aka: Winnti Umbrella, Winnti Group, Suckfly, APT41, APT 41, Group72, Group 72, Blackfly, LEAD, WICKED SPIDER, WICKED PANDA, BARIUM, BRONZE ATLAS, BRONZE EXPORT, Red Kelpie
The Winnti grouping of activity is large and may actually be a number of linked groups rather than a single discrete entity. Kaspersky describe Winnti as: 'The Winnti group has been attacking companies in the online video game industry since 2009 and is currently still active. The groups objectives are stealing digital certificates signed by legitimate software vendors in addition to intellectual property theft, including the source code of online game projects. The majority of the victims are from South East Asia.'
2020-11-30 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20201130:threat:2633df5,
author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)},
title = {{Threat actor (BISMUTH) leverages coin miner techniques to stay under the radar – here’s how to spot them}},
date = {2020-11-30},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them/},
language = {English},
urldate = {2020-12-01}
}
Threat actor (BISMUTH) leverages coin miner techniques to stay under the radar – here’s how to spot them
Cobalt Strike |
2020-11-27 ⋅ PTSecurity ⋅ Denis Goydenko, Alexey Vishnyakov
@online{goydenko:20201127:investigation:7d12cee,
author = {Denis Goydenko and Alexey Vishnyakov},
title = {{Investigation with a twist: an accidental APT attack and averted data destruction}},
date = {2020-11-27},
organization = {PTSecurity},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/},
language = {English},
urldate = {2020-12-01}
}
Investigation with a twist: an accidental APT attack and averted data destruction
TwoFace CHINACHOPPER HyperBro MegaCortex MimiKatz LuckyMouse |
2020-11-23 ⋅ Youtube (OWASP DevSlop) ⋅ Negar Shabab, Noushin Shabab
@online{shabab:20201123:compromised:6dd1417,
author = {Negar Shabab and Noushin Shabab},
title = {{Compromised Compilers - A new perspective of supply chain cyber attacks}},
date = {2020-11-23},
organization = {Youtube (OWASP DevSlop)},
url = {https://www.youtube.com/watch?v=55kaaMGBARM},
language = {English},
urldate = {2020-11-23}
}
Compromised Compilers - A new perspective of supply chain cyber attacks
ShadowPad |
2020-11-23 ⋅ Proofpoint ⋅ Proofpoint Threat Research Team
@online{team:20201123:ta416:60e8b7e,
author = {Proofpoint Threat Research Team},
title = {{TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader}},
date = {2020-11-23},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader},
language = {English},
urldate = {2020-11-25}
}
TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader
PlugX |
2020-11-20 ⋅ 360 netlab ⋅ JiaYu
@online{jiayu:20201120:blackrota:ee43da1,
author = {JiaYu},
title = {{Blackrota, a highly obfuscated backdoor developed by Go}},
date = {2020-11-20},
organization = {360 netlab},
url = {https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go/},
language = {Chinese},
urldate = {2020-11-23}
}
Blackrota, a highly obfuscated backdoor developed by Go
Cobalt Strike |
2020-11-20 ⋅ F-Secure Labs ⋅ Riccardo Ancarani
@online{ancarani:20201120:detecting:79afa40,
author = {Riccardo Ancarani},
title = {{Detecting Cobalt Strike Default Modules via Named Pipe Analysis}},
date = {2020-11-20},
organization = {F-Secure Labs},
url = {https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis},
language = {English},
urldate = {2020-11-23}
}
Detecting Cobalt Strike Default Modules via Named Pipe Analysis
Cobalt Strike |
2020-11-20 ⋅ ZDNet ⋅ Catalin Cimpanu
@online{cimpanu:20201120:malware:0b8ff59,
author = {Catalin Cimpanu},
title = {{The malware that usually installs ransomware and you need to remove right away}},
date = {2020-11-20},
organization = {ZDNet},
url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/},
language = {English},
urldate = {2020-11-23}
}
The malware that usually installs ransomware and you need to remove right away
Avaddon Ransomware BazarBackdoor Buer Clop Cobalt Strike Conti Ransomware DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader |
2020-11-20 ⋅ Trend Micro ⋅ Abraham Camba, Bren Matthew Ebriega, Gilbert Sison
@online{camba:20201120:weaponizing:e15699d,
author = {Abraham Camba and Bren Matthew Ebriega and Gilbert Sison},
title = {{Weaponizing Open Source Software for Targeted Attacks}},
date = {2020-11-20},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html},
language = {English},
urldate = {2020-11-23}
}
Weaponizing Open Source Software for Targeted Attacks
LaZagne Defray PlugX |
2020-11-17 ⋅ cyble ⋅ Cyble
@online{cyble:20201117:oceanlotus:d33eb97,
author = {Cyble},
title = {{OceanLotus Continues With Its Cyber Espionage Operations}},
date = {2020-11-17},
organization = {cyble},
url = {https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/},
language = {English},
urldate = {2020-11-18}
}
OceanLotus Continues With Its Cyber Espionage Operations
Cobalt Strike Meterpreter |
2020-11-13 ⋅ Youtube (The Standoff) ⋅ Alexey Zakharov, Positive Technologies
@online{zakharov:20201113:ff202eng:1d1222c,
author = {Alexey Zakharov and Positive Technologies},
title = {{FF_202_Eng - From old Higaisa samples to new Winnti backdoors: The story of one research}},
date = {2020-11-13},
organization = {Youtube (The Standoff)},
url = {https://www.youtube.com/watch?v=8x-pGlWpIYI},
language = {English},
urldate = {2020-11-23}
}
FF_202_Eng - From old Higaisa samples to new Winnti backdoors: The story of one research
CROSSWALK Unidentified 076 (Higaisa LNK to Shellcode) |
2020-11-09 ⋅ Bleeping Computer ⋅ Ionut Ilascu
@online{ilascu:20201109:fake:c6dd7b3,
author = {Ionut Ilascu},
title = {{Fake Microsoft Teams updates lead to Cobalt Strike deployment}},
date = {2020-11-09},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/},
language = {English},
urldate = {2020-11-11}
}
Fake Microsoft Teams updates lead to Cobalt Strike deployment
Cobalt Strike DoppelPaymer NjRAT Predator The Thief Zloader |
2020-11-06 ⋅ Volexity ⋅ Steven Adair, Thomas Lancaster, Volexity Threat Research
@online{adair:20201106:oceanlotus:f7b11ac,
author = {Steven Adair and Thomas Lancaster and Volexity Threat Research},
title = {{OceanLotus: Extending Cyber Espionage Operations Through Fake Websites}},
date = {2020-11-06},
organization = {Volexity},
url = {https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/},
language = {English},
urldate = {2020-11-09}
}
OceanLotus: Extending Cyber Espionage Operations Through Fake Websites
Cobalt Strike KerrDown APT32 |
2020-11-06 ⋅ Cobalt Strike ⋅ Raphael Mudge
@online{mudge:20201106:cobalt:05fe8fc,
author = {Raphael Mudge},
title = {{Cobalt Strike 4.2 – Everything but the kitchen sink}},
date = {2020-11-06},
organization = {Cobalt Strike},
url = {https://blog.cobaltstrike.com/2020/11/06/cobalt-strike-4-2-everything-but-the-kitchen-sink/},
language = {English},
urldate = {2020-11-09}
}
Cobalt Strike 4.2 – Everything but the kitchen sink
Cobalt Strike |
2020-11-06 ⋅ Palo Alto Networks Unit 42 ⋅ Ryan Tracey, Drew Schmitt, CRYPSIS
@online{tracey:20201106:indicators:1ec9384,
author = {Ryan Tracey and Drew Schmitt and CRYPSIS},
title = {{Indicators of Compromise related to Cobaltstrike, PyXie Lite, Vatet and Defray777}},
date = {2020-11-06},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/},
language = {English},
urldate = {2020-11-12}
}
Indicators of Compromise related to Cobaltstrike, PyXie Lite, Vatet and Defray777
Cobalt Strike PyXie RansomEXX |
2020-11-06 ⋅ Advanced Intelligence ⋅ Vitali Kremez
@online{kremez:20201106:anatomy:b2ce3ae,
author = {Vitali Kremez},
title = {{Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware "one" Group via Cobalt Strike}},
date = {2020-11-06},
organization = {Advanced Intelligence},
url = {https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike},
language = {English},
urldate = {2020-11-09}
}
Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware "one" Group via Cobalt Strike
BazarBackdoor Cobalt Strike Ryuk |
2020-11-05 ⋅ Twitter (@ffforward) ⋅ TheAnalyst
@online{theanalyst:20201105:zloader:c4bab85,
author = {TheAnalyst},
title = {{Tweet on Zloader infection leads to Cobaltstrike Installation and deployment of RYUK}},
date = {2020-11-05},
organization = {Twitter (@ffforward)},
url = {https://twitter.com/ffforward/status/1324281530026524672},
language = {English},
urldate = {2020-11-09}
}
Tweet on Zloader infection leads to Cobaltstrike Installation and deployment of RYUK
Cobalt Strike Ryuk Zloader |
2020-11-05 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20201105:ryuk:ceaa823,
author = {The DFIR Report},
title = {{Ryuk Speed Run, 2 Hours to Ransom}},
date = {2020-11-05},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/},
language = {English},
urldate = {2020-11-06}
}
Ryuk Speed Run, 2 Hours to Ransom
BazarBackdoor Cobalt Strike Ryuk |
2020-11-04 ⋅ Sophos ⋅ Gabor Szappanos
@online{szappanos:20201104:new:66b8447,
author = {Gabor Szappanos},
title = {{A new APT uses DLL side-loads to “KilllSomeOne”}},
date = {2020-11-04},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2020/11/04/a-new-apt-uses-dll-side-loads-to-killlsomeone/},
language = {English},
urldate = {2020-11-06}
}
A new APT uses DLL side-loads to “KilllSomeOne”
PlugX |
2020-11-04 ⋅ VMRay ⋅ Giovanni Vigna
@online{vigna:20201104:trick:a59a333,
author = {Giovanni Vigna},
title = {{Trick or Threat: Ryuk ransomware targets the health care industry}},
date = {2020-11-04},
organization = {VMRay},
url = {https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/},
language = {English},
urldate = {2020-11-06}
}
Trick or Threat: Ryuk ransomware targets the health care industry
BazarBackdoor Cobalt Strike Ryuk TrickBot |
2020-11-03 ⋅ InfoSec Handlers Diary Blog ⋅ Renato Marinho
@online{marinho:20201103:attackers:9b3762b,
author = {Renato Marinho},
title = {{Attackers Exploiting WebLogic Servers via CVE-2020-14882 to install Cobalt Strike}},
date = {2020-11-03},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/26752},
language = {English},
urldate = {2020-11-06}
}
Attackers Exploiting WebLogic Servers via CVE-2020-14882 to install Cobalt Strike
Cobalt Strike |
2020-11-03 ⋅ Kaspersky Labs ⋅ GReAT
@online{great:20201103:trends:febc159,
author = {GReAT},
title = {{APT trends report Q3 2020}},
date = {2020-11-03},
organization = {Kaspersky Labs},
url = {https://securelist.com/apt-trends-report-q3-2020/99204/},
language = {English},
urldate = {2020-11-04}
}
APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti |
2020-10-30 ⋅ Github (ThreatConnect-Inc) ⋅ ThreatConnect
@online{threatconnect:20201030:unc:b3ae3d0,
author = {ThreatConnect},
title = {{UNC 1878 Indicators from Threatconnect}},
date = {2020-10-30},
organization = {Github (ThreatConnect-Inc)},
url = {https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv},
language = {English},
urldate = {2020-11-06}
}
UNC 1878 Indicators from Threatconnect
BazarBackdoor Cobalt Strike Ryuk |
2020-10-29 ⋅ Github (Swisscom) ⋅ Swisscom CSIRT
@online{csirt:20201029:list:5fb0206,
author = {Swisscom CSIRT},
title = {{List of CobaltStrike C2's used by RYUK}},
date = {2020-10-29},
organization = {Github (Swisscom)},
url = {https://github.com/swisscom/detections/blob/main/RYUK/cobaltstrike_c2s.txt},
language = {English},
urldate = {2020-11-02}
}
List of CobaltStrike C2's used by RYUK
Cobalt Strike |
2020-10-29 ⋅ RiskIQ ⋅ RiskIQ
@online{riskiq:20201029:ryuk:0643968,
author = {RiskIQ},
title = {{Ryuk Ransomware: Extensive Attack Infrastructure Revealed}},
date = {2020-10-29},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/0bcefe76},
language = {English},
urldate = {2020-11-02}
}
Ryuk Ransomware: Extensive Attack Infrastructure Revealed
Cobalt Strike Ryuk |
2020-10-29 ⋅ Red Canary ⋅ The Red Canary Team
@online{team:20201029:bazar:1846b93,
author = {The Red Canary Team},
title = {{A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak}},
date = {2020-10-29},
organization = {Red Canary},
url = {https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/},
language = {English},
urldate = {2020-11-02}
}
A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak
Cobalt Strike Ryuk TrickBot |
2020-10-28 ⋅ FireEye ⋅ Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock
@online{goody:20201028:unhappy:c0d2e4b,
author = {Kimberly Goody and Jeremy Kennelly and Joshua Shilko and Steve Elovitz and Douglas Bienstock},
title = {{Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser}},
date = {2020-10-28},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html},
language = {English},
urldate = {2020-11-02}
}
Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser
BazarBackdoor Cobalt Strike Ryuk UNC1878 |
2020-10-27 ⋅ Dr.Web ⋅ Dr.Web
@techreport{drweb:20201027:study:9f6e628,
author = {Dr.Web},
title = {{Study of the ShadowPad APT backdoor and its relation to PlugX}},
date = {2020-10-27},
institution = {Dr.Web},
url = {https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf},
language = {English},
urldate = {2020-10-29}
}
Study of the ShadowPad APT backdoor and its relation to PlugX
Ghost RAT PlugX ShadowPad |
2020-10-27 ⋅ Sophos Managed Threat Response (MTR) ⋅ Greg Iddon
@online{iddon:20201027:mtr:3b62ca9,
author = {Greg Iddon},
title = {{MTR Casebook: An active adversary caught in the act}},
date = {2020-10-27},
organization = {Sophos Managed Threat Response (MTR)},
url = {https://news.sophos.com/en-us/2020/10/27/mtr-casebook-an-active-adversary-caught-in-the-act/},
language = {English},
urldate = {2020-11-02}
}
MTR Casebook: An active adversary caught in the act
Cobalt Strike |
2020-10-18 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20201018:ryuk:fbaadb8,
author = {The DFIR Report},
title = {{Ryuk in 5 Hours}},
date = {2020-10-18},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/},
language = {English},
urldate = {2020-10-19}
}
Ryuk in 5 Hours
BazarBackdoor Cobalt Strike Ryuk |
2020-10-14 ⋅ RiskIQ ⋅ Steve Ginty, Jon Gross
@online{ginty:20201014:wellmarked:9176303,
author = {Steve Ginty and Jon Gross},
title = {{A Well-Marked Trail: Journeying through OceanLotus's Infrastructure}},
date = {2020-10-14},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/f0320980},
language = {English},
urldate = {2020-10-23}
}
A Well-Marked Trail: Journeying through OceanLotus's Infrastructure
Cobalt Strike |
2020-10-14 ⋅ Sophos ⋅ Sean Gallagher
@online{gallagher:20201014:theyre:99f5d1e,
author = {Sean Gallagher},
title = {{They’re back: inside a new Ryuk ransomware attack}},
date = {2020-10-14},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/},
language = {English},
urldate = {2020-10-16}
}
They’re back: inside a new Ryuk ransomware attack
Cobalt Strike Ryuk SystemBC |
2020-10-12 ⋅ Advanced Intelligence ⋅ Roman Marshanski, Vitali Kremez
@online{marshanski:20201012:front:686add1,
author = {Roman Marshanski and Vitali Kremez},
title = {{"Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon}},
date = {2020-10-12},
organization = {Advanced Intelligence},
url = {https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon},
language = {English},
urldate = {2020-10-13}
}
"Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon
BazarBackdoor Cobalt Strike Ryuk |
2020-10-11 ⋅ Github (StrangerealIntel) ⋅ StrangerealIntel
@online{strangerealintel:20201011:chimera:a423a07,
author = {StrangerealIntel},
title = {{Chimera, APT19 under the radar ?}},
date = {2020-10-11},
organization = {Github (StrangerealIntel)},
url = {https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md},
language = {English},
urldate = {2020-10-15}
}
Chimera, APT19 under the radar ?
