Analysis, File names and Information Security - Information Management Today

North Korea-linked Kimsuky APT attack targets victims via Messenger

Security Affairs

MAY 17, 2024

Researchers at Genius Security Center (GSC) identified a new attack strategy by the North Korea-linked Kimsuky APT group and collaborated with the Korea Internet & Security Agency (KISA) for analysis and response. ” reads the analysis. If the victims launch it the multi-stage attack chain starts.

File names

File names Phishing Communications Security

PoC exploit code for critical Fortinet FortiNAC bug released online

Security Affairs

FEBRUARY 21, 2023

The two vulnerabilities, tracked as CVE-2022-39952 and CVE-2021-42756 , are respectively an external control of file name or path in Fortinet FortiNAC and a collection of stack-based buffer overflow issues in the proxy daemon of FortiWeb. is an external control of file name or path in the keyUpload scriptlet of FortiNAC.

File names

File names Archiving Access Cybersecurity

Qakbot operations continue to evolve to avoid detection

Security Affairs

JULY 13, 2022

. “Most recently, threat actors have transformed their techniques to evade detection by using ZIP file extensions, enticing file names with common formats, and Excel (XLM) 4.0 ” reads the analysis published by Zscaler. ” continues the analysis. Compensation-1172258432-Feb-16.xlsb,

File names

File names Archiving Compliance IT

Webinars

Generative AI Deep Dive: Advancing from Proof of Concept to Production

MORE WEBINARS

Evil Telegram campaign: Trojanized Telegram apps found on Google Play

Security Affairs

SEPTEMBER 10, 2023

The malicious code hidden in the apps can harvest sensitive information from compromised Android devices. The apps can collect information about the user’s contacts, including IDs, nicknames, names, and phone numbers. The collected information is then encrypted and cached into a temporary file named tgsync.s3.

File names

File names Personal data Encryption Security

macOS Backdoor RustDoor likely linked to Alphv/BlackCat ransomware operations

Security Affairs

FEBRUARY 10, 2024

The researchers noticed that the backdoor contained a plist file named ‘test’. The analysis of artifacts and IoCs revealed a possible link with the BlackBasta and (ALPHV/BlackCat) ransomware operation. “We identified multiple variants of the embedded Apple script, but all of them are meant for data exfiltration.”

Ransomware

Ransomware File names Passwords IT

PlugX malware delivered by exploiting flaws in Chinese programs

Security Affairs

MARCH 11, 2023

” reads the analysis published by ASEC. The PlugX backdoor has been used since 2008 by multiple China-linked APT groups, including Mustang Panda , Winnti , and APT41 In the attacks observed by ASEC, once exploited the vulnerability, threat actors executed a PowerShell command to create a file named esetservice.exe.

File names

File names Security IT Information Security

Experts warn of backdoor-like behavior within Gigabyte systems

Security Affairs

MAY 31, 2023

Further analysis revealed that this behavior is present in hundreds of models of Gigabyte PCs. ” reads the analysis from Eclypsium. ” Firmware security firm Eclypsium said it first detected the anomaly in April 2023. .” Gigabyte has since acknowledged and addressed the issue.

File names

File names Risk Passwords Security

“gitgub” malware campaign targets Github users with RisePro info-stealer

Security Affairs

MARCH 17, 2024

.” Threat actors used this MSI installer to unpack the next stage using the password “LBjWCsXKUz1Gwhg” The resulting file is named Installer-Ultimate_v4.3e.9b.exe. The analysis of the content used to inflate the file allowed the researcher to determine its actual size of 3.43

Passwords

Passwords File names Archiving Cybersecurity

B1txor20 Linux botnet use DNS Tunnel and Log4J exploit

Security Affairs

MARCH 17, 2022

The malware was first spotted on February 9, 2022, when 360Netlab’s honeypot system captured an unknown ELF file that was spreading by exploiting the Log4J vulnerability. The name B1txor20 is based on the file name “b1t” used for the propagation and the XOR encryption algorithm, and the RC4 algorithm key length of 20 bytes.

Honeypots

Honeypots File names Communications Encryption

Emsisoft releases free decryptor for the victims of the Diavol ransomware

Security Affairs

MARCH 19, 2022

In August 2021, IBM X-Force researchers conducted a new analysis of an old variant of the threat that unlike the one analyzed by Fortinet experts appears to be a development version used for testing purposes. The analysis conducted by IBM X-Force researchers reinforced the link between Diavol ransomware and the TrickBot malware. .

