A CopperStealer binary was observed encrypted and appended to a legitimate application, with the application's entry point overwritten by shellcode. This shellcode reads the payload offset and the XOR decryption key from the executable's file header, then uses them to locate and decrypt the appended payload.
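The unpacking logic described above, reproduced as an added offline unpacker (example code written for this page, not CopperStealer's stub or any vendor tool). The article does not say which header field the offset and key live in, so this example assumes the stub plants them in the reserved `e_res` region of the DOS header (file offsets 0x1C and 0x20), which clean executables leave zeroed; the host image, payload and key are constructed test data.

```python
import struct

# Assumed layout (not from the original article): the stub stores a 4-byte
# payload offset and a 4-byte XOR key in the DOS header's reserved e_res
# field, which legitimate executables normally leave as zeros.
OFFSET_FIELD = 0x1C
KEY_FIELD = 0x20
DOS_HEADER_LEN = 0x40


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Rolling XOR; applying it twice with the same key is the identity."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_host(legit_image: bytes, payload: bytes, key: bytes) -> bytes:
    """Construct a sample in the described shape: encrypted payload appended
    to a legitimate image, offset and key planted in the header.
    (Used only to produce constructed test input.)"""
    if legit_image[:2] != b"MZ" or len(legit_image) < DOS_HEADER_LEN:
        raise ValueError("host must be a DOS/PE image")
    if len(key) != 4:
        raise ValueError("assumed layout uses a 4-byte key")
    hdr = bytearray(legit_image)
    hdr[OFFSET_FIELD:OFFSET_FIELD + 4] = struct.pack("<I", len(legit_image))
    hdr[KEY_FIELD:KEY_FIELD + 4] = key
    return bytes(hdr) + xor_bytes(payload, key)


def extract_payload(host: bytes) -> bytes:
    """Mirror the stub: read offset and key from the header, decrypt what
    follows the offset, and sanity-check the result before trusting it."""
    if host[:2] != b"MZ" or len(host) < DOS_HEADER_LEN:
        raise ValueError("not a DOS/PE image")
    (offset,) = struct.unpack_from("<I", host, OFFSET_FIELD)
    key = host[KEY_FIELD:KEY_FIELD + 4]
    # An untouched host has zeros here; a planted offset must be inside the file.
    if offset == 0 or key == b"\x00\x00\x00\x00":
        raise ValueError("no planted offset/key: probably an unmodified host")
    if offset >= len(host):
        raise ValueError(f"payload offset 0x{offset:x} points past end of file")
    payload = xor_bytes(host[offset:], key)
    # The decrypted blob should itself be a PE; otherwise the key or the
    # assumed header layout is wrong for this sample.
    if payload[:2] != b"MZ":
        raise ValueError("decrypted blob is not a PE image")
    return payload


def looks_packed(host: bytes) -> bool:
    """True when the host carries a recoverable appended payload."""
    try:
        extract_payload(host)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: a minimal "legitimate" image and a fake payload.
    legit = b"MZ" + bytes(0x3E) + b"legitimate application code"
    fake_payload = b"MZ" + b"stealer payload body"
    sample = build_host(legit, fake_payload, b"\x5a\x13\xc7\x88")
    print(looks_packed(legit), looks_packed(sample))
    print(extract_payload(sample) == fake_payload)
```

When triaging a real sample, replace the assumed field offsets with whatever the stub actually reads (the shellcode's first few memory reads relative to the image base give this away), and keep the `MZ` check on the output: a rolling XOR with the wrong key still "succeeds", so the only signal that the layout assumption is wrong is garbage coming out.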
While the updates did not change much in terms of overall functionality, researchers believe they aim to optimize the malware's execution, minimize unintended system behavior, and provide technical support to ransomware victims who choose to negotiate.
DeadBolt is notable not only for the scale of its attacks but also for several advanced tactics and techniques its operators have implemented, such as offering multiple payment options: one for the user and two for the vendor.
Researchers observed a VBScript file being executed through sqlservr.exe, which led them to suspect that the device had been compromised through a vulnerability that allowed the attackers to execute arbitrary code remotely.
Black Basta, a new ransomware gang, has swiftly risen to prominence in recent weeks. This blog entry takes a closer look at the Black Basta ransomware and analyzes this newcomer’s familiar infection techniques.
The framework is distributed via a pay-per-install (PPI) service and contains multiple parts, including a loader, a dropper, a protection driver, and a full-featured RAT that implements its own network communication protocol.
While previous AvosLocker infections employ similar routines, this is the first sample researchers observed from the US with the capability to disable a security solution by abusing a legitimate Avast Anti-Rootkit driver file (asWarPot.sys).
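Two of the behaviours above translate directly into endpoint detections: sqlservr.exe spawning a script host (the VBScript-through-SQL-Server observation) and a driver load of a known-abused legitimate driver (the AvosLocker asWarPot.sys technique). The following is an added example written for this page, not code from the cited research, that runs both rules over constructed JSON-lines telemetry with Sysmon-style field names; the set of script hosts, the sample paths and the benign noise events are assumptions, and the driver match is case-insensitive because NTFS is.

```python
import json
import ntpath

# Assumed set of "living off the land" interpreters worth flagging when
# their parent is the SQL Server service process.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}

# Legitimate, signed drivers known to be abused to kill security software.
# Only the driver named in the AvosLocker write-up is listed here.
ABUSED_DRIVERS = {"aswarpot.sys"}

# Constructed JSON-lines telemetry (not real logs from the incidents above):
# one malicious child of sqlservr.exe, one benign child, one unrelated script
# execution, one abused-driver load and one ordinary driver load.
SAMPLE_LOG = r'''
{"EventType":"ProcessCreate","Image":"C:\\Windows\\System32\\wscript.exe","ParentImage":"C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe","CommandLine":"wscript.exe C:\\Users\\Public\\update.vbs"}
{"EventType":"ProcessCreate","Image":"C:\\Program Files\\Microsoft SQL Server\\150\\Shared\\SqlDumper.exe","ParentImage":"C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe","CommandLine":"SqlDumper.exe"}
{"EventType":"ProcessCreate","Image":"C:\\Windows\\System32\\wscript.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"wscript.exe logon.vbs"}
{"EventType":"DriverLoad","ImageLoaded":"C:\\Users\\Public\\asWarPot.sys","Signature":"Avast Software s.r.o."}
{"EventType":"DriverLoad","ImageLoaded":"C:\\Windows\\System32\\drivers\\tcpip.sys","Signature":"Microsoft Windows"}
'''


def basename(path: str) -> str:
    """Case-folded file name; ntpath handles backslash paths on any host OS."""
    return ntpath.basename(path).lower()


def parse_log(text: str) -> list:
    """Parse JSON lines, skipping blanks."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events: list) -> list:
    """Return (rule_name, detail) for every event that matches a rule."""
    hits = []
    for ev in events:
        kind = ev.get("EventType")
        if kind == "ProcessCreate":
            # Rule 1: SQL Server service process launching a script host.
            if (basename(ev.get("ParentImage", "")) == "sqlservr.exe"
                    and basename(ev.get("Image", "")) in SCRIPT_HOSTS):
                hits.append(("sqlservr_spawned_script_host", ev.get("CommandLine", "")))
        elif kind == "DriverLoad":
            # Rule 2: known-abused driver loaded, regardless of its valid signature
            # or the (often unusual) directory it was dropped into.
            if basename(ev.get("ImageLoaded", "")) in ABUSED_DRIVERS:
                hits.append(("known_abused_driver_loaded", ev.get("ImageLoaded", "")))
    return hits


if __name__ == "__main__":
    for rule, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{rule}: {detail}")
```

The driver rule deliberately ignores the signer: the whole point of the technique is that the driver is legitimately signed, so a signature check passes and the file name (plus, in production, a hash list) is what you key on. The process rule will also fire on xp_cmdshell-driven cmd.exe children, which is usually the intent; whitelist known administrative jobs by command line rather than by removing cmd.exe from the set.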