Entries by GoVanguard

China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations

The Anomali Threat Research Team has identified an ongoing campaign which it believes is being conducted by the China-based threat group, Mustang Panda. The team first revealed these findings on Wednesday, October 2, during Anomali Detect 19, the company’s annual user conference, in a session titled: “Mustang Panda Riding Across Country Lines.” REFERENCE: https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations TAG: […]

Charming Kitten Campaign Keeps Going on, Using New Impersonation Methods

Charming Kitten, an Iranian APT group, plays a role in the domain of cyber-attacks for the purpose of interfering with democratic procedures. On 4th of October 2019, Microsoft has announced that Phosphorus (known as Charming Kitten) attempted to attack email accounts that are associated with the following targets: U.S. presidential campaign, current and former U.S. […]

FunkyBot: A New Android Malware Family

By monitoring the campaign primarily targeting Japanese service providers, FortiGuard Labs was able to identify this campaign and what, to the best of our knowledge, is a new malware family. During our analysis, we also encountered other samples that were not completely developed and lacked some of the functionalities discussed in this blogpost, suggesting that […]

Qbot/Qakbot Attempts to Evade Detection By Overwriting Itself

Qbot, or Qakbot, is a banking trojan that has been seen in the wild for at least 10 years. Recent campaigns have been often delivered by exploit kits and weaponized documents delivered via context-aware phishing campaigns. Qbot has also been suspected of delivering MegaCortex ransomware. Many recent samples are observed to conduct worm-like behavior to […]

New Fileless Botnet Novter Distributed by KovCoreG Malvertising Campaign

We found a new modular fileless botnet malware, which we named “Novter,” (also reported and known as “Nodersok” and “Divergent”) that the KovCoreG campaign has been distributing since March. We’ve been actively monitoring this threat since its emergence and early development, and saw it being frequently updated. KovCoreG, active since 2011, is a long-running campaign […]

PcShare Backdoor Attacks Targeting Windows Users with FakeNarrator Malware

Over the course of the last two years, BlackBerry Cylance researchers uncovered a suspected Chinese advanced persistent threat (APT) group conducting attacks against technology companies located in south-east Asia. The threat actors deployed a version of the open-source PcShare backdoor modified and designed to operate when side-loaded by a legitimate NVIDIA application. REFERENCE: https://threatvector.cylance.com/en_us/home/pcshare-backdoor-attacks-targeting-windows-users-with-fakenarrator-malware.html TAGS: […]

TrickBot or Treat

The FortiGuard SE Team discovered a particularly interesting targeted attack towards the end of August in Virus Total. The attack targeted a supplier for a distribution/logistics provider to a nation state. The email contained an attachment that appeared to have been sent by a company that manufactures and distributes electrical components and other parts, and […]

Magecart: Swiper, No Swiping

Threat hunters from IBM X-Force Incident Response and Intelligence Services (IRIS) have identified malicious activity we have attributed to a financially motivated cybercrime faction known as Magecart 5 (MG5). Our research reveals that MG5 is likely testing malicious code designed for injection into benign JavaScript files loaded by commercial grade Layer 7 routers, routers that […]

New WhiteShadow downloader uses Microsoft SQL to retrieve malware

Proofpoint researchers encountered new Microsoft Office macros, which collectively act as a staged downloader that we dubbed “WhiteShadow.” Since the first observed occurrence of WhiteShadow in a small campaign leading to infection with an instance of Crimson RAT, we have observed the introduction of detection evasion techniques. These changes include ordering of various lines of […]

How Tortoiseshell created a fake veteran hiring website to host malware

Cisco Talos recently discovered a threat actor attempting to take advantage of Americans who may be seeking a job, especially military veterans. The actor, previously identified by Symantec as Tortoiseshell, deployed a website called hxxp://hiremilitaryheroes[.]com that posed as a website to help U.S. military veterans find jobs. The URL is strikingly close to the legitimate […]