Tag Archive for: strain

Sophisticated Latrodectus Malware Linked to 2017 Strain


Cybercrime, Fraud Management & Cybercrime, Governance & Risk Management

New Malware With Ties to IcedID Loader Evades Detection, Gains Persistence


Security researchers are warning about a relatively new malware called Latrodectus, believed to be an evolutionary successor to the IcedID loader. It has been detected in malicious email campaigns since November 2023, and recent enhancements make it harder to detect and mitigate.


Proofpoint’s Threat Research team, in partnership with Team Cymru S2 Threat Research, spotted nearly a dozen campaigns delivering Latrodectus beginning in February 2024. The malware, used by initial access brokers, downloads payloads and executes arbitrary commands.

While initial analysis suggested Latrodectus is a new variant of IcedID, subsequent research found that it is a new malware most likely named Latrodectus because of a string identified in the code. Latrodectus employs infrastructure used in historic IcedID operations, indicating potential ties to the same threat actors. IcedID, first discovered in 2017, has been described as a banking Trojan and remote access Trojan.

The researchers also gained insight into the activities of TA577 and TA578, the primary distributors of Latrodectus, which illustrates how these threat actors' tactics have evolved over time.

TA577, previously…

Source…

New strain of the Phobos ransomware discovered in VBA script


A new variant of the Phobos ransomware called “FAUST” was discovered, one that’s a concern because it can maintain persistence in a network environment and creates multiple threads for efficient execution.

In a Jan. 25 blog post, FortiGuard Labs researchers said they found this by uncovering an Office document that contained a Visual Basic for Applications (VBA) script aimed at propagating the FAUST ransomware.

The researchers said the attackers used the Gitea service to store several files encoded in Base64, each carrying a malicious binary. FortiGuard Labs said when these files are injected into a system’s memory, they initiate a file encryption attack.

FortiGuard Labs researchers said the Phobos ransomware family emerged in 2019 and has since been involved in numerous cyberattacks. Phobos ransomware typically appends encrypted files with a unique extension and demands a ransom payment in cryptocurrency for the decryption key. The researchers said they have captured and reported on several ransomware variants from the Phobos family, including EKING and 8Base.

The Fortinet research on the FAUST variant of Phobos ransomware reveals it as a sophisticated threat, particularly because of its fileless attack method and its ability to persistently embed itself within a network, said Anurag Gurtu, chief product officer at StrikeReady.

“While advising users not to click on suspicious links is a basic defense, it’s clear that more robust measures are needed,” said Gurtu. “Businesses should consider advanced cybersecurity strategies, including regular software updates, employee cybersecurity training, and employing comprehensive security systems to detect and mitigate such threats.”

John Bambenek, president at Bambenek Consulting, added that macros remain a dangerous part of malware delivery because VBAs offer functionality that many companies use for day-to-day applications.

“The safest way to deal with this threat is to disable VBA in Office entirely,” explained Bambenek. “However, if that’s not an option, organizations can at least disable ‘high-risk’ functionality in VBAs using Windows Defender Attack Surface Reduction, such as preventing Office applications from creating child…

Source…

RTM Locker’s First Linux Ransomware Strain Targeting NAS and ESXi Hosts


Apr 27, 2023 | Ravie Lakshmanan | Linux / Endpoint Security

The threat actors behind RTM Locker have developed a ransomware strain that’s capable of targeting Linux machines, marking the group’s first foray into the open source operating system.

“Its locker ransomware infects Linux, NAS, and ESXi hosts and appears to be inspired by Babuk ransomware’s leaked source code,” Uptycs said in a new report published Wednesday. “It uses a combination of ECDH on Curve25519 (asymmetric encryption) and Chacha20 (symmetric encryption) to encrypt files.”

RTM Locker was first documented by Trellix earlier this month, describing the adversary as a private ransomware-as-a-service (RaaS) provider. It has its roots in a cybercrime group called Read The Manual (RTM) that’s known to be active since at least 2015.

The group is notable for deliberately avoiding high-profile targets such as critical infrastructure, law enforcement, and hospitals so as to draw as little attention as possible. It also leverages affiliates to ransom victims, in addition to leaking stolen data should they refuse to pay up.

The Linux flavor is specifically geared to single out ESXi hosts by terminating all virtual machines running on a compromised host prior to commencing the encryption process. The exact initial infector employed to deliver the ransomware is currently unknown.


“It is statically compiled and stripped, making reverse engineering more difficult and allowing the binary to run on more systems,” Uptycs explained. “The encryption function also uses pthreads (aka POSIX threads) to speed up execution.”


Following successful encryption, victims are urged to contact the support team within 48 hours via Tox or risk having their data published. Decrypting a file locked with RTM Locker requires both the public key appended to the end of the encrypted file and the attacker’s private key.

The development comes as Microsoft revealed that vulnerable PaperCut servers are being actively targeted by threat…

Source…

This advanced new malware strain leaves you practically defenceless


An extremely potent malware, delivered in a way that’s immune to most cybersecurity measures, was discovered infecting high-profile Chinese individuals.

Cybersecurity researchers from Kaspersky have discovered malware they call WinDealer, distributed and used by a Chinese Advanced Persistent Threat (APT) actor called LuoYu. WinDealer, the researchers say, is capable of collecting “an impressive amount” of information. It can view and download any files stored on the device, as well as run a keyword search on all the documents.

Source…