Overview 

The Cybersecurity and Infrastructure Security Agency (CISA) has once again emphasized the critical importance of addressing IT vulnerabilities. This week, Cyble has reported multiple vulnerabilities across IT devices based on the findings published in the Known Exploited Vulnerabilities (KEVs) catalog.  

Among the most concerning vulnerabilities in the list are CVE-2024-11680, CVE-2024-23113, and CVE-2024-47575, as well as others like CVE-2024-10924, CVE-2023-50094, and CVE-2024-38077. The vulnerabilities included in this updated list, classified as Known Exploited Vulnerabilities (KEVs), pose online threats to both government and private sector organizations.  

These flaws are not just theoretical or potential risks; they have been actively exploited by threat actors, making it essential for organizations to take immediate action to patch or mitigate these weaknesses in their systems. The CISA’s KEV catalog highlights which vulnerabilities need to be addressed immediately to prevent cybercriminals from taking advantage of them. 

Major IT Vulnerabilities Listed in the Known Exploited Vulnerabilities Catalog 

Among the most urgent vulnerabilities is CVE-2024-11680, which affects the popular network management software used by many large organizations. This vulnerability, if left unaddressed, can allow attackers to remotely execute arbitrary code, enabling them to gain unauthorized access to sensitive data or disrupt business operations.  

• CVE-2024-23113 is another severe IT vulnerability listed by CISA. This flaw is tied to a specific version of a widely deployed application, leaving it susceptible to exploitation through specially crafted requests that could allow an attacker to gain control over an affected system. The widespread use of this application in various industries—from finance to healthcare—means that the ramifications of an exploit could be catastrophic if left unpatched. 

• CVE-2024-47575, a vulnerability in yet another popular software package, has been flagged as critical by both CISA and security experts. Attackers can exploit this flaw to escalate their privileges, potentially taking control of a system and bypassing normal security mechanisms. Such an escalation could result in the compromise of sensitive data or the deployment of ransomware, making this a particularly malicious vulnerability. 

Other Vulnerabilities on the Radar 

In addition to the three high-priority vulnerabilities, CISA’s latest KEV catalog also includes other notable IT vulnerabilities, such as CVE-2024-10924, CVE-2023-50094, and CVE-2024-38077. While these flaws may not be as widely exploited as the previous ones, they still pose serious risks and require immediate attention. 

• CVE-2024-10924, for example, is a vulnerability in a widely used version of open-source software that could allow remote code execution. If exploited, attackers could bypass security controls and access systems that are critical to both business and governmental functions. 

• CVE-2023-50094 is related to a flaw in a popular content management system, which could allow attackers to execute arbitrary code remotely. As businesses and organizations increasingly rely on digital platforms to manage content, vulnerabilities like this one could open the door to a range of cyberattacks, from data breaches to full system takeovers. 

• CVE-2024-38077 impacts a specific configuration of a widely used database management system. Though not as severe as some of the other vulnerabilities, it can still lead to data corruption or unauthorized access if exploited. 

Mitigations and Recommendations 

Organizations can protect themselves from these vulnerabilities by implementing a range of security measures. Some of these measures include:  

• Regularly update software and hardware with the latest patches from official vendors and apply critical patches immediately. 
• Develop a patch management strategy, including inventory management, testing, deployment, and automation for efficiency. 
• Segment the network to isolate critical assets, using firewalls, VLANs, and access controls to reduce exposure. 
• Create and maintain an incident response plan, regularly testing and updating it to address current threats. 
• Implement monitoring and logging systems, such as SIEM, for real-time threat detection and analysis. 
• Subscribe to security alerts from official sources and conduct regular VAPT exercises to identify and fix vulnerabilities. 

