Dorkbot Malware

Tags: Malware, cyberthreat

Dorkbot, a member of the infectious malware family that used to conduct Denial of Service (DoS) attacks

09-Jun-2020, 4 min read

Related Articles


Tags: Backdoor

FortiGuard Labs attributed the campaign to an Iranian cyber espionage threat act...

A new stealthy backdoor known as Saitama has been discovered in a spear-phishing attempt targeting Jordan's foreign ministry. Malwarebytes and Fortinet FortiGuard Labs researchers connected the attack to an Iranian cyber espionage threat actor known as APT34, citing similarities to previous campaigns launched by the group. The email, like many such attacks, carried a malicious attachment, according to Fortinet researcher Fred Gutierrez. "The associated danger, however, was not your typical virus. Instead, it possessed advanced persistent threat (APT) capabilities and methodologies."

APT34, also known as OilRig, Helix Kitten, and Cobalt Gypsy, has been active in the Middle East and North Africa (MENA) since at least 2014 and has a history of targeting the telecom, government, defense, oil, and banking sectors with targeted phishing campaigns. This February, ESET linked the group to a long-running information-gathering operation against diplomatic institutions, technology companies, and medical organizations in Israel, Tunisia, and the United Arab Emirates.

## Backdoor in Saitama

The newly discovered phishing mail includes a weaponized Microsoft Excel sheet which, when opened, urges the potential victim to enable macros; this lets a malicious Visual Basic for Applications (VBA) macro drop the malware payload ("update.exe"). The macro also gives the implant persistence by registering a scheduled task that runs every four hours.

Saitama is a .NET-based malware that uses the DNS protocol to conceal its command-and-control (C2) traffic, executing the commands it receives from the C2 server through a "finite-state machine" design. "This suggests this virus is getting tasks from a DNS response," Gutierrez stated. DNS tunneling, as the name implies, encodes data belonging to other programs or protocols inside DNS queries and responses.

The results of command execution are then transmitted back to the C2 server, with the exfiltrated data embedded in a DNS request. "Given the amount of effort put into constructing this virus, it does not appear to be the sort to execute once and then destroy itself," Gutierrez added. "This virus does not build any persistence mechanisms, maybe to avoid triggering any behavioral detections. Instead, a scheduled process is used to generate persistence using an Excel macro."

13-May-2022, 1 min read
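As an added example for defenders (this is not code from the article, nor from Fortinet or Malwarebytes), the following Python scores DNS resolver logs for the pattern the Saitama write-up describes: a stream of unique, random-looking subdomains under a single parent domain, which is how command and data carried inside DNS queries tends to surface in logs. The four-column log format, the sample lines, the domain names and the scoring thresholds are all constructed assumptions; the parent-domain split (last two labels) is a simplification that ignores public suffixes.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log excerpt (not real Saitama traffic): "timestamp client qname qtype".
# 10.0.0.7 issues a burst of queries with random-looking labels under one parent domain;
# 10.0.0.5 shows ordinary, repetitive lookups for contrast.
SAMPLE_LOG = """\
2022-05-13T10:00:01 10.0.0.5 www.example.com A
2022-05-13T10:00:02 10.0.0.5 mail.example.com MX
2022-05-13T10:00:03 10.0.0.5 www.example.com A
2022-05-13T10:00:04 10.0.0.5 api.example.com A
2022-05-13T10:00:05 10.0.0.7 a9f3k2m8x1q7z4.c2-example.test A
2022-05-13T10:00:06 10.0.0.7 b7h2n9p4r6t1w3.c2-example.test A
2022-05-13T10:00:07 10.0.0.7 c1d8f5j2l9m6q3.c2-example.test TXT
2022-05-13T10:00:08 10.0.0.7 d4g7k1n5s8v2y9.c2-example.test A
2022-05-13T10:00:09 10.0.0.7 e6h3m9p2t5x8z1.c2-example.test A
2022-05-13T10:00:10 10.0.0.9 cdn.example.org A
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; encoded/random-looking labels score high."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Parent domain under which subdomains are grouped.
    Assumption: the last two labels (no public-suffix list is consulted offline)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text: str) -> list:
    """Parse the constructed four-column log format into dicts."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the scan
        ts, client, qname, qtype = parts
        records.append({"ts": ts, "client": client, "qname": qname.lower(), "qtype": qtype})
    return records


def find_tunneling_candidates(log_text: str, min_queries: int = 4,
                              min_entropy: float = 3.0, min_unique_ratio: float = 0.8) -> dict:
    """Group queries by parent domain and flag domains whose subdomains are mostly
    unique and high-entropy. The thresholds are assumptions to tune per network."""
    by_domain = defaultdict(list)
    for rec in parse_log(log_text):
        by_domain[registered_domain(rec["qname"])].append(rec)

    findings = {}
    for domain, recs in by_domain.items():
        if len(recs) < min_queries:
            continue
        subs = [r["qname"][: -(len(domain) + 1)] for r in recs if r["qname"] != domain]
        if not subs:
            continue
        unique_ratio = len(set(subs)) / len(subs)
        avg_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        if unique_ratio >= min_unique_ratio and avg_entropy >= min_entropy:
            findings[domain] = {
                "queries": len(recs),
                "unique_ratio": round(unique_ratio, 2),
                "avg_entropy": round(avg_entropy, 2),
                "clients": sorted({r["client"] for r in recs}),
                "qtypes": sorted({r["qtype"] for r in recs}),
            }
    return findings


if __name__ == "__main__":
    for domain, info in find_tunneling_candidates(SAMPLE_LOG).items():
        print(f"possible DNS tunnelling via {domain}: {info}")
```

On the sample, only `c2-example.test` is reported: five queries from one client, every subdomain distinct and with entropy near the maximum for a 14-character label, while `example.com` is skipped because its labels repeat and are short. Content-delivery and anti-spam services also generate unique subdomains, so in practice the per-domain findings are an allow-list and review queue rather than an automatic block.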

Tags: Rebrand, Black Basta, Ransomware

Black Basta, a newly emerged name around the ransomware families, is getting pop...

Black Basta, a new addition to the ransomware family, sprang into operation this month, infecting at least 12 business entities in just a few weeks. It was first spotted in the second week of April, and the operation quickly broke out, attacking companies globally.

While there have been multiple ransom requests, each likely varying according to the nature of the attack on the victim, one victim received a demand for nearly $2 million from the Black Basta gang to unlock files and not expose data.

There is little other information about the new ransomware group, as they have not yet begun marketing their business or recruiting affiliates on hacker forums.

However, based on their capacity to rapidly accumulate new victims and the way they negotiate, this is most likely not a new operation but a rebranding of a former top-tier ransomware group that brought its affiliates along.

## Deciphering the encrypting nature of Black Basta

As with previous ransomware operations that target businesses, Black Basta steals corporate data and documents before encrypting the company's equipment. The threat actors then demand a ransom in exchange for a decryptor and a promise not to publish the victim's stolen data, in so-called "double-extortion" attacks.

The 'Black Basta Blog' or 'Basta News' Tor site lists all victims who have not paid a ransom, and this is where the data extortion takes place. Black Basta intends to coerce each victim into paying by steadily leaking their private data.

![data-leak-site.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/data_leak_site_85b6b48322.jpg)

There are now data leak pages for eleven firms on the Black Basta data leak site. It is also worth noting that a few known victims have not yet been added to the site.

Among their most recent victims is German wind turbine manufacturer Deutsche Windtechnik, the **[victim of a ransomware assault on April 11th](https://renewablesnow.com/news/deutsche-windtechnik-hit-by-targeted-cyberattack-781048/)**, which had not yet publicized it.

## Brief Analysis of Black Basta

From the few accessible samples, a quick investigation of the Black Basta ransomware has revealed the following:

![Black Basta Command .jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Black_Basta_Command_e507a12d74.jpg)

When executed, the Black Basta encryptor requires administrator rights to work correctly. Once launched, it uses the following command to erase Volume Shadow Copies:

![fax-service.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/fax_service_396b38e041.jpg)

It then hijacks an already-running Windows service and uses it to execute the ransomware encryptor executable. In our experiments, the hijacked Windows service was the 'Fax' service, as seen below.

![wallpaper.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/wallpaper_98e4f1cc39.jpg)

Additionally, the ransomware changes the wallpaper to display a warning that reads, _"The Black Basta organization encrypts your network. Instructions are included in the readme.txt file."_

![encrypted-files(1).jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/encrypted_files_1_d4a0330222.jpg)

The ransomware then reboots the machine into Safe Mode with Networking, at which point the hijacked Windows service automatically begins encrypting the device's data.

Ransomware specialist **[Michael Gillespie](https://twitter.com/demonslay335)**, who thoroughly researched Black Basta's encryption process, found that it encrypts data using the ChaCha20 algorithm. The ChaCha20 encryption key is itself encrypted with the RSA-4096 public key embedded in the executable.

When the ransomware encrypts a file, it appends the .basta extension to the file's name. Thus, test.jpg is encrypted and renamed test.jpg.basta.

To display a custom icon for the .basta extension, the ransomware registers the extension in the Windows Registry and associates it with a randomly named ICO file in the %Temp% folder. This custom icon is very similar to that of the **[icy.tools app](https://apps.apple.com/cm/app/icy-tools/id1594432759)**.

```
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.basta]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.basta\DefaultIcon]
@="C:\\Windows\\TEMP\\fkdjsadasd.ico"
```

The ransomware creates a readme.txt file in each folder on the encrypted device, providing information about the attack along with a URL and a unique ID needed to sign in to the negotiation chat session.

![tor-chat-site.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/tor_chat_site_31cb4f668d.jpg)

The 'Chat Black Basta' Tor negotiation site hosts a login page and a webchat that may be used to negotiate with the threat actors.

The threat actors use this screen to display a welcome message that includes a ransom demand, a warning that data will be disclosed if payment is not made within seven days, and a promise of a security report if the ransom is paid.

According to Gillespie, there is no free method to decrypt files encrypted by Black Basta.

## Ransomware Rebranding Attempts

Based on how rapidly Black Basta amassed victims and the manner of their negotiations, this is most likely a rebrand of an infamous ransomware operation. According to an opinion shared between security researcher **[MalwareHunterTeam](https://twitter.com/malwrhunterteam/)** and this author, Black Basta may simply be a rebranding of the Conti ransomware operation.

**[Conti ransomware group has been under intense scrutiny](https://bit.ly/2Zqu0xz)** over the last two months after a Ukrainian researcher published a trove of the gang's private communications and the ransomware's source code.

As a result, it has been hypothesized that Conti would rename its organization and restart under a new name in order to elude government authorities. While the Black Basta encryptor is somewhat different from Conti's, MalwareHunterTeam thinks their negotiation technique and website design have significant similarities.

![mht-tweet.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/mht_tweet_2f9d4890f9.jpg)

Additionally, Black Basta disclosed the details of a brand-new victim after a screenshot of the negotiation was revealed. This "penalty" is identical to what Conti instituted to quell the flood of leaked negotiations on Twitter. While these ties are thin, the Black Basta gang should be actively watched, given they have only recently begun operating.

03-May-2022, 1 min read
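An added example for incident responders (not code from the article, nor from any of the researchers it cites): a small Python triage helper that checks two host-level indicators the Black Basta write-up describes, a file extension registered under `HKLM\SOFTWARE\Classes` whose `DefaultIcon` points into a temp directory (parsed from the same `.reg` export format the article quotes), and files renamed to `*.basta` alongside `readme.txt` drops. The registry export and the file-event records are constructed samples; the event dictionary format, the benign `.txt` entry and its icon path are assumptions, and the `fkdjsadasd.ico` name is the one the article shows.

```python
import re

# Constructed registry export in the .reg format the article quotes.
# The .basta keys mirror the article; the .txt entry is a constructed benign
# association used as a contrast, and its icon path is a placeholder.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.basta]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.basta\DefaultIcon]
@="C:\\Windows\\TEMP\\fkdjsadasd.ico"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.txt\DefaultIcon]
@="C:\\Windows\\System32\\notepad.exe,1"
'''

# Constructed endpoint file events (hypothetical format: op plus src/dst or path).
SAMPLE_FILE_EVENTS = [
    {"op": "rename", "src": r"C:\Users\alice\Documents\test.jpg",
     "dst": r"C:\Users\alice\Documents\test.jpg.basta"},
    {"op": "create", "path": r"C:\Users\alice\Documents\readme.txt"},
    {"op": "rename", "src": r"C:\Users\alice\Documents\report.docx",
     "dst": r"C:\Users\alice\Documents\report.docx.basta"},
    {"op": "create", "path": r"C:\Users\alice\Desktop\notes.txt"},
]

# Icon locations a legitimate file-type registration has no reason to use.
TEMP_PATH_RE = re.compile(r"(\\windows\\temp\\|%temp%|\\appdata\\local\\temp\\)", re.IGNORECASE)
DEFAULT_ICON_KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\(\.[^\\]+)\\DefaultIcon$", re.IGNORECASE)


def parse_reg_export(text: str) -> dict:
    """Minimal .reg parser returning {key_path: {value_name: data}}.
    '@' is reported as '(Default)'; quoted string data is unescaped."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        keys[current][name] = data
    return keys


def find_suspicious_icon_associations(keys: dict) -> list:
    """Flag extension registrations whose DefaultIcon lives in a temp directory,
    the pattern the article describes for the .basta extension."""
    findings = []
    for key_path, values in keys.items():
        match = DEFAULT_ICON_KEY_RE.match(key_path)
        if not match:
            continue
        icon = values.get("(Default)", "")
        if TEMP_PATH_RE.search(icon):
            findings.append({"extension": match.group(1).lower(), "icon": icon})
    return findings


def find_ransomware_file_activity(events: list, extension: str = ".basta",
                                  note_name: str = "readme.txt") -> dict:
    """Collect renames that append the ransomware extension and ransom-note drops."""
    encrypted = [e["dst"] for e in events
                 if e["op"] == "rename" and e["dst"].lower().endswith(extension)]
    notes = [e["path"] for e in events
             if e["op"] == "create" and e["path"].lower().rsplit("\\", 1)[-1] == note_name]
    return {"encrypted_files": encrypted, "ransom_notes": notes}


def assess(reg_text: str, events: list) -> dict:
    """Combine both indicators into a single verdict for a triage script."""
    icons = find_suspicious_icon_associations(parse_reg_export(reg_text))
    activity = find_ransomware_file_activity(events)
    flagged = {f["extension"] for f in icons}
    verdict = ".basta" in flagged and bool(activity["encrypted_files"])
    return {"icon_associations": icons, **activity, "matches_black_basta_pattern": verdict}


if __name__ == "__main__":
    print(assess(SAMPLE_REG, SAMPLE_FILE_EVENTS))
```

The icon check is deliberately written against the location of the icon rather than the `.basta` name, so it also catches a future sample that changes the extension but keeps dropping its icon in a temp folder; a `DefaultIcon` under `\Windows\TEMP\` is anomalous for any legitimate file type.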