InfoSec Articles (09/24/24 – 10/08/24)


Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.

For more articles, check out our #onpatrol4malware blog.

Large scale Google Ads campaign targets utility software

Source: Malwarebytes LABS

Following the creation of advertiser identities belonging to real businesses, the threat actors launch their malicious ads, hiding their infrastructure behind several layers of fingerprinting and cloaking. Read more.

Mind the (air) gap: GoldenJackal gooses government guardrails

Source: welivesecurity

These toolsets provide GoldenJackal a wide set of capabilities for compromising and persisting in targeted networks. Victimized systems are abused to collect interesting information, process the information, exfiltrate files, and distribute files, configurations and commands to other systems. Read more.


Awaken Likho is awake: new techniques of an APT group

Source: SECURE LIST

Analysis of the campaign revealed that the attackers had significantly changed the software they used in their attacks. The attackers now prefer using the agent for the legitimate MeshCentral platform instead of the UltraVNC module, which they had previously used to gain remote access to systems. Read more.

How Malware is Evolving: Sandbox Evasion and Brand Impersonation

Source: VERITI

According to the MITRE ATT&CK framework, malware can check for signs of a sandbox by monitoring system behavior, including checking for user actions like mouse clicks or running time-based checks. Once the malware detects it is inside a sandbox, it can change its behavior, often terminating its execution or connecting to benign domains to avoid raising suspicion. Read more.

perfctl: A Stealthy Malware Targeting Millions of Linux Servers

Source: Aqua

During one of our sandbox tests, the threat actor utilized one of the malware’s backdoors to access the honeypot and started deploying some new utilities to better understand the nature of our server, trying to understand what exactly we are doing to its malware. Read more.

Scam Information and Event Management

Source: SECURE LIST

The attackers distributed the malicious files using websites for downloading popular software (uTorrent, Microsoft Office, Minecraft, etc.) for free. These websites were shown to users in the top search results in Yandex. Malware was also distributed through Telegram channels targeted at crypto investors and in descriptions and comments on YouTube videos about cryptocurrency, cheats and gambling. Read more.

Crypto-Stealing Code Lurking in Python Package Dependencies

Source: Checkmarx

On September 22nd, a new PyPI user orchestrated a wide-ranging attack by uploading multiple packages within a short timeframe. These packages, bearing names like “AtomicDecoderss,” “TrustDecoderss,” “WalletDecoderss,” and “ExodusDecodes,” masqueraded as legitimate tools for decoding and managing data from an array of popular cryptocurrency wallets. Read more.

Stonefly: Extortion Attacks Continue Against U.S. Targets

Source: Symantec

In several of the attacks, Stonefly’s custom malware Backdoor.Preft (aka Dtrack, Valefor) was deployed. This tool is exclusively associated with the group. In addition to this, several Stonefly indicators of compromise recently documented by Microsoft were found on the compromised networks. Read more.

Pig Butchering Alert: Fraudulent Trading App targeted iOS and Android users

Source: Group-IB

Pig Butchering is a term used to describe a sophisticated and manipulative scam in which cybercriminals lure victims into fraudulent investment schemes, typically involving cryptocurrency or other financial instruments. The name of the scam refers to the practice of fattening a pig before slaughter. Read more.

BBTok Targeting Brazil: Deobfuscating the .NET Loader with dnlib and PowerShell

Source: G Data

In a complex infection chain that starts with an email containing an ISO image, this malware stands out by its way of compiling C# code directly on the infected machine. It also uses a technique known as AppDomain Manager Injection to advance execution. Read more.

Want more articles? Check out the previous edition of Security Signals here.


InfoSec Articles (09/10/24 – 09/24/24)


Tyson Ransomware

Source: EnigmaSoft

The Tyson Ransomware infiltrates systems, encrypts data, and holds files hostage, demanding payment for decryption. Once installed on a device, it immediately starts locking down files and appends a “.tyson” extension to encrypted files. Read more.

Undetected Android Spyware Targeting Individuals In South Korea

Source: CYBLE

The Spyware is capable of exfiltrating sensitive information from an infected device, including SMSs, contact lists, images, and videos. The stolen data, stored openly on the S3 bucket, suggests poor operational security, potentially leading to unintended leaks of sensitive information. Read more.


How Ransomhub Ransomware Uses EDRKillShifter to Disable EDR and Antivirus Protections

Source: TREND MICRO

The RansomHub ransomware’s attack chain includes exploiting the Zerologon vulnerability (CVE-2020-1472). Left unpatched, it can enable threat actors to take control of an entire network without needing authentication. Read more.

The Vanilla Tempest cybercrime gang used INC ransomware for the first time in attacks on the healthcare sector

Source: Security Affairs

Microsoft Threat Intelligence team revealed that a financially motivated threat actor, tracked as Vanilla Tempest (formerly DEV-0832) is using the INC ransomware for the first time to target the U.S. healthcare sector. Read more.

Discovering Splinter: A First Look at a New Post-Exploitation Red Team Tool

Source: UNIT 42

Splinter is developed in Rust, a relatively new programming language that’s recommended for developing memory-safe software. However, it has densely layered runtime code, which accounts for up to 99% of a program’s code. This density makes analysis a real challenge for malware reverse engineers. Read more.

