

SecurityWeek
In Other News: National Laboratory Breach, Airplane GPS Attacks, Russia Accuses Allies of Hacking
Idaho National Laboratory breach, GPS attacks target airplanes, Russia accuses China and North Korea of hacking.
Bleeping Computer
A sophisticated phishing campaign pushing the DarkGate malware infections has recently added the PikaBot malware into the mix, making it the most advanced phishing campaign since the Qakbot operation was dismantled.
Infosecurity News
DarkGate and PikaBot have been observed as part of phishing campaigns using the same tactics as the ones used by QakBot perpetrators
The Hacker News
New high-volume phishing campaigns mimic tactics of defunct QakBot trojan, hijacking email threads and using unique URLs to deliver DarkGate & PikaBot
The Record
The FBI dismantled the IPStorm botnet proxy network and its infrastructure this week following a September plea deal with the hacker behind the operation.
The Record
The number of ransomware attacks targeting educational institutions shot up to a record high in June, with ransomware gangs publicly claiming more than one attack against a school per day on average.
SecurityWeek
The recent shutdown of the Mozi botnet is believed to have been carried out by its creators, possibly forced by Chinese authorities.
The Record
The leak site of the prolific ransomware gang Ragnar Locker was replaced with a takedown notice from the FBI, Europol and several law enforcement agencies in Europe on Thursday.
Bleeping Computer
Between July and September, DarkGate malware attacks have used compromised Skype accounts to infect targets through messages containing VBA loader script attachments.
Trend Micro
We detail an ongoing campaign abusing messaging platforms Skype and Teams to distribute the DarkGate malware to targeted organizations. We also discovered that once DarkGate is installed on the victim’s system, additional payloads were introduced to the environment.
Infosecurity News
Cisco Talos found new evidence that Qakbot-affiliated actors were still distributing ransomware despite the August FBI takedown of the threat group
CSO
The bad actors behind a dangerous malware campaign may not have been put completely out of action by law enforcement, the Talos research group at Cisco warned today.
DarkReading
A literal seven-nation (cyber) army wasn't enough to hold back the famous initial access broker (IAB) for long — it's been chugging along, spreading ransomware, despite a massive takedown in August.
The Hacker News
Despite infrastructure disruption, QakBot malware operators are still active in an ongoing phishing campaign, delivering Ransom Knight ransomwa
SecurityWeek
Qakbot cybercriminals continue to push malware, which shows they are still operational after the recent takedown attempt.
The Record
Just weeks after an international effort took down the Qakbot botnet's infrastructure, researchers from Cisco Talos say the hackers behind the group have pivoted to spreading ransomware.
Infosecurity News
FBI director Christopher Wray said that partnerships with the private sector have changed the FBI’s approach to fighting cybercrime
CyberSecurity Dive
Christopher Wray told attendees at Mandiant’s mWISE 2023 private sector assistance contributed to the success of several recent operations.
The Hacker News
Cybercriminals behind RedLine and Vidar info-stealers have shifted their focus towards ransomware, employing phishing campaigns.
Trend Micro
In this blog, we investigate how threat actors used information-stealing malware with EV code signing certificates and later delivered ransomware payloads to its victims via the same delivery method.
Infosecurity News
These new sanctions follow a first wave in February 2023, where seven Russians involved with Trickbot and Conti were also sanctioned
The Record
The indictments are the latest example of a more aggressive U.S. law enforcement strategy to battling cybercrime.
Cyber Security News
Researchers observed an uptick in threat actors using PDFs for email-based initial access, highlighting a growing trend in evasive tactics.
The Record
Last week's global takedown of the Qakbot botnet was momentous, but if history is a lesson there is no guarantee the malware won't resurface.
Latest Hacking News
After years of malicious activities, the notorious QakBot (or QBot) malware finally meets its fate as the FBI disrupts the botnet network. Besides taking down the botnet, FBI also cleaned infected systems from the malware. FBI
Cyber Security News
The latest attack techniques, significant weaknesses, and exploits have all been highlighted. We also provide the latest software upgrades available to keep your devices secure.
SecurityWeek
Weekly cybersecurity news roundup providing a summary of noteworthy stories that might have slipped under the radar.
SecurityWeek
Industry professionals comment on the law enforcement operation targeting the Qakbot botnet and its implications.
