malware (53)

10947154064?profile=RESIZE_400xCyberattacks in the US have significantly increased over the past year, with the healthcare system and other critical sectors being attacked as the threat of malware like ransomware and foreign spyware continues to evolve.   During 2022, US government officials and lawmakers renewed their focus on cyber security and sought to secure the country’s critical sectors from rising cyber threats. This issue will increase in 2023, as many of those threats are still escalating while the cyber sector is c

10923797266?profile=RESIZE_400xRisePro is an information-stealing malware that was first discovered in mid-December 2022.  The earliest log recording from this malware, as of the time of this writing, was December 12th, 2022.  The logs found were posted to Russian Market, which is a log shop that is like other markets, such as Genesis.  There appeared to be multiple thousands of logs posted [2].  RisePro appears to be written in C++ and acts similarly to the “Vidar” malware.  According to a Joe Sandbox analysis, RisePro exhib

10913981254?profile=RESIZE_400xCybersecurity researchers have published the inner workings of a new wiper called Azov Ransomware that's deliberately designed to corrupt data and "inflict impeccable damage" to compromised systems.  Azov is the name of ransomware, malware that blocks access to files by encrypting them.  It encrypts all files (except files with .ini, .dll, and .exe extensions) and appends the ".azov" extension to their filenames. Also, Azov drops ransom notes (the "RESTORE_FILES.txt" files) in all folders that i

10906606696?profile=RESIZE_400xMalware is nothing more that burglary tools.  Cyber researchers have recently shed light on a Dark web marketplace called “In the Box” that is designed to specifically cater to mobile malware operators.  The actor behind the criminal storefront, believed to be available since at least January 2020, has been offering over 400 custom web injects grouped by geography that can be purchased by other adversaries looking to mount attacks of their own.  The automation allows other bad actors to create o

10905077878?profile=RESIZE_400xBack in 1969, the rock group – The Rolling Stones – recorded an album titled “Let it Bleed.” The album sold over 2.4 million copies, and in 1997, it was voted the 27th "Best Album Ever." The current "Bleed You" malicious cyber campaign is far from being popular and is trying to take advantage of a known remote code execution (RCE) vulnerability in Windows Internet Key Exchange (IKE) Protocol Extensions. More than 1,000 systems are unpatched and vulnerable to compromise.

If an attacker gains cont

10895583072?profile=RESIZE_400xOver the past six months, the infamous Emotet botnet has shown almost no activity, and now it is distributing malicious spam.  Emotet is by far one of the most dangerous trojans ever created.  The malware became a very destructive program as it grew in scale and sophistication.  The victim can be anyone from corporate to private users exposed to spam email campaigns.

The botnet distributes through phishing containing malicious Excel or Word documents.  When users open these documents and enable

10893672288?profile=RESIZE_180x180A China-based cyber actor group is leveraging the trust associated with popular international brands to orchestrate a large-scale phishing campaign dating back as far as 2019.   The threat actor, Fangxiao, is said to have registered over 42,000 imposter domains, with initial activity observed in 2017.  Fangxiao targets businesses in multiple verticals, including retail, banking, travel, and energy.  The offers promised financial or physical incentives are used to trick victims into further sprea

10889538276?profile=RESIZE_400xSecurity researchers are alerting about an ongoing supply chain attack that uses malicious Python packages to distribute an information stealer.  The attackers have been active since October 2022.  The attack was uncovered by investigators on 01 November 2022, with the attackers copying existing popular libraries and injecting a malicious ‘import’ statement into them. The purpose of the injected code is to infect the victim’s machine with a script that runs in the background. The script, which f

10859960864?profile=RESIZE_400xCyber threat actors are using a never-before-seen technique to stealthily infect victims with malware by abusing legitimate tools.  The campaign has been detailed by cybersecurity researchers  who say that the attackers can spend more than 18 months inside the networks of victims while taking steps to ensure their activity stays under the radar to avoid detection in what's thought to be an intelligence-gathering and espionage operation. 

