malware (42)

ChromeLoader has proven to be an extremely prevalent and persistent malware family.  It is initially delivered as an .iso file and can be used to leak users' browser credentials, harvest recent online activity, and hijack browser searches to display ads.  The VMware Carbon Black Managed Detection and Response (MDR) team observed the first Windows variants of ChromeLoader in the wild in January 2022 and the macOS version in March 2022.  There are several known variants of ChromeLoader, including ChromeBack and Choziosi L

The Android banking trojan known as SharkBot has once again made an appearance on the Google Play Store by masquerading as antivirus and cleaner apps.  Unlike earlier versions, this new dropper does not rely on Accessibility permissions to install the SharkBot payload automatically.  Instead, it asks the victim to install the malware as a fake update for the antivirus app, supposedly to stay protected against threats.

See:  https://redskyalliance.org/xindustry/don-t-get-bitten-by-sharkbot

The apps in question, Mister Phone

They say, “Ya gotta Play, to Win.”  Many state lotteries are now online through the Internet.  But in New Hampshire, playing the lottery on the Internet could be hazardous.  Clicking unknown pop-ups on the Internet is never a good idea, and it wasn’t in NH this past Friday.

The New Hampshire Lottery website is back in service after the agency faced a cyber-attack on 26 August that attempted to trick users into clicking a pop-up and downloading malware.  “The (cyber) attack resulted in the creati

The Qbot malware was first discovered in 2008 and has been used for a variety of purposes.  It boasts a couple of prolific campaigns in recent years, particularly in 2020, but recent events indicate that it might have a slightly different coat of paint.  We’ll begin our exploration here with a little bit of history on the Qbot malware, but from there we will move on to DLL usage manipulation in Windows.  In particular, we’ll go over a little bit about DLL side-loading: what it is, how


Raccoon Stealer, one of the most prolific data stealers in digital history, is back and more effective than ever.  The re-emergence of the malware, best known for stealing personal information such as passwords, files, and biometric data, was first spotted by the French cybersecurity company Sekoia in the last week of June 2022.  According to the firm's analysis, the authors of Raccoon Stealer have rewritten the code from scratch and added screenshot capturing and keystroke logging to its list of capabilit

Red Sky Alliance regularly queries our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails.  Malicious actors use emails with Motor Vessel (MV) or Motor Tanker (MT) in the subject line as a lure to entice users in the maritime industry to open emails containing malicious attachments.  Red Sky Alliance is providing this list of Motor Vessels in which we directly observed the vessel being impersonated, with associate

Malware has become an industry segment, and professional developers exchange and steal each other’s code and collaborate.  Attacks are multi-layered, with diverse sophisticated software components taking over different jobs along the attack chain, from initial compromise to ultimate data exfiltration or encryption.  The specific tools for each stage are highly specialized and can often be rented as a service, such as Malware as a Service (MaaS), complete with customer support and subscript

The very first version of what would become known as ‘email’ was developed in 1965 at the Massachusetts Institute of Technology (MIT) as part of the university's Compatible Time-Sharing System.  Email, an old, tried and true method of communication, is still used for both good and bad purposes.  In Belgrade, a series of email bomb threats were sent on 16 May to Serbian government authorities.  The emails included threats against schools, bridges, restaurants and a soccer match, bringing its

Espionage comes in many forms.  For the advanced persistent threat (APT) group dubbed “UNC3524” by the security company Mandiant, the objective is to collect emails dealing with corporate development, mergers & acquisitions (M&A), and corporate transactions.  UNC3524 was first discovered in December 2019 and has been tracked since then.  The group’s corporate targets and interest in M&A plans point to financial motivation; however, the group’s ability to linger in a target environment while collecting emails, s

Those readers who have children have already built a sandbox and watched its contents get tracked into the house.  What I will be describing is a different type of sandbox, which some have referred to as a “Cuckoo box.”  Before hunting malware, every researcher needs a system on which to analyze it.  There are several ways to get one: build your own environment or use third-party solutions.  Here are some “easy” steps required to create a custom malware sandbox where you can perform a proper a

Red Sky Alliance performs queries of our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails.  Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments.  Red Sky Alliance is providing this list of Motor Vessels in which Red Sky Alliance directly observed the vessel being impersonated, with assoc

Since the beginning of phishing, fraudulent invoicing and purchasing schemes have been among the most common lures, because they make money.  The usual modus operandi involves appealing to the recipient’s desire to avoid incurring a debt, especially where a business may be involved.  Researchers recently came across an interesting phishing e-mail masquerading as a purchase order addressed to a Ukrainian manufacturing organization that deals with raw materials and chemicals.  The e-mail containe

Cyber threat investigators believe the infamous TrickBot malware has reached its limits, but its development team appears to have been “acquired” by the Conti ransomware gang, which has been thriving amid recent crackdowns.  TrickBot has been around since 2016.  It was initially a banking trojan designed to steal financial data, but it evolved into a modular stealer that could target a wide range of information.  See:  https://redskyalliance.org/xindustry/trickbot-has-learned-more-tricks

TrickBo

Welcome to the new normal: the cybersecurity threat landscape has become progressively more complex and dangerous.  The online world is full of data thieves, extortionists, and even state actors looking to exploit vulnerabilities in businesses' digital defenses.  The cyber threat actors have the upper hand at the moment.  Part of the reason for that is the fallout from the rapid digitization made necessary by the COVID-19 pandemic.  According to research on the subject, more than half of business

The Winter Olympics have officially come to a close.  There have been heartwarming headlines of athletes overcoming adversity, upsets, dominant performances, and countless clips of the mascot Bing Dwen Dwen throughout the past two weeks.  The headline that cyber professionals are waiting for has yet to arrive.

In the weeks leading up to the opening of the Olympic Games, athletes were required to install the My2022 app to track their health.  The app is supposed to track COVID-19 and monitor the healt

The operators of the GootLoader campaign are targeting employees of accounting and law firms as part of a renewed wave of attacks to deploy malware on infected systems.  This is an unfortunate sign that the adversary is expanding its focus to other high-value targets.  The Gootkit malware family has been around for five years or more and is used to distribute payloads such as ransomware, which can encrypt the files on a Windows computer and only release them once a ransom is paid.

Gootloader

Red Sky Alliance performs queries of our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails.  Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments.  Red Sky Alliance is providing this list of Motor Vessels in which Red Sky Alliance directly observed the vessel being impersonated, with assoc
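The three maritime posts above all describe the same query: pull every malicious email whose subject line carries a Motor Vessel (MV) or Motor Tanker (MT) keyword, and record which vessel name is being impersonated.  The following is an added example, not Red Sky Alliance's own tooling, that applies that rule to a handful of constructed subject lines.  The accepted prefix spellings (MV, M/V, Motor Vessel and the MT equivalents), the stop-word list (ETA, ETD, IMO, ETB), and the assumption that lure subjects write the vessel name in upper case are this example's own choices, not facts taken from the posts.

```python
"""Flag maritime-themed phishing lures by their subject line.

Added example, not Red Sky Alliance's own tooling: it applies the rule the
posts describe (a "Motor Vessel (MV)" or "Motor Tanker (MT)" keyword in the
subject line of a malicious email) to a few constructed subject lines and
pulls out the vessel name being impersonated.  The prefix spellings accepted,
the stop words, and the assumption that lure subjects write the vessel name in
upper case are this example's own choices, not facts from the posts.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# "MV", "M/V", "M V", "Motor Vessel" (and the MT equivalents), optionally
# followed by a period, then at least one space and the rest of the subject.
# The lookbehind keeps the prefix from matching inside another word, so
# "MTG", "Amt" or "HMV" do not fire.
_PREFIX = re.compile(
    r"(?<![A-Za-z0-9])"
    r"(?:(?P<mv>M\s*/?\s*V|Motor\s+Vessel)|(?P<mt>M\s*/?\s*T|Motor\s+Tanker))"
    r"\.?\s+(?P<rest>\S.*)",
    re.IGNORECASE,
)

# Tokens that commonly follow a vessel name in maritime subject lines and
# therefore end the name (assumed list; extend it from your own mail corpus).
_STOP = {"ETA", "ETD", "IMO", "ETB"}
_PUNCT = ".,;:()[]|/-–"


@dataclass(frozen=True)
class Hit:
    subject: str
    kind: str     # "MV" or "MT"
    vessel: str   # extracted name, or "" when no upper-case name followed the prefix


def _vessel_name(rest: str) -> str:
    """Take the run of upper-case (or numeric) tokens after the prefix.

    Lure subjects typically shout the vessel name ("MV OCEAN STAR - Spares"),
    so the name is assumed to end at the first mixed-case word, at a stop
    word, or at punctuation.
    """
    name: List[str] = []
    for tok in rest.split():
        core = tok.strip(_PUNCT)
        if not core or core in _STOP or not (core.isupper() or core.isdigit()):
            break
        name.append(core)
        if tok != core and tok[-1] in _PUNCT:   # "QUEEN:" closes the name
            break
    return " ".join(name)


def classify(subject: str) -> Optional[Hit]:
    """Return a Hit when the subject carries an MV/MT lure, else None."""
    m = _PREFIX.search(subject)
    if not m:
        return None
    kind = "MV" if m.group("mv") else "MT"
    return Hit(subject, kind, _vessel_name(m.group("rest")))


def impersonated_vessels(subjects: Iterable[str]) -> Dict[str, int]:
    """Count how often each extracted vessel name appears, sorted by name."""
    counts: Counter = Counter()
    for s in subjects:
        hit = classify(s)
        if hit and hit.vessel:
            counts[hit.vessel] += 1
    return dict(sorted(counts.items()))


# Constructed sample subject lines for this example (not real observations).
SAMPLE_SUBJECTS = [
    "MV OCEAN STAR - Spares Quotation Request",
    "Re: M/T BLUE HORIZON / Crew Change Documents",
    "Motor Vessel SEA QUEEN: Port Agency Appointment",
    "MV ARCTIC WIND ETA Rotterdam",
    "Fwd: MV OCEAN STAR Bunker Supply",
    "MTG tomorrow at 10",            # not a lure: "MT" is part of "MTG"
    "Invoice amt due",               # not a lure: "mt" is inside "amt"
]

if __name__ == "__main__":
    for s in SAMPLE_SUBJECTS:
        print(f"{str(classify(s) is not None):5}  {s}")
    print(impersonated_vessels(SAMPLE_SUBJECTS))
```

The token-boundary lookbehind is the part worth keeping when porting this to a mail filter or SIEM rule: a bare substring match on "MT" fires on "MTG", "amt" and the like, which is why the regex refuses a prefix glued to another word and insists on whitespace after it.  A lure that writes the vessel name in mixed case is still flagged (the prefix matched), but its `vessel` field comes back empty, so a zero-length name means "review by hand", not "clean".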

Tens of thousands of devices around the world, including many industrial control systems (ICS) and government computers, have been targeted in what appears to be an espionage campaign involving a new piece of malware now named PseudoManuscrypt, Kaspersky recently reported.  Manuscrypt, aka NukeSped, is a family of malware tools that has been used in espionage campaigns in the past.  One such campaign was a February spear-phishing campaign linked to Lazarus, a prolific North Korean APT, that used the Man

A new Android banking trojan has been discovered targeting international banks and cryptocurrency services in the United Kingdom, Italy and the US.  Twenty-two instances have been reported so far.  The malware, first detected at the end of October 2021, appears to be new and is still being developed.  It was discovered by Cleafy, an Italian fraud detection and prevention firm.  Cleafy calls it ‘SharkBot’, named after the frequency of the word ‘sharked’ in its binaries.

SharkBot is not found in

Cybersecurity threats, risks and challenges often differ from one international location to another.  Cyber-attack targets vary based on local resources and the means available to exploit vulnerabilities.  Cyber criminals and nation-state attackers zero in on specific nations, companies and organizations for varying incentives.  Additionally, the COVID-19 pandemic amplified and intensified cybersecurity threats.  Since 2019, attackers have launched remote-work-enabled attacks or social engineering att