. Voice over IP.

Wireless 73

Wireless DNS Education Encryption 73

SecureList

MARCH 10, 2021

Back then, cybercriminals distributed malware under the guise of the Malwarebytes antivirus installer. In the latest campaign, we have seen several apps impersonated by the malware: the ad blockers AdShield and Netshield, as well as the OpenDNS service. Updater.exe code snippet containing the encrypted address. Patched.netyyk.

DNS 141

DNS Antivirus Malware Encryption 141

SecureWorld News

MARCH 29, 2024

Malvertising acts as a vessel for malware propagation. To set such a stratagem in motion, cybercriminals poison legitimate websites with ads that lead to shady URLs or download malicious code camouflaged as something harmless. This interference is a major catalyst for double extortion that involves both a breach and data encryption.

Cybercrime 84

Cybercrime Advertising Engineering Antivirus 84

SecureList

DECEMBER 1, 2023

To exfiltrate data and deliver next-stage malware, the attackers abuse cloud-based data storage, such as Dropbox or Yandex Disk, as well as a temporary file sharing service. libssl.dll or libcurl.dll was statically linked to implants to implement encrypted C2 communications. We discovered that the domain in question has a deb.fdmpkg[.]org

Malware 91

Malware Ransomware Encryption Energy and Utilities 91

Webroot

SEPTEMBER 7, 2023

Depending on the size of the business, one-third to two-thirds of businesses suffer malware attacks in any given year. Tools like Webroot’s Advanced Email Threat Protection analyze the links and attachments in messages to detect malware and keep your systems secure against threats. In 2022, American businesses lost $10.3

Encryption 88

Encryption Cyber Insurance Cybercrime Phishing 88

eSecurity Planet

AUGUST 8, 2022

A public key is stored with the Domain Name System (DNS) for download by any email server receiving emails with the encrypted digital signature. SPF email authentication counters spoofing by publishing to DNS records a list of email-sending Internet Protocol (IP) addresses authorized by the sending domain. What is SPF?

DNS 116

DNS Phishing Authentication Marketing 116

Security Affairs

MAY 6, 2023

Twitter confirmed that a security incident publicly exposed Circle tweets FBI seized other domains used by the shadow eBook library Z-Library WordPress Advanced Custom Fields plugin XSS exposes +2M sites to attacks Fortinet fixed two severe issues in FortiADC and FortiOS Pro-Russia group NoName took down multiple France sites, including the French (..)

Data breaches 97

Data breaches Malware Mobile Spyware 97

Krebs on Security

MARCH 28, 2021

New data suggests someone has compromised more than 21,000 Microsoft Exchange Server email systems worldwide and infected them with malware that invokes both KrebsOnSecurity and Yours Truly by name. But Watson said they don’t know how many of those systems also ran the secondary download from the rogue Krebsonsecurity domain.

Hacking 351

Hacking Cybercrime DNS Antivirus 351

eSecurity Planet

SEPTEMBER 17, 2021

Cobalt Strike Beacon Linux enables emulation of advanced attacks to a network over HTTP, HTTPS, or DNS. Beacon’s shell commands are handy for performing various injections , remote command executions, and unauthorized uploads and downloads. The malware has been renamed Vermilion. VirusTotal Failed to Detect the Malware.

DNS 98

DNS Malware Software Security Awareness 98

Security Boulevard

JANUARY 17, 2024

Figure 1 — Cloudflare RBI Diagram The primary focus of RBI is to prevent user interactions with web-based malware such as cross-site scripting (XSS), drive-by downloads, and various forms of malicious JavaScript. Other RBI solutions are set to a fail-closed state that blocks the download of a file if it cannot scan it.

DNS 64

DNS Penetration Testing Passwords Encryption 64

Security Affairs

JUNE 18, 2020

They use DNS tunneling for stealthier C&C communications, and place execution guardrails on the malicious components to hide the malware from security researchers.” The attack chain begins with the deployment of a TCP downloader that fetches the next stage payload.

