Where is the Origin QAKBOT Uses Valid Code Signing

Where is the Origin QAKBOT Uses Valid Code Signing

In this case, the assumption that the threat actor was directly issued certificates through abuse of the certificate issuance process is more strongly suspected than the stealing of the private key, but the protection of private keys on the user side is still a challenge. In the use of code signing certificates, private key protection on the user side has been enhanced over time, but it still has a long way to go before it…

Read More

LV Ransomware Exploits ProxyShell in Attack on a Jordan-based Company

LV Ransomware Exploits ProxyShell in Attack on a Jordan-based Company

LV Ransomware Exploits ProxyShell in Attack on a Jordan-based Company Our blog entry provides a look at an attack involving the LV ransomware on a Jordan-based company from an intrusion analysis standpoint By: Mohamed Fahmy, Sherif Magdy, Ahmed Samir October 25, 2022 Read time:  ( words) The Trend Micro research team recently analyzed an infection related to the LV ransomware group, a ransomware as a service (RaaS) operation that has been active since late 2020,…

Read More

TeamTNT Returns – or Does It?

TeamTNT Returns – or Does It?

Our honeypots caught malicious cryptocurrency miner samples targeting the cloud and containers, and its routines are reminiscent of the routines employed by cybercriminal group TeamTNT, which was said to have quit in November 2021. Our investigation shows that another threat actor group, WatchDog, might be mimicking TeamTNT’s arsenal. Source link

Read More

Tracking Earth Aughisky’s Malware and Changes

Tracking Earth Aughisky’s Malware and Changes

Tracking Earth Aughisky’s Malware and Changes APT & Targeted Attacks For over 10 years, security researchers have been observing and keeping tabs of APT group Earth Aughisky’s malware families and the connections, including previously documented malware that have yet to be attributed. By: CH Lei October 04, 2022 Read time:  ( words) For security researchers and analysts monitoring advanced persistent threat (APT) groups’ attacks and tools, Earth Aughisky (also known as Taidoor) is among the…

Read More

Atlassian Confluence Vulnerability CVE-2022-26134 Abused For Cryptocurrency Mining, Other Malware

Atlassian Confluence Vulnerability CVE-2022-26134 Abused For Cryptocurrency Mining, Other Malware

Atlassian Confluence Vulnerability CVE-2022-26134 Abused For Cryptocurrency Mining, Other Malware Exploits & Vulnerabilities Users are advised to patch immediately: We found exploit samples abusing the Atlassian Confluence vulnerability (CVE-2022-26134) in the wild for malicious cryptocurrency mining. By: Sunil Bharti September 21, 2022 Read time:  ( words) We observed the active exploitation of CVE-2022-26134, an unauthenticated remote code execution (RCE) vulnerability with a critical rating of 9.8 in the collaboration tool Atlassian Confluence. The gap is…

Read More

A Post-exploitation Look at Coinminers Abusing WebLogic Vulnerabilities

A Post-exploitation Look at Coinminers Abusing WebLogic Vulnerabilities

Using Workload Security to detect WebLogic vulnerability exploitation Workload Security’s correlation of telemetry and detections provided the initial security context in this campaign, which allowed security teams and analysts to track and monitor the malicious actor’s activities. The following Workload Security modules worked to detect the exploitation of CVE-2020-14882 on vulnerable systems: Intrusion prevention system module Workload Security’s intrusion prevention system module can tap into incoming traffic and effectively block and detect malicious network traffic….

Read More

BumbleBee a New Modular Backdoor Evolved From BookWorm

BumbleBee a New Modular Backdoor Evolved From BookWorm

BumbleBee a New Modular Backdoor Evolved From BookWorm Malware In March 2021, we investigated a backdoor with a unique modular architecture and called it BumbleBee due to a string embedded in the malware. However, in our recent investigations, we have discovered a controller application that expands its capabilities. By: Vickie Su, Ted Lee, Nick Dai September 02, 2022 Read time:  ( words) In March 2021, we investigated a backdoor with a unique modular architecture and…

Read More

Tackling the Growing and Evolving Digital Attack Surface 2022 Midyear Cybersecurity Report

Tackling the Growing and Evolving Digital Attack Surface 2022 Midyear Cybersecurity Report

According to our Trend Micro Smart Protection Network (SPN) platform, Emotet detections soared in the first six months of 2022 with 148,701 detections compared to the 13,811 detections in the first half of the previous year. Based on our telemetry, Japan was the country with the highest number of detections. Comparison of Emotet detections Year Count 1H 2021 13,811 1H 2022 148,701 Source: Trend Micro Smart Protection Network Top five countries with Emotet detections Country…

Read More

New Golang Ransomware Agenda Customizes Attacks

New Golang Ransomware Agenda Customizes Attacks

Analysis and notable features The Agenda ransomware is a 64-bit Windows PE file written in Go. Go programs are cross-platform and completely standalone, meaning they will execute properly even without a Go interpreter installed on a system. This is possible since Go statically compiles necessary libraries (packages). Upon execution, this ransomware accepts various command-line arguments that define the malware flow and functionality, as listed in the table below. Argument  Description -alter {int}  Defines the port number…

Read More

Ransomware Actor Abuses Genshin Impact Anti-Cheat Driver to Kill Antivirus

Ransomware Actor Abuses Genshin Impact Anti-Cheat Driver to Kill Antivirus

The mhyprot2.sys driver that was found in this sequence was the one built in August 2020. Going back to social media streams, we can see that shortly after Genshin Impact was released in September 2020, this module was discussed in the gaming community because it was not removed even after the game was uninstalled and because it allowed bypassing of privileges. A PoC, provided by user kagurazakasanae, showed that a library terminated 360 Total Security….

Read More
1 3 4 5 6 7 11