Communications and File names - Information Management Today

BlackWater, a malware that uses Cloudflare Workers for C2 Communication

Security Affairs

MARCH 15, 2020

Researchers from MalwareHunterTeam discovered a suspicious RAR file named “COVID-19-” that was being distributed online, likely through phishing emails. "Important The RAR archive contains a file named “Important – COVID-19” that displays a Word icon. "Important – COVID-19.rar"

Communications

Communications File names Archiving Phishing

ToxicEye RAT exploits Telegram communications to steal data from victims

Security Affairs

APRIL 24, 2021

“The bot is embedded into the ToxicEye RAT configuration file and compiled into an executable file (an example of a file name we found was ‘paypal checker by saint.exe’). The post ToxicEye RAT exploits Telegram communications to steal data from victims appeared first on Security Affairs. Pierluigi Paganini.

Communications

Communications File names Encryption Education

Threat actors attempted to capitalize CrowdStrike incident

Security Affairs

JULY 20, 2024

The attackers attempted to trick the company’s customers into opening a ZIP archive file named “ crowdstrike-hotfix.zip.” ” The archive includes a loader named Hijack Loader used to execute the Remcos RAT. ” reads the report published by Kaspersky.

File names

File names Archiving Cybersecurity Communications

Webinars

Automation, Evolved: Your New Playbook For Smarter Knowledge Work

MORE WEBINARS

B1txor20 Linux botnet use DNS Tunnel and Log4J exploit

Security Affairs

MARCH 17, 2022

The malware was first spotted on February 9, 2022, when 360Netlab’s honeypot system captured an unknown ELF file that was spreading by exploiting the Log4J vulnerability. The name B1txor20 is based on the file name “b1t” used for the propagation and the XOR encryption algorithm, and the RC4 algorithm key length of 20 bytes.

Honeypots

Honeypots File names Communications Encryption

A new Linux version of TargetCompany ransomware targets VMware ESXi environments

Security Affairs

JUNE 6, 2024

The malware then enters “VM mode” to encrypt files with specific extensions. Once executed, the ransomware drops a text file named TargetInfo.txt that contains victim information. Like the Windows variant of the ransomware, the content of the file TargetInfo.txt is then sent to a C2 server.

Ransomware

Ransomware File names Encryption Communications

Night Sky, a new ransomware operation in the threat landscape

Security Affairs

JANUARY 7, 2022

Once encrypted a file, the ransomware appends the ‘ nightsky ‘ extension to encrypted file names. Experts pointed out that the gang communicates with victims via email and a clear website running an instance of the Rocket.Chat. Source MalwareHunterTeam.

Ransomware

Ransomware Encryption File names Communications

North Korea-linked Kimsuky APT attack targets victims via Messenger

Security Affairs

MAY 17, 2024

However, the fact that mutual communication and reliability were promoted through Facebook Messenger shows that the boldness of Kimsuky APT attacks is increasing day by day.” “And if you compare the two malicious file execution screens, you can see the same pattern. ” reads the report published by GSC.

File names

File names Phishing Communications Security

New ransomware group Hive leaks Altus group sample files

Security Affairs

JUNE 26, 2021

IT back-office and communications systems, such as email have been taken offline at the time. The provided sample of exfiltrated files includes business data and documents, as well as Argus certificates and development files. The sample archive is password protected – but the file names and types are clearly visible.

Ransomware

Ransomware File names Archiving Encryption

New Cyber Attack Campaign Leverages the COVID-19 Infodemic

Security Affairs

FEBRUARY 26, 2020

Figure 4: Piece of the encrypted file downloaded from “share.]dmca.]gripe”. Inside it, two files named “filename1.vbs” Figure 5: Installed files. The content of the VBScript is straightforward: it simply is the launching point to run executable file. Figure 10: Piece of network communication intercepted.

File names

File names Communications Encryption IT

ExCobalt Cybercrime group targets Russian organizations in multiple sectors

Security Affairs

JUNE 24, 2024

While investigating a security incident from March 2024 on a client’s Linux host, Positive Technologies researchers discovered a file named “scrond.” The communication between GoRed and its C2 server relies on the RPC protocol.

File names

File names Communications Mining Archiving

Threat actors attempted to capitalize CrowdStrike incident

Security Affairs

JULY 20, 2024

The attackers attempted to trick the company’s customers into opening a ZIP archive file named “ crowdstrike-hotfix.zip.” ” The archive includes a loader named Hijack Loader used to execute the Remcos RAT. ” reads the report published by Kaspersky.

