SYMBOLCOMMON_NAMEaka. SYNONYMS

FIN6  (Back to overview)

aka: SKELETON SPIDER, ITG08, MageCart Group 6, White Giant, GOLD FRANKLIN

FIN is a group targeting financial assets including assets able to do financial transaction including PoS.


Associated Families
js.more_eggs win.grateful_pos win.lockergoga win.maze win.terra_stealer win.ryuk js.magecart win.cobalt_strike

References
2021-09-21Medium elis531989Eli Salem
@online{salem:20210921:squirrel:1254a9d, author = {Eli Salem}, title = {{The Squirrel Strikes Back: Analysis of the newly emerged cobalt-strike loader “SquirrelWaffle”}}, date = {2021-09-21}, organization = {Medium elis531989}, url = {https://elis531989.medium.com/the-squirrel-strikes-back-analysis-of-the-newly-emerged-cobalt-strike-loader-squirrelwaffle-937b73dbd9f9}, language = {English}, urldate = {2021-09-22} } The Squirrel Strikes Back: Analysis of the newly emerged cobalt-strike loader “SquirrelWaffle”
Cobalt Strike Squirrelwaffle
2021-09-17Malware Traffic AnalysisBrad Duncan
@online{duncan:20210917:20210917:b995435, author = {Brad Duncan}, title = {{2021-09-17 - SQUIRRELWAFFLE Loader with Cobalt Strike}}, date = {2021-09-17}, organization = {Malware Traffic Analysis}, url = {https://www.malware-traffic-analysis.net/2021/09/17/index.html}, language = {English}, urldate = {2021-09-20} } 2021-09-17 - SQUIRRELWAFFLE Loader with Cobalt Strike
Cobalt Strike Squirrelwaffle
2021-09-17Medium inteloperatorIntel Operator
@online{operator:20210917:default:aaaa15c, author = {Intel Operator}, title = {{The default: 63 6f 62 61 6c 74 strike}}, date = {2021-09-17}, organization = {Medium inteloperator}, url = {https://inteloperator.medium.com/the-default-63-6f-62-61-6c-74-strike-8ac9ee0de1b7}, language = {English}, urldate = {2021-09-19} } The default: 63 6f 62 61 6c 74 strike
Cobalt Strike
2021-09-16Twitter (@GossiTheDog)Kevin Beaumont
@online{beaumont:20210916:some:550bbaa, author = {Kevin Beaumont}, title = {{Tweet on some unknown threat actor dropping Mgbot, custom IIS modular backdoor and cobalstrike using exploiting ProxyShell}}, date = {2021-09-16}, organization = {Twitter (@GossiTheDog)}, url = {https://twitter.com/GossiTheDog/status/1438500100238577670}, language = {English}, urldate = {2021-09-20} } Tweet on some unknown threat actor dropping Mgbot, custom IIS modular backdoor and cobalstrike using exploiting ProxyShell
Cobalt Strike MgBot
2021-09-16Medium ShabarkinPavel Shabarkin
@online{shabarkin:20210916:pointer:828998f, author = {Pavel Shabarkin}, title = {{Pointer: Hunting Cobalt Strike globally}}, date = {2021-09-16}, organization = {Medium Shabarkin}, url = {https://medium.com/@shabarkin/pointer-hunting-cobalt-strike-globally-a334ac50619a}, language = {English}, urldate = {2021-09-19} } Pointer: Hunting Cobalt Strike globally
Cobalt Strike
2021-09-16RiskIQRiskIQ
@online{riskiq:20210916:untangling:d1e0f1b, author = {RiskIQ}, title = {{Untangling the Spider Web: The Curious Connection Between WIZARD SPIDER’s Ransomware Infrastructure and a Windows Zero-Day Exploit}}, date = {2021-09-16}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/c88cf7e6}, language = {English}, urldate = {2021-09-19} } Untangling the Spider Web: The Curious Connection Between WIZARD SPIDER’s Ransomware Infrastructure and a Windows Zero-Day Exploit
Cobalt Strike Ryuk
2021-09-15MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20210915:analyzing:37b6528, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability}}, date = {2021-09-15}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/}, language = {English}, urldate = {2021-09-19} } Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability
Cobalt Strike
2021-09-14Recorded FutureInsikt Group®
@techreport{group:20210914:fullspectrum:fdc7b06, author = {Insikt Group®}, title = {{Full-Spectrum Cobalt Strike Detection}}, date = {2021-09-14}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf}, language = {English}, urldate = {2021-09-19} } Full-Spectrum Cobalt Strike Detection
Cobalt Strike
2021-09-13The DFIR ReportThe DFIR Report
@online{report:20210913:bazarloader:5073703, author = {The DFIR Report}, title = {{BazarLoader to Conti Ransomware in 32 Hours}}, date = {2021-09-13}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/}, language = {English}, urldate = {2021-09-14} } BazarLoader to Conti Ransomware in 32 Hours
BazarBackdoor Cobalt Strike Conti
2021-09-13MalwarebytesJérôme Segura
@online{segura:20210913:many:c651ab9, author = {Jérôme Segura}, title = {{The many tentacles of Magecart Group 8}}, date = {2021-09-13}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-intelligence/2021/09/the-many-tentacles-of-magecart-group-8/}, language = {English}, urldate = {2021-09-19} } The many tentacles of Magecart Group 8
magecart
2021-09-10GigamonJoe Slowik
@online{slowik:20210910:rendering:59082b0, author = {Joe Slowik}, title = {{Rendering Threats: A Network Perspective}}, date = {2021-09-10}, organization = {Gigamon}, url = {https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/}, language = {English}, urldate = {2021-09-12} } Rendering Threats: A Network Perspective
Cobalt Strike
2021-09-09Trend MicroTrend Micro
@online{micro:20210909:remote:17382af, author = {Trend Micro}, title = {{Remote Code Execution 0-Day (CVE-2021-40444) Hits Windows, Triggered Via Office Docs}}, date = {2021-09-09}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/i/remote-code-execution-zero-day--cve-2021-40444--hits-windows--tr.html}, language = {English}, urldate = {2021-09-12} } Remote Code Execution 0-Day (CVE-2021-40444) Hits Windows, Triggered Via Office Docs
Cobalt Strike
2021-09-08Arash's BlogArash Parsa
@online{parsa:20210908:hook:4dff1b6, author = {Arash Parsa}, title = {{Hook Heaps and Live Free}}, date = {2021-09-08}, organization = {Arash's Blog}, url = {https://www.arashparsa.com/hook-heaps-and-live-free/}, language = {English}, urldate = {2021-09-10} } Hook Heaps and Live Free
Cobalt Strike
2021-09-07Medium michaelkoczwaraMichael Koczwara
@online{koczwara:20210907:cobalt:7af112e, author = {Michael Koczwara}, title = {{Cobalt Strike C2 Hunting with Shodan}}, date = {2021-09-07}, organization = {Medium michaelkoczwara}, url = {https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2}, language = {English}, urldate = {2021-09-09} } Cobalt Strike C2 Hunting with Shodan
Cobalt Strike
2021-09-06kienmanowar Blogm4n0w4r
@online{m4n0w4r:20210906:quick:0a892b2, author = {m4n0w4r}, title = {{Quick analysis CobaltStrike loader and shellcode}}, date = {2021-09-06}, organization = {kienmanowar Blog}, url = {https://kienmanowar.wordpress.com/2021/09/06/quick-analysis-cobaltstrike-loader-and-shellcode/}, language = {English}, urldate = {2021-09-10} } Quick analysis CobaltStrike loader and shellcode
Cobalt Strike
2021-09-03Trend MicroMohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2021-09-03SophosSean Gallagher, Peter Mackenzie, Anand Ajjan, Andrew Ludgate, Gabor Szappanos, Sergio Bestulic, Syed Zaidi
@online{gallagher:20210903:conti:db20680, author = {Sean Gallagher and Peter Mackenzie and Anand Ajjan and Andrew Ludgate and Gabor Szappanos and Sergio Bestulic and Syed Zaidi}, title = {{Conti affiliates use ProxyShell Exchange exploit in ransomware attacks}}, date = {2021-09-03}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/}, language = {English}, urldate = {2021-09-06} } Conti affiliates use ProxyShell Exchange exploit in ransomware attacks
Cobalt Strike Conti
2021-09-02Twitter (@th3_protoCOL)Colin, GaborSzappanos
@online{colin:20210902:confluence:5bbf2cb, author = {Colin and GaborSzappanos}, title = {{Tweet on Confluence Server exploitation (CVE-2021-26084) in the wild and cobaltsrike activity (mentioned in replies by GaborSzappanos)}}, date = {2021-09-02}, organization = {Twitter (@th3_protoCOL)}, url = {https://twitter.com/th3_protoCOL/status/1433414685299142660?s=20}, language = {English}, urldate = {2021-09-06} } Tweet on Confluence Server exploitation (CVE-2021-26084) in the wild and cobaltsrike activity (mentioned in replies by GaborSzappanos)
Cobalt Strike
2021-09-02Medium michaelkoczwaraMichael Koczwara
@online{koczwara:20210902:cobalt:40a1888, author = {Michael Koczwara}, title = {{Cobalt Strike PowerShell Payload Analysis}}, date = {2021-09-02}, organization = {Medium michaelkoczwara}, url = {https://michaelkoczwara.medium.com/cobalt-strike-powershell-payload-analysis-eecf74b3c2f7}, language = {English}, urldate = {2021-09-09} } Cobalt Strike PowerShell Payload Analysis
Cobalt Strike
2021-09-01YouTube (Black Hat)Aragorn Tseng, Charles Li
@online{tseng:20210901:mem2img:7817a5d, author = {Aragorn Tseng and Charles Li}, title = {{Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network}}, date = {2021-09-01}, organization = {YouTube (Black Hat)}, url = {https://www.youtube.com/watch?v=6SDdUVejR2w}, language = {English}, urldate = {2021-09-12} } Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network
Cobalt Strike PlugX Waterbear
2021-08-30QianxinRed Raindrop Team
@online{team:20210830:operation:7b5be26, author = {Red Raindrop Team}, title = {{Operation (Thủy Tinh) OceanStorm: The evil lotus hidden under the abyss}}, date = {2021-08-30}, organization = {Qianxin}, url = {https://ti.qianxin.com/blog/articles/Operation-OceanStorm:The-OceanLotus-hidden-under-the-abyss-of-the-deep/}, language = {Chinese}, urldate = {2021-09-09} } Operation (Thủy Tinh) OceanStorm: The evil lotus hidden under the abyss
Cobalt Strike MimiKatz
2021-08-29The DFIR ReportThe DFIR Report
@online{report:20210829:cobalt:1e4595e, author = {The DFIR Report}, title = {{Cobalt Strike, a Defender’s Guide}}, date = {2021-08-29}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/}, language = {English}, urldate = {2021-08-31} } Cobalt Strike, a Defender’s Guide
Cobalt Strike
2021-08-27MorphisecMorphisec Labs
@online{labs:20210827:proxyshell:a4650f1, author = {Morphisec Labs}, title = {{ProxyShell Exchange Exploitation Now Leads To An Increasing Amount Of Cobaltstrike Backdoors}}, date = {2021-08-27}, organization = {Morphisec}, url = {https://blog.morphisec.com/proxyshell-exchange-exploitation-now-leads-to-an-increasing-amount-of-cobaltstrike-backdoors}, language = {English}, urldate = {2021-08-31} } ProxyShell Exchange Exploitation Now Leads To An Increasing Amount Of Cobaltstrike Backdoors
Cobalt Strike
2021-08-25Trend MicroHara Hiroaki, Ted Lee
@techreport{hiroaki:20210825:earth:776384f, author = {Hara Hiroaki and Ted Lee}, title = {{Earth Baku An APT Group Targeting Indo-Pacific Countries With New Stealth Loaders and Backdoor}}, date = {2021-08-25}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf}, language = {English}, urldate = {2021-08-31} } Earth Baku An APT Group Targeting Indo-Pacific Countries With New Stealth Loaders and Backdoor
Cobalt Strike SideWalk
2021-08-24ESET ResearchThibaut Passilly, Mathieu Tartare
@online{passilly:20210824:sidewalk:75d39db, author = {Thibaut Passilly and Mathieu Tartare}, title = {{The SideWalk may be as dangerous as the CROSSWALK}}, date = {2021-08-24}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/}, language = {English}, urldate = {2021-08-31} } The SideWalk may be as dangerous as the CROSSWALK
Cobalt Strike CROSSWALK SideWalk
2021-08-23FBIFBI
@techreport{fbi:20210823:indicators:3308f26, author = {FBI}, title = {{Indicators of Compromise Associated with OnePercent Group Ransomware}}, date = {2021-08-23}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2021/210823.pdf}, language = {English}, urldate = {2021-08-24} } Indicators of Compromise Associated with OnePercent Group Ransomware
Cobalt Strike MimiKatz
2021-08-23Youtube (SANS Digital Forensics and Incident Response)Chad Tilbury
@online{tilbury:20210823:keynote:23c0084, author = {Chad Tilbury}, title = {{Keynote: Cobalt Strike Threat Hunting}}, date = {2021-08-23}, organization = {Youtube (SANS Digital Forensics and Incident Response)}, url = {https://www.youtube.com/watch?v=borfuQGrB8g}, language = {English}, urldate = {2021-08-25} } Keynote: Cobalt Strike Threat Hunting
Cobalt Strike
2021-08-19BlackberryBlackBerry Research & Intelligence Team
@online{team:20210819:blackberry:2eec433, author = {BlackBerry Research & Intelligence Team}, title = {{BlackBerry Prevents: Threat Actor Group TA575 and Dridex Malware}}, date = {2021-08-19}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/08/blackberry-prevents-threat-actor-group-ta575-and-dridex-malware}, language = {English}, urldate = {2021-08-23} } BlackBerry Prevents: Threat Actor Group TA575 and Dridex Malware
Cobalt Strike Dridex
2021-08-19Sekoiasekoia
@online{sekoia:20210819:insider:ceb84de, author = {sekoia}, title = {{An insider insights into Conti operations – Part two}}, date = {2021-08-19}, organization = {Sekoia}, url = {https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-two/}, language = {English}, urldate = {2021-09-06} } An insider insights into Conti operations – Part two
Cobalt Strike Conti
2021-08-18IntezerRyan Robinson