Trend Micro
A long and challenging journey against cybercrime around the world
Cyber Security News
More than 700,000 victim computers were infected by the Qakbot malware, which contributed to ransomware deployments and caused damage worth hundreds of millions of dollars.
Infosecurity News
With Operation Duck Hunt, the FBI took control of the botnet, allowed victims to uninstall the malware loader and seized $8.6m in cryptocurrency
CyberSecurity Dive
The botnet and malware had infected more than 700,000 computers worldwide and was linked to the abuse of OneNote files.
SecurityWeek
The DreamBus botnet has resurfaced and it has been exploiting a recently patched Apache RocketMQ vulnerability to deliver a Monero miner.
Cyber Security News
Cybersecurity Analysts at ReliaQuest have recently uncovered a multitude of malware loaders that were observed to be the most active this year in 2023.
The Hacker News
Operation Duck Hunt takes down QakBot, a powerful Windows malware! Over 700,000 computers globally compromised. $8.6 Million in crypto seized.
DarkReading
"Operation Duck Hunt" is not likely to eliminate the initial access botnet forever, but the proactive removal of the malware from victim machines by law enforcement is one of the largest and most significant efforts of its kind.
Bleeping Computer
The FBI announced today the disruption of the Qakbot botnet in an international law enforcement operation that not only seized infrastructure but also uninstalled the malware from infected devices.
SecurityWeek
U.S. law enforcement announce the disruption of the notorious Qakbot cybercrime operation and the release of an auto-disinfection tool.
Bleeping Computer
Qakbot, one of the largest and longest-running botnets to date, was taken down following a multinational law enforcement operation spearheaded by the FBI and known as Operation 'Duck Hunt.'
The Hacker News
New malspam campaign uses DarkGate malware to steal data, mine cryptocurrency, and evade detection.
Infosecurity News
ReliaQuest found that 80% of cyber intrusion campaigns used either QakBot, SocGholish or Raspberry Robin
The Record
FBI officials said the international action involved seizure of Qakbot's infrastructure as well as the remote removal of the related malware from victim computers.
SecurityWeek
QakBot, SocGholish, and Raspberry Robin are the three most popular malware loaders, accounting for 80% of the observed incidents.
Infosecurity News
Threat actors use unique infection chains to deploy QakBot malware
The Hacker News
New findings: QakBot malware operators set up 15 new command-and-control servers, raising questions about their activities during the 'break' period.
The Hacker News
Beware of AVRecon botnet! It exploits compromised routers for illegal proxy services.
The Hacker News
Latest findings reveal that the IcedID malware is getting even more dangerous with updates to its BackConnect module for post-compromise activity.
The Hacker News
Alert! A new malware strain called AVrecon has quietly targeted over 70,000 small office/home office (SOHO) routers worldwide.
The Hacker News
New study unveils QBot's crafty techniques: It conceals its constantly evolving C&C infrastructure within residential IP space, with 25% of servers ac
Infosecurity News
Cyber-criminal gangs are mirroring the practices of legitimate businesses to drive efficiencies and increase profits
Security Affairs
Swiss electrification and automation technology giant ABB confirmed it has suffered a data breach after a ransomware attack. ABB has more than 105,000 employees and has $29.4 billion in revenue for 2022. On May 7, 2023, the Swiss multinational company, leading electrification and automation technology provider, suffered a cyber attack that reportedly impacted its business operations. […]
Bleeping Computer
The QBot malware operation has started to abuse a DLL hijacking flaw in the Windows 10 WordPad program to infect computers, using the legitimate program to evade detection by security software.
Security Affairs
The German automotive and arms manufacturer Rheinmetall announced it was victim of a Black Basta ransomware attack that took place last month. Rheinmetall is a German automotive and arms manufacturer that is listed on the Frankfurt stock exchange. The company this week announced it was victim of a ransomware attack conducted by the Black Basta ransomware group. The incident took place […]
Security Affairs
Swiss electrification and automation technology giant ABB suffered a Black Basta ransomware attack that impacted its business operations. Swiss multinational company ABB, a leading electrification and automation technology provider, is the last victim of the notorious Black Basta ransomware group. The company has more than 105,000 employees and has $29.4 billion in revenue for 2022. […]
Bleeping Computer
Swiss multinational company ABB, a leading electrification and automation technology provider, has suffered a Black Basta ransomware attack, reportedly impacting business operations.
