Archiving and File names - Information Management Today

Internet Archive data breach impacted 31M users

Security Affairs

OCTOBER 11, 2024

The Internet Archive disclosed a data breach, the security incident impacted more than 31 million users of its “The Wayback Machine.” As of September 5, 2024, the Internet Archive held more than 42.1 Internet Archive hacked. Hunt also verified the authenticity of the information included in the stolen archive.

Archiving

Archiving Data breaches Passwords File names

PLAYFULGHOST backdoor supports multiple information stealing features

Security Affairs

JANUARY 5, 2025

In one case analyzed by the researchers, the attack chain begins by tricking the victim into opening a malicious RAR archive disguised as an image file by using a.jpg extension. Upon executing the archive, it drops a malicious Windows executable, which eventually downloads and executesthe PLAYFULGHOST payloadfrom a remote server.

File names

File names Archiving Phishing Encryption

Specially Crafted ZIP archives allow bypassing secure email gateways

Security Affairs

NOVEMBER 7, 2019

Experts observed a new phishing campaign that used a specially crafted ZIP archive that was designed to bypass secure email gateways to distribute malware. Attackers have devised a new technique to distribute malware bypassing secure email gateways and other security solutions by using a specially crafted ZIP file. Pierluigi Paganini.

Archiving

Archiving Security File names Phishing

Webinars

Automation, Evolved: Your New Playbook For Smarter Knowledge Work

MORE WEBINARS

MikroTik botnet relies on DNS misconfiguration to spread malware

Security Affairs

JANUARY 16, 2025

In late November, the experts spotted a malspam campaign impersonating DHL which used emails about freight invoices, attaching zip files named “Invoice###.zip” The zip archive contains an obfuscated JavaScript file, which creates and executes a PowerShell script that connects to the C2 (62.133.60[.]137),

File names

File names Authentication Access Archiving

Threat actors attempted to capitalize CrowdStrike incident

Security Affairs

JULY 20, 2024

The attackers attempted to trick the company’s customers into opening a ZIP archive file named “ crowdstrike-hotfix.zip.” ” The archive includes a loader named Hijack Loader used to execute the Remcos RAT. The ZIP archive contains a HijackLoader payload that, when executed, loads RemCos.

File names

File names Archiving Cybersecurity Communications

Experts warn of a new wave of Bumblebee malware attacks

Security Affairs

OCTOBER 22, 2024

Most Bumblebee infections started by users executing LNK files which use a system binary to load the malware. The malware is distributed through phishing messages using a malicious attachment or a link to the malicious archive containing Bumblebee. “the new Bumblebee payload is delivered via MSI files.

File names

File names Phishing Ransomware Archiving

Nemty ransomware “LOVE_YOU” malspam campaign

Security Affairs

MARCH 2, 2020

All the spam messages used a ZIP archive as attachment with a filename with a specific format ( ‘LOVE_YOU_######_2020. “Attached to each email is a ZIP archive with a name formatted as with only the #s changing,” reads the advisory published by IBM X-Force IRIS. zip’).

Ransomware

Ransomware File names Archiving Encryption

Threat actors attempted to capitalize CrowdStrike incident

Security Affairs

JULY 20, 2024

The attackers attempted to trick the company’s customers into opening a ZIP archive file named “ crowdstrike-hotfix.zip.” ” The archive includes a loader named Hijack Loader used to execute the Remcos RAT. The ZIP archive contains a HijackLoader payload that, when executed, loads RemCos.

File names

File names Archiving Cybersecurity Communications

Crooks bypass a Microsoft Office patch for CVE-2021-40444 to spread Formbook malware

Security Affairs

DECEMBER 23, 2021

In the initial attacks observed by the researchers, the malicious code downloads a Microsoft Cabinet (CAB) archive containing a malicious executable. “In the initial versions of CVE-2021-40444 exploits, malicious Office document retrieved a malware payload packaged into a Microsoft Cabinet (or.CAB) file.

Archiving

Archiving File names Security Ransomware

New SPIKEDWINE APT group is targeting officials in Europe

Security Affairs

FEBRUARY 29, 2024

The PDF included a link to a fake questionnaire that redirects users to a mailcious ZIP archive hosted on a compromised site. The ZIP archive contains an HTA file named wine.hta that contains obfuscated JavaScript code. The JavaScript code retrieves an encoded ZIP archive containing WINELOADER from the same domain.

