X-Industry

The HardBit ransomware first appeared in October 2022, with a 2.0 version coming shortly thereafter in November of 2022.   As one expects of a ransomware attack, HardBit targets organizations and demands cryptocurrency payments in exchange for decrypting data. 

Earlier variants of HardBit aren’t noted as being especially unique, though one standout attribute of HardBit is that the operators have enhanced their extortion tactics by demanding to know about the victim’s potential cyber insurance co

Threat actors have exploited hacked high-ranking legitimate websites to enable BadSpace malware backdoor distribution on Windows machines.  The threat actor employs a multi-stage attack chain involving an infected website, a command-and-control (C2) server, in some cases, a fake browser update, and a JScript downloader to deploy a backdoor into the victim's system.  BadSpace is a backdoor Trojan that secretly installs itself on a computer, giving cybercriminals remote access and control. It can

LightSpy is a modular surveillance framework that can be used to steal a variety of data, including files, screenshots, mobile location data, or even messenger data from apps like Telegram.  It was first documented by TrendMicro and Kapersky in 2020 as an iOS implant.  At the time, LightSpy would spread through a watering hole method, which is to say that targets would be directed to pages mimicking local news sites.  An example page can be seen in the image below.  The APT group said to be resp

FortiGuard Labs has recently identified a sophisticated cyberattack involving an Excel file embedded with a VBA macro designed to deploy a DLL file.  The attacker uses a multi-stage malware strategy to deliver the notorious "Cobalt Strike" payload and establish communication with a command and control (C2) server.  This attack employs various evasion techniques to ensure successful payload delivery.

Over the past few years, Ukraine has been a significant target due to its geopolitical situation

A newly identified Android Trojan can steal user information and allow attackers to take control of infected devices. Named Brokewell, the trojan includes all the capabilities of mobile banking malware while also providing attackers with remote access to devices. Brokewell is being distributed via fake application updates, such as newer Chrome browser iterations and updates for an Austrian digital authentication application.

The malware overlays fake windows over the targeted mobile applications

Phishing-as-a-service, or PhaaS, is a cyber threat subscription service, much like any number of other “as a service” types you may be familiar with, such as ransomware-as-a-service.  One of the noted early pioneers of this model is BulletProofLink.  This operation was taken down by Malaysian law enforcement in November of last year in collaboration with the Australian Federal Police and the FBI. 

The general ideal of phishing-as-a-service is that service providers are offering ready-to-use phis

ANY.RUN[1] the interactive malware sandbox provider, has issued a warning about BunnyLoader, a rapidly evolving malware written in C/C++.  The new version, BunnyLoader 3.0, boasts enhanced capabilities and requires users and organizations to be more vigilant than ever.

Released just in September 2023, BunnyLoader's malicious functions range from exfiltrating credentials to stealing cryptocurrency wallets and dropping additional malware.

Here are some of the key changes introduced in BunnyLoader

On 16 March 2024, Sentinel Labs identified a suspicious Linux binary uploaded from Ukraine.  Initial analysis showed surface similarities with the infamous AcidRain wiper used to disable KA-SAT modems across Europe at the start of the Russian invasion of Ukraine (commonly identified by the ‘Viasat hack’ misnomer).  Since our initial finding, no similar samples or variants have been detected or publicly reported until now.  This new sample is a confirmed variant called ‘AcidPour’, a wiper with si

The US Department of Justice claims that it has disrupted a botnet controlled by the Russian state-sponsored hacking group Forest Blizzard, also known as Fancy Bear. The Russian hackers' targets include US and foreign governments, military entities, and security and corporate organizations. The FBI operation copied and deleted stolen files and other data from the compromised routers and, working with local Internet service providers, the FBI then informed the owners and operators of the routers.