Cobalt Strike Meterpreter |
2020-10-08 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20201008:ryuks:e47d8fa,
author = {The DFIR Report},
title = {{Ryuk’s Return}},
date = {2020-10-08},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2020/10/08/ryuks-return/},
language = {English},
urldate = {2020-10-09}
}
Ryuk’s Return
BazarBackdoor Cobalt Strike Ryuk |
2020-10-08 ⋅ Bayerischer Rundfunk ⋅ Hakan Tanriverdi, Max Zierer, Ann-Kathrin Wetter, Kai Biermann, Thi Do Nguyen
@online{tanriverdi:20201008:there:620f4e7,
author = {Hakan Tanriverdi and Max Zierer and Ann-Kathrin Wetter and Kai Biermann and Thi Do Nguyen},
title = {{There is no safe place}},
date = {2020-10-08},
organization = {Bayerischer Rundfunk},
url = {https://web.br.de/interaktiv/ocean-lotus/en/},
language = {English},
urldate = {2020-10-12}
}
There is no safe place
Cobalt Strike |
2020-10-02 ⋅ Health Sector Cybersecurity Coordination Center (HC3) ⋅ Health Sector Cybersecurity Coordination Center (HC3)
@techreport{hc3:20201002:report:0ca373f,
author = {Health Sector Cybersecurity Coordination Center (HC3)},
title = {{Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns}},
date = {2020-10-02},
institution = {Health Sector Cybersecurity Coordination Center (HC3)},
url = {https://www.hhs.gov/sites/default/files/bazarloader.pdf},
language = {English},
urldate = {2020-11-02}
}
Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns
BazarBackdoor Cobalt Strike Ryuk TrickBot |
2020-10-01 ⋅ Wired ⋅ Andy Greenberg
@online{greenberg:20201001:russias:3440982,
author = {Andy Greenberg},
title = {{Russia’s Fancy Bear Hackers Likely Penetrated a US Federal Agency}},
date = {2020-10-01},
organization = {Wired},
url = {https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/},
language = {English},
urldate = {2020-10-05}
}
Russia’s Fancy Bear Hackers Likely Penetrated a US Federal Agency
Cobalt Strike Meterpreter |
2020-10-01 ⋅ US-CERT ⋅ US-CERT
@online{uscert:20201001:alert:a46c3d4,
author = {US-CERT},
title = {{Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions}},
date = {2020-10-01},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/alerts/aa20-275a},
language = {English},
urldate = {2020-10-04}
}
Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions
CHINACHOPPER Cobalt Strike Empire Downloader MimiKatz Poison Ivy |
2020-09-29 ⋅ CrowdStrike ⋅ Kareem Hamdan, Lucas Miller
@online{hamdan:20200929:getting:c01923a,
author = {Kareem Hamdan and Lucas Miller},
title = {{Getting the Bacon from the Beacon}},
date = {2020-09-29},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/},
language = {English},
urldate = {2020-10-05}
}
Getting the Bacon from the Beacon
Cobalt Strike |
2020-09-29 ⋅ Github (Apr4h) ⋅ Apra
@online{apra:20200929:cobaltstrikescan:ab5f221,
author = {Apra},
title = {{CobaltStrikeScan}},
date = {2020-09-29},
organization = {Github (Apr4h)},
url = {https://github.com/Apr4h/CobaltStrikeScan},
language = {English},
urldate = {2020-10-05}
}
CobaltStrikeScan
Cobalt Strike |
2020-09-24 ⋅ US-CERT ⋅ US-CERT
@online{uscert:20200924:analysis:e1e4cc0,
author = {US-CERT},
title = {{Analysis Report (AR20-268A): Federal Agency Compromised by Malicious Cyber Actor}},
date = {2020-09-24},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a},
language = {English},
urldate = {2020-10-13}
}
Analysis Report (AR20-268A): Federal Agency Compromised by Malicious Cyber Actor
Cobalt Strike Meterpreter |
2020-09-21 ⋅ Cisco Talos ⋅ Nick Mavis, Joe Marshall, JON MUNSHAW
@techreport{mavis:20200921:art:d9702a4,
author = {Nick Mavis and Joe Marshall and JON MUNSHAW},
title = {{The art and science of detecting Cobalt Strike}},
date = {2020-09-21},
institution = {Cisco Talos},
url = {https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf},
language = {English},
urldate = {2020-09-23}
}
The art and science of detecting Cobalt Strike
Cobalt Strike |
2020-09-18 ⋅ Trend Micro ⋅ Trend Micro
@online{micro:20200918:us:7900e6a,
author = {Trend Micro},
title = {{U.S. Justice Department Charges APT41 Hackers over Global Cyberattacks}},
date = {2020-09-18},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html},
language = {English},
urldate = {2020-09-23}
}
U.S. Justice Department Charges APT41 Hackers over Global Cyberattacks
Cobalt Strike ColdLock |
2020-09-18 ⋅ Symantec ⋅ Threat Hunter Team
@online{team:20200918:apt41:363daa8,
author = {Threat Hunter Team},
title = {{APT41: Indictments Put Chinese Espionage Group in the Spotlight}},
date = {2020-09-18},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage},
language = {English},
urldate = {2020-09-23}
}
APT41: Indictments Put Chinese Espionage Group in the Spotlight
CROSSWALK PlugX poisonplug ShadowPad Winnti |
2020-09-16 ⋅ Department of Justice ⋅ Department of Justice
@online{justice:20200916:seven:d4591b9,
author = {Department of Justice},
title = {{Seven International Cyber Defendants, Including “Apt41” Actors, Charged In Connection With Computer Intrusion Campaigns Against More Than 100 Victims Globally}},
date = {2020-09-16},
organization = {Department of Justice},
url = {https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer},
language = {English},
urldate = {2020-09-18}
}
Seven International Cyber Defendants, Including “Apt41” Actors, Charged In Connection With Computer Intrusion Campaigns Against More Than 100 Victims Globally
Axiom |
2020-09-16 ⋅ FBI ⋅ FBI
@techreport{fbi:20200916:fbi:76fd945,
author = {FBI},
title = {{FBI Flash AC-000133-TT: Indictment of China-Based Cyber Actors Associated with APT 41for Intrusion Activities}},
date = {2020-09-16},
institution = {FBI},
url = {https://assets.documentcloud.org/documents/7210602/FLASH-AC-000133-TT-Published.pdf},
language = {English},
urldate = {2020-09-18}
}
FBI Flash AC-000133-TT: Indictment of China-Based Cyber Actors Associated with APT 41for Intrusion Activities
Axiom |
2020-09-15 ⋅ US-CERT ⋅ US-CERT
@online{uscert:20200915:alert:13d0ab3,
author = {US-CERT},
title = {{Alert (AA20-259A): Iran-Based Threat Actor Exploits VPN Vulnerabilities}},
date = {2020-09-15},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/alerts/aa20-259a},
language = {English},
urldate = {2020-09-16}
}
Alert (AA20-259A): Iran-Based Threat Actor Exploits VPN Vulnerabilities
CHINACHOPPER Fox Kitten |
2020-09-15 ⋅ Recorded Future ⋅ Insikt Group®
@techreport{group:20200915:back:2c78a6f,
author = {Insikt Group®},
title = {{Back Despite Disruption: RedDelta Resumes Operations}},
date = {2020-09-15},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0915.pdf},
language = {English},
urldate = {2020-09-16}
}
Back Despite Disruption: RedDelta Resumes Operations
PlugX |
2020-09-15 ⋅ US-CERT ⋅ US-CERT
@online{uscert:20200915:malware:8345418,
author = {US-CERT},
title = {{Malware Analysis Report (AR20-259A): Iranian Web Shells}},
date = {2020-09-15},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-259a},
language = {English},
urldate = {2020-09-16}
}
Malware Analysis Report (AR20-259A): Iranian Web Shells
CHINACHOPPER |
2020-09-11 ⋅ ThreatConnect ⋅ ThreatConnect Research Team
@online{team:20200911:research:edfb074,
author = {ThreatConnect Research Team},
title = {{Research Roundup: Activity on Previously Identified APT33 Domains}},
date = {2020-09-11},
organization = {ThreatConnect},
url = {https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/},
language = {English},
urldate = {2020-09-15}
}
Research Roundup: Activity on Previously Identified APT33 Domains
Emotet PlugX APT33 |
2020-09-10 ⋅ Kaspersky Labs ⋅ GReAT
@online{great:20200910:overview:f751b73,
author = {GReAT},
title = {{An overview of targeted attacks and APTs on Linux}},
date = {2020-09-10},
organization = {Kaspersky Labs},
url = {https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/},
language = {English},
urldate = {2020-10-05}
}
An overview of targeted attacks and APTs on Linux
Cloud Snooper Dacls DoubleFantasy MESSAGETAP Penquin Turla Tsunami elf.wellmess X-Agent |
2020-09-08 ⋅ PTSecurity ⋅ PTSecurity
@techreport{ptsecurity:20200908:shadowpad:2903f45,
author = {PTSecurity},
title = {{ShadowPad: new activity from the Winnti group}},
date = {2020-09-08},
institution = {PTSecurity},
url = {https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf},
language = {English},
urldate = {2020-10-08}
}
ShadowPad: new activity from the Winnti group
CCleaner Backdoor Korlia ShadowPad TypeHash |
2020-09-03 ⋅ Viettel Cybersecurity ⋅ vuonglvm
@online{vuonglvm:20200903:apt32:02bd8fc,
author = {vuonglvm},
title = {{APT32 deobfuscation arsenal: Deobfuscating một vài loại Obfucation Toolkit của APT32 (Phần 2)}},
date = {2020-09-03},
organization = {Viettel Cybersecurity},
url = {https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-2/},
language = {Vietnamese},
urldate = {2020-09-09}
}
APT32 deobfuscation arsenal: Deobfuscating một vài loại Obfucation Toolkit của APT32 (Phần 2)
Cobalt Strike |
2020-09-01 ⋅ Cisco Talos ⋅ David Liebenberg, Caitlin Huey
@online{liebenberg:20200901:quarterly:c02962b,
author = {David Liebenberg and Caitlin Huey},
title = {{Quarterly Report: Incident Response trends in Summer 2020}},
date = {2020-09-01},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html},
language = {English},
urldate = {2020-09-03}
}
Quarterly Report: Incident Response trends in Summer 2020
Cobalt Strike LockBit Mailto Maze Ryuk |
2020-08-31 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20200831:netwalker:29a1511,
author = {The DFIR Report},
title = {{NetWalker Ransomware in 1 Hour}},
date = {2020-08-31},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/},
language = {English},
urldate = {2020-08-31}
}
NetWalker Ransomware in 1 Hour
Cobalt Strike Mailto MimiKatz |
2020-08-20 ⋅ Seebug Paper ⋅ Malayke
@online{malayke:20200820:use:77d3957,
author = {Malayke},
title = {{Use ZoomEye to track multiple Redteam C&C post-penetration attack frameworks}},
date = {2020-08-20},
organization = {Seebug Paper},
url = {https://paper.seebug.org/1301/},
language = {Chinese},
urldate = {2020-08-24}
}
Use ZoomEye to track multiple Redteam C&C post-penetration attack frameworks
Cobalt Strike Empire Downloader PoshC2 |
2020-08-19 ⋅ TEAMT5 ⋅ TeamT5
@online{teamt5:20200819:0819:e955419,
author = {TeamT5},
title = {{調查局 08/19 公布中國對台灣政府機關駭侵事件說明}},
date = {2020-08-19},
organization = {TEAMT5},
url = {https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/},
language = {Chinese},
urldate = {2020-08-25}
}
調查局 08/19 公布中國對台灣政府機關駭侵事件說明
Cobalt Strike |
2020-08-14 ⋅ Twitter (@VK_intel) ⋅ Vitali Kremez
@online{kremez:20200814:zloader:cbd9ad5,
author = {Vitali Kremez},
title = {{Tweet on Zloader infection leading to Cobaltstrike Installation}},
date = {2020-08-14},
organization = {Twitter (@VK_intel)},
url = {https://twitter.com/VK_Intel/status/1294320579311435776},
language = {English},
urldate = {2020-11-09}
}
Tweet on Zloader infection leading to Cobaltstrike Installation
Cobalt Strike Zloader |
2020-08-06 ⋅ Wired ⋅ Andy Greenberg
@online{greenberg:20200806:chinese:32c43e3,
author = {Andy Greenberg},
title = {{Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry}},
date = {2020-08-06},
organization = {Wired},
url = {https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/},
language = {English},
urldate = {2020-11-04}
}
Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry
Cobalt Strike MimiKatz Winnti Operation Skeleton Key |
2020-08-04 ⋅ BlackHat ⋅ Chung-Kuan Chen, Inndy Lin, Shang-De Jiang
@techreport{chen:20200804:operation:4cf417f,
author = {Chung-Kuan Chen and Inndy Lin and Shang-De Jiang},
title = {{Operation Chimera - APT Operation Targets Semiconductor Vendors}},
date = {2020-08-04},
institution = {BlackHat},
url = {https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf},
language = {English},
urldate = {2020-11-04}
}
Operation Chimera - APT Operation Targets Semiconductor Vendors
Cobalt Strike MimiKatz Winnti Operation Skeleton Key |
2020-07-29 ⋅ Recorded Future ⋅ Insikt Group
@techreport{group:20200729:chinese:1929fcd,
author = {Insikt Group},
title = {{Chinese State-sponsored Group RedDelta Targets the Vatican and Catholic Organizations}},
date = {2020-07-29},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf},
language = {English},
urldate = {2020-07-30}
}
Chinese State-sponsored Group RedDelta Targets the Vatican and Catholic Organizations
PlugX |
2020-07-29 ⋅ Kaspersky Labs ⋅ GReAT
@online{great:20200729:trends:6810325,
author = {GReAT},
title = {{APT trends report Q2 2020}},
date = {2020-07-29},
organization = {Kaspersky Labs},
