BazarLoader (sometimes referred to as BazaLoader) is a popular downloader among criminals, used to distribute multiple malicious payloads including Ryuk and Conti ransomware. According to a recent report by Phishlabs, during Q3 2021 this malware accounted for 24.7% of all attacks, earning the unwelcome accolade of being the most common payload.
Following a series of headline-grabbing ransomware attacks that disrupted critical services in the US, FBI Director Christopher Wray likened the threat posed by ransomware to the September 11 terrorist attacks of 2001. According to Wray, recent attacks against one of the largest oil pipeline operators in the United States and a major meat processing operation may be just a harbinger of what is to come.
67% of the malware downloads Netskope blocks come from popular cloud applications being abused by attackers. One of the services commonly abused by threat actors is Discord, which is abused to host malware such as TroubleGrabber using public attachment URLs. In this blog post, we will analyze a recent DBatLoader (a.k.a. ModiLoader) sample that uses this technique on Discord to deliver a malware known as Warzone (a.k.a. Ave Maria), a Remote Access Trojan created in 2018.
During a ransomware attack, a victims vital internal processes are seized and encrypted, completely forcing their business offline. These crippling actions are only reversed if a ransom payment is made. Ransomware attacks are an escalating threat to global security and the Australian Government is taking a firm stance against it. With global ransomware damage costs predicted to reach $20 billion and increasing cyberattack complexity, this isn't a fight a single country can win alone.
The US Government has issued an alert to organisations about the threat posed by the BlackMatter ransomware group. The government’s Cybersecurity & Infrastructure Security Agency (better known as CISA) issued the advisory earlier this week, following a series of BlackMatter ransomware attacks since July 2021 targeting US critical infrastructure, including two American organisations working in the food and agriculture sector.
Someone in your organization gets an email with an attached document. The sender seems legitimate, but when they click on the link, it’s not what it claims to be. Soon your organization’s data is encrypted and you receive a message: pay a ransom to the attackers if you want the decryption key. You’ve just been the victim of a ransomware attack. Ransomware has become a major attack vector in 2021.
Banks continue to be a top target for cyber criminals. As we indicated in our blogpost on the risks to financial services networks, in 2020 alone there were more than 1,500 cyberattacks on banks, and in recent months, we’ve seen incidents such as the cyberattack on the New Zealand Federal Reserve and against the largest bank in Ecuador. Now, a new threat has emerged, and the main targets are Australian and German banks.
Ransomware groups have generated so much damage that the United States Federal government has made it a top priority to thwart such efforts including, hosting a major international summit on the topic, setting up a ransomware task force and repeatedly urging organizations to improve their cyber resilience.
In Part 1 of our BlackByte ransomware analysis, we covered the execution flow of the first stage JScript launcher, how we extracted BlackByte binary from the second stage DLL, the inner workings of the ransomware, and our decryptor code. In this blog, we will detail how we analyzed and de-obfuscated the JScript launcher, BlackByte’s code, and strings.
Please click here for Part 2 UPDATE 19.October.2021 - Based on some reactions and responses to our BlackByte analysis, and specifically, the included decryptor, we wanted to provide an update and some clarification. First off, we’ve updated the decryptor on github to include two new files. One is the compiled build of the executable to make the tool more accessible and the second is a sample encrypted file “spider.png.blackbyte” that can be used to test the decryptor.
