Martijn Lammerts
My own digital place with a little of everything

Blackgear Cyberespionage Campaign Resurfaces, Abuses Social Media for C&C Communication

17 July 2018

Blackgear (also known as Topgear and Comnie) is a cyberespionage campaign dating back to at least 2008, based on the Protux backdoor used by its operators. It targets organizations in Japan, South Korea, and Taiwan, focusing its attacks on public sector agencies, telecommunications, and other high-technology industries. In 2016, for instance, we found its campaigns attacking Japanese organizations with various malware tools, notably the Elirks backdoor. Blackgear's operators are well organized and develop their own tools, which, based on their latest attacks, we observed to have been recently fine-tuned.


New Andariel Reconnaissance Tactics Hint At Next Targets

16 July 2018

Reconnaissance plays a vital role in criminal operations, and some groups go to great lengths to investigate their targets' systems. A recent example is the Andariel Group, a known branch of the notorious Lazarus Group. Last month, we tracked new scouting techniques coming from Andariel, used mainly against South Korean targets.


VPNFilter-affected Devices Still Riddled with 19 Vulnerabilities

13 July 2018

This blog post looks at the recently notorious VPNFilter malware and whether deployed devices are vulnerable to it. VPNFilter is a newly discovered, multi-stage malware (detected by Trend Micro as ELF_VPNFILT.A, ELF_VPNFILT.B, ELF_VPNFILT.C, and ELF_VPNFILT.D) that affects many models of connected devices. Based on our data from June 1 to July 12, many of these devices are still running old firmware versions. In fact, 19 known vulnerabilities, taken advantage of not only by VPNFilter but by other malware as well, can still be detected in devices to this day.


Malicious Macro Hijacks Desktop Shortcuts to Deliver Backdoor

3 July 2018

by Loseway Lu

Despite being around for decades, malicious macros are still used by cybercriminals to deliver malware, albeit in more creative ways to make them more effective. The threat actors behind a recent case used a macro in a more roundabout way: the macro searches for specific shortcut files on the user's system, which...


Down but Not Out: A Look Into Recent Exploit Kit Activities

2 July 2018

Exploit kits may be down, but they're not out. While they still use the same techniques, involving malvertisements or links embedded in spam and in malicious or compromised websites, their latest activities are making them significant factors in the threat landscape again. This is the case with Rig and GrandSoft, as well as the private exploit kit Magnitude — exploit kits we found roping in relatively recent vulnerabilities to deliver cryptocurrency-mining malware, ransomware, botnet loaders, and banking trojans.


The New Face of Necurs: Noteworthy Changes to Necurs’ Behaviors

28 June 2018

by Anita Hsieh, Rubio Wu, Kawabata Kohei

Six years after it was first spotted in the wild, the Necurs malware botnet is still out to prove that it's a malware chameleon. We recently discovered noteworthy changes to the way Necurs makes use of its bots, such as pushing infostealers to them and showing a special...


Cryptocurrency-Mining Bot Targets Devices With Running SSH Service via Potential Scam Site

26 June 2018

Our honeypot sensors, which are designed to emulate Secure Shell (SSH), Telnet, and File Transfer Protocol (FTP) services, recently detected a mining bot associated with the IP address 192.158.228.46. The address has been seen scanning for both SSH- and IoT-related ports, including 22, 2222, and 502. In this particular attack, however, the IP landed on port 22, the SSH service. The attack could apply to any server or connected device with a running SSH service.