url = {https://securelist.com/apt-trends-report-q2-2020/97937/},
language = {English},
urldate = {2020-07-30}
}
APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel |
2020-07-29 ⋅ ESET Research ⋅ welivesecurity
@techreport{welivesecurity:20200729:threat:496355c,
author = {welivesecurity},
title = {{THREAT REPORT Q2 2020}},
date = {2020-07-29},
institution = {ESET Research},
url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf},
language = {English},
urldate = {2020-07-30}
}
THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos Ransomware PlugX Pony REvil Socelars STOP Ransomware Tinba TrickBot WannaCryptor |
2020-07-28 ⋅ NTT ⋅ NTT Security
@online{security:20200728:craftypanda:7643b28,
author = {NTT Security},
title = {{CraftyPanda 標的型攻撃解析レポート}},
date = {2020-07-28},
organization = {NTT},
url = {https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report},
language = {Japanese},
urldate = {2020-07-30}
}
CraftyPanda 標的型攻撃解析レポート
Ghost RAT PlugX |
2020-07-26 ⋅ Shells.System blog ⋅ Askar
@online{askar:20200726:inmemory:5556cad,
author = {Askar},
title = {{In-Memory shellcode decoding to evade AVs/EDRs}},
date = {2020-07-26},
organization = {Shells.System blog},
url = {https://shells.systems/in-memory-shellcode-decoding-to-evade-avs/},
language = {English},
urldate = {2020-07-30}
}
In-Memory shellcode decoding to evade AVs/EDRs
Cobalt Strike |
2020-07-22 ⋅ On the Hunt ⋅ Newton Paul
@online{paul:20200722:analysing:2de83d7,
author = {Newton Paul},
title = {{Analysing Fileless Malware: Cobalt Strike Beacon}},
date = {2020-07-22},
organization = {On the Hunt},
url = {https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/},
language = {English},
urldate = {2020-07-24}
}
Analysing Fileless Malware: Cobalt Strike Beacon
Cobalt Strike |
2020-07-21 ⋅ Malwarebytes ⋅ Hossein Jazi, Jérôme Segura
@online{jazi:20200721:chinese:da6a239,
author = {Hossein Jazi and Jérôme Segura},
title = {{Chinese APT group targets India and Hong Kong using new variant of MgBot malware}},
date = {2020-07-21},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/},
language = {English},
urldate = {2020-07-22}
}
Chinese APT group targets India and Hong Kong using new variant of MgBot malware
KSREMOTE Cobalt Strike MgBot |
2020-07-20 ⋅ Dr.Web ⋅ Dr.Web
@techreport{drweb:20200720:study:442ba99,
author = {Dr.Web},
title = {{Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan}},
date = {2020-07-20},
institution = {Dr.Web},
url = {https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf},
language = {English},
urldate = {2020-10-02}
}
Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan
Microcin Mirage PlugX WhiteBird |
2020-07-20 ⋅ Risky.biz ⋅ Daniel Gordon
@online{gordon:20200720:what:b88e81f,
author = {Daniel Gordon},
title = {{What even is Winnti?}},
date = {2020-07-20},
organization = {Risky.biz},
url = {https://risky.biz/whatiswinnti/},
language = {English},
urldate = {2020-08-18}
}
What even is Winnti?
CCleaner Backdoor Ghost RAT PlugX ZXShell |
2020-07-15 ⋅ ZDNet ⋅ Catalin Cimpanu
@online{cimpanu:20200715:chinese:0ff06bd,
author = {Catalin Cimpanu},
title = {{Chinese state hackers target Hong Kong Catholic Church}},
date = {2020-07-15},
organization = {ZDNet},
url = {https://www.zdnet.com/article/chinese-state-hackers-target-hong-kong-catholic-church/},
language = {English},
urldate = {2020-07-30}
}
Chinese state hackers target Hong Kong Catholic Church
PlugX |
2020-07-14 ⋅ CrowdStrike ⋅ Falcon OverWatch Team
@online{team:20200714:manufacturing:3e552ec,
author = {Falcon OverWatch Team},
title = {{Manufacturing Industry in the Adversaries’ Crosshairs}},
date = {2020-07-14},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/},
language = {English},
urldate = {2020-07-23}
}
Manufacturing Industry in the Adversaries’ Crosshairs
ShadowPad Snake Ransomware |
2020-07-07 ⋅ MWLab ⋅ Ladislav Bačo
@online{bao:20200707:cobalt:cf80aa8,
author = {Ladislav Bačo},
title = {{Cobalt Strike stagers used by FIN6}},
date = {2020-07-07},
organization = {MWLab},
url = {https://malwarelab.eu/posts/fin6-cobalt-strike/},
language = {English},
urldate = {2020-07-11}
}
Cobalt Strike stagers used by FIN6
Cobalt Strike |
2020-06-23 ⋅ NCC Group ⋅ Nikolaos Pantazopoulos, Stefano Antenucci, Michael Sandee
@online{pantazopoulos:20200623:wastedlocker:112d6b3,
author = {Nikolaos Pantazopoulos and Stefano Antenucci and Michael Sandee},
title = {{WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group}},
date = {2020-06-23},
organization = {NCC Group},
url = {https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/},
language = {English},
urldate = {2020-06-23}
}
WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
Cobalt Strike ISFB WastedLocker |
2020-06-23 ⋅ Symantec ⋅ Critical Attack Discovery and Intelligence Team
@online{team:20200623:sodinokibi:7eff193,
author = {Critical Attack Discovery and Intelligence Team},
title = {{Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike}},
date = {2020-06-23},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos},
language = {English},
urldate = {2020-06-23}
}
Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike
Cobalt Strike REvil |
2020-06-22 ⋅ Talos Intelligence ⋅ Asheer Malhotra
@online{malhotra:20200622:indigodrop:6d5e7e1,
author = {Asheer Malhotra},
title = {{IndigoDrop spreads via military-themed lures to deliver Cobalt Strike}},
date = {2020-06-22},
organization = {Talos Intelligence},
url = {https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html},
language = {English},
urldate = {2020-06-24}
}
IndigoDrop spreads via military-themed lures to deliver Cobalt Strike
Cobalt Strike IndigoDrop |
2020-06-22 ⋅ Sentinel LABS ⋅ Joshua Platt, Jason Reaves
@online{platt:20200622:inside:b381dd5,
author = {Joshua Platt and Jason Reaves},
title = {{Inside a TrickBot Cobalt Strike Attack Server}},
date = {2020-06-22},
organization = {Sentinel LABS},
url = {https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/},
language = {English},
urldate = {2020-06-23}
}
Inside a TrickBot Cobalt Strike Attack Server
Cobalt Strike TrickBot |
2020-06-19 ⋅ Zscaler ⋅ Atinderpal Singh, Nirmal Singh, Sahil Antil
@online{singh:20200619:targeted:05d8d31,
author = {Atinderpal Singh and Nirmal Singh and Sahil Antil},
title = {{Targeted Attack Leverages India-China Border Dispute to Lure Victims}},
date = {2020-06-19},
organization = {Zscaler},
url = {https://www.zscaler.com/blogs/research/targeted-attack-leverages-india-china-border-dispute-lure-victims},
language = {English},
urldate = {2020-06-21}
}
Targeted Attack Leverages India-China Border Dispute to Lure Victims
Cobalt Strike |
2020-06-19 ⋅ Youtube (Raphael Mudge) ⋅ Raphael Mudge
@online{mudge:20200619:beacon:bc8ae77,
author = {Raphael Mudge},
title = {{Beacon Object Files - Luser Demo}},
date = {2020-06-19},
organization = {Youtube (Raphael Mudge)},
url = {https://www.youtube.com/watch?v=gfYswA_Ronw},
language = {English},
urldate = {2020-06-23}
}
Beacon Object Files - Luser Demo
Cobalt Strike |
2020-06-18 ⋅ Australian Cyber Security Centre ⋅ Australian Cyber Security Centre (ACSC)
@techreport{acsc:20200618:advisory:ed0f53c,
author = {Australian Cyber Security Centre (ACSC)},
title = {{Advisory 2020-008: Copy-Paste Compromises –tactics, techniques and procedures used to target multiple Australian networks}},
date = {2020-06-18},
institution = {Australian Cyber Security Centre},
url = {https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf},
language = {English},
urldate = {2020-06-19}
}
Advisory 2020-008: Copy-Paste Compromises –tactics, techniques and procedures used to target multiple Australian networks
TwoFace Cobalt Strike Empire Downloader |
2020-06-17 ⋅ Malwarebytes ⋅ Hossein Jazi, Jérôme Segura
@online{jazi:20200617:multistage:6358f3f,
author = {Hossein Jazi and Jérôme Segura},
title = {{Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature}},
date = {2020-06-17},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature/},
language = {English},
urldate = {2020-06-19}
}
Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature
Cobalt Strike |
2020-06-16 ⋅ Intezer ⋅ Aviygayil Mechtinger
@online{mechtinger:20200616:elf:7057d58,
author = {Aviygayil Mechtinger},
title = {{ELF Malware Analysis 101: Linux Threats No Longer an Afterthought}},
date = {2020-06-16},
organization = {Intezer},
url = {https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought},
language = {English},
urldate = {2020-06-16}
}
ELF Malware Analysis 101: Linux Threats No Longer an Afterthought
Cloud Snooper Dacls EvilGnome HiddenWasp MESSAGETAP NOTROBIN QNAPCrypt Winnti |
2020-06-15 ⋅ NCC Group ⋅ Exploit Development Group
@online{group:20200615:striking:8fdf4bb,
author = {Exploit Development Group},
title = {{Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability}},
date = {2020-06-15},
organization = {NCC Group},
url = {https://research.nccgroup.com/2020/06/15/striking-back-at-retired-cobalt-strike-a-look-at-a-legacy-vulnerability/},
language = {English},
urldate = {2020-06-16}
}
Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability
Cobalt Strike |
2020-06-09 ⋅ Github (Sentinel-One) ⋅ Gal Kristal
@online{kristal:20200609:cobaltstrikeparser:a023ac8,
author = {Gal Kristal},
title = {{CobaltStrikeParser}},
date = {2020-06-09},
organization = {Github (Sentinel-One)},
url = {https://github.com/Sentinel-One/CobaltStrikeParser/blob/master/parse_beacon_config.py},
language = {English},
urldate = {2020-09-15}
}
CobaltStrikeParser
Cobalt Strike |
2020-06-03 ⋅ Kaspersky Labs ⋅ GReAT, Mark Lechtik, Giampaolo Dedola
@online{great:20200603:cycldek:ed9a830,
author = {GReAT and Mark Lechtik and Giampaolo Dedola},
title = {{Cycldek: Bridging the (air) gap}},
date = {2020-06-03},
organization = {Kaspersky Labs},
url = {https://securelist.com/cycldek-bridging-the-air-gap/97157/},
language = {English},
urldate = {2020-06-03}
}
Cycldek: Bridging the (air) gap
8.t Dropper NewCore RAT PlugX USBCulprit Hellsing |
2020-06-02 ⋅ Lab52 ⋅ Jagaimo Kawaii
@online{kawaii:20200602:mustang:2cf125a,
author = {Jagaimo Kawaii},
title = {{Mustang Panda Recent Activity: Dll-Sideloading trojans with temporal C2 servers}},
date = {2020-06-02},
organization = {Lab52},
url = {https://lab52.io/blog/mustang-panda-recent-activity-dll-sideloading-trojans-with-temporal-c2-servers/},
language = {English},
urldate = {2020-06-03}
}
Mustang Panda Recent Activity: Dll-Sideloading trojans with temporal C2 servers
PlugX |
2020-05-21 ⋅ ESET Research ⋅ Mathieu Tartare, Martin Smolár
@online{tartare:20200521:no:016fc6c,
author = {Mathieu Tartare and Martin Smolár},
title = {{No “Game over” for the Winnti Group}},
date = {2020-05-21},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/},
language = {English},
urldate = {2020-05-23}
}
No “Game over” for the Winnti Group
ACEHASH HTran MimiKatz |
2020-05-15 ⋅ Twitter (@stvemillertime) ⋅ Steve Miller
@online{miller:20200515:sogu:cc5a1fc,
author = {Steve Miller},
title = {{Tweet on SOGU development timeline, including TIGERPLUG IOCs}},
date = {2020-05-15},
organization = {Twitter (@stvemillertime)},
url = {https://twitter.com/stvemillertime/status/1261263000960450562},
language = {English},
urldate = {2020-05-18}
}
Tweet on SOGU development timeline, including TIGERPLUG IOCs
PlugX |
2020-05-14 ⋅ Lab52 ⋅ Dex
@online{dex:20200514:energy:43e92b4,
author = {Dex},
title = {{The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey}},
date = {2020-05-14},
organization = {Lab52},
url = {https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/},
language = {English},
urldate = {2020-06-10}
}
The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey
Cobalt Strike HTran MimiKatz PlugX Quasar RAT |
2020-05-11 ⋅ SentinelOne ⋅ Gal Kristal
@online{kristal:20200511:anatomy:4ece947,
author = {Gal Kristal},
title = {{The Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration}},
date = {2020-05-11},
organization = {SentinelOne},
url = {https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/},
language = {English},
urldate = {2020-05-13}
}
The Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration
Cobalt Strike |
2020-05-01 ⋅ Viettel Cybersecurity ⋅ Cyberthreat
@online{cyberthreat:20200501:chin:3a4fb89,
author = {Cyberthreat},
title = {{Chiến dịch của nhóm APT Trung Quốc Goblin Panda tấn công vào Việt Nam lợi dụng đại dịch Covid-19 (phần 1)}},
date = {2020-05-01},
organization = {Viettel Cybersecurity},