File names

File names Archiving Cybersecurity Communications

Monero Cryptocurrency campaign exploits ProxyLogon flaws

Security Affairs

APRIL 18, 2021

“The attack begins with a PowerShell command to retrieve a file named win_r.zip from another compromised server’s Outlook Web Access logon path (/owa/auth).” ” The attack used a PowerShell command to retrieve a file named win_r.zip from another compromised server’s Outlook Web Access logon path (/owa/auth). .

File names

File names Archiving Passwords Communications

Experts found a bug in the Linux version of RansomHub ransomware

Security Affairs

JUNE 22, 2024

RansomHub claimed responsibility for attacks against multiple organizations, including Change Healthcare, Christie’s , and Frontier Communications. The experts at Insikt Group noticed that the ESXi version of RansomHub creates a file named /tmp/app.pid to ensure the exclusive execution of RansomHub processes.

Ransomware

Ransomware Encryption File names Communications

Chinese APT Earth Baxia target APAC by exploiting GeoServer flaw

Security Affairs

SEPTEMBER 23, 2024

The phishing emails in this campaign have carefully tailored subject lines, with a ZIP file attachment containing a decoy MSC file named RIPCOY. Upon opening this file, an obfuscated VBScript downloads multiple files from a public cloud service like AWS, including a decoy PDF,NET applications, and a configuration file.

Phishing

Phishing File names Cloud Government

Multiple threat actors exploit PHP flaw CVE-2024-4577 to deliver malware

Security Affairs

JULY 11, 2024

The botnet shell script downloads an ELF file named “pty3” from a different IP address, likely a sample of Muhstik malware. top, which was observed in Muhstik botnet activities, and communicates via Internet Relay Chat. The bot also connects to the command and control domain p.findmeatthe[.]top,

Honeypots

Honeypots File names Mining IoT

New RedLine malware version distributed as fake Omicron stat counter

Security Affairs

JANUARY 12, 2022

The new variant discovered by Fortinet has the file name “Omicron Stats.exe,” threat actors are attempting to exploit the enormous interest on a global scale on the COVID-19 Omicron variant. Over the course of the few weeks after this variant was released, we noticed one IP address in particular communicating with this C2 server.”

Manufacturing

Manufacturing File names Archiving Encryption

Threat actors leverage Microsoft Teams to spread malware

Security Affairs

FEBRUARY 17, 2022

. “Most employees have been trained to second-guess identities in email, but few know how to make sure that the name and photo they see in a Teams conversation are real. It is simple to edit a profile and become most anyone you like. ” concludes the report. Follow me on Twitter: @securityaffairs and Facebook. Pierluigi Paganini.

File names

File names Phishing Data breaches Access

Prometei, a new modular crypto-mining botnet exploits Windows SMB

Security Affairs

JULY 22, 2020

The main branch also has auxiliary modules that allow the Prometei botnet to communicate through TOR or I2P networks, to collect information about processes running on the system, check of open ports on target systems and to crawl the file systems in search for file names given as the argument to the module.

Mining

Mining File names Passwords Communications

Evilnum APT used Python-based RAT PyVil in recent attacks

Security Affairs

SEPTEMBER 3, 2020

The malware communicates with the C2 communications via POST HTTP requests and uses RC4 encryption with a hardcoded key encoded with Base64. The new infection chain starts by including just one LNK file in the ZIP archive attached to spear-phishing messages. The PyVil RAT stores the malware settings (i.e.

Phishing

Phishing Encryption File names Metadata

China-linked APT41 group targets Hong Kong with Spyder Loader

Security Affairs

OCTOBER 18, 2022

. “We also saw Mimikatz being executed on victim networks, as well as a Trojanized ZLib DLL that had multiple malicious exports, one of which appeared to be waiting for communication from a command-and-control (C&C) server, while the other would load a payload from the provided file name in the command-line.”

