Security Affairs

MARCH 11, 2023

” reads the analysis published by ASEC. The PlugX backdoor has been used since 2008 by multiple China-linked APT groups, including Mustang Panda , Winnti , and APT41 In the attacks observed by ASEC, once exploited the vulnerability, threat actors executed a PowerShell command to create a file named esetservice.exe.

File names 92

File names Security IT Information Security 92

Security Affairs

FEBRUARY 10, 2024

The researchers noticed that the backdoor contained a plist file named ‘test’. The analysis of artifacts and IoCs revealed a possible link with the BlackBasta and (ALPHV/BlackCat) ransomware operation. “We identified multiple variants of the embedded Apple script, but all of them are meant for data exfiltration.”

Ransomware 121

Ransomware File names Passwords IT 121

Security Affairs

MAY 31, 2023

Further analysis revealed that this behavior is present in hundreds of models of Gigabyte PCs. ” reads the analysis from Eclypsium. Upon analyzing of the impacted UEFI firmware, the researchers identified a file named File Name: 8ccbee6f7858ac6b92ce23594c9e2563ebcef59414b5ac13ebebde0c715971b2.bin

File names 96

File names Risk Passwords Security 96

Security Affairs

MARCH 17, 2024

.” Threat actors used this MSI installer to unpack the next stage using the password “LBjWCsXKUz1Gwhg” The resulting file is named Installer-Ultimate_v4.3e.9b.exe. The analysis of the content used to inflate the file allowed the researcher to determine its actual size of 3.43

Passwords 109

Passwords File names Archiving Cybersecurity 109

Security Affairs

MARCH 17, 2022

The malware was first spotted on February 9, 2022, when 360Netlab’s honeypot system captured an unknown ELF file that was spreading by exploiting the Log4J vulnerability. The name B1txor20 is based on the file name “b1t” used for the propagation and the XOR encryption algorithm, and the RC4 algorithm key length of 20 bytes.

Honeypots 131

Honeypots File names Communications Encryption 131

Security Affairs

APRIL 2, 2020

” reads the analysis published by the experts. Upon execution, the wiper drops a series of helper files into a temporary folder, including a BAT file named “coronovirus Installer,” which is responsible for most of the setup work. The BAT file creates a hidden folder named COVID-19, then move the dropped files to it.

File names 114

File names Access IT Security 114

Security Affairs

MARCH 19, 2022

In August 2021, IBM X-Force researchers conducted a new analysis of an old variant of the threat that unlike the one analyzed by Fortinet experts appears to be a development version used for testing purposes. The analysis conducted by IBM X-Force researchers reinforced the link between Diavol ransomware and the TrickBot malware. .

Ransomware 93

Ransomware File names Encryption Cybersecurity 93

Security Affairs

NOVEMBER 26, 2019

Layers of obfuscation, encryption, and the use of randomized file names hid the installation process. ”reads the analysis published by Microsoft. Polymorphic techniques involve frequently changing identifiable characteristics like file names and types, encryption keys and other artifacts.

File names 126

File names Encryption Mining Security 126

Security Affairs

OCTOBER 22, 2023

.” A Vietnamese group observed by the researchers used very similar lures and delivery methods in different attacks attempting to deliver: DarkGate Ducktail Lobshot Redline stealer The attack chain began with the download of a file named “Salary and new products.8.4.zip” zip” and the execution of the content.

File names 109

File names Archiving IT Access 109

Security Affairs

AUGUST 18, 2023

Each of the archives we were able to retrieve consists of a legitimate executable vulnerable to DLL search order hijacking, a malicious DLL that gets sideloaded by the executable when started, and an encrypted data file named agent.data.” ” reads the analysis published by SentinelOne. IP-based geolocation service.

Archiving 95

Archiving File names Encryption Passwords 95

Security Affairs

MARCH 26, 2021

Accenture security researchers published an analysis of the latest Hades campaign, which is ongoing since at least December 2020. . Experts noticed that each Hades ransomware sample uses a different extension to files that it encrypts and drops a ransom note with file name “HOW-TO-DECRYPT-[extension].txt”.

Ransomware 142

Ransomware Encryption File names Manufacturing 142

Security Affairs

APRIL 18, 2021

“The attack begins with a PowerShell command to retrieve a file named win_r.zip from another compromised server’s Outlook Web Access logon path (/owa/auth).” ” reads the analysis published by Sophos. The unknown attacker is attempting to deliver a payload which is being hosted on a compromised Exchange server.

