New Malvertising Campaign Uses Fake Windows News Portal to Distribute Malicious Installers

A new malvertising campaign has been found to employ fake sites that masquerade as legitimate Windows news portal to propagate a malicious installer for a popular system profiling tool called CPU-Z. "This incident is a part of a larger malvertising campaign that targets other utilities like...

New DotRunpeX Malware Delivers Multiple Malware Families via Malicious Ads

A new piece of malware dubbed dotRunpeX is being used to distribute numerous known malware families such as Agent Tesla, Ave Maria, BitRAT, FormBook, LokiBot, NetWire, Raccoon Stealer, RedLine Stealer, Remcos, Rhadamanthys, and Vidar. "DotRunpeX is a new injector written in .NET using the Process...

NetWire Remote Access Trojan Maker Arrested

From Brian Krebs: A Croatian national has been arrested for allegedly operating NetWire, a Remote Access Trojan RAT marketed on cybercrime forums since 2012 as a stealthy way to spy on infected systems and siphon passwords. The arrest coincided with a seizure of the NetWire sales website by the...

NetWire Malware Site and Server Seized, Admin Arrested

By Habiba Rashid The alleged administrator of the website selling NetWire malware has been arrested in Croatia. This is a post from HackRead.com Read the original post: NetWire Malware Site and Server Seized, Admin Arrested...

International Law Enforcement Takes Down Infamous NetWire Cross-Platform RAT

A coordinated international law enforcement exercise has taken down the online infrastructure associated with a cross-platform remote access trojan RAT known as NetWire. Coinciding with the seizure of the sales website www.worldwiredlabs.com, a Croatian national who is suspected to be the website...

International Law Enforcement Takes Down Infamous NetWire Cross-Platform RAT

A coordinated international law enforcement exercise has taken down the online infrastructure associated with a cross-platform remote access trojan RAT known as NetWire. Coinciding with the seizure of the sales website www.worldwiredlabs.com, a Croatian national who is suspected to be the website...

Who’s Behind the NetWire Remote Access Trojan?

A Croatian national has been arrested for allegedly operating NetWire, a Remote Access Trojan RAT marketed on cybercrime forums since 2012 as a stealthy way to spy on infected systems and siphon passwords. The arrest coincided with a seizure of the NetWire sales website by the U.S. Federal Bureau...

Threat Roundup for September 16 to September 23

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 16 and Sept. 23. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral...

Experts Warn of Hacking Group Targeting Aviation and Defense Sectors

Entities in the aviation, aerospace, transportation, manufacturing, and defense industries have been targeted by a persistent threat group since at least 2017 as part of a string of spear-phishing campaigns mounted to deliver a variety of remote access trojans RATs on compromised systems. The use...

Cybercrooks Frame Targets by Planting Fabricated Digital Evidence

Threat actors are hijacking the devices of India’s human rights lawyers, activists and defenders, planting incriminating evidence to set them up for arrest, researchers warn. The actor, dubbed ModifiedElephant, has been at it for at least 10 years, and it’s still active. It’s been shafting target...

Amazon, Azure Clouds Host RAT-ty Trio in Infostealing Campaign

Cyberattackers are abusing Amazon Web Services AWS and Azure Cloud services to deliver a trio of remote access trojans RATs, researchers warned – all aimed at hoovering up sensitive information from target users. According to an analysis from Cisco Talos, threat actors have been pushing out...

Hackers Use Cloud Services to Distribute Nanocore, Netwire, and AsyncRAT Malware

Threat actors are actively incorporating public cloud services from Amazon and Microsoft into their malicious campaigns to deliver commodity remote access trojans RATs such as Nanocore, Netwire, and AsyncRAT to siphon sensitive information from compromised systems. The spear-phishing attacks, whi...

Nanocore, Netwire and AsyncRAT spreading campaign uses public cloud infrastructure

By Chetan Raghuprasad and Vanja Svajcer. Cisco Talos discovered a malicious campaign in October 2021 delivering variants of Nanocore, Netwire and AsyncRATs targeting user's information. According to Cisco Secure product telemetry, the victims of this campaign are primarily distributed across the...

Operation “Armor Piercer:” Targeted attacks in the Indian subcontinent using commercial RATs

By Asheer Malhotra, Vanja Svajcer and Justin Thattil. Cisco Talos is tracking a campaign targeting government personnel in India using themes and tactics similar to APT36 aka Mythic Leopard and Transparent Tribe.This campaign distributes malicious documents and archives to deliver the Netwire...

Taxpayers Targeted With Improved NetWire RAT Variant

A new variant of the the NetWire remote access trojan RAT is hitching a ride on IRS-themed phishing ploys targeting taxpayers in hopes of snatching victims’ credentials and tax information. The recently uncovered campaign reveals the RAT’s operators swapping up infection tactics to use a legacy...

TAU Threat Analysis: NetWire Variant Leveraging AutoIt Scripts and Windows Shortcut Links

NetWire, an information stealing RAT that dates back multiple years, has been witnessed in the wild recently using a tactic of combining Windows shortcut link files and AutoIt scripts. These scripts pose as BitTorrent files, a protocol used for direct peer-to-peer file transfers, to entrench and...

Threat Roundup for February 7 to February 14

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 7 and Feb. 14. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics,...

Threat Roundup for December 13 to December 20

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Dec. 13 and Dec. 20. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics...

Threat Roundup for November 29 to December 6

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 29 and Dec. 6. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics,...

Active C2 Discovery Using Protocol Emulation Part1 (HYDSEVEN NetWire)

Malware C2 addresses can be an important IOC to detect known threats. In order to obtain C2 information, we first need malware samples which are then analyzed dynamically or statically. However the analysis task is often times not straightforward. Increasingly anti-analysis methods are implemente...