Threat Research – Sophos News
Sophos MDR tracks two ransomware campaigns using “email bombing,” Microsoft Teams “vishing” 21 January 2025 at 05:30

Sophos MDR tracks two ransomware campaigns using “email bombing,” Microsoft Teams “vishing”

21 January 2025 at 05:30

Sophos MDR identifies a new threat cluster riffing on the playbook of Storm-1811, and amped-up activity from the original connected to Black Basta ransomware.

A screenshot of Python code from an obfuscated copy of RPivot dropped by the STAC5143 attackers.

Figure 2:Sophos Central investigation screen of threat actor’s incoming activity captured by Microsoft Office 365 integration

Threat Research – Sophos News
Gootloader inside out 16 January 2025 at 11:00

Gootloader inside out

Threat Research – Sophos News

By:Gabor Szappanos

16 January 2025 at 11:00

Open-source intelligence reveals the server-side code of this pernicious SEO-driven malware - without needing a lawyer afterward

A list of Gootloader JScript filenames, which correspond to the search query that led victims to download them

Gootloader has poisoned search results in multiple languages, including German, French, and Korean

Source of the Gootkit/Gootloader landing pages reveal a number of different search terms and phrases the threat actors wanted search engines to index. The linked subpages (selected with green) don't actually exist. The injected WordPress code defines a few hooks, one of them is for non-existing pages. This will serve the fake forum discussion, when the victim clicks on the search result

A screenshot of the source code from a Gootkit/Goodloader landing page. Image courtesy of Sucuri Research.

The WordPress database dump included this table that contains a set of the first three octets of IP addresses, a block list of IP ranges that cannot revisit the Gootloader website on the same day

A block of base64-encoded data stored as a variable named $pposte in a WordPress database

Malicious SEO content phrases embedded in a WordPress database table, linking the site to an Excel spreadsheet converter search query

The "place marker" string appears in the OpenGraph metadata SEO headers of a Gootkit/Gootloader-modified web page

Files that contain references to the Gootloader "mothership" website (screenshot courtesy of VirusTotal)

Commented text, preceded with double slashes, documents the Gootkit characteristics of modified web pages

A SQL dump from a compromised WordPress installation contains base64-encoded elements of the Gootkit/Gootloader modifications

The decoded base64 data from the WordPress database reveals the PHP script that handles decoding the malicious content for a site visitor

A simple command shell Gootkit inserts into the PHP running in a WordPress site the threat actors have comrpomised

The portion of the Gootkit code that collects the HTML content of the fake page it will later draw over the top of the compromised website

The Gootkit code blocks repeat visitors by adding not only the visitor's IP address range to a block list, but the entire class C IPv4 address range on either side of the visitor's address, just for good measure

The Gootkit/Gootloader fake forum page, featuring a "question" and an "answer" that links to the Gootloader JScript first-stage payload

The unique key is linked in a Javascript code snippet embedded in the compromised WordPress server page.

A set of commands that deletes from view the original page content on the compromised WordPress server page the visitor lands on

The replacement content includes the text of the "Questions And Answers" fake forum page

The download link points to a php script hosted on a different server. This link delivers the .js file packed into a Zip archive which comprises the first stage Gootloader payload

A Gootkit/Gootloader fake forum page in German. The source code of the page shows the link points to a file named down.php hosted on a completely different server than the one where the page appears. The link marked in red will connect to the server that is hosting the first-stage download JScript.

The source code of the PHP script that delivers the first stage Gootloader payload

Screenshot of the modified HelloDolly.php script (courtesy of the Rich Infante blog)

Another format of the modified HelloDolly.php script shows the unique identifier string

A variation on the modified HelloDolly.php script

A screenshot that summarizes the modification process Gootloader uses (image courtesy of the Rich Infante blog)

A WordPress database dump contains the same elements that the Rich Infante blog references

The encoded form of a PHP script that delivers the .js payload

A screenshot of a file uploaded to VirusTotal shows references to the IP address formerly used to host the Gootkit/Gootloader "mothership" server

The my-game website as it appeared in 2014, a Russian-language gambling site called "Casino Game Life"

The my-game domain that continues to host the Gootkit/Gootloader mothership originally belonged to a German team that played the game Counter-Strike competitively

Threat Research – Sophos News
159-CVE January Patch Tuesday smashes single-month record 14 January 2025 at 21:09

159-CVE January Patch Tuesday smashes single-month record

Threat Research – Sophos News

By:Angela Gunn

14 January 2025 at 21:09

Brace yourselves... and consider reading your email in plaintext for now

A bar chart showing the distribution of severities of bugs patched in the January 2025 Patch Tuesday set, as described in the article text

A bar chart showing the distribution of product families affected by bugs patched in the January 2025 Patch Tuesday set, as described in the article text

