Communications, File names and Security - Information Management Today

ToxicEye RAT exploits Telegram communications to steal data from victims

Security Affairs

APRIL 24, 2021

Telegram is a legitimate service and enterprise AV engines and security solutions trust its traffic. “The bot is embedded into the ToxicEye RAT configuration file and compiled into an executable file (an example of a file name we found was ‘paypal checker by saint.exe’). Pierluigi Paganini.

Communications

Communications File names Encryption Education

North Korea-linked Kimsuky APT attack targets victims via Messenger

Security Affairs

MAY 17, 2024

Researchers at Genius Security Center (GSC) identified a new attack strategy by the North Korea-linked Kimsuky APT group and collaborated with the Korea Internet & Security Agency (KISA) for analysis and response. “And if you compare the two malicious file execution screens, you can see the same pattern.

File names

File names Phishing Communications Security

BlackWater, a malware that uses Cloudflare Workers for C2 Communication

Security Affairs

MARCH 15, 2020

Researchers from MalwareHunterTeam discovered a suspicious RAR file named “COVID-19-” that was being distributed online, likely through phishing emails. "Important The RAR archive contains a file named “Important – COVID-19” that displays a Word icon. "Important – COVID-19.rar"

Communications

Communications File names Archiving Phishing

Webinars

Generative AI Deep Dive: Advancing from Proof of Concept to Production

MORE WEBINARS

B1txor20 Linux botnet use DNS Tunnel and Log4J exploit

Security Affairs

MARCH 17, 2022

The malware was first spotted on February 9, 2022, when 360Netlab’s honeypot system captured an unknown ELF file that was spreading by exploiting the Log4J vulnerability. The name B1txor20 is based on the file name “b1t” used for the propagation and the XOR encryption algorithm, and the RC4 algorithm key length of 20 bytes.

Honeypots

Honeypots File names Communications Encryption

New PowerExchange Backdoor linked to an Iranian APT group

Security Affairs

MAY 26, 2023

The backdoor uses emails for C2 communications, where the C2 is the victim’s Microsoft Exchange server. The infection chain commenced with spear phishing messages using a zip file named Brochure.zip in attachment. ” reads the analysis published by Fortinet. It also acts as a proxy for the attacker to mask himself.”

Communications

Communications File names Archiving Phishing

Night Sky, a new ransomware operation in the threat landscape

Security Affairs

JANUARY 7, 2022

Once encrypted a file, the ransomware appends the ‘ nightsky ‘ extension to encrypted file names. Experts pointed out that the gang communicates with victims via email and a clear website running an instance of the Rocket.Chat. Source MalwareHunterTeam. Follow me on Twitter: @securityaffairs and Facebook.

Ransomware

Ransomware Encryption File names Communications

Medibank Defends its Security Practices as its Ransomware Woes Worsen

IT Governance

NOVEMBER 17, 2022

The organisation’s share price plummeted by almost 19% following the data breach, and despite its claims that it has done the right thing, new details continue to emerge that cast doubt on Medibank’s cyber security practices. Things got worse for Medibank after a second database was leaked , containing a file named “abortions”.

IT

IT Ransomware Security Data breaches

Threat actors leverage Microsoft Teams to spread malware

Security Affairs

FEBRUARY 17, 2022

Starting in January 2022, security researchers from Avanan observed attackers compromising Microsoft Teams accounts attach malicious executables to chat and infect participants in the conversation. “Compounding this problem is the fact that default Teams protections are lacking, as scanning for malicious links and files is limited.

File names

File names Phishing Data breaches Access

New ransomware group Hive leaks Altus group sample files

Security Affairs

JUNE 26, 2021

On June 14th, Altus Group, a commercial real estate software solutions firm, disclosed a security breach, now Hive ransomware gang leaked its files. IT back-office and communications systems, such as email have been taken offline at the time. A week later, they reported “no evidence of impact”. Here’s what we know.

Ransomware

Ransomware File names Archiving Encryption

Monero Cryptocurrency campaign exploits ProxyLogon flaws

Security Affairs

APRIL 18, 2021

“The attack begins with a PowerShell command to retrieve a file named win_r.zip from another compromised server’s Outlook Web Access logon path (/owa/auth).” ” The attack used a PowerShell command to retrieve a file named win_r.zip from another compromised server’s Outlook Web Access logon path (/owa/auth). .

