Incidents

Sober steals your passwords

For the last 24 hours or so we’ve seen a number of new Email-Worm.Win32.Sober variants, some of which we have got an alert out for.

We went from Sober.u to Sober.z about four hours ago.

These Sobers are pretty much the same like before, for instance they still use exclusive lock and the possibility to download files.

What’s interesting is that these Sobers also drop not-a-virus:PSWTool.PassView.162 onto the system.

As the name suggests this program is a tool which is able to show certain passwords.

In this case the program can show the passwords stored by Internet Explorer and Outlook.

As nor Sober nor PSWTool.PassView.162 can send out the obtained info from PassView, it is likely that the file(s) that Sober is (possibly) going to download will have this ability.

Naturally we’re closely monitoring the situation and we will keep you updated in case something interesting comes along.

Sober steals your passwords

Your email address will not be published.

 

Reports

Kimsuky’s GoldDragon cluster and its C2 operations

Kimsuky (also known as Thallium, Black Banshee and Velvet Chollima) is a prolific and active threat actor primarily targeting Korea-related entities. In early 2022, we observed this group was attacking the media and a think-tank in South Korea.

Andariel deploys DTrack and Maui ransomware

Earlier, the CISA published an alert related to a Stairwell report, “Maui Ransomware.” Our data should openly help solidify the attribution of the Maui ransomware incident to the Korean-speaking APT Andariel, also known as Silent Chollima and Stonefly.

Subscribe to our weekly e-mails

The hottest research right in your inbox