File names

File names Encryption Manufacturing Libraries

Zeus Sphinx spam campaign attempt to exploit Coronavirus outbreak

Security Affairs

MARCH 30, 2020

“Current malspam campaigns feature booby-trapped document files named “COVID 19 relief” and subject lines relying on the same theme. Sphinx’s targets have not changed from its past configuration files as it continues to focus on banks in the US, Canada, and Australia.” ” continues the post.”Next,

File names

File names Passwords Sales Government

New PowerExchange Backdoor linked to an Iranian APT group

Security Affairs

MAY 26, 2023

The backdoor uses emails for C2 communications, where the C2 is the victim’s Microsoft Exchange server. The infection chain commenced with spear phishing messages using a zip file named Brochure.zip in attachment. ” reads the analysis published by Fortinet. It also acts as a proxy for the attacker to mask himself.”

Communications

Communications File names Archiving Government

New PowerShell-based Backdoor points to MuddyWater

Security Affairs

NOVEMBER 30, 2018

But, unlike previous incidents using POWERSTATS, the command and control (C&C) communication and data exfiltration in this case is done by using the API of a cloud file hosting provider.” OS name, domain name, user name, IP address) into one long string. ” continues the experts.

Communications

Communications File names Cloud Government

Chinese cyberspies used a new PlugX variant, dubbed THOR, in attacks against MS Exchange Servers

Security Affairs

JULY 28, 2021

In the attacks investigated by Palo Alto Networks, the APT group leveraged legitimate executables such as BITSAdmin to download an innocuous file named Aro.dat from a GitHub repository under the control of the threat actors. The analysis of the file revealed that it includes the encrypted and compressed PlugX payload.

Encryption

Encryption File names Communications IT

The North Korean Kimsuky APT threatens South Korea evolving its TTPs

Security Affairs

MARCH 3, 2020

Hash 757dfeacabf4c2f771147159d26117818354af14050e6ba42cc00f4a3d58e51f Threat Kimsuky loader Brief Description Scr file, initial loader Ssdeep 12288:APWcT1z2aKqkP/mANd2JiEWKZ52zfeCkIAYfLeXcj6uuLl:uhT1z4q030JigZUaULeXc3uLl. Figure 2: Written file (AutoUpdate.dll) in the “%AppData%LocalTemp” path. hwp” extension. Bypassing AV Detection.

IT

IT File names Libraries Communications

Crooks target Healthcare facilities involved in Coronavirus containment with Ransomware

Security Affairs

APRIL 14, 2020

a United States defense research entity, a Turkish government agency managing public works, several large technology and communications firms headquartered in Canada, Germany, and the United Kingdom, and medical organizations/medical research facilities located in Japan and Canada). ” reads the analysis published by PaloAlto Networks.

Ransomware

Ransomware Phishing Government File names

Redfly group infiltrated an Asian national grid as long as six months?

Security Affairs

SEPTEMBER 13, 2023

According to Microsoft, the campaign aims at building capabilities that could disrupt critical communications infrastructure between the United States and Asia region in the case of future crises. “On May 29, the attackers returned and used a renamed version of ProcDump (file name: alg.exe) to dump credentials from LSASS.”

File names

File names Access Encryption Communications

STOP ransomware encrypts files and steals victim’s data

Security Affairs

MARCH 11, 2019

.” One of the variants analyzed by BleepingComputer encrypts data and appends the.promorad extension to encrypted files, then it creates ransom notes named _readme.txt as shown below. The Promorad Ransomware variant samples tested by the experts also download a file named 5.exe exe and executed it.

Encryption

Encryption Ransomware Passwords File names

Sofacy APT group used a new tool in latest attacks, the Cannon

Security Affairs

NOVEMBER 20, 2018

” Cannon acts as a downloader and relies on emails to communicate with the C2 server and receive instructions. Hackers used weaponized files named ‘crash list (Lion Air Boeing 737).docx’ Once successfully executed, the macro will install a payload and save a document to the system.”

File names

File names Phishing Communications Government

Crooks exploit exposed Docker APIs to build AESDDoS botnet

Security Affairs

JUNE 15, 2019

“In this new attack, the threat actor first externally scans a given IP range by sending a TCP SYN packet to port 2375, the default port used for communicating with the Docker daemon.” “The output of this command is saved into a file named ips.txt, which is then fed into the Docker.exe file.

File names

File names Mining Access Communications

New APT34 campaign uses LinkedIn to deliver fresh malware

Security Affairs

JULY 22, 2019

The fake profiles asked the victims to open the weaponized excel file named ERFT-Details. The Tonedeaf malware is a backdoor which communicates with a single command-and-control (C2) server via HTTP GET and POST requests. xls that was used as a dropper.

