This analysis is part of an incident investigation led by the FortiGuard Incident Response Team.
Fortiguard Incident Response Team discovered malware that had been running on a compromised machine for several weeks. The threat actor had executed a batch of scripts and PowerShell to run the malware in a Windows process. Although obtaining the original malware executable was difficult, a memory dump of the running malware process and a full memory dump of the compromised machine (the “fullout” file, size 33GB) were successfully acquired.
Read more…
Source: Fortinet
Sign up for our Newsletter
The latest news and insights delivered right to your inbox.
Related:
- WastedLocker: technical analysis
July 31, 2020
The use of crypto-ransomware in targeted attacks has become an ordinary occurrence lately: new incidents are being reported every month, sometimes even more often. On July 23, Garmin, a major manufacturer of navigation equipment and smart devices, including smart watches and bracelets, experienced a massive service outage. As confirmed by an official statement later, the cause ...
- Emotet malware now steals your email attachments to attack contacts
July 29, 2020
The Emotet malware botnet is now also using stolen attachments to increase the authenticity of spam emails used for infecting targets’ systems. This is the first time the botnet is using stolen attachments to add credibility to emails as Binary Defense threat researcher James Quinn told BleepingComputer. The attachment stealer module code — that also steals email ...
- Mirai Botnet Exploit Weaponized to Attack IoT Devices via CVE-2020-5902
July 28, 2020
Following the initial disclosure of two F5 BIG-IP vulnerabilities on the first week of July, we continued monitoring and analyzing the vulnerabilities and other related activities to further understand their severities. Based on the workaround published for CVE-2020-5902, we found an internet of things (IoT) Mirai botnet downloader (detected by Trend Micro as Trojan.SH.MIRAI.BOI) that ...
- Ensiko: A Webshell With Ransomware Capabilities
July 27, 2020
Ensiko is a PHP web shell with ransomware capabilities that targets various platforms such as Linux, Windows, macOS, or any other platform that has PHP installed. The malware has the capability to remotely control the system and accept commands to perform malicious activities on the infected machine. It can also execute shell commands on an infected ...
- OilRig Targets Middle Eastern Telecom Organization and Adds Novel C2 Channel with Steganography to Its Inventory
July 22, 2020
While analyzing an attack against a Middle Eastern telecommunications organization, Unit 42 has discovered a variant of an OilRig-associated tool we call RDAT using a novel email-based command and control (C2) channel that relied on a technique known as steganography to hide commands and data within bitmap images attached to emails. In May 2020, Symantec published ...
- MATA: Multi-platform targeted malware framework
July 22, 2020
As the IT and OT environment becomes more complex, adversaries are quick to adapt their attack strategy. For example, as users’ work environments diversify, adversaries are busy acquiring the TTPs to infiltrate systems. Recently, we reported to our Threat Intelligence Portal customers a similar malware framework that internally we called MATA. The MATA malware framework ...