Archiving

Archiving File names IT Information Security

Qakbot operations continue to evolve to avoid detection

Security Affairs

JULY 13, 2022

“Most recently, threat actors have transformed their techniques to evade detection by using ZIP file extensions, enticing file names with common formats, and Excel (XLM) 4.0 ThreatLabz reported that the attackers are using various different file names to disguise attachments designed to deliver Qakbot.

File names

File names Archiving Compliance IT

Monero Cryptocurrency campaign exploits ProxyLogon flaws

Security Affairs

APRIL 18, 2021

“The attack begins with a PowerShell command to retrieve a file named win_r.zip from another compromised server’s Outlook Web Access logon path (/owa/auth).” ” The attack used a PowerShell command to retrieve a file named win_r.zip from another compromised server’s Outlook Web Access logon path (/owa/auth). .

File names

File names Archiving Passwords Communications

Russia-linked Armageddon APT targets Ukrainian state organizations, CERT-UA warns

Security Affairs

APRIL 5, 2022

The messages use the HTML-file “War criminals of the Russian Federation.htm” as attachment. Upon opening the file, a RAR-archive named “Viyskovi_zlochinci_RU.rar” is created. .

Military

Military Phishing File names Archiving

PLAYFULGHOST backdoor supports multiple information stealing features

Security Affairs

JANUARY 5, 2025

In one case analyzed by the researchers, the attack chain begins by tricking the victim into opening a malicious RAR archive disguised as an image file by using a.jpg extension. Upon executing the archive, it drops a malicious Windows executable, which eventually downloads and executesthe PLAYFULGHOST payloadfrom a remote server.

File names

File names Archiving Phishing Encryption

BlackWater, a malware that uses Cloudflare Workers for C2 Communication

Security Affairs

MARCH 15, 2020

Researchers from MalwareHunterTeam discovered a suspicious RAR file named “COVID-19-” that was being distributed online, likely through phishing emails. "Important The RAR archive contains a file named “Important – COVID-19” that displays a Word icon.

Communications

Communications File names Archiving Phishing

A crafty phishing campaign targets Microsoft OneDrive users

Security Affairs

JULY 30, 2024

When this.html file is opened, it displays an image designed to create a sense of urgency about accessing the document, thereby increasing the likelihood that the user will follow the provided instructions.” “The command, as illustrated above, first runs ipconfig /flushdns, then creates a folder on the C: drive named “downloads.”

Phishing

Phishing File names Archiving Access

Introducing the PhishingKitTracker

Security Affairs

JULY 17, 2020

In stats folder are maintained two up-to-date files: files_name it holds the frequency of the found file-names associate with kits. In other words every phishing kit is saved on the phishing host with a name. filke_name keeps track about every file names and its frequency.

Phishing

Phishing File names Archiving IT

New ransomware group Hive leaks Altus group sample files

Security Affairs

JUNE 26, 2021

The provided sample of exfiltrated files includes business data and documents, as well as Argus certificates and development files. The sample archive is password protected – but the file names and types are clearly visible. Altus Group has been informed about the new development.

Ransomware

Ransomware File names Archiving Encryption

Recently patched Windows flaw CVE-2024-43461 was actively exploited as a zero-day before July 2024

Security Affairs

SEPTEMBER 16, 2024

User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.” “The specific flaw exists within the way Internet Explorer prompts the user after a file is downloaded. ” reads the advisory published by ZDI.

Archiving

Archiving File names Libraries Passwords

Nemty ransomware operators launch their data leak site

Security Affairs

MARCH 3, 2020

Nemty ransomware first appeared on the threat landscape in August 2019, the name of the malware comes after the extension it adds to the encrypted file names. The ransomware deletes shadow copies of encrypted files to make in impossible any recovery procedure. they also announced a working tool for version 1.5.

Ransomware

Ransomware File names Encryption Archiving

GhostWriter APT targets state entities of Ukraine with Cobalt Strike Beacon

Security Affairs

MARCH 28, 2022

The phishing messages use a RAR-archive named “Saboteurs.rar”, which contains RAR-archive “Saboteurs 21.03.rar.” “The archive contains documents and images of the bait, as well as VBScript code (Thumbs.db), which will create and run the.NET program “dhdhk0k34.com.”