@online{robinson:20210818:cobalt:965e1a9, author = {Ryan Robinson}, title = {{Cobalt Strike: Detect this Persistent Threat}}, date = {2021-08-18}, organization = {Intezer}, url = {https://www.intezer.com/blog/malware-analysis/cobalt-strike-detect-this-persistent-threat/}, language = {English}, urldate = {2021-08-25} } Cobalt Strike: Detect this Persistent Threat
Cobalt Strike
2021-08-17Advanced IntelligenceVitali Kremez, Yelisey Boguslavskiy
@online{kremez:20210817:hunting:1dc14d0, author = {Vitali Kremez and Yelisey Boguslavskiy}, title = {{Hunting for Corporate Insurance Policies: Indicators of [Ransom] Exfiltration}}, date = {2021-08-17}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations}, language = {English}, urldate = {2021-08-31} } Hunting for Corporate Insurance Policies: Indicators of [Ransom] Exfiltration
Cobalt Strike Conti
2021-08-17Sekoiasekoia
@online{sekoia:20210817:insider:3b427c7, author = {sekoia}, title = {{An insider insights into Conti operations – Part one}}, date = {2021-08-17}, organization = {Sekoia}, url = {https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-one}, language = {English}, urldate = {2021-09-06} } An insider insights into Conti operations – Part one
Cobalt Strike Conti
2021-08-17Medium michaelkoczwaraMichael Koczwara
@online{koczwara:20210817:cobalt:64689eb, author = {Michael Koczwara}, title = {{Cobalt Strike Hunting — DLL Hijacking/Attack Analysis}}, date = {2021-08-17}, organization = {Medium michaelkoczwara}, url = {https://michaelkoczwara.medium.com/cobalt-strike-hunting-dll-hijacking-attack-analysis-ffbf8fd66a4e}, language = {English}, urldate = {2021-09-09} } Cobalt Strike Hunting — DLL Hijacking/Attack Analysis
Cobalt Strike
2021-08-11Advanced IntelligenceVitali Kremez
@online{kremez:20210811:secret:5c5f06c, author = {Vitali Kremez}, title = {{Secret "Backdoor" Behind Conti Ransomware Operation: Introducing Atera Agent}}, date = {2021-08-11}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent}, language = {English}, urldate = {2021-08-31} } Secret "Backdoor" Behind Conti Ransomware Operation: Introducing Atera Agent
Cobalt Strike Conti
2021-08-10Bleeping ComputerSergiu Gatlan
@online{gatlan:20210810:crytek:59f98bc, author = {Sergiu Gatlan}, title = {{Crytek confirms Egregor ransomware attack, customer data theft}}, date = {2021-08-10}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/crytek-confirms-egregor-ransomware-attack-customer-data-theft/}, language = {English}, urldate = {2021-08-11} } Crytek confirms Egregor ransomware attack, customer data theft
Egregor Maze
2021-08-09IstroSecLadislav Bačo
@online{bao:20210809:cobalt:fc98da7, author = {Ladislav Bačo}, title = {{APT Cobalt Strike Campaign targeting Slovakia (DEF CON talk)}}, date = {2021-08-09}, organization = {IstroSec}, url = {https://www.istrosec.com/blog/apt-sk-cobalt/}, language = {English}, urldate = {2021-08-16} } APT Cobalt Strike Campaign targeting Slovakia (DEF CON talk)
Cobalt Strike
2021-08-05Red CanaryTony Lambert, Brian Donohue, Dan Cotton
@online{lambert:20210805:when:aeb7b10, author = {Tony Lambert and Brian Donohue and Dan Cotton}, title = {{When Dridex and Cobalt Strike give you Grief}}, date = {2021-08-05}, organization = {Red Canary}, url = {https://redcanary.com/blog/grief-ransomware/}, language = {English}, urldate = {2021-09-10} } When Dridex and Cobalt Strike give you Grief
Cobalt Strike DoppelDridex DoppelPaymer
2021-08-05SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20210805:detecting:235fe13, author = {Counter Threat Unit ResearchTeam}, title = {{Detecting Cobalt Strike: Government-Sponsored Threat Groups (APT32)}}, date = {2021-08-05}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/detecting-cobalt-strike-government-sponsored-threat-groups}, language = {English}, urldate = {2021-08-06} } Detecting Cobalt Strike: Government-Sponsored Threat Groups (APT32)
Cobalt Strike
2021-08-05KrebsOnSecurityBrian Krebs
@online{krebs:20210805:ransomware:0962b82, author = {Brian Krebs}, title = {{Ransomware Gangs and the Name Game Distraction}}, date = {2021-08-05}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/}, language = {English}, urldate = {2021-08-06} } Ransomware Gangs and the Name Game Distraction
DarkSide RansomEXX Babuk Cerber Conti DarkSide DoppelPaymer Egregor FriedEx Gandcrab Hermes Ransomware Maze RansomEXX REvil Ryuk Sekhmet
2021-08-04Sentinel LABSGal Kristal
@online{kristal:20210804:hotcobalt:136e715, author = {Gal Kristal}, title = {{Hotcobalt – New Cobalt Strike DoS Vulnerability That Lets You Halt Operations}}, date = {2021-08-04}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/hotcobalt-new-cobalt-strike-dos-vulnerability-that-lets-you-halt-operations/}, language = {English}, urldate = {2021-08-06} } Hotcobalt – New Cobalt Strike DoS Vulnerability That Lets You Halt Operations
Cobalt Strike
2021-08-04CrowdStrikeFalcon OverWatch Team, CrowdStrike Intelligence Team, CrowdStrike IR
@online{team:20210804:prophet:e6e6a99, author = {Falcon OverWatch Team and CrowdStrike Intelligence Team and CrowdStrike IR}, title = {{PROPHET SPIDER Exploits Oracle WebLogic to Facilitate Ransomware Activity}}, date = {2021-08-04}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/}, language = {English}, urldate = {2021-09-02} } PROPHET SPIDER Exploits Oracle WebLogic to Facilitate Ransomware Activity
Cobalt Strike Egregor Mount Locker
2021-08-04SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20210804:detecting:b379acb, author = {Counter Threat Unit ResearchTeam}, title = {{Detecting Cobalt Strike: Cybercrime Attacks (GOLD LAGOON)}}, date = {2021-08-04}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/detecting-cobalt-strike-cybercrime-attacks}, language = {English}, urldate = {2021-08-06} } Detecting Cobalt Strike: Cybercrime Attacks (GOLD LAGOON)
Cobalt Strike
2021-08-03CybereasonAssaf Dahan, Lior Rochberger, Daniel Frank, Tom Fakterman
@online{dahan:20210803:deadringer:908e8d5, author = {Assaf Dahan and Lior Rochberger and Daniel Frank and Tom Fakterman}, title = {{DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos}}, date = {2021-08-03}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos}, language = {English}, urldate = {2021-08-06} } DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos
CHINACHOPPER Cobalt Strike MimiKatz Nebulae
2021-08-02Youtube (Forschungsinstitut Cyber Defense)Alexander Rausch, Konstantin Klinger
@online{rausch:20210802:code:dee039d, author = {Alexander Rausch and Konstantin Klinger}, title = {{The CODE 2021: Workshop presentation and demonstration about CobaltStrike}}, date = {2021-08-02}, organization = {Youtube (Forschungsinstitut Cyber Defense)}, url = {https://www.youtube.com/watch?v=y65hmcLIWDY}, language = {English}, urldate = {2021-08-25} } The CODE 2021: Workshop presentation and demonstration about CobaltStrike
Cobalt Strike
2021-08-01The DFIR ReportThe DFIR Report
@online{report:20210801:bazarcall:bb6829b, author = {The DFIR Report}, title = {{BazarCall to Conti Ransomware via Trickbot and Cobalt Strike}}, date = {2021-08-01}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/}, language = {English}, urldate = {2021-08-02} } BazarCall to Conti Ransomware via Trickbot and Cobalt Strike
BazarBackdoor Cobalt Strike Conti TrickBot
2021-07-30Twitter (@Unit42_Intel)Unit 42
@online{42:20210730:bazarloader:43bdc2c, author = {Unit 42}, title = {{Tweet on BazarLoader infection leading to cobaltstrike and Powershell script file for PrintNightmare vulnerability}}, date = {2021-07-30}, organization = {Twitter (@Unit42_Intel)}, url = {https://twitter.com/Unit42_Intel/status/1421117403644186629?s=20}, language = {English}, urldate = {2021-08-02} } Tweet on BazarLoader infection leading to cobaltstrike and Powershell script file for PrintNightmare vulnerability
BazarBackdoor Cobalt Strike
2021-07-29MicrosoftMicrosoft 365 Defender Threat Intelligence Team
@online{team:20210729:bazacall:8d79cdf, author = {Microsoft 365 Defender Threat Intelligence Team}, title = {{BazaCall: Phony call centers lead to exfiltration and ransomware}}, date = {2021-07-29}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/}, language = {English}, urldate = {2021-08-02} } BazaCall: Phony call centers lead to exfiltration and ransomware
BazarBackdoor Cobalt Strike
2021-07-29Rasta MouseRasta Mouse
@online{mouse:20210729:ntlm:7f97289, author = {Rasta Mouse}, title = {{NTLM Relaying via Cobalt Strike}}, date = {2021-07-29}, organization = {Rasta Mouse}, url = {https://rastamouse.me/ntlm-relaying-via-cobalt-strike/}, language = {English}, urldate = {2021-07-29} } NTLM Relaying via Cobalt Strike
Cobalt Strike
2021-07-27BlackberryBlackBerry Research & Intelligence Team
@techreport{team:20210727:old:3060d53, author = {BlackBerry Research & Intelligence Team}, title = {{Old Dogs New Tricks: Attackers Adopt Exotic Programming Languages}}, date = {2021-07-27}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf}, language = {English}, urldate = {2021-07-27} } Old Dogs New Tricks: Attackers Adopt Exotic Programming Languages
elf.wellmess ElectroRAT BazarNimrod Buer Cobalt Strike Remcos Snake TeleBot WellMess Zebrocy
2021-07-25Medium svch0stsvch0st
@online{svch0st:20210725:guide:28267fd, author = {svch0st}, title = {{Guide to Named Pipes and Hunting for Cobalt Strike Pipes}}, date = {2021-07-25}, organization = {Medium svch0st}, url = {https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575}, language = {English}, urldate = {2021-08-02} } Guide to Named Pipes and Hunting for Cobalt Strike Pipes
Cobalt Strike
2021-07-22Medium michaelkoczwaraMichael Koczwara
@online{koczwara:20210722:cobalt:f102b02, author = {Michael Koczwara}, title = {{Cobalt Strike Hunting — simple PCAP and Beacon Analysis}}, date = {2021-07-22}, organization = {Medium michaelkoczwara}, url = {https://michaelkoczwara.medium.com/cobalt-strike-hunting-simple-pcap-and-beacon-analysis-f51c36ce6811}, language = {English}, urldate = {2021-07-22} } Cobalt Strike Hunting — simple PCAP and Beacon Analysis
Cobalt Strike
2021-07-19The DFIR ReportThe DFIR Report
@online{report:20210719:icedid:0365384, author = {The DFIR Report}, title = {{IcedID and Cobalt Strike vs Antivirus}}, date = {2021-07-19}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/}, language = {English}, urldate = {2021-07-20} } IcedID and Cobalt Strike vs Antivirus
Cobalt Strike IcedID
2021-07-16Twitter (@MBThreatIntel)Malwarebytes Threat Intelligence
@online{intelligence:20210716:magecart:3ba6f5b, author = {Malwarebytes Threat Intelligence}, title = {{Tweet on Magecart skimmer using steganography}}, date = {2021-07-16}, organization = {Twitter (@MBThreatIntel)}, url = {https://twitter.com/MBThreatIntel/status/1416101496022724609}, language = {English}, urldate = {2021-07-20} } Tweet on Magecart skimmer using steganography
magecart
2021-07-15Twitter (@AffableKraut)Eric Brandel
@online{brandel:20210715:another:384815e, author = {Eric Brandel}, title = {{Tweet on another digital skimmer/magecart script from the "q-logger" threat actor}}, date = {2021-07-15}, organization = {Twitter (@AffableKraut)}, url = {https://twitter.com/AffableKraut/status/1415425132080816133?s=20}, language = {English}, urldate = {2021-07-20} } Tweet on another digital skimmer/magecart script from the "q-logger" threat actor
magecart
2021-07-14MDSecChris Basnett
@online{basnett:20210714:investigating:585e2a1, author = {Chris Basnett}, title = {{Investigating a Suspicious Service}}, date = {2021-07-14}, organization = {MDSec}, url = {https://www.mdsec.co.uk/2021/07/investigating-a-suspicious-service/}, language = {English}, urldate = {2021-07-20} } Investigating a Suspicious Service
Cobalt Strike
2021-07-14KasperskyMark Lechtik, Paul Rascagnères, Aseel Kayal
@online{lechtik:20210714:luminousmoth:a5cf19d, author = {Mark Lechtik and Paul Rascagnères and Aseel Kayal}, title = {{LuminousMoth APT: Sweeping attacks for the chosen few}}, date = {2021-07-14}, organization = {Kaspersky}, url = {https://securelist.com/apt-luminousmoth/103332/}, language = {English}, urldate = {2021-07-20} } LuminousMoth APT: Sweeping attacks for the chosen few
Cobalt Strike
2021-07-14GoogleMaddie Stone, Clement Lecigne, Google Threat Analysis Group
@online{stone:20210714:how:38dfdc6, author = {Maddie Stone and Clement Lecigne and Google Threat Analysis Group}, title = {{How We Protect Users From 0-Day Attacks (CVE-2021-21166, CVE-2021-30551, CVE-2021-33742, CVE-2021-1879)}}, date = {2021-07-14}, organization = {Google}, url = {https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/}, language = {English}, urldate = {2021-07-26} } How We Protect Users From 0-Day Attacks (CVE-2021-21166, CVE-2021-30551, CVE-2021-33742, CVE-2021-1879)
Cobalt Strike
2021-07-13YouTube ( Matt Soseman)Matt Soseman
@online{soseman:20210713:solarwinds:cb7df1d, author = {Matt Soseman}, title = {{Solarwinds and SUNBURST attacks compromised my lab!}}, date = {2021-07-13}, organization = {YouTube ( Matt Soseman)}, url = {https://www.youtube.com/watch?v=GfbxHy6xnbA}, language = {English}, urldate = {2021-07-21} } Solarwinds and SUNBURST attacks compromised my lab!
