Encryption, File names and Libraries - Information Management Today

Encryption

File names

Libraries

Night Sky ransomware operators exploit Log4Shell to target hack VMware Horizon servers

Security Affairs

JANUARY 11, 2022

Another gang, Night Sky ransomware operation, started exploiting the Log4Shell vulnerability in the Log4j library to gain access to VMware Horizon systems. The Night Sky ransomware operation started exploiting the Log4Shell flaw (CVE-2021-44228) in the Log4j library to gain access to VMware Horizon systems.

Ransomware

Ransomware Libraries File names Encryption

China-linked APT41 group targets Hong Kong with Spyder Loader

Security Affairs

OCTOBER 18, 2022

Spyder Loader loads AES-encrypted blobs to create the wlbsctrl.dll which acts as a next-stage loader that executes the content. Like the sample analyzed by Cyberreason, the Spyder Loader sample analyzed by Symantec uses the CryptoPP C++ library. ” continues the report.

File names

File names Encryption Manufacturing Libraries

Join 55,000+

Insiders

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Webinars

Peak Performance: Continuous Testing & Evaluation of LLM-Based Applications

MORE WEBINARS

Trending Sources

New KilllSomeOne APT group leverages DLL side-loading

Security Affairs

NOVEMBER 5, 2020

The name KilllSomeOne comes from the phrase ‘KilllSomeOne’ used in the DLL side-loading attacks, the group is using poorly-written English messages relating to political subjects. . Dynamic-link library (DLL) side-loading takes advantage of how Microsoft Windows applications handle DLL files.

File names

File names Encryption Libraries IT

Webinars

Peak Performance: Continuous Testing & Evaluation of LLM-Based Applications

MORE WEBINARS

China-linked Budworm APT returns to target a US entity

Security Affairs

OCTOBER 13, 2022

The attackers continue to use the HyperBro backdoor which is often loaded using the dynamic-link library (DLL) side-loading technique. The binary, which has the default name vf_host.exe, is usually renamed by the attackers in order to masquerade as a more innocuous file. .”

File names

File names Financial Services Manufacturing Libraries

Iran-linked APT TA453 targets Windows and macOS systems

Security Affairs

JULY 8, 2023

At the provided URL, a password-encrypted.rar file named “Abraham Accords & MENA.rar” was hosted. The.rar archive contained a dropper named “Abraham Accords & MENA.pdf.lnk.” It generates a system identifier by combining the operating system name, hostname, and a random number.

Archiving

Archiving Cloud File names Metadata

Evilnum APT used Python-based RAT PyVil in recent attacks

Security Affairs

SEPTEMBER 3, 2020

The second layer of Python code decodes and loads to memory the main RAT and the imported libraries. The malware communicates with the C2 communications via POST HTTP requests and uses RC4 encryption with a hardcoded key encoded with Base64. The PyVil RAT stores the malware settings (i.e.

Phishing

Phishing Encryption File names Metadata

Crooks target Healthcare facilities involved in Coronavirus containment with Ransomware

Security Affairs

APRIL 14, 2020

“The emails all contained a malicious Rich Text Format (RTF) phishing lure with the file name 20200323- sitrep -63- covid -19. ” The messages use a weaponized rich text format (RTF) attachment that exploits the CVE-2012-0158 buffer overflow in Microsoft’s ListView / TreeView ActiveX controls in MSCOMCTL.OCX library.

Ransomware

Ransomware Phishing File names Encryption

Iran-linked group Cobalt Dickens hit over 60 universities worldwide

Security Affairs

SEPTEMBER 12, 2019

This operation is similar to the threat group’s August 2018 campaign , using compromised university resources to send library-themed phishing emails.” The hackers registered at least 20 new domain names through the Freenom domain provider that offers free top-level domain names.

Phishing

Phishing Libraries File names Metadata

JSWorm: The 4th Version of the Infamous Ransomware

Security Affairs

SEPTEMBER 4, 2019

JSWorm encrypts all the user files appending a new extension to their name. During the encryption phase, the ransomware creates an HTML Application “JSWRM-DECRYPT.hta” in each folder it encounters. The HTA file corresponds to the ransom window shown in Figure 1. Figure 3: Extensions excluded from encryption.