File names

File names Archiving Passwords Communications

Highly Sophisticated Malware Attacks Home and Small Office Routers

eSecurity Planet

JULY 1, 2022

Security researchers have uncovered an unusually sophisticated malware that has been targeting small office/home office (SOHO) routers for nearly two years, taking advantage of the pandemic and rapid shift to remote work. See The Best Wi-Fi 6 Routers Secure and Fast Enough for Business. See the Best Antivirus Software.

File names

File names Access Communications Security

New Linux Ransomware BlackSuit is similar to Royal ransomware

Security Affairs

JUNE 3, 2023

According to government experts, the Royal ransomware attacks targeted numerous critical infrastructure sectors including, manufacturing, communications, healthcare and public healthcare (HPH), and education. ReadMe file name: README.BlackSuit.txt. New #ransomware #BlackSuit targets Windows, #Linux. Extension: blacksuit.

Ransomware

Ransomware Encryption File names Cybersecurity

China-linked APT41 group targets Hong Kong with Spyder Loader

Security Affairs

OCTOBER 18, 2022

. “We also saw Mimikatz being executed on victim networks, as well as a Trojanized ZLib DLL that had multiple malicious exports, one of which appeared to be waiting for communication from a command-and-control (C&C) server, while the other would load a payload from the provided file name in the command-line.”

File names

File names Encryption Manufacturing Libraries

Russia-affiliated CheckMate ransomware quietly targets popular file-sharing protocol

Security Affairs

MAY 13, 2023

The CheckMate ransomware operators have been targeting the Server Message Block (SMB) communication protocol used for file sharing to compromise their victims’ networks. Once the attacker successfully logs in to a device, they encrypt data in shared folders and leave a ransom note with the file name “!CHECKMATE_DECRYPTION_README”

Ransomware

Ransomware Encryption Passwords File names

New RedLine malware version distributed as fake Omicron stat counter

Security Affairs

JANUARY 12, 2022

The new variant discovered by Fortinet has the file name “Omicron Stats.exe,” threat actors are attempting to exploit the enormous interest on a global scale on the COVID-19 Omicron variant. Over the course of the few weeks after this variant was released, we noticed one IP address in particular communicating with this C2 server.”

Manufacturing

Manufacturing File names Archiving Encryption

DownEx cyberespionage operation targets Central Asia

Security Affairs

MAY 10, 2023

exe ” and used the icon image associated with docx files. The executable is a self-contained archive that once executed will extract two files. One of the files is the bait document, while the other one is an HTA file named log extension with embedded VBScript code The HTA file contacts the C2 server to fetch a second-stage payload.

File names

File names Archiving Phishing Government

Russia-linked Cyclops Blink botnet targeting ASUS routers

Security Affairs

MARCH 18, 2022

In February, US and UK cybersecurity and law enforcement agencies published a joint security advisory about the Cyclops Blink bot that has been linked to the Russian-backed Sandworm APT group. For every hard-coded TCP port used to communicate with the C2 servers, the bot creates a rule in the Linux kernel firewall Netfilter.

IoT

IoT Military File names Communications

New Cyber Attack Campaign Leverages the COVID-19 Infodemic

Security Affairs

FEBRUARY 26, 2020

Figure 4: Piece of the encrypted file downloaded from “share.]dmca.]gripe”. Inside it, two files named “filename1.vbs” Figure 5: Installed files. The content of the VBScript is straightforward: it simply is the launching point to run executable file. Figure 10: Piece of network communication intercepted.

File names

File names Communications Encryption IT

Chinese cyberspies used a new PlugX variant, dubbed THOR, in attacks against MS Exchange Servers

Security Affairs

JULY 28, 2021

In the attacks investigated by Palo Alto Networks, the APT group leveraged legitimate executables such as BITSAdmin to download an innocuous file named Aro.dat from a GitHub repository under the control of the threat actors. The analysis of the file revealed that it includes the encrypted and compressed PlugX payload.

Encryption

Encryption File names Communications IT

China-linked LuminousMoth APT targets entities from Southeast Asia

Security Affairs

JULY 14, 2021

. “The archive contains two malicious DLL libraries as well as two legitimate executables that sideload the DLL files. We found multiple archives like this with file names of government entities in Myanmar, for example “COVID-19 Case 12-11-2020(MOTC).rar” ” reads the analysis published by Kaspersky.

