Recently, the SonicWall Capture Labs threat research team has identified various malware strains being distributed through a custom VMDetector Loader. This loader is typically delivered to the victim’s system via image files embedded with steganography. The primary payloads observed include popular malware families such as Remcos, VIPKeyLogger, AveMariaRAT, DCRAT, FormBook, and others.
Attackers send an email with an archive file that includes either JavaScript, VBScript, or HTA content. The embedded scripts employ basic obfuscation through string replacement and base64 encoding, making them appear benign while evading straightforward detection.
Read more…
Source: Sonicwall
Sign up for our Newsletter
The latest news and insights delivered right to your inbox.
Related:
- Iranian and Russian hackers targeting politicians and journalists, warn UK officials
January 26, 2023
Iranian and Russian hackers are targeting British politicians and journalists with espionage attacks, officials have warned. The National Cyber Security Centre has issued a fresh alert about increasing attempts to steal information from specific groups and individuals. Read more… Source: BBC News
- Months after NSA disclosed Microsoft cert bug, datacenters remain unpatched
January 26, 2023
Most Windows-powered datacenter systems and applications remain vulnerable to a spoofing bug in CryptoAPI that was disclosed by the NSA and the UK National Cyber Security Center (NCSC) and patched by Microsoft last year, according to Akamai’s researchers. CryptoAPI helps developers secure Windows-based apps using cryptography; the API can be used, for instance, to validate certificates ...
- New Mimic Ransomware Abuses Everything APIs for its Encryption Process
January 26, 2023
Trend Micro researchers discovered a new ransomware that abuses the APIs of a legitimate tool called Everything, a Windows filename search engine developed by Voidtools that offers quick searching and real-time updates for minimal resource usage. This ransomware (which Trend Micro researchers named Mimic based on a string we found in its binaries), was first ...
- HHS: Ransomware groups continue to target U.S. health sector
January 25, 2023
The Royal and Blackcat ransomware groups continue to aggressively target the U.S. health sector, according to a recent advisory from the Department of Health and Human Services. Just this week, the Washington Post described an apparent recent attack by Blackcat on NextGen Healthcare, a company that provides electronic health record and practice management software to ...
- Data breach may have leaked classified law enforcement operations information to criminals
January 24, 2023
A company that provides tech solutions to law enforcement agencies has reportedly suffered a breach that might jeopardize ongoing police operations and undercover personnel. It is unclear if criminals currently under investigation have accessed the information, but the fact that cybercriminals have it and could potentially sell it is disturbing. On January 11, Wired reported that ...
- ACSC Ransomware Profile – Royal
January 24, 2023
The Australian Cyber Security Centre (ACSC) is aware of a ransomware variant called Royal, which is being used by cybercriminals to conduct ransomware attacks against multiple sectors and organisations worldwide, including Australia. Once gaining access to a victim’s environment, cybercriminals use this ransomware for similar purposes to other variants such as encrypting their data and ...