2015, File names and Libraries - Information Management Today

Enigma info-stealing malware targets the cryptocurrency industry

Security Affairs

FEBRUARY 13, 2023

The attacker also exploits the CVE-2015-2291 flaw in an Intel driver to conduct BYOVD attacks and reduce the token integrity of Microsoft Defender. This approach allows the attacker to continuously update and eliminates reliance on fixed file names.” ” continues the report.

Archiving

Archiving File names Libraries Phishing

New KilllSomeOne APT group leverages DLL side-loading

Security Affairs

NOVEMBER 5, 2020

The name KilllSomeOne comes from the phrase ‘KilllSomeOne’ used in the DLL side-loading attacks, the group is using poorly-written English messages relating to political subjects. . Dynamic-link library (DLL) side-loading takes advantage of how Microsoft Windows applications handle DLL files. Pierluigi Paganini.

File names

File names Encryption Libraries IT

The North Korean Kimsuky APT threatens South Korea evolving its TTPs

Security Affairs

MARCH 3, 2020

Hash 757dfeacabf4c2f771147159d26117818354af14050e6ba42cc00f4a3d58e51f Threat Kimsuky loader Brief Description Scr file, initial loader Ssdeep 12288:APWcT1z2aKqkP/mANd2JiEWKZ52zfeCkIAYfLeXcj6uuLl:uhT1z4q030JigZUaULeXc3uLl. Figure 2: Written file (AutoUpdate.dll) in the “%AppData%LocalTemp” path. Table 2: AutoUpdate.dll Information.

IT

IT File names Libraries Communications

Iran-linked group Cobalt Dickens hit over 60 universities worldwide

Security Affairs

SEPTEMBER 12, 2019

This operation is similar to the threat group’s August 2018 campaign , using compromised university resources to send library-themed phishing emails.” The hackers registered at least 20 new domain names through the Freenom domain provider that offers free top-level domain names. Pierluigi Paganini.

Phishing

Phishing Libraries File names Metadata

Recently fixed WinRAR bug actively exploited in the wild

Security Affairs

MARCH 15, 2019

The flaw is an “Absolute Path Traversal” issue in the library that could be exploited to execute arbitrary code by using a specially-crafted file archive. The issue affects a third-party library, called UNACEV2.DLL DLL that is used by WINRAR, it resides in the way an old third-party library, called UNACEV2.DLL,

Archiving

Archiving Libraries File names Security

Emotet operators are running Halloween-themed campaigns

Security Affairs

OCTOBER 31, 2020

Emotet is a modular malware, its operators could develop new Dynamic Link Libraries to update its capabilities. Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->. since August. Emotet, known to use holidays and other seasonal themes as lures, has been observed running Halloween-themed campaigns.

File names

File names Libraries Ransomware Security

Evilnum APT used Python-based RAT PyVil in recent attacks

Security Affairs

SEPTEMBER 3, 2020

The second layer of Python code decodes and loads to memory the main RAT and the imported libraries. The new infection chain starts by including just one LNK file in the ZIP archive attached to spear-phishing messages. Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->. concludes the report.

Phishing

Phishing Encryption File names Metadata

Severe bug in LibreOffice and OpenOffice suites allows remote code execution

Security Affairs

FEBRUARY 5, 2019

By exploiting the vulnerability it is possible to trigger the automatic execution of a specific python library included in the suite using a hidden onmouseover event. The expert pointed out that the python file, named “pydoc.py,” is already included in the LibreOffice software. Pierluigi Paganini.

File names

File names Libraries Security IT

Crooks target Healthcare facilities involved in Coronavirus containment with Ransomware

Security Affairs

APRIL 14, 2020

“The emails all contained a malicious Rich Text Format (RTF) phishing lure with the file name 20200323- sitrep -63- covid -19. ” The messages use a weaponized rich text format (RTF) attachment that exploits the CVE-2012-0158 buffer overflow in Microsoft’s ListView / TreeView ActiveX controls in MSCOMCTL.OCX library.

Ransomware

Ransomware Phishing File names Encryption

New Gallmaker APT group eschews malware in cyber espionage campaigns

Security Affairs

OCTOBER 10, 2018

“These lure documents use titles with government , military, and diplomatic themes, and the file names are written in English or Cyrillic languages. Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->. ” continues Symantec. Pierluigi Paganini.

Military

Military File names Libraries Government

The Long Run of Shade Ransomware

Security Affairs

FEBRUARY 19, 2019

It spreads Shade/ Treshold variants, one of the most dangerous threats in the cyber crime scenario, known since its massive infection into the Russian panorama back in 2015, its expansion has been tracked by several CSIRTs and CERTs all across the world. Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->.

Ransomware

Ransomware Mining File names Encryption

Thousands of applications affected by a zero-day issue in jQuery File Upload plugin

Security Affairs

OCTOBER 20, 2018

The plugin is widely adopted by numerous server-side platforms that support standard HTML form file uploads: PHP, Python, Ruby on Rails, Java, Node.js, Go, and others. Cashdollar discovered two PHP files named upload.php and UploadHandler.php in the package’s source, which contained the file upload code.

File names

File names Libraries Security Access

CrowdStrike uncovered a new campaign of GOBLIN PANDA APT aimed at Vietnam

Security Affairs

SEPTEMBER 5, 2018

“Two exploit documents with Vietnamese-language file names were observed with file metadata unique to the GOBLIN PANDA adversary.” Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->. ” reads the analysis published by CrowdStrike. Pierluigi Paganini.

