New APT34 Malware Targets The Middle East

Credit to Author: Mohamed Fahmy| Date: Thu, 02 Feb 2023 00:00:00 +0000

We analyze an infection campaign targeting organizations in the Middle East for cyberespionage in December 2022 using a new backdoor malware. The campaign abuses legitimate but compromised email accounts to send stolen data to external mail accounts controlled by the attackers.

Read more

Attacking The Supply Chain: Developer

Credit to Author: David Fiser| Date: Wed, 25 Jan 2023 00:00:00 +0000

In this proof of concept, we look into one of several attack vectors that can be abused to attack the supply chain: targeting the developer. With a focus on the local integrated developer environment (IDE), this proof considers the execution of malicious build scripts via injecting commands when the project or build is incorrectly “trusted”.

Read more

Raspberry Robin Malware Targets Telecom, Governments

Credit to Author: Christopher So| Date: Tue, 20 Dec 2022 00:00:00 +0000

We found samples of the Raspberry Robin malware spreading in telecommunications and government office systems beginning September. The main payload itself is packed with more than 10 layers for obfuscation and is capable of delivering a fake payload once it detects sandboxing and security analytics tools.

Read more

Ransomware Business Models: Future Pivots and Trends

Credit to Author: Feike Hacquebord| Date: Thu, 15 Dec 2022 00:00:00 +0000

Ransomware groups and their business models are expected to change from what and how we know it to date. In this blog entry, we summarize from some of our insights the triggers that spark the small changes in the short term (“evolutions”) and the bigger deviations (“revolutions”) they can redirect their criminal enterprises to in the long run.

Read more

Earth Preta Spear-Phishing Governments Worldwide

Credit to Author: Nick Dai| Date: Fri, 18 Nov 2022 00:00:00 +0000

We break down the cyberespionage activities of advanced persistent threat (APT) group Earth Preta, observed in large-scale attack deployments that began in March. We also show the infection routines of the malware families they use to infect multiple sectors worldwide: TONEINS, TONESHELL, and PUBLOAD.

Read more

Hack the Real Box: APT41’s New Subgroup Earth Longzhi

Credit to Author: Hara Hiroaki| Date: Wed, 09 Nov 2022 00:00:00 +0000

We looked into the campaigns deployed by a new subgroup of advanced persistent threat (APT) group APT41, Earth Longzhi. This entry breaks down the technical details of the campaigns in full as presented at HITCON PEACE 2022 in August.

Read more

LV Ransomware Exploits ProxyShell in Attack on a Jordan-based Company

Credit to Author: Mohamed Fahmy| Date: Tue, 25 Oct 2022 00:00:00 +0000

Our blog entry provides a look at an attack involving the LV ransomware on a Jordan-based company from an intrusion analysis standpoint

Read more

How Water Labbu Exploits Electron-Based Applications

Credit to Author: Joseph C Chen| Date: Wed, 05 Oct 2022 00:00:00 +0000

In the second part of our Water Labbu blog series, we explore how the threat actor exploits Electron-based applications using Cobalt Strike to deploy backdoors.

Read more