Cyber Security News
Beware of phishing campaigns that are distributing the QBot malware via PDFs & Windows Script Files (WSF) to infiltrate your Windows devices.
DarkReading
The infamous Trojan's operators are switching up tactics with the use of simulated business correspondence, which helps instill trust with intended victims, and a stealthier payload.
CSO
The new Qbot email campaign uses a combination of PDF and WSF to install the malware and steal the victim’s banking credentials.
Security Affairs
Kaspersky researchers warn of a new QBot campaign leveraging hijacked business emails to deliver malware. In early April, Kaspersky experts observed a surge in QBot malware attacks (aka Qakbot, QuackBot, and Pinkslipbot). QBot has been active since 2008, it is used by threat actors for collecting browsing data and banking credentials, and other […]
Bleeping Computer
Ex-Conti ransomware members have teamed up with the FIN7 threat actors to distribute a new malware family named 'Domino' in attacks on corporate networks.
The Hacker News
Researchers have uncovered a new QBot malware campaign that is using hijacked business correspondence to lure unsuspecting victims.
Infosecurity News
Observed by Kaspersky, the campaign relied on emails written in English, German, Italian and French
Bleeping Computer
QBot malware is now distributed in phishing campaigns utilizing PDFs and Windows Script Files (WSF) to infect Windows devices.
Security Affairs
The Threat Report Portugal: H2 2022 compiles data collected on the malicious campaigns that occurred from July to December, H2, 2022. The Portuguese Abuse Open Feed 0xSI_f33d is an open-sharing database with the ability to collect indicators from multiple sources, developed and maintained by Segurança-Informática. This feed is based on automatic searches and is supported by a healthy […]
Computerworld
With Attack Surface Reduction rules in Windows 10 and 11 (and other tweaks), users can make it harder for attackers to succeed.
DarkReading
Credential phishing emails are the clear favorite of threat actors, with a 478% spike last year, new research shows.
CSO
Cybercriminals are now exploiting zero-day vulnerabilities for higher profits, which might require a reassessment of your risk.
The Hacker News
Emotet is back, now hiding in Microsoft OneNote email attachments to bypass macro-based security restrictions and compromise systems.
CSO
Akamai report highlights how widespread malware threats remain, noting the dangers of threats specific to DNS infrastructure.
Cyber Security News
CISA Advisory (CSA) revealing that the threat actors behind the Royal ransomware made up to $11 million in Crypto.
Bleeping Computer
The seemingly innocuous Microsoft OneNote file has become a popular file format used by hackers to spread malware and breach corporate networks. Here's how to block malicious OneNote phishing attachments from infecting Windows.
Security Affairs
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of the capabilities of the recently emerged Royal ransomware. The human-operated Royal ransomware first appeared on the threat landscape in September 2022, it has demanded ransoms up to millions of dollars. Unlike other ransomware operations, Royal doesn’t offer Ransomware-as-a-Service, it appears to be a private group without […]
The Hacker News
Royal ransomware is back and targeting US and international organizations! It infiltrates networks, disables antivirus software.
Infosecurity News
Extortion was most common impact from cyber-attacks in 2022
The Record
Google's Threat Analysis Group reports that cyberattacks on Ukraine and its supporters increased aggressively as Russia waged war.
The Hacker News
Researchers are tracking a new financially motivated threat actor, TA866, which has been active since October 2022 and using custom hacking tools.
CSO
Researchers cite an increased prevalence of HTML smuggling activity including impersonation of brands such as Adobe Acrobat, Google Drive, and the US Postal Service.
Bleeping Computer
A new QBot malware campaign dubbed "QakNote" has been observed in the wild since last week, using malicious Microsoft OneNote '.one' attachments to infect systems with the banking trojan.
The Hacker News
Watch out! Microsoft OneNote documents are the latest weapon of choice for cybercriminals to spread malware.
Infosecurity News
The variant is “wormable” and can infect USB devices to hide itself from the Windows OS
CSO
Researchers and government agencies warn that threat actors are increasing their use of commercial RMM tools to enable financial scams.
The Hacker News
Cybersecurity researchers uncover a new variant of PlugX that infects attached USB media devices to spread the malware to other systems.