UNC1860 and the Temple of Oats: Iran’s Hidden Hand in Middle Eastern Networks

Source: Google Cloud

A key feature of UNC1860 is its collection of specialized tooling and passive backdoors that Mandiant believes supports several objectives, including its role as a probable initial access provider and its ability to gain persistent access to high-priority networks, such as those in the government and telecommunications space throughout the Middle East. Read more.

Walmart customers scammed via fake shopping lists, threatened with arrest

Source: Malwarebytes LABS

Case in point, a malicious ad campaign is abusing Walmart Lists, a kind of virtual shopping list customers can share with family and friends, by embedding rogue customer service phone numbers with the appearance and branding of the official Walmart site. Read more.

Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC

Source: TREND MICRO

Threat actor Earth Baxia has targeted a government organization in Taiwan – and potentially other countries in the Asia-Pacific (APAC) region – using spear-phishing emails and the GeoServer vulnerability CVE-2024-36401. Read more.

An Offer You Can Refuse: UNC2970 Backdoor Deployment Using Trojanized PDF Reader

Source: Google Cloud

UNC2970 targets victims under the guise of job openings, masquerading as a recruiter for prominent companies. Mandiant has observed UNC2970 copy and tailor job descriptions to fit their respective targets. Read more.

Malware locks browser in kiosk mode to steal Google credentials

Source: BLEEPING COMPUTER

Specifically, the malware “locks” the user’s browser on Google’s login page with no obvious way to close the window, as the malware also blocks the “ESC” and “F11” keyboard keys. The goal is to frustrate the user enough that they enter and save their Google credentials in the browser to “unlock” the computer. Read more.

Want more articles? Check out the previous edition of Security Signals here.


InfoSec Articles (08/27/24 – 09/10/24)


Reputation Hijacking with JamPlus: A Maneuver to Bypass Smart App Control (SAC)

Source: CYBLE

This campaign utilizes a recently demonstrated proof-of-concept (PoC) that repurposes the JamPlus build utility to execute malicious scripts while evading detection. Read more.

Threat Actors Exploit GeoServer Vulnerability CVE-2024-36401

Source: FORTINET

Multiple OGC request parameters allow remote code execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. Read more.


BlindEagle Targets Colombian Insurance Sector with BlotchyQuasar

Source: Zscaler

BlindEagle has leveraged a version of BlotchyQuasar for attacks, which is heavily protected by several nested obfuscation layers. Read more.

Hacker trap: Fake OnlyFans tool backstabs cybercriminals, steals passwords

Source: BLEEPING COMPUTER

Hackers are targeting other hackers with a fake OnlyFans tool that claims to help steal accounts but instead infects threat actors with the Lumma stealer information-stealing malware. Read more.

Banking Trojans: Mekotio Looks to Expand Targets, BBTok Abuses Utility Command

Source: TREND MICRO

Notorious Mekotio and BBTok are having a resurgence targeting Latin American users. Mekotio’s latest variant suggests the gang behind it is broadening their target, while BBTok is seen abusing MSBuild.exe to evade detection. Read more.

Mallox ransomware: in-depth analysis and evolution

Source: SECURE LIST

In the first half of 2024, the malware was still being actively developed, with new versions being released several times a month, while the Mallox RaaS affiliate program advertised on dark web forums was seeking new partners. Read more.

Revival Hijack – PyPI hijack technique exploited in the wild, puts 22K packages at risk

Source: JFrog

This attack technique involves hijacking PyPI software packages by manipulating the option to re-register them once they’re removed from PyPI’s index by the original owner; a technique we’ve dubbed “Revival Hijack”. Read more.

Hacker Leaks Data of 390 Million Users from VK, a Russian Social Network

Source: HACK READ

A hacker using the alias “HikkI-Chan” has leaked the personal details of over 390 million VK users (specifically, 390,425,719) on the notorious cybercrime and hacker platform Breach Forums. Read more.

In plain sight: Malicious ads hiding in search results

Source: We Live Security

Malvertising campaigns typically involve threat actors buying top ad space from search engines to lure potential victims into clicking on their malicious ads; attackers have delivered ads imitating popular software such as Blender, Audacity, GIMP, and MSI Afterburner, to name a few. Read more.

North Korean threat actor Citrine Sleet exploiting Chromium zero-day

Source: Microsoft

Citrine Sleet most commonly infects targets with the unique trojan malware it developed, AppleJeus, which collects information necessary to seize control of the targets’ cryptocurrency assets. Read more.

Want more articles? Check out the previous edition of Security Signals. To dive deeper into Reputation Jacking, visit the Malware Patrol blog post Reputation Jacking: Unknown Threats on Well-Known Sites.


InfoSec Articles (08/13/24 – 08/27/24)


Researchers Identify Over 20 Supply Chain Vulnerabilities in MLOps Platforms

Source: The Hacker News

These vulnerabilities, which are described as inherent- and implementation-based flaws, could have severe consequences, ranging from arbitrary code execution to loading malicious datasets. Read more.

