File names and Information Security - Information Management Today

PLAYFULGHOST backdoor supports multiple information stealing features

Security Affairs

JANUARY 5, 2025

“Mandiant observed a second, more sophisticated execution scenario which begins with a Windows LNK file named QQLaunch.lnk. ThisLNK file combines a text file named h which contains the characters “MZ” and a second file t which contains the rest of PE payload to construct a new malicious DLL named libcurl.dll.”

File names

File names Archiving Phishing Encryption

Internet Archive data breach impacted 31M users

Security Affairs

OCTOBER 11, 2024

HIBP confirmed that the stolen archive had 31M records, including email address, screen name, bcrypt password hash, and timestamps for password changes. Troy Hunt told BleepingComputer that the leaked Internet Archive’s file is a 6.4GB SQL file named “ia_users.sql.”

Archiving

Archiving Data breaches Passwords File names

Glove Stealer bypasses Chrome’s App-Bound Encryption to steal cookies

Security Affairs

NOVEMBER 15, 2024

Since App-Bound encryption enforces path validation, the supporting module must be placed within Chrome’s Program Files directory, requiring Glove Stealer first to obtain local admin privileges. It then connects to the C2 server to confirm a successful bypass (ID=4).

Encryption

Encryption File names Phishing Passwords

Webinars

Automation, Evolved: Your New Playbook For Smarter Knowledge Work

MORE WEBINARS

MikroTik botnet relies on DNS misconfiguration to spread malware

Security Affairs

JANUARY 16, 2025

In late November, the experts spotted a malspam campaign impersonating DHL which used emails about freight invoices, attaching zip files named “Invoice###.zip” The zip archive contains an obfuscated JavaScript file, which creates and executes a PowerShell script that connects to the C2 (62.133.60[.]137),

File names

File names Authentication Access Archiving

Experts warn of a new wave of Bumblebee malware attacks

Security Affairs

OCTOBER 22, 2024

The Bumblebee infection detected by Netskope likely begins with a phishing email containing a ZIP file with an LNK file named “Report-41952.lnk” “the new Bumblebee payload is delivered via MSI files. lnk” that, once executed, starts the attack chain. Once executed, it downloads the payload directly into memory.

File names

File names Phishing Ransomware Archiving

Threat actors attempted to capitalize CrowdStrike incident

Security Affairs

JULY 20, 2024

The attackers attempted to trick the company’s customers into opening a ZIP archive file named “ crowdstrike-hotfix.zip.” ” The archive includes a loader named Hijack Loader used to execute the Remcos RAT. ” reads the report published by Kaspersky.

File names

File names Archiving Cybersecurity Communications

Qakbot operations continue to evolve to avoid detection

Security Affairs

JULY 13, 2022

“Most recently, threat actors have transformed their techniques to evade detection by using ZIP file extensions, enticing file names with common formats, and Excel (XLM) 4.0 ThreatLabz reported that the attackers are using various different file names to disguise attachments designed to deliver Qakbot.

File names

File names Archiving Compliance IT

CERT-UA warns of a phishing campaign targeting government entities

Security Affairs

AUGUST 13, 2024

Threat actors sent out emails attempting to impersonate Security Service of Ukraine (SSU) and contains a link to download a file named “Documents.zip.” ” Upon clicking the link, an MSI file is downloaded. If the recipient then opens this file, the ANONVNC malware, tracked as MESHAGENT, is executed. .

Phishing

Phishing Government File names Access

Hackers abused swap files in e-skimming attacks on Magento sites

Security Affairs

JULY 23, 2024

Threat actors abused swap files in compromised Magento websites to hide credit card skimmer and harvest payment information. Security researchers from Sucuri observed threat actors using swap files in compromised Magento websites to conceal a persistent software skimmer and harvest payment information.

Cleanup

Cleanup CMS File names Analytics

STRRAT RAT spreads masquerading as ransomware

Security Affairs

MAY 20, 2021

The Java-based STRRAT RAT was distributed in a massive spam campaign, the malware shows ransomware-like behavior of appending the file name extension.crimson to files without actually encrypting them. pic.twitter.com/mGow2sJupN — Microsoft Security Intelligence (@MsftSecIntel) May 19, 2021.

