freiburg.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A Mastodon server for Freiburg and the surrounding region, operated by the association freiburg.social e.V.: https://wir.freiburg.social

#ESETresearch

ESET Research
#ESETresearch discovered previously unknown links between the #RansomHub, #Medusa, #BianLian, and #Play ransomware gangs, and leveraged #EDRKillShifter to learn more about RansomHub’s affiliates. @SCrow357 https://www.welivesecurity.com/en/eset-research/shifting-sands-ransomhub-edrkillshifter/
RansomHub emerged in February 2024 and in just three months reached the top of the ransomware ladder, recruiting affiliates from the disrupted #LockBit and #BlackCat. Since then, it has dominated the ransomware world, showing growth similar to what LockBit once did.
Previously linked to the North Korea-aligned group #Andariel, Play strictly denies operating as #RaaS. We found its members utilized RansomHub’s EDR killer EDRKillShifter multiple times during their intrusions, meaning some members likely became RansomHub affiliates.
BianLian focuses on extortion-only attacks and does not publicly recruit new affiliates. Its access to EDRKillShifter suggests a similar approach to Play’s: having trusted members who are not limited to working only with them.
Medusa, like RansomHub, is a typical RaaS gang, actively recruiting new affiliates. Since it is common knowledge that affiliates of such RaaS groups often work for multiple operators, this connection is to be expected.
Our blogpost also emphasizes the growing threat of EDR killers. We observed an increase in the number of such tools, while the set of abused drivers remains quite small. Gangs such as RansomHub and #Embargo offer their killers as part of the affiliate program.
IoCs available on our GitHub: https://github.com/eset/malware-ioc/tree/master/ransomhub

ESET Research
#ESETresearch has discovered a zero-day exploit abusing the #CVE-2025-24983 vulnerability in the Windows kernel 🪟 to elevate privileges (#LPE). First seen in the wild in March 2023, the exploit was deployed through the #PipeMagic backdoor on the compromised machines.

The exploit targets Windows 8.1 and Server 2012 R2. The vulnerability affects OSes released before Windows 10 build 1809, including the still-supported Windows Server 2016. It does not affect more recent Windows OSes such as Windows 11.

The vulnerability is a use-after-free in the Win32k driver. In a certain scenario achieved using the #WaitForInputIdle API, the #W32PROCESS structure gets dereferenced one more time than it should, causing the UAF. To reach the vulnerability, a race condition must be won.

The patches were released today. The Microsoft advisory with security update details is available here:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24983

ESET Research
#ESETResearch’s monitoring of #AceCryptor revealed a significant decrease in the prevalence of the malware in H2 2024: we only observed around 3k unique samples as opposed to 13k in H1 2024. Overall hits went down by 68% compared to H1, and by 87% compared to H2 2023.

Similarly, the number of unique users targeted by AceCryptor campaigns decreased by 58% between H1 and H2 2024, and the decrease was even more pronounced when compared to H2 2023, amounting to 85%.

As for the malware families packed by the cryptor, we could yet again see the usual suspects such as #Rescoms, #Smokeloader, and #Stealc among the most delivered threats.

While much smaller in scale than in previous periods, we still detected two notable campaigns of the malware. First, on July 11, 2024, 500 victims in Germany 🇩🇪 were sent emails with malicious attachments disguised as financial documents inside a password-protected archive.

Instead of the documents, the archive contained an AceCryptor executable packing the Raccoon Stealer successor #RecordBreaker, which then exfiltrated the victim information to a C&C server with the IP address 45[.]153[.]231[.]163.

Then on September 23, 2024, more than 1,600 endpoints of small businesses in Czechia 🇨🇿 received emails whose attachments contained an AceCryptor binary packing the #XWorm RAT 🪱🐀. As a C&C, XWorm RAT used easynation[.]duckdns[.]org.

The list of 🔍 Indicators of Compromise (IoCs) can be found in our GitHub repository: https://github.com/eset/malware-ioc/tree/master/ace_cryptor

ESET Research
#ESETresearch discovered and reported to @certcc a vulnerability that allows bypassing UEFI Secure Boot on most UEFI-based systems. This vulnerability, #CVE-2024-7344, was found by @smolar_m in a UEFI app signed by Microsoft’s 3rd-party UEFI certificate.

The vulnerability is caused by the use of an unsafe PE/COFF-loading mechanism, lacking any Secure Boot-related checks, which allows loading arbitrary (even unsigned) UEFI applications.

We reported our findings to CERT/CC in June 2024, who successfully contacted the affected vendors. The issue has now been fixed in these vendors’ products and the old, vulnerable binaries were revoked by Microsoft in the January 14th Patch Tuesday update.