Newly Discovered Group Offers CAPTCHA-Solving Services to Cybercriminals

Source: Infosecurity Magazine

ACTIR described Greasy Opal’s CAPTCHA-bypassing tool as an easy, fast, and flexible tool for the automatic recognition of a wide array of CAPTCHAs. Greasy Opal’s tool boasts a 10-time faster efficiency than typical CAPTCHA-solving solutions, such as AntiGate (Anti-Captcha), RuCaptcha or DeCaptcher. Read more.


PEAKLIGHT: Decoding the Stealthy Memory-Only Malware

Source: Google Mandiant

Mandiant identified a new memory-only dropper using a complex, multi-stage infection process. This memory-only dropper decrypts and executes a PowerShell-based downloader. This PowerShell-based downloader is being tracked as PEAKLIGHT. Read more.

China-Nexus Threat Group ‘Velvet Ant’ Leverages a Zero-Day to Deploy Malware on Cisco Nexus Switches

Source: Sygnia

The modus operandi of ‘Velvet Ant’ highlights risks and questions regarding third-party appliances and applications that organizations onboard. Due to the ‘black box’ nature of many appliances, each piece of hardware or software has the potential to turn into the attack surface that an adversary is able to exploit. Read more.

PG_MEM: A Malware Hidden in the Postgres Processes

Source: Aqua

Aqua Nautilus researchers have uncovered PG_MEM, a new PostgreSQL malware, that brute forces its way into PostgreSQL databases, delivers payloads to hide its operations, and mines cryptocurrency. Read more.

Qilin ransomware caught stealing credentials stored in Google Chrome

Source: Sophos

During a recent investigation of a Qilin ransomware breach, the Sophos X-Ops team identified attacker activity leading to en masse theft of credentials stored in Google Chrome browsers on a subset of the network’s endpoints – a credential-harvesting technique with potential implications far beyond the original victim’s organization. Read more.

MSC file distribution exploiting Amazon services

Source: ASEC

Recently, ASEC (AhnLab SECURITY INTELLIGENCE CENTER) confirmed that malicious MSC files exploiting Amazon services are being distributed. The MSC extension is characterized by its XML file format structure and is executed by MMC (Microsoft Management Console). Read more.

MoonPeak malware from North Korean actors unveils new details on attacker infrastructure

Source: Cisco Talos

This campaign consists of distributing a variant of the open-source XenoRAT malware we’re calling “MoonPeak,” a remote access trojan (RAT) being actively developed by the threat actor. Analysis of XenoRAT against MoonPeak malware samples we’ve discovered so far illustrates the evolution of the malware family after it was forked by the threat actors. Read more.

Ailurophile: New Infostealer sighted in the wild

Source: G Data

We discovered a new stealer in the wild called “Ailurophile Stealer”. The stealer is coded in PHP and the source code indicates potential Vietnamese origins. It is available for purchase through a subscription model via its own webpage. Through the website’s web panel, its customers are provided the ability to customize and generate malware stubs. Read more.

Best Laid Plans: TA453 Targets Religious Figure with Fake Podcast Invite Delivering New BlackSmith Malware Toolset

Source: Cisco Talos

The lure purported to invite the target to be a guest on a podcast hosted by ISW. After receiving a response from the target (outside of Proofpoint visibility), TA453 replied with a DocSend URL. The DocSend URL was password protected and led to a text file that contained a URL to the legitimate ISW Podcast being impersonated by TA453. Read more.

Want more articles? Check out the previous edition of Security Signals.


InfoSec Articles (07/30/24 – 08/13/24)


Bucket Monopoly: Breaching AWS Accounts Through Shadow Resources

Source: Aqua

These vulnerabilities could have impacted any organization in the world that has ever used any of these services. In this blog, we thoroughly explain the “Shadow Resource” attack vector, which may lead to resource squatting, and the “Bucket Monopoly” technique that dramatically increases the success rate of an attacker. Read more.

Vulnerability in Windows Driver Leads to System Crashes

Source: Infosecurity Magazine

This issue, identified by Fortra cybersecurity researcher, Ricardo Narvaja, highlights a flaw that could allow an unprivileged user to cause a system crash, resulting in Blue Screen of Death (BSOD). Read more.


A Dive into Earth Baku’s Latest Campaign

Source: Trend Micro

The group uses public-facing applications such as IIS servers as entry points, deploying advanced malware toolsets such as the Godzilla webshell, StealthVector, StealthReacher, and SneakCross. Read more.

Unmasking the Overlap Between Golddigger and Gigabud Android Malware

Source: Cyble

Gigabud is now using sophisticated phishing tactics, distributing its malware by disguising it as legitimate airline applications. These fake apps are being circulated through phishing sites that closely mimic the official Google Play Store, aiming to deceive unsuspecting users. Read more.

The i-Soon-Leaks: Industrialization of Cyber Espionage

Source: BfV

The internal documents show the extent of cooperation between the Chinese cybersecurity company i-Soon and the Chinese government and intelligence services. In four consecutive reports BfV examines the leak in detail and describes the level of industrialization of cyber espionage activities by privately organized companies, who carry out cyber-attacks for state entities. Read more.

