Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting

Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting

The persistence is ensured by copying a script similarly named as the current filename to the /usr/lib/systemd/system/ directory, and creating a symlink to this file in the /etc/ystem/system/multi-user.target.wants/ directory. Thus, this method only works if the current process has root privileges. The content of the script is: [Unit]Description=xxx[Service]Type=forkingExecStart=<path to current file> -xExecStop=/usr/bin/id[Install]WantedBy=multi-user.target After running the code dependent on the parameters, if the operator has not chosen a GUID with the “-f” parameter, the malware generates…

Read More

Investigating the PlugX Trojan Disguised as a Legitimate Windows Debugger Tool

Investigating the PlugX Trojan Disguised as a Legitimate Windows Debugger Tool

Investigating the PlugX Trojan Disguised as a Legitimate Windows Debugger Tool Malware Trend Micro’s Managed Extended Detection and Response (MxDR) team discovered that a file called x32dbg.exe was used to sideload a malicious DLL we identified as a variant of PlugX. By: Buddy Tancio, Abraham Camba, Catherine Loveria February 24, 2023 Read time:  ( words) Trend Micro’s Managed Extended Detection and Response (MxDR) team discovered that a file called x32dbg.exe was used (via the DLL…

Read More

Invitation to a Secret Event: Uncovering Earth Yako’s Campaigns

Invitation to a Secret Event: Uncovering Earth Yako’s Campaigns

Technical perspectives Based on the arsenals and TTPs, we believe Earth Yako may be related to a number of existing groups. However, since we could only observe partial technical overlaps between Earth Yako and the following groups, we note that this is not our final attribution. We found the overlaps similar with the following groups: 1.      Darkhotel Darkhotel (a.k.a. DUBNIUM) is a threat actor observed to frequently target Japanese organizations in the past. Earth Yako’s…

Read More

Enigma Stealer Targets Cryptocurrency Industry with Fake Jobs

Enigma Stealer Targets Cryptocurrency Industry with Fake Jobs

Enigma Stealer Targets Cryptocurrency Industry with Fake Jobs Malware We discovered an active campaign targeting Eastern Europeans in the cryptocurrency industry using fake job lures. By: Aliakbar Zahravi, Peter Girnus February 09, 2023 Read time:  ( words) We recently found an active campaign that uses a fake employment pretext targeting Eastern Europeans in the cryptocurrency industry to install an information stealer. In this campaign, the suspected Russian threat actors, use several highly obfuscated and underdevelopment…

Read More

Earth Zhulong Familiar Patterns Target Vietnam

Earth Zhulong Familiar Patterns Target Vietnam

Introduction In 2022, we discovered a hacking group that has been targeting telecom, technology, and media sectors in Vietnam since 2020. We track this particular group as Earth Zhulong. We believe that Earth Zhulong is likely related to the Chinese-linked hacking group 1937CN based on similar code in the custom shellcode loader and victimology. In this post, we’ll introduce Earth Zhulong’s new tactics, techniques, and procedures (TTPs) in the recent campaign and the evolution of…

Read More

Earth Zhulong Familiar Patterns Target Southeast Asian Firms

Earth Zhulong Familiar Patterns Target Vietnam

Introduction In 2022, we discovered a hacking group that has been targeting telecom, technology, and media sectors in Southeast Asia since 2020. We track this particular group as Earth Zhulong. We believe that Earth Zhulong is likely related to the Chinese-linked hacking group 1937CN based on similar code in the custom shellcode loader and victimology. In this post, we’ll introduce Earth Zhulong’s new tactics, techniques, and procedures (TTPs) in the recent campaign and the evolution…

Read More

What SOCs Need to Know About Water Dybbuk

What SOCs Need to Know About Water Dybbuk

What SOCs Need to Know About Water Dybbuk Cyber Crime We analyze a BEC campaign targeting large companies around the world that was leveraging open-source tools to stay under the radar. By: Stephen Hilt, Lord Alfred Remorin February 02, 2023 Read time:  ( words) BEC or Business Email Compromise is a significant problem for businesses around the world. According to the Federal Bureau of Investigation (FBI), BEC costs victims more money than ransomware, with an…

Read More

New APT34 Malware Targets The Middle East

New APT34 Malware Targets The Middle East

APT34 Targeting and Arsenal Evolution APT34 has been documented to target organizations worldwide, particularly companies from the financial, government, energy, chemical, and telecommunications industries in the Middle East since at least 2014. Documented as a group primarily involved for cyberespionage, APT34 has been previously recorded targeting government offices and show no signs of stopping with their intrusions. Our continuous monitoring of the group proves it continues to create new and updated tools to minimize the detection…

Read More

New Mimic Ransomware Abuses Everything APIs for its Encryption Process

New Mimic Ransomware Abuses Everything APIs for its Encryption Process

New Mimic Ransomware Abuses Everything APIs for its Encryption Process Ransomware Trend Micro researchers discovered a new ransomware that abuses the APIs of a legitimate tool called Everything, a Windows filename search engine developed by Voidtools that offers quick searching and real-time updates for minimal resource usage. By: Nathaniel Morales, Earle Maui Earnshaw, Don Ovid Ladores, Nick Dai, Nathaniel Gregory Ragasa January 26, 2023 Read time:  ( words) Trend Micro researchers discovered a new ransomware…

Read More

Attacking The Supply Chain: Developer

Attacking The Supply Chain: Developer

In 2021, we published an entry identifying the weak parts of the supply chain security. In the face of the surge in documented attacks, the entry gave a summarized overview of how malicious actors found gaps to abuse and take advantage of for possible gains and disruptions. In this entry, we focus on one specific part of the supply chain: the developers themselves. To find a suitable attack model focusing on the developer, we must…

Read More
1 2 3 4 11