
Chinese actor ‘Unfading Sea Haze’ remained undetected for five years

Security Affairs

The messages use specially crafted archives containing LNK files disguised as regular documents. These archives mimicked the installation process of Microsoft Defender or exploited current US political issues. Upon receiving a request, it executes the encoded JavaScript code using the Microsoft.JScript library.


China-linked LuminousMoth APT targets entities from Southeast Asia

Security Affairs

The Dropbox link leads to a RAR archive that masquerades as a Word document by setting the “file_subpath” parameter to point to a filename with a .DOCX extension. “The archive contains two malicious DLL libraries as well as two legitimate executables that sideload the DLL files.


XMR crypto miner switches from arm IoT devices to X86/I686 Intel servers

Security Affairs

The malware attempts to connect via SSH on port 22 and delivers itself as a gzip archive. “The malware is uploaded as gzip compressed tarball archives of binaries, scripts, and libraries.” The expert discovered that the script executes init2, which is one of the files in the gzip archive, if the directory.


Stayin’ Alive campaign targets high-profile Asian government and telecom entities. Is it linked to ToddyCat APT?

Security Affairs

The threat actors leverage spear-phishing emails to deliver archive files that rely on DLL side-loading. The CurKeep payload is very small: it is 10kb in size, contains 26 functions and is not statically compiled with any library. CurKeep collects information about the infected machine.


Malware campaign hides a shellcode into Windows event logs

Security Affairs

“This launcher, dropped into the Tasks directory by the first stager, proxies all calls to wer.dll and its exports to the original legitimate library. The attack chain aims at distributing a .RAR archive from the legitimate site file.io,” continues the analysis. The threat actors also signed modules to avoid detection.


Evilnum APT used Python-based RAT PyVil in recent attacks

Security Affairs

The second layer of Python code decodes and loads into memory the main RAT and the imported libraries. The malware communicates with the C2 via HTTP POST requests and uses RC4 encryption with a hardcoded key encoded in Base64. The PyVil RAT stores the malware settings (i.e.


Exclusive: Pakistan and India to armaments: Operation Transparent Tribe is back 4 years later

Security Affairs

Analyzing these files, we have a VBS script, a C# script and a zip file; inside this archive we found 4 PE artifacts (Figure 5: Content of the “systemidleperf.zip” file). The two DLLs are legitimate Windows libraries and are used in support of the malicious behaviour (Figure 4: Extracted files). The SilentCMD Module.
