Latest Threat Intelligence

ViperSoftX Uses Deep Learning-based Tesseract to Exfiltrate Information

Description: This analysis focuses on the recent activities of the ViperSoftX malware strain, which controls infected systems and steals user information. The malware is known to install additional malware payloads, including Quasar RAT and a new infostealer called TesseractStealer. TesseractStealer utilizes the open-source Tesseract OCR engine to extract text from image files and specifically targets passwords, cryptocurrency wallet addresses, and related information within those images for exfiltration to attacker-controlled servers.

Created at: 2024-05-17T08:50:10.150000

Updated at: 2024-05-21T09:16:05.579000

Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID

Description: LATRODECTUS is a malware loader gaining popularity among cybercriminals, with strong connections to the ICEDID malware family. It offers standard capabilities for deploying payloads and conducting post-exploitation activities. Initially discovered by Walmart researchers in 2023, it continues evolving with new features like process discovery and desktop file listing. LATRODECTUS shares infrastructure and techniques with ICEDID operators, suggesting it may be a potential replacement. Elastic Security provides robust detection capabilities through memory signatures, behavioral rules, and hunting opportunities to respond to threats like LATRODECTUS.

Created at: 2024-05-17T09:03:43.401000

Updated at: 2024-05-21T08:49:48.432000

Master of Puppets: Uncovering the pro-Russian influence campaign

Description: The DoppelGänger campaign is an ongoing influence operation attributed to Russian entities Structura and the Social Design Agency. Its primary goal is to diminish support for Ukraine and foster divisions within supporting nations. It targets audiences in several Western countries through a network of news websites publishing disinformation articles amplified via inauthentic social media accounts across multiple platforms. The campaign demonstrates an ability to tailor narratives to specific countries and current events, adapting its targeting and tactics.

Created at: 2024-05-21T08:22:34.695000

Updated at: 2024-05-21T08:22:34.695000

Deserialization of VIEWSTATE: how an “unpatched” vulnerability plays into the hands of pro-government groups

Description: At the end of 2023, the Solar 4RAYS team was investigating an attack on a Russian telecom company by an Asian advanced persistent threat (APT) group named Obstinate Mogwai (translated as "Stubborn Demon" in English). This group was persistent, repeatedly infiltrating the network until all entry points were secured. They exploited a well-known vulnerability related to untrusted data deserialization in the VIEWSTATE parameter of the ASP.NET environment, referred to as VIEWSTATE deserialization.

Created at: 2024-05-20T10:05:56.747000

Updated at: 2024-05-21T07:52:29.585000

GitCaught: Threat Actor Leverages GitHub Repository for Malicious Infrastructure

Description: In recent research, Recorded Future's Insikt Group uncovered a sophisticated cybercriminal campaign led by Russian-speaking threat actors from the Commonwealth of Independent States (CIS). These threat actors leveraged a GitHub profile to impersonate legitimate software applications like 1Password, Bartender 5, and Pixelmator Pro to distribute various malware types, such as Atomic macOS Stealer (AMOS) and Vidar. This malicious activity highlights the abuse of trusted internet services to orchestrate cyberattacks that steal personal information.

Created at: 2024-05-20T16:33:16.552000

Updated at: 2024-05-20T16:33:16.552000

New Antidot Android Banking Trojan Masquerading as Fake Google Play Updates

Description: The "Antidot" Android banking trojan masquerades as a Google Play update app. It strategically targets Android users across various regions and employs VNC and overlay techniques to harvest credentials.

Created at: 2024-05-20T11:57:30.297000

Updated at: 2024-05-20T15:54:50.107000

Analysis of APT attack cases targeting domestic companies using Dora RAT (Andariel Group)

Description: AhnLab Security Intelligence Center (ASEC) recently confirmed that the Andariel group carried out APT attacks on domestic companies and institutions. The targeted organizations included manufacturing companies, construction firms, and educational institutions. The attackers employed backdoors, keyloggers, infostealers, and proxy tools to control the infected systems and steal data. Malware previously associated with the Andariel group was identified in this attack, such as the Nestdoor backdoor, and web shells were also detected. A proxy tool similar to, though not identical to, the one used in past Lazarus group attacks was employed in this incident as well.

Created at: 2024-05-20T10:20:28.411000

Updated at: 2024-05-20T10:20:28.411000

Banking trojan unleashed: Observing emerging global campaigns

Description: IBM's X-Force has been tracking large-scale phishing campaigns distributing the Grandoreiro banking trojan, likely operated as a Malware-as-a-Service. The malware targets over 1500 global banks, enabling banking fraud in over 60 countries. The latest variant features major updates, including string decryption and domain generation algorithm enhancements, and the ability to spread through Microsoft Outlook clients. Campaigns impersonate government entities in Mexico, Argentina, and South Africa, indicating a change in strategy and global expansion since recent law enforcement actions against the operators.

Created at: 2024-05-20T09:40:42.607000

Updated at: 2024-05-20T09:48:42.295000

Redline Stealer: A Novel Approach

Description: A new packed variant of the Redline Stealer trojan was observed spreading in the wild. It uses Lua bytecode and advanced techniques to evade detection, infect systems, and exfiltrate sensitive user data. The malware leverages GitHub for distribution and abuses Windows components for stealthy persistence. It gathers system info and communicates with a remote C2 server to receive commands and exfiltrate data. Detailed analysis revealed the inner workings of the malware, its obfuscation methods, and novel techniques.

Created at: 2024-04-19T13:52:30.478000

Updated at: 2024-05-19T13:00:03.978000

Analysis of Pupy RAT Used in Attacks Against Linux Systems

Description: Pupy RAT is a cross-platform remote access trojan that has been used by various threat actors, including APT groups, to target Linux and Windows systems. It provides features for remote control, information theft, and post-exploitation attacks. Recent examples include distribution alongside PlugX to target South Korea, and updated versions targeting Russia and Eastern Europe. To prevent infection, systems should be kept updated and anti-malware solutions used.

Created at: 2024-04-19T13:48:13.123000

Updated at: 2024-05-19T13:00:03.978000