Entries by christian scott

An APT Blueprint: Gaining New Visibility into Financial Threats

In mid-2018, Bitdefender researchers investigated a targeted attack on an Eastern European financial institution, gaining new insights and creating a complete event timeline showing how the infamous group Carbanak infiltrates organizations, how it moves laterally across the infrastructure, and the time it takes to set up the actual heist. REFERENCE: https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf ADVERSARY: Carbanak

Zebrocy’s Multilanguage Malware Salad

Zebrocy is a Russian-speaking APT that presents a strange set of stripes. To keep things simple, there are three things to know about Zebrocy. Zebrocy is an active sub-group of victim profiling and access specialists. Zebrocy maintains a lineage back through 2013, sharing malware artefacts and similarities with BlackEnergy. The past five years of Zebrocy […]

A dive into Turla PowerShell usage

Turla, also known as Snake, is an infamous espionage group recognized for its complex malware. To confound detection, its operators recently started using PowerShell scripts that provide direct, in-memory loading and execution of malware executables and libraries. This allows them to bypass detection that can trigger when a malicious executable is dropped on disk. REFERENCE: […]
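The point of the in-memory technique described above is that file-based controls never see a dropped executable, so the remaining visibility is the script text itself. The following is an added example, not code from ESET's article or from Turla's tooling: it triages constructed records shaped like PowerShell Script Block Logging events (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log, which must be enabled) against weighted indicators of reflective loading. The event contents, indicator list, weights and thresholds are assumptions chosen for the example.

```python
import re

# Constructed sample records in the shape of Script Block Logging events
# (the ScriptBlockText of Event ID 4104). They are sample input written for
# this example, not Turla's scripts or data from the article.
SAMPLE_EVENTS = [
    {"id": "evt-1", "host": "ws01", "script": (
        "$b=[Convert]::FromBase64String($payload);"
        "$a=[System.Reflection.Assembly]::Load($b);"
        "$a.EntryPoint.Invoke($null,$null)")},
    {"id": "evt-2", "host": "ws02", "script": (  # benign admin housekeeping
        "Get-ChildItem C:\\Logs -Filter *.log | "
        "Where-Object { $_.Length -gt 1MB } | Remove-Item")},
    {"id": "evt-3", "host": "ws03", "script": (  # native-code injection pattern
        "$k=Add-Type -MemberDefinition $sig -Name W -PassThru;"
        "$m=$k::VirtualAlloc(0,$code.Length,0x3000,0x40);"
        "[Runtime.InteropServices.Marshal]::Copy($code,0,$m,$code.Length);"
        "$k::CreateThread(0,0,$m,0,0,0)")},
    {"id": "evt-4", "host": "ws04", "script": (  # decode-and-eval stager
        "$enc=Get-Content 'C:\\Users\\Public\\u.txt';"
        "IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($enc)))")},
]

# (name, regex, weight). Weights and the list itself are assumptions for this
# example; a production rule set would be tuned against the estate's baseline.
INDICATORS = [
    ("assembly_load", r"\[(?:System\.)?Reflection\.Assembly\]::Load\w*\(", 5),
    ("virtualalloc", r"\bVirtualAlloc(?:Ex)?\b", 4),
    ("createthread", r"\bCreateThread\b", 4),
    ("marshal_copy", r"\[(?:System\.)?Runtime\.InteropServices\.Marshal\]::Copy", 3),
    ("entrypoint_invoke", r"\.EntryPoint\.Invoke\(", 3),
    ("base64_decode", r"\[Convert\]::FromBase64String\(", 2),
    ("invoke_expression", r"\b(?:Invoke-Expression|IEX)\b", 2),
]
ALERT_THRESHOLD = 5   # "high": loader primitives present
REVIEW_THRESHOLD = 3  # "medium": decode/eval without a visible loader


def normalize(script: str) -> str:
    """Cheap de-obfuscation: drop backtick escapes and collapse whitespace.
    PowerShell is case-insensitive, so matching below uses re.IGNORECASE."""
    return re.sub(r"\s+", " ", script.replace("`", ""))


def score_script(script: str):
    """Return (score, matched indicator names) for one script block."""
    text = normalize(script)
    hits = [name for name, pattern, _ in INDICATORS
            if re.search(pattern, text, re.IGNORECASE)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    return score, hits


def severity(score: int):
    """Map a score to a triage tier, or None when nothing is worth a look."""
    if score >= ALERT_THRESHOLD:
        return "high"
    if score >= REVIEW_THRESHOLD:
        return "medium"
    return None


def triage(events):
    """Score every event and return findings in input order."""
    findings = []
    for ev in events:
        score, hits = score_script(ev["script"])
        tier = severity(score)
        if tier:
            findings.append({"id": ev["id"], "host": ev["host"], "score": score,
                             "severity": tier, "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['severity']:6} {f['id']} {f['host']} "
              f"score={f['score']} {','.join(f['indicators'])}")
```

The weighting separates the two patterns that matter here: managed loading via `Assembly.Load` plus `EntryPoint.Invoke`, and native injection via `VirtualAlloc`, `Marshal.Copy` and `CreateThread`. A bare decode-and-`IEX` stager lands in the review tier because the loader it pulls down may only appear in a later 4104 event. Regex over script text is a starting point, not a boundary: string splitting and format-string obfuscation defeat it, so pair this with AMSI telemetry, which sees the script after PowerShell has already resolved such tricks.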

Shade Ransomware Hits High-Tech

Shade ransomware is a long-established family of ransomware first spotted in late 2014 targeting hosts running Microsoft Windows. It is also known as Troldesh. Shade has been distributed through malicious spam (malspam) and exploit kits. A recent report focused on Russian language emails that deliver Shade, but this ransomware is also distributed through English-language malspam. […]

Aposemat IoT Malware Analysis, an X-Bash infection

According to this blogpost by Palo Alto researchers, XBash targeted Linux and Windows systems. XBash is a botnet, coinminer and ransomware that has self-propagation capabilities. On Linux, the malware acts as ransomware and a bot; on Windows, it performs coinmining and self-propagation. REFERENCE: https://www.stratosphereips.org/blog/2019/3/21/malware-capture-analysis-possible-coin-miner

A journey to Zebrocy land

What happens when a victim is compromised by a backdoor and the operator is controlling it? It’s a difficult question that is not possible to answer entirely by reverse engineering the code. In this article we will analyze commands sent by the operator to their targets. The Sednit group – also known as APT28, Fancy […]

Recent MuddyWater-associated BlackWater Campaign Shows Signs of New Anti-detection Techniques

Cisco Talos assesses with moderate confidence that a campaign we recently discovered called "BlackWater" is associated with suspected persistent threat actor MuddyWater. Newly associated samples from April 2019 indicate attackers have added three distinct steps to their operations, allowing them to bypass certain security controls and suggesting that MuddyWater's tactics, techniques and procedures (TTPs) have […]

Groups Behind “Banload” Banking Malware Implement New Techniques

As the adoption of online banking within Brazil continues to grow, a corresponding rise in banking malware targeting this developing market is also being observed. The prolific Brazilian cybercrime group behind the banking malware “Banload” has implemented an interesting new driver component, internally called ‘FileDelete’, to remove software drivers and executables belonging to anti-malware and […]

New KPOT v2.0 stealer

KPOT Stealer is a “stealer” malware that focuses on exfiltrating account information and other data from web browsers, instant messengers, email, VPN, RDP, FTP, cryptocurrency, and gaming software. Proofpoint researchers started seeing KPOT Stealer distributed via email campaigns and exploit kits in August 2018 (Figure 1). In addition, colleagues at Flashpoint Intel observed the malware […]