Ransomware

Ransomware File names Encryption Cybersecurity

Microsoft warns of Dexphot miner, an interesting polymorphic threat

Security Affairs

NOVEMBER 26, 2019

. “The Dexphot attack used a variety of sophisticated methods to evade security solutions. Layers of obfuscation, encryption, and the use of randomized file names hid the installation process. ”reads the analysis published by Microsoft.

File names

File names Encryption Mining Security

Vietnamese threat actors linked to DarkGate malware campaign

Security Affairs

OCTOBER 22, 2023

.” A Vietnamese group observed by the researchers used very similar lures and delivery methods in different attacks attempting to deliver: DarkGate Ducktail Lobshot Redline stealer The attack chain began with the download of a file named “Salary and new products.8.4.zip” zip” and the execution of the content.

File names

File names Archiving IT Access

Threat actors leverage Microsoft Teams to spread malware

Security Affairs

FEBRUARY 17, 2022

The file writes data to the Windows registry, installs DLL files and creates shortcut links that allow the program to self-administer. ” reads the analysis published by Avanan. “In this attack brief, Avanan will analyze how these.exe files are being used by hackers in Microsoft Teams.”

File names

File names Phishing Data breaches Access

Hades ransomware gang targets big organizations in the US

Security Affairs

MARCH 26, 2021

Accenture security researchers published an analysis of the latest Hades campaign, which is ongoing since at least December 2020. . Experts noticed that each Hades ransomware sample uses a different extension to files that it encrypts and drops a ransom note with file name “HOW-TO-DECRYPT-[extension].txt”.

Ransomware

Ransomware Encryption File names Manufacturing

Bronze Starlight targets the Southeast Asian gambling sector

Security Affairs

AUGUST 18, 2023

Each of the archives we were able to retrieve consists of a legitimate executable vulnerable to DLL search order hijacking, a malicious DLL that gets sideloaded by the executable when started, and an encrypted data file named agent.data.” ” reads the analysis published by SentinelOne. IP-based geolocation service.

Archiving

Archiving File names Encryption Passwords

Monero Cryptocurrency campaign exploits ProxyLogon flaws

Security Affairs

APRIL 18, 2021

“The attack begins with a PowerShell command to retrieve a file named win_r.zip from another compromised server’s Outlook Web Access logon path (/owa/auth).” ” reads the analysis published by Sophos. The unknown attacker is attempting to deliver a payload which is being hosted on a compromised Exchange server.

File names

File names Archiving Passwords Communications

China-linked APT41 group targets Hong Kong with Spyder Loader

Security Affairs

OCTOBER 18, 2022

” reads the analysis published by Symantec. To prevent analysis, the malware also cleans up created artifacts, overwriting the content of the dropped wlbsctrl.dll file before deleting it. Spyder Loader is a sophisticated modular backdoor that according to the experts is under continuous evolution.

File names

File names Encryption Manufacturing Libraries

FBI published a flash alert on Mamba Ransomware attacks

Security Affairs

MARCH 26, 2021

The researchers shared a detailed analysis on Security Affairs , they explained that once the malware has infected a Windows machine, it overwrites the existing Master Boot Record, with a custom MBR and encrypts the hard drive using the DiskCryptor tool. DiskCryptor is not inherently malicious but has been weaponized.”

Ransomware

Ransomware Encryption File names Passwords

Chinese cyberspies used a new PlugX variant, dubbed THOR, in attacks against MS Exchange Servers

Security Affairs

JULY 28, 2021

In the attacks investigated by Palo Alto Networks, the APT group leveraged legitimate executables such as BITSAdmin to download an innocuous file named Aro.dat from a GitHub repository under the control of the threat actors. The analysis of the file revealed that it includes the encrypted and compressed PlugX payload.

Encryption

Encryption File names Communications IT

Iran-linked APT TA453 targets Windows and macOS systems

Security Affairs

JULY 8, 2023

” reads the analysis published by Proofpoint. At the provided URL, a password-encrypted.rar file named “Abraham Accords & MENA.rar” was hosted. The.rar archive contained a dropper named “Abraham Accords & MENA.pdf.lnk.” ” continues the analysis.

