Securelist
@Securelist
2.8K posts

The resource for Kaspersky experts' technical research, analysis, and thoughts.
Worldwide. Joined April 2009
1.4K Following, 18.9K Followers
Securelist @Securelist
"The equipment they use is unlike what you find in a typical IT environment," explains Emad Haffar, META's Head of Tech Experts. "Heavy-duty, industrial machinery is integral to moving cargo and coordinating logistics. If even one of these machines is compromised, it could disrupt entire operations." Read the full interview with our expert Emad Haffar to discover how Kaspersky empowered a regional port to defend its critical operations: edgemiddleeast.com/security/how-k…
Securelist @Securelist
We've written extensively about the Lazarus APT and its BlueNoroff subgroup here at Kaspersky, and they're often at the forefront of APT innovation and experimentation. Recently we detected a new Manuscrypt infection on the personal computer of a person living in Russia. This is interesting, as Lazarus tend to target businesses, not individuals. What we found was that, prior to the detection of Manuscrypt, our technologies had also detected exploitation of the Google Chrome web browser originating from the website detankzone[.]com, a decentralized finance (DeFi), NFT-based (non-fungible token) multiplayer online battle arena (MOBA) tank game. However, under the hood we discovered a hidden script which ran in the user's Google Chrome browser, launching a zero-day exploit and giving the attackers complete control over the victim's PC. Additionally, the work that Lazarus put into the social engineering side of the campaign should be recognised: for several months, they built a social media presence, made regular posts on X from multiple accounts and promoted their game with content produced by #GenerativeAI and graphic designers. Finally, the game that was used as bait was actually found to work! Whilst rudimentary, it could very well be the first game created by an APT group. Learn more: securelist.com/lazarus-apt-st… #TheSAS2024
Securelist @Securelist
Grandoreiro is a well-known Brazilian banking trojan, which forms part of the Tetrade umbrella and has been active since at least 2016. INTERPOL and law enforcement agencies across the globe continue to fight against it, and we're proud to be a big part of that fight, sharing TTPs and IoCs with law-enforcement agencies across the globe. In our latest article we look at how the gang operates, its evolution over time, and the new tricks that have been adopted by the malware (such as the use of three DGAs (domain generation algorithms) in its C2 comms). Learn more: securelist.com/grandoreiro-ba…
Securelist @Securelist
Analysis of new Crypt Ghouls threat group 👻 Last December, we discovered a new group targeting Russian businesses and government agencies with #ransomware. Investigation into this group's activity suggests a connection between it and other groups which are actively targeting Russian entities. The group is deploying toolkits including Mimikatz, XenAllPasswordPro, PingCastle, Localtonet, resocks, AnyDesk and PsExec, and, as the final payload, LockBit 3.0 and Babuk. Additionally, as previously noted, we've noticed a fair bit of overlap in the TTPs between this group and other well-known groups such as MorLock, BlackJack and Shedding Zmiy. Read the full report ⇒ kas.pr/osu8
Securelist @Securelist
We've recently discovered a new Trojan, dubbed Awaken Likho, which is targeting Russian government agencies and industrial enterprises. Active since 2021, it has recently updated its toolkit and has replaced UltraVNC with MeshAgent, an open-source remote management tool. Additionally, the group is using AutoIt in the attack chain. The tactic for infiltrating target companies remains targeted phishing, with significant effort put into reconnaissance to produce convincing bait. Read our full report ⇒ kas.pr/1jp2
Securelist @Securelist
Although the technique is not exactly new, criminals are spreading malware through fake websites offering popular software such as #uTorrent, Microsoft Office, and Minecraft. They're also looking to spread their malware through #Telegram and #YouTube channels, installing Wazuh SIEM agents on victims' devices. Full story: kas.pr/f4en
Securelist @Securelist
For close to 20 years, we've used machine learning to help us automate threat detection and anomaly recognition, as well as to enhance the accuracy of malware identification. In our latest article, we look at how we managed to achieve a 25% increase in APT detection via ML. Learn more: kas.pr/821t
Securelist @Securelist
Regular readers may recall when we wrote about 'Necro', which we first talked about way back in 2019. Back then, we discovered a Trojan in CamScanner which had managed to clock up over 100 million downloads on Google Play. Fast-forward to today and the trojan has found its way inside Spotify mods, camera apps and even mods for Minecraft and WhatsApp. Full story: kas.pr/yo8a
Securelist @Securelist
-=TWELVE=- is a threat group which is primarily targeting Russian government organizations. They specialize in encrypting and then deleting victims’ data, which suggests that their main goal is to inflict as much damage as possible on endpoints. We look at the evolution of the group and how they're targeting victims. Full report: kas.pr/z98r
Securelist @Securelist
We have discovered a new web shell infection which is targeting a government entity in the Middle East. This is a new variant of the known China Chopper malware and has been attributed to the Tropic Trooper group, which has been active for over a decade. More ⇒ kas.pr/2aex
Securelist @Securelist
For clarity, we also break down the report into mobile and non-mobile statistics. You can read both here: Mobile: kas.pr/c87e Non-mobile: kas.pr/y653
Securelist @Securelist
Our Q2 Threat Evolution report is live. In the report we take a look at the XZ backdoor, the DuneQuixote campaign targeting the Middle East, ToddyCat's focus on APAC, as well as how threat actors are using LockBit to generate targeted ransomware. Full report: kas.pr/u8ac
Securelist reposted
Eugene Kaspersky @e_kaspersky
HZ Rat backdoor for macOS attacks users of China’s DingTalk and WeChat 👉 kas.pr/c4gw
Securelist @Securelist
In large organizations, you might encounter incredibly old computers based on 1960s technologies. These mainframes are not only unique in their software and hardware architecture but also quite fragile: it's crucial not to disrupt their operation, as it directly impacts business continuity. So, how can you identify that you're dealing with a mainframe, what testing methods are acceptable for this technology, and what advantages do these systems offer to attackers? In our latest article we explore working with old IBM mainframes running z/OS. Full story: securelist.com/zos-mainframe-…
Securelist @Securelist
Recently we discovered the well-known #Necro downloader hiding inside a modified #Spotify app: opentip.kaspersky.com/acb7a06803e6de…. It's similar to the Triada trojan and is capable of downloading and launching arbitrary DEX files. It's distributed through websites offering Spotify modifications. More details coming soon.
Securelist reposted
TheSAS2025 @TheSAScon
🍎 Since the last SAS, we've all been very curious about iOS hacking, so a talk on this topic is a welcome addition to the #TheSAS2024 agenda! ✨ Lars Fröder (@opa334dev) will cover the state of iOS hacking in 2024 and discuss Apple's protections against kernel exploitation—and the workarounds for them. For agenda updates, visit kas.pr/6pyu
Securelist @Securelist
We look at memory corruption vulnerabilities in the open-source projects Suricata and FreeRDP and see what you can do to mitigate them. securelist.com/suricata-freer…