Archiving

Archiving CMS File names Phishing

PoC exploit code for critical Fortinet FortiNAC bug released online

Security Affairs

FEBRUARY 21, 2023

The two vulnerabilities, tracked as CVE-2022-39952 and CVE-2021-42756 , are respectively an external control of file name or path in Fortinet FortiNAC and a collection of stack-based buffer overflow issues in the proxy daemon of FortiWeb. is an external control of file name or path in the keyUpload scriptlet of FortiNAC.

File names

File names Archiving Access Cybersecurity

Fake Falcon crash reporter installer used to target German Crowdstrike users

Security Affairs

JULY 28, 2024

The spear-phishing page included a download link pointing to a ZIP archive file that contained a malicious InnoSetup installer. The installer injected the executable into a JavaScript file named “jquery-3.7.1.min.js” min.js” to evade detection.

Passwords

Passwords Phishing File names Metadata

WinRAR CVE-2018-20250 flaw exploited in multiple campaigns

Security Affairs

MARCH 28, 2019

The recently patched vulnerability affecting the popular archiver utility WinRAR has been exploited to deliver new malware to targeted users. The flaw is an “Absolute Path Traversal” issue in the library that could be exploited to execute arbitrary code by using a specially-crafted file archive. ” continues the analysis.

Archiving

Archiving File names Education Libraries

Previously undetected ThirdEye malware appears in the threat landscape

Security Affairs

JUNE 29, 2023

Fortinet started investigating the threat after the discovery of an archive file with a file name in Russian, “Табель учета рабочего времени.zip” (“time sheet” in English). The zip archive contains two files with.exe extension preceded by another document-related extension (double extension).

File names

File names Archiving IT Security

Chinese APT Earth Baxia target APAC by exploiting GeoServer flaw

Security Affairs

SEPTEMBER 23, 2024

The phishing emails in this campaign have carefully tailored subject lines, with a ZIP file attachment containing a decoy MSC file named RIPCOY. Upon opening this file, an obfuscated VBScript downloads multiple files from a public cloud service like AWS, including a decoy PDF,NET applications, and a configuration file.

Phishing

Phishing File names Cloud Government

Ursnif campaign targets Italy with a new infection Chain

Security Affairs

MARCH 17, 2020

The script creates a new file named “ pinumber.vbs ” and starts filling it with the instructions through the “echo” function appending the strings to the next vbs stage. An evidence about the presence of the malicious file hosted on the legit website is shown in the following figure: Figure 5: Communication with the DropUrl.

Archiving

Archiving Passwords Encryption IT

A 15-Year-Old Unpatched Python bug potentially impacts over 350,000 projects

Security Affairs

SEPTEMBER 22, 2022

A user-assisted remote attacker can trigger the issue to overwrite arbitrary files via a. dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267. sequence to filenames in a TAR archive.” however, in most cases an attacker exploit this issue to gain code execution from the file write. .

Archiving

Archiving File names Metadata Security

“gitgub” malware campaign targets Github users with RisePro info-stealer

Security Affairs

MARCH 17, 2024

The researchers noticed that the users must unpack several layers of archives using the password “GIT1HUB1FREE,” which is provided in the README.md file, to access the installer named “Installer_Mega_v0.7.4t.msi.” All unique passwords are stored in a file named “brute.txt”.

Passwords

Passwords File names Archiving Cybersecurity

Experts found components of a complex toolkit employed in macOS attacks

Security Affairs

JUNE 19, 2023

“For MacOS devices, the function writes a file to /Users/Shared/AppleAccount.tgz. The content that is written to the archive is also encoded as base64 when received from server. It unpacks the archive to the /Users/Shared folder, then opens the /Users/Shared/TempUser/AppleAccountAssistant.app application.”

