Displaying items by tag: Malware
New Advanced Fileless Malware Found Using Windows Event Logs
When most people think of malware, they think of binaries that are downloaded to a drive and executed. However, that is only part of the malware world. The other side does not actually download the malicious binary directly to the drive and often injects it directly into memory though the use of scripts. The name fileless is a bit of a misnomer as there are always files to be found in different stages of the attack, it is more to the point that much of the malicious work is doe through injection of code into legitimate processes without the need to write much of it to disk.
Chat Logs Expose Ransomware Groups Methods and Styles of Interactions with Victims
Ransomware is a huge shadow over many businesses and individuals’ heads. It has loomed as a significant threat since the first stains hit the internet inside malicious zip files masquerading as “Xerox” documents. Since that time ransomware and the groups behind it have evolved significantly. At the top of the food chain are groups like Hive and Conti who have not only evolved their own tools but utilize strategic approaches to their organizations complete with acquisitions and, in some cases, attempted legitimate business fronts to further their activities.
Conti has a New Toy as Bumblebee Malware Replaces BazarLoader
April must be the month for new malware tools to be released, or at least announced as we have already heard about new forms of attack/infection from the group behind Emotet and now we hear that Conti has replaced BazarLoader with new malware tracked as Bumblebee. The newly disclosed malware is also under active development with multiple new features showing up this month.
Yet Another New Attack Method Shows Up From the Group Behind Emotet
Yesterday we told you that the gang behind Emotet was looking to used Excel add-ins as a possible new technique to compromise systems as part of their spamming campaigns. The detected techniques were labeled as potentially being part of research and development efforts on the part of the group TA542 due to changes Microsoft is making in Office (and ones many admins already push). The R&D efforts do not stop there though as multiple security research teams are now saying they have identified another new technique associated with Emotet.
The Group Behind Emotet is Looking to Get Around Microsoft’s VBA Changes
TA542 the wonderful people that brought you Emotet appears to be in the middle of a development and testing cycle on new delivery methods. According to researchers at ProofPoint the creators or the Emotet Botnet are potentially looking to find a new delivery method in response to the, long overdue, default disabling of VBA based Macros by Microsoft in their office products. Although ProofPoint seems to think this is development testing, the activity could also be part of a more targeted campaign.
CISA warns that US ICS/SCADA Systems are being Targeted by Threat Groups
CISA has issued another warning that SCADA/ICS systems are being targeted for attack. This time they are in the sights of Nation-State groups and with customized tools. The tools are part of follow-on activities after the initial beachhead has been established. These days gaining initial access to a network, even for infrastructure, does not seem to be a difficult task for nation-state groups.
Crypto Mining Malware Targeting Amazon Lambda Serverless Environments
Some needs to let Gordan Freeman know that the Xen aliens are attacking Lambda, time to grab a crowbar and go to work. Ok, so there are no invaders from a border dimension coming and the Lambda in question is really Amazon’s Lambda Serverless function in AWS while the threat is a bit of crypto mining malware that appears to have been specifically written for Lambda in Google’s Go.
The State of Banking and Financial Malware on Google’s Play Store is Just Bad
It looks like there has been another round of malware identified on the Google Play sore and, you guessed it, the majority is focused on banks and other financial institutions. The combination of apps found totals around 515,000 downloads. 500,000 of these downloads are being attributed to a new trojan dubbed Octo and appears to be distributed via fake apps uploaded to the Google Play store.
Financial Threat Group, FIN7 Shows Signs of Evolving Tools and Coordination with Ransomware Groups
For some reason, malware, attacker tools, and even the threat groups themselves tend to be viewed and talked about as static objects (outside of the security and threat analytics world). Malware is just Malware, the same with Ransomware strains. Once they get named, they are that way forever. However, that is the farthest thing from reality. Threat Groups evolve their tactics, toolsets, and they even have DevOps around their malware/ransomware.
FBI Sent out an Advisory Alleging a Targeted Campaign Against State Election Officials
The FBI, on March 29th, released a Private Industry Notification with vague details on a potential Phishing campaign targeting election officials in at least nine US states. The information in the advisory gives very broad information without really saying much. There is no information in the notification on which states were targeted and the phishing campaign sounds a lot like ones that are sent out to millions of people every day.