url = {https://blog.viettelcybersecurity.com/p1-chien-dich-cua-nhom-apt-trung-quoc-goblin-panda-tan-cong-vao-viet-nam-loi-dung-dai-dich-covid-19/},
language = {Vietnamese},
urldate = {2020-09-09}
}
Chiến dịch của nhóm APT Trung Quốc Goblin Panda tấn công vào Việt Nam lợi dụng đại dịch Covid-19 (phần 1)
NewCore RAT PlugX |
2020-04-24 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20200424:ursnif:e983798,
author = {The DFIR Report},
title = {{Ursnif via LOLbins}},
date = {2020-04-24},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/},
language = {English},
urldate = {2020-05-15}
}
Ursnif via LOLbins
Cobalt Strike LOLSnif |
2020-04-20 ⋅ QuoScient ⋅ QuoIntelligence
@online{quointelligence:20200420:winnti:6a4fb66,
author = {QuoIntelligence},
title = {{WINNTI GROUP: Insights From the Past}},
date = {2020-04-20},
organization = {QuoScient},
url = {https://quointelligence.eu/2020/04/winnti-group-insights-from-the-past/},
language = {English},
urldate = {2020-04-21}
}
WINNTI GROUP: Insights From the Past
Winnti |
2020-04-16 ⋅ Medium CyCraft ⋅ CyCraft Technology Corp
@online{corp:20200416:taiwan:3029f53,
author = {CyCraft Technology Corp},
title = {{Taiwan High-Tech Ecosystem Targeted by Foreign APT Group: Digital Skeleton Key Bypasses Security Measures}},
date = {2020-04-16},
organization = {Medium CyCraft},
url = {https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730},
language = {English},
urldate = {2020-11-04}
}
Taiwan High-Tech Ecosystem Targeted by Foreign APT Group: Digital Skeleton Key Bypasses Security Measures
Cobalt Strike MimiKatz Operation Skeleton Key |
2020-04-13 ⋅ Palo Alto Networks Unit 42 ⋅ Bryan Lee, Robert Falcone, Jen Miller-Osborn
@online{lee:20200413:apt41:fdd4c46,
author = {Bryan Lee and Robert Falcone and Jen Miller-Osborn},
title = {{APT41 Using New Speculoos Backdoor to Target Organizations Globally}},
date = {2020-04-13},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/},
language = {English},
urldate = {2020-04-14}
}
APT41 Using New Speculoos Backdoor to Target Organizations Globally
Speculoos APT41 |
2020-04-07 ⋅ Blackberry ⋅ Blackberry Research
@techreport{research:20200407:decade:6441e18,
author = {Blackberry Research},
title = {{Decade of the RATS: Cross-Platform APT Espionage Attacks Targeting Linux, Windows and Android}},
date = {2020-04-07},
institution = {Blackberry},
url = {https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf},
language = {English},
urldate = {2020-08-10}
}
Decade of the RATS: Cross-Platform APT Espionage Attacks Targeting Linux, Windows and Android
Penquin Turla XOR DDoS ZXShell |
2020-04-02 ⋅ Darktrace ⋅ Max Heinemeyer
@online{heinemeyer:20200402:catching:b7f137d,
author = {Max Heinemeyer},
title = {{Catching APT41 exploiting a zero-day vulnerability}},
date = {2020-04-02},
organization = {Darktrace},
url = {https://www.darktrace.com/en/blog/catching-apt-41-exploiting-a-zero-day-vulnerability/},
language = {English},
urldate = {2020-04-13}
}
Catching APT41 exploiting a zero-day vulnerability
Cobalt Strike |
2020-03-26 ⋅ VMWare Carbon Black ⋅ Scott Knight
@online{knight:20200326:dukes:df85f94,
author = {Scott Knight},
title = {{The Dukes of Moscow}},
date = {2020-03-26},
organization = {VMWare Carbon Black},
url = {https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/},
language = {English},
urldate = {2020-05-18}
}
The Dukes of Moscow
Cobalt Strike LiteDuke MiniDuke OnionDuke PolyglotDuke PowerDuke |
2020-03-25 ⋅ Wilbur Security ⋅ JW
@online{jw:20200325:trickbot:17b0dc3,
author = {JW},
title = {{Trickbot to Ryuk in Two Hours}},
date = {2020-03-25},
organization = {Wilbur Security},
url = {https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/},
language = {English},
urldate = {2020-03-26}
}
Trickbot to Ryuk in Two Hours
Cobalt Strike Ryuk TrickBot |
2020-03-25 ⋅ FireEye ⋅ Christopher Glyer, Dan Perez, Sarah Jones, Steve Miller
@online{glyer:20200325:this:0bc322f,
author = {Christopher Glyer and Dan Perez and Sarah Jones and Steve Miller},
title = {{This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits}},
date = {2020-03-25},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html},
language = {English},
urldate = {2020-04-14}
}
This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits
Speculoos Cobalt Strike |
2020-03-22 ⋅ Malware and Stuff ⋅ Andreas Klopsch
@online{klopsch:20200322:mustang:56f3768,
author = {Andreas Klopsch},
title = {{Mustang Panda joins the COVID-19 bandwagon}},
date = {2020-03-22},
organization = {Malware and Stuff},
url = {https://malwareandstuff.com/mustang-panda-joins-the-covid19-bandwagon/},
language = {English},
urldate = {2020-03-27}
}
Mustang Panda joins the COVID-19 bandwagon
Cobalt Strike |
2020-03-20 ⋅ RECON INFOSEC ⋅ Luke Rusten
@online{rusten:20200320:analysis:f82a963,
author = {Luke Rusten},
title = {{Analysis Of Exploitation: CVE-2020-10189 ( exploited by APT41)}},
date = {2020-03-20},
organization = {RECON INFOSEC},
url = {https://blog.reconinfosec.com/analysis-of-exploitation-cve-2020-10189/},
language = {English},
urldate = {2020-06-22}
}
Analysis Of Exploitation: CVE-2020-10189 ( exploited by APT41)
Cobalt Strike |
2020-03-19 ⋅ VinCSS ⋅ m4n0w4r
@online{m4n0w4r:20200319:phn:461fca7,
author = {m4n0w4r},
title = {{Phân tích mã độc lợi dụng dịch Covid-19 để phát tán giả mạo “Chỉ thị của thủ tướng Nguyễn Xuân Phúc” - Phần 2}},
date = {2020-03-19},
organization = {VinCSS},
url = {https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc-phan2.html},
language = {Vietnamese},
urldate = {2020-03-19}
}
Phân tích mã độc lợi dụng dịch Covid-19 để phát tán giả mạo “Chỉ thị của thủ tướng Nguyễn Xuân Phúc” - Phần 2
PlugX |
2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f,
author = {CrowdStrike},
title = {{2020 CrowdStrike Global Threat Report}},
date = {2020-03-04},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf},
language = {English},
urldate = {2020-07-24}
}
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER |
2020-03-04 ⋅ Cobalt Strike ⋅ Raphael Mudge
@online{mudge:20200304:cobalt:176b61e,
author = {Raphael Mudge},
title = {{Cobalt Strike joins Core Impact at HelpSystems, LLC}},
date = {2020-03-04},
organization = {Cobalt Strike},
url = {https://blog.cobaltstrike.com/2020/03/04/cobalt-strike-joins-core-impact-at-helpsystems-llc/},
language = {English},
urldate = {2020-03-04}
}
Cobalt Strike joins Core Impact at HelpSystems, LLC
Cobalt Strike |
2020-03-03 ⋅ GIthub (superkhung) ⋅ superkhung
@online{superkhung:20200303:github:8ea37ed,
author = {superkhung},
title = {{GitHub Repository: winnti-sniff}},
date = {2020-03-03},
organization = {GIthub (superkhung)},
url = {https://github.com/superkhung/winnti-sniff},
language = {English},
urldate = {2020-03-04}
}
GitHub Repository: winnti-sniff
Winnti |
2020-03-03 ⋅ PWC UK ⋅ PWC UK
@techreport{uk:20200303:cyber:1f1eef0,
author = {PWC UK},
title = {{Cyber Threats 2019:A Year in Retrospect}},
date = {2020-03-03},
institution = {PWC UK},
url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf},
language = {English},
urldate = {2020-03-03}
}
Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom |
2020-03-02 ⋅ Virus Bulletin ⋅ Alex Hinchliffe
@online{hinchliffe:20200302:pulling:35771e7,
author = {Alex Hinchliffe},
title = {{Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary}},
date = {2020-03-02},
organization = {Virus Bulletin},
url = {https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/},
language = {English},
urldate = {2020-03-02}
}
Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary
HenBox Farseer PlugX Poison Ivy |
2020-02-21 ⋅ ADEO DFIR ⋅ ADEO DFIR
@techreport{dfir:20200221:apt10:e9c3328,
author = {ADEO DFIR},
title = {{APT10 Threat Analysis Report}},
date = {2020-02-21},
institution = {ADEO DFIR},
url = {https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf},
language = {English},
urldate = {2020-03-03}
}
APT10 Threat Analysis Report
CHINACHOPPER HTran MimiKatz PlugX Quasar RAT |
2020-02-20 ⋅ Carbon Black ⋅ Takahiro Haruyama
@online{haruyama:20200220:threat:aa4ef11,
author = {Takahiro Haruyama},
title = {{Threat Analysis: Active C2 Discovery Using Protocol Emulation Part2 (Winnti 4.0)}},
date = {2020-02-20},
organization = {Carbon Black},
url = {https://www.carbonblack.com/2020/02/20/threat-analysis-active-c2-discovery-using-protocol-emulation-part2-winnti-4-0/},
language = {English},
urldate = {2020-02-21}
}
Threat Analysis: Active C2 Discovery Using Protocol Emulation Part2 (Winnti 4.0)
Winnti |
2020-02-19 ⋅ FireEye ⋅ FireEye
@online{fireeye:20200219:mtrends:193613a,
author = {FireEye},
title = {{M-Trends 2020}},
date = {2020-02-19},
organization = {FireEye},
url = {https://content.fireeye.com/m-trends/rpt-m-trends-2020},
language = {English},
urldate = {2020-02-20}
}
M-Trends 2020
Cobalt Strike Grateful POS LockerGoga QakBot TrickBot |
2020-02-18 ⋅ Trend Micro ⋅ Daniel Lunghi, Cedric Pernet, Kenney Lu, Jamz Yaneza
@online{lunghi:20200218:uncovering:93b0937,
author = {Daniel Lunghi and Cedric Pernet and Kenney Lu and Jamz Yaneza},
title = {{Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations}},
date = {2020-02-18},
organization = {Trend Micro},
url = {https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia},
language = {English},
urldate = {2020-02-20}
}
Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations
Cobalt Strike HyperBro PlugX Trochilus RAT |
2020-02-18 ⋅ Cisco Talos ⋅ Vanja Svajcer
@online{svajcer:20200218:building:0a80664,
author = {Vanja Svajcer},
title = {{Building a bypass with MSBuild}},
date = {2020-02-18},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html},
language = {English},
urldate = {2020-02-20}
}
Building a bypass with MSBuild
Cobalt Strike GRUNT MimiKatz |
2020-02-17 ⋅ Talent-Jump Technologies ⋅ Theo Chen, Zero Chen
@online{chen:20200217:clambling:1a0bb8e,
author = {Theo Chen and Zero Chen},
title = {{CLAMBLING - A New Backdoor Base On Dropbox}},
date = {2020-02-17},
organization = {Talent-Jump Technologies},
url = {http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/},
language = {English},
urldate = {2020-03-30}
}
CLAMBLING - A New Backdoor Base On Dropbox
HyperBro PlugX |
2020-02-13 ⋅ Qianxin ⋅ Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333,
author = {Qi Anxin Threat Intelligence Center},
title = {{APT Report 2019}},
date = {2020-02-13},
institution = {Qianxin},
url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf},
language = {English},
urldate = {2020-02-27}
}
APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy |
2020-01-31 ⋅ ESET Research ⋅ Mathieu Tartare
@online{tartare:20200131:winnti:9f891e4,
author = {Mathieu Tartare},
title = {{Winnti Group targeting universities in Hong Kong}},
date = {2020-01-31},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/},
language = {English},
urldate = {2020-02-03}
}
Winnti Group targeting universities in Hong Kong
ShadowPad Winnti |
2020-01-31 ⋅ Avira ⋅ Shahab Hamzeloofard
@online{hamzeloofard:20200131:new:5d058ea,
author = {Shahab Hamzeloofard},
title = {{New wave of PlugX targets Hong Kong}},
date = {2020-01-31},
organization = {Avira},
url = {https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/},
language = {English},
urldate = {2020-02-10}
}
New wave of PlugX targets Hong Kong
PlugX |
2020-01-31 ⋅ Tagesschau ⋅ Jan Lukas Strozyk
@online{strozyk:20200131:deutsches:d0a9221,
author = {Jan Lukas Strozyk},
title = {{Deutsches Chemieunternehmen gehackt}},
date = {2020-01-31},
organization = {Tagesschau},
url = {https://www.tagesschau.de/investigativ/ndr/hackerangriff-chemieunternehmen-101.html},
language = {German},
urldate = {2020-02-03}
}
Deutsches Chemieunternehmen gehackt
Winnti |
2020-01-29 ⋅ nao_sec blog ⋅ nao_sec
@online{naosec:20200129:overhead:ec0aeb5,
author = {nao_sec},
title = {{An Overhead View of the Royal Road}},
date = {2020-01-29},
organization = {nao_sec blog},
url = {https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html},
language = {English},
urldate = {2020-02-03}
}
An Overhead View of the Royal Road
BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader |
2020-01-13 ⋅ Lab52 ⋅ Jagaimo Kawaii
@online{kawaii:20200113:apt27:4c2f818,
author = {Jagaimo Kawaii},
title = {{APT27 ZxShell RootKit module updates}},
date = {2020-01-13},
organization = {Lab52},
url = {https://lab52.io/blog/apt27-rootkit-updates/},
language = {English},
urldate = {2020-01-13}
}
APT27 ZxShell RootKit module updates
ZXShell |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:65ecf8a,
author = {SecureWorks},
title = {{BRONZE KEYSTONE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-keystone},