A bar chart showing 61 months of overall CVEs counts for Microsoft Patch Tuesdays since January 2020; the rightmost bar indicates the numbers for january 2025 and is taller than the rest

Threat Research – Sophos News
Prioritizing patching: A deep dive into frameworks and tools – Part 2: Alternative frameworks 30 December 2024 at 09:05

Prioritizing patching: A deep dive into frameworks and tools – Part 2: Alternative frameworks

Threat Research – Sophos News

By:Matt Wixey

30 December 2024 at 09:05

In the second of a two-part series on tools and frameworks designed to help with remediation prioritization, we explore some alternatives to CVSS

Threat Research – Sophos News
Prioritizing patching: A deep dive into frameworks and tools – Part 1: CVSS 27 December 2024 at 11:33

Prioritizing patching: A deep dive into frameworks and tools – Part 1: CVSS

Threat Research – Sophos News

By:Matt Wixey

27 December 2024 at 11:33

In the first of a two-part series exploring tools and frameworks which can help organizations with remediation prioritization, Sophos X-Ops takes a look at the Common Vulnerability Scoring System (CVSS)

Threat Research – Sophos News
Phishing platform Rockstar 2FA trips, and “FlowerStorm” picks up the pieces 19 December 2024 at 09:11

Phishing platform Rockstar 2FA trips, and “FlowerStorm” picks up the pieces

Threat Research – Sophos News

By:gallagherseanm

19 December 2024 at 09:11

A sudden disruption of a major phishing-as-a-service provider leads to the rise of another…that looks very familiar

A screenshot of a Rockstar2FA "decoy" page, a fake auto dealer site.

Screen shots of the developer view of Chrome showing web requests sent from a Rockstar2FA phishing portal.

A pie chart showing the distribution of top-level domains the 10 most heavily used domain names were registered with. A third were .ru, a fifth were .com.

A bar chart showing the distribution of TLDs and number of URLs detected per month for Rockstar2FA. The number of .ru domains decreased significantly over time.

A screenshot of a failed connection error for a Rockstar decoy page.

A screenshot of an animated Office365 logo for Outlook used by Rockstar's phishing portal pages.

A screenshot of a Chrome developer view of a Rockstar pages.dev phishing portal failing to connect to a backend server.

Figure 9: the EnteraID log for a sign-in by the adversary-in-the-middle script on the phishing service’s back-end server.

Figure 10: the HTTP header data for a phishing page’s backend server communications on a separate host

Figure 11: A developer browser view of the phishing page protectivewearsupplies[.]doclawfederal[.]com/wQBPg/

Figure12: The document object model of a Rockstar2FA phishing page

Figure 13: The DOM of an older FlowerStorm phishing page (from June 2024)

Figure 14: The DOM of a newer FlowerStorm phishing page; the algorithm generating the title and function names uses a combination of two botanical-themed words

Figure 15: A chart plotting daily page detections for Rockstar2FA and FlowerStorm through the end of November 2024

Figure 16: The ten countries most targeted by attackers using FlowerStorm, based on Sophos detections

Figure 17: The ten business sectors most targeted by attackers using FlowerStorm

Threat Research – Sophos News
The Bite from Inside: The Sophos Active Adversary Report 12 December 2024 at 08:00

The Bite from Inside: The Sophos Active Adversary Report

Threat Research – Sophos News

By:Angela Gunn

12 December 2024 at 08:00

A sea change in available data fuels fresh insights from the first half of 2024

A bar chart showing an increase in LOLbins in the span between 2021 and the first half of 2024; the totals increased from just over 100 to nearly 190

A stacked bar chart showing the relationship between artifact and LOLbin counts between 2021 and the first half of 2024, as described in text

A bar chart showing the prevalence of the top 29 LOLbins noted in the first half of 2024, ranging from RDP at just under 90 percent to findstr.exe at 10 percent

A table showing the changes in prevalence of the top 29 1H24 LOLbins between 2023 and the first half of the year; all but five of the listed LOLbins increased in frequency of usage

A table showing RDP usage in attacks in 2022, 2023, and the first half of 2024

Five funnel-shaped charts showing the prevalence of ransomware attributions between 2020 and the first half of 2024; in this format they resemble different types of trees as described in text

A table showing the root causes of 1H24 cases for the entire report, for IR's portion of the data, and for MDR's portion of the data

A table showing changes in artifact prevalence in AAR cases from 2021 to the first half of 2024

A world map showing locations in which cases appearing in this report occurred

Security Operations – Sophos News
Sophos MDR tracks two ransomware campaigns using “email bombing,” Microsoft Teams “vishing” 21 January 2025 at 05:30

Sophos MDR tracks two ransomware campaigns using “email bombing,” Microsoft Teams “vishing”

Security Operations – Sophos News

By:gallagherseanm

21 January 2025 at 05:30

Sophos MDR identifies a new threat cluster riffing on the playbook of Storm-1811, and amped-up activity from the original connected to Black Basta ransomware.

