Tag Archive for: Attack

New Phishing Attack Delivers Keylogger Disguised as Bank Payment Notice


Mar 27, 2024 | Newsroom | Vulnerability / Cybercrime

A new phishing campaign has been observed leveraging a novel loader malware to deliver an information stealer and keylogger called Agent Tesla.

Trustwave SpiderLabs said it identified a phishing email bearing this attack chain on March 8, 2024. The message masquerades as a bank payment notification, urging the user to open an archive file attachment.

The archive (“Bank Handlowy w Warszawie – dowód wpłaty_pdf.tar.gz”, Polish for “Bank Handlowy in Warsaw – proof of payment”; the “_pdf” in the name makes a .tar.gz archive pass for a PDF receipt) conceals a malicious loader that, once opened, starts the procedure to deploy Agent Tesla on the compromised host.

“This loader then used obfuscation to evade detection and leveraged polymorphic behavior with complex decryption methods,” security researcher Bernard Bautista said in a Tuesday analysis.

“The loader also exhibited the capability to bypass antivirus defenses and retrieved its payload using specific URLs and user agents leveraging proxies to further obfuscate traffic.”

Embedding malware within seemingly benign files is a tactic threat actors have used repeatedly to trick unsuspecting victims into triggering the infection sequence themselves.


The loader used in the attack is written in .NET. Trustwave found two distinct variants, each using a different decryption routine to unpack the loader's configuration and ultimately retrieve the XOR-encoded Agent Tesla payload from a remote server.
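Recovering such a payload for analysis is straightforward when the encoding is a repeating-key XOR, because a Windows executable carries fixed known plaintext: the "MZ" magic at offset 0, the e_lfanew pointer at offset 0x3C and the DOS stub string at offset 0x4E. The Python below is an added example, not Trustwave's tooling or the loader's own code. It assumes a repeating key of at most 32 bytes (the article gives no key details) and runs against a constructed, header-only stand-in for the downloaded blob rather than a real sample.

```python
# Added example: recovering a repeating XOR key from an XOR-encoded PE payload
# with known plaintext. Illustrative analyst tooling, not the loader's routine;
# the key, key length and sample payload below are constructed.
from itertools import cycle
import struct

# Fixed plaintext in any MSVC/.NET-linked PE: "MZ" at 0, the PE header offset
# (e_lfanew) at 0x3C, and this stub string starting at 0x4E.
DOS_STUB_MSG = b"This program cannot be run in DOS mode."
DOS_STUB_OFFSET = 0x4E


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (encoding and decoding are the same op)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check: MZ magic and a PE signature where e_lfanew points."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_key(blob: bytes, key_len: int) -> bytes:
    """Derive a key_len-byte key by XORing ciphertext against the known stub text.

    key_len consecutive offsets cover every key index, so the first key_len
    bytes of the stub string suffice as long as key_len <= len(DOS_STUB_MSG).
    """
    if key_len > len(DOS_STUB_MSG):
        raise ValueError("key longer than the available known plaintext")
    if len(blob) < DOS_STUB_OFFSET + key_len:
        raise ValueError("blob too short to contain the DOS stub")
    key = bytearray(key_len)
    for i in range(key_len):
        pos = DOS_STUB_OFFSET + i
        key[pos % key_len] = blob[pos] ^ DOS_STUB_MSG[i]
    return bytes(key)


def recover_payload(blob: bytes, max_key_len: int = 32):
    """Try key lengths 1..max_key_len; return (key, decoded) for the shortest
    length that decodes to a plausible PE with an intact stub, else None."""
    if len(blob) < DOS_STUB_OFFSET + len(DOS_STUB_MSG):
        return None
    stub = slice(DOS_STUB_OFFSET, DOS_STUB_OFFSET + len(DOS_STUB_MSG))
    for key_len in range(1, max_key_len + 1):
        key = recover_key(blob, key_len)
        decoded = xor_bytes(blob, key)
        # The full stub check rejects key lengths that only fit the bytes
        # the key was derived from (e.g. a wrong length sharing a few bytes).
        if looks_like_pe(decoded) and decoded[stub] == DOS_STUB_MSG:
            return key, decoded
    return None


def build_sample_pe() -> bytes:
    """Constructed stand-in for a payload: minimal DOS header, stub text and
    PE signature (not a runnable executable)."""
    hdr = bytearray(0x90)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)  # e_lfanew -> PE signature at 0x80
    hdr[DOS_STUB_OFFSET:DOS_STUB_OFFSET + len(DOS_STUB_MSG)] = DOS_STUB_MSG
    hdr[0x80:0x84] = b"PE\0\0"
    return bytes(hdr)


SAMPLE_KEY = bytes.fromhex("5ac3197e01")  # constructed 5-byte key (assumption)
SAMPLE_PE = build_sample_pe()
SAMPLE_BLOB = xor_bytes(SAMPLE_PE, SAMPLE_KEY)  # what the fetched blob would look like

if __name__ == "__main__":
    result = recover_payload(SAMPLE_BLOB)
    if result is None:
        raise SystemExit("no repeating XOR key found")
    key, decoded = result
    print("recovered key:", key.hex(), "payload intact:", decoded == SAMPLE_PE)
```

The loop takes the shortest key length that yields a plausible PE; any multiple of the true length also decodes correctly, which is why shortest wins. If the loader instead used a rolling or per-byte-derived key, the known-plaintext step still hands you the keystream for offsets 0x4E to 0x74 but gives no way to extend it, and the practical fallback is to dump the decoded image from the loader's memory after its decryption routine has run.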

To evade detection, the loader also bypasses the Windows Antimalware Scan Interface (AMSI), the interface that lets security software scan files, memory, and other data for threats, including script and assembly content at the moment it is about to execute.

It achieves this by “patching the AmsiScanBuffer function to evade malware scanning of in-memory content,” Bautista explained.
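The practical check against this class of bypass is to compare what AmsiScanBuffer looks like in a running process with what it looks like on disk: a patch that makes the function return early has to change its first bytes. The Python below is an added example of that check, not Trustwave's tooling or the loader's code. The reference prologue and the "memory dumps" it triages are constructed byte strings, not copied from a real amsi.dll; the patch patterns are the publicly documented ones (`mov eax, 0x80070057 ; ret`, which returns E_INVALIDARG, `xor eax, eax ; ret`, a bare `ret`, and jmp trampolines), and `read_live_prologue` is the Windows-only collection routine assumed for real use.

```python
# Added example: integrity check for the AmsiScanBuffer prologue, of the kind a
# defender runs in-process. Not Trustwave's or the loader's code. The reference
# bytes and sample "dumps" are constructed; patch patterns are the widely
# documented AMSI bypass stubs.
import sys

# Constructed stand-in for the first 16 bytes of AmsiScanBuffer as stored in
# the on-disk amsi.dll. A real check reads these from the file (or a pristine
# process) rather than hard-coding them.
REFERENCE_PROLOGUE = bytes.fromhex("4c8bdc49895b0849896b104989731857")

# Known in-memory patches; each makes the call return without scanning.
KNOWN_PATCHES = [
    ("patched: mov eax, 0x80070057 ; ret (E_INVALIDARG)", bytes.fromhex("b857000780c3")),
    ("patched: xor eax, eax ; ret", bytes.fromhex("31c0c3")),
    ("patched: ret", bytes.fromhex("c3")),
]


def classify_prologue(in_memory: bytes, reference: bytes = REFERENCE_PROLOGUE) -> str:
    """Compare the live prologue with the reference and name what was found."""
    sample = in_memory[:len(reference)]
    if sample == reference:
        return "intact"
    for label, pattern in KNOWN_PATCHES:
        if sample.startswith(pattern):
            return label
    # Detours used by hooking frameworks (and by legitimate EDR products).
    if sample[:1] == b"\xe9" and len(sample) >= 5:
        return "hooked: jmp rel32"
    if sample[:2] == b"\x48\xb8" and sample[10:12] == b"\xff\xe0":
        return "hooked: mov rax, imm64 ; jmp rax"
    return "modified (unknown)"


def read_live_prologue(n: int = len(REFERENCE_PROLOGUE)) -> bytes:
    """Windows only: read the first n bytes of AmsiScanBuffer in this process.

    Assumes amsi.dll is loadable here (it is, in any script host that uses
    AMSI). On other platforms the function refuses rather than pretending.
    """
    if sys.platform != "win32":
        raise RuntimeError("amsi.dll only exists on Windows")
    import ctypes
    amsi = ctypes.WinDLL("amsi")
    address = ctypes.cast(amsi.AmsiScanBuffer, ctypes.c_void_p).value
    return ctypes.string_at(address, n)


# Constructed dumps standing in for five hypothetical processes.
SAMPLES = {
    "clean": REFERENCE_PROLOGUE,
    "invalidarg-stub": bytes.fromhex("b857000780c3") + REFERENCE_PROLOGUE[6:],
    "xor-ret-stub": bytes.fromhex("31c0c3") + REFERENCE_PROLOGUE[3:],
    "detour": b"\xe9\x10\x20\x00\x00" + REFERENCE_PROLOGUE[5:],
    "unknown-edit": b"\x90" + REFERENCE_PROLOGUE[1:],
}


def triage(samples=SAMPLES) -> dict:
    """Classify every sample; returns {name: verdict}."""
    return {name: classify_prologue(dump) for name, dump in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name:16s} {verdict}")
```

Treat a detour as "hooked", not "malicious": EDR products install the same kind of trampoline. And compare more than the prologue in practice; a patch placed deeper in the function (for example, on the branch that decides the scan result) passes a prologue-only check, so the robust version diffs the whole function body against the on-disk image.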

The last phase involves decoding and executing Agent Tesla in memory, allowing the threat actors to stealthily exfiltrate sensitive data via SMTP using a compromised email account associated with a legitimate security system supplier in Turkey (“merve@temikan[.]com[.]tr”).

The approach, Trustwave said, not only does not raise any red flags, but also affords a layer of anonymity that makes it harder to trace the attack back to the adversary, not to mention save…


TAD to hold emergency meeting Monday to address ransomware attack


The Tarrant Appraisal District will hold an emergency board meeting March 25 after a criminal ransomware attack disrupted the agency’s network March 21, causing the website to crash.

The district has taken steps to secure the network and is working with cybersecurity experts to investigate, respond and restore the network, it said in a press release.

The incident was reported to the Federal Bureau of Investigation and the Texas Department of Information Resources.

The website is now live again, but emails and phone lines remain down.

Appraisal board member Alan Blaylock, who is also a Fort Worth City Council member, said board members anticipate receiving more detailed information at the March 25 meeting.

“I think that the chief appraiser and the new team are going to great pains to communicate all they can as they are able,” Blaylock said, “and I expect that there will be significant communication coming forward early next week as investigations into what happened continue.”

This is the second criminal cyberattack on the appraisal district’s website. In October 2022, a security breach potentially exposed sensitive taxpayer information. However, the final report found that data was not stolen.

Ransomware attacks were on the rise in 2023, according to data from the FBI. More than 2,800 complaints about ransomware were reported last year, including 156 from government facilities.


OODA Loop – Ransomware Group Takes Credit for Attack on Boat Dealer MarineMax


The Rhysida ransomware group has claimed responsibility for a recent cyberattack on boat dealer MarineMax and is offering to sell allegedly stolen data from the company for a significant sum, starting at 15 bitcoin ($950,000). MarineMax, one of the largest retailers of recreational boats and yachts globally, reported being targeted in a cyberattack that caused some disruption, as disclosed in an SEC filing. Although MarineMax has not provided extensive details about the incident, screenshots of financial documents and spreadsheets have been published by the cybercriminals to demonstrate the theft of valuable data. However, MarineMax stated in its regulatory filing that sensitive data is not stored in the compromised environment. The Rhysida ransomware group, known for targeting various sectors including government, IT, manufacturing, healthcare, and education, encrypts files on compromised systems and demands ransom. Despite researchers developing a decryption tool for Rhysida in February 2024, it is uncertain if the cybercriminals have since updated the malware to render the tool ineffective. The extent of file encryption or data theft in the MarineMax attack remains unclear, and further information from the company is awaited.

Read more: https://www.securityweek.com/ransomware-group-takes-credit-for-attack-on-boat-dealer-marinemax/


Polycab targeted by ransomware attack


New Delhi: Polycab India was targeted by a ransomware attack but the incident has not impacted the core systems and operations of the company.

The electricals and cables major said the cyber-security incident occurred on March 17, 2024, wherein the company’s IT infrastructure was targeted by a ransomware attack.

“However, the incident has not impacted the core systems and operations of the company. Currently, the company’s systems are up and running, all factories are operating, and the company continues to serve its customers,” Polycab India said.

“The technical team of the company along with a specialised team of external cyber-security experts is working actively on analysing the incident,” the company said.

Polycab India shares are up 3 per cent in trade at Rs 4874. The company has a market cap of Rs 73,234 crore.
