Over the past two weeks, we saw a new PurpleFox botnet variant that uses WebSockets for C2 communication. In addition, since July 2021, malicious cyber actors have used BlackMatter ransomware to target multiple U.S. critical infrastructure entities, including a U.S. Food and Agriculture Sector organization.

For more articles, check out our #onpatrol4malware blog.

New “Yanluowang” Ransomware Variant Discovered

Source: InfoSecurity

Security researchers are warning of a newly discovered ransomware variant currently being used in targeted attacks. Read more.

RANSOMWARE IN A GLOBAL CONTEXT

Source: VIRUSTOTAL

This initiative is designed to help researchers, security practitioners and the general public better understand the nature of ransomware attacks by sharing VirusTotal’s visibility. Read more.

CISA, FBI, and NSA Release Joint Cybersecurity Advisory on BlackMatter Ransomware

Source: CISA

Since July 2021, malicious cyber actors have used BlackMatter ransomware to target multiple U.S. critical infrastructure entities, including a U.S. Food and Agriculture Sector organization. Read more.

New PurpleFox botnet variant uses WebSockets for C2 communication

Source: Bleeping Computer

The PurpleFox botnet has refreshed its arsenal with new vulnerability exploits and dropped payloads, now also leveraging WebSockets for C2 bidirectional communication. Read more.

Russian-speaking cybercrime evolution: What changed from 2016 to 2021

Source: Secure List

Kaspersky's experts review the kinds of attacks now carried out by Russian-speaking cybercriminals and what drove the change over the five-year period, including shifts in the vulnerability market and improvements in browser security. Read more.

PurpleFox Adds New Backdoor That Uses WebSockets

Source: TrendMicro

In September 2021, Trend Micro looked into suspicious activity related to a PurpleFox operator. Their findings led them to investigate an updated PurpleFox arsenal, which included an added vulnerability (CVE-2021-1732) and optimized rootkit capabilities leveraged in their attacks. Read more.
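Both PurpleFox items above (Bleeping Computer and Trend Micro) come down to the same defensive point: a WebSocket channel lets the implant hold a long-lived, bidirectional connection that looks like ordinary HTTPS traffic, so the handshake itself (an HTTP request answered with status 101 and `Upgrade: websocket`) is often the most visible artifact. The script below is an added example written for this post; it is not code from either report and does not reproduce PurpleFox's own traffic. It assumes a hypothetical space-separated proxy log format (timestamp, client, destination host, port, method, path, status, Upgrade header), a hypothetical allowlist of hosts where WebSockets are expected, and uses constructed log lines.

```python
"""Flag WebSocket upgrade handshakes in proxy logs as candidate C2 channels.

Added example for this post, not code from the PurpleFox reports.
Assumed (hypothetical) log format, one record per line:
    ts client dest_host dest_port method path status upgrade_header
where upgrade_header is the value of the HTTP Upgrade header, or "-" if absent.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed sample log lines (not real traffic). 203.0.113.0/24 is a
# documentation range used here to stand in for an attacker-controlled host.
SAMPLE_LOG = """\
2021-10-20T10:01:02Z 10.0.0.5 api.example-cdn.com 443 GET /socket 101 websocket
2021-10-20T10:01:05Z 10.0.0.7 www.example.com 443 GET /index.html 200 -
2021-10-20T10:02:11Z 10.0.0.5 203.0.113.45 8080 GET / 101 websocket
2021-10-20T10:02:12Z 10.0.0.9 chat.example.org 443 GET /ws 101 websocket
2021-10-20T10:03:30Z 10.0.0.5 203.0.113.45 8080 GET / 101 websocket
"""

# Hypothetical allowlist: hosts where WebSocket use is expected in this environment.
DEFAULT_ALLOWLIST = frozenset({"chat.example.org"})


@dataclass
class ProxyRecord:
    ts: str
    client: str
    host: str
    port: int
    method: str
    path: str
    status: int
    upgrade: str


def parse_line(line: str) -> ProxyRecord:
    """Parse one record of the assumed log format; raises ValueError on malformed input."""
    fields = line.split()
    if len(fields) != 8:
        raise ValueError(f"expected 8 fields, got {len(fields)}: {line!r}")
    return ProxyRecord(fields[0], fields[1], fields[2], int(fields[3]),
                       fields[4], fields[5], int(fields[6]), fields[7].lower())


def is_websocket_upgrade(rec: ProxyRecord) -> bool:
    """A completed WebSocket handshake: 101 Switching Protocols plus Upgrade: websocket."""
    return rec.status == 101 and rec.upgrade == "websocket"


def is_literal_ip(host: str) -> bool:
    """True if the destination was addressed by IP rather than by hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_websocket_sessions(log_text: str, allowlist=DEFAULT_ALLOWLIST,
                                  standard_ports=(80, 443)):
    """Return (client, host, port, reasons) for each WebSocket upgrade to a
    destination that is not on the allowlist, with extra reasons attached when
    the destination is a bare IP or the port is not a normal web port."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if not is_websocket_upgrade(rec) or rec.host in allowlist:
            continue
        reasons = ["websocket upgrade to host not on allowlist"]
        if is_literal_ip(rec.host):
            reasons.append("destination is a literal IP, not a hostname")
        if rec.port not in standard_ports:
            reasons.append(f"non-standard port {rec.port}")
        findings.append((rec.client, rec.host, rec.port, reasons))
    return findings


def summarize(findings) -> Counter:
    """Count repeated (client, host, port) tuples; a persistent channel that is
    re-established over time is a stronger C2 signal than a single handshake."""
    return Counter((client, host, port) for client, host, port, _ in findings)


FINDINGS = suspicious_websocket_sessions(SAMPLE_LOG)
SUMMARY = summarize(FINDINGS)

if __name__ == "__main__":
    for client, host, port, reasons in FINDINGS:
        print(f"{client} -> {host}:{port}: {'; '.join(reasons)}")
    for key, count in SUMMARY.most_common():
        print(f"{key}: {count} session(s)")
```

On the constructed input this flags the CDN host once (not allowlisted, but otherwise ordinary) and the bare-IP destination on port 8080 twice, which is the pattern to triage first. In a real deployment the allowlist and port list would come from a baseline of the environment's legitimate WebSocket users, and the summary would be run over a longer window so that repeated re-connects stand out.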

Necro Python Botnet Goes After Vulnerable VisualTools DVR

Source: Juniper Networks

In the last week of September 2021, Juniper Threat Labs detected new activity from Necro Python (a.k.a. N3Cr0m0rPh, FreakOut, Python.IRCBot), which is actively exploiting several services, including through a new exploit added to its arsenal that targets VisualTools DVRs. Read more.

Defining Cobalt Strike Components So You Can BEA-CONfident in Your Analysis

Source: Mandiant

Cobalt Strike is a commercial adversary simulation software that is marketed to red teams but is also stolen and actively used by a wide range of threat actors from ransomware operators to espionage-focused Advanced Persistent Threats (APTs). Read more.