Double Trouble: Latrodectus and ACR Stealer observed spreading via Google Authenticator Phishing Site

Source: Cyble

The phishing site’s primary goal is to deceive users into downloading a file that purports to be Google Authenticator. In reality, this file is a malicious application designed to install additional malicious software on the victim’s system. The malicious file drops two distinct types of malware: Latrodectus and ACR Stealer. Read more.

Botnet 7777: Are You Betting on a Compromised Router?

Source: Team Cymru

Identification of a potential expansion of the Quad7 threat operator’s modus operandi to include a second tranche of bots, characterized by an open port 63256. The port 63256 botnet appears to be comprised mainly of infected Asus routers. Read more.

Thousands of Devices Wiped Remotely Following Mobile Guardian Hack

Source: Security Week

According to the company, which specializes in MDM solutions for the education sector, it detected unauthorized access to its platform on August 4. In response to the intrusion, servers were shut down to contain the incident and prevent further disruption. The incident involved unauthorized access to iOS and Chrome OS devices enrolled in the Mobile Guardian platform. Read more.

Google warns of an actively exploited Android kernel flaw

Source: Security Affairs

Google fixed a high-severity flaw, tracked as CVE-2024-36971, impacting the Android kernel. The IT giant is aware that the vulnerability has been actively exploited in the wild. The company did not share details of the attacks exploiting this vulnerability. The vulnerability is a remote code execution impacting the kernel. Read more.

APT41 likely compromised Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike

Source: Cisco Talos

The activity conducted on the victim endpoint matches the hacking group APT41, alleged by the U.S. government to be comprised of Chinese nationals. Talos assesses with medium confidence that the combined usage of malware, open-source tools and projects, procedures and post-compromise activity matches this group’s usual methods of operation. Read more.

Want more articles? Check out the previous edition of Security Signals.


InfoSec Articles (07/16/24 – 07/30/24)


Ransomware operators exploit ESXi hypervisor vulnerability for mass encryption

Source: Microsoft

The vulnerability, identified as CVE-2024-37085, involves a domain group whose members are granted full administrative access to the ESXi hypervisor by default without proper validation. Read more.

“EchoSpoofing” — A Massive Phishing Campaign Exploiting Proofpoint’s Email Protection to Dispatch Millions of Perfectly Spoofed Emails

Source: Guardio

Dubbed “EchoSpoofing”, this issue allowed threat actors to dispatch millions of perfectly spoofed phishing emails, leveraging Proofpoint’s customer base of well-known companies and brands such as Disney, IBM, Nike, Best Buy, and Coca-Cola. Read more.


Malicious Python Package Targets macOS Developers To Access Their GCP Accounts

Source: Checkmarx

A package called “lr-utils-lib” was uploaded to PyPi in early June 2024, containing malicious code that executes automatically upon installation. The malware uses a list of predefined hashes to target specific macOS machines and attempts to harvest Google Cloud authentication data. The harvested credentials are sent to a remote server. Read more.

WhatsApp for Windows lets Python, PHP scripts execute with no warning

Source: BLEEPING COMPUTER

A security issue in the latest version of WhatsApp for Windows allows sending Python and PHP attachments that are executed without any warning when the recipient opens them. For the attack to be successful, Python needs to be installed, a prerequisite that may limit the targets to software developers, researchers, and power users. Read more.

5 ways threat actors are taking advantage of the CrowdStrike outage

Source: SC Media

The CrowdStrike outage incident exposed both widespread security shortcomings across organizations and the ruthless, opportunistic nature of cybercriminals in the wake of a worldwide disaster. Read more.

Six-day, 14.7 Million RPS Web DDoS Attack Campaign Attributed to SN_BLACKMETA

Source: Radware

This year has been marked by a record-breaking six-day attack campaign consisting of multiple four to 20-hour Web DDoS waves, amounting to a total of 100 hours of attack time and sustaining an average of 4.5 million RPS with a peak of 14.7 million RPS. Read more.

APT45: North Korea’s Digital Military Machine

Source: Google Cloud

APT45 has gradually expanded into financially-motivated operations, and the group’s suspected development and deployment of ransomware sets it apart from other North Korean operators. Read more.

Stargazers Ghost Network

Source: Check Point Research

Check Point Research identified a network of GitHub accounts (Stargazers Ghost Network) that distribute malware or malicious links via phishing repositories. The network consists of multiple accounts that distribute malicious links and malware and perform other actions such as starring, forking, and subscribing to malicious repositories to make them appear legitimate. Read more.

Daggerfly: Espionage Group Makes Major Update to Toolset

Source: Symantec

Among the new additions to Daggerfly’s arsenal are a new malware family based on the group’s MgBot modular malware framework and a new version of the Macma macOS backdoor. Read more.

Novel ICS Malware Sabotaged Water-Heating Services in Ukraine

Source: DARK READING

The malware, dubbed FrostyGoop by researchers at Dragos who discovered it, is the first known malware that lets threat actors interact directly with operational technology (OT) systems via Modbus, a widely used communication protocol in ICS environments. Read more.

