A new self-destructing backdoor called Mistic used in intrusions since April appears to be linked to a criminal gang that compromises corporate networks and then sells that access to ransomware groups, according to security researchers.
This backdoor, also tracked as MLTBackdoor, was first documented by Zscaler earlier this month, with the security shop suggesting the novel malware is “likely used in ransomware attacks to establish a foothold for lateral movement.”
Read more…
Source:
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Weaponization of Excel Add-Ins Part 2: Dridex Infection Chain Case Studies
May 19, 2022
In Part 1 of this two-part blog series, Unit 42 researchers discussed briefly how XLL files are exploited to deploy Agent Tesla. During December 2021, they continued to observe Dridex and Agent Tesla exploiting XLL in different ways for initial payload delivery. A more in-depth look at the Dridex infection chain follows. Threat actors behind Dridex ...
- Protecting Android users from 0-Day attacks
May 19, 2022
To protect our users, Google’s Threat Analysis Group (TAG) routinely hunts for 0-day vulnerabilities exploited in-the-wild. In 2021, we reported nine 0-days affecting Chrome, Android, Apple and Microsoft, leading to patches to protect users from these attacks. This blog is a follow up to our July 2021 post on four 0-day vulnerabilities we discovered in 2021, ...
- Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control
May 18, 2022
The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Cybersecurity Advisory (CSA) to warn organizations that malicious cyber actors, likely advanced persistent threat (APT) actors, are exploiting CVE-2022-22954 and CVE-2022-22960 separately and in combination. These vulnerabilities affect certain versions of VMware Workspace ONE Access, VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud ...
- Hydra with Three Heads: BlackByte & The Future of Ransomware Subsidiary Groups
May 18, 2022
On February 13, 2022, a novel, lesser-known ransomware collective posted the alleged financial documents of the San Francisco 49ers football team on their underground site. The threat group, known as BlackByte, was widely credited with the orchestration of the attack—However, AdvIntel’s sensitive primary-source intelligence and factual data evidence (including IOCs) point to a different conclusion: ...
- Wizard Spider hackers hire cold callers to scare ransomware victims into paying up
May 18, 2022
Researchers have exposed the inner workings of Wizard Spider, a hacking group that pours its illicit proceeds back into the criminal enterprise. On Wednesday, PRODAFT published the results of an investigation into Wizard Spider, believed to either be or be associated with the Grim Spider and Lunar Spider hacking groups. According to the cybersecurity firm, Wizard Spider, ...
- The BlackByte ransomware group is striking users all over the globe
May 18, 2022
The BlackByte ransomware group uses its software for its own goals and as a ransomware-as-a-service offering to other criminals. The ransomware group and its affiliates have infected victims all over the world, from North America to Colombia, the Netherlands, China, Mexico and Vietnam. Cisco Talos has been monitoring BlackByte for several months and Talos can confirm ...