File names

File names Archiving IT Security

Recently fixed WinRAR bug actively exploited in the wild

Security Affairs

MARCH 15, 2019

The flaw is an “Absolute Path Traversal” issue in the library that could be exploited to execute arbitrary code by using a specially-crafted file archive. DLL, handles the extraction of files compressed in ACE data format. The malicious RAR file (Ariana_Grande-thank_u,_next(2019)_[320].rar)

Archiving

Archiving Libraries File names Security

Bronze Starlight targets the Southeast Asian gambling sector

Security Affairs

AUGUST 18, 2023

Then the loaders retrieve a second-stage payload stored in password-protected ZIP archive from Alibaba buckets. “The zip archives downloaded by agentupdate_plugins.exe and AdventureQuest.exe contain sideloading capabilities. The attackers used modified installers for chat applications to download a.NET malware loaders.

Archiving

Archiving File names Encryption Passwords

New RedLine malware version distributed as fake Omicron stat counter

Security Affairs

JANUARY 12, 2022

Stolen data are stored in an archive (logs) before being uploaded to a server under the control of the attackers. The new variant discovered by Fortinet has the file name “Omicron Stats.exe,” threat actors are attempting to exploit the enormous interest on a global scale on the COVID-19 Omicron variant.

Manufacturing

Manufacturing File names Archiving Encryption

Vietnamese threat actors linked to DarkGate malware campaign

Security Affairs

OCTOBER 22, 2023

.” A Vietnamese group observed by the researchers used very similar lures and delivery methods in different attacks attempting to deliver: DarkGate Ducktail Lobshot Redline stealer The attack chain began with the download of a file named “Salary and new products.8.4.zip” zip” and the execution of the content.

File names

File names Archiving IT Access

Borat RAT, a new RAT that performs ransomware and DDoS attacks

Security Affairs

APRIL 3, 2022

Files in the Borat RAT archive (Cyble). If it can find a connected microphone, the RAT records all audio and saves it in a file named micaudio.wav. The Borat RAT allows its operators to compile the malware binary for performing specific features, including DDoS and ransomware attacks.

Ransomware

Ransomware File names Archiving Encryption

China-linked LuminousMoth APT targets entities from Southeast Asia

Security Affairs

JULY 14, 2021

The Dropbox link leads to a RAR archive that masquerades as a Word document by setting the “file_subpath” parameter to point to a filename with a.DOCX extension. “The archive contains two malicious DLL libraries as well as two legitimate executables that sideload the DLL files.

Archiving

Archiving File names Government Libraries

A month later Gamaredon is still active in Eastern Europe

Security Affairs

JUNE 4, 2019

The infection chain is composed by different stages of password protected SFX (self extracting archive), each containing vbs or batch scripts. Despite its apparent triviality, the Matryoshka of SFX archives reached a low detection rate, making it effective. Information about initial SFX file. Technical Analysis. scr” extension.

Archiving

Archiving Passwords File names Military

ExCobalt Cybercrime group targets Russian organizations in multiple sectors

Security Affairs

JUNE 24, 2024

While investigating a security incident from March 2024 on a client’s Linux host, Positive Technologies researchers discovered a file named “scrond.” The backdoor serializes, encrypts, archives, and sends the collected data to a designated server that stores compromised data.

File names

File names Communications Mining Archiving

Hades ransomware gang targets big organizations in the US

Security Affairs

MARCH 26, 2021

Experts noticed that each Hades ransomware sample uses a different extension to files that it encrypts and drops a ransom note with file name “HOW-TO-DECRYPT-[extension].txt”. “In addition to data theft, actors deploy Hades ransomware to encrypt files identified on the victim network. ” concludes the report.

Ransomware

Ransomware Encryption File names Manufacturing

Cyclops Ransomware group offers a multiplatform Info Stealer

Security Affairs

JUNE 6, 2023

.” Encrypted file contents in Windows Encrypted file contents in Linux The Windows version of the info-stealer can be downloaded from the Cyclops admin panel as part of an archive containing the stealer.exe and config.json. The data is then exfiltrated to the attacker’s server.” ” continues the report.

Ransomware

Ransomware Encryption Archiving File names

Malware researchers decrypted the Qrypter Payload

Security Affairs

MARCH 29, 2019

This messages warned the users about imminent summons against them, inviting them to read the attached lawsuit, a not so innocent looking file named “ Avviso del tribunale.jar ”. Encryption key used to decrypt all the other files. Encryption key used to decrypt all the other files. Technical Analysis.

