Submitted URL: http://securityintelligence.com/x-force/hive0051-malicious-operations-enabled-dns-fluxing/
Effective URL: https://securityintelligence.com/x-force/hive0051-malicious-operations-enabled-dns-fluxing/
HIVE0051’S LARGE SCALE MALICIOUS OPERATIONS ENABLED BY SYNCHRONIZED
MULTI-CHANNEL DNS FLUXING

Threat Intelligence

--------------------------------------------------------------------------------

October 30, 2023 By Golo Mühr
Claire Zaboeva
Joe Fasulo
12 min read

--------------------------------------------------------------------------------



--------------------------------------------------------------------------------

For the last year and a half, IBM X-Force has actively monitored the evolution
of Hive0051’s malware capabilities. This Russian threat actor has accelerated
its development efforts to support expanding operations since the onset of the
Ukraine conflict. Recent analysis identified three key changes to capabilities:
an improved multi-channel approach to DNS fluxing, obfuscated multi-stage
scripts, and the use of fileless PowerShell variants of the Gamma malware.

As of October 2023, IBM X-Force has also observed a significant increase in
Hive0051’s activity featuring the new multi-channel approach of rapidly rotating
C2 infrastructure facilitating at least 1,027 active infections featuring more
than 327 unique malicious domains observed in a single 24-hour period. While
Hive0051 has leveraged DNS fluxing to avoid detection since at least as early as
December 2022, the automated synchronized fluxing of dynamic DNS records across
Telegram channels and Telegraph sites at scale points to a potential elevation
in actor resources and capability devoted to ongoing operations. In addition, by
deploying multiple consecutive stages of Hive0051’s exclusive Gamma variant
malware, the actor is able to remap victims to separate sets of actor-controlled
C2 fluxing clusters.

Based on X-Force observations, these Gamma variants have evolved over time from
the initial VBS-based GammaLoad variant, to include multiple obfuscation stages
and several scripts designed to enumerate victims and spread malware via
connected USB devices. Of note, the most recent iterations of the GammaLoad
PowerShell variant moved to a fileless approach and stored all malicious code
dispersed in the registry. Likewise, the same has been observed for the
GammaSteel PowerShell variant used to exfiltrate files upon infection.

X-Force assesses with high confidence that the evolution of rapid remapping of
infrastructure to include multi-channel DNS fluxing, continuous malware
development and the growing sophistication of malware and obfuscation is
evidence of Hive0051’s increasingly elevated level of capability.


KEY FINDINGS

 * For at least the last 12 months, Hive0051 has utilized a “multi-channel”
   fluxing approach to rapidly remap infrastructure to conduct operations and
   obfuscate activity.

 * X-Force is tracking multiple infrastructure clusters with dedicated Telegram
   channels, DNS apex domains, and Telegraph sites.

 * Hive0051 is able to graduate victims from one cluster to another by deploying
   multiple consecutive stages of Gamma variants.

 * Based on X-Force observations, Hive0051 has continuously evolved its malware
   development, experimenting with new techniques, adding obfuscation and
   several scripts designed to enumerate victims and spread malware to connected
   USB devices.

 * The recent PowerShell variant of the Gamma malware has switched to using a
   fileless approach, storing all malicious code dispersed in the Windows
   registry. The same has been observed for the GammaSteel PowerShell variant
   used to exfiltrate files and credentials upon infection.

 * It is highly likely that Hive0051 will continue to foster evolving
   methodologies to facilitate operations potentially indicating increasingly
   elevated levels of capability.


ANALYSIS


WHAT IS MULTI-CHANNEL DNS FLUXING? 

Standard DNS fluxing, or fast-fluxing, is a technique threat actors use to
rapidly rotate infrastructure by regularly changing the IP address that their C2
domain points to in public DNS records. Hive0051 has adopted the novel use of
multiple channels to store DNS records, as opposed to a traditional DNS record
configuration. In this methodology, public Telegram channels and Telegraph sites
are essentially used as DNS servers and are fluxed in synchrony with the DNS
records. This enables Hive0051 to fall back to secondary channels in order to
resolve the currently active C2 server, should the domain be blocked via any of
the other channels.


INFECTION CHAIN

The use of fast fluxing in place of fixed subdomains is a relatively new
technique employed by Hive0051 to obfuscate activity and avoid detection. During
routine tracking of Hive0051 activity, X-Force uncovered new HTA files delivering
Hive0051’s exclusive GammaLoad malware. The collected HTA filenames, which point
to the wscript.exe executable, appear in multiple Slavic languages; their
machine-translated text shows they are crafted to look like legitimate legal or
project notifications in order to manufacture a sense of urgency. Given past
Hive0051 operations, the files were likely delivered via phishing campaigns;
however, X-Force also observed added functionality in the uncovered VBS and PS
GammaLoad variants that enables spreading via USB drives, signaling the potential
use of physical access through infected USB devices.

Activation of the malicious links initiates the infection chain illustrated in
the following diagram, which visualizes the various stages of a GammaLoad
infection observed by X-Force.



Fig. 1: GammaLoad multi-stage infection graph


INFECTION VECTOR

GammaLoad infections can be traced back to a number of malicious .XHTML files.
These contain obfuscated and Base64-encoded data, revealing a JavaScript
dropper.



Fig. 2: .XHTML file containing space-separated Base64 data



Fig. 3: JavaScript dropper 

The dropper contains a payload which is decoded and downloaded by the browser as
a RAR file. It also loads a remotely hosted resource, only displayed as a single
pixel, in order to track successful downloads. 

The resulting RAR archive contains a folder and an .HTA file (HTML Application),
both using enticing names designed to trick victims into opening them:



Fig. 4: .HTA file with filename lure

Once opened, the .HTA file runs a short VBScript block to download and execute
another remote .HTA file via the Windows binary mshta.exe.



Fig. 5: .HTA downloader


GAMMADROP: HTA VARIANT

The downloaded .HTA is the VBScript-based GammaLoad installer, which has been
used consistently for several months as of October 2023. It drops the embedded
GammaLoad payload as a text file to:

%APPDATA%\Microsoft\jealous


Note that the filename differs among samples. 

The most recent variants also search for a specific process running on the host:
QHActiveDefense.exe. This process is part of the 360 Total Security anti-virus
software. If it is detected, the embedded GammaLoad payload is run using the
command:

wscript.exe "%APPDATA%\Microsoft\jealous" //e:vbscript /log /bpt /cbl //b


without establishing persistence in the registry. 

If the installer does not detect the anti-virus process, it additionally writes
the above command into a registry key at:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TaskMedia


The name of the registry key also varies between samples.

Lastly, the installer attempts to open a document located at:

C:\ProgramFiles (x86)\Microsoft Office\Office <version>\Document Microsoft
Office.docx


This may intentionally throw an unobtrusive error.


GAMMALOAD: VBS VARIANT

One of the most commonly observed variants of GammaLoad is written in VBS. It
runs its main function in regular intervals of approx. 90 seconds. During a run,
it will start by resolving its C2 server. GammaLoad has several techniques to
accomplish this, also depending on the variant. All variants support resolving
an IP via DNS. GammaLoad uses a unique mechanism, by executing a WMI query:

select * from win32_pingstatus where address='<prefix><random_integer>.<apex_domain>'


This runs the ping command against a specific domain. The prefix used is often a
hardcoded keyword found in VBScript, for example, “FileExists” or “Asc”. It is
then concatenated with a random integer between 1 and 100 that is generated at
runtime. Each sample also contains a hardcoded apex domain, which is used to
build the subdomain for the DNS query. A few such example domains would be:

FileExists64.blakurin[.]ru

FileExists23.blakurin[.]ru

Asc16.acaenaso[.]ru

Asc88.acaenaso[.]ru


Secondary mechanisms to resolve C2 IPs include querying hardcoded Telegram
channels or Telegraph websites.



Fig. 6: Telegram channel



Fig. 7: GammaLoad parsing C2 IP from Telegram



Fig. 8: Telegraph site displaying C2 IP and Telegram channel ID

The more recent variants resolve not only an IP address but also a
corresponding Telegram channel ID. Both are written into text files and dropped
into the %TEMP% directory or a folder within %APPDATA%.

Once GammaLoad retrieves an active C2 IP address, it goes on to craft multiple
HTTP requests. The target URLs would often contain multiple random integers at
specific locations, as well as hardcoded paths. These differ between samples,
just like the custom HTTP headers added to the requests. Below is a list of
different attempted header variants incorporating hardcoded values:

Referer: <hardcoded URL, mostly unrelated>

Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4

Cookie: <hardcoded word>

Content-Length: <hardcoded value>

User-Agent: <used for profiling>


Note that some of these headers, such as Content-Length, are actually overwritten
by the MSXML2.XMLHTTP object and cannot be set manually by the malware. This,
along with non-matching hardcoded values such as the Cookie, may be used to
identify requests crafted by researchers.

The User-Agent string follows a specific format. It usually contains a real user
agent, followed by the C-drive serial number and the computer name environment
variable. The information is likely used to register a victim with the C2 server
and control further payloads.

User-Agent: mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml,
like gecko) chrome/85.0.4183.121 safari/537.36
opr/71.0.3770.284::<computername>_<serial_number_hex>::/.<hardcoded word>/.


As a response, GammaLoad expects one of two types of payload. If the response is
between 5 and 20 characters long, it is treated as a new Telegram ID and the
corresponding file is updated. Any longer response is deobfuscated,
Base64-decoded and executed as VBScript in memory.


GAMMADROP: VBS VARIANT

One of the GammaLoad payloads X-Force observed is a more sophisticated variant
of GammaDrop. It consists of a large VBScript file, with multiple encoded and
hardcoded payloads. Each of the components accomplishes a different task, by
either deobfuscating others, establishing persistence, or being the next
payload. 

This variant of GammaDrop creates a new scheduled task after dropping its
payload. The payload is another variant of GammaLoad. Of note, GammaDrop already
writes the two text files GammaLoad needs, containing a hardcoded IP address and
Telegram chat ID. By deploying another variant of GammaLoad on an already
infected host, the threat actor is able to sort victims and transfer them to a
new C2 cluster.


USB SPREADER

GammaLoad also has the capability to spread via USB drives. It does this by
copying itself recursively into subfolders of connected USB drives. In order to
lure victims into executing it, GammaLoad uses enticing filenames for Windows
shortcut files pointing to wscript.exe with a hidden payload.



Fig. 9: Deobfuscated GammaLoad USB spreader

The USB drives’ subfolders are recursively infected up to a depth of 3.  


GAMMALOAD: FILELESS PS VARIANT

In addition to the VBScript-based variants, there is also a PowerShell version.
Most of its functionality such as the USB spreading, C2 resolving and
communication works very similarly. One observed advantage of the PowerShell
version is the storing of all necessary code in the registry, making it almost
completely fileless:



Fig. 10: GammaLoad code stored in the registry 

In order to run, this variant dynamically loads and stores PowerShell code under
the registry path

HKCU:\System\


The following diagram illustrates how the different PowerShell execution blocks
are used:



Fig. 11: GammaLoad PowerShell registry execution

Most of the code is executed as a PowerShell job after being loaded from the
registry. Before copying to the USB drive, GammaLoad makes sure to merge all of
the codebase back into a single PowerShell template, which also writes the
initial registry persistence key and populates the registry again for the next
victim. 

Just like the VBS variant, it chooses from a list of lure filenames to create
malicious shortcut files:



Fig. 12: GammaLoad preparing shortcut file

The PowerShell variant of GammaLoad also uses a different prefix for resolving
its C2 address and is likely operated by a separate cluster of C2 servers.


C2 INFRASTRUCTURE

GammaLoad uses several different mechanisms to resolve its C2 server’s IP
address. To avoid detection and takedown, the C2 infrastructure also makes use
of a technique known as fast-fluxing. 

Every GammaLoad sample contains (or receives) a hardcoded apex domain, as well
as a telegram channel ID. In some cases, there is an additional telegraph URL,
which is used as well. The apex domain is set up with a wildcard DNS record,
causing all subdomains to resolve. Since GammaLoad chooses random subdomains of
a specific pattern, the DNS queries are always for a different subdomain. 

The C2 infrastructure consists of a large cluster of IP addresses. A GammaLoad
sample’s apex domain rotates through these IP addresses by having its DNS
records changed frequently. Currently, the IP addresses are updated between one
and three times a day.

Below is a table outlining the scale of one campaign. A large quantity of
actor-controlled domain names resolves to one active C2 IP address.



Fig. 13: Passive DNS results for GammaLoad (VBS) C2

The subdomains contain a specific keyword, which is hardcoded in each sample.
For instance, on a single day of activity in late September 2023, a single C2
server hosted more than 120 unique apex domains found in passive DNS data.
Using the hardcoded prefixes, X-Force was able to estimate a lower bound of
infected victims within that 24-hour period – adding up to at least 247
infections. It is virtually certain that the actual number of infections is
higher, as these calculations are based solely on directly observed unique
keyword+apex pairs and DNS requests whose visibility is limited by the scope of
available DNS telemetry. However, the number of infections may also be inflated
by “intentional” infections caused by researchers executing payloads within
sandbox environments.

Over the course of X-Force monitoring, Hive0051 has demonstrated a notable
increase in volume of attacks. In late October 2023, a single C2 server hosted a
minimum of 1,027 active GammaLoad VBS infections spanning across 327 unique
domains in a single 24-hour period.

For comparison, GammaLoad’s PowerShell variant uses a different prefix for its
apex domains, consisting only of a random integer, in order to avoid generating
duplicate subdomains:



Fig. 14: Passive DNS results for GammaLoad (PS) C2

By looking at the domain history of some of these domains, we can pivot to find
further IP addresses used for C2 communication: 



Fig. 15: Domain history for apex domain antarcticos[.]ru



Fig. 16: Domain history for apex domain garibdo[.]ru

Both domains show the same pool of rotated IP addresses in their historic DNS
records, with only a few exceptions. This is an indicator that both domains are
used by the same campaign and GammaLoad variant. 

Of note, GammaLoad fluxes its DNS records in sync with its multi-channel
infrastructure on Telegram and Telegraph. Every time the DNS record is updated,
the operator of the corresponding Telegram channel deletes the last message and
sends a new one containing the latest IP address. This “multi-channel fluxing”
technique ensures correct dynamic IP resolution even if the apex domain has been
found and blocked by a DNS server.
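As an added illustration of the passive DNS analysis described in this section (this is example code, not X-Force tooling or anything from the article), the following Python script applies the keyword+integer subdomain pattern to a constructed set of passive DNS records. It groups flagged apex domains by the IP they resolved to, counts unique keyword+apex pairs as the lower-bound estimate the article describes, and pivots from the resulting C2 IP set to pick up integer-only subdomains of the kind attributed to the PowerShell variant. The apex names are borrowed from the article's examples; the IPs, integers, the record format, the fixed keyword list and the IP-sharing pivot are all assumptions or constructed values of this example.

```python
import re
from collections import defaultdict

# Constructed passive DNS records as (query name, resolved IP). The apex names are
# the examples given in the article; the IPs (RFC 5737 test ranges), integers and
# the pairing of names to IPs are made up for this example and are not indicators.
SAMPLE_PDNS = [
    ("FileExists64.blakurin.ru", "198.51.100.7"),
    ("FileExists23.blakurin.ru", "198.51.100.7"),
    ("Asc16.acaenaso.ru", "198.51.100.7"),
    ("Asc88.acaenaso.ru", "198.51.100.7"),
    ("Asc3.acaenaso.ru", "198.51.100.9"),     # same sample after its record was fluxed
    ("Asc41.blakurin.ru", "198.51.100.7"),    # a second keyword on an already-seen apex
    ("57.antarcticos.ru", "198.51.100.7"),    # integer-only subdomain (PS variant style)
    ("www.example.org", "203.0.113.5"),       # unrelated lookup, must be ignored
    ("mail.blakurin.ru", "198.51.100.7"),     # ordinary subdomain of a flagged apex
]

# Keyword prefixes named in the article. Treating this as a fixed allow-list is an
# assumption of this example; real telemetry would extend it as new samples appear.
KNOWN_PREFIXES = ("FileExists", "Asc")

# <letters><1-3 digits>.<apex> for the VBS variant, <1-3 digits>.<apex> for the PS
# variant. The apex is assumed to be a two-label domain, as in the article's examples.
VBS_PATTERN = re.compile(r"^([A-Za-z]+)(\d{1,3})\.([a-z0-9-]+\.[a-z]{2,})$")
PS_PATTERN = re.compile(r"^(\d{1,3})\.([a-z0-9-]+\.[a-z]{2,})$")


def classify_vbs(qname):
    """Return (prefix, integer, apex) for a VBS-variant style lookup, else None."""
    m = VBS_PATTERN.match(qname)
    if not m:
        return None
    prefix, n, apex = m.group(1), int(m.group(2)), m.group(3)
    # The article states the random integer lies between 1 and 100.
    if prefix in KNOWN_PREFIXES and 1 <= n <= 100:
        return (prefix, n, apex)
    return None


def analyse(records):
    """Cluster flagged lookups by resolved IP and estimate a lower bound of infections."""
    vbs_hits = []
    for qname, ip in records:
        hit = classify_vbs(qname)
        if hit:
            vbs_hits.append((hit[0], hit[2], ip))
    # Every IP that served a keyword-pattern lookup is treated as a C2 cluster member.
    c2_ips = {ip for _, _, ip in vbs_hits}

    # Pivot: integer-only subdomains are only accepted when they resolve to an IP
    # already tied to the VBS pattern, which keeps ordinary numeric hostnames out.
    ps_hits = []
    for qname, ip in records:
        m = PS_PATTERN.match(qname)
        if m and ip in c2_ips:
            ps_hits.append((m.group(2), ip))

    apex_by_ip = defaultdict(set)
    for _, apex, ip in vbs_hits:
        apex_by_ip[ip].add(apex)
    for apex, ip in ps_hits:
        apex_by_ip[ip].add(apex)

    # The article bases its estimate on unique keyword+apex pairs: each pair is
    # counted once here, so the total is a lower bound, never an exact count.
    pairs = {(prefix, apex) for prefix, apex, _ in vbs_hits}
    return {
        "apex_domains_by_ip": {ip: sorted(s) for ip, s in apex_by_ip.items()},
        "keyword_apex_pairs": sorted(pairs),
        "lower_bound_vbs_infections": len(pairs),
        "ps_style_apex_domains": sorted({apex for apex, _ in ps_hits}),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_PDNS)
    for ip, domains in result["apex_domains_by_ip"].items():
        print(f"{ip}: {len(domains)} apex domain(s): {', '.join(domains)}")
    print("lower bound of VBS infections:", result["lower_bound_vbs_infections"])
    print("PS-style apex domains:", result["ps_style_apex_domains"])
```

On the constructed sample this yields three keyword+apex pairs (so a lower bound of three infections) and three apex domains on one C2 IP, one of which is reached only through the pivot. Against real resolver or passive DNS exports the same grouping reproduces the "many apex domains per active C2 IP" view shown in Fig. 13, and a change in the IP set from one day to the next is the DNS-side trace of the fluxing described above.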


SECONDARY PAYLOADS

After connecting to its C2 server, GammaLoad quickly downloads and executes
further payloads. These are often VBS/PS scripts with different objectives.
Firstly, it is not uncommon for GammaLoad to drop another stage of GammaLoad
onto an infected host. This is often a different variant, containing a new apex
domain and telegram channel ID. Presumably, this is done to “graduate” infected
machines into another cluster after initial infection, making it easier to sort
victim machines. The new C2 apex and telegram combination often has little to no
overlap with the previous one. The next stage of GammaLoad may include
additional functions that support more payloads, enumeration or USB spreading. 

GammaLoad also downloads data exfiltration and reconnaissance scripts within
minutes of infection. These are often PowerShell-based, per the example below:



Fig. 17: PowerShell reconnaissance script

The full script collects the following information:

 * Screenshot

 * Anti-virus products

 * System info:
   * OS Name
   * OS Version
   * Original Install Date
   * System Boot Time
   * System Type
   * System Directory
   * Logon Server
   * Domain
   * Total Physical Memory
   * Available Physical Memory

 * Drives

 * Running processes

 * Registry keys (installed software):
   * HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*
   * HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*

 * Desktop items

 * System drive serial number

 * Computer name


GAMMASTEEL

X-Force also observed a PowerShell-based GammaSteel variant residing in the
registry, dispersed among different keys just like GammaLoad. GammaSteel makes
use of a database file “layout.xml” to store pseudo-hashes of exfiltrated files
and avoid duplicate uploads. The files are selected based on hardcoded
extensions and copied into a temporary directory before the upload.



Fig. 18: GammaSteel PowerShell variant

This particular sample also used a hardcoded IP address as a fallback C2 server,
obfuscated as an integer array:



Fig. 19: GammaSteel script defining configuration values


CONCLUSION

Hive0051’s signature style is the use of relatively simple yet effective
malware. Evidence of this is the group’s wide arsenal of different variants, as
well as the large scale of its campaigns and infrastructure observed in passive
DNS data. Hive0051 does not appear to focus on staying under the radar, but
rather relies on increasing obfuscation and longer infection chains before
deploying more novel or advanced variants. Over time, Hive0051 has exhibited a
tendency to reuse code, TTPs and infrastructure. Nevertheless, Hive0051 has
steadily introduced credible improvements and explored new techniques such as
moving code to the registry, dispersing payloads, switching C2 request patterns
and adding further functionality to its toolsets.

It is highly likely Hive0051 will continue to focus activity against entities
based in and around Ukraine, given its established mission space and
demonstrated operational tempo. The observed malware undergoes constant
improvement, making it more resilient against detection and blocking. The new
use of multi-channel DNS fluxing to rapidly remap infrastructure may point to an
elevated threat capability. X-Force recommends that entities in the region
remain at a heightened level of defensive security.


RECOMMENDATIONS

 * Ensure anti-virus software and associated files are up to date.

 * Exercise caution with suspicious filetypes:
   * .HTA
   * .HTML
   * .XHTML
   * .LNK

 * Hunt for processes executing malicious scripts:
   * wscript.exe with arguments “//e:vbscript” and others such as “/log”, “/bpt”
     or junk options
   * powershell.exe

 * Monitor for suspicious WMI queries:
   * “Select * from win32_pingstatus where address=<C2_domain>”

 * Monitor for suspicious connections to Telegram and Telegraph services

 * Hunt for registry keys containing PowerShell code.

 * Search for existing signs of the indicated IoCs in your environment. 

 * Keep applications and operating systems running at the current released patch
   level.

 * Exercise caution with attachments and links in emails.
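The hunting items above, together with the HTTP header profile described in the GammaLoad VBS section, translate into a handful of concrete detection rules. The Python below is an added example (not X-Force's code or any vendor's rule set) that runs four such rules over a constructed batch of endpoint and proxy telemetry: wscript.exe forcing the VBScript engine with junk single-slash options, Win32_PingStatus used as a resolver, the host-profiling suffix on the User-Agent, and PowerShell code stored as registry value data. The event schema, field names, paths, host name, serial and registry contents are all hypothetical values made up for the example.

```python
import re

# Constructed telemetry events modelled on the indicators described in the article.
# The field names are a hypothetical generic schema, and the paths, host name,
# serial and registry data are made-up values, not indicators from the page.
EVENTS = [
    {"type": "process",
     "cmdline": r'wscript.exe "C:\Users\u\AppData\Roaming\Microsoft\jealous" //e:vbscript /log /bpt /cbl //b'},
    {"type": "process",
     "cmdline": r'wscript.exe "C:\Scripts\inventory.vbs" //nologo'},
    {"type": "wmi_query",
     "query": "select * from win32_pingstatus where address='FileExists64.blakurin.ru'"},
    {"type": "wmi_query",
     "query": "SELECT Name FROM Win32_Process"},
    {"type": "http",
     "user_agent": "mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 "
                   "(khtml, like gecko) chrome/85.0.4183.121 safari/537.36 "
                   "opr/71.0.3770.284::DESKTOP-AB12CD_1a2b3c4d::/.jealous/."},
    {"type": "http",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:118.0) Firefox/118.0"},
    {"type": "registry",
     "path": r"HKCU\System\n1",
     "data": "$b=[Convert]::FromBase64String($env:k);Start-Job -ScriptBlock {Invoke-Expression $b}"},
    {"type": "registry",
     "path": r"HKCU\Software\Vendor\App\Theme",
     "data": "dark"},
]


def rule_wscript_junk_options(cmdline):
    """wscript.exe forcing the VBScript engine while carrying single-slash options.

    Windows Script Host options all begin with a double slash, so single-slash
    tokens such as /log or /bpt are junk passed through to the script. Treating
    every single-slash token as junk is this example's heuristic.
    """
    tokens = cmdline.lower().split()
    if not tokens or "wscript.exe" not in tokens[0]:
        return False
    engine_override = any(t.startswith("//e:vbscript") for t in tokens)
    junk = [t for t in tokens if t.startswith("/") and not t.startswith("//")]
    return engine_override and bool(junk)


WMI_PING = re.compile(r"select\s+\*\s+from\s+win32_pingstatus\s+where\s+address\s*=", re.I)


def rule_wmi_pingstatus(query):
    """Win32_PingStatus used as a DNS resolver, per the query shown in the article."""
    return WMI_PING.search(query) is not None


# ::<computer name>_<hex serial>::/.<word>/. appended to an otherwise ordinary UA.
UA_TAG = re.compile(r"::[^:\s]+_[0-9a-f]+::/\.[^/\s]+/\.$", re.I)


def rule_tagged_user_agent(user_agent):
    """User-Agent carrying the host-profiling suffix described for GammaLoad."""
    return UA_TAG.search(user_agent) is not None


PS_TOKENS = re.compile(r"frombase64string|invoke-expression|\biex\b|start-job|-encodedcommand", re.I)


def rule_powershell_in_registry(data):
    """Registry value data that looks like PowerShell code, wherever it is stored."""
    return PS_TOKENS.search(data) is not None


def evaluate(events):
    """Run every rule over the events; return (rule name, event index) alerts."""
    alerts = []
    for i, ev in enumerate(events):
        if ev["type"] == "process" and rule_wscript_junk_options(ev["cmdline"]):
            alerts.append(("wscript_junk_options", i))
        elif ev["type"] == "wmi_query" and rule_wmi_pingstatus(ev["query"]):
            alerts.append(("wmi_pingstatus_resolution", i))
        elif ev["type"] == "http" and rule_tagged_user_agent(ev["user_agent"]):
            alerts.append(("tagged_user_agent", i))
        elif ev["type"] == "registry" and rule_powershell_in_registry(ev["data"]):
            alerts.append(("powershell_in_registry", i))
    return alerts


if __name__ == "__main__":
    for name, idx in evaluate(EVENTS):
        print(f"[{name}] event {idx}: {EVENTS[idx]}")
```

Each rule keys on a property the article attributes to the malware family rather than on a specific sample value (a hardcoded path, keyword or registry name), since those are stated to vary between samples. The registry rule deliberately ignores the key path: the page places the PowerShell variant under HKCU:\System, but value data that parses as PowerShell is suspicious wherever it sits, and a path-only rule would miss the next relocation.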

To learn how IBM Security X-Force can help with anything regarding cybersecurity
including incident response, threat intelligence or offensive security services,
schedule a meeting here: IBM Security X-Force Scheduler.

If you are experiencing cybersecurity issues or an incident, contact IBM
Security X-Force for help: US hotline 1-888-241-9812 | Global hotline (+001)
312-212-8034.

Golo Mühr
X-Force Threat Intelligence, IBM
Claire Zaboeva
Senior Strategic Cyber Threat Analyst, IBM
Joe Fasulo
Cyber Threat Researcher - IBM X-Force