Sekoia.io’s Post

Cybercriminals progressively shift from phishing to drive-by download attacks through user web browsing. These techniques allow them to spread malware to a large number of victims, thereby gaining initial access to valuable accounts. In 2024, FakeBat is one of the most widespread malware through drive-by download attacks. We published an in-depth analysis of FakeBat to present: - the business of FakeBat operators on cybercrime forums - three distribution campaigns using malvertising, fake web browser errors on compromised websites, and social engineering schemes on social networks - the Command & Control (C2) infrastructure and tips to track the C2 servers and distribution clusters Your feedback on our work is greatly appreciated!

From password-protected ZIP archives and ISO files to HTML smuggling and Windows shortcuts, BumbleBee strategically employs a diverse array of strategies to infiltrate systems. VMRay explores and dissects these innovative delivery mechanisms. We gain valuable insights into the evolution of malware, offering a unique perspective that is crucial for effective threat detection and mitigation strategies.

The Rapid7 blog post outlines the discovery and analysis of a new malware loader, IDAT Loader, used in conjunction with BruteRatel C4 for cyberattacks. It details the malware's distribution through a FakeUpdates campaign, its evasion techniques against analysis tools, and its method of loading additional payloads via PNG file data. https://lnkd.in/dssrFbAM

EXPLOITING A VULNERABLE MINIFILTER DRIVER TO CREATE A PROCESS KILLER Bring Your Own Vulnerable Driver (BYOVD) is a technique that uses a vulnerable driver in order to achieve a specific goal. BYOVD is often used by malware to terminate processes associated with security solutions such as an EDR. There are many examples of open-source software that (ab)use a vulnerable driver for this purpose. One the most used driver is the Process Explorer driver. In this case we cannot talk about a vulnerability since it is a feature of the application to permit process termination from its UI... https://zurl.co/Pi1k

EXPLOITING A VULNERABLE MINIFILTER DRIVER TO CREATE A PROCESS KILLER Bring Your Own Vulnerable Driver (BYOVD) is a technique that uses a vulnerable driver in order to achieve a specific goal. BYOVD is often used by malware to terminate processes associated with security solutions such as an EDR. There are many examples of open-source software that (ab)use a vulnerable driver for this purpose. One the most used driver is the Process Explorer driver. In this case we cannot talk about a vulnerability since it is a feature of the application to permit process termination from its UI... https://zurl.co/Pi1k

Malware alert! Raspberry Robin continues to demonstrate high adaptability, introducing two new 1-day LPE exploits and leveraging Discord for propagation. This evolution in its operations could indicate a strong capacity for exploit development or a connection to a specialized exploit developer. Find out more here: https://lnkd.in/eJqcHt5t

Over the years, I have used and implemented many platforms and software components. WinRAR is one of the original platforms of compression/uncompression tools. While I have moved on, I know there are people out there who still use this valuable tool. Please share this news amongst your tech teams and partners to either switch or upgrade as soon as possible. "The vulnerability being exploited by attackers, tracked as CVE-2023-38831, centers on how the WinRAR software processes .zip files. Attackers can subvert that process so that when a user double-clicks a file to open, the user instead opens malware."

_Image: Bing Create_ New details have emerged about Decoy Dog, a largely undetected sophisticated toolkit likely used for at least a year in cyber #intelligence operations, relying on the domain name system (DNS) for command and control activity. While Infoblox #only analyzed DecoyDog's DNS and #network traffic, as it is based on Pupy, it likely has the ability to download malware payloads on infected devices and execute commands sent by the attackers. Decoy Dog was discovered in early April after Infoblox specialists found anomalous DNS beaconing activity from half a dozen domains that acted as command and control (C2) servers for the malware:. Whoever operates the toolkit did not cease activity after Infoblox #announced their discovery and published a technical analysis showing that Decoy Dog was heavily based on the Pupy open-source post-exploitation remote access trojan (RAT). Decoy Dog requires #Python 3.8 * numerous improvements including Windows compatibility and better memory operations * Decoy Dog significantly expands the communications vocabulary in Pupy by adding multiple communications modules * Decoy Dog responds to replays of previous DNS queries where Pupy does not

IBM X-Force helped several organizations respond to successful Ivanti appliance compromises in early 2024, identifying Ivanti file modifications and post-exploitation malware. Explore the full research results: https://ibm.co/3PcRr4t

🔒🌐 Old Loader, New Threat - Exploring Xworm Great research by Adarsh S and Pratik Pachpor! Xworm is a malware that scans the internet for exposed web services, sending the information back to its C&C server. It's an evolved version of the Xshell and Xscan malware families, which have been active since 2013. What's particularly interesting about Xworm is its evolution. It's become more advanced, with added functionalities and improved evasion techniques. This is a stark reminder of how cybercriminals are constantly adapting, using old malware in innovative ways...