DNS 84

DNS Advertising Spyware Software 84

Fox IT

JUNE 2, 2020

Publicly discovered in late April 2020, the Team9 malware family (also known as ‘Bazar [ 1 ]’) appears to be a new malware being developed by the group behind Trickbot. Even though the development of the malware appears to be recent, the developers have already developed two components with rich functionality. Introduction.

Malware 48

Malware DNS Architecture Backups 48

SecureList

AUGUST 30, 2023

The attackers were able to embed malicious code into the libffmpeg media processing library to download a payload from their servers. If the target opened the document and enabled the macros, a malicious script would extract the embedded downloader and load it with specific parameters.

Malware 73

Malware Spyware Cryptocurrency Government 73

eSecurity Planet

DECEMBER 8, 2023

Domain name service (DNS) attacks threaten every internet connection because they can deny, intercept, and hijack connections. With the internet playing an increasing role in business, securing DNS plays a critical role in both operations and security. TLS and HTTPS inherently create secured and encrypted sessions for communication.

DNS 111

DNS DDOS Firewall Architecture 111

SecureList

SEPTEMBER 21, 2023

The first-ever large-scale malware attacks on IoT devices were recorded back in 2008, and their number has only been growing ever since. A successful password cracking enables hackers to execute arbitrary commands on a device and inject malware. Statista portal predicts their number will exceed 29 billion by 2030. Tested, tried.

IoT 86

IoT DDOS Passwords Malware 86

Security Affairs

OCTOBER 22, 2021

The FiveSys rootkit uses the same technique to remain under the radar, it is very similar to the Undead malware and likely originate from China where is used to target domestic games. Up.sys downloads an executable and starts it using an embedded dll which it injects from kernel mode. PAC fle, hence the name probably).

Malware 114

Malware DNS Internet Internet 114

Security Affairs

OCTOBER 23, 2018

Security experts from Sophos Labs have spotted a new piece of IoT malware tracked as Chalubo that is attempting to recruit devices into a botnet used to launch DDoS attacks. “The attackers encrypt both the main bot component and its corresponding Lua script using the ChaCha stream cipher.” ” continues the analysis.

IoT 82

IoT DDOS Architecture Malware 82

SecureList

JUNE 2, 2022

In their initial disclosures on this threat actor, TeamT5 identified three malware families: SpyDealer, Demsty and WinDealer. In 2020, we discovered a whole new distribution method for the WinDealer malware that leverages the automatic update mechanism of select legitimate applications. WinDealer is a modular malware platform.

Malware 113

Malware Encryption Social Engineering Telecommunications 113

Security Affairs

JUNE 9, 2022

Other techniques employed by the APT group include DLL hijacking, Themida-packed files, and DNS tunneling to evade post-compromise detection. Luring users into double-clicking a fake Anti-Virus to execute malware in the victim’s host. The malware sets the auto start function with the value “EverNoteTrayUService”.

Malware 90

Malware DNS Encryption Education 90

Security Affairs

OCTOBER 20, 2021

” The MSI package first removes registry keys associated with the old Purple Fox installations if any are present, then it replaces the components of the malware with new ones. . “The goal is to install the MSI package as an admin without any user interaction.” ” continues the analysis.

Encryption 94

Encryption DNS Architecture Firewall 94

Security Affairs

JULY 23, 2019

The attackers demonstrated an increasing level of sophistication across the years, they used custom-malware and various exploits in their attacks. “Second, we identified a previously undocumented malware family with strong links to the Ke3chang group – a backdoor we named Okrum. ” reads the report published by ESET. .”

DNS 90

DNS Malware Advertising Manufacturing 90

SecureList

MAY 17, 2021

It may also use social engineering to convince victims to download a smartphone app. The group behind Bizzaro uses servers hosted on Azure and Amazon (AWS) and compromised WordPress servers to store the malware and collect telemetry. Bizarro is distributed via MSI packages downloaded by victims from links in spam emails.

