Security Affairs

JUNE 26, 2021

IT back-office and communications systems, such as email have been taken offline at the time. We believe Hive to be a ransomware group, because it currently states the data to be “encrypted”, potentially suggesting that Altus Group is given an opportunity to pay itself out of further trouble. Here’s what we know.

Ransomware 120

Ransomware File names Archiving Encryption 120

Security Affairs

JULY 28, 2021

In the attacks investigated by Palo Alto Networks, the APT group leveraged legitimate executables such as BITSAdmin to download an innocuous file named Aro.dat from a GitHub repository under the control of the threat actors. The analysis of the file revealed that it includes the encrypted and compressed PlugX payload.

Encryption 111

Encryption File names Communications IT 111

Security Affairs

FEBRUARY 26, 2020

The file downloaded from this censorship free file hosting is actually a chunk of 125KB random looking bytes, suggesting it would likely be some binary payload protected with strong encryption. Figure 4: Piece of the encrypted file downloaded from “share.]dmca.]gripe”. Inside it, two files named “filename1.vbs”

File names 130

File names Communications Encryption IT 130

Security Affairs

JANUARY 12, 2022

The new variant discovered by Fortinet has the file name “Omicron Stats.exe,” threat actors are attempting to exploit the enormous interest on a global scale on the COVID-19 Omicron variant. Upon executing the Omicron Stats.exe, it unpacks resources encrypted with triple DES using ciphermode ECB and padding mode PKCS7.

Manufacturing 144

Manufacturing File names Archiving Encryption 144

Security Affairs

MAY 19, 2021

Conti ransomware also breached the network of Ireland’s Department of Health (DoH) but the ransomware failed to encrypt the systems. In a separate attack, the ransomware gang also breached the network of the country’s Department of Health (DoH) but failed to encrypt the systems of the organization.

Ransomware 96

Ransomware Encryption File names IoT 96

Security Affairs

SEPTEMBER 3, 2020

The malware communicates with the C2 communications via POST HTTP requests and uses RC4 encryption with a hardcoded key encoded with Base64. The new infection chain starts by including just one LNK file in the ZIP archive attached to spear-phishing messages. The PyVil RAT stores the malware settings (i.e.

Phishing 145

Phishing Encryption File names Metadata 145

Security Affairs

APRIL 14, 2020

a United States defense research entity, a Turkish government agency managing public works, several large technology and communications firms headquartered in Canada, Germany, and the United Kingdom, and medical organizations/medical research facilities located in Japan and Canada). ” reads the analysis published by PaloAlto Networks.

Ransomware 131

Ransomware Phishing File names Encryption 131

Security Affairs

DECEMBER 17, 2019

The name Dacls comes from its file name and the hard-coded strings, the malware has a modular structure that could extend its capabilities by loading plugins. Dacls Bot include command execution, file management, process management, test network access, C2 connection agent, and network scanning.

CMS 91

CMS File names Encryption Access 91

Security Affairs

JANUARY 9, 2020

The malware did not have an encryption/decryption routine for network communication a circumstance that suggest it was still under development. One victim was compromised by Windows AppleJeus malware in March 2019, experts determined that the infection started from a malicious file named WFCUpdater.exe.

File names 72

File names Encryption Authentication Communications 72

Security Affairs

JULY 8, 2019

Surely the presence of an ISO file as attachment is suspicious, but for an unaware user it could go unnoticed, also thanks to the new Windows versions which natively support the filetype. Extracting the content of the ISO image, we encounter an EXE file named “po-ima0948436.exe”. Encrypted payload, stored in Resource section.

File names 74

File names Encryption Archiving Phishing 74

Security Affairs

MAY 29, 2019

Once the macro is executed, the malware downloads two files from “kentona[.su”, su”, using an SSL encrypted communication, and stores them in “C:UsersPublic” path: “ rtegre.exe ” and “ wprgxyeqd79.exe Anyway, just before the kill loop, the real malicious payload is executed: the “ winserv.exe ” file. cloudflare[.com”

IT 77

IT Retail Archiving File names 77

Security Affairs

APRIL 28, 2020

The executed crypto miner is the file named “” kswapd0 ” based on the famous XMRIG monero crypto miner. It is composed only by three files: “ a”, “run”, “stop ”. They are three bash scripts, which we start to analyze: Figure 10: Content of the “a” script file. The initial script is the file named “ a ”.