File names 80

File names Archiving Passwords Communications 80

Security Affairs

FEBRUARY 17, 2022

The file writes data to the Windows registry, installs DLL files and creates shortcut links that allow the program to self-administer. ” reads the analysis published by Avanan. “In this attack brief, Avanan will analyze how these.exe files are being used by hackers in Microsoft Teams.”

File names 142

File names Phishing Data breaches Access 142

Security Affairs

NOVEMBER 5, 2020

” reads the analysis published by Sophos. Each attack type is connected by the same program database (PDB) path, and some of the samples recorded and connected to the cybercriminals contain the folder name ‘KilllSomeOne.’ “In both of these cases, the payload is stored in the file named Groza_1.dat.

File names 108

File names Encryption Libraries IT 108

Security Affairs

OCTOBER 18, 2022

” reads the analysis published by Symantec. To prevent analysis, the malware also cleans up created artifacts, overwriting the content of the dropped wlbsctrl.dll file before deleting it. Spyder Loader is a sophisticated modular backdoor that according to the experts is under continuous evolution.

File names 111

File names Encryption Manufacturing Libraries 111

Security Affairs

MARCH 26, 2021

The researchers shared a detailed analysis on Security Affairs , they explained that once the malware has infected a Windows machine, it overwrites the existing Master Boot Record, with a custom MBR and encrypts the hard drive using the DiskCryptor tool. DiskCryptor is not inherently malicious but has been weaponized.”

Ransomware 144

Ransomware Encryption File names Passwords 144

Security Affairs

JULY 8, 2023

” reads the analysis published by Proofpoint. At the provided URL, a password-encrypted.rar file named “Abraham Accords & MENA.rar” was hosted. The.rar archive contained a dropper named “Abraham Accords & MENA.pdf.lnk.” ” continues the analysis.

Archiving 96

Archiving Cloud File names Metadata 96

Security Affairs

JULY 28, 2021

In the attacks investigated by Palo Alto Networks, the APT group leveraged legitimate executables such as BITSAdmin to download an innocuous file named Aro.dat from a GitHub repository under the control of the threat actors. The analysis of the file revealed that it includes the encrypted and compressed PlugX payload.

Encryption 109

Encryption File names Communications IT 109

Security Affairs

FEBRUARY 8, 2023

Upon execution, the downloader will check against a blacklist of malware analysis tools by checking for running processes’ specific names (i.e. It creates temporary files with the “ lock” and “ trash” extensions. The downloader contains hardcoded C2 server addresses.

File names 86

File names Passwords Phishing Encryption 86

Security Affairs

JUNE 5, 2021

. “Based on the analysis, the Cyble research team found that Nucleus Software is the first victim of the BlackCocaine ransomware group.” ” reads the post published by Cyble.

Ransomware 129

Ransomware Encryption File names Financial Services 129

Security Affairs

SEPTEMBER 10, 2020

” reads the analysis published by ESET. ” continues the analysis. The analysis of the source code of the malware revealed that it access tables in the DB that contain logs of system events, information about VoIP gateways, and call metadata. The CDRThief can start from any location on the disk, using any file name.

Metadata 121

Metadata Encryption File names Passwords 121

Security Affairs

JULY 24, 2021

Experts also discovered that the malware targets files created with the Ichitaro Japanese word processor , a circumstance that suggests it was developed to target Japanese users. The malware also implements evasion and anti-analysis capabilities to prevent the malicious code from being analyzed. associated with the Tokyo Olympics.exe.”

File names 139

File names Access Security IT 139

Security Affairs

DECEMBER 27, 2018

” In the attempt to deceive the victims, attackers used the internal file name “Baidu PC Faster” and the “Baidu WiFi Hotspot Setup” in the description of the file. ” reads the analysis published by Anomali Labs.

File names 96

File names IT Security 96

Security Affairs

MARCH 8, 2022

Google Threat Analysis Group (TAG), which focuses on the analysis of nation-state threat actors, revealed to have blocked attacks against hundreds of Ukrainians conducted by Belarus and Russian state-sponsored hackers.

Military 97

Military Phishing File names Government 97

Security Affairs

MARCH 17, 2020

The website was distributing a file named WSHSetup.exe, it is the downloader for both the CoronaVirus Ransomware and the Kpot password-stealer. Upon execution, the executable will attempt to download several files from a remote web site, at the time of the analysis, only a few of them were available.