Conclusion 

The publication of new Known Exploited Vulnerabilities (KEVs) by CISA serves as a vital resource in the fight against cybercrime. The vulnerabilities highlighted in the latest list, including CVE-2024-11680, CVE-2024-23113, and CVE-2024-47575, require immediate attention. The inclusion of these flaws highlights the importance of being proactive in identifying and addressing IT vulnerabilities before they can be exploited by attackers. 

The post CISA Releases New List of Known Exploited Vulnerabilities, Urges Immediate Actions  appeared first on Cyble.

Blog – Cyble – ​Read More

The U.S. has never faced a more challenging time for cybersecurity, with critical infrastructure under siege, nation-state threat actors emboldened, and a new Presidential Administration that could usher in policy changes and a possible government restructuring.

A new Cyble report highlights the cyber threats and challenges facing the U.S., offering critical insights into the biggest threats that organizations must grapple with. The report examines the top threats, threat actors, and attack targets; hacktivism trends; more than 50 actively exploited IT and ICS vulnerabilities; Dark Web and cybercrime trends; and recommendations for security teams.

Major U.S. Cyber Challenges

The challenges that will help define the U.S. cybersecurity direction in the coming months include:

Disinformation: Efforts to influence the U.S. election escalated significantly in the final weeks of the campaign. The main foreign actors involved in influence campaigns—notably Russia, China, and Iran—will likely continue to try to influence U.S. policy and discourse.

The Future of CISA: The Republican “Project 2025” agenda includes proposals to reorganize the top U.S. cybersecurity agency and its responsibilities at a time when critical infrastructure is facing significant challenges.

Nation-State Threats: Concern about foreign adversaries escalated when China-linked threat actors successfully infiltrated U.S. telecom systems to access wiretap data and the phone data of top U.S. officials. As China is believed to have significantly infiltrated critical infrastructure in the U.S. and elsewhere, national cyber agencies must do more to detect and remove these threats.

AI in Social Engineering: The proliferation of AI technology is enhancing the effectiveness of social engineering attacks, enabling more personalized and convincing tactics that have scammed average citizens as well as multi-national corporations. To help combat this rising threat, Cyble has added AI deepfake detection and takedown services to its threat intelligence suite.

Dark Web and Cybercrime: Dark Web activity remains a major threat, as exploits are under discussion on cybercrime forums within hours after vulnerabilities are publicly revealed, and zero-day vulnerabilities can frequently be found for sale on these forums.

Healthcare and OT/ICS environments: Threat actors continue to heavily target healthcare and critical infrastructure, with Manufacturing, Energy, Oil and Gas, and Building Automation being the leading attack targets detected by Cyble.

Ransomware: The U.S. is by far the biggest ransomware target, and data exfiltration is increasingly a goal of ransomware groups.

Infostealers continue to grow in frequency and sophistication, threatening the accounts and credentials of both enterprises and consumers.

Most Active Threat Groups and Ransomware Targets

Cyble detected four of the most active threat groups in October: ransomware groups. RansomHub was the top threat actor, followed by DragonForce, Lockbit, and Storm-0501. An APT group, UNC5812, rounded out the top five.

According to Cyble data, the U.S. remains the biggest ransomware target, with October attack volumes 10 times higher than in any other country (chart below).

Healthcare is being increasingly targeted by ransomware groups, and the effects on patient care are predictably dire. Texas Tech Health Sciences Center, Aspen Healthcare Services, and Boston Children’s Health Physicians were among the bigger ransomware targets in October.

The full report examines more than 30 threat groups, more than 50 IT and ICS vulnerabilities, and 52 malware families. The top malware families observed by Cyble in October were:

• Hydra
• Lynx
• Nitro
• RansomHub
• Rhysida
• Hellcat Ransomware
• Cactus
• Everest
• Medusa
• Interlock

Hacktivism Trends

Hacktivism remained significantly active heading into the election, both in the U.S. and elsewhere. Israel and Palestinian concerns were by far the most dominant – and played a surprisingly pivotal role in the U.S. election in some states, most notably in Michigan and Wisconsin.

