
Malicious Microsoft Office docs drop LokiBot malware
It’s been a busy week for Microsoft. Lost in the crush of news about a Chinese APT attack and exploited zero-days fixed in Patch Tuesday, FortiGuard Labs observed several malicious Microsoft Office documents that, when executed, drop the LokiBot malware onto a victim’s system.

In a blog post July 12, FortiGuard Labs said the malicious Microsoft Office documents exploited known remote code execution vulnerabilities: CVE-2021-40444 (CVSS 7.8) and CVE-2022-30190 (CVSS 7.8). Patches have been available for both bugs for well over a year.

The researchers said LokiBot, also known as Loki PWS, is a well-known information-stealing trojan that has been active since 2015. LokiBot primarily targets Windows systems and aims to gather sensitive information from infected machines.

LokiBot exploits various vulnerabilities and employs Visual Basic for Applications (VBA) macros to launch attacks. It also leverages a Visual Basic injector to evade detection or analysis. Leveraging the injector, it can bypass certain security measures and pose a significant threat to users.

“Users should exercise caution when dealing with any Office documents or unknown files, especially those that contain links to external websites,” the researchers said. “It’s essential to be vigilant and avoid clicking on suspicious links or opening attachments from untrusted sources. Additionally, keeping the software and operating systems up-to-date with the latest security patches can help mitigate the risk of exploitation by malware.”

Andrew Barratt, vice president at Coalfire, said these are challenging known vulnerabilities that leverage the classic social engineering methods preying on end users — dropping an alluring attachment in the hopes that a misguided or under-protected end user will open it.

Barratt said that fortunately Microsoft has been on top of the problem from a resolution-and-workaround perspective, so it’s imperative that we remind security teams to keep their endpoint protection products current. 

“As with any remote code execution vulnerability, it’s very important to consider them the highest threat,” said Barratt. “Teams that are concerned it may have slipped through should look through the…

Source…

LockBit 3.0 remains the most active threat actor as ransomware attacks drop in January
In a surprising finding, a new report from NCC Group plc shows that the number of ransomware attacks dropped in January from December, but the number of attacks was still the highest for January in three years.

The NCC Group Monthly Threat Pulse for January 2023 details 165 ransomware attacks in January, down 38% from December 2022. LockBit 3.0 was found to remain the most active threat actor, with 50 attacks, 30% of those detected. Vice Society sat in second place with 13% of attacks, followed by BlackCat at 12%.

LockBit 3.0, which emerged midway through last year, aimed 32% of its attacks at the industrial sector, followed by consumer cyclicals at 16% and technology organizations at 14%. By contrast, Vice Society, a Russian ransomware-as-a-service group, aimed 45% of its attacks at academic and educational services.

BlackCat had a broader attack range, with 25% of its attacks targeting the industrial sector, followed by basic materials, healthcare and consumer cyclicals, each hitting 15% of the group’s targets.

By region, North America topped the ransomware attack list in January, attracting 41%, or 68 attacks, followed by Europe at 34% and Asia at 12%. By sector, industrials attracted 30% of attacks, followed by consumer cyclicals at 15% and academic and education at 11%. The report notes that it was the first time in a year that academic and education had overtaken the technology and government sectors to take third place, driven by a spike in activity from Vice Society.

The report also highlights the rise of threat actor “AcridRain.” The group first emerged in October 2022 and has started to gain traction with a revamped “infostealer,” which is malware designed to steal victim information, including passwords.

The new iteration of malware from AcridRain is described as “one to look out for,” since it rebrands itself to fit the current “market” standard functionality of infostealers. This is said to allow the group to refocus on targeting cryptocurrency and crypto wallets specifically, renting out stealer software to other actors. NCC Group expects AcridRain to evolve further and develop its operations, capability and reach over the coming…

Source…

ESET Threat Report T2 2022: RDP attacks see further drop; ransomware loses war-related messaging
DUBAI, DUBAI, UNITED ARAB EMIRATES, October 6, 2022 /EINPresswire.com/ — ESET released today its T2 2022 Threat Report, summarizing key statistics from ESET detection systems, and highlighting notable examples of ESET’s cybersecurity research. The latest issue of the ESET Threat Report (covering May to August 2022) sheds light on the changes in ideologically motivated ransomware, Emotet activity, the most-used phishing lures, how the plummeting cryptocurrency exchange rates affected online threats, and the continuation of the sharp decline of Remote Desktop Protocol (RDP) attacks. ESET analysts think these attacks continued to lose their steam due to the Russia-Ukraine war, along with the post-COVID return to offices and overall improved security of corporate environments.

Even with declining numbers, Russian IP addresses continued to be responsible for the largest portion of RDP attacks. “In T1 2022, Russia was also the country that was most targeted by ransomware, with some of the attacks being politically or ideologically motivated by the war. However, ESET Threat Report T2 2022 shows that this hacktivism wave has declined in T2, and ransomware operators turned their attention towards the United States, China, and Israel,” explains Roman Kováč, Chief Research Officer at ESET.

According to ESET telemetry, August was a vacation month for the operators of Emotet, the most influential downloader strain. The gang behind it also adapted to Microsoft’s decision to disable VBA macros in documents originating from the internet and focused on campaigns based on weaponized Microsoft Office files and LNK files.

The report also examines threats mostly impacting home users. ESET phishing feeds showed a sixfold increase in shipping-themed phishing lures, most of the time presenting the victims with fake DHL and USPS requests to verify shipping addresses. “In terms of threats directly affecting virtual and physical currencies, a web skimmer known as Magecart remains the leading threat going after online shoppers’ credit card details. We also saw a twofold increase in cryptocurrency-themed phishing lures and a rising number of…

Source…

Malicious PyPI packages drop ransomware, fileless malware
In this Help Net Security video, Ax Sharma, Senior Security Researcher at Sonatype, discusses newly found PyPI packages that pack ransomware, and another package that appears to be safe but silently drops fileless malware to mine cryptocurrency (Monero) on the infected system – all while evading detection.

Source…