Latin American banking trojans are just about to make a separate trend in malware writing. Adversaries regularly create new Trojans or Exploit Kits to attack bank users in Brazil, Mexico, and Peru, and with each new malicious campaign expand their target lists first to neighboring countries, and then to worldwide campaigns. In our recently published […]
Zoom-themed lures continue to be actively used by cybercriminals, taking pride of place in the top ten most used topics in phishing campaigns. From the very beginning of the lockdown, as the Zoom popularity grew, the number of attacks increased, and even after researchers discovered serious security problems with the service, many organizations did not […]
Lokibot is trojan-type malware designed to collect a wide range of sensitive data. It was first noticed in 2015 and remains very popular among cybercriminals as it can be purchased at the underground forum by any attacker. A couple of years ago, “tinkerers” learned how to add C&C infrastructure addresses to the Trojan on their […]
This week our Rule Digest covers more content than usual. It compiles rules for detecting recent attacks of state-sponsored actors, malware campaigns conducted by cybercriminals, and abusing Windows telemetry. Mustang Panda is the China-based threat group that has demonstrated an ability to rapidly assimilate new tools and tactics into its operations. This APT group […]
Today in the Rule of the Week section we want to highlight a new threat hunting rule from Ariel Millahuel which helps to detect samples of Bunitu Proxy Trojan: https://tdm.socprime.com/tdm/info/3evdCZVz3mCX/_WrlonIBPeJ4_8xctGPi/?p=1 Bunitu Trojan is used for turning infected systems into a proxy for remote clients. Its malicious actions can slow down the network traffic, and adversaries […]
Higaisa APT has been known since November 2019, when Tencent researchers first documented its activities. The group was discovered recently, but attackers have been operating for several years and use common tools to complicate the attribution. They mainly use mobile malware and the Gh0st and PlugX trojans. Researchers believe that Higaisa APT is a South […]
Despite the fact that new ransomware families appear quite often, most of them are focused exclusively on Windows systems. Way more interesting is Tycoon, a multi-platform Java ransomware that can encrypt files on both Windows and Linux systems. This family has been observed in-the-wild since at least December 2019. Its authors compiled it into a […]
Russian state-sponsored cyber espionage unit known for its destructive attacks is actively compromising Exim mail servers via a critical security vulnerability (CVE-2019-10149). At the end of May, the National Security Agency released a Cyber Security Advisory that warned of a campaign linked to Sandworm Group. The group is best known for its BlackEnergy campaign, the […]
Hello everyone, we are back with five fresh rules submitted this week by participants of the Threat Bounty Program. You can check our previous digests here, and if you have any questions, then welcome to the chat. Pykspa worm-like malware can install itself to maintain persistence, listen to incoming port for additional commands, and drop […]
In the Rule of the Week section, we present you the Command Execution on Azure VM (via azureactivity) rule by SOC Prime Team: https://tdm.socprime.com/tdm/info/A5uYMlcWOmeq/RYxlfnIB1-hfOQirCXZy/?p=1# Â Â Adversaries can misuse Azure VM functionality to establish a foothold in an environment, which could be used to persist access and escalate privileges. They can exploit the Run Command feature that […]