Ransomware

Ransomware Encryption File names Libraries

The Long Run of Shade Ransomware

Security Affairs

FEBRUARY 19, 2019

The phishing email contains a.zip file named “slavneft.zakaz.zip”, which means something like “slavneft order” in English, showing a direct reference to “Slavneft”. It contains a russian speaking JavaScript file named “«??? «??? «?????????» ??????????? ??????”, Background of the infected machine, after encryption phase.

Ransomware

Ransomware Mining File names Encryption

[SI-LAB] FlawedAmmyy Leveraging Undetected XLM Macros as an Infection Vehicle

Security Affairs

MARCH 2, 2019

File name: patent-2019-02-20T093A283A05-1.xls However, as already mentioned at the beginning of the technical analysis, SI-LAB team obtained two types of files, namely xls and doc archives. File name : 68131_46_20190219.doc Analyzing the MSI file – The installer/dropper of infamous FlawedAmmyy.

File names

File names Phishing Libraries IT

Cr1ptT0r Ransomware targets D-Link NAS Devices and embedded systems

Security Affairs

FEBRUARY 23, 2019

Once the malware has infected a system drops two plain text files, one is a ransom note called “_FILES_ENCRYPTED_README.txt,” which gives information to the victim on what has happened and instruction to pay the ransom. Like other ransomware, the operators allow victims to unlock a file for free.

Ransomware

Ransomware Encryption File names Libraries

Latin American Javali trojan weaponizing Avira antivirus legitimate injector to implant malware

Security Affairs

FEBRUARY 16, 2021

dll: Windows legitimate DLL for runtime dependencies – MICROSOFT® C RUNTIME LIBRARY. dll: Windows legitimate DLL for runtime dependencies – MICROSOFT® C RUNTIME LIBRARY. Usually, executables using the side-by-side feature will have these resources located in the embedded manifest file. exe8CBB75FEBFB4B0B7C3B6D3613386220C.

Libraries

Libraries Communications Phishing Encryption

Guarding Against Solorigate TTPs

eSecurity Planet

FEBRUARY 3, 2021

Presenting itself as a JPG file named “gracious_truth.jpg,” Teardrop is a memory-only dropper built to enter a network seamlessly and replace the embedded payload. The problem: software can be mighty complex, made up of components, development frameworks, operating system features, libraries, and more. Encryption.

Cybersecurity

Cybersecurity Access Authentication Cloud

New release of Lampion trojan spreads in Portugal with some improvements on the VBS downloader

Security Affairs

JULY 7, 2020

However, in this new release, two DLL files are distributed. VBS file leverages the Windows rundll32 library to inject the first DLL into memory (P-14-7.dll), Figure 6: Deofuscated VBS file – Lampion trojan July 2020. LNK files from the Windows startup folder. VBS files from the Windows startup folder.

Communications

Communications Cloud Phishing Encryption

Night Sky ransomware operators exploit Log4Shell to target hack VMware Horizon servers

China-linked APT41 group targets Hong Kong with Spyder Loader

Webinars

Trending Sources

New KilllSomeOne APT group leverages DLL side-loading

Webinars

China-linked Budworm APT returns to target a US entity

Iran-linked APT TA453 targets Windows and macOS systems

Evilnum APT used Python-based RAT PyVil in recent attacks

Crooks target Healthcare facilities involved in Coronavirus containment with Ransomware

Iran-linked group Cobalt Dickens hit over 60 universities worldwide

JSWorm: The 4th Version of the Infamous Ransomware

The Long Run of Shade Ransomware

[SI-LAB] FlawedAmmyy Leveraging Undetected XLM Macros as an Infection Vehicle

Cr1ptT0r Ransomware targets D-Link NAS Devices and embedded systems

Latin American Javali trojan weaponizing Avira antivirus legitimate injector to implant malware

Guarding Against Solorigate TTPs

New release of Lampion trojan spreads in Portugal with some improvements on the VBS downloader

Stay Connected