Blogs

CrossLock Ransomware

Summary: A New Strain of Ransomware

In mid-April 2023, intelligence researchers discovered a new strain of ransomware called CrossLock. CrossLock follows the current trend of malware increasingly being written in the Go (Golang) programming language and of ransomware operators using the double-extortion technique. It is capable of performing several actions that reduce the chances of data recovery while simultaneously increasing the attack’s effectiveness.

Domino Malware Gains Traction with Multiple Threat Actors

Summary: What is Domino Malware?

Domino (a.k.a. Minodo) is a new malware family consisting of two components, the Domino Backdoor and the Domino Loader, which were first discovered in use in the fall of 2022.

Threat Research: Typhon Reborn, Again

Summary: What is Typhon?

The creator of Typhon Reborn announced the release of version 2 of the information stealer in early 2023. This is the third iteration of Typhon in less than a year, with version 2 boasting new features, including anti-analysis and anti-virtual machine (VM) capabilities. Like its predecessors, it is available for sale on underground forums on a monthly, yearly, or lifetime subscription.

Read-the-Manual Locker Upgraded for Linux Architecture

RTM Locker Summary

Read-the-Manual (RTM) Locker is a private ransomware-as-a-service (RaaS) provider that is now capable of targeting Linux machines. The locker malware developed to infect Linux was designed to single out VMware Elastic Sky X integrated (ESXi) hosts, preventing the RaaS from being executed on virtual machines running on a compromised host before the encryption process begins.

Lazarus Group Updates Operation Dream Job Campaign

Summary

The North Korean threat actor Lazarus Group was observed shifting its focus and evolving its tools and tactics as part of a long-running campaign, the Operation Dream Job cluster, also tracked under the monikers DeathNote and NukeSped. While the group is known for targeting the cryptocurrency sector, recent attacks have targeted the medical, automotive, academic, energy, and defense sectors in Eastern Europe and other parts of the world.

Threat Research: Legion Hacking Tool

What is the Legion Hacking Tool?

Legion, a new Python-based credential harvester and Simple Mail Transfer Protocol (SMTP) hijacking tool, has been developed to target online email services for phishing and spam campaigns and is being advertised for sale on Telegram. The malware is primarily intended to scan for and parse Laravel application secrets from exposed environment variable (.env) files.

Cybercrime: The World’s 3rd Largest Economy

How Big is the Cybercrime Economy?

According to the World Economic Forum (WEF), cybercrime is now the world’s third-largest economy, behind only the United States and China.

Threat Research: Multiple Chinese Threat Actors Using New Mélofée Malware

Summary

Mélofée, a new malware family, was recently discovered being used by the Chinese state-sponsored hacking groups Winnti (an Advanced Persistent Threat, or APT, group) and Earth Berberoka to target Linux servers. Three different samples of the malware are in circulation. All three versions share a common code base that uses shell commands to download the rootkit and the main implant from an attacker-controlled server.

The Top 10 MDR Capabilities Your Provider Needs (and the Biggest Mistakes to Avoid)

Managed detection and response (MDR) services are gaining popularity as organizations seek more effective ways to identify and respond to security threats. With the increasing frequency and sophistication of cyberattacks, it is crucial to choose the right MDR provider to reduce your risk exposure and protect your critical assets.

The Rise of FusionCore: An Emerging European Cybercrime Group

FusionCore is a group that operates as both a malware developer and a threat actor, offering malware subscriptions as well as hacker-for-hire services. The group specializes in a wide range of malware and uses phishing as its primary attack vector for initial access.

New IcedID Variants Surface in the Wild

The threat actors behind the IcedID (a.k.a. BokBot) banking trojan are making strides to update and improve the malware. Analysis of several recent campaigns shows that new variants are shifting away from the malware’s original banking functionality and instead delivering additional payloads, specifically ransomware. Additionally, the creators removed unnecessary functions, making IcedID stealthier and improving its ability to evade detection.