Ransomware

Ransomware File names Encryption Passwords

A new Linux version of TargetCompany ransomware targets VMware ESXi environments

Security Affairs

JUNE 6, 2024

The malware then enters “VM mode” to encrypt files with specific extensions. Once executed, the ransomware drops a text file named TargetInfo.txt that contains victim information. Like the Windows variant of the ransomware, the content of the file TargetInfo.txt is then sent to a C2 server.

Ransomware

Ransomware File names Encryption Communications

FBI published a flash alert on Mamba Ransomware attacks

Security Affairs

MARCH 26, 2021

“Once encrypted, the system displays a ransom note including the actor’s email address, ransomware file name, the host system name, and a place to enter the decryption key.” DiskCryptor is not inherently malicious but has been weaponized.” ” reads the alert published by the FBI.

Ransomware

Ransomware Encryption File names Passwords

Microsoft warns of Dexphot miner, an interesting polymorphic threat

Security Affairs

NOVEMBER 26, 2019

“The Dexphot attack used a variety of sophisticated methods to evade security solutions. Layers of obfuscation, encryption, and the use of randomized file names hid the installation process. Doxphot stands out for its evasion techniques and its level of sophistication. ”reads the analysis published by Microsoft.

File names

File names Encryption Mining Security

BlackWater, a malware that uses Cloudflare Workers for C2 Communication

Security Affairs

MARCH 15, 2020

Researchers from MalwareHunterTeam discovered a suspicious RAR file named “COVID-19-” that was being distributed online, likely through phishing emails. "Important The RAR archive contains a file named “Important – COVID-19” that displays a Word icon. "Important – COVID-19.rar"

Communications

Communications File names Archiving Phishing

North Korea-linked Kimsuky APT attack targets victims via Messenger

Security Affairs

MAY 17, 2024

“And if you compare the two malicious file execution screens, you can see the same pattern. The malicious file, named “Console Root task window ‘Security Mode’,” hid certain window styles and tabs. ” reads the analysis. If the victims launch it the multi-stage attack chain starts.

File names

File names Phishing Communications Security

Fortinet fixes critical vulnerabilities in FortiNAC and FortiWeb

Security Affairs

FEBRUARY 17, 2023

The two vulnerabilities, tracked as CVE-2022-39952 and CVE-2021-42756 , are respectively an external control of file name or path in Fortinet FortiNAC and a collection of stack-based buffer overflow issues in the proxy daemon of FortiWeb. is an external control of file name or path in the keyUpload scriptlet of FortiNAC.

File names

File names Cybersecurity Security IT

Experts warn of attacks on sites using flawed Kaswara Modern WPBakery Page Builder Addons

Security Affairs

JULY 15, 2022

“Based on our analysis of the attack data, a majority of attackers are attempting to upload a zip file named a57bze8931.zip. When attackers are successful at uploading the zip file, a single file named a57bze8931.php “This file is an uploader under the control of the attacker.

File names

File names Security Information Security IT

Monero Cryptocurrency campaign exploits ProxyLogon flaws

Security Affairs

APRIL 18, 2021

“The attack begins with a PowerShell command to retrieve a file named win_r.zip from another compromised server’s Outlook Web Access logon path (/owa/auth).” ” The attack used a PowerShell command to retrieve a file named win_r.zip from another compromised server’s Outlook Web Access logon path (/owa/auth). .

File names

File names Archiving Passwords Communications

Carderbee APT targets Hong Kong orgs via supply chain attacks

Security Affairs

AUGUST 23, 2023

EsafeNet is owned by Chinese information security firm NSFOCUS. This downloader was used to install the Korplug backdoor on the infected systems. “The downloader attempted to download a file named update.zip from the following location: [link] continues the report. This file is not saved on disk.

File names

File names Encryption Archiving Information Security

A crafty phishing campaign targets Microsoft OneDrive users

Security Affairs

JULY 30, 2024

When this.html file is opened, it displays an image designed to create a sense of urgency about accessing the document, thereby increasing the likelihood that the user will follow the provided instructions.” ” reads the report published by Trellix.

