LATEST THREAT INTELLIGENCE.
Uncovering .NET Malware Obfuscated by Encryption and Virtualization
Description: This article examines advanced obfuscation techniques used in popular malware families like Agent Tesla, XWorm, and FormBook/XLoader. The techniques include code virtualization, staged payload delivery, dynamic code loading, AES encryption, and multi-stage payloads. The malware uses a three-stage process: an encrypted payload in the PE overlay, a virtualized payload using KoiVM, and a final payload that is typically Agent Tesla or XWorm. The obfuscation methods aim to evade sandbox detection and hinder static analysis. The article provides insights into extracting configuration parameters through unpacking each stage and discusses potential automation opportunities for sandboxes performing static analysis.
Created at: 2025-03-03T16:54:17.150000
Updated at: 2025-04-02T16:03:07.051000
Crypto Scammers Exploit: Elon Musk Speaks on Cryptocurrency
Description: Cybercriminals are exploiting a live stream featuring Elon Musk, Cathie Wood, and Jack Dorsey discussing cryptocurrency to conduct scams. They modify the original video, adding frames that advertise malicious websites claiming to double users' cryptocurrency investments. Multiple YouTube channels were identified streaming this altered content. The scam sites use fake transaction tables to create an illusion of legitimacy. As of May 5, 2022, the associated crypto wallets had received transactions totaling $280,000. The scam expanded rapidly, with 15 additional sites discovered within 24 hours, bringing the total value in the wallets to over $1,300,000. Users are urged to be vigilant against such schemes that promise unrealistic returns.
Created at: 2025-04-02T14:21:15.789000
Updated at: 2025-04-02T14:23:04.720000
Campaigns Impersonate the CIA to Target Ukraine Sympathizers, Russian Citizens and Informants
Description: Silent Push Threat Analysts have uncovered a sophisticated phishing campaign targeting individuals sympathetic to Ukraine's defense, Russian citizens, and potential informants. The operation, believed to be orchestrated by Russian Intelligence Services, employs four major phishing clusters impersonating the CIA, Russian Volunteer Corps, Legion Liberty, and Hochuzhit. These campaigns aim to collect personal information from victims through fake websites and forms. The threat actors utilize bulletproof hosting, domain spoofing, and Google Forms to lure targets into providing sensitive data. The campaign's persistence, long-term targeting of specific groups, and impersonation of official organizations without apparent financial motives strongly suggest state-sponsored involvement. Mitigation efforts include identifying and blocking associated domains and IPs.
Created at: 2025-04-01T14:48:14.039000
Updated at: 2025-04-02T08:46:38.980000
Analysis of New Mobile Banking Malware
Description: Salvador Stealer is a newly discovered Android malware that poses as a banking application to steal sensitive user information. It employs a multi-stage attack chain, utilizing a dropper APK to install the main payload. The malware incorporates a phishing website within the app to collect personal and banking data, including Aadhaar numbers, PAN card details, and net banking credentials. It exfiltrates stolen information in real-time to both a phishing server and a Telegram-based Command and Control server. Salvador Stealer also intercepts SMS messages to capture one-time passwords and banking verification codes, bypassing two-factor authentication. The malware demonstrates persistence mechanisms, automatically restarting itself if stopped and surviving device reboots. Analysis revealed exposed infrastructure, including an accessible admin panel, potentially linking the attacker to India.
Created at: 2025-04-01T21:23:35.173000
Updated at: 2025-04-02T08:22:48.301000
Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal
Description: The Black Basta and Cactus ransomware groups have incorporated BackConnect malware into their attack strategies to maintain persistent control over compromised systems. The attackers use social engineering tactics, including email flooding and impersonation of IT support, to gain initial access. They exploit Microsoft Teams and Quick Assist for unauthorized access and privilege escalation. The malware is deployed through abuse of OneDriveStandaloneUpdater.exe, which side-loads malicious DLLs. The attackers utilize commercial cloud storage services to host and distribute malicious files. Since October 2024, most incidents occurred in North America and Europe, with the US being the most affected. The manufacturing sector was the primary target, followed by financial and real estate industries.
