In June 2024, Kaspersky discovered a macOS version of the HZ Rat backdoor targeting users of the enterprise messenger DingTalk and the social network and messaging platform WeChat.
The samples Kaspersky found almost exactly replicate the functionality of the Windows version of the backdoor and differ only in the payload, which is received in the form of shell scripts from the attackers’ server. The researchers noticed that some versions of the backdoor use local IP addresses to connect to C2, which led us to believe the threat may be targeted. This also points to an intention to exploit the backdoor for lateral movement through the victim’s network.
Read more…
Source: Kaspersky
Related:
- New Miori Variant Uses Unique Protocol to Communicate with C&C
July 10, 2019
We first detailed a new Mirai variant called Miori in a report late last year after finding the malware spreading via a ThinkPHP Remote Code Execution (RCE) vulnerability. It has recently reappeared bearing a notable difference in the way it communicates with its command-and-control (C&C) server. This Miori variant departs from the usual binary-based protocol and uses ...
- Anubis Android Malware Returns with Over 17,000 Samples
July 8, 2019
The 2018 mobile threat landscape had banking trojans that diversified their tactics and techniques to evade detection and further monetize their malware — and in the case of the Anubis Android malware, retooled for other malicious activities. Anubis underwent several changes since it first emerged, from being used for cyberespionage to being retooled as a banking malware, combining information ...
- ‘Twas the night before
July 4, 2019
Recently, the United States Cyber Command (USCYBERCOM Malware Alert @CNMF_VirusAlert) highlighted several VirusTotal uploads of theirs – and the executable objects relating to 2016 – 2017 NewsBeef/APT33 activity are interesting for a variety of reasons. Before continuing, it’s important to restate yet again that we defend customers, and research malware and intrusions, regardless of their source. Accordingly, subscribers to ...
- Latest Spam Campaigns from TA505 Now Using New Malware Tools Gelup and FlowerPippi
July 4, 2019
Since our last research on TA505, we have observed new activity from the group that involves campaigns targeting different countries over the last few weeks. We found them targeting countries in the Middle East such as United Arab Emirates and Saudi Arabia, as well as other countries such as India, Japan, Argentina, the Philippines, and South Korea. This ...
- Sodin ransomware exploits Windows vulnerability and processor architecture
July 3, 2019
When Sodin (also known as Sodinokibi and REvil) appeared in the first half of 2019, it immediately caught our attention for distributing itself through an Oracle Weblogic vulnerability and carrying out attacks on MSP providers. In a detailed analysis, we discovered that it also exploits the CVE-2018-8453 vulnerability to elevate privileges in Windows (rare among ransomware), and uses legitimate processor ...
- Making Intelligence Actionable: Cybersecurity Preparedness in the Credit Union Industry
July 3, 2019
As the threat landscape continues to evolve, organizations need to be increasingly proactive in their approach to cybersecurity. One industry that’s taken proactive measures toward cybersecurity preparedness is the credit union industry. Over the last couple of years, the National Credit Union Administration (NCUA) developed a tool called the Automated Cybersecurity Examination Tool (ACET) to help credit unions ...