Tag: T1059

CyberVolk | A Deep Dive into the Hacktivists, Tools and Ransomware Fueling Pro-Russian Cyber Attacks

T1566 – CyberVolk has been observed utilizing phishing emails and LinkedIn messages to distribute malicious links to targets.

T1490 – The ransomware terminates processes associated with Microsoft Management Console (MMC) or Task Manager.

T1486 – The ransomware displays a payment screen with a decryption timer and payment details, including BTC and USDT options. The ransom amount is set to $1000.00, and the timer is set to 5 hours.

Read more...

Pygmy goat Backdoor

Pygmy Goat uses the LD_PRELOAD environment variable to inject itself into the sshd process, ensuring it’s loaded and executed whenever the SSH daemon starts.

Read more...

Phishing by Design – Two-Step Attacks Using Microsoft Visio Files

  • Initial Access: Attackers compromise a legitimate email account and send phishing emails containing a malicious URL, either directly in the email body or within an attached .eml file. The email often impersonates a trusted entity and may include branding to appear legitimate. The URL leads to a compromised SharePoint page hosting a weaponized Visio (.vsdx) file.
  • Execution: The Visio file contains a malicious URL hidden behind a clickable element, such as a “View Document” button. Victims are instructed to hold down the Ctrl key while clicking the element to access the URL, a technique designed to evade automated security scanners. This URL redirects the victim to a fake Microsoft login page designed to steal credentials.
  • Persistence (Implied): Although not explicitly mentioned in the document, attackers likely leverage the stolen credentials for persistent access to the victim’s environment. This may involve establishing backdoors, creating new accounts, or modifying existing ones.
  • Command and Control: After gaining access, attackers likely establish a command-and-control (C2) channel using application layer protocols like HTTP to communicate with the compromised system, issue commands, and manage the attack. 
  • Exfiltration: Attackers exfiltrate sensitive data from the victim’s environment over the established C2 channel.
Read more...