language = {English},
urldate = {2020-05-23}
}
BRONZE KEYSTONE
9002 RAT BLACKCOFFEE DeputyDog Derusbi HiKit PlugX Poison Ivy ZXShell Aurora Panda |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:gold:983570b,
author = {SecureWorks},
title = {{GOLD KINGSWOOD}},
date = {2020},
organization = {Secureworks},
url = {http://www.secureworks.com/research/threat-profiles/gold-kingswood},
language = {English},
urldate = {2020-05-23}
}
GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz Cobalt |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:gold:1892bc8,
author = {SecureWorks},
title = {{GOLD KINGSWOOD}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/gold-kingswood},
language = {English},
urldate = {2020-05-23}
}
GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:gold:97e5784,
author = {SecureWorks},
title = {{GOLD NIAGARA}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/gold-niagara},
language = {English},
urldate = {2020-05-23}
}
GOLD NIAGARA
Bateleur Griffon Carbanak Cobalt Strike DRIFTPIN TinyMet Anunak |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:66f1290,
author = {SecureWorks},
title = {{BRONZE RIVERSIDE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-riverside},
language = {English},
urldate = {2020-05-23}
}
BRONZE RIVERSIDE
Anel ChChes Cobalt Strike PlugX Poison Ivy Quasar RAT RedLeaves Stone Panda |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:472aea8,
author = {SecureWorks},
title = {{BRONZE OLIVE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-olive},
language = {English},
urldate = {2020-05-23}
}
BRONZE OLIVE
ANGRYREBEL PlugX APT 22 |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:tin:ccd6795,
author = {SecureWorks},
title = {{TIN WOODLAWN}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/tin-woodlawn},
language = {English},
urldate = {2020-05-23}
}
TIN WOODLAWN
Cobalt Strike KerrDown MimiKatz PHOREAL RatSnif Remy SOUNDBITE APT32 |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:972c13a,
author = {SecureWorks},
title = {{BRONZE FIRESTONE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-firestone},
language = {English},
urldate = {2020-05-23}
}
BRONZE FIRESTONE
9002 RAT Derusbi Empire Downloader PlugX Poison Ivy Shell Crew |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:79d8dd2,
author = {SecureWorks},
title = {{BRONZE OVERBROOK}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-overbrook},
language = {English},
urldate = {2020-05-23}
}
BRONZE OVERBROOK
Aveo DDKONG IsSpace PLAINTEE PlugX Rambo DragonOK |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:e8ad4fb,
author = {SecureWorks},
title = {{BRONZE MOHAWK}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-mohawk},
language = {English},
urldate = {2020-05-23}
}
BRONZE MOHAWK
AIRBREAK scanbox BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi homefry murkytop SeDll Leviathan |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:fcb04ab,
author = {SecureWorks},
title = {{BRONZE EXPRESS}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-express},
language = {English},
urldate = {2020-05-23}
}
BRONZE EXPRESS
9002 RAT CHINACHOPPER IsSpace NewCT PlugX smac APT 26 |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:4db27ec,
author = {SecureWorks},
title = {{BRONZE UNION}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-union},
language = {English},
urldate = {2020-05-23}
}
BRONZE UNION
9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell LuckyMouse |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:d70008e,
author = {SecureWorks},
title = {{BRONZE EXPORT}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-export},
language = {English},
urldate = {2020-05-23}
}
BRONZE EXPORT
Axiom |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:4118462,
author = {SecureWorks},
title = {{BRONZE ATLAS}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-atlas},
language = {English},
urldate = {2020-05-23}
}
BRONZE ATLAS
Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti Axiom |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:f48e53c,
author = {SecureWorks},
title = {{BRONZE WOODLAND}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-woodland},
language = {English},
urldate = {2020-05-23}
}
BRONZE WOODLAND
PlugX Zeus Roaming Tiger |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:1a5bdbb,
author = {SecureWorks},
title = {{BRONZE PRESIDENT}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-president},
language = {English},
urldate = {2020-05-23}
}
BRONZE PRESIDENT
CHINACHOPPER Cobalt Strike PlugX Mustang Panda |
2020-01 ⋅ Dragos ⋅ Joe Slowik
@techreport{slowik:202001:threat:d891011,
author = {Joe Slowik},
title = {{Threat Intelligence and the Limits of Malware Analysis}},
date = {2020-01},
institution = {Dragos},
url = {https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf},
language = {English},
urldate = {2020-06-10}
}
Threat Intelligence and the Limits of Malware Analysis
Exaramel Exaramel Industroyer Lookback NjRAT PlugX |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:gold:8050e44,
author = {SecureWorks},
title = {{GOLD DUPONT}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/gold-dupont},
language = {English},
urldate = {2020-05-23}
}
GOLD DUPONT
Cobalt Strike Defray PyXie |
2019-12-29 ⋅ Secureworks ⋅ CTU Research Team
@online{team:20191229:bronze:bda6bfc,
author = {CTU Research Team},
title = {{BRONZE PRESIDENT Targets NGOs}},
date = {2019-12-29},
organization = {Secureworks},
url = {https://www.secureworks.com/research/bronze-president-targets-ngos},
language = {English},
urldate = {2020-01-10}
}
BRONZE PRESIDENT Targets NGOs
PlugX BRONZE PRESIDENT |
2019-12-17 ⋅ Palo Alto Networks Unit 42 ⋅ Jen Miller-Osborn, Mike Harbison
@online{millerosborn:20191217:rancor:998fe1c,
author = {Jen Miller-Osborn and Mike Harbison},
title = {{Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia}},
date = {2019-12-17},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/},
language = {English},
urldate = {2020-01-08}
}
Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia
DDKONG Derusbi KHRAT |
2019-12-12 ⋅ FireEye ⋅ Chi-en Shen, Oleg Bondarenko
@online{shen:20191212:cyber:e01baca,
author = {Chi-en Shen and Oleg Bondarenko},
title = {{Cyber Threat Landscape in Japan – Revealing Threat in the Shadow}},
date = {2019-12-12},
organization = {FireEye},
url = {https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko},
language = {English},
urldate = {2020-04-16}
}
Cyber Threat Landscape in Japan – Revealing Threat in the Shadow
Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech |
2019-12-05 ⋅ Github (blackorbird) ⋅ blackorbird
@techreport{blackorbird:20191205:apt32:0afe4e7,
author = {blackorbird},
title = {{APT32 Report}},
date = {2019-12-05},
institution = {Github (blackorbird)},
url = {https://github.com/blackorbird/APT_REPORT/blob/master/Oceanlotus/apt32_report_2019.pdf},
language = {Japanese},
urldate = {2020-01-10}
}
APT32 Report
Cobalt Strike |
2019-12-05 ⋅ Raphael Mudge
@online{mudge:20191205:cobalt:219044e,
author = {Raphael Mudge},
title = {{Cobalt Strike 4.0 – Bring Your Own Weaponization}},
date = {2019-12-05},
url = {https://blog.cobaltstrike.com/},
language = {English},
urldate = {2019-12-06}
}
Cobalt Strike 4.0 – Bring Your Own Weaponization
Cobalt Strike |
2019-11-29 ⋅ Deloitte ⋅ Thomas Thomasen
@techreport{thomasen:20191129:cyber:1aae987,
author = {Thomas Thomasen},
title = {{Cyber Threat Intelligence & Incident Response}},
date = {2019-11-29},
institution = {Deloitte},
url = {https://www2.deloitte.com/content/dam/Deloitte/dk/Documents/Grabngo/Aarhus_miniseminar_291118.pdf},
language = {English},
urldate = {2020-03-04}
}
Cyber Threat Intelligence & Incident Response
Cobalt Strike |
2019-11-16 ⋅ Silas Cutler's Blog ⋅ Silas Cutler
@online{cutler:20191116:fresh:871567d,
author = {Silas Cutler},
title = {{Fresh PlugX October 2019}},
date = {2019-11-16},
organization = {Silas Cutler's Blog},
url = {https://silascutler.blogspot.com/2019/11/fresh-plugx-october-2019.html},
language = {English},
urldate = {2020-01-07}
}
Fresh PlugX October 2019
PlugX |
2019-11-11 ⋅ Virus Bulletin ⋅ Shusei Tomonaga, Tomoaki Tani, Hiroshi Soeda, Wataru Takahashi
@online{tomonaga:20191111:cases:ac5f1b3,
author = {Shusei Tomonaga and Tomoaki Tani and Hiroshi Soeda and Wataru Takahashi},
title = {{APT cases exploiting vulnerabilities in region‑specific software}},
date = {2019-11-11},
organization = {Virus Bulletin},
url = {https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/},
language = {English},
urldate = {2020-05-13}
}
APT cases exploiting vulnerabilities in region‑specific software
NodeRAT Emdivi PlugX |
2019-11-05 ⋅ tccontre Blog ⋅ tccontre
@online{tccontre:20191105:cobaltstrike:02e37af,
author = {tccontre},
title = {{CobaltStrike - beacon.dll : Your No Ordinary MZ Header}},
date = {2019-11-05},
organization = {tccontre Blog},
url = {https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html},
language = {English},
urldate = {2019-12-17}
}
CobaltStrike - beacon.dll : Your No Ordinary MZ Header
Cobalt Strike |
2019-10-31 ⋅ FireEye ⋅ Raymond Leong, Dan Perez, Tyler Dean
@online{leong:20191031:messagetap:823e994,
author = {Raymond Leong and Dan Perez and Tyler Dean},
title = {{MESSAGETAP: Who’s Reading Your Text Messages?}},
date = {2019-10-31},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html},
language = {English},
urldate = {2019-12-18}
}
MESSAGETAP: Who’s Reading Your Text Messages?
MESSAGETAP |
2019-10-31 ⋅ PTSecurity ⋅ PTSecurity
@online{ptsecurity:20191031:calypso:adaf761,
author = {PTSecurity},
title = {{Calypso APT: new group attacking state institutions}},
date = {2019-10-31},
organization = {PTSecurity},
url = {https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/},
language = {English},
urldate = {2020-01-12}
}
Calypso APT: new group attacking state institutions
BYEBY FlyingDutchman Hussar PlugX |
2019-10-21 ⋅ ESET Research ⋅ Mathieu Tartare
@online{tartare:20191021:winnti:eb2c722,
author = {Mathieu Tartare},
title = {{Winnti Group’s skip‑2.0: A Microsoft SQL Server backdoor}},
date = {2019-10-21},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2019/10/21/winnti-group-skip2-0-microsoft-sql-server-backdoor/},
language = {English},
urldate = {2019-11-14}
}
Winnti Group’s skip‑2.0: A Microsoft SQL Server backdoor
LOWKEY skip-2.0 |
2019-10-15 ⋅ FireEye ⋅ Tobias Krueger
@online{krueger:20191015:lowkey:aab2f5e,
author = {Tobias Krueger},
title = {{LOWKEY: Hunting for the Missing Volume Serial ID}},
date = {2019-10-15},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html},
language = {English},
urldate = {2019-12-10}
}
LOWKEY: Hunting for the Missing Volume Serial ID
LOWKEY poisonplug |
2019-10-07 ⋅ ESET Research ⋅ Marc-Etienne M.Léveillé, Mathieu Tartare
@techreport{mlveill:20191007:connecting:e59d4c8,
author = {Marc-Etienne M.Léveillé and Mathieu Tartare},
title = {{CONNECTING THE DOTS: Exposing the arsenal and methods of the Winnti Group}},
date = {2019-10-07},
institution = {ESET Research},
url = {https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf},
language = {English},
urldate = {2020-01-10}
}
CONNECTING THE DOTS: Exposing the arsenal and methods of the Winnti Group
LOWKEY shadowhammer ShadowPad |
2019-10-03 ⋅ Palo Alto Networks Unit 42 ⋅ Alex Hinchliffe
@online{hinchliffe:20191003:pkplug:4a43ea5,
author = {Alex Hinchliffe},
title = {{PKPLUG: Chinese Cyber Espionage Group Attacking Asia}},
date = {2019-10-03},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/},
language = {English},
urldate = {2020-01-07}
}
PKPLUG: Chinese Cyber Espionage Group Attacking Asia
HenBox Farseer PlugX |
2019-09-30 ⋅ vmware ⋅ Scott Knight
@online{knight:20190930:cb:a21cf30,
author = {Scott Knight},
title = {{CB Threat Analysis Unit: Technical Analysis of “Crosswalk”}},
date = {2019-09-30},
organization = {vmware},
url = {https://www.carbonblack.com/2019/09/30/cb-threat-analysis-unit-technical-analysis-of-crosswalk/},
language = {English},
urldate = {2020-04-21}
}
CB Threat Analysis Unit: Technical Analysis of “Crosswalk”
CROSSWALK |
2019-09-30 ⋅ Lastline ⋅ Jason Zhang, Stefano Ortolani
@online{zhang:20190930:helo:559ed11,
author = {Jason Zhang and Stefano Ortolani},
title = {{HELO Winnti: Attack or Scan?}},
date = {2019-09-30},
organization = {Lastline},
url = {https://www.lastline.com/labsblog/helo-winnti-attack-scan/},
language = {English},
urldate = {2019-10-23}
}
HELO Winnti: Attack or Scan?
