Security Affairs

OCTOBER 18, 2022

. “We also saw Mimikatz being executed on victim networks, as well as a Trojanized ZLib DLL that had multiple malicious exports, one of which appeared to be waiting for communication from a command-and-control (C&C) server, while the other would load a payload from the provided file name in the command-line.”

File names 112

File names Encryption Manufacturing Libraries 112

Security Affairs

FEBRUARY 17, 2022

. “Most employees have been trained to second-guess identities in email, but few know how to make sure that the name and photo they see in a Teams conversation are real. It is simple to edit a profile and become most anyone you like. ” concludes the report. Follow me on Twitter: @securityaffairs and Facebook. Pierluigi Paganini.

File names 143

File names Phishing Data breaches Access 143

Security Affairs

JUNE 3, 2023

According to government experts, the Royal ransomware attacks targeted numerous critical infrastructure sectors including, manufacturing, communications, healthcare and public healthcare (HPH), and education. ReadMe file name: README.BlackSuit.txt. New #ransomware #BlackSuit targets Windows, #Linux. Extension: blacksuit.

Ransomware 95

Ransomware Encryption File names Cybersecurity 95

Security Affairs

FEBRUARY 26, 2020

Figure 4: Piece of the encrypted file downloaded from “share.]dmca.]gripe”. Inside it, two files named “filename1.vbs” Figure 5: Installed files. The content of the VBScript is straightforward: it simply is the launching point to run executable file. Figure 10: Piece of network communication intercepted.

File names 117

File names Communications Encryption IT 117

Security Affairs

JANUARY 12, 2022

The new variant discovered by Fortinet has the file name “Omicron Stats.exe,” threat actors are attempting to exploit the enormous interest on a global scale on the COVID-19 Omicron variant. Over the course of the few weeks after this variant was released, we noticed one IP address in particular communicating with this C2 server.”

Manufacturing 135

Manufacturing File names Archiving Encryption 135

eSecurity Planet

JULY 1, 2022

The goal is to pivot from the router to workstations in the targeted network, where other RATs will be deployed to establish persistent and undetected communication channels (C2 servers). For now, the advanced persistent threat (APT) group behind the campaign remains unknown.

File names 117

File names Access Communications Security 117

Security Affairs

MARCH 18, 2022

Upon executing the core component, the malware first checks if its executable file name starts with “[k” If it does not, it performs the following routine: It redirects both stdout and stderr file descriptors to /dev/null. It sets the default handlers for SIGTERM, SIGINT, SIGBUS, SIGPIPE, and SIGIO signals.

IoT 96

IoT Military File names Communications 96

Security Affairs

JULY 28, 2021

In the attacks investigated by Palo Alto Networks, the APT group leveraged legitimate executables such as BITSAdmin to download an innocuous file named Aro.dat from a GitHub repository under the control of the threat actors. The analysis of the file revealed that it includes the encrypted and compressed PlugX payload.

Encryption 111

Encryption File names Communications IT 111

Security Affairs

MAY 13, 2023

The CheckMate ransomware operators have been targeting the Server Message Block (SMB) communication protocol used for file sharing to compromise their victims’ networks. Once the attacker successfully logs in to a device, they encrypt data in shared folders and leave a ransom note with the file name “!CHECKMATE_DECRYPTION_README”

Ransomware 92

Ransomware Encryption Passwords File names 92

Security Affairs

JULY 14, 2021

. “The archive contains two malicious DLL libraries as well as two legitimate executables that sideload the DLL files. We found multiple archives like this with file names of government entities in Myanmar, for example “COVID-19 Case 12-11-2020(MOTC).rar” ” reads the analysis published by Kaspersky.

Archiving 98

Archiving File names Government Libraries 98

Security Affairs

MAY 10, 2023

exe ” and used the icon image associated with docx files. The executable is a self-contained archive that once executed will extract two files. One of the files is the bait document, while the other one is an HTA file named log extension with embedded VBScript code The HTA file contacts the C2 server to fetch a second-stage payload.

File names 91

File names Archiving Phishing Government 91

Security Affairs

SEPTEMBER 3, 2020

The malware communicates with the C2 communications via POST HTTP requests and uses RC4 encryption with a hardcoded key encoded with Base64. The new infection chain starts by including just one LNK file in the ZIP archive attached to spear-phishing messages. The PyVil RAT stores the malware settings (i.e.

