Threat Research

    "Investigating A Web Shell Intrusion" details an incident where endpoint sensors detected suspicious activity from an IIS worker (w3wp.exe). The attacker uploaded a web shell to the IIS server, which was previously unrestricted....
    When executing large-scale attacks, threat actors often leave traces by reusing, rotating, or sharing parts of their infrastructure during campaign automation. Defenders can exploit this behavior by pivoting on known indicators to identify newer infrastructure....
    "Emerging Phishing Attack on Cyber Space of Bangladesh" refers to a recent surge in phishing campaigns targeting government organizations, law enforcement agencies, educational institutions, and other sectors in Bangladesh. These attacks involve impersonating official entities to steal sensitive information through malicious attachments and links....
    In this analysis, we examined the rootkit malware in detail. We first described how the kernel module establishes a Netfilter hook function on NF_INET_PRE_ROUTING to intercept incoming TCP traffic directed to the compromised system....
    Attackers exploit platforms like YouTube and social media to share links to fake installers, leveraging user trust to drive traffic to malicious sites. They often use trusted file hosting services like Mediafire and Mega.nz to hide the origin of malware and evade detection....
    "Potentially Suspicious Ping/Copy Command Combination" refers to a detection for a single command line that combines "ping" (normally a network-reachability test) with "copy" (file duplication). In such one-liners ping is typically not diagnostic at all but serves as a crude sleep before the copy runs....
    In December 2024, two critical vulnerabilities in Microsoft's Windows LDAP were addressed, including CVE-2024-49113, a denial-of-service (DoS) vulnerability. A fake proof-of-concept (PoC) exploit for CVE-2024-49113, known as LDAPNightmare, has been used to lure security researchers into downloading and executing information-stealing malware....
    For years, cybercriminals have been creating malicious Microsoft Office documents to exploit CVE-2017-0199. While this vulnerability primarily affects outdated systems, new exploited samples continue to emerge almost daily. One particular campaign, active since at least 2023, frequently distributes DBatLoader/GuiLoader....
    The "ScreenConnect User Database Modification - Security" rule detects changes to the temporary XML user database file, which may indicate local user modifications on the ScreenConnect server....
    Detects the execution of certutil with the "encode" flag to convert a file to Base64, targeting files located in potentially suspicious directories....
    Recent changes to HeartCrypt-packed malware include a shift in how the malware payload is hidden. Previously, the position-independent code (PIC) was stored in the PE file's resource data, but now the payload is hidden in two separate files disguised as BMP images. These files contain a fake BMP header, followed by junk data, an XOR key, and XOR-encrypted data....
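The carrier layout described above (fake BMP header, junk, XOR key, XOR-encrypted data, payload split across two files) can be exercised end to end with a small decoder. The block below is an added example, not HeartCrypt's code or any vendor's unpacker. Everything about offsets is an assumption chosen for illustration: a 54-byte fake header, a junk region and a key whose lengths are passed in as parameters because the page gives no fixed values, and a constructed payload rather than bytes from a real sample. The header-consistency check is the reusable part for triage: a genuine BMP's declared dimensions predict its file size, a carrier's do not.

```python
"""Decode a HeartCrypt-style 'fake BMP' payload carrier (constructed sample).

Added example, not HeartCrypt's code or any vendor's unpacker. The layout is
an assumption for illustration: a 54-byte fake BMP header (14-byte file
header + 40-byte BITMAPINFOHEADER), a junk region, an XOR key, then the
XOR-encrypted half of the payload. Junk and key lengths are parameters
because the page gives no fixed values; real samples have to be measured.
"""
import struct

BMP_HEADER_LEN = 54  # assumed: 14-byte file header + 40-byte DIB header

# Constructed test data, not bytes from a real sample.
SAMPLE_PLAIN = b"MZ\x90\x00" + bytes(range(60))          # stand-in for a PIC/PE blob
SAMPLE_KEY = bytes.fromhex("5aa51337ff42c399")            # 8-byte XOR key
SAMPLE_JUNK = bytes((i * 7) & 0xFF for i in range(37))   # 37 bytes of filler


def xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_fake_bmp(plain_half: bytes, key: bytes, junk: bytes) -> bytes:
    """Construct one carrier file in the assumed layout (test data only)."""
    body = junk + key + xor(plain_half, key)
    total = BMP_HEADER_LEN + len(body)
    # BITMAPFILEHEADER: magic, declared file size, two reserved words, pixel-data offset
    file_hdr = struct.pack("<2sIHHI", b"BM", total, 0, 0, BMP_HEADER_LEN)
    # BITMAPINFOHEADER with plausible but meaningless 64x64 24bpp dimensions
    dib_hdr = struct.pack("<IiiHHIIiiII", 40, 64, 64, 1, 24, 0, len(body), 2835, 2835, 0, 0)
    return file_hdr + dib_hdr + body


def header_inconsistencies(data: bytes) -> list:
    """Triage: a genuine BMP's header agrees with its own body; a carrier rarely does."""
    if len(data) < BMP_HEADER_LEN or data[:2] != b"BM":
        return ["no BM magic / too short"]
    findings = []
    declared_size = struct.unpack_from("<I", data, 2)[0]
    pix_off = struct.unpack_from("<I", data, 10)[0]
    width, height = struct.unpack_from("<ii", data, 18)
    bpp = struct.unpack_from("<H", data, 28)[0]
    if declared_size != len(data):
        findings.append(f"declared size {declared_size} != actual {len(data)}")
    stride = ((width * bpp + 31) // 32) * 4          # BMP rows are padded to 4 bytes
    expected = pix_off + stride * abs(height)
    if expected != len(data):
        findings.append(f"{width}x{height}@{bpp}bpp implies {expected} bytes, file has {len(data)}")
    return findings


def extract_half(data: bytes, junk_len: int, key_len: int) -> bytes:
    """Skip header and junk, read the key, XOR-decrypt the remainder."""
    if len(data) < BMP_HEADER_LEN or data[:2] != b"BM":
        raise ValueError("not a BM container")
    pos = BMP_HEADER_LEN + junk_len
    key = data[pos:pos + key_len]
    if len(key) != key_len or not any(key):
        raise ValueError("key region truncated or all zero")
    return xor(data[pos + key_len:], key)


def reassemble(carriers, junk_len: int, key_len: int) -> bytes:
    """Payload is split across two carriers; decrypt each and concatenate in order."""
    return b"".join(extract_half(c, junk_len, key_len) for c in carriers)


def demo():
    half = len(SAMPLE_PLAIN) // 2
    carriers = [build_fake_bmp(SAMPLE_PLAIN[:half], SAMPLE_KEY, SAMPLE_JUNK),
                build_fake_bmp(SAMPLE_PLAIN[half:], SAMPLE_KEY, SAMPLE_JUNK)]
    recovered = reassemble(carriers, len(SAMPLE_JUNK), len(SAMPLE_KEY))
    return recovered, header_inconsistencies(carriers[0])


if __name__ == "__main__":
    payload, findings = demo()
    print(payload[:4], findings)
```

Against a real sample the junk and key lengths must be measured in a hex editor first; running the decoder with guessed values simply yields noise, and the key-region sanity check only catches the grossest mistakes.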
    Identifies modifications to shell context menu commands. This rule can help uncover potential anomalies or suspicious shell commands....
    "Suspicious File Encoded To Base64 Via Certutil.EXE" examines the use of the Certutil tool with the "encode" flag to convert files into Base64 encoding. This technique is often employed by malicious actors to obfuscate files, particularly when the file extensions appear suspicious....
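The ping/copy, certutil-encode and shell-context-menu detections described in the entries above share the same shape: a predicate over a process-creation or registry event. The block below is an added example that runs all three over constructed events; it is not Sigma's, Elastic's or any vendor's rule code. The event fields are loosely modelled on Sysmon (Image, CommandLine, TargetObject, Details), and the suspicious-directory list, the script-host list and the context-menu key pattern are assumptions chosen for illustration rather than values taken from the page.

```python
"""Three process/registry detections over constructed events.

Added example, not Sigma's or any vendor's rule code. Event dicts are
loosely modelled on Sysmon fields. SUSPICIOUS_DIRS, SCRIPT_HOSTS and the
context-menu key pattern are illustrative assumptions.
"""
import re

SUSPICIOUS_DIRS = ("\\users\\public\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\perflogs\\")
SCRIPT_HOSTS = ("powershell", "cmd.exe", "mshta", "wscript", "cscript", "rundll32", "regsvr32")

# 'ping' and 'copy' anywhere in one command line, either order
PING_COPY_RE = re.compile(r"\bping\b.*\bcopy\b|\bcopy\b.*\bping\b", re.IGNORECASE | re.DOTALL)
# certutil accepts both -encode and /encode
CERTUTIL_ENCODE_RE = re.compile(r"(?:^|\s)[-/]encode\b", re.IGNORECASE)
# HKCR\<progid or *>\shell\<verb>\command default value (assumed key layout)
CONTEXT_MENU_RE = re.compile(
    r"(?:^HKCR\\|\\Software\\Classes\\).*\\shell\\[^\\]+\\command\\\(Default\)$", re.IGNORECASE)

# Constructed events, not real telemetry.
SAMPLE_EVENTS = [
    {"Id": 1, "EventType": "ProcessCreate", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": 'cmd.exe /c ping 127.0.0.1 -n 10 > nul & copy "C:\\Users\\Public\\update.dat" "C:\\ProgramData\\svc.exe"'},
    {"Id": 2, "EventType": "ProcessCreate", "Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil -encode C:\\Users\\Public\\svc.exe C:\\Users\\Public\\svc.txt"},
    {"Id": 3, "EventType": "ProcessCreate", "Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil -encode C:\\Certs\\server.cer C:\\Certs\\server.pem"},
    {"Id": 4, "EventType": "RegistryValueSet",
     "TargetObject": "HKCR\\*\\shell\\Backup\\command\\(Default)",
     "Details": "mshta.exe C:\\Users\\Public\\x.hta"},
    {"Id": 5, "EventType": "ProcessCreate", "Image": "C:\\Windows\\System32\\PING.EXE",
     "CommandLine": "ping 8.8.8.8"},
    {"Id": 6, "EventType": "RegistryValueSet",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\ProgramData\\svc.exe"},
]


def rule_ping_copy(ev):
    if ev.get("EventType") != "ProcessCreate":
        return None
    if PING_COPY_RE.search(ev.get("CommandLine", "")):
        return "Potentially Suspicious Ping/Copy Command Combination"
    return None


def rule_certutil_encode(ev):
    if ev.get("EventType") != "ProcessCreate":
        return None
    if not ev.get("Image", "").lower().endswith("\\certutil.exe"):
        return None
    cmd = ev.get("CommandLine", "")
    if not CERTUTIL_ENCODE_RE.search(cmd):
        return None
    # Only fire when a referenced path sits in a directory attackers favour;
    # certutil -encode on an admin's certificate directory is routine.
    if any(d in cmd.lower() for d in SUSPICIOUS_DIRS):
        return "Suspicious File Encoded To Base64 Via Certutil.EXE"
    return None


def rule_context_menu(ev):
    if ev.get("EventType") != "RegistryValueSet":
        return None
    if not CONTEXT_MENU_RE.search(ev.get("TargetObject", "")):
        return None
    details = ev.get("Details", "").lower()
    host = next((h for h in SCRIPT_HOSTS if h in details), None)
    return "Shell Context Menu Command Modified" + (f" (invokes {host})" if host else "")


RULES = (rule_ping_copy, rule_certutil_encode, rule_context_menu)


def evaluate(events):
    """Return (event id, rule title) for every rule that fires on every event."""
    hits = []
    for ev in events:
        for rule in RULES:
            title = rule(ev)
            if title:
                hits.append((ev["Id"], title))
    return hits


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(*hit)
```

Event 3 is the deliberate negative: certutil -encode on a certificate directory is ordinary administration, which is why the rule keys on the directory and not on the flag alone. Likewise ping/copy pairs occur in legitimate batch scripts, so these titles are "potentially suspicious" triage hits rather than incident declarations.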
    Detects the remote execution of binaries or commands through the ScreenConnect Service. This rule can be used to hunt for potentially unusual activities initiated via ScreenConnect....
    "Inside FireScam: An Information Stealer with Spyware Capabilities" delves into the workings of FireScam, a sophisticated Android malware disguised as a Telegram Premium app. The report analyzes its distribution techniques, operational features, and impact on both individuals and organizations....