Malware - 2022 (119)

| Date | Category | Description |
|---|---|---|
| 9.7.22 | Raspberry | Raspberry Robin is a spreading threat that uses specifically crafted Microsoft shortcut (LNK) files to infect its victims. Cybereason observed delivery through file archives, removable devices (USB) or ISO files. |
| 7.7.22 | Linux | BPFDoor is a passive backdoor used by a China-based threat actor. This backdoor supports multiple protocols for communicating with a C2, including TCP, UDP and ICMP, allowing the threat actor a variety of mechanisms to interact with the implant. |
| 7.7.22 | Linux | Symbiote, a new "nearly impossible to detect" Linux malware, targeted financial sectors in Latin America, and the threat actors behind it might have links to Brazil. These findings were revealed in a recent report, a joint effort between the BlackBerry Research Team and Dr. Joakim Kennedy, a security researcher with Intezer. |
| 1.7.22 | Backdoor | Following on from our earlier Owowa discovery, we continued to hunt for more backdoors potentially set up as malicious modules within IIS, a popular web server developed by Microsoft. And we didn't come back empty-handed. |
| 29.6.22 | Stealer | YTStealer Malware: "YouTube Cookies! Om Nom Nom Nom" |
| 28.6.22 | RAT | A never-before-seen remote access trojan dubbed ZuoRAT has been singling out small office/home office (SOHO) routers as part of a sophisticated campaign targeting North American and European networks. |
| 28.6.22 | Malware | In June 2022, a new Android banking trojan was discovered by the Cleafy TIR team. Given the lack of information and the absence of a proper name for this malware family, we decided to dub it Revive to better track it in our internal Threat Intelligence taxonomy. |
| 27.6.22 | Malware loader | Recently, Cyble Research Labs came across a Twitter post in which a researcher observed this malware spreading through spam campaigns. Additionally, it downloads Cobalt Strike Beacons as payloads onto compromised systems. |
| 25.6.22 | Crypto-Mining | The Cybereason GSOC Managed Detection and Response (MDR) Team is investigating a series of recent infections with the LemonDuck malware. |
| 25.6.22 | Backdoor | The Cybereason GSOC Managed Detection and Response (MDR) Team is investigating a series of recent infections that use the SolarMarker backdoor. |
| 25.6.22 | Ransomware | In this Threat Analysis Report, the GSOC investigates the PYSA ransomware. PYSA came to attention earlier this year when the Federal Bureau of Investigation (FBI) reported on the ransomware's increased activity and highly damaging impact. |
| 25.6.22 | Stealer | This report provides an overview of the key information-stealing features of the Snake malware and discusses similarities that we discovered in the staging mechanisms of samples from Snake and two common information-stealing malware programs, FormBook and Agent Tesla. |
| 25.6.22 | Backdoor | Towards the end of 2021, multiple attacks were carried out exploiting the notorious Microsoft Exchange Server vulnerabilities chained together and referred to as ProxyShell, which ultimately enabled multiple threat actors to deploy malware on their targets' networks. There have been several reports detailing the exploitation of these vulnerabilities by Iranian state-sponsored threat actors, among them the Phosphorus APT group carrying out ransomware attacks. |
| 25.6.22 | RAT | Following recently published research detailing the group's TTPs, including their main tools "PyDcrypt" and "DCSrv", the Cybereason Nocturnus team discovered a previously unidentified Remote Access Trojan (RAT) in the Moses Staff arsenal, dubbed StrifeWater. |
| 16.6.22 | Rootkit/Backdoor | Modern Sality variants also have the ability to communicate over a peer-to-peer (P2P) network, allowing an attacker to control a botnet of Sality-infected machines. |
| 14.6.22 | Linux | Rootkits are dangerous pieces of malware. Once in place, they are usually very hard to detect. Their code is typically more challenging to write than other malware, so developers resort to reusing code from open-source projects. |
| 14.6.22 | RAT | Warzone aims to be the Remote Access Trojan (RAT) of choice for aspiring miscreants on a budget. It is sold on a publicly available website, as opposed to on the dark web, as a Malware-as-a-Service (MaaS) subscription-based platform. |
