We found that malicious actors used malvertising to distribute malware via cloned webpages of legitimate organizations. The distribution involved a webpage of the well-known application WinSCP, an open-source Windows application for file transfer. We were able to identify that this activity led to a BlackCat (aka ALPHV) infection, and actors also used SpyBoy, a terminator that tampers with protection provided by agents.
In this blog post, we will provide details on a BlackCat ransomware incident that occurred in February 2023, where we observed a new capability, mainly used for the defense evasion phase.
An overview of the Lemon Group’s use of preinfected mobile devices, and how this scheme is potentially being developed and expanded to other internet of things (IoT) devices. This research was presented in full at the Black Hat Asia 2023 Conference in Singapore in May 2023.
We found TrafficStealer abusing open container APIs in order to redirect traffic to specific websites and manipulate engagement with ads.
We detected Mac malware MacStealer spreading via websites, social media, and messaging platforms Twitter, Discord, and Telegram. Cybercriminals lure victims to download it by plagiarizing legitimate play-to-earn (P2E) apps’ images and offering jobs as beta testers.
In this blog entry, we provide technical details and analysis on the 3CX attacks as they happen. We also discuss available solutions which security teams can maximize for early detection and mitigate the impact of 3CX attacks.
We discovered a new malware, which we named “OpcJacker” (due to its opcode configuration design and its cryptocurrency hijacking ability), that has been distributed in the wild since the second half of 2022.
We detail the update that advanced persistent threat (APT) group Iron Tiger made on the custom malware family SysUpdate. In this version, we also found components that enable the malware to compromise Linux systems.
We discovered an active campaign targeting Eastern Europeans in the cryptocurrency industry using fake job lures.
We discuss the Batloader malware campaigns we observed in the last quarter of 2022, including our analysis of Water Minyades-related events (This is the intrusion set we track behind the creation of Batloader).
We found samples of the Raspberry Robin malware spreading in telecommunications and government office systems beginning September. The main payload itself is packed with more than 10 layers for obfuscation and is capable of delivering a fake payload once it detects sandboxing and security analytics tools.
Open-source applications are a practical way to save money while keeping up with your productivity. However, this can be abused by threat actors to steal your data. Find out how one app was used to gather information of Apple users.
Our blog entry provides a look at an attack involving the LV ransomware on a Jordan-based company from an intrusion analysis standpoint
TeamTNT is a threat group that was known for primarily targeting the cloud and container environments around the world. This group has been documented to leverage the cloud and container resources by deploying cryptocurrency miners in the victim environments. While the group has been active since 2019 and announced it was quitting in 2021, our recent observations make it appear as if TeamTNT has returned — or a copycat group imitating the routines of TeamTNT — and has been deploying an XMRig cryptocurrency miner. Analysis of the attack patterns and other technical details of the code has also led us to believe that the routines are mimicking TeamTNT’s arsenal, but are likely deployed by another cryptocurrency mining group named WatchDog.
We analyzed a QAKBOT-related case leading to a Brute Ratel C4 and Cobalt Strike payload that can be attributed to the threat actors behind the Black Basta ransomware.
In June 2022, LockBit revealed version 3.0 of its ransomware. In this blog entry, we discuss the findings from our own technical analysis of this variant and its behaviors, many of which are similar to those of the BlackMatter ransomware
We compare the targeting and business models of the Conti and LockBit ransomware groups using data analysis approaches. This will be presented in full at the 34th Annual FIRST Conference on June 27, 2022.
Trend Micro Research detected “Cheerscrypt”, a new Linux-based ransomware variant that compromises ESXi servers. We discuss our initial findings in this report.
Trend Micro Threat Research observed active exploitation of the Spring4Shell vulnerability assigned as CVE-2022-22965, which allows malicious actors to weaponize and execute the Mirai botnet malware. The exploitation allows threat actors to download the Mirai sample to the “/tmp” folder and execute them after permission change using “chmod”.
We began seeing malicious activities at the start of April 2022. We also found the malware file server with other variants of the sample for different CPU architectures.
We discovered a now-patched vulnerability in macOS SUHelper, designated as CVE-2022-22639. If exploited, the vulnerability could allow malicious actors to gain root privilege escalation.
