Silence of the Moles
Kaspersky Labs published a technical analysis of a new malware, Silence that is aimed at attacking financial institutions. After uploading the loader of this malware to Intezer Analyze™, we have found a possible connection through code reuse to the loader of another campaign of malware, Mole previously discovered by Unit 42 of Palo Alto Networks. This […]
Intezer Uncovers Connection Between CCleaner Hack & Chinese Hackers: Aurora Operation
Since my last post, we have found new evidence in the next stage payloads of the CCleaner supply chain attack that provide a stronger link between this attack and the Axiom group. First of all, our research team would like to thank the entire team at Cisco Talos for their excellent work on this attack […]
NotPetya Returns as Bad Rabbit
Large scale cyber attacks seem to be happening once a month these days. Originally discovered by ESET (https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/), Ukrainian and Russian organizations have been hit with the latest ransomware attack named Bad Rabbit. At the time of writing this post, the ransomware has believed to have originated from compromised webpages with a fake popup for […]
North Korea and Iran Use CodeProject to Develop Their Malware
Software developers and malware authors share a desire to work smart, not hard In the software development world, engineers frequently use ready-made code for various tasks, whether it involves copying a snippet from Stack Overflow, taking a library from Github, or reusing a company’s own rich, legacy code base. On the darker side of things, […]
Evidence Aurora Operation Still Active Part 2: More Ties Uncovered Between CCleaner Hack & Chinese Hackers
Since my last post, we have found new evidence in the next stage payloads of the CCleaner supply chain attack that provide a stronger link between this attack and the Axiom group. First of all, our researchers would like to thank the entire team at Cisco Talos for their excellent work on this attack (their […]
Evidence Aurora Operation Still Active: Supply Chain Attack Through CCleaner
Check out our follow up blog here: Evidence Aurora Operation Still Active Part 2: More Ties Uncovered Between CCleaner Hack & Chinese Hackers Recently, there have been a few attacks with a supply chain infection, such as Shadowpad being implanted in many of Netsarang’s products, affecting millions of people. You may have the most up […]
New Variants of Agent.BTZ/ComRAT Found: The Threat That Hit The Pentagon In 2008 Still Evolving; Part 2/2
Our previous blog post was a short brief of new Agent.BTZ variants that we found. This second part in the series will demonstrate in greater detail exactly how we discovered these new variants. 1. Methodology To begin, we used our hunting methodology, which consist of four main parts: Collection: Collect multiple samples from different versions. […]
New Variants of Agent.BTZ/ComRAT Found: The Threat That Hit The Pentagon In 2008 Still Evolving; Part 1/2
Agent.BTZ–also known as ComRAT–is one of the world’s oldest known state-sponsored threats, mainly known for the 2008 Pentagon breach. Technically speaking, Agent.BTZ is a sophisticated user-mode RAT developed and operated by the Turla group in conjunction with Snake/Uroburos rootkit. In the past few months, we conducted research on Agent.BTZ’s code-base and how it evolved using […]
“EternalMiner” Copycats exploiting SambaCry for cryptocurrency mining
About eight weeks ago, a critical RCE vulnerability present in every Samba version since 2010 was reported and patched. This vulnerability is mostly known as “SambaCry” after the famous WannaCry attack targeting Windows systems vulnerable to “EternalBlue” SMB exploit. The vulnerability lies in a logical bug, which enables an attacker with write-only access to a […]