Encryption, File names, Libraries and Security - Information Management Today

Encryption

File names

Libraries

Security

Night Sky ransomware operators exploit Log4Shell to target hack VMware Horizon servers

Security Affairs

JANUARY 11, 2022

Another gang, Night Sky ransomware operation, started exploiting the Log4Shell vulnerability in the Log4j library to gain access to VMware Horizon systems. The Night Sky ransomware operation started exploiting the Log4Shell flaw (CVE-2021-44228) in the Log4j library to gain access to VMware Horizon systems. trendmrcio[.]com,

Ransomware

Ransomware Libraries File names Encryption

China-linked APT41 group targets Hong Kong with Spyder Loader

Security Affairs

OCTOBER 18, 2022

Spyder Loader loads AES-encrypted blobs to create the wlbsctrl.dll which acts as a next-stage loader that executes the content. Like the sample analyzed by Cyberreason, the Spyder Loader sample analyzed by Symantec uses the CryptoPP C++ library. ” continues the report. Follow me on Twitter: @securityaffairs and Facebook.

File names

File names Encryption Manufacturing Libraries

Join 55,000+

Insiders

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Trending Sources

New KilllSomeOne APT group leverages DLL side-loading

Security Affairs

NOVEMBER 5, 2020

The name KilllSomeOne comes from the phrase ‘KilllSomeOne’ used in the DLL side-loading attacks, the group is using poorly-written English messages relating to political subjects. . Dynamic-link library (DLL) side-loading takes advantage of how Microsoft Windows applications handle DLL files. Pierluigi Paganini.

File names

File names Encryption Libraries IT

China-linked Budworm APT returns to target a US entity

Security Affairs

OCTOBER 13, 2022

The attackers continue to use the HyperBro backdoor which is often loaded using the dynamic-link library (DLL) side-loading technique. The binary, which has the default name vf_host.exe, is usually renamed by the attackers in order to masquerade as a more innocuous file. .” Pierluigi Paganini.

File names

File names Financial Services Manufacturing Libraries

Iran-linked APT TA453 targets Windows and macOS systems

Security Affairs

JULY 8, 2023

The spear-phishing message appears as a benign conversation lure masquerading as a senior fellow with the Royal United Services Institute (RUSI) to the public media contact for a nuclear security expert at a US-based think tank focused on foreign affairs. The.rar archive contained a dropper named “Abraham Accords & MENA.pdf.lnk.”

Archiving

Archiving Cloud File names Metadata

Evilnum APT used Python-based RAT PyVil in recent attacks

Security Affairs

SEPTEMBER 3, 2020

The second layer of Python code decodes and loads to memory the main RAT and the imported libraries. The malware communicates with the C2 communications via POST HTTP requests and uses RC4 encryption with a hardcoded key encoded with Base64. The PyVil RAT stores the malware settings (i.e. Pierluigi Paganini.

Phishing

Phishing Encryption File names Metadata

Iran-linked group Cobalt Dickens hit over 60 universities worldwide

Security Affairs

SEPTEMBER 12, 2019

This operation is similar to the threat group’s August 2018 campaign , using compromised university resources to send library-themed phishing emails.” The hackers registered at least 20 new domain names through the Freenom domain provider that offers free top-level domain names. Pierluigi Paganini.

Phishing

Phishing Libraries File names Metadata

Crooks target Healthcare facilities involved in Coronavirus containment with Ransomware

Security Affairs

APRIL 14, 2020

“The emails all contained a malicious Rich Text Format (RTF) phishing lure with the file name 20200323- sitrep -63- covid -19. ” The messages use a weaponized rich text format (RTF) attachment that exploits the CVE-2012-0158 buffer overflow in Microsoft’s ListView / TreeView ActiveX controls in MSCOMCTL.OCX library.

Ransomware

Ransomware Phishing File names Encryption

JSWorm: The 4th Version of the Infamous Ransomware

Security Affairs

SEPTEMBER 4, 2019

JSWorm encrypts all the user files appending a new extension to their name. During the encryption phase, the ransomware creates an HTML Application “JSWRM-DECRYPT.hta” in each folder it encounters. The HTA file corresponds to the ransom window shown in Figure 1. Figure 3: Extensions excluded from encryption.

