Author: Cyfirma
Summary:
CYFIRMA has identified a sophisticated dropper binary associated with the “ELPACO-team” ransomware, a new variant of the “MIMIC” ransomware family. This malware employs both malicious and legitimate tools to disable system defenses, encrypt various file types, and ensure persistence, posing a significant threat to individuals and organizations.…
Summary:
MuddyWater is an advanced persistent threat (APT) group linked to the Iranian government, primarily targeting organizations in the Middle East. Utilizing in-memory attack techniques, they maintain a low detection profile while focusing on espionage and information theft. Their recent campaigns have involved phishing attacks and the deployment of custom malware, particularly against Israeli organizations.…
Summary:
This report provides an in-depth analysis of SpyNote, a sophisticated Android malware variant that disguises itself as a legitimate antivirus application. It details the malware’s techniques for gaining extensive control over infected devices, maintaining persistence, and evading detection. The findings emphasize the urgent need for robust security measures to combat such threats.…
Short Summary:
In Q3 2024, APT groups from China, North Korea, Iran, and Russia intensified their cyber operations, employing sophisticated techniques and targeting critical infrastructure. Chinese APTs focused on network devices, North Korean actors escalated attacks on various sectors, Iranian groups expanded their espionage efforts, and Russian actors utilized social engineering tactics.…
Short Summary:
This report by CYFIRMA provides insights into the current landscape of malware, specifically focusing on various stealers such as Divulge, DedSec, and Duck. These stealers are primarily promoted on platforms like GitHub, Discord, and Telegram, often targeting sensitive information from browsers and cryptocurrency wallets.…
Short Summary:
This report by CYFIRMA investigates the infrastructure of the APT group “Transparent Tribe,” identifying command-and-control (C2) servers linked to the group. The investigation reveals the use of Mythic Poseidon binaries and Linux desktop entry files as attack vectors, targeting individuals in India. The report emphasizes the evolving tactics of Transparent Tribe and the persistent threat they pose.…
The report from Cyfirma provides an in-depth analysis of the Gomorrah Stealer, a sophisticated information-stealing malware operating within a malware-as-a-service (MaaS) framework. It targets sensitive data from various applications, employing advanced evasion techniques and persistence strategies to maintain a foothold on infected systems. The report outlines the malware’s behavior, data collection methods, and its impact on cybersecurity.…
Short Summary:
Kimsuky, a North Korean hacking group active since 2018, focuses on espionage and financially motivated cybercrime. They target various technologies and countries, employing sophisticated tactics and exploiting vulnerabilities to achieve their goals.
Key Points:
Group Name: Kimsuky (also known as APT43)
Motivation: Espionage and financial gain
Target Technologies: Office Suites Software, Operating Systems, Web Applications
Targeted Countries: South Korea, the United States, Japan, Vietnam, and NATO-affiliated European countries
Recently Exploited Vulnerabilities: CVE-2024-21338, CVE-2021-44228, CVE-2017-17215, CVE-2017-11882, CVE-2020-0787, CVE-2017-0199, CVE-2017-0144
Malware Used: RandomQuery, xRAT, Gold Dragon
Recent Campaigns: Utilized a malicious Chrome extension (TRANSLATEXT) targeting South Korean academia.…
Short Summary:
The Mekotio Trojan is a sophisticated malware that utilizes an obfuscated PowerShell dropper to execute its payload. It gathers system information, communicates with a command-and-control (C2) server, and ensures persistence by modifying system settings. The malware employs various techniques to conceal its operations and maintain a foothold on infected systems.…
Short Summary:
CYFIRMA has identified a sophisticated dropper binary named “Angry Stealer,” which deploys an information-stealing malware targeting sensitive data from organizations and individuals. The malware, advertised on platforms like Telegram, is designed to exfiltrate various types of data, including browser information and cryptocurrency wallets, while employing advanced techniques to bypass security measures.…
Short Summary:
APT42 is an Iranian state-sponsored cyber espionage group primarily focused on information collection and surveillance against individuals and organizations of strategic interest to Iran. Active since at least 2015, they employ targeted spear phishing and deploy mobile malware to gain access to sensitive information.…
Short Summary:
This report from Cyfirma provides an analysis of Mint Stealer, an information-stealing malware operating as a malware-as-a-service (MaaS) tool. It targets sensitive data from compromised systems, employing sophisticated evasion techniques to avoid detection. The report discusses Mint Stealer’s methods, its impact on cybersecurity, and offers guidance for defense strategies against such threats.…
Published On : 2024-07-26
EXECUTIVE SUMMARY
A recent update from CrowdStrike caused the Blue Screen of Death (BSOD) on many Windows computers globally, leading to widespread disruption. Cybercriminals quickly exploited the chaos, using phishing campaigns and malicious domains to deceive users.
The CYFIRMA Research team is continuously monitoring the ongoing situation and has carried out an analysis of the tactics, techniques & procedures (TTPs) on deployed malware and malicious campaigns of the threat actors.…
Published On : 2024-07-19
EXECUTIVE SUMMARY
In the second quarter of 2024, Advanced Persistent Threat (APT) groups from China, North Korea, Iran, and Russia demonstrated a surge in dynamic and innovative cyber activities, significantly challenging the global cybersecurity landscape.
Starting with Iran, state-sponsored threat actors exhibited advanced capabilities across various regions and sectors.…