In recent weeks, Rapid7 has observed an increased volume of incidents involving domains generated by domain generation algorithms (DGAs).
DGAs are a known technique leveraged by malware authors to quickly create a large number of domain names, which will point to command and control (C2) servers operated by the attackers. Observed domains shared multiple commonalities such as .infotop-level domains and a fixed length of 24 alphanumeric characters. Attacks that start with a ClickFix social engineering lure quickly morph into more sophisticated campaigns using PowerShell scripts hosted on a remote server for in-memory execution of obfuscated .NET loader, which in turn injects a newly-discovered infostealer into MSBuild.exe via process hollowing.
Read more…
Source: Rapid7
Sign up for our Newsletter
The latest news and insights delivered right to your inbox.
Related:
- AMEO ‘concerned’ about nation-state attacks on power grids
August 22, 2019
“For the energy sectors and critical infrastructure sectors, particularly around electricity, we are concerned about nation-state actors,” says Tim Daly, chief security officer (CSO) for the Australian Energy Market Operator (AEMO). “Nation-states are looking to have capability and implants that are persistent within critical organisations,” he told the Gartner Security and Risk Management Summit in Sydney ...
- Russian Hacking Group Targeting Banks Worldwide With Evolving Tactics
August 21, 2019
Silence APT, a Russian-speaking cybercriminal group, known for targeting financial organizations primarily in former Soviet states and neighboring countries is now aggressively targeting banks in more than 30 countries across America, Europe, Africa, and Asia. Active since at least September 2016, Silence APT group’s most recent successful campaign was against Bangladesh-based Dutch-Bangla Bank, which lost over $3 ...
- A botnet has been cannibalizing other hackers’ web shells for more than a year
August 21, 2019
A major botnet operation has been attacking and taking over the web shells (backdoors on web servers) of other malware operations for more than a year, security researchers from Positive Technologies revealed today. Researchers linked the botnet to a former Windows trojan named Neutrino (also known as Kasidet), whose operators appear to have shifted from targeting desktop users ...
- Unpatchable security flaw found in popular SoC boards
August 20, 2019
Security researchers have discovered an unpatchable security flaw in a popular brand of system-on-chip (SoC) boardsmanufactured by Xilinx. The vulnerable component is Xilinx’s Zynq UltraScale+ brand, which includes system-on-chip (SoC), multi-processor system-on-chip (MPSoC), and radio frequency system-on-chip (RFSoC) products used inside automotive, aviation, consumer electronics, industrial, and military components. According to security researchers with Inverse Path — F-Secure’s hardware ...
- Hackers Planted Backdoor in Webmin, Popular Utility for Linux/Unix Servers
August 20, 2019
Following the public disclosure of a critical zero-day vulnerability in Webmin last week, the project’s maintainers today revealed that the flaw was not actually the result of a coding mistake made by the programmers. Instead, it was secretly planted by an unknown hacker who successfully managed to inject a backdoor at some point in its build ...
- Newly Registered Domains: Malicious Abuse by Bad Actors
August 20, 2019
Newly registered domains (NRDs) are known to be favored by threat actors to launch malicious campaigns. Academic and industry research reports have shown statistical proof that NRDs are risky, revealing malicious usage of NRDs including phishing, malware, and scam. Therefore, best security practice calls for blocking and/or closely monitoring NRDs in enterprise traffic. Despite the evidence, there hasn’t yet ...