Phishing 137

Phishing Encryption File names Metadata 137

Security Affairs

JANUARY 24, 2023

Crimew discovered a file named NoFly.csv which is a legitimate U.S. records (first names, last names, and dates of birth) belonging to people with suspected or known ties to terrorist groups. “three csv files, employee_information.csv, NOFLY.CSV and SELECTEE.CSV. no fly list from 2019 containing over 1.56

Archiving 92

Archiving File names Access Authentication 92

Security Affairs

MAY 23, 2023

“The fake Skype installer was a.NET executable file named skype32.exe exe that was approximately 400 MB in size. It was a dropper containing two resources: the JackalControl Trojan and a legitimate Skype for business standalone installer. .

File names 83

File names Government Communications IT 83

Security Affairs

NOVEMBER 17, 2020

FunnyDream is a custom-made backdoor that supports advanced persistence and communication capabilities, it was used by the APT group to gathering intelligence and data exfiltration. “The attackers used the backdoor prevalently as DLL files, but we observed an executable to be used as well.” ” continues the report.

Government 110

Government File names Communications Access 110

Security Affairs

MARCH 30, 2020

“Current malspam campaigns feature booby-trapped document files named “COVID 19 relief” and subject lines relying on the same theme. Sphinx’s targets have not changed from its past configuration files as it continues to focus on banks in the US, Canada, and Australia.” ” continues the post.”Next,

File names 103

File names Passwords Sales Authentication 103

Security Affairs

MARCH 3, 2020

Hash 757dfeacabf4c2f771147159d26117818354af14050e6ba42cc00f4a3d58e51f Threat Kimsuky loader Brief Description Scr file, initial loader Ssdeep 12288:APWcT1z2aKqkP/mANd2JiEWKZ52zfeCkIAYfLeXcj6uuLl:uhT1z4q030JigZUaULeXc3uLl. Figure 2: Written file (AutoUpdate.dll) in the “%AppData%LocalTemp” path. hwp” extension. Bypassing AV Detection.

IT 129

IT File names Libraries Communications 129

Security Affairs

MAY 19, 2021

” reads an update published by the Irish Department of the Environment, Climate and Communications. The malware involved in the attack is Conti Ransomware v3 (32 bit), which attempted to encrypt all files with the exception of the following file names: – CONTI_LOG.txt – readme.txt – *.FEEDC

Ransomware 88

Ransomware Encryption File names IoT 88

Security Affairs

MARCH 11, 2019

.” One of the variants analyzed by BleepingComputer encrypts data and appends the.promorad extension to encrypted files, then it creates ransom notes named _readme.txt as shown below. The Promorad Ransomware variant samples tested by the experts also download a file named 5.exe exe and executed it.

Encryption 86

Encryption Ransomware Passwords File names 86

Security Affairs

JUNE 15, 2019

“In this new attack, the threat actor first externally scans a given IP range by sending a TCP SYN packet to port 2375, the default port used for communicating with the Docker daemon.” “The output of this command is saved into a file named ips.txt, which is then fed into the Docker.exe file.

File names 94

File names Mining Access Communications 94

Security Affairs

APRIL 14, 2020

a United States defense research entity, a Turkish government agency managing public works, several large technology and communications firms headquartered in Canada, Germany, and the United Kingdom, and medical organizations/medical research facilities located in Japan and Canada). ” reads the analysis published by PaloAlto Networks.

Ransomware 117

Ransomware Phishing File names Encryption 117

Security Affairs

DECEMBER 17, 2019

The name Dacls comes from its file name and the hard-coded strings, the malware has a modular structure that could extend its capabilities by loading plugins. “With connection proxy, the number of target host connections can be reduced, and the communication between the target and the real C2 can be hidden.”

CMS 76

CMS File names Encryption Access 76

Security Affairs

MARCH 1, 2019

“This Gh0st RAT sample communicated with IP address 43 [. ] In all the cases, attackers deliver a WinRAR self-extracting (SFX) file that installs the SysUpdate stage 1 payload, that gains persistence and downloads and executes the second stage payload, SysUpdate Main. Windows NT 6.3; ” continues the analysis.

IT 79

IT File names Financial Services Communications 79

Security Affairs

NOVEMBER 20, 2018

” Cannon acts as a downloader and relies on emails to communicate with the C2 server and receive instructions. Hackers used weaponized files named ‘crash list (Lion Air Boeing 737).docx’ Once successfully executed, the macro will install a payload and save a document to the system.”