CSO
Barriers that Microsoft has placed to prevent malicious macros have forced some cybercriminals to use LNK files for malware delivery, but at the cost of easier detection.
DarkReading
The company will block the configuration files, which interact with Web applications — since threat actors increasingly use the capability to install malicious code.
The Hacker News
New study by cybersecurity experts shows potential to identify relationships among threat actors by analyzing metadata of malicious LNK files.
Trend Micro
We discuss the Batloader malware campaigns we observed in the last quarter of 2022, including our analysis of Water Minyades-related events (This is the intrusion set we track behind the creation of Batloader).
The Hacker News
Beware of IcedID malware - it's using attack techniques borrowed from other hackers to quickly compromise Active Directory domains
ZDNet
Joint venture by cybersecurity researchers and law enforcement agencies provides a free decryption tool for ransomware that has hit victims around the world.
Security Affairs
Antivirus firm Bitdefender released a decryptor for the MegaCortex ransomware allowing its victims to restore their data for free. Antivirus firm Bitdefender released a decryptor for the MegaCortex ransomware, which can allow victims of the group to restore their data for free. The MegaCortex ransomware first appeared on the threat landscape in May 2019 when […]
The Hacker News
Vidar stealer now uses throwaway accounts on social media platforms to retrieve the address of its command-and-control servers and steal information.
SecurityWeek
Royal ransomware appears to be operated by seasoned threat actors who used to be part of Conti Team One.
Trend Micro
From September to December, we detected multiple attacks from the Royal ransomware group. In this blog entry, we discuss findings from our investigation of this ransomware and the tools that Royal ransomware actors used to carry out their attacks.
The Record
The number of unique command-and-control servers increased 30% in 2022, an indication that cybercriminals are increasingly using them in attacks
Security Affairs
Talos researchers uncovered a phishing campaign distributing the QBot malware to Windows systems using SVG files. Talos researchers uncovered a phishing campaign distributing the QBot malware using a new technique that leverages Scalable Vector Graphics (SVG) images embedded in HTML email attachments. HTML smuggling is a highly evasive technique for malware delivery that leverages legitimate HTML5 […]
The Hacker News
Cybercriminals are using SVG and HTML smuggling techniques in malicious email campaigns to hide Qakbot malware in HTML email attachments and webpages.
Bleeping Computer
Microsoft has fixed a security vulnerability used by threat actors to circumvent the Windows SmartScreen security feature and deliver payloads in Magniber ransomware attacks.
Infosecurity News
HP's latest report suggests 44% of malware was delivered via archive files in Q3 2022
ZDNet
Careful when you click: Cyber criminals are hiding malicious payload to make it more difficult for users - and anti-virus software - to detect.
CyberScoop
Digital scams looking to steal data and dollars from World Cup fans are in full force as the tournament enters week two.
DarkReading
The ransomware group is using Qakbot to make the initial point of entry before moving laterally within an organization’s network.
Security Affairs
A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box. If you want to also receive for free the newsletter with the international press subscribe here. Data from 5.4M Twitter users obtained from multiple threat actors and combined with data from other […]
Security Affairs
Researchers warn of an ongoing aggressive Qakbot malware campaign that leads to Black Basta ransomware infections in the US. Experts at the Cybereason Global SOC (GSOC) team have observed a surge in Qakbot infections as part of an ongoing aggressive Qakbot malware campaign that leads to Black Basta ransomware infections in the US. In the last two […]
The Hacker News
Black Basta ransomware gang is actively infiltrating U.S. companies with the Qakbot malware to create an initial entry point.
Infosecurity News
Threat actors obtained admin access in two hours and then deployed ransomware in under 12 hours
Cyber Security News
According to a recent analysis from Microsoft's Security Threat Intelligence team, in one of its campaigns, hackers used Google Ads to spread several payloads, which resulted in the deployment of the Royal ransomware.
Security Affairs
Microsoft warns that a threat actor, tracked as DEV-0569, is using Google Ads to distribute the recently discovered Royal ransomware. Researchers from the Microsoft Security Threat Intelligence team warned that a threat actor, tracked as DEV-0569, is using Google Ads to distribute various payloads, including the recently discovered Royal ransomware. The DEV-0569 group carries out […]
The Record
Phishing attacks leveraging FIFA and targeting people living in Middle Eastern countries have grown 100% in the last month as the World Cup approaches.