Archiving

Archiving File names Government Libraries

The previously undocumented GoldenJackal APT targets Middle East, South Asia entities

Security Affairs

MAY 23, 2023

“The fake Skype installer was a.NET executable file named skype32.exe This may indicate that the actor is trying to protect some of its tools and avoid specific security solutions.” exe that was approximately 400 MB in size. ” The JackalControl Trojan allows threat actors to remotely control the target machine.

File names

File names Government Communications IT

Researcher found US ‘No Fly List’ on an unsecured server

Security Affairs

JANUARY 24, 2023

Crimew discovered a file named NoFly.csv which is a legitimate U.S. records (first names, last names, and dates of birth) belonging to people with suspected or known ties to terrorist groups. “three csv files, employee_information.csv, NOFLY.CSV and SELECTEE.CSV. no fly list from 2019 containing over 1.56

Archiving

Archiving File names Access Authentication

Evilnum APT used Python-based RAT PyVil in recent attacks

Security Affairs

SEPTEMBER 3, 2020

The malware communicates with the C2 communications via POST HTTP requests and uses RC4 encryption with a hardcoded key encoded with Base64. The new infection chain starts by including just one LNK file in the ZIP archive attached to spear-phishing messages. The PyVil RAT stores the malware settings (i.e. Pierluigi Paganini.

Phishing

Phishing Encryption File names Metadata

Chinese APT FunnyDream targets a South East Asian government

Security Affairs

NOVEMBER 17, 2020

Security experts at BitDefender have uncovered a new China-linked cyber espionage group, tracked as FunnyDream that has already infected more than 200 systems across Southeast Asia over the past two years. ” The name of the group comes from a powerful backdoor employed in the attacks of the APT group. ” Pierluigi Paganini.

Government

Government File names Communications Access

Conti ransomware gang also breached Ireland Department of Health (DoH)

Security Affairs

MAY 19, 2021

“The National Cyber Security Centre (NCSC) became aware on Thursday of an attempted cyber attack on the Department of Health. ” reads an update published by the Irish Department of the Environment, Climate and Communications. FEEDC (extension added by Conti Ransomware to filenames of encrypted files) – *.msi

Ransomware

Ransomware Encryption File names IoT

The North Korean Kimsuky APT threatens South Korea evolving its TTPs

Security Affairs

MARCH 3, 2020

The Kimsuky APT group has been analyzed by several security teams. Hash 757dfeacabf4c2f771147159d26117818354af14050e6ba42cc00f4a3d58e51f Threat Kimsuky loader Brief Description Scr file, initial loader Ssdeep 12288:APWcT1z2aKqkP/mANd2JiEWKZ52zfeCkIAYfLeXcj6uuLl:uhT1z4q030JigZUaULeXc3uLl. Figure 1: tweet on 28 February 2020.

IT

IT File names Libraries Communications

Zeus Sphinx spam campaign attempt to exploit Coronavirus outbreak

Security Affairs

MARCH 30, 2020

“Current malspam campaigns feature booby-trapped document files named “COVID 19 relief” and subject lines relying on the same theme. Sphinx’s targets have not changed from its past configuration files as it continues to focus on banks in the US, Canada, and Australia.” ” continues the post.”Next,

File names

File names Passwords Sales Authentication

Crooks exploit exposed Docker APIs to build AESDDoS botnet

Security Affairs

JUNE 15, 2019

“In this new attack, the threat actor first externally scans a given IP range by sending a TCP SYN packet to port 2375, the default port used for communicating with the Docker daemon.” “The output of this command is saved into a file named ips.txt, which is then fed into the Docker.exe file.

File names

File names Mining Access Communications

STOP ransomware encrypts files and steals victim’s data

Security Affairs

MARCH 11, 2019

. “These tasks include showing a fake Windows Update screen, disabling Windows Defender, and blocking access to security sites by adding entries to Windows’s HOSTS file.” The Promorad Ransomware variant samples tested by the experts also download a file named 5.exe exe and executed it.

Encryption

Encryption Ransomware Passwords File names

Discovery of Simps Botnet Leads To Ties to Keksec Group

Security Affairs

MAY 18, 2021

On execution of the Simps binary, it drops a log file containing that the device has been infected with malware by Simps Botnet (see Figure 2). Figure 2: Dropped log file. Figure 3: C2 communication. Figure 10: keksec.infected.you.log file. The binary also connects to the C2 23.95.80[.]200 200 (see figure 3).

