Horns&Hooves campaign delivers NetSupport RAT and BurnsRAT
Recent months have seen a surge in mailings with lookalike email attachments in the form of a ZIP archive containing JScript scripts. The script files – disguised as requests and bids from potential customers or partners – bear names such as "Запрос цены и предложения от Индивидуального...
Iranian Group Tortoiseshell Launches New Wave of IMAPLoader Malware Attacks
The Iranian threat actor known as Tortoiseshell has been attributed to a new wave of watering hole attacks that are designed to deploy a malware dubbed IMAPLoader. "IMAPLoader is a .NET malware that has the ability to fingerprint victim systems using native Windows utilities and acts as a...
WinRAR Remote Code Execution
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'zip' class MetasploitModule 'WinRAR CVE-2023-38831 Exploit', 'Description' => %q This module exploits a vulnerability in WinRAR CVE-2023-38831. When a user opens...
New Attack Alert: Freeze[.]rs Injector Weaponized for XWorm Malware Attacks
Malicious actors are using a legitimate Rust-based injector called Freeze.rs to deploy a commodity malware called XWorm in victim environments. The novel attack chain, detected by Fortinet FortiGuard Labs on July 13, 2023, is initiated via a phishing email containing a booby-trapped PDF file. It...
MULTI#STORM Campaign Targets India and U.S. with Remote Access Trojans
A new phishing campaign codenamed MULTI#STORM has set its sights on India and the U.S. by leveraging JavaScript files to deliver remote access trojans on compromised systems. "The attack chain ends with the victim machine infected with multiple unique RAT (remote access trojan) malware instances, su...
Iranian Hackers Launch Sophisticated Attacks Targeting Israel with PowerLess Backdoor
An Iranian nation-state threat actor has been linked to a new wave of phishing attacks targeting Israel that's designed to deploy an updated version of a Windows backdoor called PowerLess. Cybersecurity firm Check Point is tracking the activity cluster under its mythical creature handle Educated...
New 'Bad Magic' Cyber Threat Disrupts Ukraine's Key Sectors Amid War
Amid the ongoing war between Russia and Ukraine, government, agriculture, and transportation organizations located in Donetsk, Lugansk, and Crimea have been attacked as part of an active campaign that drops a previously unseen, modular framework dubbed CommonMagic. "Although the initial vector of...
Threat Actors Adopt Havoc Framework for Post-Exploitation in Targeted Attacks
An open source command-and-control (C2) framework known as Havoc is being adopted by threat actors as an alternative to other well-known legitimate toolkits like Cobalt Strike, Sliver, and Brute Ratel. Cybersecurity firm Zscaler said it observed a new campaign in the beginning of January 2023...
Chinese Hackers Target Government Officials in Europe, South America, and Middle East
A Chinese hacking group has been attributed to a new campaign aimed at infecting government officials in Europe, the Middle East, and South America with a modular malware known as PlugX. Cybersecurity firm Secureworks said it identified the intrusions in June and July 2022, once again demonstrati...
State-backed hacking group from China is targeting the Russian military
In an unexpected turn of events, research has surfaced about a Chinese APT (advanced persistent threat) group targeting the Russian military in recent cyberattacks. Tracked as Bronze President, Mustang Panda, RedDelta, and TA416, the group has focused mainly on Southeast Asian targets—and more...
Macrome - Excel Macro Document Reader/Writer For Red Teamers And Analysts
An Excel Macro Document Reader/Writer for Red Teamers & Analysts. Blog posts describing what this tool actually does can be found here and here. Installation / Building Clone or download this repository, the tool can then be executed using dotnet - for example: dotnet run -- build --decoy-documen...
Cybercriminals Have a Heyday with WinRAR Bug in Fresh Campaigns
A recently discovered vulnerability in the WinRAR file archival utility has been exploited in a slew of new campaigns, including one with a never-before-seen payload. The flurry of activity shows no sign of waning as cybercriminals continue to find success exploiting the bug. The campaigns take...
TAU Threat Intelligence Notification: Operation SharpShooter
Operation Sharpshooter leverages an embedded shellcode as an in-memory implant to download and retrieve a second-stage implant, which is known as Rising Sun. Rising Sun uses source code from the Duuzer backdoor that has been used in a past campaign of the Lazarus group. This newly discovered campaig...
Latest Sofacy Campaign Targeting Security Researchers
Sofacy, the Russian-speaking APT group connected to interference in the 2016 U.S. presidential election, has been targeting researchers, admins and others interested in cybersecurity. Cisco’s security research arm Talos published a report on Sunday describing a campaign linked to Sofacy, also kno...
New KONNI Campaign References North Korean Missile Capabilities
This blog was authored by Paul Rascagneres. Executive Summary: We recently wrote about the KONNI Remote Access Trojan (RAT), which has been distributed by a small number of campaigns over the past 3 years. We have identified a new distribution campaign which took place on 4th July. The malware used in...
Word 0day vulnerability exposed: no need to enable macros, opening the document automatically installs a malicious program - vulnerability warning - the black bar safety net
In fact, using Word macros to distribute malicious programs is the conventional method today, so many people choose to disable macros. But if disabling macros is useless, the danger posed by such a malicious Word document is quite different. Recently, McAfee and FireEye security...
APT Group Sends Spear Phishing Emails to Indian Government Officials
Introduction On May 18, 2016, FireEye Labs observed a suspected Pakistan-based APT group sending spear phishing emails to Indian government officials. This threat actor has been active for several years and conducting suspected intelligence collection operations against South Asian political and...
CVE-2016-4117: Flash Zero-Day Exploited in the Wild
On May 8, 2016, FireEye detected an attack exploiting a previously unknown vulnerability in Adobe Flash Player (CVE-2016-4117) and reported the issue to the Adobe Product Security Incident Response Team (PSIRT). Adobe released a patch for the vulnerability in APSB16-15 just four days later. Attackers...
Command and Control Used in Sanny APT Attacks Shut Down
Two message boards used by the Sanny malware as a command-and-control channel have been shut down by the Korea Information Security Agency in conjunction with security company FireEye. Sanny is a targeted attack, attributed to attackers in Korea, against individuals working in Russia’s aerospace,...