Bleeping Computer
Phishing emails distributing the QBot malware are using a DLL hijacking flaw in the Windows 10 Control Panel to infect computers, likely as an attempt to evade detection by security software.
DarkReading
Retailers and hospitality companies expect to battle credential harvesting, phishing, bots, and various malware variants.
DarkReading
Several artifacts from recent attacks strongly suggest a connection between the two operations, researchers say.
The Hacker News
A new analysis of the hacking tools employed by the Black Basta ransomware operation has revealed its links to FIN7 (aka Carbanak) hacker group.
Security Affairs
Sentinel Labs found evidence that links the Black Basta ransomware gang to the financially motivated hacking group FIN7. Security researchers at Sentinel Labs shared details about Black Basta’s TTPs and assess it is highly likely the ransomware operation has ties with FIN7. The experts analyzed tools used by the ransomware gang in attacks, some of […]
Cyber Security News
An intrusion was detected by The DFIR Report in early June 2022 that leveraged the Follina vulnerability, CVE-2022-30190, to gain initial access.
The DFIR Report
In early June 2022, we observed an intrusion where a threat actor gained initial access by exploiting the CVE-2022-30190 (Follina) vulnerability which triggered a Qbot infection chain.
Trend Micro
Code signing certificates help us assure the file's validity and legitimacy. However, threat actors can use that against us. In this blog, discover how QAKBOT uses such tactics and learn how to prevent it.
Bleeping Computer
This week's news is action-packed, with police tricking ransomware into releasing keys to victims calling ransomware operations liars.
Security Affairs
Threat actors behind the Emotet bot are continually improving their tactics, techniques, and procedures to avoid detection. VMware researchers have analyzed the supply chain behind the Emotet malware reporting that its operators are continually shifting their tactics, techniques, and procedures to avoid detection. The Emotet banking trojan has been active at least since 2014, the botnet is operated by […]
DarkReading
Many of the technologies and services that organizations are using to isolate Internet traffic from the internal network lack session validation mechanisms, security startup says.
Infosecurity News
The report shows an 11% rise in archive files containing malware, including LNK files
SecurityWeek
A new joint cybersecurity advisory from CISA and the Australian Cyber Security Centre details 2021’s top malware strains.
CyberSecurity Dive
Cybercriminals remain the most prolific users of malware, wielding these top strains to deliver ransomware and steal data.
The Record
The most commonly seen malware strains in 2021 include Agent Tesla, Qakbot, TrickBot, GootLoader and several others, according to a new list released by CISA and the Australian Cyber Security Centre.
Bleeping Computer
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released today a list of the most detected malware strains during last year in a joint advisory with the Australian Cyber Security Centre (ACSC).
Security Affairs
A new round of the weekly Security Affairs newsletter arrived! Every week the best security articles from Security Affairs for free in your email box. If you want to also receive for free the newsletter with the international press subscribe here. Reading the “ENISA THREAT LANDSCAPE FOR RANSOMWARE ATTACKS” report CISA orders to patch an actively exploited […]
The Hacker News
After Microsoft took steps to block VBA macros by default across Office applications, hackers are turning to new attack methods.
DarkReading
With Microsoft disabling Office macros by default, threat actors are increasingly using ISO, RAR, LNK, and similar files to deliver malware because they can get around Windows protections.
Security Affairs
Qakbot malware operators are using the Windows Calculator to side-load the malicious payload on target systems. Security expert ProxyLife and Cyble researchers recently uncovered a Qakbot campaign that was leveraging the Windows 7 Calculator app for DLL side-loading attacks. Dynamic-link library (DLL) side-loading is an attack method that takes advantage of how Microsoft Windows applications handle DLL […]
Cyber Security News
By using Windows Calculator, the QBot malware operators are able to side-load their malicious payload onto the computers that are compromised. In short, Windows Calculator is being used to distribute dangerous code.
DarkReading
In the latest iteration, Qakbot operators are using DLL sideloading to deliver malware, a technique that places legitimate and malicious files together in a common directory to avoid detection.
Bleeping Computer
The operators of the QBot malware have been using the Windows Calculator to side-load the malicious payload on infected computers.
