As we enter the second-to-last month of the year, plenty of botnets, banking malware, and other malware are making the news, but one that stands out is Kimsuky. Kimsuky uses various spearphishing and social engineering methods to obtain Initial Access to victim networks. Spearphishing — with a malicious attachment embedded in the email — is the most observed Kimsuky tactic. Read more about it and other malware in this week’s InfoSec articles.
For more articles, check out our #onpatrol4malware blog.
WIZARD SPIDER Update: Resilient, Reactive and Resolute
Source: Crowdstrike
WIZARD SPIDER is an established, high-profile and sophisticated eCrime group, originally known for the creation and operation of the TrickBot banking malware. Read more.
Monthly Threat Actor Group Intelligence Report, August 2020
Source: Red Alert
This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from July 21, 2020 to August 20, 2020. Read more.
Ryuk Ransomware Attacks Continue Following TrickBot Takedown Attempt
Source: Security Week
The threat actor behind the Ryuk ransomware continues to conduct attacks following the recent attempts to disrupt the TrickBot botnet, CrowdStrike reports. Read more.
This new malware uses remote overlay attacks to hijack your bank account
Source: ZDNet
The new malware variant, dubbed Vizom by IBM, is being utilized in an active campaign across Brazil designed to compromise bank accounts via online financial services. Read more.
GravityRAT: The spy returns
Source: SecureList
The spyware GravityRAT used to target the Indian armed forces. The Indian Computer Emergency Response Team (CERT-IN) first discovered the Trojan in 2017. Its creators are believed to be Pakistani hacker groups. Read more.
Defining ATT&CK Data Sources, Part I: Enhancing the Current State
Source: ATT&CK
Discussion around ATT&CK often involves tactics, techniques, procedures, detections, and mitigations, but a significant element is often overlooked: data sources. Data sources for every technique provide valuable context and opportunities to improve your security posture and impact your detection strategy. Read more.
ENISA Threat Landscape – 2020
Source: Enisa
The ENISA, with the support of the European Commission, EU Member States and the CTI Stakeholders Group, has published the 8th annual ETL report, identifying and evaluating the top cyber threats for the period January 2019-April 2020. Read more.
LockBit Ransomware Uses Automation Tools to Pick Targets
Source: Bank Info Security
The operators behind the LockBit ransomware strain use several automation tools and techniques that help the crypto-locking malware spread quickly through a compromised network and assist in picking specific targets. Read more.
North Korean Advanced Persistent Threat Focus: Kimsuky
Source: CISA
Kimsuky uses various spearphishing and social engineering methods to obtain Initial Access to victim networks. Spearphishing—with a malicious attachment embedded in the email—is the most observed Kimsuky tactic. Read more.
Is the Abaddon RAT the first malware using Discord as C&C?
Source: Security Affairs
Abaddon is the first RAT that uses the freeware instant messaging and VoIP app and digital distribution platform Discord as a command & control server. Read more.
Turla uses HyperStack, Carbon, and Kazuar to compromise government entity
Source: Accenture
Turla continues to target government organizations using custom malware, including updated legacy tools, designed to maintain persistence through overlapping backdoor access while evading their victim’s defenses. Read more.
MAR-10310246-2.v1 – PowerShell Script: ComRAT
Source: CISA
The FBI has high confidence that the Russian-sponsored APT actor Turla is using ComRAT malware to exploit victim networks. The group is well known for its custom tools and targeted operations. Read more.