Following detections from our Managed Threat Detection (CyberSOC) teams, our CERT analysts were able to uncover several recent campaigns leading to CryptBot and Lumma infostealers.
Some of these campaigns are still active and target various organizations worldwide.
These campaigns leverage a little-documented loader we dubbed “Emmenhtal”, (because we are cheese lovers), which hides in the padding of a modified legitimate Windows binary and uses HTA.
Emmenhtal likely surfaced at the beginning of 2024 and is possibly being distributed by several financially motivated threat actors through various means (from traditional email phishing lures to fake videos).
IoCs can be found on our dedicated GitHub page here.
Note: The analysis cut-off date for this report was August 07, 2024.
(6 Months later CZAT 7 Server is offline or changed to another ip address , this post was written 6 months ago, published today 9/2/2024)
I’m a big fan of trains, i like them, but never tough that someday i would take over train traction power substation located in Poland from my home in Costa Rica.
I’m not a train expert/engineer and i had no idea how the train management works , I’m a cyber security professional doing research in the internet about OT Industrial equipment exposed potentially vulnerable or misconfigured.
Everything explained here is just what i learned reading official documentation from the Elester-pkp website . https://elester-pkp.com.pl/
Threat actors called Vanir Ransomware Group posted a few listings in July. Tonight, however, their onion site has a seized message:
” THIS HIDDEN SITE HAS BEEN SEIZED
by the State Bureau of Investigation Baden-Württemberg as a part of a law enforcement action taken against Vanir Ransomware Group “
VMware warned that an attacker with network access could send a specially crafted packet to execute remote code. CVSS severity score 9.8/10.
Bluenoroff or APT38, more commonly referred to as Lazarus Group is a threat group which has been tied to the North Korean government since as early as 2009 primarily being financially motivated utilizing malware custom built for each target.
Early on, the threat group gained notoriety for cyberattacks such as Sony Pictures Hack in 2014 and $81M Bangladesh Bank heist in 2016 and in more recent years has shifted focus to targets in the cryptocurrency industry.
Analytics firms such as TRM and Chainalysis release annual reports summarizing crypto related incidents linked to DPRK and since 2017 they estimate between $3B to $4.1B has been stolen.
Antivirus firm Dr.Web has flagged a type of Android malware known as Android.Vo1d that has infected about 1.3 million TV boxes across 197 countries.
The malware effectively enables a backdoor into the TV box's system that allows an attacker to download and install malicious third-party software. The R4 TV box model running Android 7.1.2, a TV Box running Android 12.1, and the KJ-SMART4KVIP TV box running Android 10.1 were the types of devices reportedly impacted.