Backdoor.Win32 Carbanak (Anunak) / Named Pipe Null DACL
Read Article Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024 Original source: https://malvuln.com/advisory/b8e1e5b832e5947f41fd6ae6ef6d09a1.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32 Carbanak (Anunak) Vulnerability: Named Pipe Null DACL Family: Carbanak Type: PE32 MD5: b8e1e5b832e5947f41fd6ae6ef6d09a1 Vuln ID: MVID-2024-0667 Dropped files: AlhEXlUJ.exe, AlhEXlUJbVpfX1EMVw.bin Disclosure: 01/09/2024 Description: Carbanak malware creates 8 named pipes used for C2 and interprocess…
Which type of malware resides only in RAM? Explaining fileless malware
Read Article Explaining malware which resides only in RAM Unlike traditional malware, which typically involves downloading and running an executable file, fileless malware operates in the system’s memory (RAM) and often exploits legitimate tools (like PowerShell, WMI, or Windows Registry) and scripts already present on the target system (such as JavaScript or VBScript). This means…
Hacked in China
Read Article foreign government’s response to a U.S. strategy document rarely earns front page coverage, but in the case of the Chinese Communist Party’s (CCP) recent reaction to the U.S. government’s new cyber strategy, we should all be paying attention. Tensions continue to escalate in the cyber domain, given the recent Chinese-backed intrusions into U.S….
Financially motivated threat actors misusing App Installer
Read Article Since mid-November 2023, Microsoft Threat Intelligence has observed threat actors, including financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, utilizing the ms-appinstaller URI scheme (App Installer) to distribute malware. In addition to ensuring that customers are protected from observed attacker activity, Microsoft investigated the use of App Installer in these attacks. In response to this…
Opening a Can of Whoop Ads: Detecting and Disrupting a Malvertising Campaign Distributing Backdoors
Read Article Earlier this year, Mandiant’s Managed Defense threat hunting team identified an UNC2975 malicious advertising (“malvertising”) campaign presented to users in sponsored search engine results and social media posts, consistent with activity reported in From DarkGate to DanaBot. This campaign dates back to at least June 19, 2023, and has abused search engine traffic and…
Turkish Hackers Exploiting Poorly Secured MS SQL Servers Across the GlobeTurkish Hackers Exploiting Poorly Secured MS SQL Servers Across the Globe
Read Article Poorly secured Microsoft SQL (MS SQL) servers are being targeted in the U.S., European Union, and Latin American (LATAM) regions as part of an ongoing financially motivated campaign to gain initial access. “The analyzed threat campaign appears to end in one of two ways, either the selling of ‘access’ to the compromised host,…
The Underground Economist: Volume 4, Issue 1
https://www.zerofox.com/blog/the-underground-economist-volume-4-issue-1/ On December 27, 2023, threat actor “APTlord” announced on the dark web forum RAMP that they were selling source code and other information owned by marinetraffic[.]com, which was allegedly obtained by the theft of backup data from web-based Git repository GitLab. Marinetraffic[.]com is an open-source analytics platform that provides real-time information on maritime vessels…
Custom GPTs: A Case of Malware Analysis and IoC Analyzing
Read Article On November 6, 2023, CustomGPTs, a new feature that OpenAI stated on its blog, became available. We can already say that the emergence of Custom Generative Pre-trained Transformers (GPTs) could mark a significant shift in the dynamics of both digital defense and offense. AI models, customizable for specific tasks, could represent a new frontier in…
