Oh no. Here we go again! Another wave of compromised #npm packages. Check your dependencies! This time it even deletes your home directory, if it does not find any secrets 😱

https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains

And it appears that the worm is quite successful again: https://github.com/search?q=sha1-hulud&type=repositories

#ShaiHulud #Malware #CredentialStealer #SupplyChain #SupplyChainAttack #InfoSec

The threat actors behind Shai Hulud have struck again, hitting Zapier and Ensdomains

A new variant of Shai Hulud has hit Zapier and Ensdomains

Here’s how potent Atomic credential stealer is finding its way onto Macs https://arstechni.ca/Axzs #credentialstealer #malvertising #Security #Biz&IT #atomic #Apple #MacOS #amos
Here’s how potent Atomic credential stealer is finding its way onto Macs

LastPass warns it’s one of the latest to see its well-known brand impersonated.

Ars Technica

Rhadamanthys Stealer has its own web, I had missed that completely.

Yet another sign that the Stealer market is growing, maturing and getting increasingly professional and an important part of the ecosystem.

#ThreatIntelligence #Stealer #CredentialStealer #Malware

#HappyFriday everyone! This week I will wrap up with a #readoftheday from ThreatMon and their coverage of the #ZarazaBot. They provide technical analysis of the #credentialstealer and describe some of its behaviors! Enjoy and Happy Hunting!

Zaraza Bot: The New Russian Credential Stealer
https://threatmon.io/wp-content/uploads/2023/05/Zaraza-Bot_-The-New-Russian-Credential-Stealer.pdf

Notable MITRE ATT&CK TTPs:
TA0009 - Collection:
T1005 - Data from Local System
T1113 - Screen Capture
T1119 - Automated Collection
T1074.001 - Data Staged: Local Data Staging

TA0011 - Command And Control
T1071 - Application Layer Protocol
T1537 - Encrypted Channel

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting

Any thoughts on how many Credential Stealer families rely on using the Telegram API Bot endpoint for exfiltrating / copying information from infected devices?

Trying to assess the potential for leveraging that observation for some simple detection rules of potential stealer infections.

Any hot takes?

[ #ThreatIntel #DetectionEngineering #CredentialStealer ]
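One way to turn the observation in the post above into a first-pass detection rule. This is an added example, not code from the poster or from any of the linked vendors; the proxy log format it parses is constructed for the demo ("timestamp src_ip verb host path status"), the log lines are made up, and the confidence tiers are an assumption, not a published rule. The idea: a request to api.telegram.org whose path carries a bot token (`/bot<id>:<secret>/<method>`) and an upload-style method such as sendDocument is a strong signal that something on the host is pushing data out through a bot; a bare TLS CONNECT to the same host is only a weak signal and needs a baseline of normal Telegram usage before it is worth alerting on. The bot id (the numeric part before the colon) is kept for pivoting across hosts, while the secret part of the token is redacted before it reaches an alert.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample proxy log lines for illustration only (not real events).
# Assumed format: "<timestamp> <src_ip> <http_verb> <host> <path> <status>".
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.12 POST api.telegram.org /bot123456789:AAFakeTokenValueForDemo_0123456789abc/sendDocument 200
2024-05-01T10:00:02Z 10.0.0.12 POST api.telegram.org /bot123456789:AAFakeTokenValueForDemo_0123456789abc/sendMessage 200
2024-05-01T10:00:03Z 10.0.0.13 CONNECT api.telegram.org - 200
2024-05-01T10:00:04Z 10.0.0.20 GET web.telegram.org /k/ 200
2024-05-01T10:00:05Z 10.0.0.21 GET api.github.com /repos/example/example 200
2024-05-01T10:00:06Z 10.0.0.22 GET api.telegram.org /bot123456789:AAFakeTokenValueForDemo_0123456789abc/getMe 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<verb>\S+) (?P<host>\S+) (?P<path>\S+) (?P<status>\d+)$"
)

# Bot API paths look like /bot<numeric id>:<secret>/<method>. Real secrets are
# typically 35 characters of [A-Za-z0-9_-]; {30,} leaves a little slack.
TELEGRAM_BOT_PATH = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)"
)

# Documented Bot API methods that push content from the caller to a chat.
# Seeing one of these from a workstation is the high-confidence case.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto", "sendMediaGroup"}

BOT_API_HOST = "api.telegram.org"


@dataclass
class Finding:
    src_ip: str
    host: str
    method: Optional[str]   # None when only the host was visible (TLS CONNECT)
    bot_id: Optional[str]   # numeric bot id, safe to keep for pivoting
    confidence: str         # "high", "medium" or "low" (assumed tiers)


def redact_path(path: str) -> str:
    """Strip the secret half of a bot token so it never lands in an alert."""
    return re.sub(r"(/bot\d+:)[A-Za-z0-9_-]{30,}", r"\1<redacted>", path)


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if it is not Bot API traffic."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host = m["host"].lower()
    if host != BOT_API_HOST:
        # web.telegram.org, t.me etc. are ordinary client usage, not the bot API.
        return None
    bot = TELEGRAM_BOT_PATH.match(m["path"])
    if bot:
        method = bot["method"]
        confidence = "high" if method in EXFIL_METHODS else "medium"
        return Finding(m["src"], host, method, bot["bot_id"], confidence)
    # Path hidden (e.g. CONNECT for TLS): only the destination host is known.
    return Finding(m["src"], host, None, None, "low")


def scan(log_text: str) -> list:
    """Run classify() over every line and keep the hits."""
    return [f for f in (classify(ln) for ln in log_text.splitlines()) if f]


def hosts_by_bot(findings) -> dict:
    """Group source hosts by bot id: several hosts on one bot id suggests one campaign."""
    out: dict = {}
    for f in findings:
        if f.bot_id:
            out.setdefault(f.bot_id, set()).add(f.src_ip)
    return out


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f.confidence:6} {f.src_ip:10} {f.host} method={f.method} bot_id={f.bot_id}")
    print("hosts per bot id:", hosts_by_bot(hits))
```

In a real deployment the "low" tier is the interesting design question: if the fleet never talks to api.telegram.org, the CONNECT alone is enough; if developers run bots, the path-based tiers are what keep the rule from drowning in noise, and the bot id grouping is the pivot that ties several infected hosts to one operator bot.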

Threat Spotlight: Solarmarker - By Andrew Windsor, with contributions from Chris Neal.

Executive summary Cisco Tal... http://feedproxy.google.com/~r/feedburner/Talos/~3/QZanLZERCHk/threat-spotlight-solarmarker.html #credentialstealer #securex #threats

Threat Spotlight: Solarmarker

A blog from the world-class Intelligence Group, Talos, Cisco's Intelligence Group

Loda RAT Grows Up - By Chris Neal. Over the past several months, Cisco Talos has observed a malware campaign that utilize... more: http://feedproxy.google.com/~r/feedburner/Talos/~3/FP1Tfj2Deww/loda-rat-grows-up.html #credentialstealer #threatresearch #malware #autoit #rats #rat
Loda RAT Grows Up

A blog from the world-class Intelligence Group, Talos, Cisco's Intelligence Group