Tag: Detection Content

Behaviour Analysis of Redline Stealer

Infostealers occupy a special place among malware, since, with their simplicity, they very effectively cope with their primary tasks: to collect all potentially valuable information in the system, exfiltrate it to the command-and-control server, and then delete themselves and traces of their activities. They are used by both beginners and advanced threat actors, and there are […]

Read More
Nanocore RAT Detection

Nanocore RAT has been used in cyberattacks for about 7 years, and there are a huge number of modifications of this trojan. Official, “semi-official” and cracked versions of this malware are sold on forums on the DarkNet, and sometimes even given away for free, so it is not surprising that the number of attacks using […]

Read More
Immortal Stealer

This week, Lee Archinal, the Threat Bounty Program contributor posted a community Sigma rule for detecting yet another infostealer. The “Immortal Stealer (Sysmon Behavior)” rule is available for download in the Threat Detection Marketplace after registration: https://tdm.socprime.com/tdm/info/V0Q03WX81XBY/dEM_SXQBSh4W_EKGVbX_/?p=1 Immortal Infostealer appeared a little over a year ago on the dark web forums with different build-based subscriptions. […]

Read More
New QakBot Techniques

The QBot banking Trojan that is also known as Qakbot or Pinkslipbot has been known to cybersecurity researchers since 2008, and it keeps tricking the business with emerging campaigns demonstrating its elaborated stealth capabilities. Another phishing campaign delivering the malicious document has attracted the researchers’ attention. The latest QakBot attack is notable for delivering a […]

Read More
Recent Attacks of Lazarus APT

The Lazarus APT group is one of the few state-sponsored cyber espionage units that also handle financially motivated cybercrimes and it is the most profitable threat actor in the cryptocurrency scene which managed to steal about $2 billion. In 2017 alone, the group stole more than half a billion dollars in cryptocurrency, so their interest […]

Read More
BLINDINGCAN RAT

Late last week, Ariel Millahuel released community threat hunting rule to detect BLINDINGCAN Remote Access Trojan that is used by North Korean state-sponsored hackers: https://tdm.socprime.com/tdm/info/pi0B7x1SzQlU/FiBkEHQBSh4W_EKGcibk/?p=1 The rule is based on a malware analysis report recently published by CISA experts. Threat actor used BLINDINGCAN RAT in a cyberespionage campaign primarily targeted at the US defense and […]

Read More
Detection Content: Drovorub Malware

Last week, the FBI and NSA released a joint security alert containing details about Drovorub malware, a new utility in APT28’s hands. This is a Linux malware that is used to deploy backdoors in compromised networks. The malware is a multi-component system that consists of a kernel module rootkit, an implant, a C&C server, a […]

Read More
Detection Content: Mekotio Banking Trojan

Mekotio is one more Latin American banking trojan that is targeted at users mainly in Brazil, Mexico, Spain, Chile, Peru, and Portugal. This is persistent malware that is distributed via phishing emails and ensures persistence either by creating an LNK file in the startup folder or using a Run key. It is capable of stealing […]

Read More
CVE-2020-17506 and CVE-2020-17505 exploitation detection (Artica Proxy)

By today’s post, we want to inform you about several vulnerabilities recently discovered in Artica Proxy, a system enabling users with basic technical skills to manage a proxy server in a transparent mode, as well as connection to AD and OpenLDAP, version 4.30. The freshly reported CVE-2020-17506 vulnerability of Artica Proxy enables hackers to abuse […]

Read More
Detection Content: CVE-2019-16759 exploitation with new method

Today, we would like to put a notice about the CVE-2019-16759 vulnerability in vBulletin, the most extensively used forum software, observed for version 5 and higher. The vulnerability affords hackers an opportunity to run remote commands via the widgetConfig[code] parameter in an HTTP POST request and depending on the user’s permissions in vBulletin, receive control […]

Read More