Ransomware Business Models: Future Pivots and Trends

Ransomware Business Models: Future Pivots and Trends

RDP port 3389 remains a popular service abused by ransomware actors to gain initial access to systems located and connected to on-premise infrastructure. However, as more organizations shift to the cloud services for file storage and active directory systems, ransomware groups will look for more opportunities to develop and/or exploit vulnerabilities not yet leveraged at scale. Evolutions Gradual evolutions in the current modern ransomware models as we know them are expected to be tweaked in…

Read More

Earth Preta Spear-Phishing Governments Worldwide

Earth Preta Spear-Phishing Governments Worldwide

In our observation of the campaigns, we noted that, Earth Preta abused fake Google accounts to distribute the malware via spear-phishing emails, initially stored in an archive file (such as rar/zip/jar) and distributed through Google Drive links. Users are then lured into downloading and triggering the malware to execute,  TONEINS, TONESHELL, and PUBLOAD. PUBLOAD has been previously reported, but we add new technical insights in this entry that tie it to TONEINS and TONESHELL, newly…

Read More

Hack the Real Box: APT41’s New Subgroup Earth Longzhi

Hack the Real Box: APT41’s New Subgroup Earth Longzhi

Hack the Real Box: APT41’s New Subgroup Earth Longzhi APT & Targeted Attacks We looked into the campaigns deployed by a new subgroup of advanced persistent threat (APT) group APT41, Earth Longzhi. This entry breaks down the technical details of the campaigns in full as presented at HITCON PEACE 2022 in August. By: Hara Hiroaki, Ted Lee November 09, 2022 Read time:  ( words) In early 2022, we investigated an incident that compromised a company…

Read More

LV Ransomware Exploits ProxyShell in Attack on a Jordan-based Company

LV Ransomware Exploits ProxyShell in Attack on a Jordan-based Company

LV Ransomware Exploits ProxyShell in Attack on a Jordan-based Company Our blog entry provides a look at an attack involving the LV ransomware on a Jordan-based company from an intrusion analysis standpoint By: Mohamed Fahmy, Sherif Magdy, Ahmed Samir October 25, 2022 Read time:  ( words) The Trend Micro research team recently analyzed an infection related to the LV ransomware group, a ransomware as a service (RaaS) operation that has been active since late 2020,…

Read More

How Water Labbu Exploits Electron-Based Applications

How Water Labbu Exploits Electron-Based Applications

We discovered that the Cobalt Strike instance added a persistence registry key to load an exploit file from an online code repository controlled by Water Labbu. The repository hosted multiple exploit files of  CVE-2021-21220 (a Chromium vulnerability affecting versions before 89.0.4389.128) to execute a Cobalt Strike stager. It also contained files designed to target Meiqia (美洽), a Chinese desktop-based live chat app for online customer support that is used on websites. MeiQia (美洽) was developed…

Read More

Tracking Earth Aughisky’s Malware and Changes

Tracking Earth Aughisky’s Malware and Changes

Tracking Earth Aughisky’s Malware and Changes APT & Targeted Attacks For over 10 years, security researchers have been observing and keeping tabs of APT group Earth Aughisky’s malware families and the connections, including previously documented malware that have yet to be attributed. By: CH Lei October 04, 2022 Read time:  ( words) For security researchers and analysts monitoring advanced persistent threat (APT) groups’ attacks and tools, Earth Aughisky (also known as Taidoor) is among the…

Read More

Water Labbu Abuses Malicious DApps to Steal Cryptocurrency

Water Labbu Abuses Malicious DApps to Steal Cryptocurrency

Water Labbu Abuses Malicious DApps to Steal Cryptocurrency Cyber Crime The parasitic Water Labbu capitalizes on the social engineering schemes of other scammers, injecting malicious JavaScript code into their malicious decentralized application websites to steal cryptocurrency. By: Joseph C Chen, Jaromir Horejsi October 03, 2022 Read time:  ( words) We discovered a threat actor we named Water Labbu that was targeting cryptocurrency scam websites. Typically, cryptocurrency scammers use social engineering techniques,  interacting with victims to…

Read More

How Malicious Actors Abuse Native Linux Tools in Their Attacks

How Malicious Actors Abuse Native Linux Tools in Their Attacks

Based on real-world attacks and our honeypots, we observed that malicious actors use a variety of enabled tools that come bundled with Linux distributions, such as curl, wget, chmod, chattr, ssh, base64, chroot, crontab, ps, and pkill, that are abused by attackers for nefarious purposes. We have seen malicious actors abusing these tools in the wild. The presence of these utilities, especially inside container environments, should be at least considered, since they provide additional avenues…

Read More

Iron Tiger Compromises Chat Application Mimi, Targets Windows, Mac, and Linux Users

Iron Tiger Compromises Chat Application Mimi, Targets Windows, Mac, and Linux Users

We confirmed that both the legitimate and the malicious versions of the chat installer were unsigned, which means the users of MiMi chat were probably used to all these extra steps to finally install the application despite all the macOS watchguards. HyperBro The HyperBro malware family has been around since 2017 and has been extensively analyzed. It was updated in mid-2019, which we described in detail in our Operation DRBControl paper. The version used in…

Read More

Trend Micro Joins AWS Marketplace Vendor Insights

Trend Micro Joins AWS Marketplace Vendor Insights

Cloud computing is on a roll. Gartner predicts that spending on public cloud services including IaaS, SaaS and PaaS will reach nearly $500bn this year and grow by over 21% to hit $600bn by 2023. But security concerns persist. Marketplaces like the one offered by AWS make it a lot easier to get the right security tools in the hands of those that need them most. But finding the right cybersecurity partners can still be…

Read More
1 2 3 4