Winnti |
2019-09-22 ⋅ Check Point Research ⋅ Check Point Research
@online{research:20190922:rancor:e834f67,
author = {Check Point Research},
title = {{Rancor: The Year of The Phish}},
date = {2019-09-22},
organization = {Check Point Research},
url = {https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/},
language = {English},
urldate = {2020-03-04}
}
Rancor: The Year of The Phish
8.t Dropper Cobalt Strike |
2019-09-19 ⋅ MeltX0R
@online{meltx0r:20190919:emissary:361f1fd,
author = {MeltX0R},
title = {{Emissary Panda APT: Recent infrastructure and RAT analysis}},
date = {2019-09-19},
url = {https://meltx0r.github.io/tech/2019/09/19/emissary-panda-apt.html},
language = {English},
urldate = {2020-01-09}
}
Emissary Panda APT: Recent infrastructure and RAT analysis
ZXShell |
2019-09-04 ⋅ FireEye ⋅ FireEye
@online{fireeye:20190904:apt41:b5d6780,
author = {FireEye},
title = {{APT41: Double Dragon APT41, a dual espionage and cyber crime operation}},
date = {2019-09-04},
organization = {FireEye},
url = {https://content.fireeye.com/api/pdfproxy?id=86840},
language = {English},
urldate = {2020-01-13}
}
APT41: Double Dragon APT41, a dual espionage and cyber crime operation
EASYNIGHT Winnti |
2019-09-04 ⋅ CarbonBlack ⋅ Takahiro Haruyama
@online{haruyama:20190904:cb:7c71995,
author = {Takahiro Haruyama},
title = {{CB TAU Threat Intelligence Notification: Winnti Malware 4.0}},
date = {2019-09-04},
organization = {CarbonBlack},
url = {https://www.carbonblack.com/2019/09/04/cb-tau-threat-intelligence-notification-winnti-malware-4-0/},
language = {English},
urldate = {2019-12-17}
}
CB TAU Threat Intelligence Notification: Winnti Malware 4.0
Winnti |
2019-08-27 ⋅ Cisco Talos ⋅ Paul Rascagnères, Vanja Svajcer
@online{rascagnres:20190827:china:2d2bbb8,
author = {Paul Rascagnères and Vanja Svajcer},
title = {{China Chopper still active 9 years later}},
date = {2019-08-27},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html},
language = {English},
urldate = {2019-10-14}
}
China Chopper still active 9 years later
CHINACHOPPER |
2019-08-19 ⋅ FireEye ⋅ Alex Pennino, Matt Bromiley
@online{pennino:20190819:game:b6ef5a0,
author = {Alex Pennino and Matt Bromiley},
title = {{GAME OVER: Detecting and Stopping an APT41 Operation}},
date = {2019-08-19},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html},
language = {English},
urldate = {2020-01-06}
}
GAME OVER: Detecting and Stopping an APT41 Operation
ACEHASH CHINACHOPPER HIGHNOON |
2019-08-09 ⋅ FireEye ⋅ FireEye
@online{fireeye:20190809:double:40f736e,
author = {FireEye},
title = {{Double Dragon APT41, a dual espionage and cyber crime operation}},
date = {2019-08-09},
organization = {FireEye},
url = {https://content.fireeye.com/apt-41/rpt-apt41/},
language = {English},
urldate = {2019-12-18}
}
Double Dragon APT41, a dual espionage and cyber crime operation
CLASSFON crackshot CROSSWALK GEARSHIFT HIGHNOON HIGHNOON.BIN JUMPALL poisonplug Winnti |
2019-08-08 ⋅ Twitter (@MrDanPerez) ⋅ Dan Perez
@online{perez:20190808:winnti:6c0b6b0,
author = {Dan Perez},
title = {{Tweet on Winnti and HIGHNOON}},
date = {2019-08-08},
organization = {Twitter (@MrDanPerez)},
url = {https://twitter.com/MrDanPerez/status/1159461995013378048},
language = {English},
urldate = {2020-01-13}
}
Tweet on Winnti and HIGHNOON
HIGHNOON |
2019-07-24 ⋅ Twitter (@bkMSFT) ⋅ Ben K (bkMSFT)
@online{bkmsft:20190724:apt17:8b88bcb,
author = {Ben K (bkMSFT)},
title = {{Tweet on APT17}},
date = {2019-07-24},
organization = {Twitter (@bkMSFT)},
url = {https://twitter.com/bkMSFT/status/1153994428949749761},
language = {English},
urldate = {2020-01-07}
}
Tweet on APT17
HIGHNOTE |
2019-07-24 ⋅ Bayerischer Rundfunk ⋅ Hakan Tanriverdi, Svea Eckert, Jan Strozyk, Maximilian Zierer, Rebecca Ciesielski
@online{tanriverdi:20190724:attacking:66ef327,
author = {Hakan Tanriverdi and Svea Eckert and Jan Strozyk and Maximilian Zierer and Rebecca Ciesielski},
title = {{Attacking the Heart of the German Industry}},
date = {2019-07-24},
organization = {Bayerischer Rundfunk},
url = {http://web.br.de/interaktiv/winnti/english/},
language = {English},
urldate = {2019-11-29}
}
Attacking the Heart of the German Industry
Winnti |
2019-07-24 ⋅ Github (br-data) ⋅ Hakan Tanriverdi, Svea Eckert, Jan Strozyk, Maximilian Zierer, Rebecca Ciesielski
@online{tanriverdi:20190724:winnti:25b27fb,
author = {Hakan Tanriverdi and Svea Eckert and Jan Strozyk and Maximilian Zierer and Rebecca Ciesielski},
title = {{Winnti analysis}},
date = {2019-07-24},
organization = {Github (br-data)},
url = {https://github.com/br-data/2019-winnti-analyse/},
language = {English},
urldate = {2019-12-10}
}
Winnti analysis
Winnti |
2019-07-24 ⋅ Intrusiontruth ⋅ Intrusiontruth
@online{intrusiontruth:20190724:apt17:6b9a666,
author = {Intrusiontruth},
title = {{APT17 is run by the Jinan bureau of the Chinese Ministry of State Security}},
date = {2019-07-24},
organization = {Intrusiontruth},
url = {https://intrusiontruth.wordpress.com/2019/07/24/apt17-is-run-by-the-jinan-bureau-of-the-chinese-ministry-of-state-security/},
language = {English},
urldate = {2020-04-21}
}
APT17 is run by the Jinan bureau of the Chinese Ministry of State Security
BLACKCOFFEE |
2019-06-04 ⋅ Bitdefender ⋅ Bitdefender
@techreport{bitdefender:20190604:blueprint:ce0583c,
author = {Bitdefender},
title = {{An APT Blueprint: Gaining New Visibility into Financial Threats}},
date = {2019-06-04},
institution = {Bitdefender},
url = {https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf},
language = {English},
urldate = {2019-12-18}
}
An APT Blueprint: Gaining New Visibility into Financial Threats
More_eggs Cobalt Strike |
2019-06-03 ⋅ FireEye ⋅ Chi-en Shen
@online{shen:20190603:into:d40fee9,
author = {Chi-en Shen},
title = {{Into the Fog - The Return of ICEFOG APT}},
date = {2019-06-03},
organization = {FireEye},
url = {https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt},
language = {English},
urldate = {2020-06-30}
}
Into the Fog - The Return of ICEFOG APT
Icefog PlugX Sarhust |
2019-05-28 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone, Tom Lancaster
@online{falcone:20190528:emissary:dc0f942,
author = {Robert Falcone and Tom Lancaster},
title = {{Emissary Panda Attacks Middle East Government Sharepoint Servers}},
date = {2019-05-28},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/},
language = {English},
urldate = {2020-01-09}
}
Emissary Panda Attacks Middle East Government Sharepoint Servers
CHINACHOPPER Unidentified 060 |
2019-05-24 ⋅ Fortinet ⋅ Ben Hunter
@online{hunter:20190524:uncovering:7d8776e,
author = {Ben Hunter},
title = {{Uncovering new Activity by APT10}},
date = {2019-05-24},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-},
language = {English},
urldate = {2020-11-04}
}
Uncovering new Activity by APT10
PlugX Quasar RAT |
2019-05-17 ⋅ Bleeping Computer ⋅ Sergiu Gatlan
@online{gatlan:20190517:teamviewer:563f298,
author = {Sergiu Gatlan},
title = {{TeamViewer Confirms Undisclosed Breach From 2016}},
date = {2019-05-17},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/teamviewer-confirms-undisclosed-breach-from-2016/},
language = {English},
urldate = {2019-12-20}
}
TeamViewer Confirms Undisclosed Breach From 2016
Axiom |
2019-05-15 ⋅ Chronicle ⋅ Silas Cutler, Juan Andrés Guerrero-Saade
@online{cutler:20190515:winnti:269a852,
author = {Silas Cutler and Juan Andrés Guerrero-Saade},
title = {{Winnti: More than just Windows and Gates}},
date = {2019-05-15},
organization = {Chronicle},
url = {https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a},
language = {English},
urldate = {2019-10-14}
}
Winnti: More than just Windows and Gates
Winnti Axiom |
2019-05-08 ⋅ Verizon Communications Inc. ⋅ Verizon Communications Inc.
@techreport{inc:20190508:2019:3c20a3b,
author = {Verizon Communications Inc.},
title = {{2019 Data Breach Investigations Report}},
date = {2019-05-08},
institution = {Verizon Communications Inc.},
url = {https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf},
language = {English},
urldate = {2020-05-10}
}
2019 Data Breach Investigations Report
BlackEnergy Cobalt Strike DanaBot Gandcrab GreyEnergy Mirai Olympic Destroyer SamSam |
2019-04-24 ⋅ Weixin ⋅ Tencent
@online{tencent:20190424:sea:a722d68,
author = {Tencent},
title = {{"Sea Lotus" APT organization's attack techniques against China in the first quarter of 2019 revealed}},
date = {2019-04-24},
organization = {Weixin},
url = {https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A},
language = {English},
urldate = {2020-01-13}
}
"Sea Lotus" APT organization's attack techniques against China in the first quarter of 2019 revealed
Cobalt Strike SOUNDBITE |
2019-04-23 ⋅ Kaspersky Labs ⋅ GReAT, AMR
@online{great:20190423:operation:20b8f83,
author = {GReAT and AMR},
title = {{Operation ShadowHammer: a high-profile supply chain attack}},
date = {2019-04-23},
organization = {Kaspersky Labs},
url = {https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/},
language = {English},
urldate = {2019-12-20}
}
Operation ShadowHammer: a high-profile supply chain attack
shadowhammer ShadowPad |
2019-04-15 ⋅ PenTestPartners ⋅ Neil Lines
@online{lines:20190415:cobalt:7b3c086,
author = {Neil Lines},
title = {{Cobalt Strike. Walkthrough for Red Teamers}},
date = {2019-04-15},
organization = {PenTestPartners},
url = {https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/},
language = {English},
urldate = {2019-12-17}
}
Cobalt Strike. Walkthrough for Red Teamers
Cobalt Strike |
2019-04-04 ⋅ Deutsche Welle ⋅ Deutsche Welle
@online{welle:20190404:bayer:c350e4e,
author = {Deutsche Welle},
title = {{Bayer points finger at Wicked Panda in cyberattack}},
date = {2019-04-04},
organization = {Deutsche Welle},
url = {https://www.dw.com/en/bayer-points-finger-at-wicked-panda-in-cyberattack/a-48196004},
language = {English},
urldate = {2020-01-10}
}
Bayer points finger at Wicked Panda in cyberattack
Axiom |
2019-03-24 ⋅ One Night in Norfolk ⋅ Kevin Perlow
@online{perlow:20190324:jeshell:439ae8b,
author = {Kevin Perlow},
title = {{JEShell: An OceanLotus (APT32) Backdoor}},
date = {2019-03-24},
organization = {One Night in Norfolk},
url = {https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/},
language = {English},
urldate = {2020-05-19}
}
JEShell: An OceanLotus (APT32) Backdoor
Cobalt Strike KerrDown |
2019-03-19 ⋅ NSHC ⋅ ThreatRecon Team
@online{team:20190319:sectorm04:6c6ea37,
author = {ThreatRecon Team},
title = {{SectorM04 Targeting Singapore – An Analysis}},
date = {2019-03-19},
organization = {NSHC},
url = {https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/},
language = {English},
urldate = {2020-01-07}
}
SectorM04 Targeting Singapore – An Analysis
PlugX Termite |
2019-03-11 ⋅ ESET Research ⋅ Marc-Etienne M.Léveillé
@online{mlveill:20190311:gaming:8449e78,
author = {Marc-Etienne M.Léveillé},
title = {{Gaming industry still in the scope of attackers in Asia}},
date = {2019-03-11},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/},
language = {English},
urldate = {2020-01-13}
}
Gaming industry still in the scope of attackers in Asia
Axiom |
2019-02-27 ⋅ Morphisec ⋅ Michael Gorelik, Alon Groisman
@online{gorelik:20190227:new:5296a0b,
author = {Michael Gorelik and Alon Groisman},
title = {{New Global Cyber Attack on Point of Sale Sytem}},
date = {2019-02-27},
organization = {Morphisec},
url = {http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems},
language = {English},
urldate = {2020-01-09}
}
New Global Cyber Attack on Point of Sale Sytem
Cobalt Strike |
2019-02-27 ⋅ Secureworks ⋅ CTU Research Team
@online{team:20190227:peek:16c9160,
author = {CTU Research Team},
title = {{A Peek into BRONZE UNION’s Toolbox}},
date = {2019-02-27},
organization = {Secureworks},
url = {https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox},
language = {English},
urldate = {2020-01-07}
}
A Peek into BRONZE UNION’s Toolbox
Ghost RAT HyperBro ZXShell |
2019-02-26 ⋅ Fox-IT ⋅ Fox IT
@online{it:20190226:identifying:689104d,
author = {Fox IT},
title = {{Identifying Cobalt Strike team servers in the wild}},
date = {2019-02-26},
organization = {Fox-IT},
url = {https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/},
language = {English},
urldate = {2020-10-25}
}
Identifying Cobalt Strike team servers in the wild
Cobalt Strike |
2019 ⋅ MITRE ⋅ MITRE ATT&CK
@online{attck:2019:winnti:ad3b350,
author = {MITRE ATT&CK},
title = {{Group description: Winnti Group}},
date = {2019},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0044/},
language = {English},
urldate = {2019-12-20}
}
Group description: Winnti Group
Axiom |
2019 ⋅ Virus Bulletin ⋅ Lion Gu, Bowen Pan
@techreport{gu:2019:vine:df5dbfb,
author = {Lion Gu and Bowen Pan},
title = {{A vine climbing over the Great Firewall: A long-term attack against China}},
date = {2019},
institution = {Virus Bulletin},
url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-GuPan.pdf},
language = {English},
urldate = {2020-01-08}
}
A vine climbing over the Great Firewall: A long-term attack against China
Poison Ivy ZXShell |
2019 ⋅ Council on Foreign Relations ⋅ Cyber Operations Tracker
@online{tracker:2019:axiom:1e5515a,
author = {Cyber Operations Tracker},
title = {{Axiom}},
date = {2019},
organization = {Council on Foreign Relations},
url = {https://www.cfr.org/interactive/cyber-operations/axiom},
language = {English},
urldate = {2019-12-20}
}
Axiom
Axiom |
2019 ⋅ MITRE ⋅ MITRE ATT&CK
@online{attck:2019:tool:ebc79ce,
author = {MITRE ATT&CK},
title = {{Tool description: BLACKCOFFEE}},
date = {2019},
organization = {MITRE},
url = {https://attack.mitre.org/software/S0069/},
language = {English},
urldate = {2019-12-20}
}
Tool description: BLACKCOFFEE
BLACKCOFFEE |
2019 ⋅ MITRE ⋅ MITRE ATT&CK
@online{attck:2019:tool:fd89dda,
author = {MITRE ATT&CK},
title = {{Tool description: China Chopper}},
date = {2019},
organization = {MITRE},
url = {https://attack.mitre.org/software/S0020/},
language = {English},
urldate = {2019-12-20}
}
Tool description: China Chopper
CHINACHOPPER |
2018-12-24 ⋅ Twitter (@MrDanPerez) ⋅ Dan Perez
@online{perez:20181224:hashes:9a4fc8c,
author = {Dan Perez},
title = {{Tweet on hashes for CROSSWALK}},
date = {2018-12-24},
organization = {Twitter (@MrDanPerez)},
url = {https://twitter.com/MrDanPerez/status/1159459082534825986},
language = {English},
urldate = {2019-11-27}
}
Tweet on hashes for CROSSWALK
CROSSWALK |
2018-12-14 ⋅ Australian Cyber Security Centre ⋅ ASD
@techreport{asd:20181214:investigationreport:6eda856,
author = {ASD},
title = {{Investigationreport: Compromise of an Australian companyvia their Managed Service Provider}},
date = {2018-12-14},
institution = {Australian Cyber Security Centre},
url = {https://www.cyber.gov.au/sites/default/files/2019-03/msp_investigation_report.pdf},
language = {English},
urldate = {2020-03-11}
}
Investigationreport: Compromise of an Australian companyvia their Managed Service Provider
PlugX RedLeaves |
2018-11-19 ⋅ FireEye ⋅ Matthew Dunwoody, Andrew Thompson, Ben Withnell, Jonathan Leathery, Michael Matonis, Nick Carr
@online{dunwoody:20181119:not:e581291,
author = {Matthew Dunwoody and Andrew Thompson and Ben Withnell and Jonathan Leathery and Michael Matonis and Nick Carr},
title = {{Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign}},
date = {2018-11-19},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html},
language = {English},
urldate = {2019-12-20}
}
Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign
Cobalt Strike |
2018-11-18 ⋅ Stranded on Pylos Blog ⋅ Joe
@online{joe:20181118:cozybear:4801301,
author = {Joe},
title = {{CozyBear – In from the Cold?}},
date = {2018-11-18},
organization = {Stranded on Pylos Blog},
url = {https://pylos.co/2018/11/18/cozybear-in-from-the-cold/},
language = {English},
urldate = {2020-01-09}
}
CozyBear – In from the Cold?