Phishing

Phishing File names Archiving Access

Emsisoft released a new free decryption tool for the Avest ransomware

Security Affairs

SEPTEMBER 27, 2019

. “The decryptor requires access to a file pair consisting of one encrypted file and the original, unencrypted version of the encrypted file to reconstruct the encryption keys needed to decrypt the rest of your data.” ” reads the user guide published by Emsisoft.

Ransomware

Ransomware File names Encryption Security

Night Sky, a new ransomware operation in the threat landscape

Security Affairs

JANUARY 7, 2022

Once encrypted a file, the ransomware appends the ‘ nightsky ‘ extension to encrypted file names. Researchers from MalwareHunterteam first spotted a new ransomware family dubbed Night Sky that implements a double extortion model in attacks aimed at businesses.

Ransomware

Ransomware Encryption File names Communications

PoC exploit code for critical Fortinet FortiNAC bug released online

Security Affairs

FEBRUARY 21, 2023

The two vulnerabilities, tracked as CVE-2022-39952 and CVE-2021-42756 , are respectively an external control of file name or path in Fortinet FortiNAC and a collection of stack-based buffer overflow issues in the proxy daemon of FortiWeb. is an external control of file name or path in the keyUpload scriptlet of FortiNAC.

File names

File names Archiving Access Security

Introducing the PhishingKitTracker

Security Affairs

JULY 17, 2020

In stats folder are maintained two up-to-date files: files_name it holds the frequency of the found file-names associate with kits. In other words every phishing kit is saved on the phishing host with a name. filke_name keeps track about every file names and its frequency.

Phishing

Phishing File names Archiving IT

Evil Corp rebrands their ransomware, this time is the Macaw Locker

Security Affairs

OCTOBER 21, 2021

The Macaw Locker ransomware encrypts victims’ files and append the .macaw macaw extension to the file name of the encrypted files. Bleeping Computer, citing Emsisoft CTO Fabian Wosar, reported that the Macaw Locker ransomware is the latest rebrand of Evil Corp.

Ransomware

Ransomware File names Encryption Government

New ransomware group Hive leaks Altus group sample files

Security Affairs

JUNE 26, 2021

The provided sample of exfiltrated files includes business data and documents, as well as Argus certificates and development files. The sample archive is password protected – but the file names and types are clearly visible. Altus Group has been informed about the new development.

Ransomware

Ransomware File names Archiving Encryption

Fortinet FortiNAC CVE-2022-39952 flaw exploited in the wild hours after the release of PoC exploit

Security Affairs

FEBRUARY 23, 2023

The two vulnerabilities, tracked as CVE-2022-39952 and CVE-2021-42756 , are respectively an external control of file name or path in Fortinet FortiNAC and a collection of stack-based buffer overflow issues in the proxy daemon of FortiWeb. is an external control of file name or path in the keyUpload scriptlet of FortiNAC.

Honeypots

Honeypots File names Cybersecurity Security

PlugX malware delivered by exploiting flaws in Chinese programs

Security Affairs

MARCH 11, 2023

The PlugX backdoor has been used since 2008 by multiple China-linked APT groups, including Mustang Panda , Winnti , and APT41 In the attacks observed by ASEC, once exploited the vulnerability, threat actors executed a PowerShell command to create a file named esetservice.exe.

File names

File names Security IT Information Security

Russia-linked Armageddon APT targets Ukrainian state organizations, CERT-UA warns

Security Affairs

APRIL 5, 2022

The messages use the HTML-file “War criminals of the Russian Federation.htm” as attachment. Upon opening the file, a RAR-archive named “Viyskovi_zlochinci_RU.rar” is created. .

Military

Military Phishing Archiving File names

B1txor20 Linux botnet use DNS Tunnel and Log4J exploit

Security Affairs

MARCH 17, 2022

The malware was first spotted on February 9, 2022, when 360Netlab’s honeypot system captured an unknown ELF file that was spreading by exploiting the Log4J vulnerability. The name B1txor20 is based on the file name “b1t” used for the propagation and the XOR encryption algorithm, and the RC4 algorithm key length of 20 bytes.

Honeypots

Honeypots File names Communications Encryption

New SPIKEDWINE APT group is targeting officials in Europe

Security Affairs

FEBRUARY 29, 2024

The ZIP archive contains an HTA file named wine.hta that contains obfuscated JavaScript code. The campaign is characterized by its very low volume and the advanced tactics, techniques, and procedures (TTPs) employed by the threat actors.

