Tag: Sigma

Detection Content: Finding the Lokibot Trojan

Lokibot is trojan-type malware designed to collect a wide range of sensitive data. It was first noticed in 2015 and remains very popular among cybercriminals, as any attacker can purchase it on an underground forum. A couple of years ago, “tinkerers” learned how to add C&C infrastructure addresses to the Trojan on their […]

Rule Digest: APT Groups, Malware Campaigns and Windows Telemetry

This week our Rule Digest covers more content than usual. It compiles rules for detecting recent attacks by state-sponsored actors, malware campaigns conducted by cybercriminals, and abuse of Windows telemetry. Mustang Panda is a China-based threat group that has demonstrated an ability to rapidly assimilate new tools and tactics into its operations. This APT group […]

Rule of the Week: Bunitu Trojan

Today, in the Rule of the Week section, we want to highlight a new threat hunting rule from Ariel Millahuel that helps to detect samples of the Bunitu Proxy Trojan: https://tdm.socprime.com/tdm/info/3evdCZVz3mCX/_WrlonIBPeJ4_8xctGPi/?p=1 The Bunitu Trojan is used for turning infected systems into a proxy for remote clients. Its malicious actions can slow down the network traffic, and adversaries […]

Threat Hunting Content: Higaisa APT

Higaisa APT has been known since November 2019, when Tencent researchers first documented its activities. The group was discovered recently, but the attackers have been operating for several years and use common tools to complicate attribution. They mainly use mobile malware and the Gh0st and PlugX trojans. Researchers believe that Higaisa APT is a South […]

Detection Content: Tycoon Ransomware

Although new ransomware families appear quite often, most of them focus exclusively on Windows systems. Far more interesting is Tycoon, a multi-platform Java ransomware that can encrypt files on both Windows and Linux systems. This family has been observed in the wild since at least December 2019. Its authors compiled it into a […]

Threat Hunting Content: Espionage Campaign by Sandworm Group

A Russian state-sponsored cyber espionage unit known for its destructive attacks is actively compromising Exim mail servers via a critical security vulnerability (CVE-2019-10149). At the end of May, the National Security Agency released a Cyber Security Advisory that warned of a campaign linked to Sandworm Group. The group is best known for its BlackEnergy campaign, the […]

Rule Digest: Emotet, Ransomware, and Trojans

Hello everyone, we are back with five fresh rules submitted this week by participants of the Threat Bounty Program. You can check our previous digests here, and if you have any questions, you are welcome to ask in the chat. Pykspa worm-like malware can install itself to maintain persistence, listen on an incoming port for additional commands, and drop […]

Rule of the Week: Command Execution on Azure VM

In the Rule of the Week section, we present the Command Execution on Azure VM (via azureactivity) rule by SOC Prime Team: https://tdm.socprime.com/tdm/info/A5uYMlcWOmeq/RYxlfnIB1-hfOQirCXZy/?p=1# Adversaries can misuse Azure VM functionality to establish a foothold in an environment, which could be used to persist access and escalate privileges. They can exploit the Run Command feature that […]

Detection Content: Himera Loader

Today’s post is dedicated to the Himera loader malware that adversaries have been using in COVID-19-related phishing campaigns since last month. Cybercriminals continue to exploit Family and Medical Leave Act requests related to the ongoing COVID-19 pandemic as a lure, as this theme has already proven its effectiveness in distributing Trickbot and Kpot […]

Threat Hunting Content: AsyncRat Detection

Today, under the Threat Hunting Content column, we are drawing your attention to the AsyncRAT Detection (Sysmon Behavior) community rule by Emir Erdogan. The rule enables the detection of AsyncRat by using Sysmon logs. According to the author of the project on GitHub, AsyncRat is a Remote Access Tool designed to remotely monitor and control other […]