Mining 108

Mining File names Honeypots IT 108

Security Affairs

MARCH 17, 2020

The script creates a new file named “ pinumber.vbs ” and starts filling it with the instructions through the “echo” function appending the strings to the next vbs stage. An evidence about the presence of the malicious file hosted on the legit website is shown in the following figure: Figure 5: Communication with the DropUrl.

Archiving 142

Archiving Passwords Encryption IT 142

Security Affairs

MARCH 2, 2019

The first port is used to maintain communications between C2 and clients. Users who receive emails with xls files attached should be aware as that files can be an undetected vehicle spreading any kind of malware. File name: patent-2019-02-20T093A283A05-1.xls File name : 68131_46_20190219.doc

File names 96

File names Phishing Libraries IT 96

Security Affairs

OCTOBER 28, 2019

According to VT history detection the same hash has been seen with at least three different names: educrety.exe , prestezza.exe and cardsharper.exe. ExifTools shows that prestezza.exe is the original file name while the project internal name is: cardsharper.exe.

Passwords 51

Passwords Encryption File names Military 51

Security Affairs

SEPTEMBER 13, 2023

According to Microsoft, the campaign aims at building capabilities that could disrupt critical communications infrastructure between the United States and Asia region in the case of future crises. Attackers also a Packerloader tool to load and execute shellcode, which is stored in a file in an encrypted form.

File names 123

File names Access Encryption Communications 123

Security Affairs

JULY 22, 2020

The main branch also has auxiliary modules that allow the Prometei botnet to communicate through TOR or I2P networks, to collect information about processes running on the system, check of open ports on target systems and to crawl the file systems in search for file names given as the argument to the module.

Mining 104

Mining File names Passwords Communications 104

Security Affairs

JULY 7, 2020

Figure 6: Deofuscated VBS file – Lampion trojan July 2020. Some parts of the code are highlighted in Figure 6 and described below: Function to generate random strings is used to generate arbitrary folders and file names. LNK files from the Windows startup folder. VBS files from the Windows startup folder.

Communications 113

Communications Cloud Phishing Encryption 113

Security Affairs

FEBRUARY 16, 2021

Also, the original file name and compilation date are different between the legitimate (left-side) and the malicious DLL (right-side). Javali trojan communicates with Google Docs files to obtain its configuration, including the address of the C2 server. Figure 20: Javali trojan – Delphi forms.

Libraries 123

Libraries Communications Phishing Encryption 123

eSecurity Planet

FEBRUARY 3, 2021

Presenting itself as a JPG file named “gracious_truth.jpg,” Teardrop is a memory-only dropper built to enter a network seamlessly and replace the embedded payload. Encryption. In an update to their Sunburst findings , FireEye touched on the part of an additional malware strain. Cloud Access Security Broker (CASB).

Cybersecurity 62

Cybersecurity Access Authentication Cloud 62

Security Affairs

AUGUST 31, 2018

My entire “Cyber adventure” began with a simple email within a.ZIP file named “Nuovo Documento1.zip” Stage1 was dropping and executing a brand new PE file named: rEOuvWkRP.exe (sha256: 92f59c431fbf79bf23cff65d0c4787d0b9e223493edc51a4bbd3c88a5b30b05c) using the bitsadmin.exe native Microsoft program.

Computer and Electronics 69

Computer and Electronics File names Security Access 69

Troy Hunt

MARCH 3, 2021

. — Troy Hunt (@troyhunt) March 2, 2021 If you're not familiar with hashing, how it's not the same as encryption and how it can still leave passwords vulnerable, read this primer from September first. This (almost always) identifies you, it's literally how people communicate with *you*!

Passwords 145

Passwords Data breaches Mining Risk 145