202 matches found
DarkComet (C2 Server) - File Upload
DarkComet C2 Server - File Upload !/usr/bin/env python3 EDB Note: Source https://gist.github.com/PseudoLaboratories/260b6f24844785aacc1e2fb61dd05c01/259944bd94a0d289ef80b9138c1e3f97a97aa9cd from time import sleep from socket import socket, AFINET, SOCKSTREAM, error from re import search from...
FormBook Malware Targets U.S. Defense Contractors, Aerospace and Manufacturing Sectors
Attackers spreading new malware called FormBook are singling out aerospace firms, defense contractors and some manufacturing organizations in the United States and South Korea. According to researchers at FireEye, FormBook was spotted in several high-volume distribution campaigns targeting the U....
Significant FormBook Distribution Campaigns Impacting the U.S. and South Korea
We observed several high-volume FormBook malware distribution campaigns primarily taking aim at Aerospace, Defense Contractor, and Manufacturing sectors within the U.S. and South Korea during the past few months. The attackers involved in these email campaigns leveraged a variety of distribution...
CCleaner Command and Control Causes Concern
This post was authored by Edmund Brumaghin, Earl Carter, Warren Mercer, Matthew Molyett, Matthew Olney, Paul Rascagneres and Craig Williams.Note: This blog post discusses active research by Talos into a new threat. This information should be considered preliminary and will be updated as research...
[Updated] Infected CCleaner downloads from official servers
Update 9/19/2017: Avast posted a clarification explaining what happened and giving a timeline of the events. One point we should take note of is that the breach preceded the take-over of Piriform by Avast. Users that are unsure whether they were affected by this and whether their data may have be...
Threat Round-up for July 28 - August 4
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 28 and August 04. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristic...
HawkEye Credential Theft Malware Distributed in Recent Phishing Campaign
A wide variety of threat actors began distributing HawkEye malware through high-volume email campaigns after it became available for purchase via a public-facing website. The actors behind the phishing campaigns typically used email themes based on current events and media reports that would piqu...
New Point-of-Sale Malware LockPoS Hitches Ride with FlokiBot
Botnets distributing FlokiBot point-of-sale malware have awoken from months of slumber and are back in business spewing a new malware dubbed LockPoS. Researchers say the malware is still flying under the radar of many antivirus and intrusion detection systems because it’s so new. Currently, LockP...
SambaCry exploit analysis-exploit warning-the black bar safety net
“2017 5 May 24, Samba released a 4. 6. 4 version, in the middle fix a serious remote code execution vulnerability, the vulnerability number CVE-2017-7494, the vulnerability affects Samba 3.5.0 after to 4. 6. 4/4. 5. 10/4. 4. 14 in the middle of all versions. SambaCry vulnerability is a scale spre...
Dridex and Locky Return Via PDF Attachments in Latest Campaigns
Dridex and Locky, two prolific malware families that made waves in 2016 after being distributed in several high-volume spam campaigns, have returned after a brief hiatus. FireEye observed a decline in the volume of Dridex and Locky in the latter half of 2016, but we recently observed two new larg...
FIN7 Evolution and the Phishing LNK
FIN7 is a financially-motivated threat group that has been associated with malicious operations dating back to late 2015. FIN7 is referred to by many vendors as “Carbanak Group”, although we do not equate all usage of the CARBANAK backdoor with FIN7. FireEye recently observed a FIN7 spear phishin...
FIN7 Evolution and the Phishing LNK
FIN7 is a financially-motivated threat group that has been associated with malicious operations dating back to late 2015. FIN7 is referred to by many vendors as “Carbanak Group”, although we do not equate all usage of the CARBANAK backdoor with FIN7. FireEye recently observed a FIN7 spear phishin...
Wave of Java-Based RATs Target Tax Filers
Spammers are spreading Java-based remote access Trojans, known as jRATs, targeting tax filers with attachments named “IRS Updates.jar” and “ImportantPDF.jar” that, if executed, give attackers access to compromised endpoints. Zscaler, which is tracking the jRATs, believes some of the campaigns cou...
PoshC2 - Powershell C2 Server and Implants
PoshC2 is a proxy aware C2 framework written completely in PowerShell to aid penetration testers with red teaming, post-exploitation and lateral movement. The tools and modules were developed off the back of our successful PowerShell sessions and payload types for the Metasploit Framework...
Cerber: Analyzing a Ransomware Attack Methodology To Enable Protection
Ransomware is a common method of cyber extortion for financial gain that typically involves users being unable to interact with their files, applications or systems until a ransom is paid. Accessibility of cryptocurrency such as Bitcoin has directly contributed to this ransomware model. Based on...
RuMMS: The Latest Family of Android Malware Attacking Users in Russia Via SMS Phishing
Introduction Recently we observed an Android malware family being used to attack users in Russia. The malware samples were mainly distributed through a series of malicious subdomains registered under a legitimate domain belonging to a well-known shared hosting service provider in Russia. Because...
RuMMS: The Latest Family of Android Malware Attacking Users in Russia Via SMS Phishing
Introduction Recently we observed an Android malware family being used to attack users in Russia. The malware samples were mainly distributed through a series of malicious subdomains registered under a legitimate domain belonging to a well-known shared hosting service provider in Russia. Because...
Rovnix Variant Surfaces With New DGA
Researchers have unearthed a new version of the Rovnix malware that has a couple of additional features, including a new domain generation algorithm and a secure transmission channel for communicating with the command-and-control servers. Rovnix is a malware variant that often has been distribute...
Salesforce Warns Customers of Dyreza Banker Trojan Attacks
Salesforce.com is warning its customers that the Dyreza banker Trojan is now believed to be targeting some of the company’s users. The Trojan, which has the ability to bypass SSL, typically goes after customers of major banks, but seems to be expanding its reach. Dyreza is relatively new among th...
DGA Changer Malware Able to Modify Domain-Generation Seed on the Fly
Malware authors have been using domain-generation algorithms for a few years now, often in botnet-related malware that needs to stay one step ahead of takedown attempts and law enforcement agencies. Now, researchers have discovered that a strain of malware that may have been part of the attack in...