IoT

IoT File names Communications Security

Crooks target Healthcare facilities involved in Coronavirus containment with Ransomware

Security Affairs

APRIL 14, 2020

a United States defense research entity, a Turkish government agency managing public works, several large technology and communications firms headquartered in Canada, Germany, and the United Kingdom, and medical organizations/medical research facilities located in Japan and Canada). ” reads the analysis published by PaloAlto Networks.

Ransomware

Ransomware Phishing File names Encryption

Sofacy APT group used a new tool in latest attacks, the Cannon

Security Affairs

NOVEMBER 20, 2018

” Cannon acts as a downloader and relies on emails to communicate with the C2 server and receive instructions. Hackers used weaponized files named ‘crash list (Lion Air Boeing 737).docx’ Security Affairs – Sofacy APT, Cannot tool). docx’ for their campaigns. Pierluigi Paganini.

File names

File names Phishing Communications Government

Emissary Panda updated its weapons for attacks in the past 2 years

Security Affairs

MARCH 1, 2019

“This Gh0st RAT sample communicated with IP address 43 [. ] In all the cases, attackers deliver a WinRAR self-extracting (SFX) file that installs the SysUpdate stage 1 payload, that gains persistence and downloads and executes the second stage payload, SysUpdate Main. Windows NT 6.3; ” continues the analysis.

IT

IT File names Financial Services Communications

Dacls RAT, the first Lazarus malware that targets Linux devices

Security Affairs

DECEMBER 17, 2019

The name Dacls comes from its file name and the hard-coded strings, the malware has a modular structure that could extend its capabilities by loading plugins. “With connection proxy, the number of target host connections can be reduced, and the communication between the target and the real C2 can be hidden.”

CMS

CMS File names Encryption Access

Outlaw is Back, a New Crypto-Botnet Targets European Organizations

Security Affairs

APRIL 28, 2020

The executed crypto miner is the file named “” kswapd0 ” based on the famous XMRIG monero crypto miner. It is composed only by three files: “ a”, “run”, “stop ”. They are three bash scripts, which we start to analyze: Figure 10: Content of the “a” script file. The initial script is the file named “ a ”.

Mining

Mining File names Honeypots IT

[SI-LAB] FlawedAmmyy Leveraging Undetected XLM Macros as an Infection Vehicle

Security Affairs

MARCH 2, 2019

This is part of a giant list of Living off the Land (LOL) techniques that attackers employ to mask their activities from runtime endpoint security monitoring tools such as AVs. The first port is used to maintain communications between C2 and clients. File name: patent-2019-02-20T093A283A05-1.xls Technical Analysis.

File names

File names Phishing Libraries IT

North Korea-linked Lazarus APT continues to target cryptocurrency exchanges

Security Affairs

JANUARY 9, 2020

The malware did not have an encryption/decryption routine for network communication a circumstance that suggest it was still under development. One victim was compromised by Windows AppleJeus malware in March 2019, experts determined that the infection started from a malicious file named WFCUpdater.exe. Pierluigi Paganini.

File names

File names Encryption Authentication Communications

TA505 is expanding its operations

Security Affairs

MAY 29, 2019

Once the macro is executed, the malware downloads two files from “kentona[.su”, su”, using an SSL encrypted communication, and stores them in “C:UsersPublic” path: “ rtegre.exe ” and “ wprgxyeqd79.exe The post TA505 is expanding its operations appeared first on Security Affairs. Example of junk instructions used in macro.

IT

IT Retail Archiving File names

ATMitch: New Evidence Spotted In The Wild

Security Affairs

MAY 7, 2019

The recent, unattended discovery of such kind of sample within the Info-Sec community led us to a deep dive into this particular malware tool, spearhead of a sophisticated cyber arsenal. The executable sample is a PE32 x86 file named “tester.exe”. Figure 5: “msxfs.dll”, library required by malware to communicate with ATM device.

Libraries

Libraries e-Discovery Communications File names

Break Down Information Silos With Cloud Storage and File Sharing

OneHub

AUGUST 17, 2021

Educate them on the issues that information silos are causing within your organization, and lay out the steps you plan to take to heal these divisions by increasing communication and cooperation. Online storage and file sharing. If your company isn’t already using online file storage, now is the perfect time to start.