Some of the most active hacktivist groups in October included:

• XYZ/Alpha Wolf
• Key Group
• NoName
• Cyber Operation Alliance
• Anon Black Flag

Dark Web and Cybercrime Activity

The dark web has become a democratizing force in cybercrime, giving less experienced threat actors and hacktivists access to more sophisticated exploits, leaked files, credentials, stolen credit cards, compromised endpoints, and more.

Cyble dark web researchers typically see ten or more vulnerability exploits discussed each week on cybercrime forums, many of which have available Proof of Concept (PoC) exploits that can be easily deployed.

Cyble’s AI-powered threat intelligence tool detected 1.5 million data exposures, 48,000 compromised endpoints, and 178,000 leaked credentials in October, all readily available for a price.

The report also looked at 34 IT and 20 ICS vulnerabilities targeted by attackers, many of which were discussed on dark web forums. Network devices are frequently a starting point for cyberattacks, but the list touches a wide range of systems that hackers use to move laterally, elevate privileges, and establish persistence.

Cyble Recommendations

The threat landscape may appear overwhelming at times, but good cybersecurity practices performed regularly can do much to reduce your attack surface. Patching, network segmentation, air-gapped backups, monitoring and logging, vulnerability assessments, and a strong incident response plan are all essential practices that take time but don’t necessarily carry a high price tag. Cyble can help with cost-effective vulnerability intelligence and scanning services targeted to individual environments.

The post New Report Highlights Critical Cybersecurity Challenges Facing the U.S. appeared first on Cyble.

Blog – Cyble – ​Read More

Overview

Zyxel firewalls have come under scrutiny following a wave of attacks leveraging vulnerabilities to deploy Helldown ransomware. A critical directory traversal vulnerability, tracked as CVE-2024-11667, in the Zyxel ZLD firmware (versions 5.00–5.38) has been linked to these breaches.

Attackers exploit this flaw to steal credentials and execute malicious activities, including creating unauthorized VPN connections and modifying security policies.

CERT Germany (CERT-Bund) and Zyxel have issued urgent advisories detailing these threats and recommending immediate action to mitigate risks.

Understanding the Vulnerability: CVE-2024-11667

CVE-2024-11667 is a directory traversal vulnerability in Zyxel’s firewall firmware. It allows attackers to upload or download files via specially crafted URLs, potentially leading to credential theft and unauthorized access.

This vulnerability impacts:

• ATP and USG FLEX series firewalls in on-premise mode.
• Devices running ZLD firmware versions from 4.32 to 5.38 with remote management or SSL VPN enabled.

Devices using Nebula cloud management mode are not affected.

Helldown Ransomware Evolution
Initially observed in August 2024, Helldown has escalated in sophistication, leveraging the CVE-2024-11667 vulnerability in Zyxel USG Flex and ATP firewall series. The vulnerability, though unidentified, appears to allow unauthorized access even on patched systems if account credentials remain unchanged.

Helldown, derived from the infamous LockBit ransomware builder, targets organizations with advanced tactics, including lateral movement within networks. Its leak site has named 32 victims globally, with five German entities suspected as targets, CERT-Bund (BSI) said.

Key Attack Observations

• Attack Vectors: Exploitation of firewall vulnerabilities for initial access.
• Post-Exploitation Tactics: Creation of unauthorized accounts (e.g., “SUPPORT87”), lateral movement, and persistent backdoors.
• Impact: Data exfiltration, encryption of critical assets, and operational disruptions.

Identifying Signs of Compromise

Indicators of a compromised Zyxel firewall include:

1. Unauthorized SSL VPN Connections:
   • VPN accounts such as “SUPPORT87,” “SUPPOR817,” or “VPN” appear in connection logs.
   • Login attempts from non-recognized IP addresses, often routed through VPN services.

2. Modified Security Policies:
   • Policies granting unrestricted access (e.g., “ANY to ANY”) between WAN, LAN, and SSL VPN zones.
   • Changes to NAT rules allowing WAN-to-LAN access.

