One of our honeypots detected a URL spreading a botnet with a Monero miner bundled with a Perl-based backdoor component. The routine caught our attention as the techniques employed are reminiscent as those used in the Outlaw hacking group’s previous operation.
Read More
We discovered a malware that uses three different online services — including Slack and GitHub– as part of its routine. Analysis of the attacker’s tools, techniques, and procedures lead us to believe that this might be a targeted attack from very capable threat actors.
Read More MuddyWater is a well-known threat actor group that has been active since 2017. They have regularly targeted various organizations in Middle East and Central Asia, primarily using spear phishing emails with malicious attachments. We recently observed a few interesting delivery documents with similarities to the known MuddyWater tools, techniques and procedures.
Read More
The cybercriminal group Lazarus, and particularly its subgroup Bluenoroff, has a history of attacking financial organizations in Asia and Latin America. There seems to be a resurgence of activity from the group, and recent events show how their tools and techniques have evolved. We discovered that they successfully planted their backdoor into several machines of financial institutions across Latin America.
Read More We noticed a series of testing submissions in VirusTotal that apparently came from the same group of malware developers in Moldova, at least based on the filenames and the submissions’ source. It appears they are working on a new malware that — based on how they were coded — is most likely intended to spread through spam emails embedded with malicious attachments.
The downloader malware’s payload is what makes it notable. It delivers a version of the Revisit remote administration tool, which is used to hijack the infected system. More importantly, it also delivers a malicious extension that could serve as a backdoor, stealing information keyed in on browsers.
Read More