Archiving

Archiving Cloud File names Metadata

New Graphiron info-stealer used in attacks against Ukraine

Security Affairs

FEBRUARY 8, 2023

Upon execution, the downloader will check against a blacklist of malware analysis tools by checking for running processes’ specific names (i.e. It creates temporary files with the “ lock” and “ trash” extensions. The downloader contains hardcoded C2 server addresses.

File names

File names Passwords Phishing Encryption

BlackCocaine Ransomware, a new malware in the threat landscape

Security Affairs

JUNE 5, 2021

. “Based on the analysis, the Cyble research team found that Nucleus Software is the first victim of the BlackCocaine ransomware group.” ” reads the post published by Cyble.

Ransomware

Ransomware Encryption File names Financial Services

Japanese computers hit by a wiper malware ahead of 2021 Tokyo Olympics

Security Affairs

JULY 24, 2021

Experts also discovered that the malware targets files created with the Ichitaro Japanese word processor , a circumstance that suggests it was developed to target Japanese users. The malware also implements evasion and anti-analysis capabilities to prevent the malicious code from being analyzed. associated with the Tokyo Olympics.exe.”

File names

File names Access Security IT

CDRThief Linux malware steals VoIP metadata from Linux softswitches

Security Affairs

SEPTEMBER 10, 2020

” reads the analysis published by ESET. ” continues the analysis. The analysis of the source code of the malware revealed that it access tables in the DB that contain logs of system events, information about VoIP gateways, and call metadata. ” concludes the analysis. run/callservice.pid'. .

Metadata

Metadata Encryption File names Passwords

Google TAG: Russia, Belarus-linked APTs targeted Ukraine

Security Affairs

MARCH 8, 2022

Google Threat Analysis Group (TAG), which focuses on the analysis of nation-state threat actors, revealed to have blocked attacks against hundreds of Ukrainians conducted by Belarus and Russian state-sponsored hackers.

Military

Military Phishing File names Government

Attackers use a new CoronaVirus Ransomware to cover Kpot Infostealer infections

Security Affairs

MARCH 17, 2020

The website was distributing a file named WSHSetup.exe, it is the downloader for both the CoronaVirus Ransomware and the Kpot password-stealer. Upon execution, the executable will attempt to download several files from a remote web site, at the time of the analysis, only a few of them were available.

Ransomware

Ransomware Passwords File names Encryption

New Linux Ransomware BlackSuit is similar to Royal ransomware

Security Affairs

JUNE 3, 2023

ReadMe file name: README.BlackSuit.txt. ” reads the analysis published by TrendMicro. similarities in jumps based on BinDiff, a comparison tool for binary files.” In May, multiple cybersecurity experts spotted a new ransomware family called BlackSuit, including Palo Alto Unit42 experts. Extension: blacksuit.

Ransomware

Ransomware Encryption File names Cybersecurity

Maze ransomware uses Ragnar Locker virtual machine technique

Security Affairs

SEPTEMBER 17, 2020

” reads the analysis published by Sophos. In the two attempts blocked by the Sophos end-point, the Maze operators attempted to launch various ransomware executables using scheduled tasks named ‘Windows Update Security,’ or ‘Windows Update Security Patches,’ or ‘Google Chrome Security Update.’

Ransomware

Ransomware Encryption File names Security

RedAlert, LILITH, and 0mega, 3 new ransomware in the wild

Security Affairs

JULY 15, 2022

This step ensures that these processes do not block access to the files to be encrypted.” ” reads the analysis published by Cyble. “The ransomware searches for files to encrypt on the local system by enumerating the file directories using FindFirstFileW() and FindNextFileW() API functions.

Ransomware

Ransomware Encryption File names Risk

The North Korean Kimsuky APT threatens South Korea evolving its TTPs

Security Affairs

MARCH 3, 2020

Technical Analysis. Hash 757dfeacabf4c2f771147159d26117818354af14050e6ba42cc00f4a3d58e51f Threat Kimsuky loader Brief Description Scr file, initial loader Ssdeep 12288:APWcT1z2aKqkP/mANd2JiEWKZ52zfeCkIAYfLeXcj6uuLl:uhT1z4q030JigZUaULeXc3uLl. Table 1: Information about initial loader with.scr extension. hwp” extension.