Archiving

Archiving File names IT Information Security

BlackCocaine Ransomware, a new malware in the threat landscape

Security Affairs

JUNE 5, 2021

“The WHOIS information for the domain reveals that the domain of the BlackCocaine ransomware was registered on May 28, 2021” The researchers reported that a file named a.BlackCocaine was recently submitted to different public sandboxes. BlackCocaine ” to the filenames of encrypted files.

Ransomware

Ransomware Encryption File names Financial Services

Russia-linked APT28 used post-compromise tool GooseEgg to exploit CVE-2022-38028 Windows flaw

Security Affairs

APRIL 22, 2024

APT28 deployed GooseEgg to gain elevated access to target systems and steal credentials and sensitive information. GooseEgg is usually deployed with a batch script, commonly named execute.bat or doit.bat. This script creates a file named servtask.bat, which includes commands for saving or compressing registry hives.

Military

Military File names Education Phishing

New variant of Dridex banking Trojan implements polymorphism

Security Affairs

JULY 1, 2019

In attacks observed on June 17, the malware was using 64-bit DLLs with file names loaded by legitimate Windows system executables. Duncan pointed out that file paths, file names, and associated hashes would change at every computer login. “Given the same-day deployment and implementation of the ssl-pert[.]com

File names

File names Encryption Security Access

Fake Falcon crash reporter installer used to target German Crowdstrike users

Security Affairs

JULY 28, 2024

The spear-phishing page included a download link pointing to a ZIP archive file that contained a malicious InnoSetup installer. The installer injected the executable into a JavaScript file named “jquery-3.7.1.min.js” min.js” to evade detection.

Passwords

Passwords Phishing File names Metadata

Another Ransomware For Linux Likely In Development

Security Affairs

SEPTEMBER 2, 2022

Also, a list of all the encrypted files gets stored in a file named wrkman.log.0. Opens <target_file> crypted and writes the encrypted content to it using combination of lseek and write call. Figure 4: Inside the start_routine. Conclusion.

Ransomware

Ransomware Encryption File names IT

New Cyber Attack Campaign Leverages the COVID-19 Infodemic

Security Affairs

FEBRUARY 26, 2020

Figure 4: Piece of the encrypted file downloaded from “share.]dmca.]gripe”. Inside it, two files named “filename1.vbs” Figure 5: Installed files. The content of the VBScript is straightforward: it simply is the launching point to run executable file. vbs” and “filename1.exe” exe” appeared.

File names

File names Communications Encryption IT

New APT34 campaign uses LinkedIn to deliver fresh malware

Security Affairs

JULY 22, 2019

The fake profiles asked the victims to open the weaponized excel file named ERFT-Details. “For these reasons, we recommend organizations remain vigilant in their defenses, and remember to view their environment holistically when it comes to information security.” xls that was used as a dropper.

File names

File names Phishing Government Passwords

macOS Backdoor RustDoor likely linked to Alphv/BlackCat ransomware operations

Security Affairs

FEBRUARY 10, 2024

The researchers noticed that the backdoor contained a plist file named ‘test’. The first variant of the backdoor that was detected in November 2023 was likely a test version that did not support a persistence mechanism. “We identified multiple variants of the embedded Apple script, but all of them are meant for data exfiltration.”

Ransomware

Ransomware File names Passwords IT

Cyber Threat Trends Dashboard

Security Affairs

JANUARY 28, 2020

For such a reason a dedicated graph named Unknown Families Threat Level Distribution has created. TOP domains, TOP processes and TOP File Names. With a sliding window of 300 last analyzed samples, the backend extracts the TOP (in terms of frequency) contacted domains, spawned processes and utilized file names.

File names

File names Cybersecurity Ransomware IT

Evil Telegram campaign: Trojanized Telegram apps found on Google Play

Security Affairs

SEPTEMBER 10, 2023

. “When receiving a message, uploadTextMessageToService collects its contents, chat/channel title and ID, as well as sender’s name and ID. The collected information is then encrypted and cached into a temporary file named tgsync.s3. The app sends this temporary file to the command server at certain intervals.”

