QNodeService: Node.js Trojan Spread via Covid-19 Lure
blog.trendmicro.com/trendlabs-security-intelligence/qnodeservice-node-js-trojan-spread-via-covid-19-lure/ We recently noticed a Twitter post by MalwareHunterTeam that showed a Java downloader with a low detection rate. Its name, Company PLP_Tax relief due to Covid-19 outbreak CI+PL.jar, suggests it may have been used in a Covid-19-themed phishing campaign. Running this file led to the download of a new, undetected malware sample written in Node.js; this trojan is dubbed as QNodeService.
Tropic Troopers Back: USBferry Attack Targets Air-gapped Environments
blog.trendmicro.com/trendlabs-security-intelligence/tropic-troopers-back-usbferry-attack-targets-air-gapped-environments/ We found that Tropic Troopers latest activities center on targeting Taiwanese and the Philippine militarys physically isolated networks through a USBferry attack (the name derived from a sample found in a related research). We also observed targets among military/navy agencies, government institutions, military hospitals, and even a national bank. The group employs USBferry, a USB malware that . performs different commands on specific targets, maintains stealth in environments, and steals critical data through USB storage. We started tracking this particular campaign in 2018, and our analysis shows that it uses a fake executable decoy and a USB trojan strategy to steal information.
RATicate: an attackers waves of information-stealing malware
news.sophos.com/en-us/2020/05/14/raticate/ Weve identified five separate campaigns between November, 2019 and January, 2020 in which the payloads used similar packing code and pointed to the same command and control (C&C) infrastructure. The campaigns targeted industrial companies in Europe, the Middle East, and the Republic of Korea. This leads us to believe that they are all the work of the same actorsa group weve dubbed RATicate.
Hashes in PowerShell
isc.sans.edu/forums/diary/Hashes+in+PowerShell/26128/ As a follow up to yesterday’s how-to, I thought hashing might a thing to cover. We use hashes all the time, but it’s annoying that md5sum, sha1sum and sha256sum aren’t part of the windows command set – or are they?
THE STATE OF RANSOMWARE 2020 [PDF]
www.sophos.com/en-us/medialibrary/Gated-Assets/white-papers/sophos-the-state-of-ransomware-2020-wp.pdf 94% of organizations whose data was encrypted got it back. Paying the ransom doubles the cost of dealing with a ransomware attack