Cloud

Cloud File names Access Education

6 Best Threat Intelligence Feeds to Use in 2023

eSecurity Planet

AUGUST 10, 2023

Here are our picks for the top threat intelligence feeds that security teams should consider adding to their defensive arsenal: AlienVault Open Threat Exchange: Best for community-driven threat feeds FBI InfraGard: Best for critical infrastructure security abuse.ch

Cybersecurity

Cybersecurity Access Metadata Energy and Utilities

Ursnif campaign targets Italy with a new infection Chain

Security Affairs

MARCH 17, 2020

The script creates a new file named “ pinumber.vbs ” and starts filling it with the instructions through the “echo” function appending the strings to the next vbs stage. An evidence about the presence of the malicious file hosted on the legit website is shown in the following figure: Figure 5: Communication with the DropUrl.

Archiving

Archiving Passwords Encryption IT

Dissecting the latest Ursnif DHL-Themed Campaign

Security Affairs

DECEMBER 4, 2018

Security experts at Yoroi – Cybaze Z-Lab discovered a new variant of the infamous Ursnif malware targeted Italian users through a malspam campaign. The beaconing pattern recognized in the C2 communication is consistent with Gozi/Ursnif/IFSB/Dreambot malware variants. Introduction. Figure 6: C2 network traffic.

Archiving

Archiving File names Libraries Communications

Spotting RATs: Delphi wrapper makes the analysis harder

Security Affairs

JULY 8, 2019

Surely the presence of an ISO file as attachment is suspicious, but for an unaware user it could go unnoticed, also thanks to the new Windows versions which natively support the filetype. Extracting the content of the ISO image, we encounter an EXE file named “po-ima0948436.exe”. Malware attempt to communicate.

File names

File names Encryption Archiving Phishing

ToxicEye RAT exploits Telegram communications to steal data from victims

North Korea-linked Kimsuky APT attack targets victims via Messenger

Webinars

Trending Sources

BlackWater, a malware that uses Cloudflare Workers for C2 Communication

Webinars

B1txor20 Linux botnet use DNS Tunnel and Log4J exploit

New PowerExchange Backdoor linked to an Iranian APT group

Night Sky, a new ransomware operation in the threat landscape

Medibank Defends its Security Practices as its Ransomware Woes Worsen

Threat actors leverage Microsoft Teams to spread malware

New ransomware group Hive leaks Altus group sample files

Monero Cryptocurrency campaign exploits ProxyLogon flaws

Highly Sophisticated Malware Attacks Home and Small Office Routers

New Linux Ransomware BlackSuit is similar to Royal ransomware

China-linked APT41 group targets Hong Kong with Spyder Loader

Russia-affiliated CheckMate ransomware quietly targets popular file-sharing protocol

New RedLine malware version distributed as fake Omicron stat counter

DownEx cyberespionage operation targets Central Asia

Russia-linked Cyclops Blink botnet targeting ASUS routers

New Cyber Attack Campaign Leverages the COVID-19 Infodemic

Chinese cyberspies used a new PlugX variant, dubbed THOR, in attacks against MS Exchange Servers

China-linked LuminousMoth APT targets entities from Southeast Asia

The previously undocumented GoldenJackal APT targets Middle East, South Asia entities

Researcher found US ‘No Fly List’ on an unsecured server

Evilnum APT used Python-based RAT PyVil in recent attacks

Chinese APT FunnyDream targets a South East Asian government

Conti ransomware gang also breached Ireland Department of Health (DoH)

The North Korean Kimsuky APT threatens South Korea evolving its TTPs

Zeus Sphinx spam campaign attempt to exploit Coronavirus outbreak

Crooks exploit exposed Docker APIs to build AESDDoS botnet

STOP ransomware encrypts files and steals victim’s data

Discovery of Simps Botnet Leads To Ties to Keksec Group

Crooks target Healthcare facilities involved in Coronavirus containment with Ransomware

Sofacy APT group used a new tool in latest attacks, the Cannon

Emissary Panda updated its weapons for attacks in the past 2 years

Dacls RAT, the first Lazarus malware that targets Linux devices

Outlaw is Back, a New Crypto-Botnet Targets European Organizations

[SI-LAB] FlawedAmmyy Leveraging Undetected XLM Macros as an Infection Vehicle

North Korea-linked Lazarus APT continues to target cryptocurrency exchanges

TA505 is expanding its operations

ATMitch: New Evidence Spotted In The Wild

Break Down Information Silos With Cloud Storage and File Sharing

6 Best Threat Intelligence Feeds to Use in 2023

Ursnif campaign targets Italy with a new infection Chain

Dissecting the latest Ursnif DHL-Themed Campaign

Spotting RATs: Delphi wrapper makes the analysis harder

Stay Connected