Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

67% of the malware downloads Netskope blocks come from popular cloud applications being abused by attackers. One of the services commonly abused by threat actors is Discord, which is abused to host malware such as TroubleGrabber using public attachment URLs. In this blog post, we will analyze a recent DBatLoader (a.k.a. ModiLoader) sample that uses this technique on Discord to deliver a malware known as Warzone (a.k.a. Ave Maria), a Remote Access Trojan created in 2018.

During a ransomware attack, a victims vital internal processes are seized and encrypted, completely forcing their business offline. These crippling actions are only reversed if a ransom payment is made. Ransomware attacks are an escalating threat to global security and the Australian Government is taking a firm stance against it. With global ransomware damage costs predicted to reach $20 billion and increasing cyberattack complexity, this isn't a fight a single country can win alone.

The US Government has issued an alert to organisations about the threat posed by the BlackMatter ransomware group. The government’s Cybersecurity & Infrastructure Security Agency (better known as CISA) issued the advisory earlier this week, following a series of BlackMatter ransomware attacks since July 2021 targeting US critical infrastructure, including two American organisations working in the food and agriculture sector.

Someone in your organization gets an email with an attached document. The sender seems legitimate, but when they click on the link, it’s not what it claims to be. Soon your organization’s data is encrypted and you receive a message: pay a ransom to the attackers if you want the decryption key. You’ve just been the victim of a ransomware attack. Ransomware has become a major attack vector in 2021.

Banks continue to be a top target for cyber criminals. As we indicated in our blogpost on the risks to financial services networks, in 2020 alone there were more than 1,500 cyberattacks on banks, and in recent months, we’ve seen incidents such as the cyberattack on the New Zealand Federal Reserve and against the largest bank in Ecuador. Now, a new threat has emerged, and the main targets are Australian and German banks.

Ransomware groups have generated so much damage that the United States Federal government has made it a top priority to thwart such efforts including, hosting a major international summit on the topic, setting up a ransomware task force and repeatedly urging organizations to improve their cyber resilience.

In Part 1 of our BlackByte ransomware analysis, we covered the execution flow of the first stage JScript launcher, how we extracted BlackByte binary from the second stage DLL, the inner workings of the ransomware, and our decryptor code. In this blog, we will detail how we analyzed and de-obfuscated the JScript launcher, BlackByte’s code, and strings.

Please click here for Part 2 UPDATE 19.October.2021 - Based on some reactions and responses to our BlackByte analysis, and specifically, the included decryptor, we wanted to provide an update and some clarification. First off, we’ve updated the decryptor on github to include two new files. One is the compiled build of the executable to make the tool more accessible and the second is a sample encrypted file “spider.png.blackbyte” that can be used to test the decryptor.

A document sent to the US Congress published by Motherboard, the technology section of Vice, confirms that CIA personnel, the NSA and other members of the US Intelligence Community widely use ad blockers in their Internet browsers. This measure was adopted to remove the distraction of adverts on web pages for employees, but it provides additional protection against malware.

The FBI recently published a warning stating that ransomware gang OnePercent Group has been attacking companies in the US since November 2020. This gang of cybercriminals targets individuals within an organization with social engineering tactics designed to fool them into opening a document from a ZIP file attached to an email. Ransomware is then downloaded and the breach is underway.