November IOC highlights
Linux.Ngioweb botnet is updated to target IoT devices
Recently, a new variant of Ngioweb with new capabilities has been found targeting multiple CPU architectures. The purpose of the Ngioweb bot malware is to implement a back-connect proxy on the victim's machine. The attacker builds multiple bots into a proxy pool, controls it through a double-layer C2 protocol, and then offers a rotating reverse proxy service. The bot's configuration is stored AES-encrypted: it is decrypted only when it needs to be used and destroyed after use.
[2461 IOCs] Learn more >
Lazarus supply‑chain attack in South Korea
Recently, attempts to deploy Lazarus malware via a supply-chain attack in South Korea have been observed. In order to deliver its malware, the attackers used an unusual supply-chain mechanism, abusing legitimate South Korean security software and digital certificates stolen from two different companies. Attackers are particularly interested in supply-chain attacks because they allow them to covertly deploy malware on many computers at the same time. It is the combination of compromised websites with WIZVERA VeraPort support and specific VeraPort configuration options that allows attackers to perform this attack.
[25 IOCs] Learn more >
Malsmoke operators abandon exploit kits in favor of social engineering scheme
Malsmoke is a campaign in which threat actors have been malvertising via adult websites since the beginning of the year. The new campaign tricks visitors to adult websites with a fake Java update. This change is significant because it drastically increases the target audience: no longer limited to Internet Explorer users running outdated software, the operators have now extended their reach to all browsers. As far as web threats go, such schemes are here to stay for the foreseeable future.
[15 IOCs] Learn more >
QBot Trojan delivered via malspam campaign exploiting US election uncertainties
The 2020 US elections have been the subject of intense scrutiny and emotions, all while taking place in the middle of a global pandemic. As election night ended and uncertainty regarding the results began to creep in, threat actors decided to jump in on it too. A new spam campaign was observed delivering malicious attachments that exploit doubts about the election process. The QBot banking Trojan operators are behind this themed spam wave, using the same hijacked email thread technique as in other campaigns and enticing victims with malicious election interference attachments. The emails contain zip attachments aptly named ElectionInterference_[8 to 9 digits].zip.
[15 IOCs] Learn more >