ASEC reports Magniber distribution in Korea disguised as MSI Windows installers, using MOTW bypass and base64-encoded links to evade blocking. The campaign leverages MSI Custom Actions to execute a Magniber DLL, deletes volume shadow copies to hinder recovery,…
Category: Threat Research
ASEC’s RAPIT analysis summarizes malware weekly stats from January 30 to February 5, 2023, highlighting downloader as the top category, followed by Infostealer and backdoor. The leading families were SmokeLoader, BeamWinHTTP, Formbook, Quasar RAT, and RedLine,…
The ESXiArgs ransomware campaign targets VMware ESXi servers by exploiting a two-year-old OpenSLP heap overflow vulnerability (CVE-2021-21974) to deploy encryption across nearly 1,000 servers worldwide, with France, the US, and Germany heavily affected. The atta…
Sliver backdoor was installed via Sunlogin vulnerability exploitation, with threat actors using BYOVD to disable security products and deploy a reverse shell alongside Gh0st RAT and XMRig CoinMiner. The report details Sliver’s capabilities, the Sunlogin RCE at…
Fortinet’s FortiGuard Labs highlights the Trigona ransomware in its bi-weekly Ransomware Roundup, detailing its double-extortion approach of encrypting endpoints and threatening to leak exfiltrated data. The report covers suspected infection vectors (emails, R…
A Mirai-driven botnet variant is dropping Medusa, a Python-based botnet, onto Linux targets to perform DDoS, ransomware, brute-force attacks, and data exfiltration. The article details the Medusa botnet’s client, C2 communications, attack methods, and the IOCs…
VSTO Add-Ins can be weaponized to deliver and execute code via Office documents, offering persistence across Office sessions. The article details local and remote VSTO attack flows, including user prompts to enable Add-Ins, encoded PowerShell payloads, and a r…
FortiGuard Labs detected a zero-day in a PyPI package named “web3-essential,” published by a newly joined user known as ‘Trexon’ on January 26, 2023. The package downloads and executes a Go-based binary to steal sensitive data and exfiltrate it via a Discord w…
IceBreaker APT is a newly tracked threat targeting the gambling/gaming sector in the run-up to ICE London, employing social-engineering to lure a customer-service agent and delivering a two-stage payload chain. Researchers describe a modular Node.js-based back…
ASEC’s weekly malware statistics for January 23–29, 2023 categorize threats by family, with downloader as the largest share, followed by Infostealer and backdoor. The report highlights BeamWinHTTP as the top downloader, with SmokeLoader, Formbook, AgentTesla, …
Cyble Research & Intelligence Labs details a new BAT loader used to disseminate RATs and stealers via OneNote attachments delivered through spam emails. The article walks through the infection chain, the obfuscated BAT loader, in-memory .NET payload loading (Q…
Quick Heal researchers examine how malware bypasses User Account Control (UAC) to gain admin privileges, enabling ransomware to encrypt system files. The piece details three CMSTP-based UAC bypass methods (malicious INF f…
An August 2022 incident began with a malicious Word document carrying a VBA macro that installed a PowerShell-based implant, established persistence via scheduled tasks, and used a renamed AutoHotkey-based keylogger to …
AveMaria distribution campaigns evolved through seven case studies in 2022, showcasing multiple delivery formats and evolving execution steps to evade detection. ThreatLabz notes ongoing updates to AveMaria’s chain, including new techniques like custom downloa…
Checkmarx researchers tracked a persistent threat actor they named PYTA27 who distributed multiple malicious Python packages to PyPI and GitHub, evolving from plain-text payloads to obfuscated and multi-stage stealers that target Discord and crypto-wallets. Th…