Ransomware 98

Ransomware Passwords File names Encryption 98

Security Affairs

JUNE 3, 2023

ReadMe file name: README.BlackSuit.txt. ” reads the analysis published by TrendMicro. similarities in jumps based on BinDiff, a comparison tool for binary files.” In May, multiple cybersecurity experts spotted a new ransomware family called BlackSuit, including Palo Alto Unit42 experts. Extension: blacksuit.

Ransomware 97

Ransomware Encryption File names Cybersecurity 97

Security Affairs

MARCH 3, 2020

Technical Analysis. Hash 757dfeacabf4c2f771147159d26117818354af14050e6ba42cc00f4a3d58e51f Threat Kimsuky loader Brief Description Scr file, initial loader Ssdeep 12288:APWcT1z2aKqkP/mANd2JiEWKZ52zfeCkIAYfLeXcj6uuLl:uhT1z4q030JigZUaULeXc3uLl. Figure 2: Written file (AutoUpdate.dll) in the “%AppData%LocalTemp” path.

IT 130

IT File names Libraries Communications 130

Security Affairs

MAY 14, 2021

The file named Magento.png attempts to pass itself as ‘image/png’ but does not have the proper PNG format for a valid image file.” ” reads the analysis published by Malwarebytes. Threat actors edited the shortcut icon tags with a path to the fake PNG file. ” concludes the analysis.

File names 104

File names Cybersecurity Security Access 104

Security Affairs

SEPTEMBER 17, 2020

” reads the analysis published by Sophos. In the two attempts blocked by the Sophos end-point, the Maze operators attempted to launch various ransomware executables using scheduled tasks named ‘Windows Update Security,’ or ‘Windows Update Security Patches,’ or ‘Google Chrome Security Update.’

Ransomware 144

Ransomware Encryption File names Security 144

Security Affairs

FEBRUARY 16, 2021

” The analysis of the app’s code revealed that that potentially any app can can call the startActivity() function through the broadcast receiver as “com.lenovo.anyshare.app.DefaultReceiver.” ” continues the analysis. In this case, all files in the /data/data/<package> folder can be freely accessed.”

File names 84

File names Access Ransomware IT 84

Security Affairs

JULY 15, 2022

This step ensures that these processes do not block access to the files to be encrypted.” ” reads the analysis published by Cyble. “The ransomware searches for files to encrypt on the local system by enumerating the file directories using FindFirstFileW() and FindNextFileW() API functions.

Ransomware 123

Ransomware Encryption File names Risk 123

Security Affairs

MARCH 1, 2021

” reads the analysis published by researchers Gabor Szappanos and Andrew Brandt from Sophos. ” continues the analysis. file is the initial infector, and the only stage of the infection at which a malicious file is written to the filesystem. “This.js

Search queries 112

Search queries CMS Ransomware File names 112

Security Affairs

MAY 26, 2023

The infection chain commenced with spear phishing messages using a zip file named Brochure.zip in attachment. ” reads the analysis published by Fortinet. ” The backdoor connects to the Exchange server and sends the computer name, base64-encoded, to a mailbox to indicate it’s running.

Communications 93

Communications File names Archiving Phishing 93

Security Affairs

MARCH 30, 2023

The company started distributing digitally signed Trojanized installers to its customers “The trojanized 3CXDesktopApp is the first stage in a multi-stage attack chain that pulls ICO files appended with base64 data from Github and ultimately leads to a 3rd stage infostealer DLL still being analyzed as of the time of writing.”

File names 91

File names Manufacturing Libraries Cybersecurity 91

Security Affairs

FEBRUARY 16, 2022

” continues the analysis. Experts shared a PoC to create a new file named “hacked” on the Cassandra server. . “When the option is set to false, all invoked UDF functions run in the Cassandra daemon thread, which has a security manager with some permissions. Apache released versions 3.0.26 , 3.11.12 , and 4.0.2

File names 88

File names Security Access IT 88

Security Affairs

JUNE 9, 2023

PowerPlus is used to run two commands, one of them to maintain persistence and the other for querying details about the task into a file named DRSch. Finally, our analysis revealed a connection to the previously exposed “Eye on the Nile” campaign.” The process involves the use of a watchdog as an update mechanism.

File names 91

File names Phishing IT Security 91

Security Affairs

FEBRUARY 26, 2020

In this case, based on the analysis of the shared IoC, all the identified samples are not new and were reused with some small changes. Technical Analysis. Our analysis, therefore, begins with the executable recovered from the Yomi Sandbox. Figure 4: Piece of the encrypted file downloaded from “share.]dmca.]gripe”.

File names 116

File names Communications Encryption IT 116