Banking 139

Banking Social Engineering Malware Engineering 139

Security Affairs

NOVEMBER 21, 2019

In October one of the honeypots of the company captured the bot, its downloader , and some bot modules. “Fast forwarded to October 11, 2019, our Anglerfish honeypot captured another suspicious ELF sample, and it turned out to be the Downloader of the previous suspicious ELF sample.” Pierluigi Paganini.

DDOS 83

DDOS System Administration Advertising DNS 83

Security Affairs

APRIL 1, 2019

The popular expert unixfreaxjp analyzed a new China ELF DDoS’er malware tracked as “Linux/DDoSMan” that evolves from the Elknot malware to deliver new ELF bot. But what kind of malware is this Elknot Trojan? This malware is an update and reuse from the Elknot’s malware source code.

DDOS 88

DDOS Malware Encryption Penetration Testing 88

SecureList

DECEMBER 8, 2022

Just to clarify, the subheading isn’t a normal quote, but a message that Janicab malware attempted to decode in its newest use of YouTube dead-drop resolvers (DDRs). Janicab was first introduced in 2013 as malware able to run on MacOS and Windows operating systems. Janicab 1.2.9a. Janicab 1.1.2. LNK files structure comparison.

Malware 104

Malware DNS Engineering Internet 104

Security Affairs

OCTOBER 12, 2019

The new loader is able to drop the malware directly in memory, it was dubbed BOOSTWRITE and allows threat actors to load several malicious codes, including the Carbanak backdoor. In March, the group carried out attacks delivering a previously unseen malware tracked as SQLRat that drops files and executes SQL scripts on the host.

Identity Theft 77

Identity Theft Hacking Advertising DNS 77

SecureList

JUNE 1, 2023

The code within the exploit downloads several subsequent stages from the C&C server, that include additional exploits for privilege escalation. After successful exploitation, a final payload is downloaded from the C&C server, that is a fully-featured APT platform. WIFI OUT: 0.0 - WWAN IN: 76281896.0, WWAN OUT: 100956502.0

Malware 145

Malware Backups Mobile DNS 145

SecureList

APRIL 22, 2024

A connection like this created on domain controllers allows attackers to obtain the IP addresses of hosts on the internal network through DNS queries. 54112" Krong is a proxy that encrypts the data transmitted through it using the XOR function. It protects data with the current user’s password and a special encryption master key.

VPN 105

VPN Passwords Encryption Malware 105

SecureList

JANUARY 13, 2022

The group seems to work more like a unit within a larger formation of Lazarus attackers, with the ability to tap into its vast resources: be it malware implants, exploits, or infrastructure. Abusing a dccw.exe file is a known technique and we suspect the malware authors used it to run the next stage malware with high privilege.

Cryptocurrency 126

Cryptocurrency Malware Accountability Banking 126

Fox IT

JUNE 29, 2022

Flubot is an Android based malware that has been distributed in the past 1.5 An important part of the popularity of Flubot is due to the distribution strategy used in its campaigns, since it has been using the infected devices to send text messages, luring new victims into installing the malware from a fake website. Introduction.

Banking 97

Banking Malware DNS Encryption 97

Security Affairs

DECEMBER 20, 2018

N051118 ), where the malicious payload was dropped abusing a macro-enabled word document able to download the malicious DLL paylaod. The malware tries to connect to the remote host 149.154.157.104 (EDIS-IT IT) through an encrypted SSL channel, then it downloads other components and deletes itself from the filesystem.

Banking 77

Banking Malware Internet Internet 77

Security Boulevard

OCTOBER 21, 2022

Recently, Zscaler ThreatLabz discovered a new malware being used by the SideWinder APT threat group in campaigns targeting Pakistan: a backdoor we’ve called “WarHawk.” The WarHawk Backdoor consists of four modules: Download & Execute Module. SideWinder APT campaign targets Pakistan with a new backdoor named “WarHawk”.

DNS 52

DNS Phishing Malware Government 52