Cisco Talos recently identified a series of documents that they believe are part of a coordinated series of cyber attacks that they are calling the “Frankenstein” campaign. They assess that the attackers carried out these operations between January and April 2019 in an effort to install malware on users’ machines via malicious documents. They assess that this activity was hyper-targeted given that there was a low volume of these documents in various malware repositories. Frankenstein — the name refers to the actors’ ability to piece together several unrelated components — leveraged four different open-source techniques to build the tools used during the campaign.
In mid-2018, Bitdefender researchers investigated a targeted attack on an Eastern European financial institution, gaining new insights and creating a complete event timeline showing how the infamous group Carbanak infiltrates organizations, how it moves laterally across the infrastructure, and the time it takes to set up the actual heist.
Zebrocy is Russian speaking APT that presents a strange set of stripes. To keep things simple, there are three things to know about Zebrocy. Zebrocy is an active sub-group of victim profiling and access specialists. Zebrocy maintains a lineage back through 2013, sharing malware artefacts and similarities with BlackEnergy. The past five years of Zebrocy infrastructure, malware set, and targeting have similarities and overlaps with both the Sofacy and BlackEnergy APTs, yet throughout that time it has remained different from both of those groups.
Turla, also known as Snake, is an infamous espionage group recognized for its complex malware. To confound detection, its operators recently started using PowerShell scripts that provide direct, in-memory loading and execution of malware executables and libraries. This allows them to bypass detection that can trigger when a malicious executable is dropped on disk.
We discovered a new variant of Mirai (detected as Backdoor.Linux.MIRAI.VWIPT) that uses a total of 13 different exploits, almost all of which have been used in previous Mirai-related attacks. Typical of Mirai variants, it has backdoor and distributed denial-of-service (DDoS) capabilities. However, this case stands out as the first to have used all 13 exploits together in a single campaign.
Shade ransomware is a long-established family of ransomware first spotted in late 2014 targeting hosts running Microsoft Windows. It is also known as Troldesh. Shade has been distributed through malicious spam (malspam) and exploit kits. A recent report focused on Russian language emails that deliver Shade, but this ransomware is also distributed through English-language malspam.
According to this blogpost by Palo Alto researchers, XBash targeted Linux and Windows systems. XBash is a botnet, coinminer, ransomware that has self-propagation capabilities. On Linux, this malware has ransomware and botnet capabilities. For Windows systems, coinmining and self-propagating capabilities
What happens when a victim is compromised by a backdoor and the operator is controlling it? It’s a difficult question that is not possible to answer entirely by reverse engineering the code. In this article we will analyze commands sent by the operator to their targets. The Sednit group – also known as APT28, Fancy Bear, Sofacy or STRONTIUM – has been operating since at least 2004 and has made headlines frequently in past years.
Cisco Talos assesses with moderate confidence that a campaign we recently discovered called "BlackWater" is associated with suspected persistent threat actor MuddyWater. Newly associated samples from April 2019 indicate attackers have added three distinct steps to their operations, allowing them to bypass certain security controls and suggesting that MuddyWater's tactics, techniques and procedures (TTPs) have evolved to evade detection. If successful, this campaign would install a PowerShell-based backdoor onto the victim's machine, giving the threat actors remote access. While this activity indicates the threat actor is taking steps to improve its operational security and avoid endpoint detection, the underlying code remains unchanged. The findings outlined in this blog should help threat hunting teams identify MuddyWater's latest TTPs.
As the adoption of online banking within Brazil continues to grow, a corresponding rise in banking malware targeting this developing market is also being observed. The prolific Brazilian cybercrime group behind the banking malware “Banload” have implemented an interesting new driver component, internally called ‘FileDelete’, to remove software drivers and executables belonging to anti-malware and banking protection programs. The goal behind this driver is to enable fraud through credential theft and account-takeover operations on a victim’s machine. In this technical analysis, SentinelOne dissects the novel FileDelete driver to reveal how it works.
Our Standard Office Hours
Monday – Friday: 8:00AM – 5:00PM EDT
Saturday – Sunday: Closed
Where to Find Us
Data Privacy Notice
- – All product names, logos, and brands are property of their respective owners.
- – The use of these names, logos, and brands is for identification purposes only and does not imply endorsement.
- – Content syndication and aggregation of public information is solely for the purpose of identifying information security trends, all syndicated content contains source links to the content creator website. All content is owned by it’s respective content creators.
- – If you are an owner of some content and want it to be removed, please email email@example.com