Command & Control (C2) frameworks are a very sensitive component of Red Team operations. Often, a Red Team will be in a highly privileged position on a target’s network, and a compromise of the C2 framework could lead to a compromise of both the red team operator’s system and control over beacons established on a target’s systems. As such, vulnerabilities in C2 frameworks are high priority targets for threat actors and Counterintelligence (CI) operations. On September 20, 2022, HelpSystems published an out-of-band patch for Cobalt Strike which stated that there was potential for Remote Code Execution (RCE).

Some time ago I was using Logic Pro to record some of my music and I needed a way to start and stop the recording from an iPhone, so I found about Logic Remote and was quite happy with it.

Trustwave SpiderLabs’ spam traps have identified an increase in threats packaged in password-protected archives with about 96% of these being spammed by the Emotet Botnet. In the first half of 2022, we identified password-protected ZIP files as the third most popular archive format used by cybercriminals to conceal malware.

During Spring 2022, a company discovered that one of their equipments was communicating with a known command and control server. As a result, the company decided to contact CERT Intrinsec in order to get help to handle the security breach and manage the crisis. CERT Intrinsec gathered information about malicious activities that were discovered on victim’s information system, and past incidents. Our in-depth analysis led us to conclude that an advanced persistent threat dubbed APT27 (a.k.a LuckyMouse, EmissaryPanda) actually compromised the company’s internal network for more than a year by exploiting a public facing application. Our analysis showed that the threat actor managed to compromise five different domains and to gain persistence on many equipments while trying to hide in plain sight. Besides, APT27 operators collected technical and business-related informations and exfiltrate almost three terabytes of data. As investigations went on, we observed tactics, techniques and procedures that had already been documented in papers, but we discovered new ones as well. CERT Intrinsec wanted to share with the community fresh and actionnable threat-intelligence related to APT27. That is why this report presents a timeline of actions taken by the attackers and the tactics, techniques and procedures seen during our incident response. It provides as well a MITRE ATT&CK diagram and several recommendations to follow if you came across such incident, and to prevent them.

CRIL Investigates the resurgence of ERMAC Android Malware as an increasing number of users are falling prey to their phishing attacks.

BlueSky Ransomware is a modern malware using advanced techniques to evade security defences. It predominantly targets Windows hosts and utilizes the Windows multithreading model for fast encryption.

ThreatLabz has discovered, hiding in app stores, a PHP variant of the Ducktail infostealer used to hijack Facebook Business accounts.

Cyble Research and Intelligence Labs analyzes Fake ransomware, a destructive malware capable of wiping out system drives.

CISA analyzed 15 files associated with China Chopper malware. The files are modified Offline Address Book (OAB) Virtual Directory (VD) configuration files for Microsoft Exchange servers. The files have been modified with a variant of the China Chopper webshell. The webshells allow an attacker to remotely access the server and execute arbitrary code on the system(s).referenced in this bulletin or otherwise.

CISA analyzed 4 files associated with HyperBro malware. The files creates a backdoor program that is capable of uploading and downloading files to and from the system. The RAT is also capable of logging keystrokes and executing commands on the system.

The spring of 2022 saw a spike in activity of Bumblebee loader, a recent threat that has garnered a lot of attention due to its many links to several well-known malware families.

CISA received seven files for analysis. Six Java Server Pages (JSP) webshells and a Bourne Again SHell (bash) file. Five JSP webshell files are designed to parse inbound requests for commands for execution, download files, and upload files. One JSP webshell file contains a form with input fields that prompts the attacker to enter the command in the input box and click "run" to execute. The command output will be displayed in a JSP page. The bash file is designed to perform ldapsearch queries and store the output into a newly created directory.

Analysis of APT28/Fancy Bear PowerPoint mouse-over campaign

Multiple self-proclaimed hacktivist groups are conducting attacks in support of Russian interests.

Domain shadowing is a special case of DNS hijacking where attackers stealthily create malicious subdomains under compromised domain names.

This post describes how I took over an Azure Cloud Shell trusted domain and leveraged it to inject and execute commands in other users’ terminals.

Could TeamTNT be back? Our honeypots were attacked by malware that bears a resemblance to these threat actors and we analyze the possible connection.

The VMware Carbon Black MDR team goes in depth on the latest variants of the Chromeloader malware and how to detect them.

On March 14, 2022, a new English-language cybercrime forum called Breached (also known as BreachForums) launched, as a response to the closure and seizure of the popular RaidForums. Breached was launched with the same design by the threat actor “pompompurin” as “an alternative to RaidForums,” offering large-scale database leaks, login credentials, adult content, and hacking tools.

Users often store passwords in third-party software for convenience – but credential gathering techniques can target this behavior.