22 matches found

Talos Blog
added 2024/10/24 10:00 a.m., 15 views

Talos IR trends Q3 2024: Identity-based operations loom large

Threat actors are increasingly conducting identity-based attacks across a range of operations that are proving highly effective, with credential theft being the main goal in a quarter of incident response engagements. These attacks were primarily facilitated by living-off-the-land binaries LoLBin...

AI score: 8.2 | EPSS: 0.2677 | Exploits: 0
Kitploit
added 2024/05/11 12:30 p.m., 36 views

LOLSpoof - An Interactive Shell To Spoof Some LOLBins Command Line

LOLSpoof is an interactive shell program that automatically spoofs the command line arguments of the spawned process. Just call your incriminating-looking command line LOLBin, e.g. powershell -w hidden -enc ZwBlAHQALQBwAHIAbwBjAGUA.... and LOLSpoof will ensure that the process creation telemetry...

AI score: 7.7 | Exploits: 0 | References: 1
The Hacker News
added 2024/04/02 11:00 a.m., 49 views

China-linked Hackers Deploy New 'UNAPIMON' Malware for Stealthy Operations

A threat activity cluster tracked as Earth Freybug has been observed using a new malware called UNAPIMON to fly under the radar. "Earth Freybug is a cyberthreat group that has been active since at least 2012 that focuses on espionage and financially motivated activities," Trend Micro security...

AI score: 7.8 | Exploits: 0
Talos Blog
added 2023/02/10 6:55 p.m., 18 views

Talos Takes 128: Year in Review - Ransomware and Commodity Loaders Edition

We're back with the final year-in-review focused episode. This time the focus is on the ever-broadening ransomware landscape and the commodity malware loaders that often support it. I'll be joined by one of the researchers from the year in review report, Aliza Johnson, to talk about what we saw on t...

AI score: 1.7 | Exploits: 0
Talos Blog
added 2023/01/27 9:43 p.m., 19 views

Talos Takes 126: Year in Review - Threat Landscape Edition

We're back with another year-in-review focused episode. This time the focus will be the threat landscape generally, and I'll be joined by threat researcher Caitlin Huey. In this episode we'll discuss what we found in the last year, with a focus on the general threat landscape. We'll spend time...

AI score: 0.1 | Exploits: 0
The Hacker News
added 2022/09/14 2:04 p.m., 81 views

Lorenz Ransomware Exploits Mitel VoIP Systems to Breach Business Networks

The operators behind the Lorenz ransomware operation have been observed exploiting a now-patched critical security flaw in Mitel MiVoice Connect to obtain a foothold into target environments for follow-on malicious activities. "Initial malicious activity originated from a Mitel appliance sitting...

CVSS: 10 | AI score: 1.4 | EPSS: 0.56693 | Exploits: 0
The Hacker News
added 2022/09/08 5:38 a.m., 55 views

Microsoft Warns of Ransomware Attacks by Iranian Phosphorus Hacker Group

Microsoft's threat intelligence division on Wednesday assessed that a subgroup of the Iranian threat actor tracked as Phosphorus is conducting ransomware attacks as a "form of moonlighting" for personal gain. The tech giant, which is monitoring the activity cluster under the moniker DEV-0270 aka...

AI score: 1.1 | Exploits: 0
Microsoft Malware Protection
added 2022/09/07 9:00 p.m., 109 views

Profiling DEV-0270: PHOSPHORUS’ ransomware operations

Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS. Microsoft assesses with moderate confidence that DEV-0270 conducts malicious network operations,...

CVSS: 9.3 | AI score: 0.7 | EPSS: 0.99999 | Exploits: 427
Microsoft Malware Protection
added 2022/08/18 5:00 p.m., 11 views

Hardware-based threat defense against increasingly complex cryptojackers

Even with the dip in the value of cryptocurrencies in the past few months, cryptojackers – trojanized coin miners that attackers distribute to use compromised devices’ computing power for their objectives – continue to be widespread. In the past several months, Microsoft Defender Antivirus detect...

AI score: 0.3 | Exploits: 0
The Hacker News
added 2022/06/24 5:24 a.m., 44 views

New 'Quantum' Builder Lets Attackers Easily Create Malicious Windows Shortcuts

A new malware tool that enables cybercriminal actors to build malicious Windows shortcut .LNK files has been spotted for sale on cybercrime forums. Dubbed Quantum Lnk Builder, the software makes it possible to spoof any extension and choose from over 300 icons, not to mention support UAC and...