| 14.6.22 | Keylogger | Snake Keylogger is a malware developed using .NET. It first appeared in late 2020 and focuses on stealing sensitive information from a victim's device, including saved credentials, the victim's keystrokes, screenshots of the victim's screen, and clipboard data. |
| 14.6.22 | RAT | Arkei Infostealer Expands Reach Using SmokeLoader to Target Crypto Wallets and MFA |
| 14.6.22 | Linux | A Trojan for Linux intended to infect machines with the SPARC architecture and Intel x86 and x86-64 computers. The Trojan's configuration data is stored in a file encrypted with an XOR algorithm. |
| 14.6.22 | RAT | PureCrypter has been growing in popularity, with a number of information stealers and remote access trojans (RATs) being deployed by it. ThreatLabz has observed PureCrypter being used to distribute the following malware families: |
| 14.6.22 | Android/iOS | How SeaFlower 藏海花 installs backdoors in iOS/Android web3 wallets to steal your seed phrase |
| 14.6.22 | Malware | Unit 42 recently identified a new, difficult-to-detect remote access trojan named PingPull being used by GALLIUM, an advanced persistent threat (APT) group. |
| 14.6.22 | Malware | Open-source lightweight backdoor for C2 communication. |
| 6.6.22 | Malware | A previously unknown malware loader named SVCReady has been discovered in phishing attacks, featuring an unusual way of loading the malware from Word documents onto compromised machines. |
| 5.6.22 | Malware espionage | An "extremely sophisticated" Chinese-speaking advanced persistent threat (APT) actor dubbed LuoYu has been observed using a malicious Windows tool called WinDealer that is delivered by means of man-on-the-side attacks. |
| 4.6.22 | Malware | FAKEUPDATES is a downloader written in JavaScript that communicates via HTTP. Supported payload types include executables and JavaScript. It writes the payloads to disk prior to launching them. |
| 31.5.22 | Malware | Rapidly evolving IoT malware EnemyBot now targeting Content Management System servers and Android devices |
| 29.5.22 | Malware | ChromeLoader might seem like a run-of-the-mill browser hijacker, but its peculiar use of PowerShell could spell deeper trouble. |
| 29.5.22 | Malware | Lowering the Barrier of Entry for Malicious Actors. Free-to-use browser automation framework creates a thriving criminal community. |
| 20.5.22 | Linux | XorDdos illustrates the trend of malware increasingly targeting Linux-based operating systems, which are commonly deployed on cloud infrastructure and Internet of Things (IoT) devices. By compromising IoT and other internet-connected devices, XorDdos amasses botnets that can be used to carry out distributed denial-of-service (DDoS) attacks. |
| 20.5.22 | Android Spyware | Google's Threat Analysis Group (TAG) on Thursday pointed fingers at a North Macedonian spyware developer named Cytrox for developing exploits against five zero-day (aka 0-day) flaws, four in Chrome and one in Android, to target Android users. |
| 20.5.22 | Malware | The North Korea-backed Lazarus Group has been observed leveraging the Log4Shell vulnerability in VMware Horizon servers to deploy the NukeSped (aka Manuscrypt) implant against targets located in its southern counterpart. |
| 20.5.22 | Malware | In April 2022, ThreatLabz discovered several newly registered domains, which were created by a threat actor to spoof the official Microsoft Windows 11 OS download portal. We discovered these domains by monitoring suspicious traffic in our Zscaler cloud. |
| 20.5.22 | SQL Malware | Microsoft on Tuesday warned that it recently spotted a malicious campaign targeting SQL Servers that leverages a built-in PowerShell binary to achieve persistence on compromised systems. |
| 18.5.22 | Android | Fake Mobile Apps Steal Facebook Credentials, Cryptocurrency-Related Keys |
| 14.5.22 | Backdoor | Researchers from Malwarebytes and Fortinet FortiGuard Labs attributed the campaign to an Iranian cyber espionage threat actor tracked under the moniker APT34, citing resemblances to past campaigns staged by the group. |
| 12.5.22 | RAT | |
| 12.5.22 | RAT | The newly identified Nerbian RAT leverages multiple anti-analysis components spread across several stages, including multiple open-source libraries. It is written in the operating-system-agnostic Go programming language, compiled for 64-bit systems, and leverages several encryption routines to further evade network analysis. |
