Unit 42 analyzes a multi-stage attack that begins with a malicious Compiled HTML Help (.chm) file delivered inside a 7z archive and culminates with Agent Tesla loading and exfiltrating data via FTP. The operation uses obfuscated JavaScript and PowerShell acros…
Researchers observed a rapid exploit campaign against F5 BIG-IP CVE-2022-1388, deploying web shells and Mirai-era malware within days. The events highlight the danger of exposed devices and the need for secure configurations and timely patching.…
Proofpoint profiles Nerbian RAT, a Go-based malware with aggressive anti-analysis and evasion capabilities that uses COVID-19 themes to lure victims. The attack chain starts with a maldoc phishing email, drops a Go-based loader UpdateUAV.exe, which then retrie…
On May 4, 2022, F5 released a security advisory for a remote code execution vulnerability in the iControlREST component of its BIG-IP product tracked as CVE-2022-1388. Threat actors can bypass authentication and run arbitrary code on unpatched systems, with ma…
North Korea-linked Lazarus continues its Dream Job espionage campaign targeting chemical sector organizations, using fake job offers, Trojanized tools, and a multi-stage payload chain to infiltrate networks and steal intellectual property. Symantec’s findings …
FortiGuard Labs observed a new DDoS botnet named Enemybot, attributed to Keksec, that borrows code from Gafgyt and Mirai while using obfuscation and a Tor-hidden C2 to complicate takedowns. It targets routers from Seowon Intech and D-Link and leverages a wide …
SystemBC is a proxy malware that has been used by various attackers for years, functioning as both a proxy bot and a downloader for additional payloads. It has recently been distributed through SmokeLoader and Emotet and has featured in ransomware campaigns, i…
Cybereason Nocturnus details a new espionage campaign by APT-C-23 targeting Israeli officials, featuring upgraded malware (Barb(ie) Downloader, BarbWire Backdoor, and VolatileVenom Android implant) and sophisticated social engineering to gain initial access. T…
Fortinet FortiGuard Labs analyzes a phishing-driven Remcos RAT campaign that delivers a malicious Excel macro to Windows users, initiating a multi-stage VBS/PowerShell payload chain. The malware uses a decrypted configuration block, process hollowing into RegA…
FIN7’s intrusion landscape evolves from LOADOUT and GRIFFON in 2020 to POWERPLANT as the main PowerShell-based backdoor in 2021, with BEACON acting as a secondary access path and extensive PowerShell tradecraft continuing to shape their operations. The report …
The diary documents a MetaStealer infection chain delivered via malicious Excel attachments that drop and persist a Windows EXE and DLL after macro execution and a VBScript loader. It also notes the malware abusing legitimate services like GitHub and transfer.…
McAfee Labs reports scammers exploiting Ukraine donation efforts by deploying crypto donation phishing sites and deceptive emails to harvest funds and personal data. The campaigns use fake chat boxes, donation verifiers, and counterfeit logos to appear legitim…
A SentinelOne analysis examines Hive Ransomware’s IPfuscation technique, which hides a shellcode payload by encoding ASCII IP addresses that are translated into binary to form the shellcode. The write-up covers IPfuscated, UUIDfuscation, and MACfuscation varia…
Talisman is a PlugX variant that loads a modified DLL via a signed benign binary to decrypt and execute a backdoored payload with plug-in capabilities. The campaign is attributed with medium confidence to the Chinese state-backed RedFoxtrot group, targeting So…
ThreatLabz analyzes Thanos-based ransomware variants (Prometheus, Haron, Spook, and Midas) to show how operators shifted tactics in 2021, using RaaS builders, double extortion, and variant revamps to extend campaigns. The Midas variant encrypts files with Sals…