Encryption, File names and Phishing - Information Management Today

DeathRansom ransomware evolves encrypting files, but experts identified its author

Security Affairs

JANUARY 5, 2020

DeathRansom was considered fake ransomware due to the fact that it did not implement an effective encryption process, but now things are changing. DeathRansom is a ransomware family that was initially classified as a joke because it did not implement an effective encryption scheme. They share the naming pattern and infrastructure used.

Encryption

Encryption Ransomware IT Phishing

What is DKIM Email Security Technology? DKIM Explained

eSecurity Planet

MAY 24, 2023

At a high level, DKIM enables an organization to provide encryption hash values for key parts of an email. Using public-private encryption key pairs, receiving email servers can compare the received email hash value against the received hash value to validate if any alterations took place in transit.

Encryption

Encryption Security Authentication File names

To Fix DMARC Requires Angry Customers

eSecurity Planet

AUGUST 30, 2023

A new Cloudflare phishing report notes that most of the 1 billion brand impersonation emails the company detected “passed” SPF, DKIM, and DMARC email authentication protocols. At the same time, an organization is also quite likely to fall for business email compromise and phishing attacks from their vendors.

Authentication

Authentication Phishing Encryption Sales

Crooks target Healthcare facilities involved in Coronavirus containment with Ransomware

Security Affairs

APRIL 14, 2020

PaloAlto Networks experts warn of malicious Coronavirus themed phishing campaigns targeting government and medical organizations. The attacks against the Canadian healthcare organizations were discovered between March 24 and March 26, they started with coronavirus -themed phishing campaigns that were carried out in the last months.

Ransomware

Ransomware Phishing File names Encryption

ToxicEye RAT exploits Telegram communications to steal data from victims

Security Affairs

APRIL 24, 2021

Threat actors behind ToxicEye spread the RAT via phishing emails containing a malicious.exe file. “The bot is embedded into the ToxicEye RAT configuration file and compiled into an executable file (an example of a file name we found was ‘paypal checker by saint.exe’). ” concludes the report.

Communications

Communications File names Encryption Education

Crooks use hidden directories of compromised HTTPS sites to deliver malware

Security Affairs

APRIL 2, 2019

Hacked websites were used for several malicious purposes, experts observed compromised WordPress and Joomla websites serving Shade /Troldesh ransomware, coin miners, backdoors, and some times were involved in phishing campaigns. The attackers use these locations to hide malware and phishing pages from the administrators.

CMS

CMS Phishing Ransomware File names

New Graphiron info-stealer used in attacks against Ukraine

Security Affairs

FEBRUARY 8, 2023

“Graphiron uses AES encryption with hardcoded keys. It creates temporary files with the “ lock” and “ trash” extensions. It uses hardcoded file names designed to masquerade as Microsoft office executables: OfficeTemplate.exe and MicrosoftOfficeDashboard.exe” reads the analysis published by Symantec.

File names

File names Passwords Phishing Encryption

Evilnum APT used Python-based RAT PyVil in recent attacks

Security Affairs

SEPTEMBER 3, 2020

Attackers carried out spear-phishing emails using the Know Your Customer regulations (KYC) as a lure. The malware communicates with the C2 communications via POST HTTP requests and uses RC4 encryption with a hardcoded key encoded with Base64. The PyVil RAT was recently employed in attacks against FinTech companies across the U.K.

Phishing

Phishing Encryption File names Metadata

Iran-linked APT TA453 targets Windows and macOS systems

Security Affairs

JULY 8, 2023

The spear-phishing message appears as a benign conversation lure masquerading as a senior fellow with the Royal United Services Institute (RUSI) to the public media contact for a nuclear security expert at a US-based think tank focused on foreign affairs. The.rar archive contained a dropper named “Abraham Accords & MENA.pdf.lnk.”

Archiving

Archiving Cloud File names Metadata

Iran-linked group Cobalt Dickens hit over 60 universities worldwide

Security Affairs

SEPTEMBER 12, 2019

Iran-linked Cobalt Dickens APT group carried out a spear-phishing campaign aimed at tens of universities worldwide. This operation is similar to the threat group’s August 2018 campaign , using compromised university resources to send library-themed phishing emails.” ” reads the analysis published by Secureworks.

Phishing

Phishing Libraries File names Metadata

New Cyber Attack Campaign Leverages the COVID-19 Infodemic

Security Affairs

FEBRUARY 26, 2020

During our Threat Intelligence activities we noticed a suspicions artifact named “ CoronaVirusSafetyMeasures_pdf ”, so, intrigued by its name and by its recent submission on Yomi Hunter ( LINK ), we decided to deep dive into it. Probably, the infection vector was a phishing mail containing a specific attachment. exe” appeared.

File names

File names Communications Encryption IT

GermanWiper, a data-wiping malware that is targeting Germany

Security Affairs

AUGUST 5, 2019

Recently a data-wiping malware tracked as GermanWiper has been targeting German organizations, the malicious code is pushed via phishing messages. GermanWiper is being distributed in Germany through spam messages that pretend to be emails sent by a job applicant named Lena Kretschmer that is submitting her resume.

Ransomware

Ransomware Encryption File names Archiving

The Long Run of Shade Ransomware

Security Affairs

FEBRUARY 19, 2019

The phishing email contains a.zip file named “slavneft.zakaz.zip”, which means something like “slavneft order” in English, showing a direct reference to “Slavneft”. It contains a russian speaking JavaScript file named “«??? «??? «?????????» ??????????? ??????”, Content of README.txt file.

Ransomware

Ransomware Mining File names Encryption

Is BazarLoader malware linked to Trickbot operators?

