Engage Report: Vishing via Microsoft Teams – DarkGate Malware

The attacker impersonates a client employee on a Microsoft Teams call and manipulates the victim into downloading AnyDesk for remote access after a failed attempt to install the Microsoft Remote Support application.

Engage Report: HeartCrypt Packer-as-a-Service

The HeartCrypt packer utilizes several obfuscation techniques, including:

  • Packing malware into legitimate binaries
  • Employing position-independent code (PIC)
  • Implementing control flow obfuscation through stack strings, dynamic API resolution, jump instructions, and junk bytes
  • Utilizing multiple layers of encoding and byte substitution
  • Hiding shellcode in resources disguised as bitmap images

Engage Report: VEILDrive

The attacker impersonated an IT team member from a previously compromised organization (Org A) and used Microsoft Teams to send spearphishing messages to four employees at the targeted organization (Org C). The messages requested access to the employees’ devices via the Quick Assist remote utility tool.

Engage Report: Stealthy Stalker – Remcos RAT

The malware creates a new registry entry in the Run key of the Windows Registry under HKCU (HKEY_CURRENT_USER). This registry entry ensures that a PowerShell script (yrnwr.ps1), located in a folder named System Update inside the LocalLow directory (a location chosen to look legitimate), is executed at every user login.

Engage Report: Head Mare Group’s PhantomCore Campaign

The Head Mare group distributes malicious ZIP archives, likely through spam emails disguised as invoices or financial documents, to deceive recipients into executing the malicious payload.

Engage Report: Zloader Trojan Analysis

Zloader has been observed to utilize legitimate remote management tools like AnyDesk, TeamViewer, and Microsoft Quick Assist for initial access. Threat actors leverage social engineering tactics to convince victims to grant them remote access to their systems. Once they gain remote access, the attackers proceed to deploy Zloader.

Technique: System Access [T1078] -> Remote Services [T1021] -> Remote Desktop Protocol [T1021.001]

China attacks U.S. Companies

The attackers leveraged WMI (Windows Management Instrumentation), Microsoft’s command-line tool, to execute commands on a remote computer, which points to possible exploitation of external remote services to gain initial access to the network.

Engage Report: Termite Ransomware

The Termite ransomware attempts to delete all Shadow Copies on the victim’s machine by executing the vssadmin.exe process with the necessary arguments. This is done to prevent the victim from recovering their system to a state before the files were encrypted.

Snowblind – The Invisible Hand of Secret Blizzard

Secret Blizzard compromised command-and-control (C2) infrastructure used by Storm-0156, a Pakistan-based threat actor, to gain access to Storm-0156’s targets’ networks and data. They leveraged Storm-0156’s existing access to deploy their own malware, “TwoDash” and “Statuezy,” into Afghan government networks. They also potentially acquired Storm-0156’s tools, C2 and target-network credentials, and data exfiltrated in earlier operations.

Threat Actor Targets the Manufacturing Industry with Lumma Stealer and Amadey Bot

The attack begins with a spear-phishing email containing an LNK file disguised as a PDF document. This LNK file is hosted on a remote WebDAV share and impersonates LogicalDOC, a cloud-based document management system. When executed, the LNK file launches ssh.exe to run a PowerShell command that fetches and executes a malicious payload from a remote server. This server is accessed via a URL that abuses Google’s Accelerated Mobile Pages (AMP) framework, combined with a shortened URL. The PowerShell code then triggers another malicious script hosted on Pastebin, which downloads a ZIP archive to the Temp directory, extracts its contents, and executes a legitimate executable that sideloads a malicious DLL file. This DLL injects malicious code into various processes, ultimately leading to the deployment of Lumma Stealer and Amadey Bot.
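A defender-side check combining three behaviours described on this page (the HKCU Run-key persistence from the Remcos RAT report, the vssadmin shadow-copy deletion from the Termite report, and ssh.exe launching PowerShell from the Lumma Stealer/Amadey report), written here as an added example and not taken from any of the reports. The event record and its field names are assumptions loosely modelled on Sysmon process-creation and registry events, and the sample events are constructed, not real telemetry.

```python
import re
from dataclasses import dataclass

@dataclass
class Event:
    # Minimal telemetry record; field names are assumptions (Sysmon-like).
    image: str            # full path of the created process
    cmdline: str = ""     # its command line
    parent: str = ""      # parent process image
    reg_key: str = ""     # registry key written (registry events only)
    reg_value: str = ""   # data written to that key

def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def shadow_copy_deletion(e: Event) -> bool:
    # Termite report: vssadmin.exe invoked to delete shadow copies (listing them is routine).
    cl = e.cmdline.lower()
    return _base(e.image) == "vssadmin.exe" and "delete" in cl and "shadows" in cl

def ssh_spawning_powershell(e: Event) -> bool:
    # Lumma/Amadey report: the LNK makes ssh.exe run PowerShell, so PowerShell with ssh.exe as parent is the observable.
    return _base(e.image) in ("powershell.exe", "pwsh.exe") and _base(e.parent) == "ssh.exe"

_RUN_KEY = re.compile(r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
def hkcu_run_ps1_in_locallow(e: Event) -> bool:
    # Remcos report: HKCU Run value launching a .ps1 stored under LocalLow.
    v = e.reg_value.lower()
    return bool(_RUN_KEY.match(e.reg_key)) and ".ps1" in v and "\\locallow\\" in v

RULES = {"shadow_copy_deletion": shadow_copy_deletion,
         "ssh_spawning_powershell": ssh_spawning_powershell,
         "hkcu_run_ps1_in_locallow": hkcu_run_ps1_in_locallow}

def scan(events) -> list:
    """Return (event_index, rule_name) pairs for every rule that fires."""
    return [(i, n) for i, e in enumerate(events) for n, f in RULES.items() if f(e)]

# Constructed sample events (not real telemetry); user paths are placeholders.
SAMPLE_EVENTS = [
    Event(r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet",
          parent=r"C:\Users\user\AppData\Local\Temp\sample.exe"),
    Event(r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe list shadows",
          parent=r"C:\Windows\System32\cmd.exe"),  # routine admin use, must not fire
    Event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -c <placeholder>", parent=r"C:\Windows\System32\OpenSSH\ssh.exe"),
    Event(r"C:\Windows\System32\reg.exe",
          reg_key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Update",
          reg_value=r"powershell.exe -File C:\Users\user\AppData\LocalLow\System Update\yrnwr.ps1"),
]
```

Run `scan(SAMPLE_EVENTS)` to see which constructed events trip which rule; the benign `vssadmin list shadows` event is there to show the deletion rule does not fire on ordinary administration.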