AI score: 7.1 | Exploits: 0
Qualys Blog
added 2022/02/08 11:24 a.m., 57 views

LolZarus: Lazarus Group Incorporating Lolbins into Campaigns

Qualys Threat Research has identified a new Lazarus campaign using employment phishing lures targeting the defence sector. The identified variants target job applicants for Lockheed Martin. This blog details the markers of this campaign, including macro content, campaign flow and phishing themes ...

AI score: 0.1 | Exploits: 0
ThreatPost
added 2022/02/01 2:00 p.m., 57 views

Living Off the Land: How to Defend Against Malicious Use of Legitimate Utilities

Living-off-the-land binaries (LOLBins) are no joke: cyberattackers have been increasingly making use of them to hide their malicious work from security solutions. It's time for threat hunters and IT security staff to familiarize themselves with how these are used in the attack chains of some of the...

AI score: 8.6 | Exploits: 0 | References: 12
Microsoft Secure
added 2021/03/09 5:00 p.m., 20 views

Azure LoLBins: Protecting against the dual use of virtual machine extensions

Azure Defender for Resource Manager offers unique protection by automatically monitoring the resource management operations in your organization, whether they're performed through the Azure portal, Azure REST APIs, Azure CLI, or other Azure programmatic clients. In this blog, we will look into the...

AI score: 8 | Exploits: 0
Microsoft Malware Protection
added 2021/03/09 5:00 p.m., 24 views

Azure LoLBins: Protecting against the dual use of virtual machine extensions

Azure Defender for Resource Manager offers unique protection by automatically monitoring the resource management operations in your organization, whether they're performed through the Azure portal, Azure REST APIs, Azure CLI, or other Azure programmatic clients. In this blog, we will look into the...

AI score: 8 | Exploits: 0
Talos Blog
added 2020/07/08 7:12 a.m., 29 views

WastedLocker Goes "Big-Game Hunting" in 2020

By Ben Baker, Edmund Brumaghin, JJ Cummings and Arnaud Zobec. Threat summary: After initially compromising corporate networks, the attacker behind WastedLocker performs privilege escalation and lateral movement prior to activating ransomware and demanding ransom payment. The use of "dual-use" tools...

AI score: 1.9 | Exploits: 0
Talos Blog
added 2019/11/14 11:00 a.m., 60 views

Threat Source newsletter (Nov. 14, 2019)

Newsletter compiled by Jon Munshaw. Welcome to this week's Threat Source newsletter, the perfect place to get caught up on all things Talos from the past week. It was all about the bugs this week. Patch Tuesday was especially busy for us, including our usual recap of all the vulnerabilities...

CVSS: 9.3 | AI score: 8.6 | EPSS: 0.28178 | Exploits: 0
Talos Blog
added 2019/11/13 9:35 a.m., 95 views

Hunting for LoLBins

By Vanja Svajcer. Introduction: Attackers' trends tend to come and go. But one popular technique we're seeing at this time is the use of living-off-the-land binaries, or "LoLBins". LoLBins are used by different actors combined with fileless malware and legitimate cloud services to improve chances...

AI score: 0.8 | Exploits: 0
Carbon Black Blog
added 2019/08/16 6:18 p.m., 270 views

CB TAU Threat Intelligence Notification: Trickbot Banking Trojan Continues to Evolve

There has been various coverage recently regarding newly identified Trickbot samples found in the wild. A recent sample identified by TAU includes additional techniques that leverage LOLBins, which are used by Trickbot to enumerate the network environment, and additionally perform a dump of the...

AI score: 0.4 | Exploits: 0
Carbon Black Blog
added 2019/08/12 1:02 p.m., 113 views

CB TAU Threat Intelligence Notification: Smominru Botnet Leverages New Attack Techniques

Carbon Black's Threat Analysis Unit (TAU) and CB ThreatSight discovered the resurgence of a previously active cryptomining botnet campaign called Smominru. This campaign has evolved since its original discovery in the latter half of 2017, leveraging new techniques including LOLbins, polymorphic...

AI score: 7.3 | Exploits: 0
Kitploit
added 2019/02/02 12:38 p.m., 452 views

LOLBAS - Living Off The Land Binaries And Scripts (LOLBins And LOLScripts)

The goal of the LOLBAS project is to document every binary, script, and library that can be used for Living Off The Land techniques. All the different files can be found behind a fancy frontend here: https://lolbas-project.github.io (thanks @ConsciousHacker for this bit of eye candy) and the team ov...

AI score: 7.6 | Exploits: 0 | References: 3