Security Operations – Sophos News
Phishing platform Rockstar 2FA trips, and “FlowerStorm” picks up the pieces 19 December 2024 at 09:11

Phishing platform Rockstar 2FA trips, and “FlowerStorm” picks up the pieces

Security Operations – Sophos News

By:gallagherseanm

19 December 2024 at 09:11

A sudden disruption of a major phishing-as-a-service provider leads to the rise of another…that looks very familiar

Security Operations – Sophos News
The Bite from Inside: The Sophos Active Adversary Report 12 December 2024 at 08:00

The Bite from Inside: The Sophos Active Adversary Report

Security Operations – Sophos News

By:Angela Gunn

12 December 2024 at 08:00

A sea change in available data fuels fresh insights from the first half of 2024

Security Operations – Sophos News
Sophos MDR blocks and tracks activity from probable Iranian state actor “MuddyWater” 20 November 2024 at 11:12

Sophos MDR blocks and tracks activity from probable Iranian state actor “MuddyWater”

Security Operations – Sophos News

By:gallagherseanm

20 November 2024 at 11:12

Sophos MDR has observed a new campaign that uses targeted phishing to entice the target to download a legitimate remote machine management tool to dump credentials. We believe with moderate confidence that this activity, which we track as STAC 1171, is related to an Iranian threat actor commonly referred to as MuddyWater or TA450. The […]

Screenshot of download site used by STAC

A screen shot of activity associated with the adversary's Atera RMM tool.

Security Operations – Sophos News
VEEAM exploit seen used again with a new ransomware: “Frag” 8 November 2024 at 11:10

VEEAM exploit seen used again with a new ransomware: “Frag”

Security Operations – Sophos News

By:gallagherseanm

8 November 2024 at 11:10

Last month, Sophos X-Ops reported several MDR cases where threat actors exploited a vulnerability in Veeam backup servers. We continue to track the activities of this threat cluster, which recently included deployment of a new ransomware. The vulnerability, CVE-2024-40711, was used as part of a threat activity cluster we named STAC 5881. Attacks leveraged compromised […]

Security Operations – Sophos News
Bengal cat lovers in Australia get psspsspss’d in Google-driven Gootloader campaign 6 November 2024 at 05:30

Bengal cat lovers in Australia get psspsspss’d in Google-driven Gootloader campaign

Security Operations – Sophos News

By:gallagherseanm

6 November 2024 at 05:30

The Internet is full of cats—and in this case, malware-delivering fake cat websites used for very targeted search engine optimization.

Figure 1: An SEO-poisoned site hosting a malicious .zip file

Figure 2: A log of running processes, including the execution of wscript.exe to launch the second stage via a scheduled task.

Figure 3: A scheduled task is created to launch the second stage JavaScript.

Figure 4: A PowerShell command line spawned by CSript.exe

Figure 5: PowerShell reaching out to various URIs

Figure 6: Sandboxed browser (Browserling) results when accessing the website and clicking on the malicious hyperlinked URL

Figure 7: The Strings output of are bengal cats legal in australia 72495.js

Figure 9: Mandiant’s python script for auto-decoding GootLoader’s JavaScript displays the output of Are_bengal_cats_legal_in_australia_72495.js

Figure 10: The process Monitor CreateFile event for WScript.exe upon execution of Are_bengal_cats_legal_in_australia_72495.js

Figure 11: Process behavior observed within Source Forge's Process Hacker

Figure 12: Process Hacker process properties and Scheduled Task creation

Figure 14: Malicious domain names observed within DNS requests through Wireshark PCAP

Threat Research – Sophos News
February Patch Tuesday delivers 57 packages 11 February 2025 at 14:17

February Patch Tuesday delivers 57 packages

Threat Research – Sophos News

By:Angela Gunn

11 February 2025 at 14:17

After January’s deluge, a calmer update volume returns

Threat Research – Sophos News
Scalable Vector Graphics files pose a novel phishing threat 5 February 2025 at 11:01

Scalable Vector Graphics files pose a novel phishing threat

Threat Research – Sophos News

By:Andrew Brandt

5 February 2025 at 11:01

The SVG file format can harbor malicious HTML, scripts, and malware

Threat Research – Sophos News
Update: Cybercriminals still not fully on board the AI train (yet) 28 January 2025 at 07:00

Update: Cybercriminals still not fully on board the AI train (yet)

Threat Research – Sophos News

By:Matt Wixey

28 January 2025 at 07:00

A year after our initial research on threat actors’ attitudes to generative AI, we revisit some underground forums and find that many cybercriminals are still skeptical – although there has been a slight shift

Normal view