File names

File names Phishing Government Passwords

WinRAR CVE-2018-20250 flaw exploited in multiple campaigns

Security Affairs

MARCH 28, 2019

The malicious code allows the attackers to download and execute files on the infected machine. “Interestingly, the backdoor communicates with the command and control (C2) server using the value of the Authorization HTTP header ” continues the analysis. The payload is executed the next time Windows starts up.”

Archiving

Archiving File names Education Libraries

APT34: Glimpse project

Security Affairs

MAY 2, 2019

At this stage we might appreciate two communication ways. One of the most important function is the aa_AdrGen_bb which is the communication manager. It implements the control layer in order to send and to receive control informations such as: commands, bytes received, if the file transfer has been close, and so on and so forth.

Computer and Electronics

Computer and Electronics Communications Government Security

Conti ransomware gang also breached Ireland Department of Health (DoH)

Security Affairs

MAY 19, 2021

” reads an update published by the Irish Department of the Environment, Climate and Communications. The malware involved in the attack is Conti Ransomware v3 (32 bit), which attempted to encrypt all files with the exception of the following file names: – CONTI_LOG.txt – readme.txt – *.FEEDC

Ransomware

Ransomware Encryption File names IoT

Russia-linked Cyclops Blink botnet targeting ASUS routers

Security Affairs

MARCH 18, 2022

Upon executing the core component, the malware first checks if its executable file name starts with “[k” If it does not, it performs the following routine: It redirects both stdout and stderr file descriptors to /dev/null. It sets the default handlers for SIGTERM, SIGINT, SIGBUS, SIGPIPE, and SIGIO signals.

IoT

IoT Military File names Communications

Chinese APT FunnyDream targets a South East Asian government

Security Affairs

NOVEMBER 17, 2020

FunnyDream is a custom-made backdoor that supports advanced persistence and communication capabilities, it was used by the APT group to gathering intelligence and data exfiltration. “The attackers used the backdoor prevalently as DLL files, but we observed an executable to be used as well.” ” continues the report.

Government

Government File names Communications Access

Dacls RAT, the first Lazarus malware that targets Linux devices

Security Affairs

DECEMBER 17, 2019

The name Dacls comes from its file name and the hard-coded strings, the malware has a modular structure that could extend its capabilities by loading plugins. “With connection proxy, the number of target host connections can be reduced, and the communication between the target and the real C2 can be hidden.”

CMS

CMS File names Encryption Access

China-linked LuminousMoth APT targets entities from Southeast Asia

Security Affairs

JULY 14, 2021

. “The archive contains two malicious DLL libraries as well as two legitimate executables that sideload the DLL files. We found multiple archives like this with file names of government entities in Myanmar, for example “COVID-19 Case 12-11-2020(MOTC).rar” ” reads the analysis published by Kaspersky.

Archiving

Archiving File names Government Libraries

New release of Lampion trojan spreads in Portugal with some improvements on the VBS downloader

Security Affairs

JULY 7, 2020

Figure 6: Deofuscated VBS file – Lampion trojan July 2020. Some parts of the code are highlighted in Figure 6 and described below: Function to generate random strings is used to generate arbitrary folders and file names. LNK files from the Windows startup folder. VBS files from the Windows startup folder.

Communications

Communications Cloud Phishing Encryption

Outlaw is Back, a New Crypto-Botnet Targets European Organizations

Security Affairs

APRIL 28, 2020

The executed crypto miner is the file named “” kswapd0 ” based on the famous XMRIG monero crypto miner. It is composed only by three files: “ a”, “run”, “stop ”. They are three bash scripts, which we start to analyze: Figure 10: Content of the “a” script file. The initial script is the file named “ a ”.

Mining

Mining File names Honeypots IT

Emissary Panda updated its weapons for attacks in the past 2 years

Security Affairs

MARCH 1, 2019

“This Gh0st RAT sample communicated with IP address 43 [. ] In all the cases, attackers deliver a WinRAR self-extracting (SFX) file that installs the SysUpdate stage 1 payload, that gains persistence and downloads and executes the second stage payload, SysUpdate Main. Windows NT 6.3; ” continues the analysis.