Cobalt Strike Raindrop SUNBURST TEARDROP
2021-07-09InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20210709:hancitor:814e815, author = {Brad Duncan}, title = {{Hancitor tries XLL as initial malware file}}, date = {2021-07-09}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/27618}, language = {English}, urldate = {2021-07-19} } Hancitor tries XLL as initial malware file
Cobalt Strike Hancitor
2021-07-09The RecordCatalin Cimpanu
@online{cimpanu:20210709:ransomwhere:bd77fbe, author = {Catalin Cimpanu}, title = {{Ransomwhere project wants to create a database of past ransomware payments}}, date = {2021-07-09}, organization = {The Record}, url = {https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/}, language = {English}, urldate = {2021-07-20} } Ransomwhere project wants to create a database of past ransomware payments
Egregor Mailto Maze REvil
2021-07-08Avast DecodedThreat Intelligence Team
@online{team:20210708:decoding:04acb98, author = {Threat Intelligence Team}, title = {{Decoding Cobalt Strike: Understanding Payloads}}, date = {2021-07-08}, organization = {Avast Decoded}, url = {https://decoded.avast.io/threatintel/decoding-cobalt-strike-understanding-payloads/}, language = {English}, urldate = {2021-07-08} } Decoding Cobalt Strike: Understanding Payloads
Cobalt Strike Empire Downloader
2021-07-07SUCURIBen Martin
@online{martin:20210707:magecart:936a43d, author = {Ben Martin}, title = {{Magecart Swiper Uses Unorthodox Concatenation}}, date = {2021-07-07}, organization = {SUCURI}, url = {https://blog.sucuri.net/2021/07/magecart-swiper-uses-unorthodox-concatenation.html}, language = {English}, urldate = {2021-07-20} } Magecart Swiper Uses Unorthodox Concatenation
magecart
2021-07-07Trend MicroJoseph C Chen, Kenney Lu, Jaromír Hořejší, Gloria Chen
@online{chen:20210707:biopass:88dcdc2, author = {Joseph C Chen and Kenney Lu and Jaromír Hořejší and Gloria Chen}, title = {{BIOPASS RAT: New Malware Sniffs Victims via Live Streaming}}, date = {2021-07-07}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html}, language = {English}, urldate = {2021-07-19} } BIOPASS RAT: New Malware Sniffs Victims via Live Streaming
BIOPASS Cobalt Strike Derusbi
2021-07-07McAfeeMcAfee Labs
@techreport{labs:20210707:ryuk:ee88024, author = {McAfee Labs}, title = {{Ryuk Ransomware Now Targeting Webservers}}, date = {2021-07-07}, institution = {McAfee}, url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-ryuk-ransomware-targeting-webservers.pdf}, language = {English}, urldate = {2021-07-11} } Ryuk Ransomware Now Targeting Webservers
Cobalt Strike Ryuk
2021-07-07TrustwaveRodel Mendrez, Nikita Kazymirskyi
@online{mendrez:20210707:diving:1c04c81, author = {Rodel Mendrez and Nikita Kazymirskyi}, title = {{Diving Deeper Into the Kaseya VSA Attack: REvil Returns and Other Hackers Are Riding Their Coattails}}, date = {2021-07-07}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/}, language = {English}, urldate = {2021-07-09} } Diving Deeper Into the Kaseya VSA Attack: REvil Returns and Other Hackers Are Riding Their Coattails
Cobalt Strike REvil
2021-07-06Twitter (@MBThreatIntel)Malwarebytes Threat Intelligence
@online{intelligence:20210706:malspam:083ba5a, author = {Malwarebytes Threat Intelligence}, title = {{Tweet on a malspam campaign that is taking advantage of Kaseya VSA ransomware attack to drop CobaltStrike}}, date = {2021-07-06}, organization = {Twitter (@MBThreatIntel)}, url = {https://twitter.com/MBThreatIntel/status/1412518446013812737}, language = {English}, urldate = {2021-07-09} } Tweet on a malspam campaign that is taking advantage of Kaseya VSA ransomware attack to drop CobaltStrike
Cobalt Strike
2021-07-05Trend MicroAbraham Camba, Catherine Loveria, Ryan Maglaque, Buddy Tancio
@online{camba:20210705:tracking:6ae6ad5, author = {Abraham Camba and Catherine Loveria and Ryan Maglaque and Buddy Tancio}, title = {{Tracking Cobalt Strike: A Trend Micro Vision One Investigation}}, date = {2021-07-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/g/tracking_cobalt_strike_a_vision_one_investigation.html}, language = {English}, urldate = {2021-07-19} } Tracking Cobalt Strike: A Trend Micro Vision One Investigation
Cobalt Strike
2021-07-02MalwareBookReportsmuzi
@online{muzi:20210702:skip:09c3cd8, author = {muzi}, title = {{Skip the Middleman: Dridex Document to Cobalt Strike}}, date = {2021-07-02}, organization = {MalwareBookReports}, url = {https://malwarebookreports.com/cryptone-cobalt-strike/}, language = {English}, urldate = {2021-07-06} } Skip the Middleman: Dridex Document to Cobalt Strike
Cobalt Strike Dridex
2021-07-01The RecordCatalin Cimpanu
@online{cimpanu:20210701:mongolian:1fd57de, author = {Catalin Cimpanu}, title = {{Mongolian certificate authority hacked eight times, compromised with malware}}, date = {2021-07-01}, organization = {The Record}, url = {https://therecord.media/mongolian-certificate-authority-hacked-eight-times-compromised-with-malware/}, language = {English}, urldate = {2021-07-02} } Mongolian certificate authority hacked eight times, compromised with malware
Cobalt Strike
2021-07-01Avast DecodedLuigino Camastra, Igor Morgenstern, Jan Vojtěšek
@online{camastra:20210701:backdoored:6f26c16, author = {Luigino Camastra and Igor Morgenstern and Jan Vojtěšek}, title = {{Backdoored Client from Mongolian CA MonPass}}, date = {2021-07-01}, organization = {Avast Decoded}, url = {https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass/}, language = {English}, urldate = {2021-07-02} } Backdoored Client from Mongolian CA MonPass
Cobalt Strike
2021-07-01DomainToolsChad Anderson
@online{anderson:20210701:most:39f64b8, author = {Chad Anderson}, title = {{The Most Prolific Ransomware Families: A Defenders Guide}}, date = {2021-07-01}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide}, language = {English}, urldate = {2021-07-11} } The Most Prolific Ransomware Families: A Defenders Guide
REvil Conti Egregor Maze REvil
2021-06-30Group-IBOleg Skulkin
@online{skulkin:20210630:revil:63bb524, author = {Oleg Skulkin}, title = {{REvil Twins Deep Dive into Prolific RaaS Affiliates' TTPs}}, date = {2021-06-30}, organization = {Group-IB}, url = {https://blog.group-ib.com/REvil_RaaS}, language = {English}, urldate = {2021-07-02} } REvil Twins Deep Dive into Prolific RaaS Affiliates' TTPs
Cobalt Strike REvil
2021-06-29ProofpointSelena Larson, Daniel Blackford
@online{larson:20210629:cobalt:99ad5a0, author = {Selena Larson and Daniel Blackford}, title = {{Cobalt Strike: Favorite Tool from APT to Crimeware}}, date = {2021-06-29}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/cobalt-strike-favorite-tool-apt-crimeware}, language = {English}, urldate = {2021-06-29} } Cobalt Strike: Favorite Tool from APT to Crimeware
Cobalt Strike
2021-06-29AccentureAccenture Security
@online{security:20210629:hades:2d4c606, author = {Accenture Security}, title = {{HADES ransomware operators continue attacks}}, date = {2021-06-29}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/security/ransomware-hades}, language = {English}, urldate = {2021-07-01} } HADES ransomware operators continue attacks
Cobalt Strike Hades MimiKatz
2021-06-28MalwarebytesJérôme Segura
@online{segura:20210628:lil:e675ba5, author = {Jérôme Segura}, title = {{Lil' skimmer, the Magecart impersonator - Malwarebytes Labs}}, date = {2021-06-28}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2021/06/lil-skimmer-the-magecart-impersonator/}, language = {English}, urldate = {2021-07-09} } Lil' skimmer, the Magecart impersonator - Malwarebytes Labs
magecart
2021-06-28The DFIR ReportThe DFIR Report
@online{report:20210628:hancitor:b21cdd2, author = {The DFIR Report}, title = {{Hancitor Continues to Push Cobalt Strike}}, date = {2021-06-28}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/}, language = {English}, urldate = {2021-06-29} } Hancitor Continues to Push Cobalt Strike
Cobalt Strike Hancitor
2021-06-22CrowdStrikeThe Falcon Complete Team
@online{team:20210622:response:13a8ee6, author = {The Falcon Complete Team}, title = {{Response When Minutes Matter: Falcon Complete Disrupts WIZARD SPIDER eCrime Operators}}, date = {2021-06-22}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-falcon-complete-disrupts-ecrime-operators-wizard-spider/}, language = {English}, urldate = {2021-06-24} } Response When Minutes Matter: Falcon Complete Disrupts WIZARD SPIDER eCrime Operators
Cobalt Strike
2021-06-22Twitter (@Cryptolaemus1)Cryptolaemus, Kirk Sayre, dao ming si
@online{cryptolaemus:20210622:ta575:895ac37, author = {Cryptolaemus and Kirk Sayre and dao ming si}, title = {{Tweet on TA575, a Dridex affiliate delivering cobaltstrike (packed withe Cryptone) directly via the macro docs}}, date = {2021-06-22}, organization = {Twitter (@Cryptolaemus1)}, url = {https://twitter.com/Cryptolaemus1/status/1407135648528711680}, language = {English}, urldate = {2021-06-22} } Tweet on TA575, a Dridex affiliate delivering cobaltstrike (packed withe Cryptone) directly via the macro docs
Cobalt Strike Dridex
2021-06-20The DFIR ReportThe DFIR Report
@online{report:20210620:from:aadb7e8, author = {The DFIR Report}, title = {{From Word to Lateral Movement in 1 Hour}}, date = {2021-06-20}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/}, language = {English}, urldate = {2021-06-22} } From Word to Lateral Movement in 1 Hour
Cobalt Strike IcedID
2021-06-18SecurityScorecardRyan Sherstobitoff
@online{sherstobitoff:20210618:securityscorecard:0000641, author = {Ryan Sherstobitoff}, title = {{SecurityScorecard Finds USAID Hack Much Larger Than Initially Thought}}, date = {2021-06-18}, organization = {SecurityScorecard}, url = {https://securityscorecard.com/blog/securityscorecard-finds-usaid-hack-much-larger-than-initially-thought}, language = {English}, urldate = {2021-06-22} } SecurityScorecard Finds USAID Hack Much Larger Than Initially Thought
Cobalt Strike
2021-06-17Binary DefenseBrandon George
@online{george:20210617:analysis:6e4b8ac, author = {Brandon George}, title = {{Analysis of Hancitor – When Boring Begets Beacon}}, date = {2021-06-17}, organization = {Binary Defense}, url = {https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon}, language = {English}, urldate = {2021-06-22} } Analysis of Hancitor – When Boring Begets Beacon
Cobalt Strike Ficker Stealer Hancitor
2021-06-16ProofpointSelena Larson, Daniel Blackford, Garrett M. Graff
@online{larson:20210616:first:2e436a0, author = {Selena Larson and Daniel Blackford and Garrett M. Graff}, title = {{The First Step: Initial Access Leads to Ransomware}}, date = {2021-06-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware}, language = {English}, urldate = {2021-06-21} } The First Step: Initial Access Leads to Ransomware
BazarBackdoor Egregor IcedID Maze QakBot REvil Ryuk TrickBot WastedLocker
2021-06-16FireEyeTyler McLellan, Robert Dean, Justin Moore, Nick Harbour, Mike Hunhoff, Jared Wilson
@online{mclellan:20210616:smoking:fa6559d, author = {Tyler McLellan and Robert Dean and Justin Moore and Nick Harbour and Mike Hunhoff and Jared Wilson}, title = {{Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise}}, date = {2021-06-16}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html}, language = {English}, urldate = {2021-06-21} } Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise
Cobalt Strike FiveHands
2021-06-16Національної поліції УкраїниНаціональна поліція України
@online{:20210616:cyberpolice:f455d86, author = {Національна поліція України}, title = {{Cyberpolice exposes hacker group in spreading encryption virus and causing half a billion dollars in damage to foreign companies}}, date = {2021-06-16}, organization = {Національної поліції України}, url = {https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/}, language = {Ukrainian}, urldate = {2021-06-21} } Cyberpolice exposes hacker group in spreading encryption virus and causing half a billion dollars in damage to foreign companies
Clop Cobalt Strike FlawedAmmyy
2021-06-15SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20210615:hades:e1734d8, author = {Counter Threat Unit ResearchTeam}, title = {{Hades Ransomware Operators Use Distinctive Tactics and Infrastructure}}, date = {2021-06-15}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/hades-ransomware-operators-use-distinctive-tactics-and-infrastructure}, language = {English}, urldate = {2021-06-21} } Hades Ransomware Operators Use Distinctive Tactics and Infrastructure
Cobalt Strike Hades
2021-06-14scotthelme.co.ukScott Helme
@online{helme:20210614:introducing:67342bd, author = {Scott Helme}, title = {{Introducing Script Watch: Detect Magecart style attacks, fast!}}, date = {2021-06-14}, organization = {scotthelme.co.uk}, url = {https://scotthelme.co.uk/introducing-script-watch-detect-magecart-style-attacks-fast/?utm_source=dlvr.it&utm_medium=twitter}, language = {English}, urldate = {2021-06-21} } Introducing Script Watch: Detect Magecart style attacks, fast!
magecart
2021-06-12Twitter (@AltShiftPrtScn)Peter Mackenzie
@online{mackenzie:20210612:thread:eac742a, author = {Peter Mackenzie}, title = {{A thread on RagnarLocker ransomware group's TTP seen in an Incident Response}}, date = {2021-06-12}, organization = {Twitter (@AltShiftPrtScn)}, url = {https://twitter.com/AltShiftPrtScn/status/1403707430765273095}, language = {English}, urldate = {2021-06-21} } A thread on RagnarLocker ransomware group's TTP seen in an Incident Response
Cobalt Strike RagnarLocker
2021-06-10Group-IBNikita Rostovcev
@online{rostovcev:20210610:big:4d0a5f2, author = {Nikita Rostovcev}, title = {{Big airline heist APT41 likely behind massive supply chain attack}}, date = {2021-06-10}, organization = {Group-IB}, url = {https://blog.group-ib.com/colunmtk_apt41}, language = {English}, urldate = {2021-06-16} } Big airline heist APT41 likely behind massive supply chain attack
Cobalt Strike
2021-06-09Twitter (@RedDrip7)RedDrip7
@online{reddrip7:20210609:in:74f9bac, author = {RedDrip7}, title = {{Tweet on in the wild exploit of CVE-2021-26868 (according to @_clem1)}}, date = {2021-06-09}, organization = {Twitter (@RedDrip7)}, url = {https://twitter.com/RedDrip7/status/1402640362972147717?s=20}, language = {English}, urldate = {2021-06-21} } Tweet on in the wild exploit of CVE-2021-26868 (according to @_clem1)
Cobalt Strike
2021-06-09Twitter (@SecurityJoes)SecurityJoes
@online{securityjoes:20210609:net:13f2b90, author = {SecurityJoes}, title = {{Tweet on .NET builder of a Ryuk imposter malware}}, date = {2021-06-09}, organization = {Twitter (@SecurityJoes)}, url = {https://twitter.com/SecurityJoes/status/1402603695578157057}, language = {English}, urldate = {2021-06-16} } Tweet on .NET builder of a Ryuk imposter malware
Ryuk
2021-06-07Medium walmartglobaltechJoshua Platt, Jason Reaves
@online{platt:20210607:inside:6c363a7, author = {Joshua Platt and Jason Reaves}, title = {{Inside the SystemBC Malware-As-A-Service}}, date = {2021-06-07}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6}, language = {English}, urldate = {2021-06-08} } Inside the SystemBC Malware-As-A-Service
Ryuk SystemBC TrickBot
2021-06-04InkyRoger Kay
@online{kay:20210604:colonial:959c12f, author = {Roger Kay}, title = {{Colonial Pipeline Ransomware Hack Unleashes Flood of Related Phishing Attempts}}, date = {2021-06-04}, organization = {Inky}, url = {https://www.inky.com/blog/colonial-pipeline-ransomware-hack-unleashes-flood-of-related-phishing-attempts}, language = {English}, urldate = {2021-06-16} } Colonial Pipeline Ransomware Hack Unleashes Flood of Related Phishing Attempts
Cobalt Strike
2021-06-04Twitter (@alex_lanstein)Alex Lanstein
@online{lanstein:20210604:unc2652nobelium:460c6ab, author = {Alex Lanstein}, title = {{Tweet on UNC2652/NOBELIUM targeting IOS users exploiting CVE-​2021-1879}}, date = {2021-06-04}, organization = {Twitter (@alex_lanstein)}, url = {https://twitter.com/alex_lanstein/status/1399829754887524354}, language = {English}, urldate = {2021-07-26} } Tweet on UNC2652/NOBELIUM targeting IOS users exploiting CVE-​2021-1879
Cobalt Strike
2021-06-02Medium CyCraftCyCraft Technology Corp
@online{corp:20210602:chinalinked:487955f, author = {CyCraft Technology Corp}, title = {{China-Linked Threat Group Targets Taiwan Critical Infrastructure, Smokescreen Ransomware}}, date = {2021-06-02}, organization = {Medium CyCraft}, url = {https://medium.com/cycraft/china-linked-threat-group-targets-taiwan-critical-infrastructure-smokescreen-ransomware-c2a155aa53d5}, language = {English}, urldate = {2021-06-09} } China-Linked Threat Group Targets Taiwan Critical Infrastructure, Smokescreen Ransomware
Cobalt Strike ColdLock
2021-06-02SophosSean Gallagher
@online{gallagher:20210602:amsi:084d0ba, author = {Sean Gallagher}, title = {{AMSI bypasses remain tricks of the malware trade}}, date = {2021-06-02}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/}, language = {English}, urldate = {2021-06-09} } AMSI bypasses remain tricks of the malware trade
Agent Tesla Cobalt Strike Meterpreter
2021-06-01Department of JusticeOffice of Public Affairs