How the attack begins is still uncertain, but victims beco

10856609287?profile=RESIZE_400xLinkedIn has become a popular destination for threat actors trying to communicate with people for a variety of purposes, such as distributing malware, cyberespionage, credential stealing, financial fraud, etc.  One common approach to using LinkedIn by cyber criminals is to approach people using fake profile claiming to be a recruiter working at technology, defense, or media companies.  The North Korean-sponsored group Lazarus often engaged in these kinds of activities in order to propagate malwa

10854679261?profile=RESIZE_400xOne of the oldest and most successful forms of banking malware has been repurposed into a backdoor trojan described as "significantly dangerous" and likely to be used for ransomware attacks.  The new variant of Ursnif malware, also known as Gozi, has been detailed by researchers who suggest it has been purposefully built to power ransomware and data-theft attacks by using malicious Microsoft Office documents to get into users’ computers and requires macros to be activated. 

Designed to steal ban

10827725278?profile=RESIZE_400xChromeLoader proves to be an extremely prevalent and persistent malware.  It initially drops as an .iso and can be used to leak users’ browser credentials, harvest recent online activity, and hijack browser searches to display ads.  The VMware Carbon Black Managed Detection and Response (MDR) team observed the first Windows variants of ChromeLoader in the wild in January 2022 and the macOS version in March 2022.   There are some variants known to ChromeLoader, including ChromeBack and Choziosi L

10812254669?profile=RESIZE_400xThe Android banking trojan known as SharkBot has once again made an appearance on the Google Play Store by masquerading as antivirus and cleaner apps. This new dropper does not rely on Accessibility permissions to automatically install the dropper Sharkbot malware.  This new version asks the victim to install the malware as a fake update for the antivirus to stay protected against threats.


The apps in question, Mister Phone

10794947080?profile=RESIZE_400xThey say, “Ya gotta Play, to Win.”  Many state lotteries are now online through the Internet.  But in New Hampshire, playing the lottery on the Internet could be hazardous.  Clicking unknown pop-ups on the Internet is never a good idea and it wasn’t in NH this past Friday. 

The New Hampshire Lottery website is back in service after the agency faced a cyber-attack on 26 August that attempted to trick users into clicking a pop-up and downloading malware.  “The (cyber) attack resulted in the creati

10739450863?profile=RESIZE_400xThe Qbot malware was first discovered in 2008 and it has been used for a variety of purposes. It boasts a couple of prolific campaigns in recent years, particularly in 2020, but recent events indicate that it might have a slightly different coat of paint. We’ll begin our exploration here with a little bit of history on the Qbot malware, but from there we will move on to discussing DLL usage manipulation in Windows. In particular, we’ll go over a little bit about DLL side-loading: what it is, how


Raccoon Stealer, one of the most prolific data stealers in digital history is back and more effective than ever.  The re-emergence of the malware, best known for stealing personal information like passwords, files, and biometric data was first spotted by French cybersecurity company Sekoia the last week of June 2022.  According to the firm's analysis, the authors of Raccoon Stealer have rewritten the code from scratch and added screenshot capturing and keystroke logging to its list of capabilit

10575761875?profile=RESIZE_400xRed Sky Alliance regularly queries our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Malicious actors use emails with Motor Vessel (MV) or Motor Tanker (MT) in the subject line as a lure to entice users in the maritime industry to open emails containing malicious attachments.  Red Sky Alliance is providing this list of Motor Vessels in which we directly observed the vessel being impersonated, with associate

10515484081?profile=RESIZE_400xMalware has become an industry segment and professional developers are found to exchange, steal each other’s code and engage in collaborations. Attacks are multi-layer with diverse sophisticated software apps taking over different jobs along the attack chain from initial compromise to ultimate data exfiltration or encryption. The specific tools for each stage are highly specialized and can often be rented as a service such as Malware as a Service (MaaS0), including customer support and subscript

10496162276?profile=RESIZE_400xThe very first version of what would become known as ‘email’ was invented in 1965 at Massachusetts Institute of Technology (MIT) as part of the university's Compatible Time-Sharing System.  Emails, an old, tried and true method of communication – emails are still used for both good and bad purposes.  In Belgrade, a series of email bomb threats were sent on 16 May to Serbian government authorities.  The emails included threats against schools, bridges, restaurants and a soccer match, bringing its

10477932254?profile=RESIZE_400xEspionage comes in many forms, for advanced persistent threat (APT) “UNC3524” as dubbed by security company Mandiant, the objective is to collect emails dealing with corporate development, mergers & acquisitions, and corporate transactions.  “UNC3524” was first discovered in December 2019 and has been tracked since then.  The group’s corporate targets and interest in M&A plans point to financial motivation, however, the group’s ability to linger in a target environment while collecting emails, s