Cyber Hub

This week, security researchers reported a new technique of the LockBit 3.0 operation, one that leverages Microsoft Defender as a tool to load Cobalt Strike payloads.

This week, security researchers disclosed a new Linux-based ransomware, targeting compromised VMware ESXi servers.

During the past week, security researchers shared a thorough investigation into the XorDDoS malware. Additionally, researchers detected a campaign that has been targeting vulnerable MS SQL servers. Finally, security researchers shared a research report covering recent developments of the UpdateAgent malware dropper.

This past week, several different malware campaigns were observed. The campaigns included malware such as Emotet, Agent Tesla, and others. The targeted operating systems throughout all of the malware campaigns mentioned include Windows, Linux, and macOS. Furthermore, the initial access for each campaign is different, but it seems that plenty of these malwares are spreading in phishing campaigns.

During the past week, security researchers shared a research report covering an emerging APT group named UNC3524. This highly sophisticated threat actor - suspected to be of Russian origins - was able to remain under the radar for 18 months without being detected. Additionally, researchers encountered a sophisticated malware framework named NetDooka, and have taken a closer look into the notorious Winnti Group’s operations, campaigns, and arsenal. Finally, last week, cyber security researchers also spotted a new Windows malware named Raspberry Robin, with worm-like capabilities that propagate through removable USB devices.

During the past week, security researchers shared a research report specifying new delivery techniques tested in a recent Emotet malware campaign. In addition, researchers disclosed a new malware loader called Bumblebee - used by multiple crimeware threat actors previously observed delivering BazaLoader and IcedID. Researchers also observed a RIG Exploit Kit campaign using exploits found in Internet Explorer, to deliver the RedLine Stealer. Finally, security researchers did a deep dive into the SaintStealer malware, a C# .NET-based information stealer developed by the Saint gang. The malware is not packed and has multiple functionalities to steal credentials and system information.

During the past week, security researchers shared an in-depth report on an ongoing LemonDuck botnet campaign that targets Docker to mine crypto currency on Linux machines. In addition, researchers disclosed a new information stealer abusing fake Windows 11 installers to lure victims.

Over the past week, researchers exposed a new malware named Tarrask, used by the Chinese group Hafnium to maintain persistence on compromised Windows systems by creating and hiding scheduled tasks. Moreover, researchers discovered a new QakBot infection vector that utilizes Windows Installer. Lastly, researchers uncovered two new Distributed Denial of Service (DDoS) botnets. The first one, named Fodcha, is known for its rapid mass infection capabilities. The second, named Enemybot, developed by the Keksec threat group, is using Linux-based Gafgyt source code and borrows several modules from the Mirai malware.

This past week, researchers delved deeper into Russian threat actor FIN7’s evolving toolkit and role in today’s ransomware scene. In addition, security researchers deep dove into the connection between the “Stolen Image Evidence” campaign and the IceID trojan, which has turned out to be a new way of spreading the Conti ransomware.

This week, cyber security researchers came across a new obfuscation technique while investigating a Hive ransomware attack. This technique was used to construct and execute a shellcode responsible for downloading a Cobalt Strike beacon. In addition, a new strain of Python ransomware is now targeting environments using the data visualization tool, Jupyter Notebook.