securityaffairsMay 27, 2023
New #Buhti #ransomware operation uses rebranded #LockBit and #Babuk payloads
https://securityaffairs.com/146700/cyber-crime/buhti-ransomware-rebranded-lockbit-babuk.html
#securityaffairs #hacking #malware
New Buhti ransomware operation uses rebranded LockBit and Babuk payloads

The recently identified Buhti operation targets organizations worldwide with rebranded LockBit and Babuk ransomware variants. Researchers from Symantec discovered a new ransomware operation called Buhti (aka Blacktail) that is using LockBit and Babuk variants to target Linux and Windows systems worldwide. The ransomware operation hasn’t its own ransomware payload, however, it uses a custom information […]

Security Affairs
Show threadSophos X-OpsApr 27, 2023

Some of the final payloads overlap with previously-reported threats, such as #Truebot (#downloader, often linked to Cl0p #ransomware), #Buhti (ransomware), #MoneroOcean (a #coinminer, discussed here: https://news.sophos.com/en-us/2021/12/02/two-flavors-of-tor2mine-miner-dig-deep-into-networks-with-powershell-vbscript/), and #Mirai (a #botnet #worm).

One such example of a #miner, shown in the screenshot below, details the commands to terminate the processes and services used by other, competing malicious miners before launching their own #Monero (#XMR) mining software. This cynical form of 'capture the flag' is commonplace behavior among the threat actor groups who deploy and maintain hostile miners.

5/6

Two flavors of Tor2Mine miner dig deep into networks with PowerShell, VBScript

Using remote scripts and code, one variant can even execute filelessly until it gains administrative credentials.

Sophos News