• Trend Micro
  • About TrendLabs Security Intelligence Blog
Search:
  • Home
  • Categories
    • Ransomware
    • Vulnerabilities
    • Exploits
    • Targeted Attacks
    • Deep Web
    • Mobile
    • Internet of Things
    • Malware
    • Bad Sites
    • Spam
    • Botnets
    • Social
    • Open source
Home   »   Malware

Tildeb: Analyzing the 18-year-old Implant from the Shadow Brokers’ Leak
  • Posted on:December 13, 2018 at 6:24 am
  • Posted in:Malware
  • Author:
    Trend Micro
0

On April 14, 2017, The Shadow Brokers (TSB) leaked a bevy of hacking tools named “Lost in Translation.” This leak is notorious for having multiple zero-day remote code execution (RCE) vulnerabilities targeting critical protocols such as Server Message Block (SMB) and Remote Desktop Protocol (RDP) and applications like collaboration and web server-based software. The exploit toolkit includes EternalBlue, EternalChampion, EternalSynergy, EsteemAudit, EchoWrecker, ExplodingCan, EpicHero, and EWorkFrenzy, among others.

The leak also contains multiple post-exploitation implants and utilities, used for maintaining persistence on the infected system, bypassing authentication, performing various malicious activities, and establishing command-and-control (C&C) channels with a remote server, among others. Five of the most notable implants include DoublePulsar, PeddleCheap, ExpandingPulley, KillSuit (KiSu), and DanderSpritz, which all have different capabilities, features, and usage.

Read More
Tags: Shadow BrokersTildeb

Cryptocurrency Miner Spreads via Old Vulnerabilities on Elasticsearch
  • Posted on:December 12, 2018 at 1:02 am
  • Posted in:Malware, Vulnerabilities
  • Author:
    Trend Micro
0

We detected mining activity on our honeypot that involves the search engine Elasticsearch, which is a Java-developed search engine based on the Lucene library and released as open-source. The attack was deployed by taking advantage of known vulnerabilities CVE-2015-1427, a vulnerability in its Groovy scripting engine that allows remote attackers to execute arbitrary shell commands through a crafted script, and CVE-2014-3120, a vulnerability in the default configuration of Elasticsearch.

Read More
Tags: cryptocurrency minerElasticsearch

New Exploit Kit “Novidade” Found Targeting Home and SOHO Routers
  • Posted on:December 11, 2018 at 2:00 am
  • Posted in:Internet of Things, Malware
  • Author:
    Joseph C Chen (Fraud Researcher)
0

We identified a new exploit kit we named Novidade that targets home or small office routers by changing their Domain Name System (DNS) settings via cross-site request forgery (CSRF), enabling attacks on a victim’s mobile device or desktop through web applications in which they’re authenticated with. Once the DNS setting is changed to that of a malicious server, the attacker can execute a pharming attack, redirecting the targeted website traffic from all devices connected to the same router.

Read More
Tags: internet of thingsNovidaderouters

New PowerShell-based Backdoor Found in Turkey, Strikingly Similar to MuddyWater Tools
  • Posted on:November 30, 2018 at 2:42 am
  • Posted in:Malware, Targeted Attacks
  • Author:
    Jaromir Horejsi (Threat Researcher)
0

MuddyWater is a well-known threat actor group that has been active since 2017. They have regularly targeted various organizations in Middle East and Central Asia, primarily using spear phishing emails with malicious attachments. We recently observed a few interesting delivery documents with similarities to the known MuddyWater tools, techniques and procedures.

Read More
Tags: backdoorphishingPowershellsocial engineering

Proofs of Concept Abusing PowerShell Core: Caveats and Best Practices
  • Posted on:November 28, 2018 at 11:54 pm
  • Posted in:Exploits, Malware
  • Author:
    Trend Micro
0

We explored possible strategies attackers can employ when abusing PowerShell Core. These proofs of concept (PoCs) would help in better understanding — and in turn, detecting and preventing — the common routines and behaviors of possible and future threats that attackers might use. The PoCs we developed using PowerShell Core were conducted on Windows, Linux, and mac OSs. Most of the techniques we applied can be seen from previous threats involving PowerShell-based functionalities, such as the fileless KOVTER and POWMET. The scenarios in our PoCs are also based on the PowerShell function they use.

Read More
Tags: PowershellPowerShell Core
Page 1 of 27412 › »

Security Predictions for 2018

  • Attackers are banking on network vulnerabilities and inherent weaknesses to facilitate massive malware attacks, IoT hacks, and operational disruptions. The ever-shifting threats and increasingly expanding attack surface will challenge users and enterprises to catch up with their security.
    Read our security predictions for 2018.

Business Process Compromise

  • Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more, read our Security 101: Business Process Compromise.

Popular Posts

  • Exploring Emotet: Examining Emotet’s Activities, Infrastructure
  • Perl-Based Shellbot Looks to Target Organizations via C&C
  • December Patch Tuesday: Year-End Batch Addresses Win32k Elevation of Privilege and Windows DNS Server Vulnerabilities
  • Fake Banking App Found on Google Play Used in SMiShing Scheme
  • TrickBot’s Bigger Bag of Tricks

Stay Updated

  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © Trend Micro Incorporated. All rights reserved.