Cobalt Strike APT 29 |
2018-10-01 ⋅ FireEye ⋅ Regina Elwell, Katie Nickels
@techreport{elwell:20181001:attcking:3c6d888,
author = {Regina Elwell and Katie Nickels},
title = {{ATT&CKing FIN7}},
date = {2018-10-01},
institution = {FireEye},
url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf},
language = {English},
urldate = {2020-06-25}
}
ATT&CKing FIN7
Bateleur BELLHOP Griffon ANTAK POWERPIPE POWERSOURCE HALFBAKED BABYMETAL Carbanak Cobalt Strike DNSMessenger DRIFTPIN PILLOWMINT SocksBot |
2018-08-03 ⋅ JPCERT/CC ⋅ Takuya Endo, Yukako Uchida
@online{endo:20180803:volatility:4597ce0,
author = {Takuya Endo and Yukako Uchida},
title = {{Volatility Plugin for Detecting Cobalt Strike Beacon}},
date = {2018-08-03},
organization = {JPCERT/CC},
url = {https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html},
language = {English},
urldate = {2019-07-11}
}
Volatility Plugin for Detecting Cobalt Strike Beacon
Cobalt Strike |
2018-07-31 ⋅ Github (JPCERTCC) ⋅ JPCERT/CC
@online{jpcertcc:20180731:scanner:d1757d9,
author = {JPCERT/CC},
title = {{Scanner for CobaltStrike}},
date = {2018-07-31},
organization = {Github (JPCERTCC)},
url = {https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py},
language = {English},
urldate = {2020-01-13}
}
Scanner for CobaltStrike
Cobalt Strike |
2018-07-26 ⋅ CrowdStrike ⋅ Adam Meyers
@online{meyers:20180726:meet:af48096,
author = {Adam Meyers},
title = {{Meet CrowdStrike’s Adversary of the Month for July: WICKED SPIDER}},
date = {2018-07-26},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-july-wicked-spider/},
language = {English},
urldate = {2019-12-20}
}
Meet CrowdStrike’s Adversary of the Month for July: WICKED SPIDER
Axiom |
2018-05-22 ⋅ Github (TKCERT) ⋅ thyssenkrupp CERT
@online{cert:20180522:nmap:1ee2530,
author = {thyssenkrupp CERT},
title = {{Nmap Script to scan for Winnti infections}},
date = {2018-05-22},
organization = {Github (TKCERT)},
url = {https://github.com/TKCERT/winnti-nmap-script},
language = {English},
urldate = {2020-01-07}
}
Nmap Script to scan for Winnti infections
Winnti |
2018-05-21 ⋅ LAC ⋅ Yoshihiro Ishikawa
@online{ishikawa:20180521:confirmed:ad336b5,
author = {Yoshihiro Ishikawa},
title = {{Confirmed new attacks by APT attacker group menuPass (APT10)}},
date = {2018-05-21},
organization = {LAC},
url = {https://www.lac.co.jp/lacwatch/people/20180521_001638.html},
language = {Japanese},
urldate = {2019-10-27}
}
Confirmed new attacks by APT attacker group menuPass (APT10)
Cobalt Strike |
2018-05-09 ⋅ COUNT UPON SECURITY ⋅ Luis Rocha
@online{rocha:20180509:malware:3ee8ecf,
author = {Luis Rocha},
title = {{Malware Analysis - PlugX - Part 2}},
date = {2018-05-09},
organization = {COUNT UPON SECURITY},
url = {https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/},
language = {English},
urldate = {2020-01-05}
}
Malware Analysis - PlugX - Part 2
PlugX |
2018-05-03 ⋅ ProtectWise ⋅ Tom Hegel
@online{hegel:20180503:burning:2837854,
author = {Tom Hegel},
title = {{Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers}},
date = {2018-05-03},
organization = {ProtectWise},
url = {https://401trg.com/burning-umbrella/},
language = {English},
urldate = {2019-10-15}
}
Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers
Axiom |
2018-03-16 ⋅ FireEye ⋅ FireEye
@online{fireeye:20180316:suspected:2a77316,
author = {FireEye},
title = {{Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries}},
date = {2018-03-16},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html},
language = {English},
urldate = {2019-12-20}
}
Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries
badflick BLACKCOFFEE CHINACHOPPER homefry murkytop SeDll Leviathan |
2018-03-13 ⋅ Kaspersky Labs ⋅ Denis Makrushin, Yury Namestnikov
@online{makrushin:20180313:time:7171143,
author = {Denis Makrushin and Yury Namestnikov},
title = {{Time of death? A therapeutic postmortem of connected medicine}},
date = {2018-03-13},
organization = {Kaspersky Labs},
url = {https://securelist.com/time-of-death-connected-medicine/84315/},
language = {English},
urldate = {2019-12-20}
}
Time of death? A therapeutic postmortem of connected medicine
PlugX |
2018-03-05 ⋅ Github (TKCERT) ⋅ TKCERT
@online{tkcert:20180305:suricata:0b45f94,
author = {TKCERT},
title = {{Suricata rules to detect Winnti communication}},
date = {2018-03-05},
organization = {Github (TKCERT)},
url = {https://github.com/TKCERT/winnti-suricata-lua},
language = {English},
urldate = {2020-01-07}
}
Suricata rules to detect Winnti communication
Winnti |
2018-02-04 ⋅ COUNT UPON SECURITY ⋅ Luis Rocha
@online{rocha:20180204:malware:ea0aede,
author = {Luis Rocha},
title = {{MALWARE ANALYSIS – PLUGX}},
date = {2018-02-04},
organization = {COUNT UPON SECURITY},
url = {https://countuponsecurity.com/2018/02/04/malware-analysis-plugx/},
language = {English},
urldate = {2020-01-07}
}
MALWARE ANALYSIS – PLUGX
PlugX |
2017-12-20 ⋅ CrowdStrike ⋅ Adam Kozy
@online{kozy:20171220:end:218a388,
author = {Adam Kozy},
title = {{An End to “Smash-and-Grab” and a Move to More Targeted Approaches}},
date = {2017-12-20},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/an-end-to-smash-and-grab-more-targeted-approaches/},
language = {English},
urldate = {2020-05-11}
}
An End to “Smash-and-Grab” and a Move to More Targeted Approaches
CHINACHOPPER |
2017-12-18 ⋅ LAC ⋅ Yoshihiro Ishikawa
@online{ishikawa:20171218:relationship:fb13bae,
author = {Yoshihiro Ishikawa},
title = {{Relationship between PlugX and attacker group "DragonOK"}},
date = {2017-12-18},
organization = {LAC},
url = {https://www.lac.co.jp/lacwatch/people/20171218_001445.html},
language = {Japanese},
urldate = {2019-11-22}
}
Relationship between PlugX and attacker group "DragonOK"
PlugX |
2017-08-15 ⋅ Kaspersky Labs ⋅ GReAT
@online{great:20170815:shadowpad:3d5b9a0,
author = {GReAT},
title = {{ShadowPad in corporate networks}},
date = {2017-08-15},
organization = {Kaspersky Labs},
url = {https://securelist.com/shadowpad-in-corporate-networks/81432/},
language = {English},
urldate = {2019-12-20}
}
ShadowPad in corporate networks
ShadowPad |
2017-06-27 ⋅ Palo Alto Networks Unit 42 ⋅ Tom Lancaster, Esmid Idrizovic
@online{lancaster:20170627:paranoid:f933eb4,
author = {Tom Lancaster and Esmid Idrizovic},
title = {{Paranoid PlugX}},
date = {2017-06-27},
organization = {Palo Alto Networks Unit 42},
url = {https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/},
language = {English},
urldate = {2019-12-20}
}
Paranoid PlugX
PlugX |
2017-06-06 ⋅ FireEye ⋅ Ian Ahl
@online{ahl:20170606:privileges:9598d5f,
author = {Ian Ahl},
title = {{Privileges and Credentials: Phished at the Request of Counsel}},
date = {2017-06-06},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html},
language = {English},
urldate = {2019-12-20}
}
Privileges and Credentials: Phished at the Request of Counsel
Cobalt Strike |
2017-04-27 ⋅ US-CERT ⋅ US-CERT
@online{uscert:20170427:alert:fdb865d,
author = {US-CERT},
title = {{Alert (TA17-117A): Intrusions Affecting Multiple Victims Across Multiple Sectors}},
date = {2017-04-27},
organization = {US-CERT},
url = {https://www.us-cert.gov/ncas/alerts/TA17-117A},
language = {English},
urldate = {2020-03-11}
}
Alert (TA17-117A): Intrusions Affecting Multiple Victims Across Multiple Sectors
PlugX RedLeaves |
2017-04-19 ⋅ Trend Micro ⋅ Trendmicro
@online{trendmicro:20170419:of:1656f97,
author = {Trendmicro},
title = {{Of Pigs and Malware: Examining a Possible Member of the Winnti Group}},
date = {2017-04-19},
organization = {Trend Micro},
url = {http://blog.trendmicro.com/trendlabs-security-intelligence/pigs-malware-examining-possible-member-winnti-group/},
language = {English},
urldate = {2019-12-04}
}
Of Pigs and Malware: Examining a Possible Member of the Winnti Group
Winnti |
2017-04-03 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
@online{tomonaga:20170403:redleaves:211a123,
author = {Shusei Tomonaga},
title = {{RedLeaves - Malware Based on Open Source RAT}},
date = {2017-04-03},
organization = {JPCERT/CC},
url = {http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html},
language = {English},
urldate = {2020-01-10}
}
RedLeaves - Malware Based on Open Source RAT
PlugX RedLeaves |
2017-04 ⋅ PricewaterhouseCoopers ⋅ PricewaterhouseCoopers
@techreport{pricewaterhousecoopers:201704:operation:cb50712,
author = {PricewaterhouseCoopers},
title = {{Operation Cloud Hopper: Technical Annex}},
date = {2017-04},
institution = {PricewaterhouseCoopers},
url = {https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf},
language = {English},
urldate = {2019-10-15}
}
Operation Cloud Hopper: Technical Annex
ChChes PlugX Quasar RAT RedLeaves Trochilus RAT |
2017-03-22 ⋅ Trend Micro ⋅ Cedric Pernet
@online{pernet:20170322:winnti:44f428b,
author = {Cedric Pernet},
title = {{Winnti Abuses GitHub for C&C Communications}},
date = {2017-03-22},
organization = {Trend Micro},
url = {https://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/},
language = {English},
urldate = {2020-01-07}
}
Winnti Abuses GitHub for C&C Communications
EASYNIGHT Axiom |
2017-03-22 ⋅ Trend Micro ⋅ Cedric Pernet
@online{pernet:20170322:winnti:bfd35bc,
author = {Cedric Pernet},
title = {{Winnti Abuses GitHub for C&C Communications}},
date = {2017-03-22},
organization = {Trend Micro},
url = {http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/},
language = {English},
urldate = {2019-07-09}
}
Winnti Abuses GitHub for C&C Communications
Winnti |
2017-02-21 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
@online{tomonaga:20170221:plugx:f9e4817,
author = {Shusei Tomonaga},
title = {{PlugX + Poison Ivy = PlugIvy? - PlugX Integrating Poison Ivy’s Code}},
date = {2017-02-21},
organization = {JPCERT/CC},
url = {http://blog.jpcert.or.jp/2017/02/plugx-poison-iv-919a.html},
language = {English},
urldate = {2020-01-13}
}
PlugX + Poison Ivy = PlugIvy? - PlugX Integrating Poison Ivy’s Code
PlugX |
2017-02-13 ⋅ RSA ⋅ RSA Research
@techreport{research:20170213:kingslayer:98f4892,
author = {RSA Research},
title = {{KINGSLAYER – A SUPPLY CHAIN ATTACK}},
date = {2017-02-13},
institution = {RSA},
url = {https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf},
language = {English},
urldate = {2020-01-08}
}
KINGSLAYER – A SUPPLY CHAIN ATTACK
CodeKey PlugX |
2017-01-25 ⋅ Microsoft ⋅ Microsoft Defender ATP Research Team
@online{team:20170125:detecting:92af610,
author = {Microsoft Defender ATP Research Team},
title = {{Detecting threat actors in recent German industrial attacks with Windows Defender ATP}},
date = {2017-01-25},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/},
language = {English},
urldate = {2020-01-06}
}
Detecting threat actors in recent German industrial attacks with Windows Defender ATP
Axiom |
2016-12-08 ⋅ Deutsche Welle ⋅ Deutsche Welle
@online{welle:20161208:thyssenkrupp:5a3010c,
author = {Deutsche Welle},
title = {{Thyssenkrupp victim of cyber attack}},
date = {2016-12-08},
organization = {Deutsche Welle},
url = {https://www.dw.com/en/thyssenkrupp-victim-of-cyber-attack/a-36695341},
language = {English},
urldate = {2020-01-13}
}
Thyssenkrupp victim of cyber attack
Axiom |
2016-10-28 ⋅ Github (smb01) ⋅ smb01
@online{smb01:20161028:zxshell:e4d3a5e,
author = {smb01},
title = {{zxshell repository}},
date = {2016-10-28},
organization = {Github (smb01)},
url = {https://github.com/smb01/zxshell},
language = {English},
urldate = {2020-01-07}
}
zxshell repository
ZXShell |
2016-10-11 ⋅ Symantec ⋅ Symantec Security Response
@online{response:20161011:odinaff:36b35db,
author = {Symantec Security Response},
