ChinaZ Revelations: Revealing ChinaZ Relationships with other Chinese Threat Actor Groups

Introduction: Distributed denial-of-service (DDoS) attacks were on the rise in 2018, ranging from a high volume of Mirai attacks to more sophisticated botnets targeting enterprises. An example of these attacks is the one targeting GitHub in February 2018, forcing the website to go offline for approximately 10 minutes. In researching the current DDoS ecosystem we […]
Muhstik Botnet Reloaded: New Variants Targeting phpMyAdmin Servers

The Muhstik botnet was first exposed by Netlab360 researchers in May 2018. This botnet mainly targeted GPON routers. At Intezer we found that Muhstik is extending its spectrum of compromised devices by targeting web servers hosting phpMyAdmin. phpMyAdmin is a well-known open-source tool written in PHP, intended to handle the administration of MySQL over the web. This tool is fairly popular among […]
Paleontology: The Unknown Origins of Lazarus Malware

As seen by security researchers across the world and proven in joint research by McAfee and Intezer, Lazarus, one of the groups operating from North Korea, has consistently reused code in its malware toolset. There is a common pattern in the malware code that researchers and reverse engineers alike find during their […]
APT37: Final1stspy Reaping the FreeMilk

Researchers at Palo Alto Networks recently published a report regarding the NOKKI malware, which shares code with KONNI and, although not noted in the Palo Alto report, with KimJongRAT (discovered by Paul Rascagnères of Cisco Talos in 2013), along with another report presenting evidence of the NOKKI malware connecting to the North Korean threat […]
Intezer Analyze™ ELF Support Release: Hakai Variant Case Study

ELF Support: We would like to proudly announce that Intezer Analyze™ now supports genetic malware analysis for ELF binaries! You may now upload ELF files to our system and find code reuse. We have already indexed the genes of millions of different files into our ELF genome database, classified as malicious, trusted, and neutral […]
Prince of Persia: The Sands of Foudre

Introduction: In the past couple of years, Palo Alto Networks reported on the “Prince of Persia” malware campaign, which is believed to be of Iranian origin and to have been ongoing for more than 10 years. The original research, published in 2016, called the malware Infy, and their second report, published in 2017, named the upgraded malware Foudre. The […]
Code, Strings and what’s in between

Our technology is based on genetic analysis of files. So far, we’ve focused mainly on detection of code reuse, as part of the genetic malware analysis process. Recently, we’ve added two new and exciting capabilities to our product:
1. String reuse
2. View shared code
While each feature brings its own value to the product, […]
Examining Code Reuse Reveals Undiscovered Links Among North Korea’s Malware Families

This research is a joint effort of Christiaan Beek, lead scientist & sr. principal engineer at McAfee, and Jay Rosenberg, senior security researcher at Intezer, and can be found in the McAfee Labs blog as well. Attacks from the online groups Lazarus, Silent Chollima, Group 123, Hidden Cobra, DarkSeoul, Blockbuster, Operation Troy, and 10 Days of […]
Mitigating Emotet, The Most Common Banking Trojan

Recently, Proofpoint released a fairly surprising report, stating that banking Trojans have surpassed ransomware as the top malware threat found in email. This is not too surprising, due to the rising difficulty of cashing out cyber-ransom operations and the increasing awareness of enterprises of these kinds of threats. In addition, Emotet created recent headlines with […]
Product Updates for June 2018

In this blog post we’d like to share with you some details about our latest developments. New User Interface: We’ve recently added support for Dynamic Execution and Static Extraction to our product, and we wanted our user interface to reflect these additions. The “Tree View” on the left panel of the page reflects the […]