
New Sardonic Backdoor from FIN8 Threat Actor


August 26, 2021

Attack Flow
The attackers began with network reconnaissance, collecting information about the domain (users, domain controllers), and then moved laterally and escalated privileges. For this they used WMIExec and SMBExec from the Impacket toolset alongside the offensive features of their signature backdoor, BADHATCH.
The BADHATCH loader was deployed using PowerShell scripts downloaded from the 104.168.237[.]21 IP address via a legitimate service. It was used during the reconnaissance, lateral movement, privilege escalation and possibly impact stages.
There were multiple attempts to deploy the Sardonic backdoor on domain controllers in order to continue privilege escalation and lateral movement, but the malicious command lines were blocked.
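The Impacket tooling named above leaves recognisable command lines on the target host. The following detection logic is an added example (not part of the original report, not FIN8's or the analysts' code): it scans process-creation records with the fields you would pull from Sysmon event 1 or Windows event 4688 for the default command-line shapes that wmiexec.py and smbexec.py produce. The patterns are assumptions based on Impacket's default output redirection and batch-file names; an operator can change them, so a miss means "not default Impacket", not "clean". The sample records are constructed here.

```python
"""Detect default Impacket wmiexec/smbexec command lines in process-creation records.

Added example, not code from the report. Patterns reflect Impacket defaults
(assumed; verify against the tool version you face) and are easy to change.
"""
import re

# wmiexec.py: child of WmiPrvSE.exe, output redirected to
# \\127.0.0.1\ADMIN$\__<unix-timestamp>
WMIEXEC_RE = re.compile(
    r"cmd\.exe\s+/Q\s+/c\s.*\s1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+\.\d+\s+2>&1",
    re.IGNORECASE,
)
# smbexec.py: runs as a service (parent services.exe), writes the command into
# %TEMP%\execute.bat and redirects output to \\127.0.0.1\<share>$\__output
SMBEXEC_RE = re.compile(
    r"%COMSPEC%\s+/Q\s+/c\s+echo\s.*\^>\s*\\\\127\.0\.0\.1\\\w+\$\\__output.*execute\.bat",
    re.IGNORECASE,
)


def classify(record):
    """Return 'wmiexec', 'smbexec' or None for one process-creation record.

    Both the parent process and the command line must match, which keeps an
    interactive 'cmd.exe /Q /c ... 1> file' from firing the rule."""
    cmd = record["cmdline"]
    parent = record["parent"].lower()
    if parent.endswith("wmiprvse.exe") and WMIEXEC_RE.search(cmd):
        return "wmiexec"
    if parent.endswith("services.exe") and SMBEXEC_RE.search(cmd):
        return "smbexec"
    return None


# Constructed sample records (not real telemetry from the incident).
SAMPLE_RECORDS = [
    {"host": "DC01", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r'cmd.exe /Q /c net group "Domain Admins" /domain 1> \\127.0.0.1\ADMIN$\__1629989310.1234 2>&1'},
    {"host": "WS07", "parent": r"C:\Windows\System32\services.exe",
     "cmdline": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    {"host": "WS07", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"cmd.exe /Q /c dir 1> C:\Users\jdoe\out.txt 2>&1"},
]


def scan(records):
    """Return (host, tool) pairs for every record that matches an Impacket shape."""
    return [(r["host"], tool) for r in records if (tool := classify(r))]


if __name__ == "__main__":
    for host, tool in scan(SAMPLE_RECORDS):
        print(f"{host}: {tool} lateral movement pattern")
```

The parent-process condition is what makes this usable in a busy environment: the redirection string alone also appears in legitimate scripting, but `WmiPrvSE.exe` or `services.exe` spawning it with a loopback UNC target is characteristic of remote execution.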

Deployment of this backdoor begins by running the Sardonic loader. First, a PowerShell script named “sldr.ps1” (SHA256 edfd3ae4def3ddffb37bad3424eb73c17e156ba5f63fd1d651df2f5b8e34a6c7) is copied to the victim machine and executed.
The attackers did this manually rather than through an automated loader process.
The script contains two base64 strings, each decoding to a further PowerShell script: the first is an RC4-encrypted second stage, and the second implements the RC4 decryption routine for it.
In an improvement over earlier FIN8 loaders, the decryption key “B4a0f3AE251b7689CFdDe1” is not embedded in the sample but supplied as a command-line argument. An analyst who recovers only the script therefore also needs the command line it was invoked with (for example from process-creation logging) to decrypt the second stage.

.NET loader and downloader shellcode
This stage consists of a .NET assembly that carries a piece of shellcode, GZip-compressed and then RC4-encrypted with the key “CA0ac8F6655244d2E10e7819BD337bf9”, which is embedded in the binary.
Because the shellcode is self-modifying and has a self-inject feature, it needs an unmodified copy of itself.
That copy is prepended with a null-terminated “4BMARC2WKL” marker and placed in the same buffer, immediately before the copy that is executed.
The second copy of the shellcode is executed from its first byte using the Marshal.GetDelegateForFunctionPointer method.
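The two packing layouts above (the RC4-encrypted stage inside sldr.ps1 with its key on the command line, and the RC4-over-GZip shellcode with the marker-tagged pristine copy in the .NET loader) are reproduced in the following decoder. It is an added example, not FIN8's code and not the analysts' tooling: the two keys are the ones quoted in the text, while the stage-2 script and the shellcode are constructed stand-ins, since the real payloads are not on this page. The `find_marker_offsets` helper is the check a responder would run over a memory dump to locate the pristine copy.

```python
"""Decoder for the Sardonic loader layouts described above (added example).

Keys are the ones quoted in the report; payloads below are constructed, not
recovered from the real samples.
"""
import base64
import gzip
import sys

STAGE1_KEY = b"B4a0f3AE251b7689CFdDe1"            # passed on the command line to sldr.ps1
STAGE2_KEY = b"CA0ac8F6655244d2E10e7819BD337bf9"  # embedded in the .NET assembly
MARKER = b"4BMARC2WKL\x00"                        # NUL-terminated tag before the pristine copy

# Constructed stand-ins for the real payloads.
SAMPLE_STAGE2_PS1 = "Write-Output 'stage two (constructed sample)'"
SAMPLE_SHELLCODE = bytes.fromhex("9090909090cc") + b"<constructed shellcode>"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA); the same routine encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# ---- sldr.ps1 layout: base64( RC4(key, next PowerShell stage) ) -------------
def pack_ps1_stage(script: str, key: bytes) -> str:
    return base64.b64encode(rc4(key, script.encode("utf-8"))).decode("ascii")


def decode_ps1_stage(b64_blob: str, key: bytes):
    """Decrypt the embedded stage; return None when the key is wrong, since RC4
    under a wrong key yields bytes that do not form a printable script."""
    plain = rc4(key, base64.b64decode(b64_blob))
    try:
        text = plain.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None


# ---- .NET loader layout: RC4(key, GZip(shellcode)), key inside the binary ---
def pack_dotnet_shellcode(shellcode: bytes, key: bytes) -> bytes:
    return rc4(key, gzip.compress(shellcode, mtime=0))


def unpack_dotnet_shellcode(blob: bytes, key: bytes) -> bytes:
    return gzip.decompress(rc4(key, blob))


def build_inject_buffer(shellcode: bytes):
    """Reproduce the in-memory arrangement: marker + pristine copy, immediately
    followed by the copy that is executed from its first byte. Returns the
    buffer and the entry offset the loader hands to GetDelegateForFunctionPointer."""
    buf = MARKER + shellcode + shellcode
    return buf, len(MARKER) + len(shellcode)


def find_marker_offsets(memory: bytes):
    """Memory-scan helper: offsets of every marker hit; the pristine shellcode
    copy starts right after each one."""
    hits, pos = [], memory.find(MARKER)
    while pos != -1:
        hits.append(pos)
        pos = memory.find(MARKER, pos + 1)
    return hits


if __name__ == "__main__":
    # Mirror the loader: the stage-1 key is an argument, not a constant in the file.
    key = sys.argv[1].encode() if len(sys.argv) > 1 else STAGE1_KEY
    stage2 = decode_ps1_stage(pack_ps1_stage(SAMPLE_STAGE2_PS1, STAGE1_KEY), key)
    print("stage 2:", stage2 if stage2 else "<wrong key>")
    sc = unpack_dotnet_shellcode(pack_dotnet_shellcode(SAMPLE_SHELLCODE, STAGE2_KEY), STAGE2_KEY)
    buf, entry = build_inject_buffer(sc)
    print(f"shellcode {len(sc)} bytes; marker at {find_marker_offsets(buf)}; entry offset {entry}")
```

Run it with the key as the first argument to see the stage-2 script, or with any other string to see the wrong-key path; in a real case the base64 blobs come out of sldr.ps1 and the encrypted blob out of the .NET resource, and the marker scan runs over a process dump of the host that executed the loader.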

Sardonic backdoor
The Sardonic backdoor is written in C++, uses the same C&C servers as the downloader shellcode (“api-cdn[.]net”, “git-api[.]com”, “api-cdnw5[.]net”) and likewise communicates over port 443.
It can collect system information, execute commands, and has a plugin system that loads purpose-built DLLs and calls their exported functions.
The researchers believe more than one person developed this project, as functions differ in code style and in how heavily they use the C++ standard library.
