Ransomware has been a hot topic over the last couple of weeks. We’re seeing its versatility, with distribution techniques ranging from server vulnerabilities to advertising platforms, along with the use of AV tools to distract from its activities. There’s yet another CISA Malware Analysis Report (MAR) focused on the North Korean government’s malicious cyber activity, this time on the malware variant known as ELECTRICFISH.
For more articles, check out our #onpatrol4malware blog.

A journey to Zebrocy land
Source: ESET
At the end of August 2018, the Sednit group launched a spearphishing email campaign where it distributed shortened URLs that delivered the first stage of Zebrocy components. Read more.

Nigerian BEC Scammers Shifting to RATs As Tool of Choice
Source: BleepingComputer
Scammers running business email compromise (BEC) fraud have grown in number, attack more often, and turn to remote access trojans as the preferred malware type to accompany their raids. Read more.

Threat spotlight: CrySIS, aka Dharma ransomware, causing a crisis for businesses
Source: Malwarebytes
CrySIS, aka Dharma […] has become increasingly active lately, increasing by a margin of 148 percent from February until April 2019. Read more.

MAR-10135536-21 – North Korean Tunneling Tool: ELECTRICFISH
Source: CISA
Working with U.S. Government partners, DHS and FBI identified a malware variant used by the North Korean government. This malware has been identified as ELECTRICFISH. Read more.

Qakbot Assembles Itself from Encrypted Halves to Evade Detection
Source: BleepingComputer
A malware campaign was observed disseminating a new Qakbot banking Trojan variant which comes with a novel persistence technique that improves its evasion skills… Read more.

Dharma Ransomware Uses AV Tool to Distract from Malicious Activities
Source: Trend Micro
The Dharma ransomware has been around since 2016, but it has continued to target and successfully victimize users and organizations around the world. Read more.

Hawkeye keylogger using fileless delivery system via Amazon AWS
Source: My Online Security
We have been seeing a massive increase in Malspam emails delivering Hawkeye keylogger / infostealer trojan [using] a zip file containing the trojan itself or a malformed word doc either containing macros or… Read more.

Sodinokibi Ransomware Being Installed on Exploited WebLogic Servers
Source: BleepingComputer
Attackers are exploiting a recently disclosed WebLogic vulnerability to install a new ransomware called Sodinokibi. As this vulnerability is trivial to exploit, it is important [to] patch immediately… Read more.

Buhtrap backdoor and ransomware distributed via major advertising platform
Source: ESET
This is just what has been happening for the past few months, where a group using two well-known backdoors — Buhtrap and RTM — as well as ransomware and cryptocurrency stealers, has targeted organizations, mainly in Russia. Read more.