350 episodes

Every Saturday, we sit down with cybersecurity researchers to talk shop about the latest threats, vulnerabilities, and technical discoveries.

Research Saturday N2K Networks

    • Technology


    APT36's cyber blitz on India.

    Ismael Valenzuela, Vice President of Threat Research & Intelligence at BlackBerry, discusses his team's work on "Transparent Tribe Targets Indian Government, Defense, and Aerospace Sectors Leveraging Cross-Platform Programming Languages." BlackBerry has identified Transparent Tribe (APT36), a Pakistan-based advanced persistent threat group, targeting India's government, defense, and aerospace sectors from late 2023 to April 2024, using evolving toolkits and exploiting web services like Telegram and Google Drive.
    Evidence such as time zone settings and spear-phishing emails with Pakistani IP addresses supports their attribution, suggesting alignment with Pakistan's interests.
    The research can be found here:
    Transparent Tribe Targets Indian Government, Defense, and Aerospace Sectors Leveraging Cross-Platform Programming Languages

    Learn more about your ad choices. Visit megaphone.fm/adchoices

    • 20 min
    Piercing through the fog.

    Kerri Shafer-Page from Arctic Wolf joins us to discuss their work on "Lost in the Fog: A New Ransomware Threat." Starting in early May, Arctic Wolf's Incident Response team investigated Fog ransomware attacks on US education and recreation sectors, where attackers exploited compromised VPN credentials to access systems, disable Windows Defender, encrypt files, and delete backups.
    Despite the uniformity in ransomware payloads and ransom notes, the organizational structure of the responsible groups remains unknown.
    The research can be found here:
    Lost in the Fog: A New Ransomware Threat

    • 18 min
    Exploring the mechanics of Infostealer malware.

    This week, we are joined by a Security Researcher from SpyCloud Labs, James, who is discussing their work on "Unpacking Infostealer Malware: What we’ve learned from reverse engineering LummaC2 and Atomic macOS Stealer." Infostealer malware has become highly prevalent, with SpyCloud tracking over 50 families and finding that 1 in 5 digital identities are at risk.
    This research analyzes the workings and intentions behind infostealers like LummaC2 and Atomic macOS Stealer, focusing on the types of data extracted and the broader security implications.
    The research can be found here:

    Reversing LummaC2 4.0: Updates, Bug Fixes

    Reversing Atomic macOS Stealer: Binaries, Backdoors & Browser Theft

    How the Threat Actors at SpaxMedia Distribute Malware Globally

    • 28 min
    Riding the hype for new Arc browser.

    Jérôme Segura, Senior Director of Threat Intelligence at Malwarebytes, is discussing their work on "Threat actors ride the hype for newly released Arc browser." The Arc browser, newly released for Windows, has quickly garnered positive reviews but has also attracted cybercriminals who are using deceptive Google search ads to distribute malware disguised as the browser.
    These malicious campaigns exploit the hype around Arc, using techniques like embedding malware in image files and utilizing the MEGA cloud platform for command and control, highlighting the need for caution with sponsored search results and the effectiveness of Endpoint Detection and Response (EDR) systems.
    The research can be found here:
    Threat actors ride the hype for newly released Arc browser

    • 27 min
    1700 IPs and counting.

    Amit Malik, Director of Threat Research at Uptycs, is sharing their work on "New Threat Detected: Inside Our Discovery of the Log4j Campaign and Its XMRig Malware." The Uptycs Threat Research Team has discovered a large-scale Log4j campaign involving over 1700 IPs, aiming to deploy XMRig cryptominer malware.
    This ongoing operation was initially detected through the team's honeypot collection, prompting an in-depth analysis of the campaign. The research says "The JNDI plugin is particularly useful to attackers because it allows them not only to fetch the values of environment variables in the target system but also to freely define the URL and protocol resource for the JNDI network connection."
    The research can be found here:
    New Threat Detected: Inside Our Discovery of the Log4j Campaign and Its XMRig Malware

    • 17 min
    International effort dismantles LockBit.

    Jon DiMaggio, Chief Security Strategist at Analyst1, is sharing his work on "Ransomware Diaries Volume 5: Unmasking LockBit." On February 19, 2024, the National Crime Agency (NCA), a UK sovereign law enforcement agency, in collaboration with the FBI, Europol, and nine other countries under "Operation Cronos," disrupted the LockBit ransomware gang’s data leak site used for shaming, extorting, and leaking victim data.
    The NCA greeted visitors to LockBit’s dark web leak site with a seizure banner, revealing they had been controlling LockBit’s infrastructure for some time, collecting information, acquiring victim decryption keys, and even compromising the new ransomware payload intended for LockBit 4.0.
    The research can be found here:
    Ransomware Diaries Volume 5: Unmasking LockBit

    • 30 min