Want more articles? Check out the previous edition of Security Signals.


InfoSec Articles (07/02/24 – 07/16/24)


AT&T Data Breach: ‘Nearly All’ Wireless Customers Exposed in Massive Hack

Source: SECURITY WEEK

AT&T on Friday said almost all its wireless subscribers were exposed in a massive hack that occurred between April 14 and April 25, 2024, where a hacker exfiltrated files containing “records of customer call and text interactions” between approximately May 1 and October 31, 2022, as well as on January 2, 2023. Read more.

Disney’s Internal Slack Breached? NullBulge Leaks 1.1 TiB of Data

Source: HACK READ

A self-proclaimed hacktivist group named NullBulge, aiming to “protect artists’ rights and ensure fair compensation for their work,” claims to have breached Disney and leaked 1.1 TiB (1.2 TB) of the company’s internal Slack infrastructure. These claims were posted on the notorious cybercrime and hacker platform Breach Forums on July 12, 2024. Read more.


Malware that is ‘not ransomware’ wormed its way through Fujitsu Japan’s systems

Source: The Register

Fujitsu’s description of the unnamed malware made it sound as though it was wormable. After infecting the first machine, it later spread to 48 other business computers, all localized to its internal Japan network. Read more.

Microsoft Employees Data Leaked Online Via Third-Party Data Breach | Exclusive!

Source: Cyber Press

The Cyber Press Research Team uncovered a data leak file that exposed the personal and professional information of 2,073 Microsoft employees obtained from Microsoft’s third-party vendor data breach. A threat actor named @888, which is actively leaking data in underground forums, leaked the Microsoft employees’ data today and claimed it was a third-party breach. Read more.

Ransomware attack on blood-testing service puts lives in danger in South Africa

Source: Bitdefender

On June 22, the BlackSuit ransomware group hit NHLS, leaving it unable to process millions of blood tests. This means serious conditions have been left undiagnosed and lives endangered. This included details of tests that screened for diseases like tuberculosis and HIV/AIDS, as well as the mpox (also known as monkeypox) outbreak that is currently impacting parts of Africa. Read more.

People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action

Source: CISA

Notably, APT40 possesses the capability to rapidly transform and adapt exploit proof-of-concept(s) (POCs) of new vulnerabilities and immediately utilize them against target networks possessing the infrastructure of the associated vulnerability. Read more.

Decrypted: DoNex Ransomware and its Predecessors

Source: DECODED avast.io

The DoNex ransomware has been rebranded several times. The first brand, called Muse, appeared in April 2022. Multiple evolutions followed, resulting in the final version of the ransomware, called DoNex. Read more.

Coyote Banking Trojan Targets LATAM with a Focus on Brazilian Financial Institutions

Source: BlackBerry

Coyote is a .NET banking Trojan that has been observed targeting Brazilian financial institutions, primarily banks. It has an execution chain that clearly distinguishes it from other banking Trojans. First identified by researchers in February 2024, Coyote got its name due to the fact it abuses Squirrel, a valid non-malicious software to manage the installation and update of Windows applications. Read more.

Exploring Compiled V8 JavaScript Usage in Malware

Source: CHECK POINT RESEARCH

In recent months, CPR has been investigating the usage of compiled V8 JavaScript by malware authors. Compiled V8 JavaScript is a lesser-known feature in V8, Google’s JavaScript engine, that enables the compilation of JavaScript into low-level bytecode. This technique assists attackers in evading static detections and hiding their original source code, rendering it almost impossible to analyze statically. Read more.

Distribution of AsyncRAT Disguised as Ebook

Source: ASEC

The compressed file disguised as an ebook contains a malicious LNK file disguised with a compressed file icon, a text file containing a malicious PowerShell script, additional compressed files disguised with a video file extension, and a normal ebook file. The LNK file contains malicious commands and reads the RM.TXT file containing the PowerShell script to execute it. Read more.

Want more articles? Check out the previous edition of Security Signals.


InfoSec Articles (06/18/24 – 07/02/24)


Microsoft Alerts More Users in Update to Midnight Blizzard Hack

Source: GBHackers

Microsoft has issued a new alert to its users, updating them on the continued threat posed by Midnight Blizzard, a Russian state-sponsored hacking group also known as NOBELIUM. Read more.

Remote access giant TeamViewer says Russian spies hacked its corporate network

Source: TechCrunch

In a statement Friday, the company attributed the compromise to government-backed hackers working for Russian intelligence, known as APT29 (and Midnight Blizzard). Read more.

New InnoSetup Malware Created Upon Each Download Attempt

Source: ASEC

Unlike past malware which performed malicious behaviors immediately upon being executed, this malware displays an installer UI and malicious behaviors are executed upon clicking buttons during the installation process. Read more.

Polyfill Supply Chain Attack Hits Over 100k Websites

Source: SECURITY WEEK

On Tuesday, security researchers at Sansec and C/side confirmed that the cdn.polyfill.io domain is injecting malicious code into more than 100,000 websites that are using it. Read more.

