Thousands of people, including many who use applications such as AutoCAD, JetBrains, and the Foxit PDF editor, have become victims of a sophisticated data-stealing and crypto-mining malware campaign active since February 2023. The as-yet-unidentified threat behind it is distributing the malware via forum posts and illegal torrents. What makes the malware challenging to mitigate is its use of SSL pinning and TLSv1.3 encryption to protect its command-and-control (C2) communications and data exfilt
malware (90)
A global law enforcement operation has disrupted infrastructure for the Redline and Meta info stealers, malware tools that cybercriminal groups use to steal sensitive personal data. Operation Magnus took place on 28 October 2024, with law enforcement shutting down three servers used to run the malware in the Netherlands and the seizure of two domains. This means the malware no longer functions and cannot currently be used to steal new data from infected victims.
See: https://redskyalliance.org/xi
A new malware family named WarmCookie, also known as BadSpace, has been actively distributed through malspam and malvertising campaigns since April 2024.
See: https://redskyalliance.org/xindustry/windows-backdoor-to-push-badspace
According to a blog post from Cisco Talos published on 23 October 2024, the malware facilitates persistent access to compromised networks. It has been observed as an initial payload, often leading to the deployment of additional malware such as CSharp-Streamer-RAT an
Due to economic turbulence and a relentless surge in cyber threats, today's cybersecurity landscape requires enterprises to remain resilient by adapting to security risks. Many organizations have chosen to adapt to these risks by embracing modern technology such as generative artificial intelligence (GenAI), which can present new risks if not implemented properly. The speed at which companies innovate and adopt new technology is far outpacing the security measures that must be addressed first.
After the city of Columbus, Ohio, experienced a ransomware attack in July 2024 and disclosed the event, it sued a researcher who claimed the breach was more significant than the city let on. Ohio's largest city first fell victim to an attack on 18 July 2024 and quickly informed the public, claiming that it had stopped the attack before malware had infected its systems.
In early August 2024, the Rhysida ransomware gang leaked 3.1TB of data on its Tor-based site, information it claimed to have st
The US Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) assess that cyber actors affiliated with the Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155) are responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm since at least 2020. GRU Unit 29155 cyber actors began deploying the destructi
In August 2024, FortiGuard Labs observed a python infostealer we call Emansrepo that is distributed via emails that include fake purchase orders and invoices. Emansrepo compresses data from the victim’s browsers and files in specific paths into a zip file and sends it to the attacker’s email. According to our research, this campaign has been ongoing since November 2023. The attacker sent a phishing mail containing an HTML file, which was redirected to the download link for Emansrepo. PyInsta
In an era where digital threats loom large, the world finds itself grappling with an unprecedented surge in cyber-attacks. Yeah, no kidding. The landscape of digital security has become a battlefield, with corporate networks experiencing a staggering 30% increase in weekly attacks in the second quarter of 2024 compared to the same period in 2023. Yet, a recent study by Kiteworks, a provider of secure content communication solutions, has revealed a significant knowledge gap in the US regarding
FortiGuard Labs recently encountered an ongoing ValleyRAT campaign specifically targeting Chinese speakers. This malware has historically targeted e-commerce, finance, sales, and management enterprises. ValleyRAT is a multi-stage malware that utilizes diverse techniques to monitor and control its victims and deploy arbitrary plugins to cause further damage. Another noteworthy characteristic of this malware is its heavy usage of shellcode to execute its many components directly in memory, sign
Spyware is malicious software engineered to covertly monitor and gather information from a user’s computer without their awareness or consent. It can record activities like keystrokes, browsing behavior, and personal information, often transmitting this data to a third party for espionage or theft.
FortiGuard Labs recently detected an attack exploiting the CVE-2021-40444 vulnerability in Microsoft Office. This flaw allows attackers to execute malicious code via specially crafted documents. In th
The HardBit ransomware first appeared in October 2022, with a 2.0 version coming shortly thereafter in November of 2022. As one expects of a ransomware attack, HardBit targets organizations and demands cryptocurrency payments in exchange for decrypting data.