IT

IT File names Financial Services Communications

New Linux Ransomware BlackSuit is similar to Royal ransomware

Security Affairs

JUNE 3, 2023

According to government experts, the Royal ransomware attacks targeted numerous critical infrastructure sectors including, manufacturing, communications, healthcare and public healthcare (HPH), and education. ReadMe file name: README.BlackSuit.txt. New #ransomware #BlackSuit targets Windows, #Linux. Extension: blacksuit.

Ransomware

Ransomware Encryption File names Cybersecurity

Discovery of Simps Botnet Leads To Ties to Keksec Group

Security Affairs

MAY 18, 2021

On execution of the Simps binary, it drops a log file containing that the device has been infected with malware by Simps Botnet (see Figure 2). Figure 2: Dropped log file. Figure 3: C2 communication. Figure 10: keksec.infected.you.log file. The binary also connects to the C2 23.95.80[.]200 200 (see figure 3).

IoT

IoT File names Communications Security

Russia-affiliated CheckMate ransomware quietly targets popular file-sharing protocol

Security Affairs

MAY 13, 2023

The CheckMate ransomware operators have been targeting the Server Message Block (SMB) communication protocol used for file sharing to compromise their victims’ networks. Once the attacker successfully logs in to a device, they encrypt data in shared folders and leave a ransom note with the file name “!CHECKMATE_DECRYPTION_README”

Ransomware

Ransomware Encryption Passwords File names

BlackWater, a malware that uses Cloudflare Workers for C2 Communication

ToxicEye RAT exploits Telegram communications to steal data from victims

Webinars

Trending Sources

Threat actors attempted to capitalize CrowdStrike incident

Webinars

B1txor20 Linux botnet use DNS Tunnel and Log4J exploit

A new Linux version of TargetCompany ransomware targets VMware ESXi environments

Night Sky, a new ransomware operation in the threat landscape

North Korea-linked Kimsuky APT attack targets victims via Messenger

New ransomware group Hive leaks Altus group sample files

New Cyber Attack Campaign Leverages the COVID-19 Infodemic

ExCobalt Cybercrime group targets Russian organizations in multiple sectors

Threat actors attempted to capitalize CrowdStrike incident

Monero Cryptocurrency campaign exploits ProxyLogon flaws

Experts found a bug in the Linux version of RansomHub ransomware

Chinese APT Earth Baxia target APAC by exploiting GeoServer flaw

Multiple threat actors exploit PHP flaw CVE-2024-4577 to deliver malware

New RedLine malware version distributed as fake Omicron stat counter

Threat actors leverage Microsoft Teams to spread malware

Prometei, a new modular crypto-mining botnet exploits Windows SMB

Evilnum APT used Python-based RAT PyVil in recent attacks

China-linked APT41 group targets Hong Kong with Spyder Loader

Zeus Sphinx spam campaign attempt to exploit Coronavirus outbreak

New PowerExchange Backdoor linked to an Iranian APT group

New PowerShell-based Backdoor points to MuddyWater

Chinese cyberspies used a new PlugX variant, dubbed THOR, in attacks against MS Exchange Servers

The North Korean Kimsuky APT threatens South Korea evolving its TTPs

Crooks target Healthcare facilities involved in Coronavirus containment with Ransomware

Redfly group infiltrated an Asian national grid as long as six months?

STOP ransomware encrypts files and steals victim’s data

Sofacy APT group used a new tool in latest attacks, the Cannon

Crooks exploit exposed Docker APIs to build AESDDoS botnet

New APT34 campaign uses LinkedIn to deliver fresh malware

WinRAR CVE-2018-20250 flaw exploited in multiple campaigns

APT34: Glimpse project

Conti ransomware gang also breached Ireland Department of Health (DoH)

Russia-linked Cyclops Blink botnet targeting ASUS routers

Chinese APT FunnyDream targets a South East Asian government

Dacls RAT, the first Lazarus malware that targets Linux devices

China-linked LuminousMoth APT targets entities from Southeast Asia

New release of Lampion trojan spreads in Portugal with some improvements on the VBS downloader

Outlaw is Back, a New Crypto-Botnet Targets European Organizations

Emissary Panda updated its weapons for attacks in the past 2 years

New Linux Ransomware BlackSuit is similar to Royal ransomware

Discovery of Simps Botnet Leads To Ties to Keksec Group

Russia-affiliated CheckMate ransomware quietly targets popular file-sharing protocol

Stay Connected