Created at: 2025-03-03T08:12:05.908000
Updated at: 2025-04-02T08:00:39.297000
Astrill VPN: New IPs Publicly Released on VPN Service Heavily Used by North Korean Threat Actors
Description: North Korean threat actors, particularly from the Lazarus Group, continue to utilize Astrill VPN to conceal their IP addresses during attacks. Recent infrastructure and logs from the 'Contagious Interview' subgroup confirmed ongoing use of Astrill VPN in their operations. Google's Mandiant and Recorded Future's Insikt Group have also reported on DPRK threat actors' preference for this VPN service. Silent Push analysts have developed a 'Bulk Data Feed' of Astrill VPN IPs, updated in real-time, to help protect against threats. The research includes confirmation of Astrill VPN usage in recent attacks, including the $1.4 billion ByBit heist. A sample list of active Astrill VPN IP addresses is provided, with more comprehensive data available to enterprise users.
Created at: 2025-03-01T18:36:14.364000
Updated at: 2025-04-02T00:04:46.454000
Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers downstream
Description: In January 2025, a Managed Service Provider administrator was targeted by a sophisticated phishing attack impersonating a ScreenConnect authentication alert. The attackers, affiliated with Qilin ransomware and tracked as STAC4365, used an adversary-in-the-middle technique to bypass multi-factor authentication and gain access to the MSP's ScreenConnect environment. They deployed their own ScreenConnect instance across multiple customer networks, performed reconnaissance, collected and exfiltrated data, and ultimately deployed Qilin ransomware. This attack matches a pattern of similar incidents dating back to 2022, utilizing fake ScreenConnect domains and the evilginx framework to intercept credentials and session cookies. The attackers employed various tools for lateral movement and defense evasion, including PsExec, NetExec, and WinRM.
Created at: 2025-04-01T15:24:41.705000
Updated at: 2025-04-01T17:39:42.954000
The Shelby Strategy
Description: The SHELBY malware family exploits GitHub for command-and-control operations, employing sophisticated techniques to evade detection. The malware consists of a loader (SHELBYLOADER) and a backdoor (SHELBYC2), both obfuscated using Obfuscar. SHELBYLOADER employs various sandbox detection methods and uses GitHub for initial registration and key retrieval. SHELBYC2 communicates with the attacker's infrastructure using GitHub API, allowing for file uploads, downloads, and command execution. The campaign targets Iraqi telecommunications and potentially UAE airports, utilizing highly targeted phishing emails. Despite its sophistication, the malware's design has a critical flaw: anyone with the embedded Personal Access Token can control infected machines, exposing a significant security vulnerability.
Created at: 2025-04-01T14:48:12.579000
Updated at: 2025-04-01T17:35:06.404000
Delivering Trojans Via ClickFix Captcha
Description: A new social engineering technique exploiting ClickFix Captcha has emerged as an effective method for delivering various types of malware, including Quakbot. This technique deceives users and bypasses security measures by utilizing a seemingly harmless captcha. The process involves redirecting users to a ClickFix captcha that tricks them into executing a malicious command on their local machine. The command downloads and executes obfuscated PowerShell scripts, which then retrieve and deploy the actual malware payload. The attackers use sophisticated obfuscation techniques, including fake ZIP files and PHP-based droppers, to evade detection and analysis. This method's success lies in exploiting user trust in captchas and legitimate-looking websites, increasing the likelihood of unknowing malware execution.
Created at: 2025-04-01T14:48:06.639000
Updated at: 2025-04-01T17:22:40.685000
TsarBot Trojan Hits 750+ Banking & Crypto Apps!
Description: A newly discovered Android banking Trojan, TsarBot, targets over 750 applications globally, including banking, finance, cryptocurrency, and e-commerce apps. It spreads through phishing sites masquerading as legitimate financial platforms and is installed via a dropper disguised as Google Play Services. TsarBot employs overlay attacks to steal credentials, records and remotely controls screens, and uses a fake lock screen to capture device lock credentials. It communicates with its C&C server using WebSocket across multiple ports to receive commands, send stolen data, and execute on-device fraud. The malware's capabilities include screen recording, keylogging, and SMS interception. Evidence suggests the threat actor behind TsarBot is likely of Russian origin.
Created at: 2025-04-01T14:48:05.908000
Updated at: 2025-04-01T17:20:18.808000
