FortiGuard Labs recently encountered an ongoing ValleyRAT campaign specifically targeting Chinese speakers. This malware has historically targeted e-commerce, finance, sales, and management enterprises. ValleyRAT is a multi-stage malware that utilizes diverse techniques to monitor and control its victims and deploy arbitrary plugins to cause further damage. Another noteworthy characteristic of this malware is its heavy usage of shellcode to execute its many components directly in memory, sign
rat (20)
DarkGate malware operators have been exploiting a now-patched Windows SmartScreen bypass flaw through a phishing campaign that distributes fake Microsoft software installers to propagate the malicious code. Researchers discovered a then zero-day Internet Shortcut Files security feature bypass vulnerability tracked as CVE-2024-21412 earlier this year. Microsoft patched it as part of its February 2024 edition of Patch Tuesday updates. That was not before attackers such as Water Hydra exploited i
A new phishing campaign has been observed delivering Remote Access Trojans (RAT) such as VCURMS and STRRAT using a malicious Java-based downloader. The attackers stored malware on public services like Amazon Web Services (AWS) and GitHub, employing a commercial protector to avoid detection of the malware, an unusual aspect of the campaign is VCURMS' use of a Proton Mail email address ("sacriliage@proton[.]me") for communicating with a command-and-control (C2) server.
The attack chain commences
Our friends at FortiGuard Labs, recently detected a new injector written in Rust—one of the fastest-growing programming languages—to inject shellcode and introduce XWorm into a victim’s environment. While Rust is relatively uncommon in malware development, several campaigns have adopted this language since 2019, including Buer loader, Hive, and RansomExx. FortiGuard Labs analysis also revealed a significant increase in injector activity during May 2023, where the shellcode can be encoded with
This week, Rust-based file-encrypting ransomware was found to be impersonating the cybersecurity firm Sophos https://www.sophos.com as part of its operation. The malware named ‘SophosEncrypt’, the malware is being offered under the Ransomware-as-a-Service (RaaS) business model and appears to have already been used in malicious attacks. After several security researchers warned of the new RaaS, Sophos said it was aware of the brand's impersonation and was investigating the threat.
See: https:/
FortiGuard Labs researchers have come across a file name or e-mail subject that makes us sit up and take notice. Of course, it may turn out to be nothing. But every once in a while, one of these turns out to be incredibly interesting.
We recently came across one such file that referenced an Indian state military research organization and an in-development nuclear missile. The file was meant to deploy malware with characteristics matching the APT group “SideCopy.” With activities dating back t
A recent analysis by cyber threat investigators of over 70 billion DNS records has led to the discovery of a new sophisticated malware toolkit named Decoy Dog targeting enterprise networks. Decoy Dog, as the name implies, is evasive and employs techniques like strategic domain aging and DNS query dribbling, wherein a series of queries are transmitted to the command-and-control (C2) domains not to arouse any suspicion.
Decoy Dog is a cohesive toolkit with several highly unusual characteristics t
April 18th was Tax Day in the US. Did you file your taxes? If, not you can always get an extension. Either way, tax payers in the US need to heed the warning from Microsoft security investigators. Microsoft is warning of a new Remcos Remote Access Trojan (RAT) campaign targeting accounting and tax return preparation firms in the US. Tax season in the US has long represented an opportunity for cybercriminals to target unsuspecting victims in various types of malicious attacks, including malw
April 18th was Tax Day in the US. Did you file your taxes? If, not you can always get an extension. Either way, tax payers in the US need to heed the warning from Microsoft security investigators. Microsoft is warning of a new Remcos Remote Access Trojan (RAT) campaign targeting accounting and tax return preparation firms in the US. Tax season in the US has long represented an opportunity for cybercriminals to target unsuspecting victims in various types of malicious attacks, including malw
April 18th was Tax Day in the US. Did you file your taxes? If, not you can always get an extension. Either way, tax payers in the US need to heed the warning from Microsoft security investigators. Microsoft is warning of a new Remcos Remote Access Trojan (RAT) campaign targeting accounting and tax return preparation firms in the US. Tax season in the US has long represented an opportunity for cybercriminals to target unsuspecting victims in various types of malicious attacks, including malw
The Luna Moth, also known as the Silent Ransom Group, has been active since March 2022 and has extorted hundreds of thousands of dollars from several victims in the legal and retail sectors. The attacks are notable for employing callback phishing or Telephone-oriented attack Delivery (TOAD).
