Posts

Showing posts from August, 2024

How the UULoader malware works

A new type of malware called UULoader is being used by threat actors to deliver next-stage payloads like Gh0st RAT and Mimikatz. The Cyberint Research Team, which discovered the malware, said it's distributed in the form of malicious installers for legitimate applications targeting Korean and Chinese speakers. There is evidence pointing to UULoader being the work of a Chinese speaker due to the presence of Chinese strings in program database (PDB) files embedded within the DLL file. One of the executables is a legitimate binary that's susceptible to DLL side-loading, which is used to sideload the DLL file that ultimately loads the final stage, an obfuscated file named "XamlHost.sys" that's nothing but remote access tools such as Gh0st RAT or the Mimikatz credential harvester. Present within the MSI installer file is a Visual Basic Script (.vbs) that's responsible for launching the executable – e.g., Realtek – with some UULoader samples also running a decoy ...

FIN7 cybercrime group

Cybersecurity researchers have discovered new infrastructure linked to a financially motivated threat actor known as FIN7. The two clusters of potential FIN7 activity "indicate communications inbound to FIN7 infrastructure from IP addresses assigned to Post Ltd (Russia) and SmartApe (Estonia), respectively," Team Cymru said in a report published this week as part of a joint investigation with Silent Push and Stark Industries Solutions. The findings build on a recent report from Silent Push, which found several Stark Industries IP addresses that are solely dedicated to hosting FIN7 infrastructure. The latest analysis indicates that the hosts linked to the e-crime group were likely procured from one of Stark's resellers. "Reseller programs are common in the hosting industry; many of the largest VPS (virtual private server) providers offer such services," the cybersecurity company said. "Customers procuring infrastructure via resellers generally must fol...

StealC malware

Stealc is a stealer malware that targets victims' sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, a control panel, evasion mechanisms, string obfuscation, and more. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. StealC is an infostealer variant focused on the theft of confidential information, including browser-stored data, cookies, cryptocurrency wallets, and data from various messaging applications. In a recent campaign, StealC binaries have been disguised as installer/setup files for various well-known applications or cracked software installations. The fake installers are distributed via publicly accessible file repositories such as GitHub, Mega or Dropbox, among others. Symantec protects you from this threat, identified by the following: Behavior-based: SONAR.Stealer!gen2; File-based: Trojan.Gen.MBT, WS.Malware.1; Machine Learning-based: Heur...

Georgy Kavzharadze biography: hacker profile introduction

A 27-year-old Russian national has been sentenced to over three years in prison in the U.S. for peddling financial information, login credentials, and other personally identifying information (PII) on a now-defunct dark web marketplace called Slilpp. Georgy Kavzharadze, 27, of Moscow, Russia, pleaded guilty to one count of conspiracy to commit bank fraud and wire fraud earlier this February. In addition to a 40-month jail term, Kavzharadze has been ordered to pay $1,233,521.47 in restitution. The defendant, who went by the online monikers TeRorPP, Torqovec, and PlutuSS, is believed to have listed over 626,100 stolen login credentials for sale on Slilpp and sold more than 297,300 of them on the illicit marketplace between July 2016 and May 2021. "Those credentials were subsequently linked to $1.2 million in fraudulent transactions," the U.S. Department of Justice (DoJ) said. Russian Citizen Sentenced to 40 Months for Selling Stolen Financial Information on the C...

Cloud account hacks turned into an extortion campaign

A large-scale extortion campaign has compromised various organizations by taking advantage of publicly accessible environment variable files (.env) that contain credentials associated with cloud and social media applications. "Multiple security missteps were present in the course of this campaign, including the following: Exposing environment variables, using long-lived credentials, and absence of least privilege architecture," Palo Alto Networks Unit 42 said in a Thursday report. The campaign is notable for setting up its attack infrastructure within the infected organizations' Amazon Web Services (AWS) environments and using them as a launchpad for scanning more than 230 million unique targets for sensitive data. With 110,000 domains targeted, the malicious activity is said to have netted over 90,000 unique variables in the .env files, of which 7,000 belonged to organizations' cloud services and 1,500 variables are linked to social media accounts. The campaign in...