The Hacker News
Microsoft has officially resumed blocking VBA macros by default in all Office applications, weeks after temporarily announcing plans to roll back the
DarkReading
Like a hydra, every time one ransomware gang drops out (REvil or Conti), plenty more step up to fill the void (Black Basta).
The Hacker News
Cybersecurity experts are warning about the "Black Basta" ransomware gang, which has attacked dozens of companies worldwide.
Infosecurity News
Redmond giant will switch to Windows Autopatch service
DarkReading
The new ransomware strain Black Basta is now actively targeting VMware ESXi servers in an ongoing campaign, encrypting files inside a targeted volumes folder.
SecurityWeek
Researchers with IBM Security’s X-Force division have analyzed 13 crypters employed by the cybercrime group behind the infamous TrickBot and Conti malware.
CyberNews
Ransomware gangs have become greedier. Hive requested a whopping $240 million from MediaMarkt, and the average ransom demand grew to $247,000 in 2021.
Trend Micro
During the first quarter of 2022, we discovered a significant number of infections using multiple new Emotet variants that employed both old and new techniques to trick their intended victims into accessing malicious links and enabling macro content.
The Hacker News
Researchers reveal the inner workings of a cybercriminal group known as the Wizard Spider.
The Hacker News
Russian-speaking Conti ransomware gang has threatened to overthrow the newly elected government of Costa Rica with a cyberattack.
Infosecurity News
Report reveals big variety in affiliate groups
ZDNet
Knowing what type of ransomware has hit you is only just the beginning.
Bleeping Computer
The Qbot botnet is now pushing malware payloads via phishing emails with password-protected ZIP archive attachments containing malicious MSI Windows Installer packages.
ZDNet
The internal dealings of Conti ransomware gang were published online, detailing how the operation works. But it hasn't slowed them down.
Infosecurity News
Old botnet performs new trick by inserting itself into the middle of email threads
ZDNet
Hackers know you are more likely to trust messages which look like they're part of an ongoing conversation.
ThreatPost
The ever-shifting, ever-more-powerful malware is now hijacking email threads to download malicious DLLs that inject password-stealing code into webpages, among other foul things.
Security Affairs
The Threat Report Portugal: Q4 2021 compiles data collected on the malicious campaigns that occurred from July to September, Q4, of 2021. The Portuguese Abuse Open Feed 0xSI_f33d is an open sharing database with the ability to collect indicators from multiple sources, developed and maintained by Segurança-Informática. This feed is based on automatic searches and is also supported […]
The DFIR Report
In this intrusion (from November 2021), a threat actor gained its initial foothold in the environment through the use of QBot (a.k.a. Quakbot/Qakbot) malware.
ZDNet
Qbot is old malware but its operators appreciate efficiency.
Bleeping Computer
The widespread malware known as Qbot (aka Qakbot or QuakBot) has recently returned to light-speed attacks, and according to analysts, it only takes around 30 minutes to steal sensitive data after the initial infection.
The DFIR Report
In this case, from October 2021, we will break down how Qbot quickly spread across all workstations in an environment while stealing browser information and emails.
ZDNet
Cybersecurity researchers warn that multiple forms of malware are being stealthily delivered via Microsoft Excel XLL files.
Trend Micro
This week, read about Log4j vulnerabilities in connected cars and charging stations and how iOS malware can fake iPhone shutdowns to snoop on cameras and microphones.
Trend Micro
We analyzed a fileless QAKBOT stager possibly connected to the recently reported Squirrelwaffle campaign.
Bleeping Computer
As QBot campaigns increase in size and frequency, researchers are looking into ways to break the trojan's distribution chain and tackle the threat.
ZDNet
The crafty Qakbot trojan has added ransomware delivery to its malware building blocks.
Bleeping Computer
In a concerning development, the notorious Emotet malware now installs Cobalt Strike beacons directly, giving immediate network access to threat actors and making ransomware attacks imminent.
The DFIR Report
As you have noticed from our reporting so far, Cobalt Strike is used as a post-exploitation tool with various malware droppers responsible for the initial infection stage. Some of the most common droppers we see are IcedID (a.k.a. BokBot), ZLoader, Qbot (a.k.a. QakBot), Ursnif, Hancitor, Bazar and TrickBot.