After a three-month hiatus, there’s been a resurgence in detections and incidents connected to the Emotet botnet, as observed by @cryptolaemus1. And we’re seeing it as well. https://twitter.com/cryptolaemus1/status/1633099154623803394
Sophos X-Ops has seen a resurgence of spam messages carrying an Emotet-deploying payload—a ZIP attachment containing a malicious Word document with a script that launches the infection chain. /1 #threatintel #Sophosxops #emotet
As we mentioned in our recent thread on archive and disk image formats (https://infosec.exchange/@SophosXOps/109875659930771007), threat actors are moving to a variety of alternatives to traditional macros. One of the more prominent is OneNote – there’s been a big take-up of .ONE files as a malware vector in the last few weeks. Qakbot (https://news.sophos.com/en-us/2023/02/06/qakbot-onenote-attacks/), IcedID, and AsyncRAT have all used them. Their campaigns rely on social engineering to get users to open .ONE files with a variety of embedded files: HTA, BAT, VBS, WSF, EXE, JSE, CPL, CHM, and more. We’re expecting these to get more varied. Here’s a recent Qakbot example from our blog above: #sophosxops #threatintel #ioc
Sophos X-Ops is investigating reports of a new public exploit for CVE-2023-21768 affecting Windows 11.
Sophos customers are protected from this threat via runtime protection, specifically the PrivGuard mitigation (which prevents privilege escalation via token theft). #Sophosxops #threatintel
In October, we published research looking at whether threat actors were turning to archives and disk images, in response to Microsoft using Mark of the Web to disable macros in untrusted files https://news.sophos.com/en-us/2022/10/12/are-threat-actors-turning-to-archives-and-disk-images-as-macro-usage-dwindles/
At that time, we saw a downwards trend in detections of malicious Office macros. It was hard to say whether archive usage was going up, but there did seem to be an uptick in disk image files.
Looking at detections of just IMG files, between July 2022 – January 2023, we can see a clear increase, starting in August and accelerating in October, peaking in November. #infosec #ThreatIntel #SophosXops
The second Patch Tuesday of 2023 contains 75 fixes for a diverse set of product families, including Power BI, 3D Builder, PEAP, and PostScript. As is often the case, Windows accounts for the bulk of these, with 32 patches, including four of the nine Critical-severity bugs (all remote code execution: three in PEAP, and one in the iSCSI Discovery Service).
Microsoft Dynamics 365 and .NET and Visual Studio take second place with six each (including three Critical-rated RCE bugs in .NET and Visual Studio); followed by Office and Azure at five apiece.
3D Builder, which also showed up last month, makes a reappearance, albeit with fewer issues this time round – only two, compared to January’s 14. Both are Important-severity remote code execution vulnerabilities. 1/2 #sophosxops #threatintel #IoC
Over the past several months, we’ve been investigating two pig butchering (sha zhu pan) operations from Asia. Both show an evolution in tactics when compared to previous #CryptoRom scams. Now, rather than dating apps, these scammers are reaching out directly to their victims. #sophosxops #threatintel #ioc 1/4
Tax season is barely just getting started in Canada, but that's no impediment to a #spam campaign targeting Canadian taxpayers with #phishing links. In just a few days in January, we received hundreds of examples of #malspam purporting to originate with the Canada Revenue Agency (or #CRA).
Many of the messages shared distinctive characteristics with one another, like the use of oddly placed Trademark and Registered symbols in both the From: and Subject: headers. #Sophosxops #threatintel #ioc 1/9
We've been tracking the growth of #malware threat actors taking advantage of a (previously) rarely abused Office file format - the .one files used by the #OneNote application. Now a more prominent malware group, Qakbot, has joined the fray. 1/6 #Sophosxops #threatintel #IoC
https://news.sophos.com/en-us/2023/02/06/qakbot-onenote-attacks/
We’ve been tracking pig butchering (sha zhu pan) scams for 2+ years, and have seen many fake apps used to fool victims into “investing” cryptocurrency in fake markets. But we recently found a new twist: scammers managed to get their fake apps published on Apple’s App Store. /1 #sophosxops #threatintel #ioc
New bullies on the block: They don’t PLAY nice.
In mid-November 2022, #Sophos X-Ops responded to an incident where PLAY #ransomware, also known as #PlayCrypt, was found in an under-protected environment.
PLAY is a relatively new ransomware variant, first reported in mid-July of 2022. It deploys a variety of commonly abused tools, similar to other Ransomware-as-a-Service (RaaS) deployments such as Hive or Nokoyawa. In this thread we’ll walk through what Sophos X-Ops researchers @bencrypted and @th3_protoCOL saw in their analysis – a process our Rapid Response team observed in reverse, starting their work with this customer when they were called in at the 14-day mark.
The IoCs provided in this writeup are available on our Github: https://github.com/sophoslabs/IoCs.
#sophos #ransomware #playcrypt #threatintel #infosec #ioc #sophosxops
NEW: Windows 7 rides out of its final Patch Tuesday with 42 lovely parting gifts, as Microsoft released fixes for 98 CVEs on Tuesday. As is the custom, Windows accounted for most of those, with 66 patches affecting one or more versions of the operating system...
👉 https://news.sophos.com/en-us/2023/01/10/january-2023-patch-roundup/?cmp=30728
#infosec #threatintel #sophosxops
The scammers who scam scammers on cybercrime forums: Parts 1-4 🧵👇
A shadowy sub-economy is more than just a curiosity – it’s booming business, and also an opportunity for defenders...
1/5
#infosec #threatintel #sophosxops
Dive into more details on what we found in the article from Matt Wixey and the Sophos X-Ops team: https://news.sophos.com/en-us/2022/12/28/the-scammers-who-scam-scammers-on-cybercrime-forums-part-4/?cmp=30726
#infosec #threatintel #SophosXOps
12/12
NEW part four: The scammers who scam scammers on cybercrime forums
In the fourth and final part of our series, we look at why scammers scamming scammers is a huge intelligence opportunity for researchers...
#infosec #threatintel #sophosxops
NEW part III: The scammers who scam scammers on cybercrime forums
In the third part of our series, we look at the curious case of twenty fake marketplaces...
#infosec #threatintel #sophosxops
NEW: Signed driver malware moves up the software trust chain
The criminals signed their AV-killer malware, closely related to one known as BURNTCIGAR, with a legitimate WHCP certificate...
#infosec #threatintel #ioc #sophosxops #patchtuesday
Sophos X-Ops has released signatures for the Microsoft Internet Explorer vulnerability CVE-2022-41128: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41128 #sophosxops
Sophos Endpoint IPS, Sophos XG Firewall and SFOS: 2307933, 2307934
NEW: The scammers who scam scammers on cybercrime forums
A shadowy sub-economy is more than just a curiosity – it’s booming business, and also an opportunity for defenders. We look at the forums involved and how they deal with scammers scamming scammers...
#infosec #threatintel #Sophosxops #scammersscammingscammers
1/17