Communications, File names, Libraries and Security

Communications

File names

Libraries

Security

China-linked APT41 group targets Hong Kong with Spyder Loader

Security Affairs

OCTOBER 18, 2022

Like the sample analyzed by Cyberreason, the Spyder Loader sample analyzed by Symantec uses the CryptoPP C++ library. To prevent analysis, the malware also cleans up created artifacts, overwriting the content of the dropped wlbsctrl.dll file before deleting it. . ” continues the report. Pierluigi Paganini.

File names

File names Encryption Manufacturing Libraries

China-linked LuminousMoth APT targets entities from Southeast Asia

Security Affairs

JULY 14, 2021

. “The archive contains two malicious DLL libraries as well as two legitimate executables that sideload the DLL files. We found multiple archives like this with file names of government entities in Myanmar, for example “COVID-19 Case 12-11-2020(MOTC).rar” ” reads the analysis published by Kaspersky.

Archiving

Archiving File names Government Libraries

Join 55,000+

Insiders

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Trending Sources

The North Korean Kimsuky APT threatens South Korea evolving its TTPs

Security Affairs

MARCH 3, 2020

The Kimsuky APT group has been analyzed by several security teams. Hash 757dfeacabf4c2f771147159d26117818354af14050e6ba42cc00f4a3d58e51f Threat Kimsuky loader Brief Description Scr file, initial loader Ssdeep 12288:APWcT1z2aKqkP/mANd2JiEWKZ52zfeCkIAYfLeXcj6uuLl:uhT1z4q030JigZUaULeXc3uLl. Figure 1: tweet on 28 February 2020.

IT File names Libraries Communications

Evilnum APT used Python-based RAT PyVil in recent attacks

Security Affairs

SEPTEMBER 3, 2020

The second layer of Python code decodes and loads to memory the main RAT and the imported libraries. The malware communicates with the C2 communications via POST HTTP requests and uses RC4 encryption with a hardcoded key encoded with Base64. The PyVil RAT stores the malware settings (i.e. Pierluigi Paganini.

Phishing

Phishing Encryption File names Metadata

Crooks target Healthcare facilities involved in Coronavirus containment with Ransomware

Security Affairs

APRIL 14, 2020

a United States defense research entity, a Turkish government agency managing public works, several large technology and communications firms headquartered in Canada, Germany, and the United Kingdom, and medical organizations/medical research facilities located in Japan and Canada). ” reads the analysis published by PaloAlto Networks.

Ransomware

Ransomware Phishing File names Encryption

ATMitch: New Evidence Spotted In The Wild

Security Affairs

MAY 7, 2019

The recent, unattended discovery of such kind of sample within the Info-Sec community led us to a deep dive into this particular malware tool, spearhead of a sophisticated cyber arsenal. The executable sample is a PE32 x86 file named “tester.exe”. Figure 5: “msxfs.dll”, library required by malware to communicate with ATM device.

Libraries

Libraries e-Discovery Communications File names

[SI-LAB] FlawedAmmyy Leveraging Undetected XLM Macros as an Infection Vehicle

Security Affairs

MARCH 2, 2019

This is part of a giant list of Living off the Land (LOL) techniques that attackers employ to mask their activities from runtime endpoint security monitoring tools such as AVs. The first port is used to maintain communications between C2 and clients. File name: patent-2019-02-20T093A283A05-1.xls Technical Analysis.

File names

File names Phishing Libraries IT

Dissecting the latest Ursnif DHL-Themed Campaign

Security Affairs

DECEMBER 4, 2018

Security experts at Yoroi – Cybaze Z-Lab discovered a new variant of the infamous Ursnif malware targeted Italian users through a malspam campaign. The beaconing pattern recognized in the C2 communication is consistent with Gozi/Ursnif/IFSB/Dreambot malware variants. Introduction. Figure 6: C2 network traffic.

Archiving

Archiving File names Libraries Communications

A new trojan Lampion targets Portugal

Security Affairs

DECEMBER 29, 2019

A randomly named folder is created in the Windows AppData directory that will keep the malicious files. Figure 15: Some operations are performed, such as create folders on AppData and setting the default process security level with VBScript – (3/5). Two files are obtained from 2 AWS S3 buckets. At the moment, the file 0.zip

Passwords

Passwords e-Discovery IT Cleanup

Guarding Against Solorigate TTPs

eSecurity Planet

FEBRUARY 3, 2021

Since then, much has been learned about the tactics, techniques, and procedures (TTPs) deployed and what steps organizations are taking to harden their network and application security. Former Department of Homeland Security (DHS) officials noted “this could be an extremely serious breach of security.” federal agencies.

Cybersecurity

Cybersecurity Access Authentication Cloud

Latin American Javali trojan weaponizing Avira antivirus legitimate injector to implant malware

Security Affairs

FEBRUARY 16, 2021

dll: Windows legitimate DLL for runtime dependencies – MICROSOFT® C RUNTIME LIBRARY. dll: Windows legitimate DLL for runtime dependencies – MICROSOFT® C RUNTIME LIBRARY. Usually, executables using the side-by-side feature will have these resources located in the embedded manifest file. exe8CBB75FEBFB4B0B7C3B6D3613386220C.

Libraries

Libraries Communications Phishing Encryption

APT34: Glimpse project

Security Affairs

MAY 2, 2019

On April 19 2019 researchers at Chronicle, a security company owned by Google’s parent company, Alphabet, have examined the leaked tools , exfiltrated the past week on a Telegram channel, and confirmed that they are indeed the same ones used by the OilRig attackers. At this stage we might appreciate two communication ways.

Computer and Electronics

Computer and Electronics Communications Government File names

New release of Lampion trojan spreads in Portugal with some improvements on the VBS downloader

Security Affairs

JULY 7, 2020

However, in this new release, two DLL files are distributed. VBS file leverages the Windows rundll32 library to inject the first DLL into memory (P-14-7.dll), Figure 6: Deofuscated VBS file – Lampion trojan July 2020. LNK files from the Windows startup folder. VBS files from the Windows startup folder.

Communications

Communications Cloud Phishing Encryption

WinRAR CVE-2018-20250 flaw exploited in multiple campaigns

Security Affairs

MARCH 28, 2019

The flaw is an “Absolute Path Traversal” issue in the library that could be exploited to execute arbitrary code by using a specially-crafted file archive. The issue affects a third-party library, called UNACEV2.DLL DLL that is used by WINRAR, it resides in the way an old third-party library, called UNACEV2.DLL,

Archiving

Archiving File names Education Libraries

Information Management Today

China-linked APT41 group targets Hong Kong with Spyder Loader

China-linked LuminousMoth APT targets entities from Southeast Asia

Trending Sources

The North Korean Kimsuky APT threatens South Korea evolving its TTPs

Evilnum APT used Python-based RAT PyVil in recent attacks

Crooks target Healthcare facilities involved in Coronavirus containment with Ransomware

ATMitch: New Evidence Spotted In The Wild

[SI-LAB] FlawedAmmyy Leveraging Undetected XLM Macros as an Infection Vehicle

Dissecting the latest Ursnif DHL-Themed Campaign

A new trojan Lampion targets Portugal

Guarding Against Solorigate TTPs

Latin American Javali trojan weaponizing Avira antivirus legitimate injector to implant malware

APT34: Glimpse project

New release of Lampion trojan spreads in Portugal with some improvements on the VBS downloader

WinRAR CVE-2018-20250 flaw exploited in multiple campaigns

Stay Connected