Advanced Persistent Threat

August 19, 2020

U.S. government agencies today published a malware analysis report exposing information on a remote access trojan (RAT) malware used by North Korean hackers in attacks targeting government contractors. The malware was identified by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) and is known as known BLINDINGCAN. The trojan was attributed ...

August 13, 2020

The FBI and NSA have published today a joint security alert containing details about a new strain of Linux malware that the two agencies say was developed and deployed in real-world attacks by Russia’s military hackers. The two agencies say Russian hackers used the malware, named Drovorub, was to plant backdoors inside hacked networks. Based on evidence ...

August 13, 2020

CactusPete (also known as Karma Panda or Tonto Team) is an APT group that has been publicly known since at least 2013. Some of the group’s activities have been previously described in public by multiple sources. We have been investigating and privately reporting on this group’s activity for years as well. Historically, their activity has ...

August 5, 2020

A stack of Linux backdoor malware used for espionage, compiled dynamically and customizable to specific targets, is being used as a shared resource by five different Chinese-language APT groups, according to researchers. According to an analysis from BlackBerry released at Black Hat 2020 on Wednesday, those five groups have turned out to all be splinters of ...

August 4, 2020

An Iranian hacking group known as Oilrig has become the first publicly known threat actor to incorporate the DNS-over-HTTPS (DoH) protocol in its attacks. Speaking in a webinar last week, Vincente Diaz, a malware analyst for antivirus maker Kaspersky, said the change happened in May this year when Oilrig added a new tool to its hacking ...

July 30, 2020

Tracked under the codename of “Operation North Star,” McAfee said these attacks have been linked to infrastructure and TTPs (Techniques, Tactics, and Procedures) previously associated with Hidden Cobra — an umbrella term the US government uses to describe all North Korean state-sponsored hacking groups. As for the attacks themselves, McAfee said they were run-of-the-mill spear-phishing emails ...

July 28, 2020

We may only be six months in, but there’s little doubt that 2020 will go down in history as a rather unpleasant year. In the field of cybersecurity, the collective hurt mostly crystallized around the increasing prevalence of targeted ransomware attacks. By investigating a number of these incidents and through discussions with some of our ...

July 22, 2020

While analyzing an attack against a Middle Eastern telecommunications organization, Unit 42 has discovered a variant of an OilRig-associated tool we call RDAT using a novel email-based command and control (C2) channel that relied on a technique known as steganography to hide commands and data within bitmap images attached to emails. In May 2020, Symantec published ...

July 22, 2020

As the IT and OT environment becomes more complex, adversaries are quick to adapt their attack strategy. For example, as users’ work environments diversify, adversaries are busy acquiring the TTPs to infiltrate systems. Recently, we reported to our Threat Intelligence Portal customers a similar malware framework that internally we called MATA. The MATA malware framework ...

July 16, 2020

One of Iran’s top hacking groups has left a server exposed online where security researchers say they found a trove of screen recordings showing the hackers in action. Discovered by IBM’s X-Force cyber-security division, researchers believe the videos are tutorials the Iranian group was using to train new recruits. According to X-Force analysts, the videos were recorded ...

July 9, 2020

Hackers in the Evilnum group have developed a toolset that combines custom malware, legitimate utilities, and tools bought from a malware-as-a-service (MaaS) provider that caters to big fintech threat actors. The group has been active since at least 2018 and focuses on companies from the financial technology sector that offer trading and investment platforms. Its targets are ...

July 1, 2020

Researchers have uncovered a surveillance campaign, dating back to at least 2013, which has used a slew of Android surveillanceware tools to spy on the Uyghur ethnic minority group. The campaign uses three never-before-seen Android surveillanceware tools, dubbed SilkBean, GoldenEagle and CarbonSteal, and one previously disclosed tool, DoubleAgent. The purpose of these tools is to gather and ...

June 30, 2020

he APT group known as StrongPity is back with a new watering-hole campaign, targeting mainly Kurdish victims in Turkey and Syria. The malware served offers operators the ability to search for and exfiltrate any file or document from a victim’s machine. The group (a.k.a. Promethium) is operating a series of bogus websites purporting to offer a ...

June 19, 2020

In February 2020, we observed a Trojan injected into the system process memory on a particular host. The target turned out to be a diplomatic entity. What initially attracted our attention was the enterprise-grade API-like (application programming interface) programming style. Such an approach is not that common in the malware world and is mostly used ...

June 18, 2020

The InvisiMole threat group has resurfaced in a new campaign, revealing a new toolset and a strategic collaboration with the high-profile Gamaredon advanced persistent threat (APT) group. InvisiMole was first uncovered by ESET in 2018, with cyberespionage activity dating back to 2013 in operations in Ukraine and Russia. More recently, from late 2019 until at least this month, researchers ...

June 17, 2020

When the news broke in 2014 about a new sophisticated threat actor dubbed the Turla Group, which the Estonian foreign intelligence service believes has Russian origins and operates on behalf of the FSB, its kernelmode malware also became the first publicly-described case that abused a third-party device driver to disable Driver Signature Enforcement (DSE). This security mechanism was introduced in Windows Vista ...

June 12, 2020

Russian officials said this week that German authorities have failed to produce the evidence that Russian military hackers breached the German Parliament in 2015. The statement is in relation to an arrest warrant that Germany filed at the end of May, when they charged a Russian hacker named Dmitriy Sergeyevich Badin. German prosecutors said Badin was a ...

June 11, 2020

New tools attributed to the Russia-linked Gamaredon hacker group include a module for Microsoft Outlook that creates custom emails with malicious documents and sends them to a victim’s contacts. The threat actor disables protections for running macro scripts in Outlook and to plant the source file for the spearphishing attacks that spread malware to other victims. Gamaredon ...

June 9, 2020

The APT known as TA410 has added a modular remote-access trojan (RAT) to its espionage arsenal, deployed against Windows targets in the United States’ utilities sector. According to researchers at Proofpoint, the RAT, called FlowCloud, can access installed applications and control the keyboard, mouse, screen, files, services and processes of an infected computer, with the ability ...

June 3, 2020

While investigating attacks related to a group named Cycldek post 2018, we were able to uncover various pieces of information on its activities that were not known thus far. In this blog post we aim to bridge the knowledge gap on this group and provide a more thorough insight into its latest activities and modus ...