File names 79

File names Phishing Communications Government 79

Security Affairs

APRIL 28, 2020

The executed crypto miner is the file named “” kswapd0 ” based on the famous XMRIG monero crypto miner. It is composed only by three files: “ a”, “run”, “stop ”. They are three bash scripts, which we start to analyze: Figure 10: Content of the “a” script file. The initial script is the file named “ a ”.

Mining 102

Mining File names Honeypots IT 102

Security Affairs

MAY 18, 2021

On execution of the Simps binary, it drops a log file containing that the device has been infected with malware by Simps Botnet (see Figure 2). Figure 2: Dropped log file. Figure 3: C2 communication. Figure 10: keksec.infected.you.log file. The binary also connects to the C2 23.95.80[.]200 200 (see figure 3).

IoT 130

IoT File names Communications Security 130

IT Governance

NOVEMBER 17, 2022

Things got worse for Medibank after a second database was leaked , containing a file named “abortions”. A fourth file was then leaked, labelled “psychos”, which contained hundreds of claims from policyholders who have undergone mental health treatment. From bad to worse.

IT 107

IT Ransomware Security Data breaches 107

Security Affairs

JANUARY 9, 2020

The malware did not have an encryption/decryption routine for network communication a circumstance that suggest it was still under development. One victim was compromised by Windows AppleJeus malware in March 2019, experts determined that the infection started from a malicious file named WFCUpdater.exe.

File names 61

File names Encryption Authentication Communications 61

Security Affairs

MARCH 2, 2019

The first port is used to maintain communications between C2 and clients. Users who receive emails with xls files attached should be aware as that files can be an undetected vehicle spreading any kind of malware. File name: patent-2019-02-20T093A283A05-1.xls File name : 68131_46_20190219.doc

File names 86

File names Phishing Libraries IT 86

Security Affairs

MAY 7, 2019

The recent, unattended discovery of such kind of sample within the Info-Sec community led us to a deep dive into this particular malware tool, spearhead of a sophisticated cyber arsenal. The executable sample is a PE32 x86 file named “tester.exe”. Figure 5: “msxfs.dll”, library required by malware to communicate with ATM device.

Libraries 62

Libraries e-Discovery Communications File names 62

Security Affairs

MAY 29, 2019

Once the macro is executed, the malware downloads two files from “kentona[.su”, su”, using an SSL encrypted communication, and stores them in “C:UsersPublic” path: “ rtegre.exe ” and “ wprgxyeqd79.exe Only a small portion of this code is actually used to start the infection, the rest is just junk code. cloudflare[.com”

IT 69

IT Retail Archiving File names 69

Lenny Zeltser

MARCH 2, 2019

For example, for VMware you’d extract the files into a dedicated folder, then launch the file named “MSEdge – Win10.vmx” After downloading and extracting the archive, follow the steps appropriate for your virtualization software to start the VM. vmx” The Windows OS in this VM expires after 90 days.

File names 112

File names Access Archiving Passwords 112

The Texas Record

MAY 18, 2023

Strategies and methods could include, policies, procedures, training, communication channels, storage conditions, informal guidance, etc. Liaison A has reported a 62% rate of proper file names. We won’t have any communication with the liaison.

Records Management 40

Records Management Risk Access File names 40

Security Affairs

JULY 8, 2019

Surely the presence of an ISO file as attachment is suspicious, but for an unaware user it could go unnoticed, also thanks to the new Windows versions which natively support the filetype. Extracting the content of the ISO image, we encounter an EXE file named “po-ima0948436.exe”. Malware attempt to communicate.

File names 71

File names Encryption Archiving Phishing 71

Security Affairs

MARCH 17, 2020

The script creates a new file named “ pinumber.vbs ” and starts filling it with the instructions through the “echo” function appending the strings to the next vbs stage. An evidence about the presence of the malicious file hosted on the legit website is shown in the following figure: Figure 5: Communication with the DropUrl.

Archiving 129

Archiving Passwords Encryption IT 129

OneHub

AUGUST 17, 2021

Educate them on the issues that information silos are causing within your organization, and lay out the steps you plan to take to heal these divisions by increasing communication and cooperation. Address this head-on with your staff. Take time to outline common company goals with your team.

Cloud 52

Cloud File names Access Education 52

Security Affairs

DECEMBER 4, 2018

The second stage of the infection chain is the “ ppc.cab ” file downloaded by the dropper to the “ %APPDATA%Roaming ” location: it actually is a Microsoft Cabinet archive embedding an executable file named “ puk.exe ”. The network traffic generated by the iexplore.exe processes points to the remote destination 149.129.129.1

Archiving 75

Archiving File names Libraries Communications 75