@online{affairs:20210601:justice:1ed9656, author = {Office of Public Affairs}, title = {{Justice Department Announces Court-Authorized Seizure of Domain Names Used in Furtherance of Spear-Phishing Campaign Posing as U.S. Agency for International Development}}, date = {2021-06-01}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-seizure-domain-names-used-furtherance-spear}, language = {English}, urldate = {2021-06-09} } Justice Department Announces Court-Authorized Seizure of Domain Names Used in Furtherance of Spear-Phishing Campaign Posing as U.S. Agency for International Development
Cobalt Strike
2021-06-01SANSKevin Haley, Jake Williams
@online{haley:20210601:contrarian:6aff18c, author = {Kevin Haley and Jake Williams}, title = {{A Contrarian View on SolarWinds}}, date = {2021-06-01}, organization = {SANS}, url = {https://www.sans.org/webcasts/contrarian-view-solarwinds-119515}, language = {English}, urldate = {2021-06-21} } A Contrarian View on SolarWinds
Cobalt Strike Raindrop SUNBURST TEARDROP
2021-06-01SentinelOneJuan Andrés Guerrero-Saade
@online{guerrerosaade:20210601:noblebaron:20dd227, author = {Juan Andrés Guerrero-Saade}, title = {{NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks}}, date = {2021-06-01}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/}, language = {English}, urldate = {2021-06-09} } NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks
Cobalt Strike
2021-06-01MicrosoftMicrosoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Threat Intelligence Team
@online{mstic:20210601:new:83aee4c, author = {Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Threat Intelligence Team}, title = {{New sophisticated email-based attack from NOBELIUM}}, date = {2021-06-01}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/}, language = {English}, urldate = {2021-06-09} } New sophisticated email-based attack from NOBELIUM
Cobalt Strike
2021-05-29Twitter (@elisalem9)Eli Salem
@online{salem:20210529:obfuscation:f1b68f3, author = {Eli Salem}, title = {{Tweet on obfuscation mechanism and extraction procedure of COBALTSTRIKE beacon module used by NOBELIUM/UNC2452}}, date = {2021-05-29}, organization = {Twitter (@elisalem9)}, url = {https://twitter.com/elisalem9/status/1398566939656601606}, language = {English}, urldate = {2021-08-02} } Tweet on obfuscation mechanism and extraction procedure of COBALTSTRIKE beacon module used by NOBELIUM/UNC2452
Cobalt Strike
2021-05-28CISAUS-CERT
@online{uscert:20210528:malware:0913332, author = {US-CERT}, title = {{Malware Analysis Report (AR21-148A): Cobalt Strike Beacon}}, date = {2021-05-28}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-148a}, language = {English}, urldate = {2021-07-19} } Malware Analysis Report (AR21-148A): Cobalt Strike Beacon
Cobalt Strike
2021-05-28CISAUS-CERT
@online{uscert:20210528:alert:be89c5f, author = {US-CERT}, title = {{Alert (AA21-148A): Sophisticated Spearphishing Campaign Targets Government Organizations, IGOs, and NGOs}}, date = {2021-05-28}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/alerts/aa21-148a}, language = {English}, urldate = {2021-07-27} } Alert (AA21-148A): Sophisticated Spearphishing Campaign Targets Government Organizations, IGOs, and NGOs
Cobalt Strike
2021-05-27VolexityDamien Cash, Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair, Thomas Lancaster
@online{cash:20210527:suspected:beb9dd9, author = {Damien Cash and Josh Grunzweig and Matthew Meltzer and Sean Koessel and Steven Adair and Thomas Lancaster}, title = {{Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns}}, date = {2021-05-27}, organization = {Volexity}, url = {https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/}, language = {English}, urldate = {2021-06-09} } Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns
Cobalt Strike
2021-05-26DeepInstinctRon Ben Yizhak
@online{yizhak:20210526:deep:c123a19, author = {Ron Ben Yizhak}, title = {{A Deep Dive into Packing Software CryptOne}}, date = {2021-05-26}, organization = {DeepInstinct}, url = {https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/}, language = {English}, urldate = {2021-06-22} } A Deep Dive into Packing Software CryptOne
Cobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader
2021-05-25Huntress LabsMatthew Brennan
@online{brennan:20210525:cobalt:c428be0, author = {Matthew Brennan}, title = {{Cobalt Strikes Again: An Analysis of Obfuscated Malware}}, date = {2021-05-25}, organization = {Huntress Labs}, url = {https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware}, language = {English}, urldate = {2021-06-09} } Cobalt Strikes Again: An Analysis of Obfuscated Malware
Cobalt Strike
2021-05-22Youtube (ACPEnw)YouTube (ACPEnw)
@online{acpenw:20210522:lessons:6747f56, author = {YouTube (ACPEnw)}, title = {{Lessons Learned from a Cyber Attack System Admin Perspective}}, date = {2021-05-22}, organization = {Youtube (ACPEnw)}, url = {https://www.youtube.com/watch?v=HwfRxjV2wok}, language = {English}, urldate = {2021-06-21} } Lessons Learned from a Cyber Attack System Admin Perspective
Ryuk
2021-05-21blackarrowPablo Ambite
@online{ambite:20210521:leveraging:55f56da, author = {Pablo Ambite}, title = {{Leveraging Microsoft Teams to persist and cover up Cobalt Strike traffic}}, date = {2021-05-21}, organization = {blackarrow}, url = {https://www.blackarrow.net/leveraging-microsoft-teams-to-persist-and-cover-up-cobalt-strike-traffic/}, language = {English}, urldate = {2021-06-22} } Leveraging Microsoft Teams to persist and cover up Cobalt Strike traffic
Cobalt Strike
2021-05-19Medium Mehmet ErgeneMehmet Ergene
@online{ergene:20210519:enterprise:f7fb481, author = {Mehmet Ergene}, title = {{Enterprise Scale Threat Hunting: Network Beacon Detection with Unsupervised ML and KQL — Part 2}}, date = {2021-05-19}, organization = {Medium Mehmet Ergene}, url = {https://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-ml-and-kql-part-2-bff46cfc1e7e}, language = {English}, urldate = {2021-05-26} } Enterprise Scale Threat Hunting: Network Beacon Detection with Unsupervised ML and KQL — Part 2
Cobalt Strike
2021-05-19Intel 471Intel 471
@online{471:20210519:look:5ba9516, author = {Intel 471}, title = {{Look how many cybercriminals love Cobalt Strike}}, date = {2021-05-19}, organization = {Intel 471}, url = {https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor}, language = {English}, urldate = {2021-05-19} } Look how many cybercriminals love Cobalt Strike
BazarBackdoor Cobalt Strike Hancitor QakBot SmokeLoader SystemBC TrickBot
2021-05-18The RecordCatalin Cimpanu
@online{cimpanu:20210518:darkside:14b6690, author = {Catalin Cimpanu}, title = {{Darkside gang estimated to have made over $90 million from ransomware attacks}}, date = {2021-05-18}, organization = {The Record}, url = {https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/}, language = {English}, urldate = {2021-05-19} } Darkside gang estimated to have made over $90 million from ransomware attacks
DarkSide DarkSide Mailto Maze REvil Ryuk
2021-05-18SophosJohn Shier, Mat Gangwer, Greg Iddon, Peter Mackenzie
@online{shier:20210518:active:f313ac5, author = {John Shier and Mat Gangwer and Greg Iddon and Peter Mackenzie}, title = {{The Active Adversary Playbook 2021}}, date = {2021-05-18}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/05/18/the-active-adversary-playbook-2021/?cmp=37153}, language = {English}, urldate = {2021-05-25} } The Active Adversary Playbook 2021
Cobalt Strike MimiKatz
2021-05-18Bleeping ComputerIonut Ilascu
@online{ilascu:20210518:darkside:d8e345b, author = {Ionut Ilascu}, title = {{DarkSide ransomware made $90 million in just nine months}}, date = {2021-05-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/}, language = {English}, urldate = {2021-06-07} } DarkSide ransomware made $90 million in just nine months
DarkSide DarkSide Egregor Gandcrab Mailto Maze REvil Ryuk
2021-05-17TalosBrad Garnett
@online{garnett:20210517:case:a8ef9cf, author = {Brad Garnett}, title = {{Case Study: Incident Response is a relationship-driven business}}, date = {2021-05-17}, organization = {Talos}, url = {https://blog.talosintelligence.com/2021/05/ctir-case-study.html}, language = {English}, urldate = {2021-05-25} } Case Study: Incident Response is a relationship-driven business
Cobalt Strike
2021-05-16NCSC IrelandNCSC Ireland
@techreport{ireland:20210516:ransomware:b091d9b, author = {NCSC Ireland}, title = {{Ransomware Attack on Health Sector - UPDATE 2021-05-16}}, date = {2021-05-16}, institution = {NCSC Ireland}, url = {https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf}, language = {English}, urldate = {2021-05-17} } Ransomware Attack on Health Sector - UPDATE 2021-05-16
Cobalt Strike Conti
2021-05-14Blue Team BlogAuth 0r
@online{0r:20210514:darkside:bf9c5bc, author = {Auth 0r}, title = {{DarkSide Ransomware Operations – Preventions and Detections.}}, date = {2021-05-14}, organization = {Blue Team Blog}, url = {https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections}, language = {English}, urldate = {2021-05-17} } DarkSide Ransomware Operations – Preventions and Detections.
Cobalt Strike DarkSide
2021-05-14GuidePoint SecurityDrew Schmitt
@online{schmitt:20210514:from:944b5f1, author = {Drew Schmitt}, title = {{From ZLoader to DarkSide: A Ransomware Story}}, date = {2021-05-14}, organization = {GuidePoint Security}, url = {https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/}, language = {English}, urldate = {2021-05-17} } From ZLoader to DarkSide: A Ransomware Story
DarkSide Cobalt Strike Zloader
2021-05-13MalwarebytesJérôme Segura
@online{segura:20210513:newly:396ce52, author = {Jérôme Segura}, title = {{Newly observed PHP-based skimmer shows ongoing Magecart Group 12 activity}}, date = {2021-05-13}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/}, language = {English}, urldate = {2021-05-17} } Newly observed PHP-based skimmer shows ongoing Magecart Group 12 activity
magecart
2021-05-13AWAKEKieran Evans
@online{evans:20210513:catching:eaa13e2, author = {Kieran Evans}, title = {{Catching the White Stork in Flight}}, date = {2021-05-13}, organization = {AWAKE}, url = {https://awakesecurity.com/blog/catching-the-white-stork-in-flight/}, language = {English}, urldate = {2021-09-19} } Catching the White Stork in Flight
Cobalt Strike MimiKatz RMS
2021-05-12Medium Mehmet ErgeneMehmet Ergene
@online{ergene:20210512:enterprise:09742df, author = {Mehmet Ergene}, title = {{Enterprise Scale Threat Hunting: Network Beacon Detection with Unsupervised ML and KQL — Part 1}}, date = {2021-05-12}, organization = {Medium Mehmet Ergene}, url = {https://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-machine-learning-and-277c4c30304f}, language = {English}, urldate = {2021-05-26} } Enterprise Scale Threat Hunting: Network Beacon Detection with Unsupervised ML and KQL — Part 1
Cobalt Strike
2021-05-12The DFIR Report
@online{report:20210512:conti:598c5f2, author = {The DFIR Report}, title = {{Conti Ransomware}}, date = {2021-05-12}, url = {https://thedfirreport.com/2021/05/12/conti-ransomware/}, language = {English}, urldate = {2021-05-13} } Conti Ransomware
Cobalt Strike Conti IcedID
2021-05-11Mal-Eatsmal_eats
@online{maleats:20210511:campo:0305ab9, author = {mal_eats}, title = {{Campo, a New Attack Campaign Targeting Japan}}, date = {2021-05-11}, organization = {Mal-Eats}, url = {https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/}, language = {English}, urldate = {2021-06-01} } Campo, a New Attack Campaign Targeting Japan
Anchor_DNS BazarBackdoor campoloader Cobalt Strike Phobos Snifula TrickBot Zloader
2021-05-11FireEyeJordan Nuce, Jeremy Kennelly, Kimberly Goody, Andrew Moore, Alyssa Rahman, Brendan McKeague, Jared Wilson
@online{nuce:20210511:shining:339d137, author = {Jordan Nuce and Jeremy Kennelly and Kimberly Goody and Andrew Moore and Alyssa Rahman and Brendan McKeague and Jared Wilson}, title = {{Shining a Light on DARKSIDE Ransomware Operations}}, date = {2021-05-11}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html}, language = {English}, urldate = {2021-05-13} } Shining a Light on DARKSIDE Ransomware Operations
Cobalt Strike DarkSide
2021-05-10ZERO.BSZEROBS
@online{zerobs:20210510:cobaltstrikebeacons:b7fee54, author = {ZEROBS}, title = {{Cobaltstrike-Beacons analyzed}}, date = {2021-05-10}, organization = {ZERO.BS}, url = {https://zero.bs/cobaltstrike-beacons-analyzed.html}, language = {English}, urldate = {2021-05-11} } Cobaltstrike-Beacons analyzed
Cobalt Strike
2021-05-10DarkTracerDarkTracer
@online{darktracer:20210510:intelligence:b9d1c3f, author = {DarkTracer}, title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}}, date = {2021-05-10}, organization = {DarkTracer}, url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3}, language = {English}, urldate = {2021-05-13} } Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-10Mal-Eatsmal_eats
@online{maleats:20210510:overview:50ff3b3, author = {mal_eats}, title = {{Overview of Campo, a new attack campaign targeting Japan}}, date = {2021-05-10}, organization = {Mal-Eats}, url = {https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/}, language = {English}, urldate = {2021-05-13} } Overview of Campo, a new attack campaign targeting Japan
Anchor_DNS BazarBackdoor Cobalt Strike ISFB Phobos TrickBot Zloader
2021-05-07TEAMT5Aragorn Tseng, Charles Li
@techreport{tseng:20210507:mem2img:494799d, author = {Aragorn Tseng and Charles Li}, title = {{Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network}}, date = {2021-05-07}, institution = {TEAMT5}, url = {https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf}, language = {English}, urldate = {2021-09-12} } Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network
Cobalt Strike PlugX Waterbear
2021-05-07Bleeping ComputerLawrence Abrams
@online{abrams:20210507:data:c674b2b, author = {Lawrence Abrams}, title = {{Data leak marketplaces aim to take over the extortion economy}}, date = {2021-05-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/data-leak-marketplaces-aim-to-take-over-the-extortion-economy/}, language = {English}, urldate = {2021-05-08} } Data leak marketplaces aim to take over the extortion economy
Babuk Maze
2021-05-07SophosLabs UncutRajesh Nataraj
@online{nataraj:20210507:new:79ec788, author = {Rajesh Nataraj}, title = {{New Lemon Duck variants exploiting Microsoft Exchange Server}}, date = {2021-05-07}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728}, language = {English}, urldate = {2021-05-11} } New Lemon Duck variants exploiting Microsoft Exchange Server
CHINACHOPPER Cobalt Strike
2021-05-07Cisco TalosCaitlin Huey, Andrew Windsor, Edmund Brumaghin
@online{huey:20210507:lemon:0d46f81, author = {Caitlin Huey and Andrew Windsor and Edmund Brumaghin}, title = {{Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs}}, date = {2021-05-07}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html}, language = {English}, urldate = {2021-05-11} } Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs
CHINACHOPPER Cobalt Strike
2021-05-07Medium svch0stsvch0st
@online{svch0st:20210507:stats:11919e5, author = {svch0st}, title = {{Stats from Hunting Cobalt Strike Beacons}}, date = {2021-05-07}, organization = {Medium svch0st}, url = {https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b}, language = {English}, urldate = {2021-05-08} } Stats from Hunting Cobalt Strike Beacons
Cobalt Strike
2021-05-06Cyborg SecurityBrandon Denker
@online{denker:20210506:ransomware:a1f31df, author = {Brandon Denker}, title = {{Ransomware: Hunting for Inhibiting System Backup or Recovery}}, date = {2021-05-06}, organization = {Cyborg Security}, url = {https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/}, language = {English}, urldate = {2021-05-08} } Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX
2021-05-06Trend MicroArianne Dela Cruz, Cris Tomboc, Jayson Chong, Nikki Madayag, Sean Torre
@online{cruz:20210506:proxylogon:4920ee4, author = {Arianne Dela Cruz and Cris Tomboc and Jayson Chong and Nikki Madayag and Sean Torre}, title = {{Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party}}, date = {2021-05-06}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html}, language = {English}, urldate = {2021-05-11} } Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party
Prometei BlackKingdom Ransomware CHINACHOPPER Cobalt Strike
2021-05-06Sophos LabsTilly Travers, Bill Kearney, Kyle Link, Peter Mackenzie, Matthew Sharf
@online{travers:20210506:mtr:1f2feb4, author = {Tilly Travers and Bill Kearney and Kyle Link and Peter Mackenzie and Matthew Sharf}, title = {{MTR in Real Time: Pirates pave way for Ryuk ransomware}}, date = {2021-05-06}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2021/05/06/mtr-in-real-time-pirates-pave-way-for-ryuk-ransomware/}, language = {English}, urldate = {2021-05-13} } MTR in Real Time: Pirates pave way for Ryuk ransomware
Ryuk
2021-05-05TRUESECMattias Wåhlén
@online{whln:20210505:are:61bb8a0, author = {Mattias Wåhlén}, title = {{Are The Notorious Cyber Criminals Evil Corp actually Russian Spies?}}, date = {2021-05-05}, organization = {TRUESEC}, url = {https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/}, language = {English}, urldate = {2021-05-08} } Are The Notorious Cyber Criminals Evil Corp actually Russian Spies?