Metadata

Metadata File names Libraries Government

BlackSquid malware uses multiple exploits to drop cryptocurrency miners

Security Affairs

JUNE 5, 2019

“This malware, which we named BlackSquid after the registries created and main component file names, is particularly dangerous for several reasons.” According to the experts, BlackSquid has worm-like propagation capabilities and it can be used to launch brute-force attacks. ” states Trend Micro.

Mining

Mining File names Libraries IT

ATMitch: New Evidence Spotted In The Wild

Security Affairs

MAY 7, 2019

The executable sample is a PE32 x86 file named “tester.exe”. This library provides access to the E X tension for F inancial S ervice (XFS) API, the communication interface needed to interact with AMT components such as PIN pad and cash dispenser. Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->.

Libraries

Libraries e-Discovery Communications File names

Dissecting the latest Ursnif DHL-Themed Campaign

Security Affairs

DECEMBER 4, 2018

The second stage of the infection chain is the “ ppc.cab ” file downloaded by the dropper to the “ %APPDATA%Roaming ” location: it actually is a Microsoft Cabinet archive embedding an executable file named “ puk.exe ”. Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->. Pierluigi Paganini.

Archiving

Archiving File names Libraries Communications

JSWorm: The 4th Version of the Infamous Ransomware

Security Affairs

SEPTEMBER 4, 2019

The malware encrypts all the files whose extension is not present in the list. Figure 4: Content of “key” file contained in “C:ProgramData”. During the encryption phase, JSWorm writes a suspicious file named “key.Infection_ID.JSWRM” in “C:ProgramData”.It It contains the AES key used to encrypt the files.

Ransomware

Ransomware Encryption File names Libraries

New Cyber Operation Targets Italy: Digging Into the Netwire Attack Chain

Security Affairs

JUNE 5, 2020

The macro contained inside the document is quite minimal and does not contain dead code or other anti-analysis technique, a part of the random looking variable naming. If the download is successful, the malware reads raw bytes from the downloaded file and transforms them into ready to execute powershell code. Figure 3: Extracted Macro.

Manufacturing

Manufacturing File names IT Libraries

[SI-LAB] FlawedAmmyy Leveraging Undetected XLM Macros as an Infection Vehicle

Security Affairs

MARCH 2, 2019

File name: patent-2019-02-20T093A283A05-1.xls However, as already mentioned at the beginning of the technical analysis, SI-LAB team obtained two types of files, namely xls and doc archives. File name : 68131_46_20190219.doc Analyzing the MSI file – The installer/dropper of infamous FlawedAmmyy.

File names

File names Phishing Libraries IT

A new trojan Lampion targets Portugal

Security Affairs

DECEMBER 29, 2019

As observed, the output shows us two AWS-hosted addresses that contain two malicious files, namely: hxxps[:]//fucktheworld.s3.us-east-2.amazonaws[.]com/0.zip zip file is a DLL with additional code loaded by PE File P-19-2.dll At the moment, the file 0.zip To get details about the library inside the 0.zip

Passwords

Passwords e-Discovery IT Cleanup

WinRAR CVE-2018-20250 flaw exploited in multiple campaigns

Security Affairs

MARCH 28, 2019

The flaw is an “Absolute Path Traversal” issue in the library that could be exploited to execute arbitrary code by using a specially-crafted file archive. The issue affects a third-party library, called UNACEV2.DLL DLL that is used by WINRAR, it resides in the way an old third-party library, called UNACEV2.DLL,

Archiving

Archiving File names Education Libraries

New release of Lampion trojan spreads in Portugal with some improvements on the VBS downloader

Security Affairs

JULY 7, 2020

However, in this new release, two DLL files are distributed. VBS file leverages the Windows rundll32 library to inject the first DLL into memory (P-14-7.dll), Figure 6: Deofuscated VBS file – Lampion trojan July 2020. LNK files from the Windows startup folder. VBS files from the Windows startup folder.

Communications

Communications Cloud Phishing Encryption

Information Management Today

Enigma info-stealing malware targets the cryptocurrency industry

New KilllSomeOne APT group leverages DLL side-loading

Trending Sources

The North Korean Kimsuky APT threatens South Korea evolving its TTPs

Iran-linked group Cobalt Dickens hit over 60 universities worldwide

Recently fixed WinRAR bug actively exploited in the wild

Emotet operators are running Halloween-themed campaigns

Evilnum APT used Python-based RAT PyVil in recent attacks

Severe bug in LibreOffice and OpenOffice suites allows remote code execution

Crooks target Healthcare facilities involved in Coronavirus containment with Ransomware

New Gallmaker APT group eschews malware in cyber espionage campaigns

The Long Run of Shade Ransomware

Thousands of applications affected by a zero-day issue in jQuery File Upload plugin

CrowdStrike uncovered a new campaign of GOBLIN PANDA APT aimed at Vietnam

BlackSquid malware uses multiple exploits to drop cryptocurrency miners

ATMitch: New Evidence Spotted In The Wild

Dissecting the latest Ursnif DHL-Themed Campaign

JSWorm: The 4th Version of the Infamous Ransomware

New Cyber Operation Targets Italy: Digging Into the Netwire Attack Chain

[SI-LAB] FlawedAmmyy Leveraging Undetected XLM Macros as an Infection Vehicle

A new trojan Lampion targets Portugal

WinRAR CVE-2018-20250 flaw exploited in multiple campaigns

New release of Lampion trojan spreads in Portugal with some improvements on the VBS downloader

Stay Connected