Security Affairs

APRIL 18, 2021

The phishing messages include links pointing to Slack or BaseCamp cloud storage, for this reason, they don’t raise suspicion when are received by employees working at an organization that uses the above services. Some of the files’ names observed by the experts are presentation-document.exe, preview-document-[number].exe

File names

File names Ransomware Phishing Encryption

A new variant of Asruex Trojan exploits very old Office, Adobe flaws

Security Affairs

AUGUST 23, 2019

Trend Micro researchers discovered the new Asruex variant in malicious.PDF files that was spread via phishing messages. Researchers reported that attackers also used weaponized Word files to deliver the Asruex Trojan, in other cases the malicious code is delivered as a standard executable.

File names

File names Phishing Encryption Security

Spotting RATs: Delphi wrapper makes the analysis harder

Security Affairs

JULY 8, 2019

Phishing email content. The phishing email (Figure 1) has a well-designed body containing the enterprise logo and references about the impersonated company: its international reputation has been abused by attackers to lure the victim to open up the embedded attachment. Encrypted payload, stored in Resource section. The Loader.

File names

File names Encryption Archiving Phishing

19 petabytes of data exposed across 29,000+ unprotected databases

Security Affairs

MAY 7, 2021

Such lapses in database security can (and often do) lead to hundreds of millions of people having their personal information exposed on the internet, allowing threat actors to use that data for a variety of malicious purposes, including phishing and other types of social engineering attacks , as well as identity theft.

Passwords

Passwords Authentication Access File names

TA505 is expanding its operations

Security Affairs

MAY 29, 2019

Hash 0c88e285b6fc183c96b6f03ca5700cc9ca7c83dfccc6ad14a946d1868d1cc273 Threat Dropper Brief Description Excel file with malicious macro Ssdeep 3072:Mc38TehYTdeHVhjqabWHLtyeGxml8/dgzxXYhh3vVYwrq 8/P5HKuPF1+bkm13Kkf:B38TehYTdeHVhjqabWHLty/xml8/dgNr. The intercepted attack starts with a spear-phishing email embedding a spreadsheet.

IT

IT Retail Archiving File names

[SI-LAB] FlawedAmmyy Leveraging Undetected XLM Macros as an Infection Vehicle

Security Affairs

MARCH 2, 2019

In February 2019, SI-LAB captured multiple samples of phishing campaigns using an Office Excel document carrying a malicious Excel 4.0 File name: patent-2019-02-20T093A283A05-1.xls Figure 1: Malicious xls file with an embedded XLM macro not detected by Virus Total. File name : 68131_46_20190219.doc

File names

File names Phishing Libraries IT

What is Ransomware? Everything You Should Know

eSecurity Planet

APRIL 6, 2023

Ransomware is a type of malicious program, or malware, that encrypts files, documents and images on a computer or server so that users cannot access the data. These keys are available to the attacker, and the encryption can only be decrypted using a private key. How Does Ransomware Work?

Ransomware

Ransomware Encryption Cybersecurity Risk

New release of Lampion trojan spreads in Portugal with some improvements on the VBS downloader

Security Affairs

JULY 7, 2020

Lampion was first documented in December 2019 , and it was distributed in Portugal via phishing emails using templates based on the Portuguese Government Finance & Tax. Here, it was distributed using fake webpages, where the victim downloaded an MSI file, which then held the remaining Lampion infection chain. zipEncrypted: r?

Communications

Communications Cloud Phishing Encryption

Latin American Javali trojan weaponizing Avira antivirus legitimate injector to implant malware

Security Affairs

FEBRUARY 16, 2021

The malicious activity starts with a phishing email sent to the target victims in Latin American – Brazil, Mexico, Chile, and Peru – and Europe – Spain and Portugal. The initial stage of these trojans is generally the execution of a dropper in a form of a VBS, JScript, or MSI file that downloads from the Cloud (AWS, Google, etc.)

Libraries

Libraries Communications Phishing Encryption

APT29 abused the Windows Credential Roaming in an attack against a diplomatic entity

Security Affairs

NOVEMBER 10, 2022

Mandiant researchers in early 2022 responded to an incident where the Russia-linked APT29 group (aka SVR group , Cozy Bear , Nobelium , and The Dukes ) successfully phished a European diplomatic entity. Then the attacker can write an arbitrary number of bytes to any file on the file system, posing as the victim account.

File names

File names Passwords Phishing Encryption

Information Management Today

DeathRansom ransomware evolves encrypting files, but experts identified its author

What is DKIM Email Security Technology? DKIM Explained

Trending Sources

To Fix DMARC Requires Angry Customers

Crooks target Healthcare facilities involved in Coronavirus containment with Ransomware

ToxicEye RAT exploits Telegram communications to steal data from victims

Crooks use hidden directories of compromised HTTPS sites to deliver malware

New Graphiron info-stealer used in attacks against Ukraine

Evilnum APT used Python-based RAT PyVil in recent attacks

Iran-linked APT TA453 targets Windows and macOS systems

Iran-linked group Cobalt Dickens hit over 60 universities worldwide

New Cyber Attack Campaign Leverages the COVID-19 Infodemic

GermanWiper, a data-wiping malware that is targeting Germany

The Long Run of Shade Ransomware

Is BazarLoader malware linked to Trickbot operators?

A new variant of Asruex Trojan exploits very old Office, Adobe flaws

Spotting RATs: Delphi wrapper makes the analysis harder

19 petabytes of data exposed across 29,000+ unprotected databases

TA505 is expanding its operations

[SI-LAB] FlawedAmmyy Leveraging Undetected XLM Macros as an Infection Vehicle

What is Ransomware? Everything You Should Know

New release of Lampion trojan spreads in Portugal with some improvements on the VBS downloader

Latin American Javali trojan weaponizing Avira antivirus legitimate injector to implant malware

APT29 abused the Windows Credential Roaming in an attack against a diplomatic entity

Stay Connected