On to the end of January and we’re seeing banking malware such as Vadokrist and many others. Vadokrist is written in Delphi and has an unusually large amount of unused code in the binaries. It is believed that this is an attempt to evade detection and dissuade or slow analysis. Learn more about this and other latest cybersecurity news in this batch of InfoSec articles.

For more articles, check out our #onpatrol4malware blog.

Most Financial Services Have Suffered COVID-Linked Cyber-Attacks

Source: Infosecurity

Financial services firms were hit hard over the past year, with 70% experiencing a successful cyber-attack and most of these blaming COVID-related conditions for the incident, according to Keeper Security. Read more.

Expired Domain Allowed Researcher to Hijack Country’s TLD

Source: Security Week

A researcher claimed last week that he managed to take control of the country code top-level domain (ccTLD) for the Democratic Republic of Congo after an important domain name was left to expire. Read more.

Linux users should patch now to block new “FreakOut” malware which exploits new vulnerabilities

Source: Checkpoint

These ongoing attacks involve a new malware variant, called ‘FreakOut.’ The goal behind these attacks is to create an IRC botnet (a collection of machines infected with malware that can be controlled remotely). Read more.

Weaponizing Domain Names: how bulk registration aids global spam campaigns

Source: Spamhaus

A temporary restraining order against registrar Namecheap to suspend a domain that was used to host fake COVID test kits, citing that, “NameCheap, Inc. plays a critical role in the scheme by serving as the domain registrar of the website.” Read more.

A Chinese hacking group is stealing airline passenger details

Source: ZDNet

A suspected Chinese hacking group has been attacking the airline industry for the past few years with the goal of obtaining passenger data. The intrusions have been linked to a threat actor under the name of Chimera. Read more.

Vadokrist: A wolf in sheep’s clothing

Source: WeLiveSecurity

Vadokrist is a Latin American banking trojan and that is active almost exclusively in Brazil. Vadokrist is written in Delphi. It is has unusually large amount of unused code in the binaries. It is believed that this is an attempt to evade detection and dissuade or slow analysis. Read more.

Cyber Criminals Leave Stolen Phishing Credentials in Plain Sight

Source: Check Point

The attackers behind the phishing campaign exposed the credentials they had stolen to the public Internet. With a simple Google search, anyone could have found the password to one of the compromised, stolen email addresses: a gift to every opportunistic attacker. Read more.

Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop

Source: Microsoft

Solorigate is one of the most sophisticated and protracted intrusion attacks of the decade. These attackers appear to be knowledgeable about operations security and performing malicious activity with minimal footprint. Read more.

Understanding Known Adversary Tactics and Techniques

Source: Threat Quotient

The MITRE ATT&CK framework has been key to many organizations combating cyber threats. Essentially the framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations of cyberattacks. Read more.

MITRE ATT&CK: The Magic of Segmentation

Source: Cisco

For the Trusted Relationship technique, MITRE recommends Network Segmentation as one of just two mitigations. The other is User Account Control, a Windows configuration step that helps stop adversaries from gaining elevated process access. Read more.

LogoKit: Simple, Effective, and Deceptive

Source: RiskIQ

RiskIQ is tracking a phishing kit aimed at simplicity of deployment and range of targeting. The overall phish kit, dubbed LogoKit, is designed to be fully modularized, allowing for easy reuse and adaptation by other threat actors. Read more.

New Year, New Version of DanaBot

Source: proofpoint

Researchers discovered an updated version of DanaBot in the wild. DanaBot is a banking/stealer malware first discovered in May 2018. There have been at least three significant versions of the malware. This will be the fourth major update. Read more.