Ransomware

Ransomware Encryption File names Libraries

The Long Run of Shade Ransomware

Security Affairs

FEBRUARY 19, 2019

Since the beginning of the year, security firms observed a new intense ransomware campaign spreading the Shade ransomware. Between January and February, a new, intense, ransomware campaign has been observed by many security firms. It contains a russian speaking JavaScript file named “«??? «??? «?????????» ??????????? ??????”,

Ransomware

Ransomware Mining File names Encryption

[SI-LAB] FlawedAmmyy Leveraging Undetected XLM Macros as an Infection Vehicle

Security Affairs

MARCH 2, 2019

This is part of a giant list of Living off the Land (LOL) techniques that attackers employ to mask their activities from runtime endpoint security monitoring tools such as AVs. File name: patent-2019-02-20T093A283A05-1.xls File name : 68131_46_20190219.doc Figure 20: Files that are part of MSI.

File names

File names Phishing Libraries IT

Guarding Against Solorigate TTPs

eSecurity Planet

FEBRUARY 3, 2021

Since then, much has been learned about the tactics, techniques, and procedures (TTPs) deployed and what steps organizations are taking to harden their network and application security. Former Department of Homeland Security (DHS) officials noted “this could be an extremely serious breach of security.” federal agencies.

Cybersecurity

Cybersecurity Access Authentication Cloud

Latin American Javali trojan weaponizing Avira antivirus legitimate injector to implant malware

Security Affairs

FEBRUARY 16, 2021

dll: Windows legitimate DLL for runtime dependencies – MICROSOFT® C RUNTIME LIBRARY. dll: Windows legitimate DLL for runtime dependencies – MICROSOFT® C RUNTIME LIBRARY. Usually, executables using the side-by-side feature will have these resources located in the embedded manifest file. exe8CBB75FEBFB4B0B7C3B6D3613386220C.

Libraries

Libraries Communications Phishing Encryption

Cr1ptT0r Ransomware targets D-Link NAS Devices and embedded systems

Security Affairs

FEBRUARY 23, 2019

Once the malware has infected a system drops two plain text files, one is a ransom note called “_FILES_ENCRYPTED_README.txt,” which gives information to the victim on what has happened and instruction to pay the ransom. Like other ransomware, the operators allow victims to unlock a file for free. Pierluigi Paganini.

Ransomware

Ransomware Encryption File names Libraries

New release of Lampion trojan spreads in Portugal with some improvements on the VBS downloader

Security Affairs

JULY 7, 2020

However, in this new release, two DLL files are distributed. VBS file leverages the Windows rundll32 library to inject the first DLL into memory (P-14-7.dll), Figure 6: Deofuscated VBS file – Lampion trojan July 2020. LNK files from the Windows startup folder. VBS files from the Windows startup folder.

Communications

Communications Cloud Phishing Encryption

Night Sky ransomware operators exploit Log4Shell to target hack VMware Horizon servers

China-linked APT41 group targets Hong Kong with Spyder Loader

Trending Sources

New KilllSomeOne APT group leverages DLL side-loading

China-linked Budworm APT returns to target a US entity

Iran-linked APT TA453 targets Windows and macOS systems

Evilnum APT used Python-based RAT PyVil in recent attacks

Iran-linked group Cobalt Dickens hit over 60 universities worldwide

Crooks target Healthcare facilities involved in Coronavirus containment with Ransomware

JSWorm: The 4th Version of the Infamous Ransomware

The Long Run of Shade Ransomware

[SI-LAB] FlawedAmmyy Leveraging Undetected XLM Macros as an Infection Vehicle

Guarding Against Solorigate TTPs

Latin American Javali trojan weaponizing Avira antivirus legitimate injector to implant malware

Cr1ptT0r Ransomware targets D-Link NAS Devices and embedded systems

New release of Lampion trojan spreads in Portugal with some improvements on the VBS downloader

Stay Connected