Medusa Reborn: A New Compact Variant Discovered

Source: Cleafy

Analysing the evolution of Medusa samples over the past few months, it is clear that TAs aim to enhance the efficiency of the available features while simultaneously strengthening the botnet by refactoring the permissions required during the installation phase. Read more.

UAC-0184 Abuses Python in DLL Sideloading for XWORM Distribution

Source: CYBLE

CRIL recently observed a malware campaign targeting Ukraine using the Remote Access Trojan (RAT) known as XWorm. Upon investigation, it was found that this campaign is associated with the Threat Actor (TA) group UAC-0184. Read more.

New security loophole allows spying on internet users visiting websites and watching videos

Source: Tech Xplore

No malicious code is required to exploit this vulnerability, known as “SnailLoad,” and the data traffic does not need to be intercepted. All types of end devices and internet connections are affected. Read more.

Cyber attack compromised Indonesia data centre, ransom sought

Source: Reuters

A cyber attacker compromised Indonesia’s national data centre, disrupting immigration checks at airports, and asked for an $8 million ransom, the country’s communications minister told Reuters on Monday. Read more.

CDK Global outage caused by BlackSuit ransomware attack

Source: BLEEPING COMPUTER

The negotiations come after the BlackSuit ransomware attack forced CDK to shut down its IT systems and data centers to prevent the attack’s spread, including its car dealership platform. The company tried restoring services on Wednesday but suffered a second cybersecurity incident, causing it to shut down all IT systems again. Read more.

Fickle Stealer Distributed via Multiple Attack Chain

Source: FORTINET

In May 2024, FortiGuard Labs observed a Rust-based stealer. In addition to its intricate code, the stealer is distributed using a variety of strategies and has a flexible way of choosing its target. Because of this ambiguity, we decided to call it Fickle Stealer. Read more.

InfoSec Articles (06/04/24 – 06/18/24)

Alleged Boss of ‘Scattered Spider’ Hacking Group Arrested

Source: Krebs on Security

A 22-year-old man from the United Kingdom arrested this week in Spain is allegedly the ringleader of Scattered Spider, a cybercrime group suspected of hacking into Twilio, LastPass, DoorDash, Mailchimp, and nearly 130 other organizations over the past two years. Read more.

New ARM ‘TIKTAG’ attack impacts Google Chrome, Linux systems

Source: BLEEPING COMPUTER

A new speculative execution attack named “TIKTAG” targets ARM’s Memory Tagging Extension (MTE) to leak data with over a 95% chance of success, allowing hackers to bypass the security feature. Read more.

Dipping into Danger: The WARMCOOKIE backdoor

Source: Elastic Security Labs

WARMCOOKIE appears to be an initial backdoor tool used to scout out victim networks and deploy additional payloads. Each sample is compiled with a hard-coded C2 IP address and RC4 key. Read more.

Operation Celestial Force employs mobile and desktop malware to target Indian entities

Source: CISCO TALOS

Cisco Talos is disclosing a new malware campaign called “Operation Celestial Force” running since at least 2018. It is still active today, employing the use of GravityRAT, an Android-based malware, along with a Windows-based malware loader we track as “HeavyLift.” Read more.

Ransomware Attackers May Have Used Privilege Escalation Vulnerability as Zero-day

Source: Symantec

The Cardinal cybercrime group (aka Storm-1811, UNC4393), which operates the Black Basta ransomware, may have been exploiting a recently patched Windows privilege escalation vulnerability as a zero-day. Read more.

QR code SQL injection and other vulnerabilities in a popular biometric terminal

Source: SECURELIST

Biometric terminals are quite an intriguing target for a pentester. Vulnerabilities in these devices, positioned at the nexus of the physical and network perimeters, pose risks that can be considered when analyzing the security of both these perimeters. Read more.

SSLoad Malware Employs MSI Installer To Kick-Start Delivery Chain

Source: GBHackers

Malware distributors use MSI installers as Windows OS already trusts them to run with administrative rights by bypassing security controls. For this reason, MSI files are a convenient means of spreading ransomware, spyware, and other malware that can be passed off as genuine software installations. Read more.

Vietnamese Entities Targeted by China-Linked Mustang Panda in Cyber Espionage

Source: CYBLE

Cyble Research and Intelligence Labs (CRIL) recently came across a campaign employing Windows shortcut (LNK) files associated with the Mustang Panda APT group. Read more.

New Agent Tesla Campaign Targeting Spanish-Speaking People

Source: FORTINET

In-depth research on this campaign shows that it also leverages multiple techniques to deliver the Agent Tesla core module, such as using known MS Office vulnerabilities, JavaScript code, PowerShell code, fileless modules, and more, to protect itself from being analyzed by security researchers. Read more.

Hundreds of Websites Targeted by Fake Google Chrome Update Pop-Ups

Source: SUCURI Blog

The infection process for this new fake browser update campaign begins with the injection of malicious code into vulnerable websites. Once the website is compromised, visitors are presented with the following misleading popup message a few seconds after the webpage loads. Read more.