Cobalt Strike Hades WastedLocker
2021-05-05SophosLabs UncutAndrew Brandt, Peter Mackenzie, Vikas Singh, Gabor Szappanos
@online{brandt:20210505:intervention:f548dee, author = {Andrew Brandt and Peter Mackenzie and Vikas Singh and Gabor Szappanos}, title = {{Intervention halts a ProxyLogon-enabled attack}}, date = {2021-05-05}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/05/05/intervention-halts-a-proxylogon-enabled-attack}, language = {English}, urldate = {2021-05-07} } Intervention halts a ProxyLogon-enabled attack
Cobalt Strike
2021-05-04Medium sergiusechelSergiu Sechel
@online{sechel:20210504:improving:ce4da6d, author = {Sergiu Sechel}, title = {{Improving the network-based detection of Cobalt Strike C2 servers in the wild while reducing the risk of false positives}}, date = {2021-05-04}, organization = {Medium sergiusechel}, url = {https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468}, language = {English}, urldate = {2021-05-04} } Improving the network-based detection of Cobalt Strike C2 servers in the wild while reducing the risk of false positives
Cobalt Strike
2021-05-02The DFIR ReportThe DFIR Report
@online{report:20210502:trickbot:242b786, author = {The DFIR Report}, title = {{Trickbot Brief: Creds and Beacons}}, date = {2021-05-02}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/}, language = {English}, urldate = {2021-05-04} } Trickbot Brief: Creds and Beacons
Cobalt Strike TrickBot
2021-04-29NTTThreat Detection NTT Ltd.
@techreport{ltd:20210429:operations:a7ad0d4, author = {Threat Detection NTT Ltd.}, title = {{The Operations of Winnti group}}, date = {2021-04-29}, institution = {NTT}, url = {https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf}, language = {English}, urldate = {2021-08-09} } The Operations of Winnti group
Cobalt Strike ShadowPad Spyder Winnti
2021-04-27Trend MicroJanus Agcaoili, Earle Earnshaw
@online{agcaoili:20210427:legitimate:b293526, author = {Janus Agcaoili and Earle Earnshaw}, title = {{Legitimate Tools Weaponized for Ransomware in 2021}}, date = {2021-04-27}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021}, language = {English}, urldate = {2021-05-03} } Legitimate Tools Weaponized for Ransomware in 2021
Cobalt Strike MimiKatz
2021-04-27Trend MicroJanus Agcaoili
@online{agcaoili:20210427:hello:b3c5de5, author = {Janus Agcaoili}, title = {{Hello Ransomware Uses Updated China Chopper Web Shell, SharePoint Vulnerability}}, date = {2021-04-27}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/d/hello-ransomware-uses-updated-china-chopper-web-shell-sharepoint-vulnerability.html}, language = {English}, urldate = {2021-04-29} } Hello Ransomware Uses Updated China Chopper Web Shell, SharePoint Vulnerability
CHINACHOPPER Cobalt Strike
2021-04-27CrowdStrikeJosh Dalman, Kamil Janton, Eben Kaplan
@online{dalman:20210427:ransomware:8242ac5, author = {Josh Dalman and Kamil Janton and Eben Kaplan}, title = {{Ransomware Preparedness: A Call to Action}}, date = {2021-04-27}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/}, language = {English}, urldate = {2021-05-31} } Ransomware Preparedness: A Call to Action
Dharma GlobeImposter Maze Phobos CIRCUS SPIDER TRAVELING SPIDER
2021-04-26getrevueTwitter (@80vul)
@online{80vul:20210426:hunting:e8be278, author = {Twitter (@80vul)}, title = {{Hunting Cobalt Strike DNS redirectors by using ZoomEye}}, date = {2021-04-26}, organization = {getrevue}, url = {https://www.getrevue.co/profile/80vul/issues/hunting-cobalt-strike-dns-redirectors-by-using-zoomeye-580734}, language = {English}, urldate = {2021-04-29} } Hunting Cobalt Strike DNS redirectors by using ZoomEye
Cobalt Strike
2021-04-26CoveWareCoveWare
@online{coveware:20210426:ransomware:12586d5, author = {CoveWare}, title = {{Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound}}, date = {2021-04-26}, organization = {CoveWare}, url = {https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound}, language = {English}, urldate = {2021-05-13} } Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound
Avaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt
2021-04-26nvisoMaxime Thiebaut
@online{thiebaut:20210426:anatomy:0ade0a5, author = {Maxime Thiebaut}, title = {{Anatomy of Cobalt Strike’s DLL Stager}}, date = {2021-04-26}, organization = {nviso}, url = {https://blog.nviso.eu/2021/04/26/anatomy-of-cobalt-strike-dll-stagers/}, language = {English}, urldate = {2021-04-29} } Anatomy of Cobalt Strike’s DLL Stager
Cobalt Strike
2021-04-24Non-offensive securityNon-offensive security team
@online{team:20210424:detect:4fab11a, author = {Non-offensive security team}, title = {{Detect Cobalt Strike server through DNS protocol}}, date = {2021-04-24}, organization = {Non-offensive security}, url = {https://mp.weixin.qq.com/s/peIpPJLt4NuJI1a31S_qbQ}, language = {Chinese}, urldate = {2021-04-29} } Detect Cobalt Strike server through DNS protocol
Cobalt Strike
2021-04-23Twitter (@vikas891)Vikas Singh
@online{singh:20210423:doppel:1bfd6da, author = {Vikas Singh}, title = {{Tweet on DOPPEL SPIDER using Intensive/Multiple Injected Cobalt Strike Beacons with varied polling intervals}}, date = {2021-04-23}, organization = {Twitter (@vikas891)}, url = {https://twitter.com/vikas891/status/1385306823662587905}, language = {English}, urldate = {2021-05-25} } Tweet on DOPPEL SPIDER using Intensive/Multiple Injected Cobalt Strike Beacons with varied polling intervals
Cobalt Strike DoppelPaymer
2021-04-22Twitter (@AffableKraut)Eric Brandel
@online{brandel:20210422:thread:edbfa14, author = {Eric Brandel}, title = {{A thread on possibly new magecart skimmer}}, date = {2021-04-22}, organization = {Twitter (@AffableKraut)}, url = {https://twitter.com/AffableKraut/status/1385030485676544001}, language = {English}, urldate = {2021-04-28} } A thread on possibly new magecart skimmer
magecart
2021-04-22Twitter (@AltShiftPrtScn)Peter Mackenzie
@online{mackenzie:20210422:twwet:62355c6, author = {Peter Mackenzie}, title = {{Twwet On TTPs seen in IR used by DOPPEL SPIDER}}, date = {2021-04-22}, organization = {Twitter (@AltShiftPrtScn)}, url = {https://twitter.com/AltShiftPrtScn/status/1385103712918642688}, language = {English}, urldate = {2021-05-25} } Twwet On TTPs seen in IR used by DOPPEL SPIDER
Cobalt Strike DoppelPaymer
2021-04-21SophosLabs UncutSean Gallagher, Suriya Natarajan, Anand Aijan, Michael Wood, Sivagnanam Gn, Markel Picado, Andrew Brandt
@online{gallagher:20210421:nearly:53964a7, author = {Sean Gallagher and Suriya Natarajan and Anand Aijan and Michael Wood and Sivagnanam Gn and Markel Picado and Andrew Brandt}, title = {{Nearly half of malware now use TLS to conceal communications}}, date = {2021-04-21}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/}, language = {English}, urldate = {2021-04-28} } Nearly half of malware now use TLS to conceal communications
Agent Tesla Cobalt Strike Dridex SystemBC
2021-04-20Medium walmartglobaltechJason Reaves
@online{reaves:20210420:cobaltstrike:d18d4c4, author = {Jason Reaves}, title = {{CobaltStrike Stager Utilizing Floating Point Math}}, date = {2021-04-20}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/cobaltstrike-stager-utilizing-floating-point-math-9bc13f9b9718}, language = {English}, urldate = {2021-04-20} } CobaltStrike Stager Utilizing Floating Point Math
Cobalt Strike
2021-04-19NetresecErik Hjelmvik
@online{hjelmvik:20210419:analysing:c6bff49, author = {Erik Hjelmvik}, title = {{Analysing a malware PCAP with IcedID and Cobalt Strike traffic}}, date = {2021-04-19}, organization = {Netresec}, url = {https://netresec.com/?b=214d7ff}, language = {English}, urldate = {2021-04-20} } Analysing a malware PCAP with IcedID and Cobalt Strike traffic
Cobalt Strike IcedID
2021-04-18YouTube (dist67)Didier Stevens
@online{stevens:20210418:decoding:18e5319, author = {Didier Stevens}, title = {{Decoding Cobalt Strike Traffic}}, date = {2021-04-18}, organization = {YouTube (dist67)}, url = {https://www.youtube.com/watch?v=ysN-MqyIN7M}, language = {English}, urldate = {2021-04-20} } Decoding Cobalt Strike Traffic
Cobalt Strike
2021-04-17Advanced IntelligenceVitali Kremez, Al Calleo, Yelisey Boguslavskiy
@online{kremez:20210417:adversary:197fcfa, author = {Vitali Kremez and Al Calleo and Yelisey Boguslavskiy}, title = {{Adversary Dossier: Ryuk Ransomware Anatomy of an Attack in 2021}}, date = {2021-04-17}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/adversary-dossier-ryuk-ransomware-anatomy-of-an-attack-in-2021}, language = {English}, urldate = {2021-04-19} } Adversary Dossier: Ryuk Ransomware Anatomy of an Attack in 2021
Ryuk
2021-04-14InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20210414:april:4a29cb5, author = {Brad Duncan}, title = {{April 2021 Forensic Quiz: Answers and Analysis}}, date = {2021-04-14}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/27308}, language = {English}, urldate = {2021-04-14} } April 2021 Forensic Quiz: Answers and Analysis
Anchor BazarBackdoor Cobalt Strike
2021-04-09F-SecureRiccardo Ancarani, Giulio Ginesi
@online{ancarani:20210409:detecting:01d28ed, author = {Riccardo Ancarani and Giulio Ginesi}, title = {{Detecting Exposed Cobalt Strike DNS Redirectors}}, date = {2021-04-09}, organization = {F-Secure}, url = {https://labs.f-secure.com/blog/detecting-exposed-cobalt-strike-dns-redirectors}, language = {English}, urldate = {2021-04-14} } Detecting Exposed Cobalt Strike DNS Redirectors
Cobalt Strike
2021-04-07ANALYST1Jon DiMaggio
@techreport{dimaggio:20210407:ransom:a543eac, author = {Jon DiMaggio}, title = {{Ransom Mafia Analysis of the World's First Ransomware Cartel}}, date = {2021-04-07}, institution = {ANALYST1}, url = {https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf}, language = {English}, urldate = {2021-04-09} } Ransom Mafia Analysis of the World's First Ransomware Cartel
Conti Egregor LockBit Maze RagnarLocker Ryuk SunCrypt TA2101 VIKING SPIDER
2021-04-07ANALYST1Jon DiMaggio
@online{dimaggio:20210407:ransom:a109d6f, author = {Jon DiMaggio}, title = {{Ransom Mafia - Analysis of the World's First Ransomware Cartel}}, date = {2021-04-07}, organization = {ANALYST1}, url = {https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel}, language = {English}, urldate = {2021-06-01} } Ransom Mafia - Analysis of the World's First Ransomware Cartel
Conti Egregor LockBit Maze RagnarLocker SunCrypt VIKING SPIDER
2021-04-07Medium sixdubJustin Warner
@online{warner:20210407:using:a7d19fd, author = {Justin Warner}, title = {{Using Kaitai Struct to Parse Cobalt Strike Beacon Configs}}, date = {2021-04-07}, organization = {Medium sixdub}, url = {https://sixdub.medium.com/using-kaitai-to-parse-cobalt-strike-beacon-configs-f5f0552d5a6e}, language = {English}, urldate = {2021-04-09} } Using Kaitai Struct to Parse Cobalt Strike Beacon Configs
Cobalt Strike
2021-04-05Medium walmartglobaltechJason Reaves, Joshua Platt
@online{reaves:20210405:trickbot:a6b0592, author = {Jason Reaves and Joshua Platt}, title = {{TrickBot Crews New CobaltStrike Loader}}, date = {2021-04-05}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c}, language = {English}, urldate = {2021-04-06} } TrickBot Crews New CobaltStrike Loader
Cobalt Strike TrickBot
2021-04-05eSentireeSentire
@online{esentire:20210405:hackers:d45f86f, author = {eSentire}, title = {{Hackers Spearphish Professionals on LinkedIn with Fake Job Offers, Infecting them with Malware, Warns eSentire}}, date = {2021-04-05}, organization = {eSentire}, url = {https://www.esentire.com/security-advisories/hackers-spearphish-professionals-on-linkedin-with-fake-job-offers-infecting-them-with-malware-warns-esentire}, language = {English}, urldate = {2021-04-06} } Hackers Spearphish Professionals on LinkedIn with Fake Job Offers, Infecting them with Malware, Warns eSentire
More_eggs
2021-04-01DomainToolsJoe Slowik
@online{slowik:20210401:covid19:6a96e45, author = {Joe Slowik}, title = {{COVID-19 Phishing With a Side of Cobalt Strike}}, date = {2021-04-01}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/covid-19-phishing-with-a-side-of-cobalt-strike#}, language = {English}, urldate = {2021-04-06} } COVID-19 Phishing With a Side of Cobalt Strike
Cobalt Strike
2021-04-01Palo Alto Networks Unit 42Brad Duncan
@online{duncan:20210401:hancitors:8876ca1, author = {Brad Duncan}, title = {{Hancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool}}, date = {2021-04-01}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/}, language = {English}, urldate = {2021-04-06} } Hancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool
Cobalt Strike Hancitor
2021-03-31Red CanaryRed Canary
@techreport{canary:20210331:2021:cd81f2d, author = {Red Canary}, title = {{2021 Threat Detection Report}}, date = {2021-03-31}, institution = {Red Canary}, url = {https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf}, language = {English}, urldate = {2021-04-06} } 2021 Threat Detection Report
Shlayer Andromeda Cobalt Strike Dridex Emotet IcedID MimiKatz QakBot TrickBot
2021-03-30GuidePoint SecurityDrew Schmitt
@online{schmitt:20210330:yet:9855592, author = {Drew Schmitt}, title = {{Yet Another Cobalt Strike Stager: GUID Edition}}, date = {2021-03-30}, organization = {GuidePoint Security}, url = {https://www.guidepointsecurity.com/yet-another-cobalt-strike-loader-guid-edition/}, language = {English}, urldate = {2021-04-06} } Yet Another Cobalt Strike Stager: GUID Edition
Cobalt Strike
2021-03-29The DFIR ReportThe DFIR Report
@online{report:20210329:sodinokibi:4c63e20, author = {The DFIR Report}, title = {{Sodinokibi (aka REvil) Ransomware}}, date = {2021-03-29}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/}, language = {English}, urldate = {2021-03-30} } Sodinokibi (aka REvil) Ransomware
Cobalt Strike IcedID REvil
2021-03-21YouTube (dist67)Didier Stevens
@online{stevens:20210321:finding:92a9a4d, author = {Didier Stevens}, title = {{Finding Metasploit & Cobalt Strike URLs}}, date = {2021-03-21}, organization = {YouTube (dist67)}, url = {https://www.youtube.com/watch?v=WW0_TgWT2gs}, language = {English}, urldate = {2021-03-25} } Finding Metasploit & Cobalt Strike URLs
Cobalt Strike
2021-03-21BlackberryBlackberry Research
@techreport{research:20210321:2021:a393473, author = {Blackberry Research}, title = {{2021 Threat Report}}, date = {2021-03-21}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf}, language = {English}, urldate = {2021-03-25} } 2021 Threat Report
Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot
2021-03-18DeepInstinctBen Gross
@online{gross:20210318:cobalt:5392fb0, author = {Ben Gross}, title = {{Cobalt Strike – Post-Exploitation Attackers Toolkit}}, date = {2021-03-18}, organization = {DeepInstinct}, url = {https://www.deepinstinct.com/2021/03/18/cobalt-strike-post-exploitation-attackers-toolkit/}, language = {English}, urldate = {2021-06-22} } Cobalt Strike – Post-Exploitation Attackers Toolkit
Cobalt Strike
2021-03-18PRODAFT Threat IntelligencePRODAFT
@techreport{prodaft:20210318:silverfish:f203208, author = {PRODAFT}, title = {{SilverFish GroupThreat Actor Report}}, date = {2021-03-18}, institution = {PRODAFT Threat Intelligence}, url = {https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf}, language = {English}, urldate = {2021-04-06} } SilverFish GroupThreat Actor Report
Cobalt Strike Dridex Koadic
2021-03-17Palo Alto Networks Unit 42Unit42
@techreport{unit42:20210317:ransomware:504cc32, author = {Unit42}, title = {{Ransomware Threat Report 2021}}, date = {2021-03-17}, institution = {Palo Alto Networks Unit 42}, url = {https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf}, language = {English}, urldate = {2021-03-19} } Ransomware Threat Report 2021
RansomEXX Dharma DoppelPaymer Gandcrab Mailto Maze Phobos RansomEXX REvil Ryuk WastedLocker
2021-03-16McAfeeMcAfee ATR
@techreport{atr:20210316:technical:8c4909a, author = {McAfee ATR}, title = {{Technical Analysis of Operation Diànxùn}}, date = {2021-03-16}, institution = {McAfee}, url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf}, language = {English}, urldate = {2021-03-22} } Technical Analysis of Operation Diànxùn
Cobalt Strike
2021-03-16ElasticJoe Desimone
@online{desimone:20210316:detecting:4091130, author = {Joe Desimone}, title = {{Detecting Cobalt Strike with memory signatures}}, date = {2021-03-16}, organization = {Elastic}, url = {https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures}, language = {English}, urldate = {2021-03-22} } Detecting Cobalt Strike with memory signatures
Cobalt Strike
2021-03-11Cyborg SecurityJosh Campbell
@online{campbell:20210311:you:7bd2342, author = {Josh Campbell}, title = {{You Don't Know the HAFNIUM of it...}}, date = {2021-03-11}, organization = {Cyborg Security}, url = {https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/}, language = {English}, urldate = {2021-03-16} } You Don't Know the HAFNIUM of it...