3. Suspicious Admin Activity:
   • Creation of unauthorized admin accounts.
   • Login attempts from unrecognized IPs.
   • Activity logs in SecuReporter showing unusual administrative actions.

4. AD Server Targeting:
   • Attackers use stolen administrator credentials to access Active Directory (AD) servers via SSL VPN connections, potentially encrypting files.

Steps to Detect and Remediate a Compromised Firewall

Detection

• Check for unknown VPN connections or user accounts in logs.
• Review SecuReporter activity logs for unauthorized admin actions.
• Inspect firewall rules for unusual access permissions.

Remediation

Upgrade Firmware:
Update to ZLD 5.39 or later to patch CVE-2024-11667 and implement security enhancements.

Change Credentials:

• Update passwords for all admin and user accounts (local and Active Directory).
• Change VPN pre-shared keys and external authentication server credentials.

Remove Unauthorized Accounts:

• Delete unrecognized admin and user accounts.
• Force logout for all untrusted sessions.

Review Security Policies:

• Remove rules that allow unrestricted access.
• Ensure policies restrict WAN, LAN, and SSL VPN traffic as needed.

Monitor Logs:
Continuously analyze logs for suspicious activity and unauthorized access attempts.

Best Practices for Securing Zyxel Firewalls

To prevent future compromises, Zyxel recommends the following measures:

Restrict Access:

• Disable remote management if not required.
• Implement IP restrictions for accessing the management interface.

Change Default Ports:

• Modify default HTTPS and SSL VPN ports to reduce exposure.

Enable Two-Factor Authentication (2FA):

• Require 2FA for admin and user logins to strengthen access control.

Geo-Restriction Rules:

• Use Geo-IP filtering to block traffic from untrusted regions.

Encrypt Configuration Files:

• Add private encryption keys to secure configuration files.

Regular Backups and Monitoring:

• Maintain updated backups of firewall configurations.
• Continuously monitor for vulnerabilities using threat intelligence feeds.

Conclusion

The exploitation of Zyxel firewall vulnerabilities underscores the importance of proactive cybersecurity measures. Organizations using affected devices must prioritize firmware updates, strengthen access controls, and actively monitor for suspicious activity.

The Helldown ransomware campaign highlights the dangers of leaving systems exposed to known vulnerabilities. By adopting a layered security approach, including 2FA, IP filtering, and robust monitoring, organizations can effectively safeguard their networks against similar threats.

References:

https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2024/2024-290907-1032.pdf?__blob=publicationFile&v=3

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-protecting-against-recent-firewall-threats-11-27-2024

https://support.zyxel.eu/hc/en-us/articles/21878875707410-Zyxel-USG-FLEX-and-ATP-series-Upgrading-your-device-and-ALL-credentials-to-avoid-hackers-attacks#h_01J9RQPFVV0YYZY0CG3PJT7MAD

https://community.zyxel.com/en/discussion/26764/ransomware-helldown

The post German CERT Warns Zyxel Firewalls Exploited for Helldown Ransomware Deployment appeared first on Cyble.

Blog – Cyble – ​Read More

We at Kaspersky recently conducted a study and found that the average person spends $938 a year on 12 subscriptions. This just confirms that in today’s world, being subscribed to numerous services is just as much a part of everyday life as having your smartphone with you at all times.

There are subscriptions for everything: music, movies, fitness, security solutions, and even messaging apps. In this article, we’ll focus on one of the latter — Telegram Premium, a subscription that doubles almost all the messenger’s free-version’s limits. And the coolest thing about it is that you can give it to your friends as a present. If you have a large contact list, Telegram frequently reminds you of this possibility. Of course, scammers are exploiting this feature, sending out fake Telegram Premium gift subscriptions left and right.

So what’s behind these gift subscriptions from cybercriminals — and how can you protect your Telegram account?

