- Written by Ari Denial, Cybersecurity & Tech Writer
ALPHV has gained notoriety for targeting critical infrastructure and health entities, in contrast to some other ransomware operators who have avoided such targets. This attack is detailed in a blog post by Mandiant, which includes information on detection and indicators.
According to Mandiant, a commercial scanning service has revealed the existence of over 8,500 IP addresses publicly advertising the “Symantec/Veritas Backup Exec ndmp” service on ports 10000, 9000, and 10001.
Mandiant’s findings reveal that the UNC4466 threat actor group compromised a Windows server running Veritas Backup Exec using a Metasploit module and maintained access to the host.
They used tools like Advanced IP Scanner and ADRecon to gather information about the victim’s environment and downloaded additional tools, including the ALPHV ransomware encryptor. The group used SOCKS5 tunneling for C2 communication and employed BITS transfers to download tools and deploy the ransomware payload.
To escalate privileges, the group used Mimikatz, LaZagne, and Nanodump to harvest user credentials; to evade detection, they cleared event logs and disabled Microsoft Defender’s real-time monitoring.
Defenders can use the guidance provided in Mandiant’s report to detect UNC4466 attacks promptly and take necessary measures to prevent the execution of the ALPHV payload on their systems.
Typhon Reborn Stealer Malware Returns with Sophisticated Evasion Tactics, Security Experts Warn
- Written by Ari Denial, Cybersecurity & Tech Writer
The developer of Typhon Reborn Stealer, a malware family with a reputation for successfully stealing confidential data, has released an updated version (V2) of the software.
This new version has recently resurfaced, and the creator has implemented improved strategies to evade detection and analysis. The enhanced tactics used by the perpetrator have caused concern among security experts, who fear that the updated malware’s sophisticated capabilities may result in more significant harm than its previous iteration.
The new version (V2) of the Typhon Reborn malware has been reported to include substantial enhancements aimed at hindering analysis through the implementation of anti-virtualization mechanisms.
The inclusion of these advanced features demonstrates the malware developer’s efforts to make the software more resilient against analysis and highlights the importance of continued vigilance and investment in cutting-edge security measures.
The updated version of Typhon Reborn is being sold on the dark web for a subscription fee of $59 per month, $360 per year, or $540 for a lifetime subscription.
Cisco Talos has reported that the codebase of Typhon V2, the recently resurfaced information-stealing malware, has undergone significant modifications to enhance its resilience and stability. The latest version features improved string obfuscation through the use of Base64 encoding and XOR, making analysis more challenging.
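As an added, illustrative example (not Cisco Talos’s or the malware’s code), the following Python helper shows how an analyst can recover strings protected by this kind of Base64-plus-XOR layering. The constructed sample assumes a single-byte XOR key applied before Base64 encoding; the real key length and operation order are not stated in the report.

```python
import base64
from typing import List, Tuple

# Constructed sample: a plaintext XORed with a single-byte key, then Base64-encoded.
# Typhon V2 is reported to layer Base64 and XOR; the real key length and
# operation order are not on the page, so this one-byte-key-then-Base64 layout
# is an assumption of the example.
PRINTABLE = set(range(0x20, 0x7F))  # space through '~'
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = "https://api.telegram.org/bot<TOKEN>/sendDocument"  # constructed

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; XOR is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def obfuscate(plaintext: str, key: int) -> str:
    """Apply the assumed layering (XOR, then Base64) to build test input."""
    return base64.b64encode(xor_bytes(plaintext.encode(), bytes([key]))).decode()

def deobfuscate(blob: str, key: int) -> str:
    """Reverse the layering when the key is already known from analysis."""
    return xor_bytes(base64.b64decode(blob, validate=True), bytes([key])).decode("latin-1")

def printable_ratio(data: bytes) -> float:
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0

def recover(blob: str, crib: str = "", min_ratio: float = 0.95) -> List[Tuple[int, str]]:
    """Brute-force the single-byte key. Returns (key, text) candidates whose
    decoding is mostly printable and contains the crib (e.g. 'http'), best first.
    Without a crib several keys can look plausible, so the list is for triage."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return []
    hits = []
    for key in range(256):
        text = xor_bytes(raw, bytes([key]))
        ratio = printable_ratio(text)
        decoded = text.decode("latin-1")  # never fails; lets us search for the crib
        if ratio >= min_ratio and crib in decoded:
            hits.append((ratio, key, decoded))
    hits.sort(reverse=True)
    return [(key, text) for _, key, text in hits]

SAMPLE_BLOB = obfuscate(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    for key, text in recover(SAMPLE_BLOB, crib="http"):
        print(f"key=0x{key:02x} -> {text}")
```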
Moreover, the malware has been updated with advanced anti-infection mechanisms that evaluate a wider range of factors such as usernames, CPUIDs, applications, processes, debugger/emulation checks, and geolocation data before executing the malicious routines.
Additionally, the malware can exclude specific regions or follow a customized geolocation list according to the operator’s preferences.
Typhon Reborn’s latest version boasts a new feature that allows it to differentiate between a victim’s environment and a simulated environment on a researcher’s computer.
Typhon Reborn’s updated version continues to target various applications and extensions, such as messaging apps, email clients, cryptocurrency wallets, VPN clients, and gaming apps, and can also capture screenshots.
The malware now has a file grabber component that enables the attackers to search for and exfiltrate specific files. The stolen data is transmitted via HTTPS, using the Telegram API, which was also the method of choice in the original version.