CHINACHOPPER Cobalt Strike PowerCat
2021-03-11QuriumQurium
@online{qurium:20210311:myanmar:7bfc8ce, author = {Qurium}, title = {{Myanmar – Multi-stage malware attack targets elected lawmakers}}, date = {2021-03-11}, organization = {Qurium}, url = {https://www.qurium.org/alerts/targeted-malware-against-crph/}, language = {English}, urldate = {2021-06-21} } Myanmar – Multi-stage malware attack targets elected lawmakers
Cobalt Strike
2021-03-10ProofpointDennis Schwarz, Matthew Mesa, Proofpoint Threat Research Team
@online{schwarz:20210310:nimzaloader:f6960d4, author = {Dennis Schwarz and Matthew Mesa and Proofpoint Threat Research Team}, title = {{NimzaLoader: TA800’s New Initial Access Malware}}, date = {2021-03-10}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware}, language = {English}, urldate = {2021-03-12} } NimzaLoader: TA800’s New Initial Access Malware
BazarNimrod Cobalt Strike
2021-03-09splunkSecurity Research Team
@online{team:20210309:cloud:4deeb78, author = {Security Research Team}, title = {{Cloud Federated Credential Abuse & Cobalt Strike: Threat Research February 2021}}, date = {2021-03-09}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/cloud-federated-credential-abuse-cobalt-strike-threat-research-feb-2021.html}, language = {English}, urldate = {2021-03-11} } Cloud Federated Credential Abuse & Cobalt Strike: Threat Research February 2021
Cobalt Strike
2021-03-08The DFIR ReportThe DFIR Report
@online{report:20210308:bazar:ba050d7, author = {The DFIR Report}, title = {{Bazar Drops the Anchor}}, date = {2021-03-08}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/}, language = {English}, urldate = {2021-03-10} } Bazar Drops the Anchor
Anchor BazarBackdoor Cobalt Strike
2021-03-08Youtube (SANS Digital Forensics and Incident Response)Katie Nickels, Adam Pennington, Jen Burns
@online{nickels:20210308:star:083eb29, author = {Katie Nickels and Adam Pennington and Jen Burns}, title = {{STAR Webcast: Making sense of SolarWinds through the lens of MITRE ATT&CK(R)}}, date = {2021-03-08}, organization = {Youtube (SANS Digital Forensics and Incident Response)}, url = {https://www.youtube.com/watch?v=LA-XE5Jy2kU}, language = {English}, urldate = {2021-03-11} } STAR Webcast: Making sense of SolarWinds through the lens of MITRE ATT&CK(R)
Cobalt Strike SUNBURST TEARDROP
2021-03-07InfoSec Handlers Diary BlogDidier Stevens
@online{stevens:20210307:pcaps:980212d, author = {Didier Stevens}, title = {{PCAPs and Beacons}}, date = {2021-03-07}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/27176}, language = {English}, urldate = {2021-03-11} } PCAPs and Beacons
Cobalt Strike
2021-03-04NCC GroupOllie Whitehouse
@online{whitehouse:20210304:deception:7435450, author = {Ollie Whitehouse}, title = {{Deception Engineering: exploring the use of Windows Service Canaries against ransomware}}, date = {2021-03-04}, organization = {NCC Group}, url = {https://research.nccgroup.com/2021/03/04/deception-engineering-exploring-the-use-of-windows-service-canaries-against-ransomware/}, language = {English}, urldate = {2021-03-11} } Deception Engineering: exploring the use of Windows Service Canaries against ransomware
Ryuk
2021-03-02CERT-FRCERT-FR
@online{certfr:20210302:egregor:f0da4ec, author = {CERT-FR}, title = {{The Egregor Ransomware}}, date = {2021-03-02}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-007/}, language = {English}, urldate = {2021-06-29} } The Egregor Ransomware
Egregor Maze Sekhmet
2021-03CCN-CERTCCN-CERT
@online{ccncert:202103:informe:1628d52, author = {CCN-CERT}, title = {{Informe Código DañinoCCN-CERT ID-03/21: RyukRansomware}}, date = {2021-03}, organization = {CCN-CERT}, url = {https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/5768-ccn-cert-id-03-21-ryuk-ransomware/file.html}, language = {Spanish}, urldate = {2021-03-19} } Informe Código DañinoCCN-CERT ID-03/21: RyukRansomware
Ryuk
2021-03Group-IBOleg Skulkin, Roman Rezvukhin, Semyon Rogachev
@techreport{skulkin:202103:ransomware:992ca10, author = {Oleg Skulkin and Roman Rezvukhin and Semyon Rogachev}, title = {{Ransomware Uncovered 2020/2021}}, date = {2021-03}, institution = {Group-IB}, url = {https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf}, language = {English}, urldate = {2021-06-16} } Ransomware Uncovered 2020/2021
RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader
2021-03-01Medium walmartglobaltechJoshua Platt, Jason Reaves
@online{platt:20210301:nimar:c26af08, author = {Joshua Platt and Jason Reaves}, title = {{Nimar Loader}}, date = {2021-03-01}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e}, language = {English}, urldate = {2021-03-04} } Nimar Loader
BazarBackdoor BazarNimrod Cobalt Strike
2021-03-01Medium walmartglobaltechJoshua Platt, Jason Reaves
@online{platt:20210301:investigation:a7851d5, author = {Joshua Platt and Jason Reaves}, title = {{Investigation into the state of Nim malware}}, date = {2021-03-01}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811}, language = {English}, urldate = {2021-03-04} } Investigation into the state of Nim malware
BazarNimrod Cobalt Strike
2021-03-01YouTube ( Malware_Analyzing_&_RE_Tips_Tricks)Jiří Vinopal
@online{vinopal:20210301:ryuk:333699d, author = {Jiří Vinopal}, title = {{Ryuk Ransomware - Advanced using of Scylla for Imports reconstruction}}, date = {2021-03-01}, organization = {YouTube ( Malware_Analyzing_&_RE_Tips_Tricks)}, url = {https://www.youtube.com/watch?v=Of_KjNG9DHc}, language = {English}, urldate = {2021-03-02} } Ryuk Ransomware - Advanced using of Scylla for Imports reconstruction
Ryuk
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2021-02-274rchibld4rchibld
@online{4rchibld:20210227:nice:e7960f8, author = {4rchibld}, title = {{Nice to meet you, too. My name is Ryuk.}}, date = {2021-02-27}, organization = {4rchibld}, url = {https://4rchib4ld.github.io/blog/NiceToMeetYouRyuk/}, language = {English}, urldate = {2021-05-11} } Nice to meet you, too. My name is Ryuk.
Ryuk
2021-02-26CrowdStrikeEric Loui, Sergei Frankoff
@online{loui:20210226:hypervisor:8dadf9c, author = {Eric Loui and Sergei Frankoff}, title = {{Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact}}, date = {2021-02-26}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout}, language = {English}, urldate = {2021-05-26} } Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
DarkSide RansomEXX Griffon Carbanak Cobalt Strike DarkSide IcedID MimiKatz PyXie RansomEXX REvil
2021-02-25ANSSICERT-FR
@techreport{certfr:20210225:ryuk:7895e12, author = {CERT-FR}, title = {{Ryuk Ransomware}}, date = {2021-02-25}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf}, language = {English}, urldate = {2021-03-02} } Ryuk Ransomware
BazarBackdoor Buer Conti Emotet Ryuk TrickBot
2021-02-25FireEyeBryce Abdo, Brendan McKeague, Van Ta
@online{abdo:20210225:so:88f3400, author = {Bryce Abdo and Brendan McKeague and Van Ta}, title = {{So Unchill: Melting UNC2198 ICEDID to Ransomware Operations}}, date = {2021-02-25}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html}, language = {English}, urldate = {2021-03-02} } So Unchill: Melting UNC2198 ICEDID to Ransomware Operations
MOUSEISLAND Cobalt Strike Egregor IcedID Maze SystemBC
2021-02-24Github (AmnestyTech)Amnesty International
@online{international:20210224:overview:95b80e0, author = {Amnesty International}, title = {{Overview of Ocean Lotus Samples used to target Vietnamese Human Rights Defenders}}, date = {2021-02-24}, organization = {Github (AmnestyTech)}, url = {https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam}, language = {English}, urldate = {2021-02-25} } Overview of Ocean Lotus Samples used to target Vietnamese Human Rights Defenders
OceanLotus Cobalt Strike KerrDown
2021-02-24VMWare Carbon BlackTakahiro Haruyama
@techreport{haruyama:20210224:knock:f4903a2, author = {Takahiro Haruyama}, title = {{Knock, knock, Neo. - Active C2 Discovery Using Protocol Emulation}}, date = {2021-02-24}, institution = {VMWare Carbon Black}, url = {https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_201_haruyama_jp.pdf}, language = {Japanese}, urldate = {2021-02-26} } Knock, knock, Neo. - Active C2 Discovery Using Protocol Emulation
Cobalt Strike
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-22YouTube ( Malware_Analyzing_&_RE_Tips_Tricks)Jiří Vinopal
@online{vinopal:20210222:ryuk:e9c5fb4, author = {Jiří Vinopal}, title = {{Ryuk Ransomware API Resolving in 10 minutes}}, date = {2021-02-22}, organization = {YouTube ( Malware_Analyzing_&_RE_Tips_Tricks)}, url = {https://www.youtube.com/watch?v=7xxRunBP5XA}, language = {English}, urldate = {2021-02-25} } Ryuk Ransomware API Resolving in 10 minutes
Ryuk
2021-02-16ProofpointProofpoint Threat Research Team
@online{team:20210216:q4:4a82474, author = {Proofpoint Threat Research Team}, title = {{Q4 2020 Threat Report: A Quarterly Analysis of Cybersecurity Trends, Tactics and Themes}}, date = {2021-02-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/q4-2020-threat-report-quarterly-analysis-cybersecurity-trends-tactics-and-themes}, language = {English}, urldate = {2021-05-31} } Q4 2020 Threat Report: A Quarterly Analysis of Cybersecurity Trends, Tactics and Themes
Emotet Ryuk NARWHAL SPIDER
2021-02-11Twitter (@TheDFIRReport)The DFIR Report
@online{report:20210211:hancitor:9fa527e, author = {The DFIR Report}, title = {{Tweet on Hancitor Activity followed by cobaltsrike beacon}}, date = {2021-02-11}, organization = {Twitter (@TheDFIRReport)}, url = {https://twitter.com/TheDFIRReport/status/1359669513520873473}, language = {English}, urldate = {2021-02-18} } Tweet on Hancitor Activity followed by cobaltsrike beacon
Cobalt Strike Hancitor
2021-02-11CTI LEAGUECTI LEAGUE
@techreport{league:20210211:ctil:69c2ab8, author = {CTI LEAGUE}, title = {{CTIL Darknet Report – 2021}}, date = {2021-02-11}, institution = {CTI LEAGUE}, url = {https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf}, language = {English}, urldate = {2021-02-20} } CTIL Darknet Report – 2021
Conti Mailto Maze REvil Ryuk
2021-02-09Cobalt StrikeRaphael Mudge
@online{mudge:20210209:learn:c08b657, author = {Raphael Mudge}, title = {{Learn Pipe Fitting for all of your Offense Projects}}, date = {2021-02-09}, organization = {Cobalt Strike}, url = {https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/}, language = {English}, urldate = {2021-02-10} } Learn Pipe Fitting for all of your Offense Projects
Cobalt Strike
2021-02-09SecurehatSecurehat
@online{securehat:20210209:extracting:0f4ae2f, author = {Securehat}, title = {{Extracting the Cobalt Strike Config from a TEARDROP Loader}}, date = {2021-02-09}, organization = {Securehat}, url = {https://blog.securehat.co.uk/malware-analysis/extracting-the-cobalt-strike-config-from-a-teardrop-loader}, language = {English}, urldate = {2021-02-10} } Extracting the Cobalt Strike Config from a TEARDROP Loader
Cobalt Strike TEARDROP
2021-02-04ChainanalysisChainalysis Team
@online{team:20210204:blockchain:4e63b2f, author = {Chainalysis Team}, title = {{Blockchain Analysis Shows Connections Between Four of 2020’s Biggest Ransomware Strains}}, date = {2021-02-04}, organization = {Chainanalysis}, url = {https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer}, language = {English}, urldate = {2021-02-06} } Blockchain Analysis Shows Connections Between Four of 2020’s Biggest Ransomware Strains
DoppelPaymer Egregor Maze SunCrypt
2021-02-04ClearSkyClearSky Research Team
@techreport{team:20210204:conti:27cb3a2, author = {ClearSky Research Team}, title = {{CONTI Modus Operandi and Bitcoin Tracking}}, date = {2021-02-04}, institution = {ClearSky}, url = {https://www.clearskysec.com/wp-content/uploads/2021/02/Conti-Ransomware.pdf}, language = {English}, urldate = {2021-02-06} } CONTI Modus Operandi and Bitcoin Tracking
Conti Ryuk
2021-02-03InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20210203:excel:8e949c9, author = {Brad Duncan}, title = {{Excel spreadsheets push SystemBC malware}}, date = {2021-02-03}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/}, language = {English}, urldate = {2021-02-04} } Excel spreadsheets push SystemBC malware
Cobalt Strike SystemBC
2021-02-02Committee to Protect JournalistsMadeline Earp
@online{earp:20210202:how:923f969, author = {Madeline Earp}, title = {{How Vietnam-based hacking operation OceanLotus targets journalists}}, date = {2021-02-02}, organization = {Committee to Protect Journalists}, url = {https://cpj.org/2021/02/vietnam-based-hacking-oceanlotus-targets-journalists}, language = {English}, urldate = {2021-02-04} } How Vietnam-based hacking operation OceanLotus targets journalists
Cobalt Strike
2021-02-02CRONUPGermán Fernández
@online{fernndez:20210202:de:6ff4f3a, author = {Germán Fernández}, title = {{De ataque con Malware a incidente de Ransomware}}, date = {2021-02-02}, organization = {CRONUP}, url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware}, language = {Spanish}, urldate = {2021-03-02} } De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2021-02-02Twitter (@TheDFIRReport)The DFIR Report
@online{report:20210202:recent:5272ed0, author = {The DFIR Report}, title = {{Tweet on recent dridex post infection activity}}, date = {2021-02-02}, organization = {Twitter (@TheDFIRReport)}, url = {https://twitter.com/TheDFIRReport/status/1356729371931860992}, language = {English}, urldate = {2021-02-04} } Tweet on recent dridex post infection activity
Cobalt Strike Dridex
2021-02-01Twitter (@IntelAdvanced)Advanced Intelligence
@online{intelligence:20210201:active:0a4f59f, author = {Advanced Intelligence}, title = {{Tweet on Active Directory Exploitation by RYUK "one" group}}, date = {2021-02-01}, organization = {Twitter (@IntelAdvanced)}, url = {https://twitter.com/IntelAdvanced/status/1356114606780002308}, language = {English}, urldate = {2021-02-04} } Tweet on Active Directory Exploitation by RYUK "one" group
Ryuk
2021-02-01AhnLabASEC Analysis Team
@online{team:20210201:bluecrab:df21c0a, author = {ASEC Analysis Team}, title = {{BlueCrab ransomware, CobaltStrike hacking tool installed in corporate environment}}, date = {2021-02-01}, organization = {AhnLab}, url = {https://asec.ahnlab.com/ko/19860/}, language = {English}, urldate = {2021-02-06} } BlueCrab ransomware, CobaltStrike hacking tool installed in corporate environment
Cobalt Strike REvil
2021-02-01pkb1s.github.ioPetros Koutroumpis
@online{koutroumpis:20210201:relay:596413f, author = {Petros Koutroumpis}, title = {{Relay Attacks via Cobalt Strike Beacons}}, date = {2021-02-01}, organization = {pkb1s.github.io}, url = {https://pkb1s.github.io/Relay-attacks-via-Cobalt-Strike-beacons/}, language = {English}, urldate = {2021-02-04} } Relay Attacks via Cobalt Strike Beacons
Cobalt Strike
2021-01-31The DFIR ReportThe DFIR Report
@online{report:20210131:bazar:c3b3859, author = {The DFIR Report}, title = {{Bazar, No Ryuk?}}, date = {2021-01-31}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/01/31/bazar-no-ryuk/}, language = {English}, urldate = {2021-02-02} } Bazar, No Ryuk?
