Latest Threat Intelligence

Stories from the SoC Part 1: IDAT Loader to BruteRatel

Description: This report provides an analysis of a recent malware campaign that begins with a drive-by download of a Rust binary, which then loads the IDAT malware loader. The IDAT loader injects the SecTop RAT, followed by deployment of the Brute Ratel C4 framework for command and control. Technical details are provided on the tactics, techniques and procedures used at each stage of the attack.

Created at: 2024-04-01T09:22:41.845000

Updated at: 2024-05-01T09:04:25.876000

Dissects infostealer malware

Description: Jamf Threat Labs analyzed two recent infostealer malware attacks targeting macOS users. The attacks used different techniques but had the common goal of stealing sensitive user data. The malware prompted for passwords, collected browser data, and exfiltrated information.

Created at: 2024-04-01T09:17:04.319000

Updated at: 2024-05-01T09:04:25.876000

Distribution of Infostealer Made With Electron

Description: AhnLab Security Intelligence Center (ASEC) has discovered an Infostealer malware strain developed using the Electron framework, which allows the creation of applications using JavaScript, HTML, and CSS. The malware is distributed in the Nullsoft Scriptable Install System (NSIS) installer format. Once executed, it installs an Electron application that interacts with the operating system via Node.js, where the malicious behaviors are defined. The report describes two cases, one involving user information collection and the other uploading collected data to a file-sharing service. The malware strains are difficult to detect due to their Electron structure.

Created at: 2024-04-30T14:52:39.554000

Updated at: 2024-04-30T14:56:45.047000

Zloader Learns Old Tricks

Description: Zloader (a.k.a. Terdot, DELoader, or Silent Night) is a modular trojan based on leaked ZeuS source code. Zloader has continued to evolve since its resurrection around September 2023 after an almost two-year hiatus. The latest version, 2.4.1.0, introduces a feature to prevent execution on any machine other than the one originally infected. This anti-analysis technique was present in the original ZeuS 2.X code but implemented differently.

Created at: 2024-04-30T14:41:41.484000

Updated at: 2024-04-30T14:47:27.945000

The Darkgate Menace: Leveraging Autohotkey & Attempt to Evade Smartscreen

Description: This report details a novel infection chain associated with DarkGate malware, a Remote Access Trojan (RAT) that exploits the AutoHotkey utility and attempts to bypass Microsoft Defender SmartScreen. The infection begins with an HTML-based entry point or an XLS file, utilizing techniques such as disguising malicious content as legitimate files. The attack chain involves downloading and executing various components, including VBScript, PowerShell scripts, and AutoHotkey scripts, ultimately leading to the execution of the DarkGate payload. The report also highlights the vulnerability CVE-2023-36025 and its exploitation to evade SmartScreen warnings, as well as persistence mechanisms employed by the malware.

Created at: 2024-04-30T14:13:30.281000

Updated at: 2024-04-30T14:39:30.902000

FakeBat Malware Distributing via Fake Browser Updates

Description: This report details a recent malware campaign leveraging fake browser update notifications to distribute the FakeBat loader. The campaign employs sophisticated social engineering techniques, with malicious JavaScript code injected into compromised websites to trigger deceptive update prompts. These prompts mimic legitimate browser updates, personalized to match the user's browser type and language settings, ultimately serving a malicious MSIX payload signed with a previously used Consoneai Ltd signature. The report outlines the multi-stage infection chain, server-side logic controlling malicious page exposure, and the use of Pastebin links hosting anti-analysis techniques.

Created at: 2024-04-29T18:18:22.186000

Updated at: 2024-04-30T13:53:36.873000

Phishing Campaigns Targeting USPS See as Much Web Traffic as the USPS Itself

Description: Following the 2023 holiday season, Akamai researchers uncovered a significant amount of highly likely malicious activity and domains purporting to be associated with the United States Postal Service (USPS). Akamai researchers compared five months of DNS traffic to the legitimate domain, usps.com, with DNS traffic to illegitimate combosquatted domain names.

Created at: 2024-04-29T19:15:55.595000

Updated at: 2024-04-29T19:15:55.595000

LightSpy Malware Variant Targeting macOS

Description: This report details the discovery of a macOS variant of the LightSpy malware, previously known to target iOS and Android devices. The macOS implant consists of a dropper that downloads and runs a core implant dylib, which in turn loads various plugins to accomplish malicious tasks. The report provides a technical analysis of the malware components, including the droppers, implants, and plugins, highlighting key differences from the iOS version. It also discusses the communication with the command-and-control (C2) server and the data collection capabilities of the malware. The report aims to raise awareness about the evolving threats targeting the macOS platform.

Created at: 2024-04-29T18:41:32.995000

Updated at: 2024-04-29T18:55:25.393000

Analysis of APT Group's Use of Malicious LNK Files to Deliver RokRat Attack

Description: The report details a recent cyber attack campaign by the APT-C-28 (ScarCruft) group, known for targeting organizations in Korea and Asia. The campaign utilized a malicious LNK file disguised as a document related to a 'North Korean Human Rights Expert Debate' to deliver the RokRat remote access trojan. When executed, the LNK file deployed a series of PowerShell scripts to download and execute the encrypted RokRat payload from a Dropbox link. Detailed analysis of the attack flow and malware components is provided, highlighting the group's persistent use of cloud services and evolving evasion techniques.

Created at: 2024-04-29T18:40:09.824000

Updated at: 2024-04-29T18:53:36.192000

Analysis of DEV#POPPER: New Attack Campaign Targeting Software Developers Likely Associated With North Korean Threat Actors

Description: This report delves into an ongoing social engineering attack campaign, codenamed DEV#POPPER, likely orchestrated by North Korean threat actors, targeting software developers through fake job interviews. The attackers trick the developers into downloading and executing a malicious Python-based RAT disguised as benign software. The report meticulously dissects the attack chain, uncovering its stages, from a malicious NPM package to command execution, payload download, and the RAT's capabilities, including system information gathering, remote command execution, data exfiltration, and keystroke logging.

Created at: 2024-04-29T18:38:29.158000

Updated at: 2024-04-29T18:52:19.606000