| 11.5.22 | Stealer | Cyble Research Labs discovered a new infostealer named Prynt Stealer. The stealer is new on the cybercrime forums and comes with various capabilities. Along with stealing the victim's data, this stealer can also perform financial theft using a clipper and keylogging operations. Additionally, it can target 30+ Chromium-based browsers, 5+ Firefox-based browsers, and a range of VPN, FTP, messaging and gaming apps. |
| 11.5.22 | Stealer | During our routine threat-hunting exercise, Cyble Research Labs came across a C# .NET-based information stealer developed by the Saint gang. The activities of Saintstealer can be traced back as far as November 2021. The file is not packed and has multiple functionalities to steal credentials and system information. |
| 11.5.22 | Malware | Identified by Proofpoint as the threat actor behind the Contact Forms campaign, TA578 also appears to be pushing ISO files for Bumblebee malware through thread-hijacked emails. |
| 10.5.22 | Backdoor | Last week, I found another interesting Word document that delivered an interesting malicious script to potential victims. Usually, Office documents carry VBA macros that are activated using a bit of social engineering (the classic yellow ribbon), but this time the document did not contain any malicious code. |
| 10.5.22 | RAT | DCRat (also known as DarkCrystal RAT) is a commercial Russian backdoor that was first released in 2018, before being redesigned and relaunched a year later. Notably, this threat appears to have been developed and maintained by a single person going by the pseudonyms "boldenis44", "crystalcoder" and Кодер ("Coder"). |
| 10.5.22 | Android | Joker, a repeat offender, refers to a class of harmful apps that are used for billing and SMS fraud, while also performing a number of actions of a malicious hacker's choice, such as stealing text messages, contact lists and device information. |
| 10.5.22 | Stealer | It is established that the mentioned archive contains an SFX file of the same name, which in turn contains the malicious program CredoMap_v2. The difference between this version of the stealer and the previous one is that it uses the HTTP protocol to exfiltrate data. |
| 8.5.22 | Fileless | In February 2022 we observed, for the first time "in the wild", the technique of placing shellcode into Windows event logs during a malicious campaign. It allows the "fileless" last-stage Trojan to be hidden from plain sight in the file system. |
| 8.5.22 | Malware | |
| 8.5.22 | Pay-per-install (PPI) | Pay-per-install (PPI) malware services have been an integral part of the cybercrime ecosystem for a considerable amount of time. A malware operator provides payment, malicious payloads and targeting information, and those responsible for running the service outsource the distribution and delivery. |
| 8.5.22 | Ransomware | |
| 8.5.22 | Ransomware | A .NET-based keylogger and RAT readily available to actors. Logs keystrokes and the host's clipboard and beacons this information back to the C2. |
| 8.5.22 | Malware RAT | |
| 8.5.22 | Malware RAT | RedPacket Security describes NJRat as "a remote access trojan (RAT) [that] has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID." |
| 8.5.22 | Banking Trojan | OxCERT blog describes Dridex as "an evasive, information-stealing malware variant; its goal is to acquire as many credentials as possible and return them via an encrypted tunnel to a Command-and-Control (C&C) server. These C&C servers are numerous and scattered all over the Internet; if the malware cannot reach one server it will try another." |
| 8.5.22 | Malware | |
| 8.5.22 | Bot | A financial Trojan believed to be a derivative of Dyre: the bot uses very similar code, web injects and operational tactics. Has multiple modules, including VNC and SOCKS5 proxy. Uses SSL for C2 communication. |
| 8.5.22 | RAT | Nanocore is a Remote Access Tool used to steal credentials and to spy on cameras. It has been used for a while by numerous criminal actors as well as by nation-state threat actors. |
| 8.5.22 | RAT | Remcos (an acronym of Remote Control & Surveillance Software) is remote access software used to remotely control computers. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. |
| 8.5.22 | Cryptbot | A typical infostealer, capable of obtaining credentials for browsers, cryptocurrency wallets, browser cookies and credit cards, and of taking screenshots of the infected system. All stolen data is bundled into a zip file that is uploaded to the C2. |
| 8.5.22 | Crypt | FormBook contains a unique crypter, RunPE, that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware. |
