Today, in the Threat Hunting Rules category, we are pleased to present you a new rule developed by Ariel Millahuel, which detects Redaman RAT: https://tdm.socprime.com/tdm/info/gAF3sheoIG9y/qtkZmnMBQAH5UgbBy6do/?p=1 Redaman is a form of banking trojans distributed by phishing campaigns. It was first seen in 2015 and reported as the RTM banking Trojan, new versions of Redaman appeared in […]
As you know, Malware-as-a-Service (MaaS) is a business that has already become commonplace and runs on the underground forums and black markets offering an array of services. The first attacks using Golden Chickens MaaS began back in 2017, and the Cobalt group was among their first “clients”. The success of this project heavily relies on […]
For never was a story of more woe than this of once again returning Emotet. This time, there were no full-scale campaigns for about seven months, although isolated cases of infection were recorded and researchers found documents distributing this malware. The attacks resumed last Friday, with the botnet sending about 250,000 emails in a matter […]
July turned out to be fruitful for disclosed critical vulnerabilities: CVE-2020-5903 (F5 BIG-IP), CVE-2020-8193 (Citrix ADC / Netscaler), CVE-2020-2034 (Palo Alto PAN-OS), CVE-2020-6287 (SAP Netweaver), CVE-2020-3330 (Cisco VPN / Firewalls), and CVE-2020-1350 (aka SIGRed, the vulnerability in Microsoft Windows DNS Server). Last week, Threat Bounty Program contributors and the SOC Prime team published a series […]
Today in the Threat Hunting Content section, we want to pay attention to the community rule released in Threat Detection Marketplace by Ariel Millahuel that detects fresh samples of SamoRAT malware: https://tdm.socprime.com/tdm/info/38LTISI1kgNm/w6aTR3MBQAH5UgbBM9Gi/?p=1 This remote access trojan appeared on the radars of researchers recently, the first SamoRAT samples were discovered about a month ago. The trojan […]
Living off the Land binaries (Lolbins) are legitimate binaries that advanced adversaries often misuse to perform actions beyond their original purpose. Cybercriminals actively use them to download malware, to ensure persistence, for data exfiltration, for lateral movement, and more. Just yesterday we wrote about a rule that detects attacks of the Evil Corp group, which […]
Today we want to tell you about the DropboxAES trojan used by the APT31 group in cyber espionage campaigns and also give a link to the Community Sigma rule to detect this malware. In general, DropboxAES does not stand out from the rest of the remote access trojan. This is a relatively new tool in […]
Last week, F5 Networks, one of the world’s largest provider of application delivery networking products, released a security advisory to warn their customers about a dangerous vulnerability that cybercriminals could start exploiting in the near future if it wasn’t already exploiting in the wild. The security flaw was discovered in multi-purpose networking devices (BIP-IP) that […]
Taurus information-stealing malware is a relatively new tool created by Predator The Thief team that promotes it on hacker forums. The infostealer can steal sensitive data from browsers, cryptocurrency wallets, FTP, email clients, and various apps. The malware is highly evasive and includes techniques to evade sandbox detection. Adversaries developed a dashboard where their customers […]
Last week, security researchers discovered a curious way to hide the malicious payload in plain sight, and this method is actively used in the wild. Adversaries use fake error logs to store ASCII characters disguised as hexadecimal values that decode to a malicious payload designed to prepare the ground for script-based attacks. In the discovered […]