
CherryLoader: A New Go-based Loader Discovered in Recent Intrusions

Arctic Wolf Labs has been tracking two recent intrusions where threat actors leveraged a new Go-based malware downloader we are calling “CherryLoader” that allowed them to swap exploits without recompiling code. The loader’s icon and name masqueraded as the legitimate CherryTree note-taking application to trick the victims.

Navigating the threat landscape of LockBit

Imagine a virtual phantom slipping through digital shadows, silently locking away data, and leaving a haunting message demanding a ransom. That is LockBit ransomware, the stealthy troublemaker in the world of cybersecurity. In this blog, let’s unpack the mysteries of LockBit: how it sneaks in and wreaks havoc, and why businesses should be on high alert.

The 443 Podcast - Episode 276 - Androxgh0st Analysis

This week on the podcast, we review a CISA and FBI joint advisory on the Androxgh0st malware. Before that, we cover recent Volt Typhoon activity targeting SMB routers exposed on the internet. We end the episode with a fun research blog post about a series of flaws in an Indian insurance provider. The 443 Security Simplified is a weekly podcast that gets inside the minds of leading white-hat hackers and security researchers, covering the latest cybersecurity headlines and trends.

Ransomware-as-a-Service Will Continue to Grow in 2024

Ransomware-as-a-service (RaaS) may not be a brand-new tactic on the cyber battlefield, but it’s quickly gaining popularity among threat actors. For at least the past five years, cybercriminals have not only realized the monetary effectiveness of ransomware, but have understood that by banding together and utilizing each other’s strengths, they could expand their ransomware attacks, split the profits, and utilize stolen data to launch future cyberattacks on larger organizations.

How to Conduct a Diary Study to Uncover User Needs with Rubrik User Researcher Jenny Li

How well would you say you know your users? Are you a designer, product manager, startup founder or anyone looking to better understand the needs of their target audience and wondering whether a diary study is the right methodology for your discovery research project? Look no more! Jenny Li's talk will help you understand how to conduct a diary study, what you need to plan for, and what you'll get out of it.

Open the DARKGATE - Brute Forcing DARKGATE Encodings

DARKGATE is Windows-based malware that is sold on the dark web. DARKGATE is a fully functional backdoor that can steal browser information, drop additional payloads, and steal keystrokes. Kroll previously noted DARKGATE’s distribution via Teams. When the DARKGATE payload runs on a victim system, it creates a randomly named folder within C:\ProgramData that contains encoded files. Within the randomly named folder are a short configuration file and the output of keystrokes logged on the system.

'Swatting' Becomes the Latest Extortion Tactic in Ransomware Attacks

Rather than stick to traditional ransomware extortion methods that revolve around the attack itself, a new form of extortion known as swatting puts the focus on the victim organization’s customers. A somewhat unexpected mode of extortion appears to be popping up in attacks targeting medical institutions. According to Dark Reading, cybercriminals are making repeat prank calls to police about individuals who are patients impacted by a data breach at a medical facility they are customers of.

Rubrik Security Cloud-Government is StateRAMP Certified

Here at Rubrik, few things excite us more than knowing that the work we do enables a smoother functioning of our governments. Government organizations have an important duty to defend our nation’s critical institutions and essential infrastructure against threat actors—while operating with limited budgets and limited resources. Rubrik has a long history of securing public sector institutions. We have relentlessly focused on developing products that ensure rapid and confident cyber recovery.

Enter The Gates: An Analysis of the DarkGate AutoIt Loader

AutoIt is a scripting language designed for automating the Windows GUI and general scripting. Over the years, it has been utilized for malicious purposes, including AutoIt-compiled malware, which dates back to as early as 2008. Malware creators have exploited the versatility of AutoIt in a variety of ways, such as using obfuscated scripts for payload decryption, utilizing legitimate tools like BaSupportVNC, and even creating worms capable of spreading through removable media and Windows shares.