InfoSec Articles (05/21/24 – 06/04/24)

FlyingYeti Targets Ukraine Using WinRAR Exploit to Deliver COOKBOX Malware

Source: Security Affairs

The FlyingYeti campaign exploited this anxiety by using debt-themed lures to trick targets into opening malicious links embedded in the messages. Upon opening the files, the PowerShell malware COOKBOX infects the target system, allowing the attackers to deploy additional payloads and gain control over the victim’s system. Read more.

DDoS-as-a-Service: The Rebirth Botnet

Source: Sysdig

Upon investigation, we discovered that the domain pertains to a mature and increasingly popular DDoS-as-a-Service botnet. The service is based on the Mirai malware family, and the operators advertise its services through Telegram and an online store (rebirthltd.mysellix[.]io). Read more.

CISA Alerts Federal Agencies to Patch Actively Exploited Linux Kernel Flaw

Source: The Hacker News

Tracked as CVE-2024-1086 (CVSS score: 7.8), the high-severity issue relates to a use-after-free bug in the netfilter component that permits a local attacker to elevate privileges from a regular user to root and possibly execute arbitrary code. Read more.

LilacSquid: The stealthy trilogy of PurpleInk, InkBox and InkLoader

Source: CISCO TALOS

This campaign leverages vulnerabilities in public-facing application servers and compromised remote desktop protocol (RDP) credentials to orchestrate the deployment of a variety of open-source tools, such as MeshAgent and SSF, alongside customized malware, such as “PurpleInk,” and two malware loaders we are calling “InkBox” and “InkLoader.” Read more.

PyPI crypto-stealer targets Windows users, revives malware campaign

Source: Sonatype

Sonatype has discovered ‘pytoileur’, a malicious PyPI package hiding code that downloads and installs trojanized Windows binaries capable of surveillance, achieving persistence, and crypto-theft. Our discovery of the malware led us to probe into similar packages that are part of a wider, months-long “Cool package” campaign. Read more.

Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks

Source: Microsoft Security

Moonstone Sleet is observed to set up fake companies and job opportunities to engage with potential targets, employ trojanized versions of legitimate tools, create a fully functional malicious game, and deliver a new custom ransomware. Read more.

2.8 Million Impacted by Data Breach at Prescription Services Firm Sav-Rx

Source: SECURITY WEEK

The compromised information includes names, addresses, dates of birth, email addresses, phone numbers, Social Security numbers, eligibility data, and insurance identification numbers. No clinical or financial information was compromised in the attack. Read more.

Static Unpacking for the Widespread NSIS-based Malicious Packer Family

Source: CHECK POINT RESEARCH

The advantage for cybercriminals in using NSIS is that it allows them to create samples that, at first glance, are indistinguishable from legitimate installers. As NSIS performs compression on its own, malware developers do not need to implement compression and decompression algorithms. Read more.

Hackers Exploiting Arc Browser Popularity with Malicious Google Search Ads

Source: Cyber Security News

A search for “arc installer” or “arc browser windows” resulted in the following two ads being shown. Using Google’s Ad Transparency Center, I connected them to the following advertiser from Ukraine. Read more.

Beware of HTML Masquerading as PDF Viewer Login Pages

Source: Forcepoint

One such method that has gained prominence involves phishing emails that masquerade as PDF viewer login pages. These deceptive emails lure unsuspecting users into entering their email addresses and passwords, compromising their online security. Read more.

InfoSec Articles (05/07/24 – 05/21/24)

AWS Route 53 DNS Resolver Firewall

Source: Malware Patrol

Amazon Route 53 is a Domain Name System (DNS) service that connects user requests to Internet applications running on AWS or on-premises. Among the features this service offers is protection via the Route 53 Resolver DNS Firewall. It allows the use of AWS Managed Domain Lists, as well as custom Domain Lists (outside sources or your own). Read more.

Grandoreiro banking trojan unleashed: X-Force observing emerging global campaigns

Source: Security Intelligence

Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails. Read more.

New Threat Insights Reveal That Cybercriminals Increasingly Target the Pharmacy Sector

Source: Proofpoint

At a taxonomy department level, “pharmacy” job roles advanced from the number 35 rank in the per-user attack index average in 2023 to the top spot in the per-user attack index average in Q1 2024. VIP job roles rank second, while finance services roles rank fourth. Read more.

New Antidot Android Banking Trojan Masquerading as Fake Google Play Updates

Source: CYBLE

Antidot incorporates a range of malicious features, including overlay attacks and keylogging, allowing it to compromise devices and harvest sensitive information. Read more.

Payload Trends in Malicious OneNote Samples

Source: UNIT42

Our analysis of roughly 6,000 malicious OneNote samples from WildFire reveals that these samples have a phishing-like theme where attackers use one or more images to lure people into clicking or interacting with OneNote files. The interaction then executes an embedded malicious payload. Read more.

Threat actors misusing Quick Assist in social engineering attacks leading to ransomware

Source: Microsoft Security

The observed activity begins with impersonation through voice phishing (vishing), followed by delivery of malicious tools, including remote monitoring and management (RMM) tools like ScreenConnect and NetSupport Manager, malware like Qakbot, Cobalt Strike, and ultimately Black Basta ransomware. Read more.

