Malware Reverse Engineering - Unraveling the Secrets of Encryption in Malware
Encryption is everywhere in our lives. You might not notice it, but you use it every single day. It is baked into...
CryptoClippy is Evolving to Pilfer Even More Financial Data
A banking trojan is a malware designed to steal sensitive financial information, such as online banking login credentials, credit card numbers, and...
How Hackers Use Binary Padding to Outsmart Sandboxes and Infiltrate Your Systems
What is binary padding? How can you detect against threats using junk data in various ways to evade defensive systems and sandboxes?...
Phishing Campaign Targets Chinese Nuclear Energy Industry
Intezer has been tracking activity targeting the energy sector and noted a campaign with techniques that align with those of Bitter APT,...
Lightning Framework: New Undetected “Swiss Army Knife” Linux Malware ⚡
Lightning Framework is a new undetected Swiss Army Knife-like Linux malware that has modular plugins and the ability to install rootkits. Year...
OrBit: New Undetected Linux Threat Uses Unique Hijack of Execution Flow
Linux is a popular operating system for servers and cloud infrastructures, and as such it’s not a surprise that it attracts threat...
YTStealer Malware: “YouTube Cookies! Om Nom Nom Nom”
The Stage: The Dark Web Market for YouTube Account Access In 2006, the term “data is the new oil” was coined. Ever...
Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat
Symbiote is a new Linux® malware we discovered that acts in a parasitic nature, infecting other running processes to inflict damage on...
Elephant Framework Delivered in Phishing Attacks Against Ukrainian Organizations
A recently developed malware framework called Elephant is being delivered in targeted spear phishing campaigns using spoofed Ukrainian governmental email addresses. The...
New Conversation Hijacking Campaign Delivering IcedID
This post describes the technical analysis of a new campaign detected by Intezer’s research team, which initiates attacks with a phishing email...
Detection Rules for Sysjoker (and How to Make Them With Osquery)
On January 11, 2022, we released a blog post on a new malware called SysJoker. SysJoker is a malware targeting Windows, macOS,...
New SysJoker Backdoor Targets Windows, Linux, and macOS
Malware targeting multiple operating systems has become no exception in the malware threat landscape. Vermilion Strike, which was documented just last September,...
Exposed Prefect Workflows Could Lead to Disruptive Attacks
Workflow management platforms are powerful tools for automating and managing complex tasks. Integrating workflow platforms can help companies coordinate and ease their...
Intezer Analyze Transforms for Maltego
We are happy to introduce the Intezer Analyze plugin for Maltego. Combine insights from our malware analysis platform with Maltego’s graphical tool (And you...
New Attacks on Kubernetes via Misconfigured Argo Workflows
Key Points Intezer has detected a new attack vector against Kubernetes (K8s) clusters via misconfigured Argo Workflows instances. Attackers are already taking advantage of this...
Targeted Phishing Attack against Ukrainian Government Expands to Georgia
In May 2021, Fortinet published a report about the early stages of an ongoing phishing attack against the Ukrainian government. The attack, initially...
Global Phishing Campaign Targets Energy Sector and its Suppliers
Our research team has found a sophisticated campaign, active for at least one year, targeting large international companies in the energy, oil...
Klingon RAT Holding on for Dear Life
With more malware written in Golang than ever before, the threat from Go-based Remote Access Trojans (RATs) has never been higher. Not only...
New Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor
We discovered a new sophisticated backdoor targeting Linux endpoints and servers Based on Tactics, Techniques, and Procedures (TTPs) the backdoor is believed to...
Year of the Gopher: 2020 Go Malware Round-Up
Developers are not the only ones that have adopted Go. Malware written in Go has been steadily increasing. In the last few...
How We Escaped Docker in Azure Functions
Summary of Findings What is Azure Functions? Technical Analysis Proof of Concept Why Does this Matter? Summary of Findings In previous months...
A Rare Look Inside a Cryptojacking Campaign and its Profit
Intro Linux threats are becoming more frequent. A common type of Linux threat is cryptojacking, which is the unauthorized use of an...
Operation ElectroRAT: Attacker Creates Fake Companies to Drain Your Crypto Wallets
Already with thousands of victims. Intro With Bitcoin on the rise and a market exceeding billions of dollars, cryptocurrency has attracted threat actors...
Early Bird Catches the Worm: New Golang Worm Drops XMRig Miner on Servers
Intro In early December, we discovered a new, undetected worm written in Golang. This worm continues the popular 2020 trend of multi-platform malware developed...
A Zebra in Gopher's Clothing: Russian APT Uses COVID-19 Lures to Deliver Zebrocy
Summary In November, we uncovered COVID-19 phishing lures that were used to deliver the Go version of Zebrocy. Zebrocy is mainly used...
Stantinko’s Proxy After Your Apache Server
Intro It is common for threat actors to evolve their Linux malware. BlackTech with their new ELF_PLEAD malware and Winnti’s PWNLNX tool are recent examples....
A Storm is Brewing: IPStorm Now Has Linux Malware
Introduction The development of cross-platform malware is not new, however, we continue to observe a number of malware that were previously documented only...
VB2020 - Advanced Pasta Threat: Mapping Malware Use of Open Source Offensive Security Tools
The term Offensive Security Tool, also known as OST, is a controversial subject within the InfoSec community. It often sparks fierce debate...
PureLocker: New Ransomware-as-a-Service Being Used in Targeted Attacks Against Servers
Analysis by Intezer and IBM X-Force points its origins to a Malware-as-a-Service (MaaS) provider utilized by the Cobalt Gang and FIN6 attack...
Mapping the Connections Inside Russia's APT Ecosystem
This research is a joint effort conducted by Omri Ben-Bassat from Intezer and Itay Cohen from Check Point Research. Prologue пролог If...
Watching the WatchBog: New BlueKeep Scanner and Linux Exploits
Overview We have discovered a new version of WatchBog—a cryptocurrency-mining botnet operational since late 2018—that we suspect has compromised more than 4,500 Linux...
EvilGnome: Rare Malware Spying on Linux Desktop Users
Introduction Linux desktop remains an unpopular choice among mainstream desktop users, making up a little more than 2% of the desktop operating system...
Executable and Linkable Format 101 Part 4: Dynamic Linking
This is a new post in our Executable and Linkable Format (ELF) 101 series, where the goal is to spread awareness about the...