Curious Serpens’ FalseFont Backdoor: Technical Analysis, Detection and Prevention
Threat Reports
New details on TinyTurla’s post-compromise activity reveal full kill chain
We now have new information on the entire kill chain this actor uses, including the tactics, techniques and procedures (TTPs) utilized to steal valuable information from their victims and propagate through their infected enterprises.
When Cats Fly: Suspected Iranian Threat Actor UNC1549 Targets Israeli and Middle East Aerospace and Defense Sectors | Mandiant
Lazarus and the FudModule Rootkit: Beyond BYOVD with an Admin-to-Kernel Zero-Day - Avast Threat Labs
The Lazarus Group is back with an upgraded variant of their FudModule rootkit, this time enabled by a zero-day admin-to-kernel vulnerability for CVE-2024-21338. Read this blog for a detailed analysis of this rootkit variant and learn more about several new techniques, including a handle table entry manipulation technique that directly targets Microsoft Defender, CrowdStrike Falcon, and HitmanPro.
WatchTower End of Year Report 2023
In this year-end edition of the WatchTower Digest, we discuss the threats we observed in 2023 and look ahead to the 2024 threat landscape.
SlashAndGrab: ScreenConnect Post-Exploitation in the Wild (CVE-2024-1709 & CVE-2024-1708)
Adversaries have been VERY busy in the wake of the ScreenConnect vulnerabilities (CVE-2024-1709 & CVE-2024-1708). Here’s all the post-exploitation details, tradecraft, and tactics we’ve observed so far!
Raspberry Robin Keeps Riding the Wave of Endless 1-Days - Check Point Research
Key Findings Introduction Raspberry Robin is a widely distributed worm first reported by Red Canary in 2021. Its capabilities and evasions in addition to its very active distribution made it one of the most intriguing malware out there. We at Check Point Research published an article a couple of months ago using Raspberry Robin as an example […]
Diving Into Glupteba's UEFI Bootkit
Fileless Revenge RAT Malware - ASEC BLOG
AhnLab SEcurity intelligence Center (ASEC) recently discovered the distribution of Revenge RAT malware that had been developed based on legitimate tools. It appears that the attackers have used tools such as ‘smtp-validator’ and ‘Email To Sms’. At the time of execution, the malware creates and runs both a legitimate tool and a malicious file, making it difficult for users to realize that a malicious activity has occurred. As shown in the code below, the threat actor creates and runs Setup.exe (malicious file) before executing smtp-verifier.exe (legitimate tool). The created file’s property changes to ‘Hidden’ and the file becomes hidden from typical Windows Explorer environments. The figure below shows the overall flow of the malicious activities that follow afterward. Many files...
HijackLoader Expands Techniques to Improve Defense Evasion
Read this blog to learn about the HijackLoader sample that employs sophisticated evasion techniques to enhance the complexity of the threat.
Unveiling the intricacies of DiceLoader - Sekoia.io Blog
Learn how DiceLoader (also known as Icebot), a malware used by the FIN7 intrusion set, works.
Evolution of UNC4990: Uncovering USB Malware's Hidden Depths | Mandiant
Stately Taurus Targets Myanmar Amidst Concerns over Military Junta’s Handling of Rebel Attacks – CSIRT-CTI
The Endless Struggle Against APT10: Insights from LODEINFO v0.6.6 - v0.7.3 Analysis - Researcher Blog - ITOCHU Cyber & Intelligence Inc.
What is the LODEINFO malware? Analysis of LODEINFO The infection flow Update of the Downloader Shellcode Remote Template Injection Maldoc VBA code embedded in M…
Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware
Threat Analysis Group sheds light on Russian threat COLDRIVER’s use of malware.
New TTPs observed in Mint Sandstorm campaign targeting high-profile individuals at universities and research orgs | Microsoft Security Blog
Since November 2023, Microsoft has observed a distinct subset of Mint Sandstorm (PHOSPHORUS) targeting high-profile individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the United Kingdom, and the United States. In this campaign, the threat actor used bespoke phishing lures in an attempt to socially engineer targets into downloading malicious files.
Bert-JanP/Open-Source-Threat-Intel-Feeds: This repository contains Open Source freely usable Threat Intel feeds that can be used without additional requirements. Contains multiple types such as IP, URL, CVE and Hash.
This repository contains Open Source freely usable Threat Intel feeds that can be used without additional requirements. Contains multiple types such as IP, URL, CVE and Hash. - GitHub - Bert-JanP/O...
A Requirements-Driven Approach to Cyber Threat Intelligence
A requirements-driven approach to cyber threat intelligence represents a commitment across the
intelligence lifecycle to explicitly meet the specified needs of all relevant stakeholders.
signalscorps/awesome-threat-intel-blogs
A curated list of Awesome Threat Intelligence Blogs.
From ScreenConnect to Hive Ransomware in 61 hours - The DFIR Report
In 2022, The DFIR Report observed an increase in the adversarial usage of Remote Management and Monitoring (RMM) tools. When compared to post-exploitation channels that heavily rely on terminals, such … Read More
SharpPanda APT Campaign Expands its Arsenal Targeting G20 Nations
Cyble analyzes SharpPanda, a highly sophisticated APT group utilizing spear-phishing tactics to launch cyberattacks on G20 Nation officials.
Alloy taurus
Educated Manticore - Iran Aligned Threat Actor Targeting Israel via Improved Arsenal of Tools - Check Point Research
Key Findings: Introduction In this report, Check Point research reveals new findings of an activity cluster closely related to Phosphorus. The research presents a new and improved infection chain leading to the deployment of a new version of PowerLess. This implant was attributed to Phosphorus in the past, an Iran-affiliated threat group operating in the Middle East […]
Linux malware strengthens links between Lazarus and the 3CX supply‑chain attack | WeLiveSecurity
Similarities with newly discovered Linux malware used in Operation DreamJob corroborate the theory that the 3CX attack was carried out by Lazarus.
3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible | Mandiant
null
Invitation to a Secret Event: Uncovering Earth Yako’s Campaigns
We detail the intrusion set Earth Yako, attributed to the campaign Operation RestyLink or EneLink. This analysis was presented in full at the JSAC 2023 in January 2023.
Pupy RAT hiding under WerFault’s cover - K7 Labs
We at K7 Labs recently identified an interesting technique used by threat actors to execute a Remote Admin Tool. We […]
Heads up! Xdr33, A Variant Of CIA’s HIVE Attack Kit Emerges
Overview On Oct 21, 2022, 360Netlab's honeypot system captured a suspicious ELF file ee07a74d12c0bb3594965b51d0e45b6f, which propagated via F5 vulnerability with zero VT detection, our system observces that it communicates with IP 45.9.150.144 using SSL with forged Kaspersky certificates, this caught our attention. After further lookup, we confirmed
Blowing Cobalt Strike Out of the Water With Memory Analysis
Earth Preta Spear-Phishing Governments Worldwide