File names

File names Personal data Encryption Security

Japanese computers hit by a wiper malware ahead of 2021 Tokyo Olympics

Security Affairs

JULY 24, 2021

The actual attack vector seems to be a malicious executable disguised as PDF file, the malicious code was found in a Windows EXE file that was disguised as a PDF file named: [Urgent] Damage report regarding the occurrence of cyber attacks, etc. ” reads the report published by the security firm.

File names

File names Access Security IT

Emsisoft releases free decryptor for the victims of the Diavol ransomware

Security Affairs

MARCH 19, 2022

. “The decryptor requires access to a file pair consisting of one encrypted file and the original, unencrypted version of the encrypted file to reconstruct the encryption keys needed to decrypt the rest of your data. This file must be roughly 20KB or larger in size. ” reads the guide for the decryptor.

Ransomware

Ransomware File names Encryption Cybersecurity

Experts found a bug in the Linux version of RansomHub ransomware

Security Affairs

JUNE 22, 2024

The experts at Insikt Group noticed that the ESXi version of RansomHub creates a file named /tmp/app.pid to ensure the exclusive execution of RansomHub processes. “After processing command-line arguments and decrypting the configuration, RansomHub ESXi leverages the file /tmp/app.pid to check whether it is already running.

Ransomware

Ransomware Encryption File names Communications

PLAYFULGHOST backdoor supports multiple information stealing features

Internet Archive data breach impacted 31M users

Webinars

Trending Sources

Glove Stealer bypasses Chrome’s App-Bound Encryption to steal cookies

Webinars

MikroTik botnet relies on DNS misconfiguration to spread malware

Experts warn of a new wave of Bumblebee malware attacks

Threat actors attempted to capitalize CrowdStrike incident

Qakbot operations continue to evolve to avoid detection

CERT-UA warns of a phishing campaign targeting government entities

Hackers abused swap files in e-skimming attacks on Magento sites

STRRAT RAT spreads masquerading as ransomware

A new Linux version of TargetCompany ransomware targets VMware ESXi environments

FBI published a flash alert on Mamba Ransomware attacks

Microsoft warns of Dexphot miner, an interesting polymorphic threat

BlackWater, a malware that uses Cloudflare Workers for C2 Communication

North Korea-linked Kimsuky APT attack targets victims via Messenger

Fortinet fixes critical vulnerabilities in FortiNAC and FortiWeb

Experts warn of attacks on sites using flawed Kaswara Modern WPBakery Page Builder Addons

Monero Cryptocurrency campaign exploits ProxyLogon flaws

Carderbee APT targets Hong Kong orgs via supply chain attacks

A crafty phishing campaign targets Microsoft OneDrive users

Emsisoft released a new free decryption tool for the Avest ransomware

Night Sky, a new ransomware operation in the threat landscape

PoC exploit code for critical Fortinet FortiNAC bug released online

Introducing the PhishingKitTracker

Evil Corp rebrands their ransomware, this time is the Macaw Locker

New ransomware group Hive leaks Altus group sample files

Fortinet FortiNAC CVE-2022-39952 flaw exploited in the wild hours after the release of PoC exploit

PlugX malware delivered by exploiting flaws in Chinese programs

Russia-linked Armageddon APT targets Ukrainian state organizations, CERT-UA warns

B1txor20 Linux botnet use DNS Tunnel and Log4J exploit

New SPIKEDWINE APT group is targeting officials in Europe

BlackCocaine Ransomware, a new malware in the threat landscape

Russia-linked APT28 used post-compromise tool GooseEgg to exploit CVE-2022-38028 Windows flaw

New variant of Dridex banking Trojan implements polymorphism

Fake Falcon crash reporter installer used to target German Crowdstrike users

Another Ransomware For Linux Likely In Development

New Cyber Attack Campaign Leverages the COVID-19 Infodemic

New APT34 campaign uses LinkedIn to deliver fresh malware

macOS Backdoor RustDoor likely linked to Alphv/BlackCat ransomware operations

Cyber Threat Trends Dashboard

Evil Telegram campaign: Trojanized Telegram apps found on Google Play

Japanese computers hit by a wiper malware ahead of 2021 Tokyo Olympics

Emsisoft releases free decryptor for the victims of the Diavol ransomware

Experts found a bug in the Linux version of RansomHub ransomware

Stay Connected