The lure of recent Luna Moth campaigns is a phishing email with an invoice indicating that the recipient’s credit card has been charged for a service, typically under $1,000. The phishing email is personaliz
Since 2018, Proofpoint researchers have tracked a financially-motivated cybercrime actor, TA558, targeting hospitality, travel, and related industries located in Latin America and sometimes North America, and western Europe. The actor sends malicious emails written in Portuguese, Spanish, and sometimes English. The emails use reservation-themed lures with business-relevant themes such as hotel room bookings. The emails may contain malicious attachments or URLs aiming to distribute one of at l
Activity Summary - Week Ending on 17 June 2022:
- Red Sky Alliance identified 39,997 connections from new IP’s checking in with our Sinkholes
- Amazon in Portland OR 35 x
- Analysts identified 1,669 new IP addresses participating in various Botnets
- Yashma Ransomware, GoodWill Ransomware and Horsemagyar Ransomware
- Grandoreiro Malware
- Moses Staff
- Summer Vacation
- Async RAT
- Netwire RAT
- Colombian Military members
- Quasar RAT
Link to full report: IR-22-168-002_weekly168.pdf
The old trick of using a Trojan horse to deceive is still in vogue and using cyber as the lure. A massive phishing campaign is distributing what looks like ransomware but is in fact trojan malware that creates a backdoor into Windows systems to steal usernames, passwords, and other information from victims. Detailed by cybersecurity researchers at Microsoft, the latest version of the Java-based STRRAT malware is being sent out via a large email campaign, which uses compromised email accounts t
Cyber threat actors are increasingly using and abusing Telegram as a "command-and-control" system to distribute malware into organizations that could then be used to capture sensitive information from targeted systems. Telegram is a cloud-based instant messaging and voice-over IP service. Telegram client apps are available for Android, iOS, Windows Phone, Windows NT, macOS, and Linux. Users can send messages and exchange photos, videos, stickers, audio, and files of any type. Even when Telegr
Recently, one Discord network search turned up 20,000 virus results, researchers found. Workflow and collaboration tools like Slack and Discord have been infiltrated by threat actors, who are abusing their legitimate functions to evade security and deliver info-stealers, remote-access trojans (RATs) and other malware.
The pandemic-induced shift to remote work drove business processes onto these collaboration platforms in 2020, and predictably, 2021 has ushered in a new level cybercriminal exper
NYANxCAT is a prolific hacker who programs new pieces and versions of malware, shares it widely, and records blackhat hacker educational YouTube videos which has over 150,000 views. He uses GitHub repository, sells his hacker tools and services using PayPal and Bitcoin. In this report, we discuss some of the samples of NYANXCat malware, his business models, and possible Kuwaiti identity.
(Figure 1. NYANxCAT GitHub logo) |
NYANxCAT Hacker Profile
Name: possible name: Hmoud [Hu
Hackers are using a phishing campaign to deploy KONNI malware, a remote access trojan (RAT), via Microsoft Word documents containing malicious Visual Basic Application (VBA) macro code, according to a recent Department of Homeland Security (DHS) Cybersecurity and Infrastructure alert (CISA).
First observed in 2014, the malware was linked to several campaigns tied to North Korea. There are also significant links in code with the NOKKI malware family and researchers possess some evidence that link
Three US agencies published a joint warning alert for private companies about new versions of Taidoor, a malware family previously associated with Chinese state-sponsored hackers.
The alert is from the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (DHS CISA), the Department of Defense's Cyber Command (CyberCom), and the Federal Bureau of Investigations (FBI). The three US government agencies report they have observed Taidoor being used in new attacks. The n
The electric grid is so important to any country’s national security and thus the high importance of keeping the electricity flowing. Even an outage of only a few minutes can wreak havoc on any residence or business. Cyber attackers responsible for distributing LookBack malware are targeting US utility providers with a new threat called “FlowCloud.” The FlowCloud modular remote-access trojan (RAT) has similarities and connections to the LookBack malware. The LookBack at its core is a remote