Vidar distributed through backdoored Windows 11 downloads and abusing Telegram

Summary: In April 2022, ThreatLabz discovered several newly registered domains, which were created by a threat actor to spoof the official Microsoft Windows 11 OS download portal. We discovered these domains by monitoring suspicious traffic in our Zscaler cloud. The spoofed sites were created to distribute malicious ISO files which ...

CloudFall Targets Researchers and Scientists Invited to International Military Conferences in Central Asia and Eastern Europe

In August 2021, Zscaler ThreatLabz identified several malicious Microsoft Word documents which used a multi-stage attack chain abusing Cloudflare Workers and features of MS Office Word to target users in Central Asia and Eastern Europe. Based on the social engineering lures used in the decoy content, we conclude with a moderate ...

Demystifying the full attack chain of MineBridge RAT

Introduction: In March 2021, threat actors started distributing MineBridge RAT with an updated distribution mechanism. Morphisec blogged about part of this new attack chain but could not identify its origin or initial stages. In May 2021, Zscaler ThreatLabz was able to uncover all ...

Threat Actors Distribute Malicious VPN Apps Masquerading as Popular Vendors

Introduction: In May 2021, Zscaler ThreatLabZ observed several new domains registered by a threat actor to distribute spoofed and malicious versions of popular VPN software. Threat actors have shifted their tactics, techniques, and procedures (TTPs) to target VPN users over the past year, taking advantage of the increase in ...

Low-volume multi-stage attack leveraging AzureEdge and Shopify CDNs

Introduction: In February 2021, ThreatLabz observed a few instances of a low-volume, multi-stage web attack in the Zscaler cloud. This web attack leveraged legitimate Microsoft servers (azureedge.net), Dropbox, and Shopify's content delivery network (cdn.shopify.com) to host the malicious files. The attack chain started from a WordPress site with a ...

Return of the MINEBRIDGE RAT With New TTPs and Social Engineering Lures

Introduction: In January 2021, Zscaler ThreatLabZ discovered new instances of the MINEBRIDGE remote-access Trojan (RAT) embedded in macro-based Word document files crafted to look like valid job resumes (CVs). Such lures are used as social engineering schemes by threat actors; in this case, the malware was targeted at security researchers ...