On November 17th, Microsoft Security Threat Intelligence tracked activity from a threat actor known as DEV-0569 regarding the development of new tools to deliver the Royal ransomware.
Although Microsoft still uses a temporary ‘DEV-####’ designation for it, meaning that they are unsure about its origin or identity, the group is believed to consist of ex-Conti members.
“Observed DEV-0569 attacks show a pattern of continuous innovation, with regular incorporation of new discovery techniques, defense evasion, and various post-compromise payloads, alongside increasing ransomware facilitation,” the Microsoft Security Threat Intelligence team said in an analysis.
Traced back to August 2022, the group typically relies on malvertising, phishing links, fake forum pages, and blog comments as initial-access vectors. It also directs users to a malware downloader called BATLOADER, which poses as a legitimate software installer (TeamViewer, Adobe Flash Player, Zoom) or as a software update embedded in spam emails.
When BATLOADER is launched, it uses MSI Custom Actions to run malicious PowerShell or batch scripts that help disable security solutions and deliver various encrypted malware payloads, which are then decrypted and launched with PowerShell commands.
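To make that chain concrete from a defender's standpoint, the following is an added Python example (not code from the article, from Microsoft, or from any vendor) that scores process-creation events for the pattern described above: msiexec.exe, the host process for MSI Custom Actions, spawning PowerShell or cmd.exe with hidden, encoded, or base64-decoding command lines. The event layout, the sample records, the regex list and the weights are all assumptions chosen for illustration; the sample telemetry is constructed, not captured.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (Sysmon event 1 / EDR style). Assumed field subset."""
    event_id: int
    parent_image: str
    image: str
    command_line: str


# Constructed sample telemetry (not real logs). Events 1 and 2 mimic an MSI Custom Action
# handing off to a script host; events 3 and 4 are ordinary activity for contrast.
SAMPLE_EVENTS = [
    ProcessEvent(1, r"C:\Windows\System32\msiexec.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc QUFBQUFBQUFBQUFB"),  # placeholder base64
    ProcessEvent(2, r"C:\Windows\System32\msiexec.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c "C:\Users\Public\install.bat"'),
    ProcessEvent(3, r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -Command Get-Date"),
    ProcessEvent(4, r"C:\Windows\System32\services.exe",
                 r"C:\Windows\System32\msiexec.exe",
                 "msiexec.exe /V"),
]

# Script hosts an MSI Custom Action would use to run PowerShell or batch logic.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Command-line traits matching the stage the article describes: hidden, encoded PowerShell
# that decrypts a payload in memory. Each hit adds one point.
ARG_PATTERNS = {
    "encoded_command": re.compile(r"(^|\s)-e(c|nc|ncodedcommand)?\s", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"(^|\s)-nop(rofile)?\b", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
}

PARENT_CHILD_WEIGHT = 2  # msiexec -> script host is the strongest single signal here


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: ProcessEvent) -> tuple[int, list[str]]:
    """Return (score, reasons) for one event; higher means more BATLOADER-like."""
    score, reasons = 0, []
    if basename(ev.parent_image) == "msiexec.exe" and basename(ev.image) in SCRIPT_HOSTS:
        score += PARENT_CHILD_WEIGHT
        reasons.append("msiexec_spawned_script_host")
    for name, pattern in ARG_PATTERNS.items():
        if pattern.search(ev.command_line):
            score += 1
            reasons.append(name)
    return score, reasons


def find_suspicious(events, threshold: int = 2) -> list[tuple[int, int, list[str]]]:
    """Events at or above the threshold, as (event_id, score, reasons)."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev.event_id, score, reasons))
    return hits


if __name__ == "__main__":
    for event_id, score, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"event {event_id}: score={score} reasons={', '.join(reasons)}")
```

With these weights, the msiexec-to-script-host relationship alone crosses the threshold (event 2, a batch script launched by the installer), while an encoded, hidden PowerShell launch from the same parent scores far higher (event 1); an interactive PowerShell session and a normal service-started msiexec score zero. In a real deployment the command-line patterns would be tuned against a baseline of legitimate installer behaviour, since some signed MSI packages do legitimately run PowerShell from Custom Actions.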
BATLOADER also appears to share overlaps with another malware called Zloader. A recent analysis of the strain by eSentire and VMware called out its stealth and persistence, in addition to its use of search engine...
Read Full Story: https://news.google.com/__i/rss/rd/articles/CBMiRmh0dHBzOi8vd3d3LmhhY2tyZWFkLmNvbS9yb3lhbC1yYW5zb213YXJlLWdvb2dsZS1hZHMtY3JhY2tlZC1zb2Z0d2FyZS_SAQA?oc=5