Recently, the SonicWall Capture Labs threat research team has identified various malware strains being distributed through a custom VMDetector Loader. This loader is typically delivered to the victim’s system via image files embedded with steganography. The primary payloads observed include popular malware families such as Remcos, VIPKeyLogger, AveMariaRAT, DCRAT, FormBook, and others.
Attackers send an email with an archive file that includes either JavaScript, VBScript, or HTA content. The embedded scripts employ basic obfuscation through string replacement and base64 encoding, making them appear benign while evading straightforward detection.
Read more…
Source: Sonicwall
Sign up for our Newsletter
The latest news and insights delivered right to your inbox.
Related:
- New Sh1mmer ChromeBook exploit unenrolls managed devices
January 31, 2023
A new exploit called ‘Sh1mmer’ allows users to unenroll an enterprise-managed Chromebook, enabling them to install any apps they wish and bypass device restrictions. When Chromebooks are enrolled with a school or an enterprise, they are managed by policies established by the organization’s administrators. This allows admins to force-install browser extensions, apps, and to restrict how ...
- CISA Releases One Industrial Control Systems Advisory
January 31, 2023
CISA released one Industrial Control Systems (ICS) advisory on January 31, 2023. This advisory provides timely information about current security issues, vulnerabilities, and exploits surrounding ICS. CISA encourages users and administrators to review the newly released ICS advisory for technical details and mitigations. Read more… Source: U.S. Cybersecurity and Infrastructure Security Agency
- Prilex modification now targeting contactless credit card transactions
January 31, 2023
Prilex is a singular threat actor that has evolved from ATM-focused malware into unique modular PoS malware – actually, the most advanced PoS threat Kaspersky have seen so far, as described in a previous article. Forget about those old memory scrapers seen in PoS attacks. Prilex goes beyond these, and it has evolved very differently. This ...
- Exploit released for critical VMware vRealize RCE vulnerability
January 31, 2023
Horizon3 security researchers have released proof-of-concept (PoC) code for a VMware vRealize Log Insight vulnerability chain that allows attackers to gain remote code execution on unpatched appliances. VMware patched four security vulnerabilities in its vRealize log analysis tool last week, two being critical and allowing remote attackers to execute code on compromised devices. Read more… Source: Bleeping Computer
- University of Michigan Health says cyber attack impacted public websites, not patient info
January 30, 2023
Michigan Health officials say its public websites experienced issues due to a cyber attack but claims the issue did not impact patient information. In a statement on Monday, officials say the attack affected a “third-party vendor we use to host some of our sites.” Read more… Source: CBS Detroit News
- Come to the dark side: hunting IT professionals on the dark web
January 30, 2023
The dark web is a collective name for a variety of websites and marketplaces that bring together individuals willing to engage in illicit or shady activities. Dark web forums contain ads for selling and buying stolen data, offers to code malware and hack websites, posts seeking like-minded individuals to participate in attacks on companies, and ...