Month: May 2024
Intego discovers new “Cuckoo” Mac malware mimicking Homebrew
A fake Homebrew site, part of an AMOS/Cuckoo Mac malware campaign. Recent headlines have used the malware or campaign name “Cuckoo” to describe [more…]
Springtail aka Kimsuky: New Linux Backdoor Added to Toolkit
The backdoor (Linux.Gomir) appears to be a Linux version of the GoBear backdoor, which was used in a recent Springtail campaign that saw the attackers [more…]
Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID
Command ID and description: 2: Retrieve file listing from desktop directory; 3: Retrieve process ancestry; 4: Collect system information; 12: Download and execute PE; 13: Download [more…]
ITG05 Uses Fake Hamas Execution Video as Bait
In early May 2024, IBM X-Force uncovered a potential ITG05 web page designed to use the Israel-Hamas war as lure material. ITG05 is a multi-cluster [more…]
ViperSoftX Uses Deep Learning-based Tesseract to Exfiltrate Information
In other words, attackers seem to target users who store cryptocurrency wallet address or password information by capturing screenshots and saving them as image files, [more…]
Revealing Spammer Infrastructure With Passive DNS – 226 Toll-Themed Domains Targeting Australia
This simple pivot revealed 50 associated domains, 42 of which were first seen within days of, and all contained toll-related themes primarily targeting Australia. Scrolling [more…]
Exploring the Metamorfo Banking Trojan
Browsing the above URL downloads a PowerShell script, which is again obfuscated; the HTML contains basic obfuscation which, on de-obfuscating, gives the URL which the [more…]
Log4j Exploited by XMRig Cryptominer Malware: Analysis and Mitigation
During routine sandbox hunting analysis, the Uptycs Threat Research team uncovered evidence of an ongoing live campaign exploiting the Log4j vulnerability, which commenced in January [more…]
Payload Trends in Malicious OneNote Samples
In this post, we look at the types of embedded payloads that attackers leverage to abuse Microsoft OneNote files. While larger binary embedded payloads such [more…]
Springtail: New Linux Backdoor Added to Toolkit
The backdoor (Linux.Gomir) appears to be a Linux version of the GoBear backdoor, which was used in a recent Springtail campaign that saw the attackers [more…]