
PLAYFULGHOST backdoor supports multiple information stealing features

Security Affairs

“Mandiant observed a second, more sophisticated execution scenario which begins with a Windows LNK file named QQLaunch.lnk. This LNK file combines a text file named h, which contains the characters “MZ”, and a second file t, which contains the rest of the PE payload, to construct a new malicious DLL named libcurl.dll.”


Threat actors attempted to capitalize CrowdStrike incident

Security Affairs

The attackers attempted to trick the company’s customers into opening a ZIP archive file named “crowdstrike-hotfix.zip.” “The archive includes a loader named Hijack Loader used to execute the Remcos RAT,” reads the report published by Kaspersky.


Qakbot operations continue to evolve to avoid detection

Security Affairs

“Most recently, threat actors have transformed their techniques to evade detection by using ZIP file extensions, enticing file names with common formats, and Excel (XLM) 4.0.” ThreatLabz reported that the attackers are using various different file names to disguise attachments designed to deliver Qakbot.


CERT-UA warns of a phishing campaign targeting government entities

Security Affairs

Threat actors sent out emails impersonating the Security Service of Ukraine (SSU) and containing a link to download a file named “Documents.zip.” Upon clicking the link, an MSI file is downloaded. If the recipient then opens this file, the ANONVNC malware, tracked as MESHAGENT, is executed.


New COVID19 wiper overwrites MBR making computers unusable

Security Affairs

“Upon execution, the wiper drops a series of helper files into a temporary folder, including a BAT file named “coronovirus Installer,” which is responsible for most of the setup work. The BAT file creates a hidden folder named COVID-19, then moves the dropped files to it,” continues the analysis.


Nemty ransomware “LOVE_YOU” malspam campaign

Security Affairs

“Attached to each email is a ZIP archive with a name formatted as with only the #s changing,” reads the advisory published by IBM X-Force IRIS. “The hash of the file contained within each of these archives remains the same and is associated with a highly obfuscated JavaScript file named LOVE_YOU.”


STRRAT RAT spreads masquerading as ransomware

Security Affairs

The Java-based STRRAT RAT was distributed in a massive spam campaign; the malware shows ransomware-like behavior, appending the file name extension .crimson to files without actually encrypting them. The latest version of the Java-based STRRAT malware (1.5) was seen being distributed in a massive email campaign last week.