Cylera Labs presents medium-high confidence evidence tying Kwampirs to the notorious Shamoon attacks — a technical analysis

ASEC 분석팀은 작년 12월에 게시한 <디자인수정 요청 문서로 위장한 정보 탈취 목적의 악성 워드>와 동일한 유형의 워드 문서를 확인하였다. 이번에 확인된 워드 문서의 제목은 ‘제품소개서.doc’이며 내부에 특정 제품들에 대한 설명을 포함하고 있는 것으로 보아 물류, 쇼핑 관련 업체를 타겟한 공격으로 추정된다. 확인된 워드 문서 내부에는 이전과 동일한 이미지가 포함되어 있어 매크로 실행을 유도한다. 해당 워드 문서는 ‘디자인수정 요청.doc’ 파일과…

Achieve execution using a custom keyboard layout. Contribute to NtQuerySystemInformation/CustomKeyboardLayoutPersistence development by creating an account on GitHub.

背景


自从Log4J漏洞被曝光后，正所谓"忽如一夜漏洞来，大黑小灰笑开怀”。无数黑产团伙摩拳擦掌加入了这个“狂欢派对”，其中既有许多业界非常熟悉的恶意软件家族，同时也有一些新兴势力想趁着这股东风在黑灰产上分一杯羹。360Netlab作为专注于蜜罐和Botnet检测跟踪的团队，我们自该漏洞被公开后就一直关注它会被哪些僵尸网络利用，期间我们看到了Elknot，Gafgyt，Mirai等老朋友的从不缺席，也见证了一些新朋友的粉墨登场。


2022年2月9日，360Netlab的蜜罐系统捕获了一个未知的E…

Cyble Research Lab's analyzes Pandora Ransomware and the possibility that it may be a re-brand of Rook Ransomware.

Background


Since the Log4J vulnerability was exposed, we see more and more malware jumped on the wagon, Elknot, Gafgyt, Mirai are all too familiar, on February 9, 2022, 360Netlab's honeypot system captured an unknown ELF file propagating through the Log4J…

Learn how CrowdStrike discovered a new vulnerability in the CRI-O Container Engine (CVE-2022-0811), and what organizations can do to remediate this vulnerability.

New malicious activity targets organizations with fake Ukrainian translation software to drop GrimPlant and GraphSteel malware.

Gh0stCringe RAT Being Distributed to Vulnerable Database Servers ASEC

DirtyMoe's Rapid Worming Expansion

The Microsoft Defender for IoT research team has recently discovered the exact method through which MikroTik devices are used in Trickbot’s C2 infrastructure. In this blog, we share the analysis of this method and provide insights on how attackers gain access…

The ASEC analysis team has discovered a word document that is in the same category as the document introduced in the post <Word File Disguised as a Design Modification Request for Information Theft>, uploaded in December last year. The title of the document…

Threat Analysis Group (TAG) observed a financially motivated threat actor we refer to as EXOTIC LILY, exploiting a 0day in Microsoft MSHTML (CVE-2021-40444). Investigating this group's activity, we determined they are an Initial Access Broker (IAB) who appear…

Cyble Research Labs recently came across a ransomware sample allegedly targeting Russia and sending out a message to stop the war.

The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from March 7th, 2022 (Monday) to March 13th, 2022 (Sunday). For the main category, info-stealer…

Introduction to MikroTik Vulnerabilities

As war in Ukraine rages, new destructive malware continues to be discovered. In this short blog post, we will review IsaacWiper and CaddyWiper, two new wipers that do not have much in common based on…

In December 2021, we observed an adversary exploiting the Microsoft Exchange ProxyShell vulnerabilities to gain initial access and execute code via multiple web shells. The overlap of activities an…

BitRAT Disguised as Windows Product Key Verification Tool Being Distributed ASEC

Key Findings Proofpoint identified a targeted attack leveraging an open-source package installer Chocolatey to deliver a backdoor. The attack targeted French entities in the construction,