malware (91)

13193143874?profile=RESIZE_400xThe country's National Cyber Security Centre (NCSC) has uncovered a new malware campaign targeting Swiss residents through fake postal letters. The scam involves fraudulent correspondence disguised as official communication from MeteoSwiss, the Federal Office of Meteorology and Climatology. It urges recipients to scan a QR code and download a malicious weather app for Android devices.

See: https://redskyalliance.org/xindustry/malicious-qr-codes

The fake “Severe Weather Warning App” app mimics t

13143059864?profile=RESIZE_400xThousands of people, including many who use applications such as AutoCAD, JetBrains, and the Foxit PDF editor, have become victims of a sophisticated data-stealing and crypto-mining malware campaign active since February 2023. The as-yet-unidentified threat behind it is distributing the malware via forum posts and illegal torrents. What makes the malware challenging to mitigate is its use of SSL pinning and TLSv1.3 encryption to protect its command-and-control (C2) communications and data exfilt

13104605869?profile=RESIZE_400xA global law enforcement operation has disrupted infrastructure for the Redline and Meta info stealers, malware tools that cybercriminal groups use to steal sensitive personal data. Operation Magnus took place on 28 October 2024, with law enforcement shutting down three servers used to run the malware in the Netherlands and the seizure of two domains. This means the malware no longer functions and cannot currently be used to steal new data from infected victims.
See: https://redskyalliance.org/xi

13080587485?profile=RESIZE_400xA new malware family named WarmCookie, also known as BadSpace, has been actively distributed through malspam and malvertising campaigns since April 2024.

See:  https://redskyalliance.org/xindustry/windows-backdoor-to-push-badspace  

According to a blog post from Cisco Talos published on 23 October 2024, the malware facilitates persistent access to compromised networks. It has been observed as an initial payload, often leading to the deployment of additional malware such as CSharp-Streamer-RAT an

12960356261?profile=RESIZE_400xDue to economic turbulence and a relentless surge in cyber threats, today's cybersecurity landscape requires enterprises to remain resilient by adapting to security risks.  Many organizations have chosen to adapt to these risks by embracing modern technology such as generative artificial intelligence (GenAI), which can present new risks if not implemented properly.  The speed at which companies innovate and adopt new technology is far outpacing the security measures that must be addressed first.

12945016087?profile=RESIZE_400xAfter the city of Columbus, Ohio, experienced a ransomware attack in July 2024 and disclosed the event, it sued a researcher who claimed the breach was more significant than the city let on.  Ohio's largest city first fell victim to an attack on 18 July 2024 and quickly informed the public, claiming that it had stopped the attack before malware had infected its systems.

In early August 2024, the Rhysida ransomware gang leaked 3.1TB of data on its Tor-based site, information it claimed to have st

12932620875?profile=RESIZE_400xThe US Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) assess that cyber actors affiliated with the Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155) are responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm since at least 2020.  GRU Unit 29155 cyber actors began deploying the destructi

12940419696?profile=RESIZE_400xIn August 2024, FortiGuard Labs observed a python infostealer we call Emansrepo that is distributed via emails that include fake purchase orders and invoices.  Emansrepo compresses data from the victim’s browsers and files in specific paths into a zip file and sends it to the attacker’s email.  According to our research, this campaign has been ongoing since November 2023.  The attacker sent a phishing mail containing an HTML file, which was redirected to the download link for Emansrepo.  PyInsta

12931457261?profile=RESIZE_400xIn an era where digital threats loom large, the world finds itself grappling with an unprecedented surge in cyber-attacks.  Yeah, no kidding.  The landscape of digital security has become a battlefield, with corporate networks experiencing a staggering 30% increase in weekly attacks in the second quarter of 2024 compared to the same period in 2023.  Yet, a recent study by Kiteworks, a provider of secure content communication solutions, has revealed a significant knowledge gap in the US regarding

12869795452?profile=RESIZE_400xFortiGuard Labs recently encountered an ongoing ValleyRAT campaign specifically targeting Chinese speakers.  This malware has historically targeted e-commerce, finance, sales, and management enterprises.  ValleyRAT is a multi-stage malware that utilizes diverse techniques to monitor and control its victims and deploy arbitrary plugins to cause further damage.  Another noteworthy characteristic of this malware is its heavy usage of shellcode to execute its many components directly in memory, sign

12757025281?profile=RESIZE_400xSpyware is malicious software engineered to covertly monitor and gather information from a user’s computer without their awareness or consent. It can record activities like keystrokes, browsing behavior, and personal information, often transmitting this data to a third party for espionage or theft.