BazarBackdoor Cobalt Strike Ryuk
2021-01-28TrustedSecAdam Chester
@online{chester:20210128:tailoring:d3f973c, author = {Adam Chester}, title = {{Tailoring Cobalt Strike on Target}}, date = {2021-01-28}, organization = {TrustedSec}, url = {https://www.trustedsec.com/blog/tailoring-cobalt-strike-on-target/}, language = {English}, urldate = {2021-01-29} } Tailoring Cobalt Strike on Target
Cobalt Strike
2021-01-28Huntress LabsJohn Hammond
@techreport{hammond:20210128:analyzing:2f8dae2, author = {John Hammond}, title = {{Analyzing Ryuk Another Link in the Cyber Attack Chain}}, date = {2021-01-28}, institution = {Huntress Labs}, url = {https://storage.pardot.com/652283/16118467480sqebwq7/MSP_Security_Summit___John_Hammond_Huntress___Analyzing_Ryuk.pdf}, language = {English}, urldate = {2021-01-29} } Analyzing Ryuk Another Link in the Cyber Attack Chain
BazarBackdoor Ryuk
2021-01-28AhnLabASEC Analysis Team
@online{team:20210128:bluecrab:44d2e64, author = {ASEC Analysis Team}, title = {{BlueCrab ransomware constantly trying to bypass detection}}, date = {2021-01-28}, organization = {AhnLab}, url = {https://asec.ahnlab.com/ko/19640/}, language = {Korean}, urldate = {2021-02-04} } BlueCrab ransomware constantly trying to bypass detection
Cobalt Strike REvil
2021-01-26Twitter (@swisscom_csirt)Swisscom CSIRT
@online{csirt:20210126:cring:f12c487, author = {Swisscom CSIRT}, title = {{Tweet on Cring Ransomware groups using customized Mimikatz sample followed by CobaltStrike and dropping Cring rasomware}}, date = {2021-01-26}, organization = {Twitter (@swisscom_csirt)}, url = {https://twitter.com/swisscom_csirt/status/1354052879158571008}, language = {English}, urldate = {2021-01-27} } Tweet on Cring Ransomware groups using customized Mimikatz sample followed by CobaltStrike and dropping Cring rasomware
Cobalt Strike Cring MimiKatz
2021-01-25Twitter (@IntelAdvanced)Advanced Intelligence
@online{intelligence:20210125:ryuk:25a96a7, author = {Advanced Intelligence}, title = {{Tweet on Ryuk Ransomware group's post exploitation tactics including usage of Keethief tool}}, date = {2021-01-25}, organization = {Twitter (@IntelAdvanced)}, url = {https://twitter.com/IntelAdvanced/status/1353546534676258816}, language = {English}, urldate = {2021-01-25} } Tweet on Ryuk Ransomware group's post exploitation tactics including usage of Keethief tool
Ryuk
2021-01-20MicrosoftMicrosoft 365 Defender Research Team, Microsoft Threat Intelligence Center (MSTIC), Microsoft Cyber Defense Operations Center (CDOC)
@online{team:20210120:deep:1cc0551, author = {Microsoft 365 Defender Research Team and Microsoft Threat Intelligence Center (MSTIC) and Microsoft Cyber Defense Operations Center (CDOC)}, title = {{Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop}}, date = {2021-01-20}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/}, language = {English}, urldate = {2021-01-21} } Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop
Cobalt Strike SUNBURST TEARDROP
2021-01-18SymantecThreat Hunter Team
@online{team:20210118:raindrop:9ab1262, author = {Threat Hunter Team}, title = {{Raindrop: New Malware Discovered in SolarWinds Investigation}}, date = {2021-01-18}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware}, language = {English}, urldate = {2021-01-21} } Raindrop: New Malware Discovered in SolarWinds Investigation
Cobalt Strike Raindrop SUNBURST TEARDROP
2021-01-17Twitter (@AltShiftPrtScn)Peter Mackenzie
@online{mackenzie:20210117:conti:db7f1cb, author = {Peter Mackenzie}, title = {{Tweet on Conti Ransomware group exploiting FortiGate VPNs to drop in CobaltStrike loaders}}, date = {2021-01-17}, organization = {Twitter (@AltShiftPrtScn)}, url = {https://twitter.com/AltShiftPrtScn/status/1350755169965924352}, language = {English}, urldate = {2021-01-21} } Tweet on Conti Ransomware group exploiting FortiGate VPNs to drop in CobaltStrike loaders
Cobalt Strike Conti
2021-01-15Medium DansecDan Lussier
@online{lussier:20210115:detecting:fecd6c3, author = {Dan Lussier}, title = {{Detecting Malicious C2 Activity -SpawnAs & SMB Lateral Movement in CobaltStrike}}, date = {2021-01-15}, organization = {Medium Dansec}, url = {https://dansec.medium.com/detecting-malicious-c2-activity-spawnas-smb-lateral-movement-in-cobaltstrike-9d518e68b64}, language = {English}, urldate = {2021-01-21} } Detecting Malicious C2 Activity -SpawnAs & SMB Lateral Movement in CobaltStrike
Cobalt Strike
2021-01-14RiskIQJordan Herman
@online{herman:20210114:medialand:3f603bd, author = {Jordan Herman}, title = {{MediaLand: Magecart and Bulletproof Hosting}}, date = {2021-01-14}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/5bea32aa}, language = {English}, urldate = {2021-01-21} } MediaLand: Magecart and Bulletproof Hosting
magecart
2021-01-14RiskIQTeam RiskIQ
@online{riskiq:20210114:new:29f2c96, author = {Team RiskIQ}, title = {{New Analysis Puts Magecart Interconnectivity into Focus}}, date = {2021-01-14}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/magecart-medialand/}, language = {English}, urldate = {2021-01-18} } New Analysis Puts Magecart Interconnectivity into Focus
grelos magecart Raccoon
2021-01-14PTSecurityPT ESC Threat Intelligence
@online{intelligence:20210114:higaisa:4676ec7, author = {PT ESC Threat Intelligence}, title = {{Higaisa or Winnti? APT41 backdoors, old and new}}, date = {2021-01-14}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/}, language = {English}, urldate = {2021-02-09} } Higaisa or Winnti? APT41 backdoors, old and new
Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad
2021-01-12BrightTALK (FireEye)Ben Read, John Hultquist
@online{read:20210112:unc2452:6e54c6c, author = {Ben Read and John Hultquist}, title = {{UNC2452: What We Know So Far}}, date = {2021-01-12}, organization = {BrightTALK (FireEye)}, url = {https://www.brighttalk.com/webcast/7451/462719}, language = {English}, urldate = {2021-01-18} } UNC2452: What We Know So Far
Cobalt Strike SUNBURST TEARDROP
2021-01-12Fox-ITWouter Jansen
@online{jansen:20210112:abusing:c38eeb6, author = {Wouter Jansen}, title = {{Abusing cloud services to fly under the radar}}, date = {2021-01-12}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/}, language = {English}, urldate = {2021-01-18} } Abusing cloud services to fly under the radar
Cobalt Strike
2021-01-11The DFIR ReportThe DFIR Report
@online{report:20210111:trickbot:d1011f9, author = {The DFIR Report}, title = {{Trickbot Still Alive and Well}}, date = {2021-01-11}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/}, language = {English}, urldate = {2021-01-11} } Trickbot Still Alive and Well
Cobalt Strike TrickBot
2021-01-11SolarWindsSudhakar Ramakrishna
@online{ramakrishna:20210111:new:296b621, author = {Sudhakar Ramakrishna}, title = {{New Findings From Our Investigation of SUNBURST}}, date = {2021-01-11}, organization = {SolarWinds}, url = {https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/}, language = {English}, urldate = {2021-01-18} } New Findings From Our Investigation of SUNBURST
Cobalt Strike SUNBURST TEARDROP
2021-01-10Medium walmartglobaltechJason Reaves
@online{reaves:20210110:man1:54a4162, author = {Jason Reaves}, title = {{MAN1, Moskal, Hancitor and a side of Ransomware}}, date = {2021-01-10}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618}, language = {English}, urldate = {2021-01-11} } MAN1, Moskal, Hancitor and a side of Ransomware
Cobalt Strike Hancitor SendSafe VegaLocker
2021-01-09Marco Ramilli's BlogMarco Ramilli
@online{ramilli:20210109:command:d720b27, author = {Marco Ramilli}, title = {{Command and Control Traffic Patterns}}, date = {2021-01-09}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/}, language = {English}, urldate = {2021-05-17} } Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot
2021-01-09Connor McGarr's BlogConnor McGarr
@online{mcgarr:20210109:malware:dde1353, author = {Connor McGarr}, title = {{Malware Development: Leveraging Beacon Object Files for Remote Process Injection via Thread Hijacking}}, date = {2021-01-09}, organization = {Connor McGarr's Blog}, url = {https://connormcgarr.github.io/thread-hijacking/}, language = {English}, urldate = {2021-01-11} } Malware Development: Leveraging Beacon Object Files for Remote Process Injection via Thread Hijacking
Cobalt Strike
2021-01-07Recorded FutureInsikt Group®
@techreport{group:20210107:aversary:9771829, author = {Insikt Group®}, title = {{Aversary Infrastructure Report 2020: A Defender's View}}, date = {2021-01-07}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf}, language = {English}, urldate = {2021-01-11} } Aversary Infrastructure Report 2020: A Defender's View
Octopus pupy Cobalt Strike Empire Downloader Meterpreter PoshC2
2021-01-07Advanced IntelligenceVitali Kremez, Brian Carter, HYAS
@online{kremez:20210107:crime:4c6f5c3, author = {Vitali Kremez and Brian Carter and HYAS}, title = {{Crime Laundering Primer: Inside Ryuk Crime (Crypto) Ledger & Risky Asian Crypto Traders}}, date = {2021-01-07}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/crime-laundering-primer-inside-ryuk-crime-crypto-ledger-risky-asian-crypto-traders}, language = {English}, urldate = {2021-01-11} } Crime Laundering Primer: Inside Ryuk Crime (Crypto) Ledger & Risky Asian Crypto Traders
Ryuk
2021-01-06Red CanaryTony Lambert
@online{lambert:20210106:hunting:272410b, author = {Tony Lambert}, title = {{Hunting for GetSystem in offensive security tools}}, date = {2021-01-06}, organization = {Red Canary}, url = {https://redcanary.com/blog/getsystem-offsec/}, language = {English}, urldate = {2021-01-11} } Hunting for GetSystem in offensive security tools
Cobalt Strike Empire Downloader Meterpreter PoshC2
2021-01-05Trend MicroTrend Micro Research
@online{research:20210105:earth:d7bb547, author = {Trend Micro Research}, title = {{Earth Wendigo Injects JavaScript Backdoor to Service Worker for Mailbox Exfiltration}}, date = {2021-01-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html}, language = {English}, urldate = {2021-01-10} } Earth Wendigo Injects JavaScript Backdoor to Service Worker for Mailbox Exfiltration
Cobalt Strike
2021-01-04Medium haggis-mMichael Haag
@online{haag:20210104:malleable:ab64356, author = {Michael Haag}, title = {{Malleable C2 Profiles and You}}, date = {2021-01-04}, organization = {Medium haggis-m}, url = {https://haggis-m.medium.com/malleable-c2-profiles-and-you-7c7ab43e7929}, language = {English}, urldate = {2021-01-05} } Malleable C2 Profiles and You
Cobalt Strike
2021SecureworksSecureWorks
@online{secureworks:2021:threat:7e8aa73, author = {SecureWorks}, title = {{Threat Profile: GOLD VILLAGE}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-village}, language = {English}, urldate = {2021-05-31} } Threat Profile: GOLD VILLAGE
Maze TA2101
2021TalosTalos Incident Response
@techreport{response:2021:evicting:c795470, author = {Talos Incident Response}, title = {{Evicting Maze}}, date = {2021}, institution = {Talos}, url = {https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/543/original/CTIR_casestudy_1.pdf}, language = {English}, urldate = {2021-05-26} } Evicting Maze
Cobalt Strike Maze
2021TalosTalos Incident Response
@techreport{response:2021:cobalt:f4412fa, author = {Talos Incident Response}, title = {{Cobalt Strikes Out}}, date = {2021}, institution = {Talos}, url = {https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/542/original/CTIR_casestudy_2.pdf}, language = {English}, urldate = {2021-05-26} } Cobalt Strikes Out
Cobalt Strike
2021SecureWorks
@online{secureworks:2021:threat:dbd7ed7, author = {SecureWorks}, title = {{Threat Profile: GOLD DRAKE}}, date = {2021}, url = {http://www.secureworks.com/research/threat-profiles/gold-drake}, language = {English}, urldate = {2021-05-28} } Threat Profile: GOLD DRAKE
Cobalt Strike Dridex FriedEx Koadic MimiKatz WastedLocker Evil Corp
2021SecureworksSecureWorks
@online{secureworks:2021:threat:c0ba914, author = {SecureWorks}, title = {{Threat Profile: GOLD FRANKLIN}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-franklin}, language = {English}, urldate = {2021-05-31} } Threat Profile: GOLD FRANKLIN
Grateful POS Meterpreter MimiKatz RemCom FIN6
2021SecureworksSecureWorks
@online{secureworks:2021:threat:bce1d06, author = {SecureWorks}, title = {{Threat Profile: GOLD WINTER}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-winter}, language = {English}, urldate = {2021-05-31} } Threat Profile: GOLD WINTER
Cobalt Strike Hades Meterpreter GOLD WINTER
2021SecureworksSecureWorks
@online{secureworks:2021:threat:45f61e0, author = {SecureWorks}, title = {{Threat Profile: GOLD WATERFALL}}, date = {2021}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-waterfall}, language = {English}, urldate = {2021-05-31} } Threat Profile: GOLD WATERFALL
Cobalt Strike DarkSide GOLD WATERFALL
2020-12-280xC0DECAFEThomas Barabosch
@online{barabosch:20201228:never:f7e93aa, author = {Thomas Barabosch}, title = {{Never upload ransomware samples to the Internet}}, date = {2020-12-28}, organization = {0xC0DECAFE}, url = {https://0xc0decafe.com/2020/12/28/never-upload-ransomware-samples-to-the-internet/}, language = {English}, urldate = {2021-01-01} } Never upload ransomware samples to the Internet
Ryuk
2020-12-26Medium grimminckStefan Grimminck
@online{grimminck:20201226:spoofing:a0a5622, author = {Stefan Grimminck}, title = {{Spoofing JARM signatures. I am the Cobalt Strike server now!}}, date = {2020-12-26}, organization = {Medium grimminck}, url = {https://grimminck.medium.com/spoofing-jarm-signatures-i-am-the-cobalt-strike-server-now-a27bd549fc6b}, language = {English}, urldate = {2021-01-01} } Spoofing JARM signatures. I am the Cobalt Strike server now!
