Have you ever heard about “FakeBat”? 👀 🔎 It’s a loader malware in MSI format that offers “several anti-detection features, such as bypassing the Unwanted Software Policy of Google and Windows Defender alerts and being protected from VirusTotal”. 📈 During the first semester of 2024, #FakeBat was one of the most widespread loaders using the drive-by download technique. It’s commonly used to distribute loaders such as #IcedID, #Lumma, #Redline, SmokeLoader, SectopRAT…🚨 📝 In our new report, the Sekoia Threat Detection & Research (TDR) team presents the activities of the FakeBat operators and an analysis of previously undocumented campaigns distributing FakeBat. 🔐 Additionally, IoCs, YARA rules and tracking heuristics to monitor the FakeBat distribution and C2 infrastructures are also available at the end of the report. 💡 To read the report, click here: https://lnkd.in/eyCTr3pr
Sekoia.io’s Post
More Relevant Posts
-
Cybercriminals progressively shift from phishing to drive-by download attacks through user web browsing. These techniques allow them to spread malware to a large number of victims, thereby gaining initial access to valuable accounts. In 2024, FakeBat is one of the most widespread malware through drive-by download attacks. We published an in-depth analysis of FakeBat to present:
- the business of FakeBat operators on cybercrime forums
- three distribution campaigns using malvertising, fake web browser errors on compromised websites, and social engineering schemes on social networks
- the Command & Control (C2) infrastructure and tips to track the C2 servers and distribution clusters
Your feedback on our work is greatly appreciated!
Exposing FakeBat loader: distribution methods and adversary infrastructure
blog.sekoia.io
-
From password-protected ZIP archives and ISO files to HTML smuggling and Windows shortcuts, BumbleBee strategically employs a diverse array of strategies to infiltrate systems. VMRay explores and dissects these innovative delivery mechanisms. We gain valuable insights into the evolution of malware, offering a unique perspective that is crucial for effective threat detection and mitigation strategies.
Understanding BumbleBee Loader: The Delivery
https://www.vmray.com
-
The Rapid7 blog post outlines the discovery and analysis of a new malware loader, IDAT Loader, used in conjunction with BruteRatel C4 for cyberattacks. It details the malware's distribution through a FakeUpdates campaign, its evasion techniques against analysis tools, and its method of loading additional payloads via PNG file data. https://lnkd.in/dssrFbAM
Stories from the SoC Part 1: IDAT Loader to BruteRatel | Rapid7 Blog
rapid7.com
-
EXPLOITING A VULNERABLE MINIFILTER DRIVER TO CREATE A PROCESS KILLER Bring Your Own Vulnerable Driver (BYOVD) is a technique that uses a vulnerable driver in order to achieve a specific goal. BYOVD is often used by malware to terminate processes associated with security solutions such as an EDR. There are many examples of open-source software that (ab)use a vulnerable driver for this purpose. One of the most used drivers is the Process Explorer driver. In this case we cannot talk about a vulnerability since it is a feature of the application to permit process termination from its UI... https://zurl.co/Pi1k
Exploiting a vulnerable Minifilter Driver to create a process killer
https://securityaffairs.com
-
Malware alert! Raspberry Robin continues to demonstrate high adaptability, introducing two new 1-day LPE exploits and leveraging Discord for propagation. This evolution in its operations could indicate a strong capacity for exploit development or a connection to a specialized exploit developer. Find out more here: https://lnkd.in/eJqcHt5t
Malware alert! Raspberry Robin continues to demonstrate high adaptability, introducing two new 1-day LPE exploits and leveraging Discord for propagation. This evolution in its operations could indicate a strong capacity for exploit development or a connection to a specialized exploit developer. Find out more here: https://lnkd.in/gdRpJkKw
Raspberry Robin: An Evolving Cyber Threat with Advanced Exploits and Stealth Tactics
blog.checkpoint.com
-
Information Technology Executive | Technology Roadmap | Project Management | Business Transformation | ITIL
Over the years, I have used and implemented many platforms and software components. WinRAR is one of the original platforms of compression/uncompression tools. While I have moved on, I know there are people out there who still use this valuable tool. Please share this news amongst your tech teams and partners to either switch or upgrade as soon as possible. "The vulnerability being exploited by attackers, tracked as CVE-2023-38831, centers on how the WinRAR software processes .zip files. Attackers can subvert that process so that when a user double-clicks a file to open, the user instead opens malware."
Nation-State Hackers Exploiting WinRAR, Google Warns
databreachtoday.com
-
_Image: Bing Create_ New details have emerged about Decoy Dog, a largely undetected sophisticated toolkit likely used for at least a year in cyber #intelligence operations, relying on the domain name system (DNS) for command and control activity. While Infoblox only analyzed DecoyDog's DNS and #network traffic, as it is based on Pupy, it likely has the ability to download malware payloads on infected devices and execute commands sent by the attackers. Decoy Dog was discovered in early April after Infoblox specialists found anomalous DNS beaconing activity from half a dozen domains that acted as command and control (C2) servers for the malware. Whoever operates the toolkit did not cease activity after Infoblox announced their discovery and published a technical analysis showing that Decoy Dog was heavily based on the Pupy open-source post-exploitation remote access trojan (RAT).
* Decoy Dog requires #Python 3.8
* numerous improvements including Windows compatibility and better memory operations
* Decoy Dog significantly expands the communications vocabulary in Pupy by adding multiple communications modules
* Decoy Dog responds to replays of previous DNS queries where Pupy does not
Mysterious Decoy Dog malware toolkit still lurks in DNS shadows
-
IBM X-Force helped several organizations respond to successful Ivanti appliance compromises in early 2024, identifying Ivanti file modifications and post-exploitation malware. Explore the full research results: https://ibm.co/3PcRr4t
Widespread exploitation of recently disclosed Ivanti vulnerabilities
https://securityintelligence.com
-
🔒🌐 Old Loader, New Threat - Exploring Xworm Great research by Adarsh S and Pratik Pachpor! Xworm is a malware that scans the internet for exposed web services, sending the information back to its C&C server. It's an evolved version of the Xshell and Xscan malware families, which have been active since 2013. What's particularly interesting about Xworm is its evolution. It's become more advanced, with added functionalities and improved evasion techniques. This is a stark reminder of how cybercriminals are constantly adapting, using old malware in innovative ways...
Uncovering the XWorm Malware Campaign
trellix.com