title = {{Odinaff: New Trojan used in high level financial attacks}},
date = {2016-10-11},
organization = {Symantec},
url = {https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks},
language = {English},
urldate = {2019-12-05}
}
Odinaff: New Trojan used in high level financial attacks
Cobalt Strike KLRD MimiKatz Odinaff Anunak |
2016-08-25 ⋅ Malwarebytes ⋅ Malwarebytes Labs
@online{labs:20160825:unpacking:66173f5,
author = {Malwarebytes Labs},
title = {{Unpacking the spyware disguised as antivirus}},
date = {2016-08-25},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/},
language = {English},
urldate = {2019-12-20}
}
Unpacking the spyware disguised as antivirus
PlugX |
2016-05-03 ⋅ William Showalter
@online{showalter:20160503:universal:e111d7d,
author = {William Showalter},
title = {{A Universal Windows Bootkit}},
date = {2016-05-03},
url = {http://williamshowalter.com/a-universal-windows-bootkit/},
language = {English},
urldate = {2020-01-07}
}
A Universal Windows Bootkit
Axiom |
2016-03-06 ⋅ Github (TKCERT) ⋅ thyssenkrupp CERT
@online{cert:20160306:network:f9244d3,
author = {thyssenkrupp CERT},
title = {{Network detector for Winnti malware}},
date = {2016-03-06},
organization = {Github (TKCERT)},
url = {https://github.com/TKCERT/winnti-detector},
language = {English},
urldate = {2020-01-07}
}
Network detector for Winnti malware
Winnti |
2016-03-02 ⋅ RSA Conference ⋅ Vanja Svajcer
@techreport{svajcer:20160302:dissecting:e8721e3,
author = {Vanja Svajcer},
title = {{Dissecting Derusbi}},
date = {2016-03-02},
institution = {RSA Conference},
url = {https://web.archive.org/web/20180310053107/https://www.rsaconference.com/writable/presentations/file_upload/hta-w02-dissecting-derusbi.pdf},
language = {English},
urldate = {2020-02-27}
}
Dissecting Derusbi
Derusbi |
2016-01-22 ⋅ RSA Link ⋅ Norton Santos
@online{santos:20160122:plugx:580fcff,
author = {Norton Santos},
title = {{PlugX APT Malware}},
date = {2016-01-22},
organization = {RSA Link},
url = {https://community.rsa.com/thread/185439},
language = {English},
urldate = {2020-01-13}
}
PlugX APT Malware
PlugX |
2015-12-15 ⋅ Airbus Defence & Space ⋅ Fabien Perigaud
@online{perigaud:20151215:newcomers:73beb0c,
author = {Fabien Perigaud},
title = {{Newcomers in the Derusbi family}},
date = {2015-12-15},
organization = {Airbus Defence & Space},
url = {https://web.archive.org/web/20151216071054/http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family},
language = {English},
urldate = {2020-02-27}
}
Newcomers in the Derusbi family
Derusbi |
2015-10-13 ⋅ Kaspersky Labs ⋅ Dmitry Tarakanov
@online{tarakanov:20151013:i:36fae83,
author = {Dmitry Tarakanov},
title = {{I am HDRoot! Part 2}},
date = {2015-10-13},
organization = {Kaspersky Labs},
url = {https://securelist.com/i-am-hdroot-part-2/72356/},
language = {English},
urldate = {2020-03-19}
}
I am HDRoot! Part 2
HDRoot |
2015-10-08 ⋅ Virus Bulletin ⋅ Micky Pun, Eric Leung, Neo Tan
@techreport{pun:20151008:catching:368d81d,
author = {Micky Pun and Eric Leung and Neo Tan},
title = {{Catching the silent whisper: Understanding the Derusbi family tree}},
date = {2015-10-08},
institution = {Virus Bulletin},
url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/Pun-etal-VB2015.pdf},
language = {English},
urldate = {2020-02-27}
}
Catching the silent whisper: Understanding the Derusbi family tree
Derusbi |
2015-10-06 ⋅ Kaspersky Labs ⋅ Dmitry Tarakanov
@online{tarakanov:20151006:i:445dc3a,
author = {Dmitry Tarakanov},
title = {{I am HDRoot! Part 1}},
date = {2015-10-06},
organization = {Kaspersky Labs},
url = {https://securelist.com/i-am-hdroot-part-1/72275/},
language = {English},
urldate = {2020-03-19}
}
I am HDRoot! Part 1
HDRoot |
2015-08 ⋅ Arbor Networks ⋅ ASERT Team
@online{team:201508:uncovering:121e5cf,
author = {ASERT Team},
title = {{Uncovering the Seven Pointed Dagger}},
date = {2015-08},
organization = {Arbor Networks},
url = {https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn},
language = {English},
urldate = {2020-05-18}
}
Uncovering the Seven Pointed Dagger
9002 RAT EvilGrab PlugX Trochilus RAT Group 27 |
2015-06-22 ⋅ Kaspersky Labs ⋅ Dmitry Tarakanov
@online{tarakanov:20150622:games:aba8183,
author = {Dmitry Tarakanov},
title = {{Games are over: Winnti is now targeting pharmaceutical companies}},
date = {2015-06-22},
organization = {Kaspersky Labs},
url = {https://securelist.com/games-are-over/70991/},
language = {English},
urldate = {2019-12-20}
}
Games are over: Winnti is now targeting pharmaceutical companies
Winnti Axiom |
2015-05-18 ⋅ Tetsuji Tanigawa
@online{tanigawa:20150518:tt:4cb29ea,
author = {Tetsuji Tanigawa},
title = {{TT Malware Log}},
date = {2015-05-18},
url = {http://malware-log.hatenablog.com/entry/2015/05/18/000000_1},
language = {Japanese},
urldate = {2020-01-08}
}
TT Malware Log
BLACKCOFFEE |
2015-05 ⋅ FireEye ⋅ FireEye
@techreport{fireeye:201505:hiding:8695fc2,
author = {FireEye},
title = {{HIDING IN PLAIN SIGHT: FIREEYE AND MICROSOFT EXPOSE OBFUSCATION TACTIC}},
date = {2015-05},
institution = {FireEye},
url = {https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf},
language = {English},
urldate = {2019-12-19}
}
HIDING IN PLAIN SIGHT: FIREEYE AND MICROSOFT EXPOSE OBFUSCATION TACTIC
BLACKCOFFEE |
2015-04-06 ⋅ Novetta ⋅ Novetta
@techreport{novetta:20150406:winnti:acc4030,
author = {Novetta},
title = {{WINNTI ANALYSIS}},
date = {2015-04-06},
institution = {Novetta},
url = {https://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf},
language = {English},
urldate = {2020-01-10}
}
WINNTI ANALYSIS
Winnti |
2015-02-27 ⋅ ThreatConnect ⋅ ThreatConnect Research Team
@online{team:20150227:anthem:3576532,
author = {ThreatConnect Research Team},
title = {{The Anthem Hack: All Roads Lead to China}},
date = {2015-02-27},
organization = {ThreatConnect},
url = {https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/},
language = {English},
urldate = {2020-01-09}
}
The Anthem Hack: All Roads Lead to China
Derusbi |
2015-02-06 ⋅ CrowdStrike ⋅ CrowdStrike
@techreport{crowdstrike:20150206:crowdstrike:fbcc37f,
author = {CrowdStrike},
title = {{CrowdStrike Global Threat Intel Report 2014}},
date = {2015-02-06},
institution = {CrowdStrike},
url = {https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf},
language = {English},
urldate = {2020-05-11}
}
CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor |
2015-01-29 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
@online{tomonaga:20150129:analysis:0eaad95,
author = {Shusei Tomonaga},
title = {{Analysis of a Recent PlugX Variant - “P2P PlugX”}},
date = {2015-01-29},
organization = {JPCERT/CC},
url = {http://blog.jpcert.or.jp/2015/01/analysis-of-a-r-ff05.html},
language = {English},
urldate = {2020-01-09}
}
Analysis of a Recent PlugX Variant - “P2P PlugX”
PlugX |
2015 ⋅ Ruxcon ⋅ Matt McCormack
@techreport{mccormack:2015:why:fa3d041,
author = {Matt McCormack},
title = {{WHY ATTACKER TOOLSETS DO WHAT THEY DO}},
date = {2015},
institution = {Ruxcon},
url = {http://2015.ruxcon.org.au/assets/2015/slides/Ruxcon%202015%20-%20McCormack.pdf},
language = {English},
urldate = {2020-01-08}
}
WHY ATTACKER TOOLSETS DO WHAT THEY DO
Winnti |
2014-11 ⋅ Novetta ⋅ Novetta
@techreport{novetta:201411:zoxpng:91e81c6,
author = {Novetta},
title = {{ZoxPNG Analysis}},
date = {2014-11},
institution = {Novetta},
url = {http://www.novetta.com/wp-content/uploads/2014/11/ZoxPNG.pdf},
language = {English},
urldate = {2020-05-07}
}
ZoxPNG Analysis
BLACKCOFFEE |
2014-10-28 ⋅ Cisco ⋅ Andrea Allievi, Douglas Goddard, Shaun Hurley, Alain Zidouemba
@online{allievi:20141028:threat:a302fbd,
author = {Andrea Allievi and Douglas Goddard and Shaun Hurley and Alain Zidouemba},
title = {{Threat Spotlight: Group 72, Opening the ZxShell}},
date = {2014-10-28},
organization = {Cisco},
url = {https://blogs.cisco.com/security/talos/opening-zxshell},
language = {English},
urldate = {2019-10-15}
}
Threat Spotlight: Group 72, Opening the ZxShell
ZXShell |
2014-10-28 ⋅ Novetta ⋅ Novetta
@techreport{novetta:20141028:derusbi:aae275a,
author = {Novetta},
title = {{Derusbi (Server Variant) Analysis}},
date = {2014-10-28},
institution = {Novetta},
url = {http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf},
language = {English},
urldate = {2020-01-06}
}
Derusbi (Server Variant) Analysis
Derusbi |
2014-06-27 ⋅ SophosLabs ⋅ Gabor Szappanos
@techreport{szappanos:20140627:plugx:e63d8bf,
author = {Gabor Szappanos},
title = {{PlugX - The Next Generation}},
date = {2014-06-27},
institution = {SophosLabs},
url = {https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf},
language = {English},
urldate = {2020-01-10}
}
PlugX - The Next Generation
PlugX |
2014-06-10 ⋅ FireEye ⋅ Mike Scott
@online{scott:20140610:clandestine:6d515ab,
author = {Mike Scott},
title = {{Clandestine Fox, Part Deux}},
date = {2014-06-10},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html},
language = {English},
urldate = {2019-12-20}
}
Clandestine Fox, Part Deux
PlugX |
2014-01-06 ⋅ Airbus ⋅ Fabien Perigaud
@online{perigaud:20140106:plugx:16410d7,
author = {Fabien Perigaud},
title = {{PlugX: some uncovered points}},
date = {2014-01-06},
organization = {Airbus},
url = {http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html},
language = {English},
urldate = {2020-01-08}
}
PlugX: some uncovered points
PlugX |
2013-08-07 ⋅ FireEye ⋅ Ian Ahl, Tony Lee, Dennis Hanzlik
@online{ahl:20130807:breaking:aff06e9,
author = {Ian Ahl and Tony Lee and Dennis Hanzlik},
title = {{Breaking Down the China Chopper Web Shell - Part I}},
date = {2013-08-07},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html},
language = {English},
urldate = {2019-12-20}
}
Breaking Down the China Chopper Web Shell - Part I
CHINACHOPPER |
2013-04-11 ⋅ Kaspersky Labs ⋅ GReAT
@online{great:20130411:winnti:b1c0d83,
author = {GReAT},
title = {{Winnti. More than just a game}},
date = {2013-04-11},
organization = {Kaspersky Labs},
url = {https://securelist.com/winnti-more-than-just-a-game/37029/},
language = {English},
urldate = {2019-12-20}
}
Winnti. More than just a game
Axiom |
2013-04-11 ⋅ Kaspersky Labs ⋅ GReAT
@online{great:20130411:winnti:f53a759,
author = {GReAT},
title = {{Winnti FAQ. More Than Just a Game}},
date = {2013-04-11},
organization = {Kaspersky Labs},
url = {https://securelist.com/winnti-faq-more-than-just-a-game/57585/},
language = {English},
urldate = {2019-12-20}
}
Winnti FAQ. More Than Just a Game
Axiom |
2013-04 ⋅ Kaspersky Labs ⋅ GReAT
@techreport{great:201304:winnti:c8e6f40,
author = {GReAT},
title = {{Winnti - More than just a game}},
date = {2013-04},
institution = {Kaspersky Labs},
url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf},
language = {English},
urldate = {2019-07-11}
}
Winnti - More than just a game
portless Winnti |
2013-03-29 ⋅ Computer Incident Response Center Luxembourg ⋅ CIRCL
@techreport{circl:20130329:analysis:b3c48b0,
author = {CIRCL},
title = {{Analysis Report (TLP:WHITE) Analysis of a PlugX variant (PlugX version 7.0)}},
date = {2013-03-29},
institution = {Computer Incident Response Center Luxembourg},
url = {https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf},
language = {English},
urldate = {2019-11-24}
}
Analysis Report (TLP:WHITE) Analysis of a PlugX variant (PlugX version 7.0)
PlugX |
2012 ⋅ Cobalt Strike ⋅ Cobalt Strike
@online{strike:2012:cobalt:8522cdd,
author = {Cobalt Strike},
title = {{Cobalt Strike Website}},
date = {2012},
organization = {Cobalt Strike},
url = {https://www.cobaltstrike.com/support},
language = {English},
urldate = {2020-01-13}
}
Cobalt Strike Website
Cobalt Strike |