Tag Archive for: Variants

Trend Micro Dissects Big Head Ransomware Variants Currently Making The Rounds



Earlier this year, reports of a new ransomware family dubbed ‘Big Head’ appeared online in various malware databases. This malware is making the rounds through malvertisement campaigns that pose as Windows updates and Word installers, which is concerning because less savvy users often fall for these lures.

Researchers at Trend Micro began to dig into this malware as it and three variants were discovered, and have published a technical report on the samples. The first sample is a .NET compiled binary that drops three further executables, 1.exe, Archive.exe, and Xarch.exe, each with a different purpose.


1.exe embeds itself on the system, encrypts files with the ‘.poop’ extension, creates the ransom note, and changes the victim’s desktop background. Archive.exe drops another executable, a Telegram tool that establishes a line of communication with the threat actor to execute remote activities. Xarch.exe finally drops BXluSsB.exe, another ransomware that encrypts files and displays a fake Windows update to make the malicious activity seem legitimate.


The second sample has similar activity, but substitutes an extra ransomware binary for an information stealer binary. This malware, identified as the WorldWind stealer, will grab browsing history, directory listings, running processes, product keys, network connections, and screenshots, all of which are likely exfiltrated to the threat actor’s Telegram.


The third and final sample includes Neshta, a virus “designed to infect and insert its malicious code into executable files.” The researchers believe that this is a diversion technique to prevent tools designed to detect ransomware from triggering. It is also noted that with this sample, the ransom note and wallpaper are different from previous samples but contain similar information.


Though there are notable differences between the analyzed samples, the researchers at Trend Micro suspect that all of them come from the same malware developer. Trend bases this on the samples sharing similar routines and structures in their infection process, the same email and Telegram accounts, and similar mistakes in the malware…


Truebot Malware Variants Abound, According to CISA Advisory


An advisory from the Cybersecurity and Infrastructure Security Agency (CISA), several US organizations, and the Canadian Center for Cyber Security (CCCS) warns of Truebot malware variants that are increasingly being utilized by threat actors against various organizations in the US and Canada.

Truebot, also known as Silence.Downloader, is a botnet used by malicious groups such as the Cl0p ransomware gang to gather information from the victims they target. Older variants of Truebot were mainly distributed through phishing emails carrying malicious attachments. Newer versions of the malware allow threat actors to gain initial access by exploiting a remote code execution (RCE) vulnerability in Netwrix Auditor — tracked as CVE-2022-31199.

Cyber-threat actors are also using phishing campaigns with malicious hyperlinks to deliver their Truebot variants. The agencies urge organizations hunting for this kind of malicious activity to apply vendor patches for Netwrix Auditor version 10.5 and to follow the guidance outlined in the joint advisory.

“Any organization identifying indicators of compromise (IOCs) within their environment should urgently apply the incident responses and mitigation measures detailed in this CSA and report the intrusion to CISA or the FBI,” the organizations stated.



CISA Warns Against Latest Truebot Malware Variants – MeriTalk


The Cybersecurity and Infrastructure Security Agency (CISA), along with the Federal Bureau of Investigation (FBI) and the Canadian Centre for Cyber Security (CCCS), released a new Cybersecurity Advisory (CSA) on July 6 warning against Truebot malware variants.

The agencies warned that Truebot malware has recently been utilized to target organizations in the United States and Canada to obtain sensitive data.

“In recent months, open-source reporting has detailed an increase in Truebot malware infections,” particularly from cyber threat actors using new tactics, techniques, and procedures (TTPs), and delivery methods, the agencies said.

“Based on the nature of observed Truebot operations, the primary objective of a Truebot infection is to exfiltrate sensitive data from the compromised host(s) for financial gain,” they said.

Some of the techniques cyber criminals use to deliver Truebot malware to possible victims include phishing and the exploitation of CVE-2022-31199, a remote code execution vulnerability in commonly used software.

“Cyber threat actors have shifted tactics, exploiting, in observable manner, a remote code execution vulnerability in software used for on-premises and cloud-based IT system auditing,” stated the agencies.

“Through exploitation of this CVE, cyber threat actors gain initial access, as well as the ability to move laterally within the compromised network,” they said.

CISA and its partners said that organizations should use phishing-resistant multifactor authentication (MFA) to mitigate any possible use of Truebot malware against them, and should continually test their cybersecurity measures.

“The authoring organizations recommend hunting for the malicious activity using the guidance outlined in this CSA, as well as applying vendor patches,” they said.


Researchers warn of two new variants of potent IcedID malware loader


Security researchers have seen attack campaigns using two new variants of IcedID, a banking Trojan that has been used to deliver ransomware in recent years. The two new variants, one of which appears to be connected to the Emotet botnet, are lighter than the standard one because certain functionality has been stripped out.

“It is likely a cluster of threat actors is using modified variants to pivot the malware away from typical banking Trojan and banking fraud activity to focus on payload delivery, which likely includes prioritizing ransomware delivery,” researchers from Proofpoint said in a new report. “Additionally, based on artifacts observed in the codebase, timing, and association with Emotet infections, Proofpoint researchers suspect the initial developers of Emotet have partnered with IcedID operators to expand their activities including using the new Lite variant of IcedID that has different, unique functionality and likely testing it via existing Emotet infections.”

IcedID is favored by initial access brokers

IcedID first appeared in 2017 and was originally a Trojan designed to steal online banking credentials by injecting rogue content into local browsing sessions — an attack known as a webinject. From 2017 until last year, the Trojan’s codebase remained largely unchanged. However, in recent years some attacker groups started using it more for its ability to serve as a loader for additional malware payloads than for its bank fraud capabilities.

During 2022 and 2023, Proofpoint has seen hundreds of attack campaigns using the IcedID Trojan and has linked them to five distinct threat actors, most of which operate as initial access brokers, meaning they sell access to corporate networks to other cybercriminals, usually ransomware gangs.

A group that Proofpoint tracks as TA578 has been using IcedID since June 2020. Its email-based malware distribution campaigns typically use lures such as “stolen images” or “copyright violations”. The group uses what Proofpoint considers to be the standard variant of IcedID, but has also been seen delivering Bumblebee, another malware loader favored by initial access brokers.

Another group that uses the…