| 8.5.22 | Bot | Proofpoint describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized, rather than demanding an immediate ransom from victims. |
| 8.5.22 | Malware | |
| 8.5.22 | cryptocurrencies | Raccoon is a stealer and collects "passwords, cookies and autofill from all popular browsers (including FireFox x64), CC data, system information, almost all existing desktop wallets of cryptocurrencies". |
| 8.5.22 | Stealer | Vidar is a forked malware based on Arkei. It seems this stealer is one of the first to grab information on 2FA software and the Tor Browser. |
| 8.5.22 | Stealer | RedLine Stealer is a malware available for sale on underground forums, apparently as a standalone purchase ($100/$150 depending on the version) or on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data and credit card information. |
| 8.5.22 | Backdoor | The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. |
| 8.5.22 | Malware | We recently encountered a fairly sophisticated malware framework that we named NetDooka after the names of some of its components. The framework is distributed via a pay-per-install (PPI) service and contains multiple parts, including a loader, a dropper, a protection driver, and a full-featured remote access trojan (RAT) that implements its own network communication protocol. |
| 5.5.22 | Javascript/Backdoor | A new JavaScript-based remote access Trojan (RAT) propagated via a social engineering campaign has been observed employing sneaky "fileless" techniques as part of its detection-evasion methods to elude discovery and analysis. |
| 5.5.22 | Malware RAT | I haven't really looked into Remcos RAT lately, but I found an email with a password-protected Excel file attached to it. Further investigation revealed Remcos RAT 3.x activity remarkably similar to an infection chain reported by Fortinet last month. Today's diary reviews a Remcos RAT infection in my lab on Wednesday 2022-05-04. |
| 30.4.22 | Malware | Starting in March 2022, Proofpoint observed campaigns delivering a new downloader called Bumblebee. At least three clusters of activity, including known threat actors, currently distribute Bumblebee. |
| 30.4.22 | Malware Stealer | At the start of the year, Bitdefender noticed a RIG Exploit Kit campaign using CVE-2021-26411 exploits found in Internet Explorer to deliver RedLine Stealer, a low-cost password stealer sold on underground forums. |
| 30.4.22 | Malware | The threat group's targeting shift could reflect a change in China's intelligence collection requirements due to the war in Ukraine. |
| 30.4.22 | Malware | Aqua's Team Nautilus found a logical flaw in npm that allows threat actors to masquerade a malicious package as legitimate and trick unsuspecting developers into installing it. |
| 27.4.22 | Malware | GOLDBACKDOOR is an artifact that shares technical overlaps with another malware family named BLUELIGHT, which has previously been linked to the group. |
| 27.4.22 | Malware | A rapidly expanding malware is entrapping routers, DVRs and servers all over the web in order to launch Distributed Denial-of-Service (DDoS) attacks on over 100 victims every day. |
| 27.4.22 | Malware | BotenaGo is a relatively new malware written in Golang, Google's open-source programming language. |
| 23.4.22 | Javascript/Backdoor | More_eggs is a JavaScript backdoor used by the Cobalt group. |
| 18.4.22 | Infostealer, Backdoor | |
| 16.4.22 | Malware Stealer | |
| 16.4.22 | ICS Malware | |
| 16.4.22 | ICS Malware | |
| 14.4.22 | Malware | |
| 14.4.22 | Malware | |
| 14.4.22 | Malware Stealer | |
| 14.4.22 | Malware Stealer | |
| 10.4.22 | Malware RAT | |
| 10.4.22 | Malware | |
| 9.4.22 | Banking Malware | |
| 9.4.22 | Malware | |
| 9.4.22 | Banking Malware | |
| 9.4.22 | Malware | |
| 6.4.22 | Spyware | |
| 6.4.22 | Malware espionage | |
| 6.4.22 | Malware Stealer | |
| 2.4.22 | Data Wiper | |
| 2.4.22 | Data Wiper | |
| 2.4.22 | Data Wiper | |
| 2.4.22 | Data Wiper | |
| 2.4.22 | RAT | |
| 2.4.22 | Crypto Malware | |
| 2.4.22 | Malware | |
| 2.4.22 | Ransomware | |
| 2.4.22 | Malware Stealer | |
| 2.4.22 | Malware Stealer | |
| 2.4.22 | RAT | |
| 2.4.22 | RAT | |
| 2.4.22 | Crypto Malware | |
| 2.4.22 | Malware | |
| 28.3.22 | RAT | |
| 28.3.22 | Backdoor | |
| 1.3.22 | Banking/RAT Malware | |
| 1.3.22 | Destructive Malware | |
| 1.3.22 | Data Wiper | |
| 1.3.22 | Data Wiper | |
| 1.3.22 | DNS Backdoor | |
| 1.3.22 | BotNet | |
| 1.3.22 | Data Wiper | |
| 1.3.22 | Backdoor espionage | |