How the Telegram gift-subscription scam works

It all starts with an innocent-looking Telegram message from someone in your contact list (actually — an impostor): “You’ve been sent a gift — a Telegram Premium subscription”. Beneath it is a link that, at first glance, seems legitimate. And indeed, it leads to an official-looking Telegram Premium channel. But there’s a catch…

The text you see — https://t.me/premium — actually hides a link to a completely different phishing page. It’s a simple trick. Consider this example: here’s a link to the Kaspersky Daily blog homepage — https://kaspersky.com/blog, but it actually redirects to the homepage of our other blog, Securelist. Scammers use the same principle: they mask their phishing links with seemingly legitimate addresses.

Let’s return to the Telegram gift-subscriptions scam. The phishing page looks like a regular Telegram login page in a browser. However, the scam is betrayed by the dodgy URL: the address starts with the familiar https://t.me, but then has something extra, which wouldn’t be there if were a legitimate page:

If you enter your account details here, consider them stolen. Your user name, password, and possibly your two-factor authentication code will end up in bad guys’ hands. Once you’ve handed over your credentials, the scammers display a congratulatory message and start a 24-hour timer, claiming it’s the activation period for Telegram Premium. This delay is a classic cybercriminal tactic. They’re counting on the user either forgetting about the subscription or believing it’s genuinely on its way. Most likely, the only thing that will happen during these 24 hours is that you’ll permanently lose access to your account.

How else do scammers exploit gift Telegram subscriptions?

Since Telegram Premium launched several years ago, various scam scenarios have emerged. Unsurprisingly, these scams bear similarities to other primitive forms of fraud we frequently discuss on the Kaspersky Daily blog.

For example, cybercriminals might claim to host a free raffle for a three-month Telegram Premium subscription. However, there’s no real drawing of the winning “tickets” — everyone’s a winner; however, the prize isn’t a genuine gift subscription. Victims are directed to click a link and log in to Telegram on a phishing site. And that’s where their accounts get compromised.

Another common tactic involves distributing APK files for supposedly “hacked” Telegram apps bundled with Premium subscriptions. Needless to say, such modified apps are often nothing more than malware in disguise.

Now, you’ll have noticed that the screenshots above are in various languages. The fact is that these scammers operate all over the world, and if this scheme hasn’t reached your region yet, rest assured it surely soon will. Therefore, you should ensure the security of your devices and accounts with reliable protection.

How to protect your Telegram account

To start, we recommend setting up your Telegram security and privacy using our guide. If you’ve already done this, here are some additional tips to help you avoid becoming a victim of these and other scams:

• Remember that there’s no such thing as a free lunch. Before celebrating a sudden gift, double-check if the sender really has good intentions. At the very least, contact them via a different communication channel — call them, use another messenger, or verify in person. As your personal account is at stake, you’d better err on the side of excessive caution.
• Purchase subscriptions only through official channels. Telegram, for example, has a designated bot for buying subscriptions.
• Enable two-factor authentication. This could be your last line of defense in case you fall for a scam. One way to store your 2FA tokens conveniently and securely is in Kaspersky Password Manager.
• Learn more about other ways scammers can steal your Telegram account. There are countless fraudulent schemes — many of which are more sophisticated than they appear.
• Slow down, even if you’re being rushed. Scammers love pressuring victims with timers. When it comes to your digital safety, ignore countdowns and take your time.
• Be cautious about alternative versions of apps. We recommend only using official apps, because unofficial versions are almost always loaded with Trojans.

Kaspersky official blog – ​Read More

In this article, ANY.RUN‘s analyst team will explore a malicious loader known as PSLoramyra. This advanced malware leverages PowerShell, VBS, and BAT scripts to inject malicious payloads into a system, execute them directly in memory, and establish persistent access.  

Classified as a fileless loader, PSLoramyra bypasses traditional detection methods by loading its primary payload entirely into memory, leaving minimal traces on the system. 