Earlier variants of HardBit aren’t noted as being especially unique, though one standout attribute of HardBit is that the operators have enhanced their extortion tactics by demanding to know about the victim’s potential cyber insurance co
Threat actors have exploited hacked high-ranking legitimate websites to enable BadSpace malware backdoor distribution on Windows machines. The threat actor employs a multi-stage attack chain involving an infected website, a command-and-control (C2) server, in some cases, a fake browser update, and a JScript downloader to deploy a backdoor into the victim's system. BadSpace is a backdoor Trojan that secretly installs itself on a computer, giving cybercriminals remote access and control. It can
LightSpy is a modular surveillance framework that can be used to steal a variety of data, including files, screenshots, mobile location data, or even messenger data from apps like Telegram. It was first documented by TrendMicro and Kapersky in 2020 as an iOS implant. At the time, LightSpy would spread through a watering hole method, which is to say that targets would be directed to pages mimicking local news sites. An example page can be seen in the image below. The APT group said to be resp
FortiGuard Labs has recently identified a sophisticated cyberattack involving an Excel file embedded with a VBA macro designed to deploy a DLL file. The attacker uses a multi-stage malware strategy to deliver the notorious "Cobalt Strike" payload and establish communication with a command and control (C2) server. This attack employs various evasion techniques to ensure successful payload delivery.
Over the past few years, Ukraine has been a significant target due to its geopolitical situation
A newly identified Android Trojan can steal user information and allow attackers to take control of infected devices. Named Brokewell, the trojan includes all the capabilities of mobile banking malware while also providing attackers with remote access to devices. Brokewell is being distributed via fake application updates, such as newer Chrome browser iterations and updates for an Austrian digital authentication application.
The malware overlays fake windows over the targeted mobile applications
Phishing-as-a-service, or PhaaS, is a cyber threat subscription service, much like any number of other “as a service” types you may be familiar with, such as ransomware-as-a-service. One of the noted early pioneers of this model is BulletProofLink. This operation was taken down by Malaysian law enforcement in November of last year in collaboration with the Australian Federal Police and the FBI.
The general ideal of phishing-as-a-service is that service providers are offering ready-to-use phis
ANY.RUN[1] the interactive malware sandbox provider, has issued a warning about BunnyLoader, a rapidly evolving malware written in C/C++. The new version, BunnyLoader 3.0, boasts enhanced capabilities and requires users and organizations to be more vigilant than ever.
Released just in September 2023, BunnyLoader's malicious functions range from exfiltrating credentials to stealing cryptocurrency wallets and dropping additional malware.
Here are some of the key changes introduced in BunnyLoader
On 16 March 2024, Sentinel Labs identified a suspicious Linux binary uploaded from Ukraine. Initial analysis showed surface similarities with the infamous AcidRain wiper used to disable KA-SAT modems across Europe at the start of the Russian invasion of Ukraine (commonly identified by the ‘Viasat hack’ misnomer). Since our initial finding, no similar samples or variants have been detected or publicly reported until now. This new sample is a confirmed variant called ‘AcidPour’, a wiper with si
The US Department of Justice claims that it has disrupted a botnet controlled by the Russian state-sponsored hacking group Forest Blizzard, also known as Fancy Bear. The Russian hackers' targets include US and foreign governments, military entities, and security and corporate organizations. The FBI operation copied and deleted stolen files and other data from the compromised routers and, working with local Internet service providers, the FBI then informed the owners and operators of the routers.
Magnet Goblin, a financially motivated threat actor, is swiftly adopting one-day security vulnerabilities into its arsenal to opportunistically breach edge devices and public-facing services and deploy malware on compromised hosts. Threat actor group Magnet Goblin's hallmark is its ability to swiftly leverage newly disclosed vulnerabilities, mainly targeting public-facing servers and edge devices. In some cases, the deployment of the exploits is within 1 day after a [proof-of-concept] is publi
