Category: Unit 42

Evaluation of a new variant of Mispadu, a banking Trojan, highlights how infostealers evolve over time and can be hard to pin to past campaigns. The post Exploring the Latest Mispadu Stealer Variant appeared first on Unit 42. This article…

Read more →

A network of over 130k domains was part of a campaign to deliver shareware, PUPs and other scams. We unravel the threads of this campaign from entry point to payload. The post ApateWeb: An Evasive Large-Scale Scareware and PUP Delivery…

Read more →

We analyze the extremely active ransomware group BianLian. Mostly targeting healthcare, they have moved from double-extortion to extortion without encryption. The post Threat Assessment: BianLian appeared first on Unit 42. This article has been indexed from Unit 42 Read the…

Read more →

Traffic detection system Parrot has infected tens of thousands of websites worldwide. We outline the scripting evolution of this injection campaign and its scope. The post Parrot TDS: A Persistent and Evolving Malware Campaign appeared first on Unit 42. This…

Read more →

Ivanti VPNs can be exploited by CVE-2023-46805 (High severity) and CVE-2024-21887 (Critical severity), chained together to run commands without authentication. The post Threat Brief: Ivanti Vulnerabilities CVE-2023-46805 and CVE-2024-21887 (Updated) appeared first on Unit 42. This article has been indexed…

Read more →

Ivanti VPNs can be exploited by CVE-2023-46805 (High severity) and CVE-2024-21887 (Critical severity), chained together to run commands without authentication. The post Threat Brief: Ivanti Vulnerabilities CVE-2023-46805 and CVE-2024-21887 appeared first on Unit 42. This article has been indexed from…

Read more →

Drawing attention to the ways threat actors steal PII for financial fraud, this article focuses on a malicious APK campaign aimed at Chinese users. The post Financial Fraud APK Campaign appeared first on Unit 42. This article has been indexed…

Read more →

Medusa ransomware gang has not only escalated activities but launched a leak site. We also analyze new TTPS encountered in an incident response case. The post Medusa Ransomware Turning Your Files into Stone appeared first on Unit 42. This article…

Read more →

Using extractors written in Python, we detail our system for extracting internal malware configurations from memory dumps. GuLoader and RedLine Stealer are our examples. The post Tackling Anti-Analysis Techniques of GuLoader and RedLine Stealer appeared first on Unit 42. This…

Read more →

From October-December, the activities of DarkGate, Pikabot, IcedID and more were seen and shared with the broader community via social media The post From DarkGate to AsyncRAT: Malware Detected and Shared As Unit 42 Timely Threat Intelligence appeared first on…

Read more →

Two issues in Google Kubernetes Engine (GKE) create a privilege escalation chain. We examine second-stage attacks which exploit the container environment. The post Dual Privilege Escalation Chain: Exploiting Monitoring and Service Mesh Configurations and Privileges in GKE to Gain Unauthorized…

Read more →

Malicious JavaScript is used to steal PPI via survey sites, web chat APIs and more. We detail how JavaScript malware is implemented and evades detection. The post Why Is an Australian Footballer Collecting My Passwords? The Various Ways Malicious JavaScript…

Read more →

Using machine learning to target stockpiled malicious domains, the results of our detection pipeline tool highlight campaigns from phishing to scams. The post Toward Ending the Domain Wars: Early Detection of Malicious Stockpiled Domains appeared first on Unit 42. This…

Read more →

In three campaigns over the past 20 months, Russian APT Fighting Ursa has targeted over 30 organizations of likely strategic intelligence value using CVE-2023-23397. The post Fighting Ursa Aka APT28: Illuminating a Covert Campaign appeared first on Unit 42. This…

Read more →

A new toolset comprised of malware (Agent Raccoon and Ntospy) and a custom version of Mimikatz (Mimilite) was used to target organizations in the U.S., Middle East and Africa. The post New Tool Set Found Used Against Organizations in the…

Read more →

A new toolset comprised of malware (Agent Raccoon and Ntospy) and a custom version of Mimikatz (Mimilite) was used to target organizations in the U.S., Middle East and Africa. The post New Tool Set Found Used Against Middle East, Africa…

Read more →

A security risk discovered in the Google Cloud Platform domain-wide delegation feature allows a user to generate an access token to Google Workspace, granting unauthorized access to data and other key tools. The post Exploring a Critical Risk in Google…

Read more →

Two ongoing campaigns bear hallmarks of North Korean state-sponsored threat actors, posing in job-seeking roles to distribute malware or conduct espionage. The post Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors appeared first…

Read more →

We observed three Stately Taurus campaigns targeting entities South Pacific entities with malware, including the Philippines government. The post Stately Taurus Targets the Philippines As Tensions Flare in the South Pacific appeared first on Unit 42. This article has been…

Read more →

In July 2023, pro-Russian APT Storm-0978 targeted support for Ukrainian NATO admission with an exploit chain. Analysis of it reveals the new CVE-2023-36584. The post In-Depth Analysis of July 2023 Exploit Chain Featuring CVE-2023-36884 and CVE-2023-36584 appeared first on Unit…

Read more →

Clickbait articles are highlighted in this article. A jump in compromised sites exploiting CVE-2023-3169 stresses the danger of web-based threats. The post High Traffic + High Vulnerability = an Attractive Target for Criminals: The Dangers of Viewing Clickbait Sites appeared…

Read more →

Cambodian government entities were targeted by a Chinese APT masquerading as cloud backup services. Our findings include C2 infrastructure and more. The post Chinese APT Targeting Cambodian Government appeared first on Unit 42. This article has been indexed from Unit…

Read more →

A cyberattack series by APT Agonizing Serpens (Agrius) targeting Israeli sectors started in January 2023. We analyze the novel wipers and other tools used. The post Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors appeared first…

Read more →

Threat brief on CVE-2023-4966 (aka Citrix Bleed) affecting multiple Netscaler products covers attack scope, threat hunting queries and interim guidance. The post Threat Brief: Citrix Bleed CVE-2023-4966 appeared first on Unit 42. This article has been indexed from Unit 42…

Read more →

Unit 42 uses machine learning to create detection for a red team tool used by threat actors. The post Conducting Robust Learning for Empire Command and Control Detection appeared first on Unit 42. This article has been indexed from Unit…

Read more →

We examine a variant of the .NET backdoor Kazuar used by Pensive Ursa. This includes previously undocumented features from system profiling to injection modes. The post Over the Kazuar’s Nest: Cracking Down on a Freshly Hatched Backdoor Used by Pensive…

Read more →

We analyze an attack path starting with GitHub IAM exposure and leading to creation of AWS Elastic Compute instances — which TAs used to perform cryptojacking. The post CloudKeys in the Air: Tracking Malicious Operations of Exposed IAM Keys appeared…

Read more →

A breakdown of how Linux pluggable authentication modules (PAM) APIs are leveraged in malware. We include malware families that leverage PAM. The post When PAM Goes Rogue: Malware Uses Authentication Modules for Mischief appeared first on Unit 42. This article…

Read more →