IT

IT File names Libraries Communications

Gootkit delivery platform Gootloader used to deliver additional payloads

Security Affairs

MARCH 1, 2021

” reads the analysis published by researchers Gabor Szappanos and Andrew Brandt from Sophos. ” continues the analysis. file is the initial infector, and the only stage of the infection at which a malicious file is written to the filesystem. “This.js

Search queries

Search queries CMS Ransomware File names

Magecart gang hides PHP-based web shells in favicons

Security Affairs

MAY 14, 2021

The file named Magento.png attempts to pass itself as ‘image/png’ but does not have the proper PNG format for a valid image file.” ” reads the analysis published by Malwarebytes. Threat actors edited the shortcut icon tags with a path to the fake PNG file. ” concludes the analysis.

File names

File names Cybersecurity Security Access

New PowerExchange Backdoor linked to an Iranian APT group

Security Affairs

MAY 26, 2023

The infection chain commenced with spear phishing messages using a zip file named Brochure.zip in attachment. ” reads the analysis published by Fortinet. ” The backdoor connects to the Exchange server and sends the computer name, base64-encoded, to a mailbox to indicate it’s running.

Communications

Communications File names Archiving Phishing

3CX voice and video conferencing software victim of a supply chain attack

Security Affairs

MARCH 30, 2023

The company started distributing digitally signed Trojanized installers to its customers “The trojanized 3CXDesktopApp is the first stage in a multi-stage attack chain that pulls ICO files appended with base64 data from Github and ultimately leads to a 3rd stage infostealer DLL still being analyzed as of the time of writing.”

File names

File names Manufacturing Libraries Cybersecurity

Popular SHAREit app is affected by severe flaws yet to be fixed

Security Affairs

FEBRUARY 16, 2021

” The analysis of the app’s code revealed that that potentially any app can can call the startActivity() function through the broadcast receiver as “com.lenovo.anyshare.app.DefaultReceiver.” ” continues the analysis. In this case, all files in the /data/data/<package> folder can be freely accessed.”

File names

File names Access Ransomware IT

Stealth Soldier backdoor used is targeted espionage attacks in Libya

Security Affairs

JUNE 9, 2023

PowerPlus is used to run two commands, one of them to maintain persistence and the other for querying details about the task into a file named DRSch. Finally, our analysis revealed a connection to the previously exposed “Eye on the Nile” campaign.” The process involves the use of a watchdog as an update mechanism.

File names

File names Phishing IT Security

New Cyber Attack Campaign Leverages the COVID-19 Infodemic

Security Affairs

FEBRUARY 26, 2020

In this case, based on the analysis of the shared IoC, all the identified samples are not new and were reused with some small changes. Technical Analysis. However, detailed information about the vector used to spread the malware are unknown. Our analysis, therefore, begins with the executable recovered from the Yomi Sandbox.

File names

File names Communications Encryption IT

Experts disclose details of Apache Cassandra DB RCE

Security Affairs

FEBRUARY 16, 2022

. “When the option is set to false, all invoked UDF functions run in the Cassandra daemon thread, which has a security manager with some permissions. ” continues the analysis. Experts shared a PoC to create a new file named “hacked” on the Cassandra server.

File names

File names Security Access IT

China-linked threat actors are targeting the government of Ukraine

Security Affairs

MARCH 18, 2022

Google’s Threat Analysis Group (TAG) researchers uncovered cyberespionage operations conducted by the Chinese People’s Liberation Army (PLA) and other China-linked APT groups and that targeted Ukraine’s government to gather info on the ongoing conflict.

Government

Government File names Phishing Security

Cisco confirms that data leaked by the Yanluowang ransomware gang were stolen from its systems

Security Affairs

SEPTEMBER 12, 2022

. “On September 11, 2022, the bad actors who previously published a list of file names from this security incident to the dark web, posted the actual contents of the same files to the same location on the dark web. The content of these files match what we already identified and disclosed.”

Ransomware

Ransomware IT Authentication File names

Korean cybersecurity agency released a free decryptor for Hive ransomware

Security Affairs

JUNE 30, 2022

We were able to recover the master key for generating the file encryption key without the attacker’s private key, by using a cryptographic vulnerability identified through analysis. As a result of our experiments, encrypted files were successfully decrypted using the recovered master key based on our mechanism.”