Encryption

Encryption File names Archiving IT

Carderbee APT targets Hong Kong orgs via supply chain attacks

Security Affairs

AUGUST 23, 2023

This downloader was used to install the Korplug backdoor on the infected systems. “The downloader attempted to download a file named update.zip from the following location: [link] continues the report. “The update.zip file is a zlib compressed archive file. This file is not saved on disk.

File names

File names Encryption Archiving Information Security

Gootkit delivery platform Gootloader used to deliver additional payloads

Security Affairs

MARCH 1, 2021

. “And if that same site visitor clicks the “direct download link” provided on this page, they receive a.zip archive file with a filename that exactly matches the search query terms used in the initial search, which itself contains another file named in precisely the same way.” ” continues the analysis.

Search queries

Search queries CMS Ransomware File names

OSX/Linker, a new piece of Mac malware that exploits Gatekeeper bypass

Security Affairs

JUNE 25, 2019

The second feature that was exploited to include within ZIP archives symbolic links pointing to arbitrary locations, in this case, automount endpoints. Cavallarin discovered that the software responsible for decompressing the ZIP archives does not perform any check on the symlinks. /net/evil-attacker.com/sharedfolder/).

Archiving

Archiving File names Security Access

Internet Archive data breach impacted 31M users

PLAYFULGHOST backdoor supports multiple information stealing features

Webinars

Trending Sources

Specially Crafted ZIP archives allow bypassing secure email gateways

Webinars

MikroTik botnet relies on DNS misconfiguration to spread malware

Threat actors attempted to capitalize CrowdStrike incident

Experts warn of a new wave of Bumblebee malware attacks

Nemty ransomware “LOVE_YOU” malspam campaign

Threat actors attempted to capitalize CrowdStrike incident

Crooks bypass a Microsoft Office patch for CVE-2021-40444 to spread Formbook malware

New SPIKEDWINE APT group is targeting officials in Europe

Qakbot operations continue to evolve to avoid detection

Monero Cryptocurrency campaign exploits ProxyLogon flaws

Russia-linked Armageddon APT targets Ukrainian state organizations, CERT-UA warns

PLAYFULGHOST backdoor supports multiple information stealing features

BlackWater, a malware that uses Cloudflare Workers for C2 Communication

A crafty phishing campaign targets Microsoft OneDrive users

Introducing the PhishingKitTracker

New ransomware group Hive leaks Altus group sample files

Recently patched Windows flaw CVE-2024-43461 was actively exploited as a zero-day before July 2024

Nemty ransomware operators launch their data leak site

GhostWriter APT targets state entities of Ukraine with Cobalt Strike Beacon

PoC exploit code for critical Fortinet FortiNAC bug released online

Fake Falcon crash reporter installer used to target German Crowdstrike users

WinRAR CVE-2018-20250 flaw exploited in multiple campaigns

Previously undetected ThirdEye malware appears in the threat landscape

Chinese APT Earth Baxia target APAC by exploiting GeoServer flaw

Ursnif campaign targets Italy with a new infection Chain

A 15-Year-Old Unpatched Python bug potentially impacts over 350,000 projects

“gitgub” malware campaign targets Github users with RisePro info-stealer

Experts found components of a complex toolkit employed in macOS attacks

Recently fixed WinRAR bug actively exploited in the wild

Bronze Starlight targets the Southeast Asian gambling sector

New RedLine malware version distributed as fake Omicron stat counter

Vietnamese threat actors linked to DarkGate malware campaign

Borat RAT, a new RAT that performs ransomware and DDoS attacks

China-linked LuminousMoth APT targets entities from Southeast Asia

A month later Gamaredon is still active in Eastern Europe

ExCobalt Cybercrime group targets Russian organizations in multiple sectors

Hades ransomware gang targets big organizations in the US

Cyclops Ransomware group offers a multiplatform Info Stealer

Malware researchers decrypted the Qrypter Payload

Carderbee APT targets Hong Kong orgs via supply chain attacks

Gootkit delivery platform Gootloader used to deliver additional payloads

OSX/Linker, a new piece of Mac malware that exploits Gatekeeper bypass

Stay Connected