FBI seize BreachForums hacking forum used to leak stolen data

Source: BLEEPING COMPUTER

The website is now displaying a message stating that the FBI has taken control over it and the backend data, indicating that law enforcement seized both the site’s servers and domains. Read more.

Foxit PDF “Flawed Design” Exploitation

Source: CHECK POINT

Check Point Research has identified an unusual pattern of behavior involving PDF exploitation, mainly targeting users of Foxit Reader. This exploit triggers security warnings that could deceive unsuspecting users into executing harmful commands. Check Point Research has observed variants of this exploit being actively utilized in the wild. Read more.

Hackers Use DNS Tunneling to Scan and Track Victims

Source: Infosecurity Magazine

“In this application of DNS tunneling, an attacker’s malware embeds information on a specific user and that user’s actions into a unique subdomain of a DNS query. This subdomain is the tunneling payload, and the DNS query for the fully qualified domain name (FQDN) uses an attacker-controlled domain,” the blog explained. Read more.

Ebury is alive but unseen: 400k Linux servers compromised for cryptocurrency theft and financial gain

Source: welivesecurity

Among the victims are many hosting providers. The gang leverages its access to the hosting provider’s infrastructure to install Ebury on all the servers that are being rented by that provider. As an experiment, we rented a virtual server from one of the compromised hosting providers: Ebury was installed on our server within seven days. Read more.

InfoSec Articles (04/23/24 – 05/07/24)

Tunnel Vision: Looking Out for Malicious Tunneling Use

Source: Malware Patrol

Offering a cloak of anonymity and encrypted pathways, these services have emerged as an option that allows attackers to obfuscate their activities and bypass conventional security measures. In this blog, we will explain how they work, explore the types of cyber threats they enable, and provide some mitigation strategies to fortify your defenses against them. Read more.

Dirty Stream Attack Poses Billions of Android Installs at Risk

Source: Security Affairs

The IT giant describes Dirty Stream as an attack pattern, linked to path traversal, that affects various popular Android apps. The technique allows a malicious app to overwrite files in the vulnerable app’s home directory, potentially leading to arbitrary code execution and the theft of tokens. Read more.

Android bug leaks DNS queries even when VPN kill switch is enabled

Source: BLEEPING COMPUTER

A Mullvad VPN user has discovered that Android devices leak DNS queries when switching VPN servers even though the “Always-on VPN” feature was enabled with the “Block connections without VPN” option. Read more.

Hackers Target New NATO Member Sweden with Surge of DDoS Attacks

Source: Infosecurity Magazine

Sweden has faced a wave of distributed denial of service (DDoS) attacks since it started the process of joining NATO, according to network performance management provider Netscout. Read more.

Pakistani APTs Escalate Attacks on Indian Gov.

Source: SEQRITE

India is one of the most targeted countries in the cyber threat landscape where not only Pakistan-linked APT groups like SideCopy and APT36 (Transparent Tribe) have targeted India but also new spear-phishing campaigns such as Operation RusticWeb and FlightNight have emerged. Read more.

New Cuttlefish malware infects routers to monitor traffic for credentials

Source: BLEEPING COMPUTER

Lumen Technologies’ Black Lotus Labs examined the new malware and reports that Cuttlefish creates a proxy or VPN tunnel on the compromised router to exfiltrate data discreetly while bypassing security measures that detect unusual sign-ins. Read more.

Ex-NSA Employee Sentenced to 22 Years for Trying to Sell U.S. Secrets to Russia

Source: The Hacker News

Despite his short tenure at the intelligence agency, Dalke is said to have made contact with a person he thought was a Russian agent sometime between August and September of that year. In reality, the person was an undercover agent working for the Federal Bureau of Investigation (FBI). Read more.

JFrog Security research discovers coordinated attacks on Docker Hub that planted millions of malicious repositories

Source: JFrog

In this blog post, we reveal three large-scale malware campaigns we’ve recently discovered, targeting Docker Hub, that planted millions of “imageless” repositories with malicious metadata. These are repositories that do not contain container images (and as such cannot be run in a Docker engine or Kubernetes cluster) but instead contain metadata that is malicious. Read more.

A Cunning Operator: Muddling Meerkat and China’s Great Firewall

Source: Infoblox

This paper introduces a perplexing actor, Muddling Meerkat, who appears to be a People’s Republic of China (PRC) nation state actor. Muddling Meerkat conducts active operations through DNS by creating large volumes of widely distributed queries that are subsequently propagated through the internet using open DNS resolvers. Read more.

From IcedID to Dagon Locker Ransomware in 29 Days

Source: The DFIR Report

This intrusion started in August 2023 with a phishing campaign that distributed IcedID malware. This phishing operation utilized the Prometheus Traffic Direction System (TDS) to deliver the malware. Victims were directed to a fraudulent website, mimicking an Azure download portal. Read more.

Want more articles? Check out the previous edition of Security Signals. Want to learn more about threat actors? Visit Malware Patrol’s Threat Actor Profile page.