Ransomware

Ransomware Cybersecurity Encryption Blockchain

SolarWinds Attack: Microsoft sheds lights into Solorigate second-stage activation

Security Affairs

JANUARY 21, 2021

The new analysis shad lights on the handover from the Solorigate DLL backdoor to the Cobalt Strike loader. The experts conducted a deep analysis of data collected by Microsoft 365 Defender data and Microsoft Defender telemetry. Microsoft published a new report that includes additional details of the SolarWinds supply chain attack.

File names

File names Metadata Data collection Security

Xenomorph malware is back after months of hiatus and expands the list of targets

Security Affairs

SEPTEMBER 26, 2023

The banking Trojan was used to target 56 European banks and steal sensitive information from the devices of their customers. The analysis of the code revealed the presence of not implemented features and the large amount of logging present, a circumstance that suggests that this threat is under active development. .

Phishing

Phishing File names Manufacturing IT

Threat actors leverages DLL-SideLoading to spread Qakbot malware

Security Affairs

JULY 26, 2022

The code will load any DLL with the same name if placed in the same folder as the Calc.exe executable resulting in the execution of a malicious DLL. “In this case, the application is calc.exe, and the malicious file named WindowsCodecs.dll masquerades as a support file for calc.exe.”

Passwords

Passwords File names Libraries Security

North Korea-linked Kimsuky APT attack targets victims via Messenger

PoC exploit code for critical Fortinet FortiNAC bug released online

Webinars

Trending Sources

Qakbot operations continue to evolve to avoid detection

Webinars

Evil Telegram campaign: Trojanized Telegram apps found on Google Play

macOS Backdoor RustDoor likely linked to Alphv/BlackCat ransomware operations

PlugX malware delivered by exploiting flaws in Chinese programs

Experts warn of backdoor-like behavior within Gigabyte systems

“gitgub” malware campaign targets Github users with RisePro info-stealer

B1txor20 Linux botnet use DNS Tunnel and Log4J exploit

Emsisoft releases free decryptor for the victims of the Diavol ransomware

Microsoft warns of Dexphot miner, an interesting polymorphic threat

Vietnamese threat actors linked to DarkGate malware campaign

Threat actors leverage Microsoft Teams to spread malware

Hades ransomware gang targets big organizations in the US

Bronze Starlight targets the Southeast Asian gambling sector

Monero Cryptocurrency campaign exploits ProxyLogon flaws

China-linked APT41 group targets Hong Kong with Spyder Loader

FBI published a flash alert on Mamba Ransomware attacks

Chinese cyberspies used a new PlugX variant, dubbed THOR, in attacks against MS Exchange Servers

Iran-linked APT TA453 targets Windows and macOS systems

New Graphiron info-stealer used in attacks against Ukraine

BlackCocaine Ransomware, a new malware in the threat landscape

Japanese computers hit by a wiper malware ahead of 2021 Tokyo Olympics

CDRThief Linux malware steals VoIP metadata from Linux softswitches

Google TAG: Russia, Belarus-linked APTs targeted Ukraine

Attackers use a new CoronaVirus Ransomware to cover Kpot Infostealer infections

New Linux Ransomware BlackSuit is similar to Royal ransomware

Maze ransomware uses Ragnar Locker virtual machine technique

RedAlert, LILITH, and 0mega, 3 new ransomware in the wild

The North Korean Kimsuky APT threatens South Korea evolving its TTPs

Gootkit delivery platform Gootloader used to deliver additional payloads

Magecart gang hides PHP-based web shells in favicons

New PowerExchange Backdoor linked to an Iranian APT group

3CX voice and video conferencing software victim of a supply chain attack

Popular SHAREit app is affected by severe flaws yet to be fixed

Stealth Soldier backdoor used is targeted espionage attacks in Libya

New Cyber Attack Campaign Leverages the COVID-19 Infodemic

Experts disclose details of Apache Cassandra DB RCE

China-linked threat actors are targeting the government of Ukraine

Cisco confirms that data leaked by the Yanluowang ransomware gang were stolen from its systems

Korean cybersecurity agency released a free decryptor for Hive ransomware

SolarWinds Attack: Microsoft sheds lights into Solorigate second-stage activation

Xenomorph malware is back after months of hiatus and expands the list of targets

Threat actors leverages DLL-SideLoading to spread Qakbot malware

Stay Connected