DreamBus Unleashes Metabase Mayhem With New Exploit Module

Introduction: Zscaler's ThreatLabz research team has been tracking the Linux-based malware family known as DreamBus. Not much has changed in the last few years other than minor bug fixes and slight modifications to evade detection by security software. However, in the last six months, the threat actor operating DreamBus has ...

Mystic Stealer

Key Points: Mystic Stealer is a new information stealer that was first advertised in April 2023. Mystic steals credentials from nearly 40 web browsers and more than 70 browser extensions. The malware also targets cryptocurrency wallets, Steam, and Telegram. The code is heavily obfuscated, making use of polymorphic string obfuscation, ...

Technical Analysis of Pikabot

Key Points: Pikabot is a new malware trojan that emerged in early 2023 and consists of two components: a loader and a core module. The core module implements the malicious functionality, which includes the ability to execute arbitrary commands and to inject payloads provided by a command-and-control server. Pikabot ...

Technical Analysis of Trigona Ransomware

Key Points: Trigona is a ransomware family written in the Delphi programming language that has been active since at least June 2022. The Trigona threat group claims to perform double extortion attacks by combining data exfiltration with file encryption. Trigona utilizes 4,112-bit RSA and 256-bit AES encryption in OFB mode ...

Nevada Ransomware: Yet Another Nokoyawa Variant

Key Points: Nevada ransomware was advertised in criminal forums in December 2022 as part of a new ransomware-as-a-service affiliate program. Nevada is written in the Rust programming language with support for Linux and 64-bit versions of Windows. Zscaler ThreatLabz has identified significant code similarities between Nevada and Nokoyawa ransomware, including ...

Nokoyawa Ransomware: Rust or Bust

Key Points: Nokoyawa is a 64-bit Windows-based ransomware family that emerged in February 2022. The threat group behind Nokoyawa performs double extortion ransomware attacks: exfiltrating sensitive information from organizations, followed by file encryption and a ransom payment demand. Nokoyawa was initially written in the C programming language using Elliptic Curve ...

Back in Black… Basta

Key Points: BlackBasta emerged in February 2022 with double extortion ransomware attacks against organizations. The threat group exfiltrates sensitive information from organizations before performing file encryption and demanding a ransom payment. The previous version of BlackBasta shared many similarities with the now-defunct Conti ransomware, although the malware code itself ...

The Ares Banking Trojan Learns Old Tricks: Adds the Defunct Qakbot DGA

Summary: ThreatLabz observed an update to the Ares banking trojan that introduces a domain generation algorithm (DGA) which mirrors the Qakbot DGA. Based on analysis of the malware code, there does not appear to be a direct link between the two malware families. The Ares DGA may be an effort for ...

Conti Ransomware Attacks Persist With an Updated Version Despite Leaks

In late January 2022, ThreatLabz identified an updated version of Conti ransomware as part of its global ransomware tracking efforts. This update was released prior to the massive leak of Conti source code and chat logs on February 27, 2022. The leaks were published by a Ukrainian researcher after the ...