We identified a cluster of activity that we track as CL-STA-0048. This cluster targeted high-value targets in South Asia, including a telecommunications organization.
This activity cluster used rare tools and techniques including the technique we call Hex Staging, in which the attackers deliver payloads in chunks. Their activity also includes exfiltration over DNS using ping, and abusing the SQLcmd utility for data theft. Based on an analysis of the tactics, techniques and procedures (TTPs), as well as the tools used, the infrastructure and the victimology, Unit 42 assess with moderate-high confidence that this activity originates in China.
Read more…
Source: Palo Alto Unit 42
Related:
- Adwind RAT Scurries By AV Software With New DDE Variant
September 24, 2018
A newly-discovered spam campaign is spreading the Adwind 3.0 remote-access tool (RAT) – and using a fresh take on the Dynamic Data Exchange (DDE) code-injection technique for anti-virus evasion. The spam campaign features two types of droppers that leverage a new variant to the already-known DDE code-injection attack on Microsoft Excel – enabling them to bypass ...
- New Virobot malware works as ransomware, keylogger, and botnet
September 21, 2018
A newly discovered malware strain is a multi-tasking threat that besides working as ransomware and encrypting users’ files, it can also log and steal their keystrokes, and add infected computers to a spam-sending botnet. This new threat is named Virobot and appears to be under development, and comprised of multiple components that allow it to work ...
- Major Irish utility networks vulnerable to cyber attacks set to have security increased
September 19, 2018
Our water supplies, electricity and gas grids and phone networks are all vulnerable to cyber-attacks from tech-terrorists and are about to have their security beefed-up. That is because all of our utilities and essential State services are in some way or another reliant on digital technology, which in turn makes them vulnerable to digital attack. Minister Denis ...
- Cybercrime: Ransomware remains a ‘key’ malware threat says Europol
September 18, 2018
Targeted attacks replace spam campaigns, but Europol’s annual cybercrime report also warns that cryptojacking malware “may overtake ransomware as a future threat”. Ransomware remains the top malware threat to organisations, causing millions of dollars of damage and remaining a potent tool for cyber criminals and nation-state attackers. The rise of highly targeted file-locking malware campaigns and the ...
- Zero-Day Bug Allows Hackers to Access CCTV Surveillance Cameras
September 17, 2018
Firmware used in up to 800,000 CCTV cameras open to attack thanks to buffer overflow zero-day bug. Between 180,000 and 800,000 IP-based closed-circuit television cameras are vulnerable to a zero-day vulnerability that allows hackers to access surveillance cameras, spy on and manipulate video feeds or plant malware. According to a Tenable Research Advisory issued Monday, the bugs are ...
- New Cold Boot Attack Unlocks Disk Encryption On Nearly All Modern PCs
September 13, 2018
Security researchers have revealed a new attack to steal passwords, encryption keys and other sensitive information stored on most modern computers, even those with full disk encryption. The attack is a new variation of a traditional Cold Boot Attack, which is around since 2008 and lets attackers steal information that briefly remains in the memory (RAM) after ...