This analysis is part of an incident investigation led by the FortiGuard Incident Response Team.
Fortiguard Incident Response Team discovered malware that had been running on a compromised machine for several weeks. The threat actor had executed a batch of scripts and PowerShell to run the malware in a Windows process. Although obtaining the original malware executable was difficult, a memory dump of the running malware process and a full memory dump of the compromised machine (the “fullout” file, size 33GB) were successfully acquired.
Read more…
Source: Fortinet
Sign up for our Newsletter
The latest news and insights delivered right to your inbox.
Related:
- Stone Wolf employs Meduza Stealer to hack Russian companies
September 2, 2024
BI.ZONE Threat Intelligence reports an increase in criminal activity employing commercial malware available on underground resources. Recently, the researchers identified a malicious campaign by a cluster later dubbed Stone Wolf. The adversaries send out phishing emails on behalf of a legitimate provider of industrial automation solutions. The goal of the attackers is to deliver Meduza Stealer ...
- Silent Intrusions: Godzilla Fileless Backdoors Targeting Atlassian Confluence
August 30, 2024
Trend Micro observed a new attack vector of weaponization for the vulnerability CVE-2023-22527 using the Godzilla backdoor. Following initial exploitation, a loader was loaded into the Atlassian victim server which loads a Godzilla webshell. On January 16, 2024, Atlassian released a security advisory for CVE-2023-22527, a vulnerability that affects Confluence Data Center and Confluence Server products. In ...
- Deep Analysis of Snake Keylogger’s New Variant
August 28, 2024
Fortinet’s FortiGuard Labs recently caught a phishing campaign in the wild with a malicious Excel document attached to the phishing email. Fortinet researchers performed a deep analysis on the campaign and discovered that it delivers a new variant of Snake Keylogger. Snake Keylogger (aka “404 Keylogger” or “KrakenKeylogger”) is a subscription-based keylogger with many capabilities. It ...
- HZ Rat backdoor for macOS attacks users of China’s DingTalk and WeChat
August 27, 2024
In June 2024, Kaspersky discovered a macOS version of the HZ Rat backdoor targeting users of the enterprise messenger DingTalk and the social network and messaging platform WeChat. The samples Kaspersky found almost exactly replicate the functionality of the Windows version of the backdoor and differ only in the payload, which is received in the form ...
- An investigation into the tools and methods used by the Higaisa group
August 19, 2024
In March 2020 specialists from the PT Expert Security Center conducted an analysis on the activities of the APT group Higaisa. This group was first studied by security analysts at Tencent in November 2019. In that analysis, Tencent specialists reached the conclusion that Higaisa has its origins in South Korea. The group, which is still active ...
- Unmasking Styx Stealer: How a Hacker’s Slip Led to an Intelligence Treasure Trove
August 16, 2024
In the shadowy world of cybercrime, even the most cunning hackers can make blunders that expose their operations. In this article CPR describes the discovery of Styx Stealer, a new malware variant derived from the notorious Phemedrone Stealer. Check Point investigation revealed critical missteps by the developer of Styx Stealer, including a significant operational security (OpSec) ...