PSLoramyra Loader: Technical Analysis 

To see PSLoramyra loader in action, let’s have a look at its sample inside ANY.RUN’s sandbox: 

View analysis 

Initial PowerShell script 

Let’s take a closer look at this loader. The infection chain begins with an initial PowerShell script that contains both the main malicious payload and the scripts required to execute it. The script performs the following steps: 

1. File creation:  

The script generates three files critical to the infection chain: 

1. roox.ps1 

2. roox.bat 

3. roox.vbs 

2. Execution chain: 

1. The roox.vbs script is executed first to initiate the process. 

2. roox.vbs launches the roox.bat script. 

3. roox.bat then runs the roox.ps1 PowerShell script. 

3. Payload execution:  

The roox.ps1 script loads the main malicious payload directly into memory using Reflection.Assembly.Load.

It then leverages RegSvcs.exe to execute the payload. In this case, the payload is the Quasar RAT. 

Establishing Persistence with Task Scheduler 

The PowerShell script establishes persistence by creating a Windows Task Scheduler task that runs roox.vbs every two minutes. Here’s how it operates step by step: 
 

1. Creating the scheduler object: 

The script initializes a Task Scheduler object using the following command: 

New-Object -ComObject Schedule.Service  

It then connects to the Task Scheduler service: $scheduler.Connect() 

2. Defining a new task: 

A new task is created with: $taskDefinition = $scheduler.NewTask(0)  

The task is described, and its execution is enabled: $taskDefinition.Settings.Enabled = $true 

3. Setting the Trigger: 

A trigger is configured to execute the task every two minutes: $trigger.Repetition.Interval = “PT2M”  

4. Configuring the Task Action: 

The action specifies the execution of the roox.vbs script: $action.Path = “C:UsersPublicroox.vbs 

5. Registering the Task: 

Finally, the task is registered in the Task Scheduler, ensuring it runs continuously: $taskFolder.RegisterTaskDefinition() 

Script Creation 

The initial PowerShell script generates multiple scripts and writes them to the disk. This is achieved using the following command: [IO.File]::WriteAllText(“PATH”, CONTENT) 

The content of these scripts is initially stored in variables such as $Content. 

Detailed Script Breakdown 

Roox.vbs script 

This script runs every two minutes and acts as the starting point for executing the other scripts in the malware chain. Essentially, it serves as a link between the Task Scheduler and the subsequent scripts, ensuring the infection chain progresses successfully. 

The roox.vbs script launches the next script in the chain, roox.bat, in a hidden window. This ensures that its execution remains invisible to the user, maintaining the stealth of the infection process. 

1. Error handling: 

The command on error resume next suppresses error messages, allowing the script to continue execution even if exceptions occur. This ensures the script does not fail visibly during the process. 

2. CreateWshShellObj function 

This function creates a COM object named WScript.Shell. The object is used to execute commands and scripts, which are essential for launching the next stage in the infection chain. 

3. GetFilePath function 

This function retrieves the path to the next stage in the chain, specifically pointing to the BAT file roox.bat. 

4. GetVisibilitySetting function 

Configures the visibility settings to ensure that roox.bat runs without displaying a window on the desktop. This stealthy execution minimizes the chances of detection by the user. 

5. RunFile function

Executes a file at the specified path with the defined visibility settings. In this case, it launches roox.bat in hidden mode. 

6. Sequence of calls 

The script executes the required functions in the following order to launch roox.bat: 

• Creates the WScript.Shell object using CreateWshShellObj. 
• Retrieves the path to roox.bat via GetFilePath. 
• Configures the visibility mode to hidden (0) using GetVisibilitySetting. 
• Executes roox.bat in hidden mode through the RunFile function.

