Email Campaign Spreads StrRAT Fake-Ransomware RAT

Threatpost

Microsoft Security discovered malicious PDFs that download the Java-based StrRAT, which can steal credentials and rename files but doesn't actually encrypt them.

New DeadBolt Ransomware Targets NAS Devices

Schneier on Security

There’s a new ransomware that targets NAS devices made by QNAP: The attacks started today, January 25th, with QNAP devices suddenly finding their files encrypted and file names appended with a .deadbolt file extension.

STRRAT RAT spreads masquerading as ransomware

Security Affairs

Microsoft warns of a malware campaign that is spreading a RAT dubbed STRRAT masquerading as ransomware. This RAT is infamous for its ransomware-like behavior of appending the .crimson extension to file names without actually encrypting the files.

Night Sky, a new ransomware operation in the threat landscape

Security Affairs

Once it has encrypted a file, the ransomware appends the ‘.nightsky’ extension to the encrypted file name. The gang has also set up a leak site on the Tor network where it publishes files stolen from victims who do not pay the ransom.

Hack of DNA website exposes data from 92M accounts

Information Management Resources

MyHeritage received a message from a researcher who unearthed a file named 'myheritage' containing email addresses and hashed passwords of nearly all of its users on a private server outside the company.

Details of the REvil Ransomware Attack

Schneier on Security

After writing a base-64-encoded payload to a file named agent.crt the dropper executed it. […]. The ransomware dropper Agent.exe is signed with a Windows-trusted certificate that uses the registrant name “PB03 TRANSPORT LTD.”

FBI published a flash alert on Mamba Ransomware attacks

Security Affairs

Mamba ransomware is one of the first malware families detected in public attacks that encrypts entire hard drives rather than individual files. Mamba leverages a disk-level encryption strategy instead of the conventional file-based one. Payment does not guarantee that files will be recovered.

New RedLine malware version distributed as fake Omicron stat counter

Security Affairs

The new variant discovered by Fortinet has the file name “Omicron Stats.exe”; the threat actors are attempting to exploit the enormous global interest in the COVID-19 Omicron variant.

New COVID19 wiper overwrites MBR making computers unusable

Security Affairs

Upon execution, the wiper drops a series of helper files into a temporary folder, including a BAT file named “coronovirus Installer,” which is responsible for most of the setup work. The BAT file creates a hidden folder named COVID-19, then moves the dropped files into it.

Evil Corp rebrands their ransomware, this time is the Macaw Locker

Security Affairs

The Macaw Locker ransomware encrypts victims’ files and appends the .macaw extension to the file name of each encrypted file.

Iran-linked Seedworm APT targets Telecoms organizations across the Middle East and Asia

Security Affairs

A suspected ScreenConnect setup MSI appeared to have been delivered in a zipped file named “Special discount program.zip”, suggesting that it arrived in a spear-phishing email.

Night Sky ransomware operators exploit Log4Shell to hack VMware Horizon servers

Security Affairs

The gang has also set up a leak site on the Tor network where it publishes files stolen from victims who do not pay the ransom. Researchers from MalwareHunterTeam first spotted the ransomware family; once it has encrypted a file, the ransomware appends the ‘.

Avast released a free decryptor for Babuk ransomware

Security Affairs

Researchers from cybersecurity firm Avast released a decryption tool for Babuk ransomware that allows victims to recover their files for free.

Integrating AWS S3 and Windows PowerShell to Download and Rename Files

Perficient

Downloading and Renaming Files from AWS S3 using PowerShell: define the bucket you would like to download the files from, then define the folder within the bucket you would like to download the files from. You may change the profile name to whatever you like.

Monero Cryptocurrency campaign exploits ProxyLogon flaws

Security Affairs

“The attack begins with a PowerShell command to retrieve a file named win_r.zip from another compromised server’s Outlook Web Access logon path (/owa/auth).”

Sony Bravia Smart TVs affected by a critical vulnerability

Security Affairs

The third flaw, a directory-traversal vulnerability tracked as CVE-2018-16594, relates to the way the Photo Sharing Plus app handles file names. “This application handles file names incorrectly when the user uploads a media file.” The application handles file names incorrectly when receiving a user’s input file uploaded via a URL, so an attacker can upload an arbitrary file with a crafted file name (e.g., /./).
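The flaw described above is the classic upload-handler mistake: trusting the user-supplied file name as a path. The following is an added example, not Sony’s code and not derived from the CVE write-up, showing how an upload handler should reduce an untrusted name to a single safe path component and then independently prove the final path stays inside the storage directory. The probe names and the storage root are constructed for the demonstration.

```python
import re
import unicodedata
from pathlib import Path

# Conservative allow-list: anything else in a file name becomes an underscore.
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")


def sanitize_filename(untrusted: str) -> str:
    """Reduce a user-supplied name to one safe path component, or raise ValueError."""
    # Normalize look-alike Unicode, treat both separators alike, keep only the last component.
    name = unicodedata.normalize("NFKC", untrusted).replace("\\", "/").rsplit("/", 1)[-1]
    # Remove NUL bytes (a classic way to truncate a name in a native layer) and
    # replace everything outside the allow-list.
    name = _UNSAFE.sub("_", name.replace("\x00", ""))
    # Names that are empty or consist only of dots ('.', '..', what is left of '/./') are refused.
    if not name or set(name) <= {"."}:
        raise ValueError(f"unusable file name: {untrusted!r}")
    # Leading dots would create hidden files or re-form '..'; strip them.
    return name.lstrip(".") or "_"


def safe_destination(root: Path, untrusted: str) -> Path:
    """Join the sanitized name under root and verify the result still lives inside root."""
    root = root.resolve()
    dest = (root / sanitize_filename(untrusted)).resolve()
    # Belt and braces: even if sanitization regressed, refuse anything outside root.
    if root not in dest.parents:
        raise ValueError(f"{dest} escapes {root}")
    return dest


def demo() -> dict:
    """Run constructed attacker-style names through the sanitizer."""
    probes = [
        "holiday.jpg",               # benign
        "/./",                       # the pattern named in the advisory
        "../../etc/passwd",          # POSIX traversal
        "..\\..\\Windows\\win.ini",  # Windows traversal
        "photo.jpg\x00.exe",         # NUL truncation trick
        "...",                       # dots only
        ".htaccess",                 # hidden / server config file
        "my photo (1).png",          # spaces and punctuation
    ]
    out = {}
    for probe in probes:
        try:
            out[probe] = sanitize_filename(probe)
        except ValueError:
            out[probe] = "rejected"
    return out


if __name__ == "__main__":
    for probe, result in demo().items():
        print(f"{probe!r:30} -> {result}")
```

The two functions deliberately overlap: `sanitize_filename` decides what the name may look like, while `safe_destination` checks the resolved path against the resolved root so that a future change to the allow-list cannot silently reintroduce traversal.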

New ransomware group Hive leaks Altus group sample files

Security Affairs

On June 14th, Altus Group, a commercial real estate software solutions firm, disclosed a security breach; the Hive ransomware gang has now leaked its files online. The sample archive is password protected, but the file names and types are clearly visible.

BlackCocaine Ransomware, a new malware in the threat landscape

Security Affairs

“The WHOIS information for the domain reveals that the domain of the BlackCocaine ransomware was registered on May 28, 2021” The researchers reported that a file named a.BlackCocaine was recently submitted to different public sandboxes.

Proactively Protecting Your Sensitive Information for Remote Workers

AIIM

This strategy can help keep project files organized among team members and aid in the disposition of documents once a project has been completed. Content on an employee’s workstation can be discovered by examining metadata criteria such as file name, type, or age.

Introducing the PhishingKitTracker

Security Affairs

Almost every file in the raw folder is malicious, so I strongly recommend that you neither open these files nor misuse the code to prank your friends. NB: Large File System ahead. This folder is tracked using Git Large File System since many files are bigger than 100MB.

Microsoft warns of Dexphot miner, an interesting polymorphic threat

Security Affairs

Layers of obfuscation, encryption, and the use of randomized file names hid the installation process. Polymorphic techniques involve frequently changing identifiable characteristics like file names and types, encryption keys and other artifacts.

BlackWater, a malware that uses Cloudflare Workers for C2 Communication

Security Affairs

Researchers from MalwareHunterTeam discovered a suspicious RAR file named “COVID-19-” that was being distributed online, likely through phishing emails. The RAR archive contains a file named “Important – COVID-19” that displays a Word icon.

A new Shamoon 3 sample uploaded to VirusTotal from France

Security Affairs

In an attempt to deceive victims, the attackers used the internal file name “Baidu PC Faster” and “Baidu WiFi Hotspot Setup” in the description of the file. “As observed in previous Shamoon samples the internal file name invokes a known PC tool, likely as a lure to allay initial user suspicion.”

South Korea suffers from the spread of people infected with Corona 19

Security Affairs

The malware found is an executable program (EXE) using file names such as ‘Corona’s domestic status’ and ‘Corona’s real-time corona status.’

B0r0nt0K ransomware demands $75,000 ransom to the victims

Security Affairs

The ransomware encrypts all files and renames them by appending the .rontok extension to the file names. According to the popular malware researcher Michael Gillespie, when the B0r0nt0K ransomware encrypts a file it will base64-encode the encrypted data. “The file’s name will also be renamed by encrypting the filename, base64 encoding it, url encoding it, and finally appending the .rontok extension to the new file name.”
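Several entries on this page turn on what an appended extension actually means: STRRAT appends .crimson to files it never encrypts, while DeadBolt, Macaw Locker and B0r0nt0K replace the contents with ciphertext (B0r0nt0K additionally base64-encodes it). An incident responder wants to know which case they are looking at before restoring from backup or paying attention to a ransom note. The following is an added example, not code from any of the cited reports, that classifies a renamed file by checking whether a known file signature survives under the ransom extension and, failing that, measuring the entropy of the leading bytes. The extension list, signature table, 7.5 bits/byte threshold and sample files are assumptions constructed for the demonstration.

```python
import base64
import math
import os
import re
import tempfile
from collections import Counter

# Extensions this page reports being appended to victims' files. STRRAT appends
# .crimson without encrypting anything; the others accompany real encryption.
RANSOM_EXTENSIONS = {".crimson", ".deadbolt", ".nightsky", ".macaw", ".rontok"}

# A few well-known file signatures (assumed sufficient for the demonstration).
MAGIC = {
    b"%PDF": "pdf",
    b"\x89PNG": "png",
    b"PK\x03\x04": "zip/ooxml",
    b"\xd0\xcf\x11\xe0": "ole2 (legacy office)",
}

_B64_BODY = re.compile(rb"^[A-Za-z0-9+/=\r\n]+$")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: English text sits around 4-5, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: str, sample_size: int = 4096, threshold: float = 7.5) -> str:
    """Return 'untouched', 'renamed_only' or 'encrypted' for one file."""
    _, ext = os.path.splitext(path)
    if ext.lower() not in RANSOM_EXTENSIONS:
        return "untouched"
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    # A recognizable header beneath a ransom extension means the bytes are intact.
    if any(head.startswith(sig) for sig in MAGIC):
        return "renamed_only"
    # B0r0nt0K base64-armors its ciphertext; undo that before measuring, otherwise
    # base64 text tops out near 6 bits/byte and would look unencrypted.
    if _B64_BODY.match(head):
        body = re.sub(rb"[\r\n]", b"", head)
        body = body[: len(body) - len(body) % 4]
        try:
            head = base64.b64decode(body, validate=True)
        except ValueError:
            pass
    return "encrypted" if shannon_entropy(head) >= threshold else "renamed_only"


def demo() -> dict:
    """Write constructed samples to a temp dir and classify each one."""
    samples = {
        # STRRAT-style: PDF bytes intact, only the name changed.
        "report.pdf.crimson": b"%PDF-1.4\n" + b"Quarterly figures, see table 1.\n" * 120,
        # DeadBolt-style: contents replaced by ciphertext (os.urandom stands in for it).
        "report.pdf.deadbolt": os.urandom(4096),
        # B0r0nt0K-style: ciphertext, then base64 wrapped at 76 columns.
        "report.pdf.rontok": base64.encodebytes(os.urandom(4096)),
        # A text file given a ransom extension with no encryption behind it.
        "todo.txt.macaw": b"buy milk\ncall bob\n" * 200,
        # Not touched at all.
        "todo.txt": b"buy milk\n",
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(content)
            results[name] = classify(path)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {verdict}")
```

Entropy alone misleads in both directions: compressed formats (zip, modern Office, JPEG) are near 8 bits/byte even when intact, which is why the signature check runs first, and base64-armored ciphertext reads as roughly 6 bits/byte until decoded. Any "renamed_only" verdict should still be confirmed by opening the file with its original extension restored on an isolated machine.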

Emsisoft released a new free decryption tool for the Avest ransomware

Security Affairs

The Avest ransomware encrypts victims’ files and appends the extension “ckey().email().pack14”. Victims should run the decryption tool only after they have successfully removed the malware from their systems; otherwise the Avest ransomware could repeatedly lock the machine or encrypt files again.

Magnat malvertising campaigns spreads malicious Chrome extensions, backdoors and info stealers

Security Affairs

The installer has many different file names. Experts spotted a series of malvertising campaigns using fake installers of popular apps and games to deliver a backdoor and a malicious Chrome extension.

Hacker breached Perceptics, a US maker of license plate readers

Security Affairs

Last week, a hacker who goes by the moniker ‘Boris Bullet-Dodger’ reported the hack to The Register, showing it a list of files as proof of the attack. The hacker stole hundreds of gigabytes of files along with Microsoft Exchange and Access databases, ERP databases, HR records, and Microsoft SQL Server data stores. “The file names and accompanying directories – numbering almost 65,000 – fit with the focus of the surveillance technology biz.”

Japanese computers hit by a wiper malware ahead of 2021 Tokyo Olympics

Security Affairs

Japanese researchers spotted an Olympics-themed wiper targeting Japanese users ahead of the 2021 Tokyo Olympics. Experts noticed that the file had been uploaded to VirusTotal from France; at the time of its discovery it was detected by multiple antivirus products as a generic threat.

Chinese cyberspies used a new PlugX variant, dubbed THOR, in attacks against MS Exchange Servers

Security Affairs

In the attacks investigated by Palo Alto Networks, the APT group leveraged legitimate executables such as BITSAdmin to download an innocuous file named Aro.dat from a GitHub repository under the control of the threat actors.

Crooks bypass a Microsoft Office patch for CVE-2021-40444 to spread Formbook malware

Security Affairs

CVE-2021-40444 is a remote code execution flaw in the MSHTML browser engine used by Microsoft Office documents. The campaigns observed in August 2021 employed emails impersonating contracts and legal agreements; the messages used documents that were hosted on file-sharing sites.

New KilllSomeOne APT group leverages DLL side-loading

Security Affairs

The name KilllSomeOne comes from the phrase ‘KilllSomeOne’ used in the DLL side-loading attacks; the group uses poorly written English messages relating to political subjects. “In both of these cases, the payload is stored in the file named Groza_1.dat.”

Microsoft Vancouver leaking website credentials via overlooked DS_STORE file

Security Affairs

CyberNews researchers discovered a Desktop Services Store (DS_STORE) file left on a publicly accessible web server that belongs to Microsoft Vancouver.

ToxicEye RAT exploits Telegram communications to steal data from victims

Security Affairs

Threat actors behind ToxicEye spread the RAT via phishing emails containing a malicious .exe file. Researchers noticed that the ToxicEye RAT configuration file includes a Telegram bot token that is compiled into the executable.

Hades ransomware gang targets big organizations in the US

Security Affairs

Experts noticed that each Hades ransomware sample uses a different extension for the files it encrypts and drops a ransom note with the file name “HOW-TO-DECRYPT-[extension].txt”.

Crackonosh Monero miner made $2M after infecting 222,000 Win systems

Security Affairs

Upon rebooting the system, Crackonosh scans for antivirus software and attempts to disable it; the malware also wipes system log files. It knows the names of the folders where those products are installed, and finally it deletes %PUBLIC%\Desktop.

Gootkit delivery platform Gootloader used to deliver additional payloads

Security Affairs

“And if that same site visitor clicks the “direct download link” provided on this page, they receive a .zip archive file with a filename that exactly matches the search query terms used in the initial search, which itself contains another file named in precisely the same way.”

REvil gang threatens to release intimate pictures of celebs who are customers of The Hospital Group

Security Affairs

We pumped out about 600 gb of the most important documents, personal data of customers, as well as intimate photos of these customers (this is not a completely pleasant sight:))” The ransomware gang plans to post the first batch of files, named “Pacient Personal – 20??

New Cyber Attack Campaign Leverages the COVID-19 Infodemic

Security Affairs

During our Threat Intelligence activities we noticed a suspicious artifact named “CoronaVirusSafetyMeasures_pdf”, so, intrigued by its name and by its recent submission on Yomi Hunter (LINK), we decided to deep dive into it.

Announcing PSIsafe 12 with Advanced Indexing & Search Functionality

Document Imaging Report

Other document management software applications act like electronic filing cabinets and you can only search based on keywords located in document file names. Auto-generate file names from document metadata.