FortiGuard Labs recently detected an attack exploiting the CVE-2021-40444 vulnerability in Microsoft Office. This flaw allows attackers to execute malicious code via specially crafted documents. In th

12744610093?profile=RESIZE_400xThe HardBit ransomware first appeared in October 2022, with a 2.0 version coming shortly thereafter in November of 2022.   As one expects of a ransomware attack, HardBit targets organizations and demands cryptocurrency payments in exchange for decrypting data. 

Earlier variants of HardBit aren’t noted as being especially unique, though one standout attribute of HardBit is that the operators have enhanced their extortion tactics by demanding to know about the victim’s potential cyber insurance co

12684847278?profile=RESIZE_400xThreat actors have exploited hacked high-ranking legitimate websites to enable BadSpace malware backdoor distribution on Windows machines.  The threat actor employs a multi-stage attack chain involving an infected website, a command-and-control (C2) server, in some cases, a fake browser update, and a JScript downloader to deploy a backdoor into the victim's system.  BadSpace is a backdoor Trojan that secretly installs itself on a computer, giving cybercriminals remote access and control. It can

12640553088?profile=RESIZE_400xLightSpy is a modular surveillance framework that can be used to steal a variety of data, including files, screenshots, mobile location data, or even messenger data from apps like Telegram.  It was first documented by TrendMicro and Kapersky in 2020 as an iOS implant.  At the time, LightSpy would spread through a watering hole method, which is to say that targets would be directed to pages mimicking local news sites.  An example page can be seen in the image below.  The APT group said to be resp

12637369283?profile=RESIZE_400xFortiGuard Labs has recently identified a sophisticated cyberattack involving an Excel file embedded with a VBA macro designed to deploy a DLL file.  The attacker uses a multi-stage malware strategy to deliver the notorious "Cobalt Strike" payload and establish communication with a command and control (C2) server.  This attack employs various evasion techniques to ensure successful payload delivery.

Over the past few years, Ukraine has been a significant target due to its geopolitical situation

12490145894?profile=RESIZE_400xA newly identified Android Trojan can steal user information and allow attackers to take control of infected devices. Named Brokewell, the trojan includes all the capabilities of mobile banking malware while also providing attackers with remote access to devices. Brokewell is being distributed via fake application updates, such as newer Chrome browser iterations and updates for an Austrian digital authentication application.

The malware overlays fake windows over the targeted mobile applications

12415386683?profile=RESIZE_400xPhishing-as-a-service, or PhaaS, is a cyber threat subscription service, much like any number of other “as a service” types you may be familiar with, such as ransomware-as-a-service.  One of the noted early pioneers of this model is BulletProofLink.  This operation was taken down by Malaysian law enforcement in November of last year in collaboration with the Australian Federal Police and the FBI. 

The general ideal of phishing-as-a-service is that service providers are offering ready-to-use phis

12414665062?profile=RESIZE_400xANY.RUN[1] the interactive malware sandbox provider, has issued a warning about BunnyLoader, a rapidly evolving malware written in C/C++.  The new version, BunnyLoader 3.0, boasts enhanced capabilities and requires users and organizations to be more vigilant than ever.

Released just in September 2023, BunnyLoader's malicious functions range from exfiltrating credentials to stealing cryptocurrency wallets and dropping additional malware.

Here are some of the key changes introduced in BunnyLoader

12404998269?profile=RESIZE_400xOn 16 March 2024, Sentinel Labs identified a suspicious Linux binary uploaded from Ukraine.  Initial analysis showed surface similarities with the infamous AcidRain wiper used to disable KA-SAT modems across Europe at the start of the Russian invasion of Ukraine (commonly identified by the ‘Viasat hack’ misnomer).  Since our initial finding, no similar samples or variants have been detected or publicly reported until now.  This new sample is a confirmed variant called ‘AcidPour’, a wiper with si

12402161876?profile=RESIZE_400xThe US Department of Justice claims that it has disrupted a botnet controlled by the Russian state-sponsored hacking group Forest Blizzard, also known as Fancy Bear. The Russian hackers' targets include US and foreign governments, military entities, and security and corporate organizations. The FBI operation copied and deleted stolen files and other data from the compromised routers and, working with local Internet service providers, the FBI then informed the owners and operators of the routers.