In recent weeks, Rapid7 has observed an increased volume of incidents involving domains generated by domain generation algorithms (DGAs).
DGAs are a known technique leveraged by malware authors to quickly create a large number of domain names, which will point to command and control (C2) servers operated by the attackers. Observed domains shared multiple commonalities, such as .info top-level domains and a fixed length of 24 alphanumeric characters. Attacks that start with a ClickFix social engineering lure quickly morph into more sophisticated campaigns using PowerShell scripts hosted on a remote server for in-memory execution of an obfuscated .NET loader, which in turn injects a newly discovered infostealer into MSBuild.exe via process hollowing.
Source: Rapid7
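The two commonalities the summary names (a .info top-level domain and a single label of exactly 24 alphanumeric characters) are enough to build a first-pass hunt over DNS resolver logs. The following is an added example, not code from Rapid7 or from the report it summarises: it parses a constructed log format (the `query=` field and timestamp layout are assumptions), flags hostnames that fit the reported shape, and attaches a Shannon entropy score to each flagged label so an analyst can separate random-looking labels from dictionary-style ones before triage.

```python
import math
import re
from collections import Counter

# Constructed DNS resolver log lines. The line format and every hostname here are
# made up for this example; none are indicators from the Rapid7 report.
SAMPLE_LOG = """\
2019-09-09T10:00:01Z client=10.0.0.5 query=www.example.com type=A
2019-09-09T10:00:02Z client=10.0.0.5 query=ab3kd9f2lm0qz7xt1vc4pn8w.info type=A
2019-09-09T10:00:03Z client=10.0.0.7 query=cdn.jsdelivr.net type=A
2019-09-09T10:00:04Z client=10.0.0.5 query=q1w2e3r4t5y6u7i8o9p0a1s2.info type=A
2019-09-09T10:00:05Z client=10.0.0.9 query=nine-lives-cat-rescue-and.info type=A
2019-09-09T10:00:06Z client=10.0.0.9 query=short.info type=A
"""

# Assumed log layout: a "query=<hostname>" field somewhere on the line.
QUERY_FIELD = re.compile(r"\bquery=(\S+)")
CLIENT_FIELD = re.compile(r"\bclient=(\S+)")

# The shape described in the summary: exactly 24 alphanumerics, then the .info TLD.
REPORTED_PATTERN = re.compile(r"^[a-z0-9]{24}\.info$")


def normalise(hostname: str) -> str:
    """Lower-case and drop a trailing dot so 'FOO.INFO.' and 'foo.info' compare equal."""
    return hostname.strip().rstrip(".").lower()


def matches_reported_pattern(hostname: str) -> bool:
    """True when the hostname has the 24-alphanumeric .info shape from the report."""
    return REPORTED_PATTERN.match(normalise(hostname)) is not None


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character; random DGA labels score high, dictionary words low."""
    if not label:
        return 0.0
    counts = Counter(label)
    n = len(label)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_queries(log_text: str):
    """Yield (client, hostname) pairs from lines that carry a query= field."""
    for line in log_text.splitlines():
        q = QUERY_FIELD.search(line)
        if not q:
            continue
        c = CLIENT_FIELD.search(line)
        yield (c.group(1) if c else "unknown", normalise(q.group(1)))


def flag_dga_candidates(log_text: str, entropy_threshold: float = 3.0):
    """Return one record per query that fits the reported shape, with an entropy score.

    The threshold is a tuning knob, not a value from the report: labels at or above it
    are marked high_entropy so they can be triaged ahead of readable-looking ones.
    """
    hits = []
    for client, hostname in parse_queries(log_text):
        if not matches_reported_pattern(hostname):
            continue
        label = hostname.rsplit(".", 1)[0]
        ent = shannon_entropy(label)
        hits.append({
            "client": client,
            "hostname": hostname,
            "entropy": round(ent, 2),
            "high_entropy": ent >= entropy_threshold,
        })
    return hits


if __name__ == "__main__":
    for hit in flag_dga_candidates(SAMPLE_LOG):
        print(hit)
```

The pattern match is the cheap, high-precision filter; entropy is only a ranking aid, because a 24-character label made of 24 distinct characters scores the maximum regardless of whether it looks random to a human. In a real environment this would be paired with a check of whether the flagged domains actually resolved, since DGA clients typically query many candidates that are never registered.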
Related:
- ‘Purple Fox’ Fileless Malware with Rootkit Component Delivered by Rig Exploit Kit Now Abuses PowerShell
September 9, 2019
Exploit kits may no longer be as prolific as they were back when their activities were detected in the millions, but their recurring activities in the first half of 2019 indicate that they won’t be going away any time soon. The Rig exploit kit, for instance, is known for delivering various payloads, such as downloader trojans, ransomware, cryptocurrency-mining malware, and information stealers, whose ...
- Critical Exim Flaw Opens Millions of Servers to Takeover
September 9, 2019
Researchers are urging users to upgrade their Exim servers immediately after millions of servers were found to be vulnerable to a critical flaw that could allow a remote, unauthenticated attacker to take full control of them. Exim, which is free software used on Unix-like operating systems (including Linux and Mac OS X), serves as a mail transfer ...
- Newly discovered cyber-espionage malware abuses Windows BITS service
September 9, 2019
Security researchers have found another instance of a malware strain abusing the Windows Background Intelligent Transfer Service (BITS). The malware appears to be the work of a state-sponsored cyber-espionage group that researchers have been tracking for years under the name Stealth Falcon. The first and only report on this hacking group was published in 2016 by ...
- An inside job: The human factor of cybersecurity
September 9, 2019
As businesses continue their digital transformation, ensuring the sensitive information they handle always remains safe and secure is now a priority. However, even deploying just the latest cybersecurity applications might not be enough to offer full protection. The latest research from the Telstra 2019 Security Report makes for worrying reading, as it concludes 89% of cybersecurity risks are ...
- China’s APT3 Pilfers Cyberweapons from the NSA
September 6, 2019
Large portions of APT3’s remote code-execution package were likely reverse-engineered from prior attack artifacts. The advanced persistent threat (APT) group known as APT3, which researchers across the board link to the Chinese government, has built a full in-house battery of exploits and cybertools collectively dubbed “UPSynergy.” An analysis of the toolkit has uncovered a geopolitical cat-and-mouse spy ...
- Thousands of servers infected with new Lilocked (Lilu) ransomware
September 6, 2019
Thousands of web servers have been infected and had their files encrypted by a new strain of ransomware named Lilocked (or Lilu). Infections have been happening since mid-July, and have intensified in the past two weeks, ZDNet has learned. Based on current evidence, the Lilocked ransomware appears to target Linux-based systems only. First reports date to mid-July, after ...