TruKno

Computer and Network Security

Denver, Colorado 1,053 followers

Threat Intelligence for Humans.

About us

TruKno is a cybersecurity company helping security professionals keep up with the latest intelligence from emerging breaches. Uncover threats, actors, malware, CVEs, tools and more being used against companies in your industry with your same technology infrastructure. Easily share breach intelligence with your team. Built by the cyber community, for the cyber community.

Industry
Computer and Network Security
Company size
2-10 employees
Headquarters
Denver, Colorado
Type
Privately Held
Founded
2018
Specialties
Cyber Security, Threat Intelligence, Threat Analysis, Infosec, External Threat Intelligence, and MITRE

Updates

  • In November 2024, Microsoft Incident Response researchers uncovered a novel remote access trojan (RAT) we named StilachiRAT that demonstrates sophisticated techniques to evade detection, persist in the target environment, and exfiltrate sensitive data. Analysis of the StilachiRAT’s WWStartupCtrl64.dll module that contains the RAT capabilities revealed the use of various methods to steal information from the target system, such as credentials stored in the browser, digital wallet information, data stored in the clipboard, as well as system information. (23 TTPs with 'Procedure' level details on the TruKno blog) https://lnkd.in/gFj7mAzW

  • The attackers create fake news groups on social media and publish advertisements containing links to a file-sharing service or Telegram channel. These links lead to a version of the AsyncRAT malware, modified to look for cryptocurrency wallets and communicate with a Telegram bot. Detailed analysis of the incidents and victims showed that Egypt, Libya, the UAE, Russia, Saudi Arabia, and Turkey were the most targeted countries. We have named the threat actor "Desert Dexter", after one of the suspected attackers. This story contains the full breakdown of their kill chain... (24 TTPs with 'Procedure' level details on the TruKno blog) https://lnkd.in/gu6d5f_K

  • Cybercriminals are leveraging DeepSeek's popularity by creating websites hosted on fake look-alike domains to deceive users and deliver the Vidar information stealer. The malware campaign uses a fake CAPTCHA page to conduct clipboard injection, secretly copying a malicious PowerShell command for users to execute. It is crucial for organizations to have well-defined policies and security controls governing the use of generative AI models and applications in their environment, both for sanctioned and unsanctioned applications... (18 TTPs with 'Procedure' level details on the TruKno blog) https://lnkd.in/gKCMYuCP

  • Beginning early 2021, Ghost actors began attacking victims whose internet-facing services ran outdated versions of software and firmware. This indiscriminate targeting of networks containing vulnerabilities has led to the compromise of organizations across more than 70 countries, including organizations in China. Ghost actors, located in China, conduct these widespread attacks for financial gain. Affected victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses. (28 TTPs with 'Procedure' level details on the TruKno blog) https://lnkd.in/gFd_TPUg

  • Formbook, as seen since 2016, has evolved in many ways from stealth features to evasion techniques. Being sold on hacking forums as Malware as a Service, we can see a number of variants. While the evasion technique remains the same, multiple layers are used before deploying the payload, and they are loaded only in memory to avoid getting identified. As with other variants, this also uses steganography to hide malicious files inside images, decrypting them to load and invoke in memory... (23 TTPs with 'Procedure' level details on the TruKno blog) https://lnkd.in/gAM_N9D2

  • LinkedIn may be a vital tool for job seekers and professionals, but it has also become a playground for cybercriminals exploiting its credibility, from fake job offers and elaborate phishing schemes to scams and even state-sponsored threat actors who prey on people’s career aspirations and trust in professional networks. The scam begins with an enticing message: an opportunity to collaborate on a decentralized cryptocurrency exchange. While the details are left deliberately vague, the promise of remote work, part-time flexibility, and reasonable pay can lure unsuspecting individuals. Variations of this scam have also been observed, with projects supposedly related to travel or financial domains. (23 TTPs with 'Procedure' level details on the TruKno blog) https://lnkd.in/g_HNDq9t

  • The intrusions start with a phishing email as the initial infection vector. The actor is impersonating financial institutions and manufacturing and logistics companies by sending fake money transfer confirmations and fake order receipts, respectively. The phishing emails are predominantly written in Polish and German, indicating the actor’s intent to primarily target users in those countries. We also found some phishing email samples from the same campaign written in English. We assess with medium confidence that the actor is financially motivated, based on the phishing email themes and the filenames of the email attachments. The phishing email has attachments with the file extension “.tgz”, indicating that the actor has used GZIP to compress the TAR archive of the malicious attachment file to disguise the actual malicious content of the attachment and evade email detections. (31 TTPs with 'Procedure' level details on the TruKno blog) https://lnkd.in/gt_dQ6fh

  • ESET researchers provide details on a previously undisclosed China-aligned APT group that we track as PlushDaemon and one of its cyberespionage operations: the supply-chain compromise in 2023 of VPN software developed by a South Korean company, where the attackers replaced the legitimate installer with one that also deployed the group’s signature implant that we have named SlowStepper – a feature-rich backdoor with a toolkit of more than 30 components... (54 TTPs with 'Procedure' level details on the TruKno blog) https://lnkd.in/guGB7GFw

  • Ongoing campaigns are targeting Chinese-language speakers with malicious installers masquerading as legitimate software like Telegram and the Opera web browser. Infection chains employ injection and DLL side-loading using a custom loader (SADBRIDGE). SADBRIDGE deploys a newly discovered variant of the QUASAR backdoor written in Golang (GOSAR). GOSAR is a multi-functional backdoor under active development with incomplete features and iterations of improved features observed over time... (34 TTPs with 'Procedure' level details on the TruKno blog) https://lnkd.in/g8A-TG96

  • The BlackSuit ransomware operation emerged as an evolution of the Royal ransomware group, which was active from September 2022 through June 2023. While maintaining significant code similarities with its predecessor, BlackSuit has demonstrated enhanced capabilities and a more aggressive operational tempo. The group has extorted over $500 million in total ransom demands, with individual demands ranging from $1 million to a staggering $60 million. (23 TTPs with 'Procedure' level details on the TruKno blog) https://lnkd.in/gZkZbjWa
