Cyberattackers Exploit Google Sheets for Malware Control in Likely Espionage Campaign
Cybersecurity researchers have uncovered a novel malware campaign that leverages Google Sheets as a command-and-control (C2) mechanism. The activity, detected by Proofpoint starting August 5, 2024, impersonates tax authorities from governments in Europe, Asia, and the U.S., with the goal of targeti...
Exploring the (Not So) Secret Code of Black Hunt Ransomware
It seems like every week, the cybersecurity landscape sees the emergence of yet another ransomware variant, with Black Hunt being one of the latest additions. Initially reported by cybersecurity researchers in 2022, this new threat has quickly made its presence known. In a recent incident, Black...
Quasar RAT Leverages DLL Side-Loading to Fly Under the Radar
The open-source remote access trojan known as Quasar RAT has been observed leveraging DLL side-loading to fly under the radar and stealthily siphon data from compromised Windows hosts. "This technique capitalizes on the inherent trust these files command within the Windows environment," Uptycs...
CISA, NSA, FBI, and MS-ISAC Release Phishing Prevention Guidance
Today, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint guide, Phishing Guidance: Stopping the Attack Cycle at Phase One. The...
New Threat: Stealthy HeadCrab Malware Compromised Over 1,200 Redis Servers
At least 1,200 Redis database servers worldwide have been corralled into a botnet using an "elusive and severe threat" dubbed HeadCrab since early September 2021. "This advanced threat actor utilizes a state-of-the-art, custom-made malware that is undetectable by agentless and traditional...
Wipermania: An All You Can Wipe Buffet
By Max Kersten · November 15, 2022. In early 2022, Ukrainian companies were struck by multiple destructive wipers, attacking various organizations across sectors. This raised questions about the usage and impact of “digital weapons” within the security...
Inside Raccoon Stealer V2
Raccoon Stealer is back in the news again. US officials arrested Mark Sokolovsky, one of the malware actors behind this program. In July 2022, after several months of shutdown, Raccoon Stealer V2 went viral. Last week, the Department of Justice's press release stated that the malware...
CAPEv2 - Malware Configuration And Payload Extraction
CAPE is a malware sandbox. It was derived from Cuckoo with the goal of adding automated malware unpacking and config extraction - hence its name is an acronym: 'Config And Payload Extraction'. Automated unpacking allows classification based on Yara signatures to complement network Suricata and...
The Tetrade: Brazilian banking malware goes global
Introduction: Brazil is a well-known country with plenty of banking trojans developed by local crooks. The Brazilian criminal underground is home to some of the world's busiest and most creative perpetrators of cybercrime. Like their counterparts in China and Russia, their cyberattacks have a stron...
Cybersecurity Needs to Go Back to the Basics
This is part of our ongoing conversation about the worldwide challenges of working remotely. To stay up-to-date on the latest insights, refer to our live page for COVID-19: Cybersecurity Community Resources. This piece was co-authored with support from Optiv. Security teams have spent decades...
Variant of Paradise Ransomware Targets Office IQY Files
A new variant of the Paradise ransomware attacks rarely targeted Microsoft Office Excel IQY files, providing a new and relatively unobtrusive way to infiltrate and hijack an organization’s network, researchers have found. Lastline Labs’ James Haughom discovered the variant in December in a spam...
The APT Name Game: How Grim Threat Actors Get Goofy Monikers
What’s in a name? When it comes to advanced persistent threat groups, it is often quite a bit. While their monikers may seem whimsical – Fancy Bear, Nomadic Octopus, Ocean Lotus and Darkhotel – the reality is these are not arbitrary names. In fact, many are similar to schoolyard nicknames or a...
Case Study: A Cryptomining Attack — With an Assist From Advanced Malware Techniques
In Carbon Black's Quarterly Incident Response Threat Report (QIRTR), some of the world’s leading incident response (IR) professionals reported seeing an uptick in lateral movement, counter incident response, and island-hopping attacks from motivated nation-states. In the case study below, Kroll notes...
Hackers Can Now Steal Data Even From Faraday Cage Air-Gapped Computers
A team of security researchers, which focuses mainly on finding clever ways to get into air-gapped computers by exploiting little-noticed emissions of a computer's components such as light, sound and heat, has published further research showing that they can steal data not only from an air gap...
Now you see me: Exposing fileless malware
Attackers are determined to circumvent security defenses using increasingly sophisticated techniques. Fileless malware boosts the stealth and effectiveness of an attack, and two of last year's major ransomware outbreaks, Petya and WannaCry, used fileless techniques as part of their kill chains. The...
Excerpts from Preparing for NGAV at Scale: Prevent Attacks & Stop Breaches
Carbon Black recently published a guide to help enterprises gauge their readiness in their initial search for next-generation antivirus, or NGAV; this is an excerpt from that guide, which you can find here. For more information about how Cb Defense, Carbon Black's NGAV + EDR solution, helps...
Remote Symbol Resolution
Introduction: The following blog discusses a couple of common techniques that malware uses to obscure its access to the Windows API. In both forms examined, analysts must calculate the API start address and resolve the symbol from the runtime process in order to determine functionality. After...
Banking Malware Vawtrak Seen Using Tor2Web
Developers behind the banking Trojan Vawtrak have begun obscuring some of their servers with Tor2Web, a move that’s added another degree of difficulty when it comes to uncovering their activity. To this point the malware’s techniques – its evolution beyond banking websites, ability to break...
Hackers Pinch Obfuscation Technique From DEFCON Presentation
UPDATE: Feds aren’t the only ones who are paying attention to the demonstrations at security conferences like Black Hat and DEFCON – the folks who actually don the black hats are, also. That point was driven home this week by Kaspersky Lab researcher Marta Janus, who blogged about an interesting...