Magnet Goblin, a financially motivated threat actor, is swiftly adopting one-day security vulnerabilities into its arsenal to opportunistically breach edge devices and public-facing services and deploy malware on compromised hosts.  Threat actor group Magnet Goblin's hallmark is its ability to swiftly leverage newly disclosed vulnerabilities, mainly targeting public-facing servers and edge devices.  In some cases, the deployment of the exploits is within 1 day after a [proof-of-concept] is publi

Cybersecurity researchers have identified an updated version of a macOS information stealer called Atomic (or AMOS), indicating that the threat actors behind the malware are actively enhancing its capabilities. It looks like Atomic Stealer was updated around mid to late December 2023, where its developers introduced payload encryption to bypass detection rules.

Atomic Stealer first emerged in April 2023 for a monthly subscription of $1,000. It's capable of harvesting sensitive information from a

The banking malware known as Carbanak has been observed to be used in ransomware attacks with updated tactics.  The malware has adapted to incorporate attack vendors and techniques to diversify its effectiveness.  Carbanak returned in November 2023 through new distribution chains and has been distributed through compromised websites to impersonate various business-related software.

See:  https://redskyalliance.org/Finance/never-take-malware-from-strangers

Some impersonated tools include popular

At its most basic, the term “auto fill” refers to a feature or set of features that enables users to insert previously entered information into web pages.  Depending on the specific application being used, this can be any sort of information like names and address, moving all the way up to information that needs more protection such as credit card numbers and username/password combinations.

On Android devices, it is often the case that an application will display a login form by using what’s cal

A new malvertising campaign has been found to employ fake sites that masquerade as legitimate Windows news portal to propagate a malicious installer for a popular system profiling tool called CPU-Z.  This incident is a part of a larger malvertising campaign that targets other utilities like Notepad++, Citrix, and VNC Viewer as seen in its infrastructure (domain names) and cloaking templates used to avoid detection.

While malvertising campaigns are known to set up replica sites advertising widely

A highly sophisticated piece of malware posing as a cryptocurrency miner has stayed hidden for five years, infecting more than one million devices, cybersecurity investigators warn.  Named StripedFly, the threat contains code sequences previously observed in the malware used by the threat actor known as the Equation Group, known for APT malware and attacks, which has been linked to the US National Security Agency.

Designed as a modular framework, StripedFly can target both Windows and Linux and

A new information stealer named ExelaStealer has become the latest one to become available to the hacker audience.  There are many choices available for off-the-shelf malware designed to capture sensitive data from compromised Windows systems.  ExelaStealer is a largely open-source infostealer with paid customizations available from the threat actor creator.

Written in Python and incorporating support for JavaScript, it comes fitted with capabilities to siphon passwords, Discord tokens, credit c

A new malware-as-a-service option for cybercriminals known as BunnyLoader was released on September 4^th, 2023.  It has since seen a variety of updates and has reached version 2.0.  As one might expect from any number of the “as a service” monikers, malware-as-a-service is a business model for cybercriminals.  The business model is such that malware and its associated infrastructure are provided to customers for a fee.  This can also be seen as a variation to the software-as-a-service model.

Thos

In 1923, the Soviet Union created the Nagorno-Karabakh Autonomous Oblast (an oblast is an administrative region or province) within the Azerbaijan Soviet Socialist Republic.  This oblast has a 95% ethnically Armenian population.  In 1988, Nagorno-Karabakh intended to leave Azerbaijan and join the neighboring Republic of Armenia.  While the Soviet Union was able to keep the resulting tension under control, once the USSR began to collapse, armed conflict between Azerbaijan and Armenia began for co

The US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) released a joint cybersecurity advisory (CSA) regarding new Truebot malware variants that are being used against organizations in the United States and Canada.

Older versions of the Truebot malware variant were delivered via malicious phishing email attachments, the CSA expla

A common tactic for cybercriminals is to distribute storage drives, phones, or other internet-connected devices filled with hidden malware to hack victims and steal their information. Although smartwatches have not been known for major security breaches so far, they carry many of the same vulnerabilities as other IoT products and warrant a similar degree of caution.  A recent InfraGard brief by DHS cautioned the use of Smartphones and being vulnerable to malware.

The US Army’s Criminal Investiga