From infostealer development to data exfiltration, cloud service providers are increasingly being abused by threat actors for malicious schemes. While in this case the ransomware samples we examined contained hard coded AWS credentials, this is specific to this single threat actor and in general, ransomware developers leverage other online services as part of their tactics.
In line with this, Trend Micro examined ransomware samples written in Go language (aka Golang), targeting Windows and MacOS environments. Most of the samples contained hard-coded AWS credentials, and the stolen data were uploaded to an Amazon S3 bucket controlled by the threat actor.
Read more…
Source: Trend Micro
Related:
- Coyote Banking Trojan: A Stealthy Attack via LNK Files
January 30, 2025
Over the past month, FortiGuard Labs has identified several similar LNK files containing PowerShell commands designed to execute malicious scripts and connect to remote servers. These files are part of multi-stage operations that ultimately deliver the Coyote Banking Trojan. This malware primarily targets users in Brazil, seeking to harvest sensitive information from over 70 financial applications ...
- Europol: Law enforcement takes down two largest cybercrime forums in the world
January 30, 2025
A Europol-supported operation, led by German authorities and involving law enforcement from eight countries, has led to the takedown of the two largest cybercrime forums in the world. The two platforms, Cracked and Nulled, had more than 10 million users in total. Both of these underground economy forums offered a quick entry point into the cybercrime ...
- DeepSeek leaks one million sensitive records in a major data breach
January 30, 2025
A New York-based cybersecurity firm, Wiz, has uncovered a critical security lapse at DeepSeek, a rising Chinese AI startup, revealing a cache of sensitive data openly accessible on the internet. According to a report published by Wiz, the exposed data included over a million lines of log entries, digital software keys, backend details, and user chat ...
- A closer look at the Tria stealer campaign
January 30, 2025
Since mid-2024, Kaspersky researchers observed a malicious Android campaign leveraging wedding invitations as a lure to social-engineer victims into installing a malicious Android app (APK), which they have named “Tria Stealer” after unique strings found in campaign samples. The primary targets of the campaign are users in Malaysia and Brunei, with Malaysia being the most affected ...
- CL-STA-0048: An Espionage Operation Against High-Value Targets in South Asia
January 29, 2025
We identified a cluster of activity that we track as CL-STA-0048. This cluster targeted high-value targets in South Asia, including a telecommunications organization. This activity cluster used rare tools and techniques including the technique we call Hex Staging, in which the attackers deliver payloads in chunks. Their activity also includes exfiltration over DNS using ping, and ...
- UK: Whitehall is at risk from hackers due to poor cyber defences
January 29, 2025
Whitehall departments are at growing risk of being hacked because anti-cyber attack defences are ‘lower’ than thought, an alarming report has found. The inquiry by the National Audit Office (NAO) was branded a ‘wake-up call’ for officials to step-up defences against hostile actors.It identified a shortage of cyber skills within departments and risks posed by outdated ...