Instructions to check whether you’re affected by this vulnerability and to verify that the necessary revocations have been installed on your system can be found in our blogpost: https://www.welivesecurity.com/en/eset-research/under-cloak-uefi-secure-boot-introducing-cve-2024-7344/

ESET Research
With cryptocurrencies reaching record values in H2 2024, cryptocurrency wallet data was one of the prime targets of cybercriminals. In ESET telemetry, this was reflected in a rise in #cryptostealer detections across multiple platforms, specifically Windows, macOS, and Android.

The increase was most dramatic on macOS, where Password Stealing Ware targeting cryptocurrency wallets more than doubled. Windows #cryptostealers grew by 56%, and Android financial threats, targeting banking apps and wallets, grew by 20%.

Read more about threats targeting cryptocurrency wallets on various platforms in the latest #ESETThreatReport from #ESETresearch: https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-threat-report-h22024.pdf

ESET Research
We are aware of a security incident which affected our partner company in Israel last week. Based on our initial investigation, a limited malicious email campaign was blocked within ten minutes. ESET technology is blocking the threat and our customers are secure. ESET was not compromised and is working closely with its partner to further investigate and we continue to monitor the situation. #ESETresearch

Tarnkappe.info
📬 Hamster Kombat imitations harbor spyware and infostealers
#Gaming #Malware #Adware #ESETResearch #HamsterKombat #Infostealer #LukášŠtefanko #spyware https://sc.tarnkappe.info/90e6c8

ESET Research
#BREAKING #ESETresearch discovered Operation Texonto, a disinformation campaign intended to demoralize Ukrainians. We detected two spam waves: November and late December 2023. The emails warn about drug or food shortages, or suggest amputating a limb to avoid the military. 🇺🇦🇷🇺
One of the attached PDF documents, allegedly from the Ukrainian Ministry of Agriculture and created for the first campaign, suggests that its readers eat “pigeon risotto”. The attackers most likely wanted to troll their targets.
We were able to link this information operation campaign to a broader set of malicious activities, including spearphishing links leading to fake Office 365 login pages targeting a Ukrainian defense company and an EU agency, but also fake Canadian pharmacy spam.
We currently do not attribute Operation Texonto to a specific threat actor. However, given the TTPs, targeting, and the spread of messages, we attribute the operation with high confidence to a group that is Russian-aligned.
To read a detailed analysis of Operation Texonto, head over to https://www.welivesecurity.com/en/eset-research/operation-texonto-information-operation-targeting-ukrainian-speakers-context-war/

ESET Research
Spain’s National Police stated that over the course of 2 years they arrested a total of 133 mules in 🇪🇸 tied to #Grandoreiro. Their operation is directly linked to the one by Brazil’s Federal Police where #ESETresearch played a crucial role. https://www.policia.es/_es/comunicacion_prensa_detalle.php?ID=16066
The Spanish Police estimates the victims in Spain lost over €5 million in 🇪🇸 only. According to Caixa Bank in 🇪🇸, the damage caused by Latin American banking trojans amounts to €110 million. 1/2

Barberousse
#ESETResearch analyzed a new #MustangPanda backdoor. It uses the open-source QMQTT library to communicate with its C&C server over #MQTT, so we named it MQsTTang. This library depends on parts of the Qt framework, statically linked in the executable. https://www.welivesecurity.com/2023/03/02/mqsttang-mustang-panda-latest-backdoor-treads-new-ground-qt-mqtt/

A sample of MQsTTang was identified by @Unit42_Intel@twitter.com on 2023-02-17. As stated in that thread, the backdoor uses the legitimate MQTT broker 3.228.54.173. This has the benefit of hiding their actual C&C servers from victims and analysts. https://twitter.com/Unit42_Intel/status/1626613722700472320

This malware family is also tracked as "Kumquat" by @threatinsight@twitter.com: https://twitter.com/aRtAGGI/status/1628067706443374592

Like in previous #MustangPanda campaigns, filenames related to politics and diplomacy are used to lure targets. These include:
 - CVs Amb Officer PASSPORT Ministry Of Foreign Affairs.exe
 - Documents members of delegation diplomatic from Germany.Exe
 - PDF_Passport and CVs of diplomatic members from Tokyo of JAPAN.eXE

IoCs:
🚨 ESET Detection Name
Win32/Agent.AFBI trojan

@ESETresearch

ESET Research
On Nov 21st #ESETResearch detected and alerted @_CERT_UA of a wave of ransomware we named #RansomBoggs, deployed in multiple organizations in Ukraine 🇺🇦. While the malware written in .NET is new, its deployment is similar to previous attacks attributed to #Sandworm. 1/9