ROOX.BAT Script 

This script runs roox.ps1 using PowerShell. It employs the following flags to enhance stealth and bypass security measures: 

• NoProfile: Prevents the loading of user-specific PowerShell profiles 

• WindowStyle Hidden: Hides the PowerShell window during execution, ensuring that the process remains invisible to the user. 

• ExecutionPolicy Bypass: Overrides Windows PowerShell execution policies, allowing scripts to run without restrictions imposed by security configurations. 

ROOX.PS1 Script

The roox.ps1 PowerShell script deobfuscates the main malicious payload, dynamically loads it into memory, and executes it using .NET Reflection and RegSvcs.exe. The script employs simple obfuscation using the # character to make detection more challenging.

The variables $RoXstring_lla and $Mordexstring_ojj store the main malicious payload in the form of HEX strings, with each byte separated by %&% as a means of obfuscation. 

Deobfuscation Process 

The script uses the following commands to convert the obfuscated HEX strings into usable binary code: 

[Byte[]] $NKbb = $Mordexstring_ojj -split '%&%' | ForEach-Object { [byte]([convert]::ToInt32($_, 16)) } 

[Byte[]] $pe = $RoXstring_lla -split '%&%' | ForEach-Object { [byte]([convert]::ToInt32($_, 16)) } 

What these commands do: 

• Split the HEX strings: They split the HEX strings $Mordexstring_ojj and $RoXstring_lla into arrays using %&% as a delimiter. 
• Convert HEX to decimal bytes: Then, each element in the array converts the HEX string into a decimal byte value. 

ForEach-Object { [byte]([convert]::ToInt32($_, 16)) } 

Form byte arrays: This forms a byte array (Byte[]), representing the binary code of the payload. 

Deobfuscate using -replace: 
Obfuscated commands are cleaned by removing # symbols using the -replace command. For example, a string like L####o####a####d is transformed into Load. 

Restore the method name: 
The variable $Fu restores the method name [Reflection.Assembly]::Load, which is used to load a .NET assembly into memory. 

Payload execution in memory: The script dynamically loads the NewPE2.PE type from the .NET assembly and calls its Execute method. The Execute method injects malicious code into a legitimate process, such as aspnet_compiler.exe. In this case, the target process is RegSvcs.exe. 

The initial variable $RoXstring_lla contains the injector for the .NET assembly NewPE2, which is responsible for loading the main payload into the process.

Within this assembly, the script locates the type NewPE2.PE and executes the Execute method. The latter is provided with parameters: the path and the malicious .NET assembly itself. 

Use the following query to search for more samples and threat data in TI Lookup:

Conclusion

PSLoramyra is a sophisticated fileless loader. It leverages PowerShell, VBS, and BAT scripts to inject and execute malicious payloads directly in memory, evading traditional detection methods. Its infection chain begins with an initial PowerShell script that generates essential files and establishes persistence through Windows Task Scheduler. The malware’s stealthy execution and minimal system footprint make it a serious threat.

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

• Detect malware in seconds
• Interact with samples in real time
• Save time and money on sandbox setup and maintenance
• Record and study all aspects of malware behavior
• Collaborate with your team 
• Scale as you need

Explore all Black Friday 2024 offers →

Indicators of Compromise (IOCs)

Hashes 

ac05a1ec83c7c36f77dec929781dd2dae7151e9ce00f0535f67fcdb92c4f81d9 

9018a2f6018b6948fc134490c3fb93c945f10d89652db7d8491a98790d001c1e 

d50cfca93637af25dc6720ebf40d54eec874004776b6bc385d544561748c2ffc 

Ef894d940115b4382997954bf79c1c8272b24ee479efc93d1b0b649133a457cb 

Files 

C:UsersPublicroox.vbs 

C:UsersPublicroox.bat 

C:UsersPublicroox.ps1 

Domain 

Ronymahmoud[.]casacam[.]net 

IP 

3[.]145[.]156[.]44 

The post PSLoramyra: Technical Analysis of Fileless Malware Loader appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More