Cobalt Strike
2020-12-22TRUESECMattias Wåhlén
@online{whln:20201222:collaboration:5d2ad28, author = {Mattias Wåhlén}, title = {{Collaboration between FIN7 and the RYUK group, a Truesec Investigation}}, date = {2020-12-22}, organization = {TRUESEC}, url = {https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/}, language = {English}, urldate = {2021-01-01} } Collaboration between FIN7 and the RYUK group, a Truesec Investigation
Carbanak Cobalt Strike Ryuk
2020-12-21FortinetUdi Yavo
@online{yavo:20201221:what:716b31d, author = {Udi Yavo}, title = {{What We Have Learned So Far about the “Sunburst”/SolarWinds Hack}}, date = {2020-12-21}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack}, language = {English}, urldate = {2021-01-18} } What We Have Learned So Far about the “Sunburst”/SolarWinds Hack
Cobalt Strike SUNBURST TEARDROP
2020-12-21IronNetAdam Hlavek, Kimberly Ortiz
@online{hlavek:20201221:russian:804662f, author = {Adam Hlavek and Kimberly Ortiz}, title = {{Russian cyber attack campaigns and actors}}, date = {2020-12-21}, organization = {IronNet}, url = {https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors}, language = {English}, urldate = {2021-01-05} } Russian cyber attack campaigns and actors
WellMail elf.wellmess Agent.BTZ BlackEnergy EternalPetya Havex RAT Industroyer Ryuk Triton WellMess
2020-12-20RandhomeEtienne Maynier
@online{maynier:20201220:analyzing:3e15960, author = {Etienne Maynier}, title = {{Analyzing Cobalt Strike for Fun and Profit}}, date = {2020-12-20}, organization = {Randhome}, url = {https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/}, language = {English}, urldate = {2020-12-23} } Analyzing Cobalt Strike for Fun and Profit
Cobalt Strike
2020-12-16RiskIQMia Ihm, Cory Kennedy, Jordan Herman
@online{ihm:20201216:skimming:608e648, author = {Mia Ihm and Cory Kennedy and Jordan Herman}, title = {{Skimming a Little Off the Top: Meyhod’s Skimming Methods Hit Hairloss Specialists}}, date = {2020-12-16}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/14924d61}, language = {English}, urldate = {2020-12-17} } Skimming a Little Off the Top: Meyhod’s Skimming Methods Hit Hairloss Specialists
magecart
2020-12-16AccenturePaul Mansfield
@online{mansfield:20201216:tracking:25540bd, author = {Paul Mansfield}, title = {{Tracking and combatting an evolving danger: Ransomware extortion}}, date = {2020-12-16}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion}, language = {English}, urldate = {2020-12-17} } Tracking and combatting an evolving danger: Ransomware extortion
DarkSide Egregor Maze Nefilim RagnarLocker REvil Ryuk SunCrypt
2020-12-15Github (sophos-cybersecurity)Sophos Cyber Security Team
@online{team:20201215:solarwindsthreathunt:4357421, author = {Sophos Cyber Security Team}, title = {{solarwinds-threathunt}}, date = {2020-12-15}, organization = {Github (sophos-cybersecurity)}, url = {https://github.com/sophos-cybersecurity/solarwinds-threathunt}, language = {English}, urldate = {2020-12-15} } solarwinds-threathunt
Cobalt Strike SUNBURST
2020-12-15PICUS SecuritySüleyman Özarslan
@online{zarslan:20201215:tactics:bba1b4f, author = {Süleyman Özarslan}, title = {{Tactics, Techniques, and Procedures (TTPs) Used in the SolarWinds Breach}}, date = {2020-12-15}, organization = {PICUS Security}, url = {https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach}, language = {English}, urldate = {2020-12-17} } Tactics, Techniques, and Procedures (TTPs) Used in the SolarWinds Breach
Cobalt Strike SUNBURST
2020-12-14Palo Alto Networks Unit 42Unit 42
@online{42:20201214:threat:032b92d, author = {Unit 42}, title = {{Threat Brief: SolarStorm and SUNBURST Customer Coverage}}, date = {2020-12-14}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/}, language = {English}, urldate = {2020-12-15} } Threat Brief: SolarStorm and SUNBURST Customer Coverage
Cobalt Strike SUNBURST
2020-12-14Medium Killbitkillbit
@online{killbit:20201214:applying:75d0dde, author = {killbit}, title = {{Applying the Diamond Model to Cognizant (MSP) vs. Maze Ransomware}}, date = {2020-12-14}, organization = {Medium Killbit}, url = {https://killbit.medium.com/applying-the-diamond-model-to-cognizant-msp-and-maze-ransomware-and-a-policy-assessment-498f01bd723f}, language = {English}, urldate = {2020-12-17} } Applying the Diamond Model to Cognizant (MSP) vs. Maze Ransomware
Maze
2020-12-11BlackberryBlackBerry Research and Intelligence team
@online{team:20201211:mountlocker:9c495cb, author = {BlackBerry Research and Intelligence team}, title = {{MountLocker Ransomware-as-a-Service Offers Double Extortion Capabilities to Affiliates}}, date = {2020-12-11}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates}, language = {English}, urldate = {2020-12-14} } MountLocker Ransomware-as-a-Service Offers Double Extortion Capabilities to Affiliates
Cobalt Strike Mount Locker
2020-12-10CybereasonJoakim Kandefelt
@online{kandefelt:20201210:cybereason:0267d5e, author = {Joakim Kandefelt}, title = {{Cybereason vs. Ryuk Ransomware}}, date = {2020-12-10}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware}, language = {English}, urldate = {2020-12-14} } Cybereason vs. Ryuk Ransomware
BazarBackdoor Ryuk TrickBot
2020-12-10Palo Alto Networks Unit 42Unit42
@online{unit42:20201210:threat:6ac31af, author = {Unit42}, title = {{Threat Brief: FireEye Red Team Tool Breach}}, date = {2020-12-10}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/}, language = {English}, urldate = {2020-12-15} } Threat Brief: FireEye Red Team Tool Breach
Cobalt Strike
2020-12-10US-CERTUS-CERT, FBI, MS-ISAC
@online{uscert:20201210:alert:a5ec77e, author = {US-CERT and FBI and MS-ISAC}, title = {{Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data}}, date = {2020-12-10}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-345a}, language = {English}, urldate = {2020-12-11} } Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim REvil Ryuk Zeus
2020-12-10Intel 471Intel 471
@online{471:20201210:no:9fd2ae1, author = {Intel 471}, title = {{No pandas, just people: The current state of China’s cybercrime underground}}, date = {2020-12-10}, organization = {Intel 471}, url = {https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/}, language = {English}, urldate = {2020-12-10} } No pandas, just people: The current state of China’s cybercrime underground
Anubis SpyNote AsyncRAT Cobalt Strike Ghost RAT NjRAT
2020-12-10CyberIntCyberInt
@online{cyberint:20201210:ryuk:e74b8f6, author = {CyberInt}, title = {{Ryuk Crypto-Ransomware}}, date = {2020-12-10}, organization = {CyberInt}, url = {https://blog.cyberint.com/ryuk-crypto-ransomware}, language = {English}, urldate = {2020-12-14} } Ryuk Crypto-Ransomware
Ryuk TrickBot
2020-12-09FireEyeMitchell Clarke, Tom Hall
@techreport{clarke:20201209:its:c312acc, author = {Mitchell Clarke and Tom Hall}, title = {{It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES)}}, date = {2020-12-09}, institution = {FireEye}, url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf}, language = {English}, urldate = {2020-12-15} } It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES)
Cobalt Strike DoppelPaymer QakBot REvil
2020-12-09CiscoDavid Liebenberg, Caitlin Huey
@online{liebenberg:20201209:quarterly:9ed3062, author = {David Liebenberg and Caitlin Huey}, title = {{Quarterly Report: Incident Response trends from Fall 2020}}, date = {2020-12-09}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html}, language = {English}, urldate = {2020-12-10} } Quarterly Report: Incident Response trends from Fall 2020
Cobalt Strike IcedID Maze RansomEXX Ryuk
2020-12-09InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20201209:recent:0992506, author = {Brad Duncan}, title = {{Recent Qakbot (Qbot) activity}}, date = {2020-12-09}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/26862}, language = {English}, urldate = {2020-12-10} } Recent Qakbot (Qbot) activity
Cobalt Strike QakBot
2020-12-08Cobalt StrikeRaphael Mudge
@online{mudge:20201208:red:8ccdfcf, author = {Raphael Mudge}, title = {{A Red Teamer Plays with JARM}}, date = {2020-12-08}, organization = {Cobalt Strike}, url = {https://blog.cobaltstrike.com/2020/12/08/a-red-teamer-plays-with-jarm/}, language = {English}, urldate = {2021-01-11} } A Red Teamer Plays with JARM
Cobalt Strike
2020-12-08SophosSean Gallagher, Anand Aijan, Gabor Szappanos, Syed Shahram, Bill Kearney, Mark Loman, Peter Mackenzie, Sergio Bestulic
@online{gallagher:20201208:egregor:fe48cfd, author = {Sean Gallagher and Anand Aijan and Gabor Szappanos and Syed Shahram and Bill Kearney and Mark Loman and Peter Mackenzie and Sergio Bestulic}, title = {{Egregor ransomware: Maze’s heir apparent}}, date = {2020-12-08}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/12/08/egregor-ransomware-mazes-heir-apparent/}, language = {English}, urldate = {2020-12-08} } Egregor ransomware: Maze’s heir apparent
Egregor Maze
2020-12-07Minerva LabsTom Roter
@online{roter:20201207:egregor:2d3dced, author = {Tom Roter}, title = {{Egregor Ransomware - An In-Depth Analysis}}, date = {2020-12-07}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis}, language = {English}, urldate = {2020-12-09} } Egregor Ransomware - An In-Depth Analysis
Egregor Maze Sekhmet
2020-12-02SansecSansec Threat Research Team
@online{team:20201202:persistent:4f26f93, author = {Sansec Threat Research Team}, title = {{Persistent parasite in EOL Magento 2 stores wakes at Black Friday}}, date = {2020-12-02}, organization = {Sansec}, url = {https://sansec.io/research/magento-2-persistent-parasite}, language = {English}, urldate = {2020-12-14} } Persistent parasite in EOL Magento 2 stores wakes at Black Friday
magecart
2020-12-02Red Canarytwitter (@redcanary)
@online{redcanary:20201202:increased:5db5dce, author = {twitter (@redcanary)}, title = {{Tweet on increased #Qbot activity delivering Cobalt Strike & #Egregor ransomware}}, date = {2020-12-02}, organization = {Red Canary}, url = {https://twitter.com/redcanary/status/1334224861628039169}, language = {English}, urldate = {2020-12-08} } Tweet on increased #Qbot activity delivering Cobalt Strike & #Egregor ransomware
Cobalt Strike Egregor QakBot
2020-12-01Trend MicroRyan Flores
@online{flores:20201201:impact:415bf2e, author = {Ryan Flores}, title = {{The Impact of Modern Ransomware on Manufacturing Networks}}, date = {2020-12-01}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html}, language = {English}, urldate = {2020-12-08} } The Impact of Modern Ransomware on Manufacturing Networks
Maze Petya REvil
2020-12-01360.cnjindanlong
@online{jindanlong:20201201:hunting:b9e2674, author = {jindanlong}, title = {{Hunting Beacons}}, date = {2020-12-01}, organization = {360.cn}, url = {https://quake.360.cn/quake/#/reportDetail?id=5fc6fedd191038c3b25c4950}, language = {English}, urldate = {2021-01-10} } Hunting Beacons
Cobalt Strike
2020-12-01mez0.ccmez0
@online{mez0:20201201:cobalt:38336ed, author = {mez0}, title = {{Cobalt Strike PowerShell Execution}}, date = {2020-12-01}, organization = {mez0.cc}, url = {https://mez0.cc/posts/cobaltstrike-powershell-exec/}, language = {English}, urldate = {2020-12-14} } Cobalt Strike PowerShell Execution
Cobalt Strike
2020-11-30MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20201130:threat:2633df5, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Threat actor (BISMUTH) leverages coin miner techniques to stay under the radar – here’s how to spot them}}, date = {2020-11-30}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them/}, language = {English}, urldate = {2020-12-01} } Threat actor (BISMUTH) leverages coin miner techniques to stay under the radar – here’s how to spot them
Cobalt Strike
2020-11-30FireEyeMitchell Clarke, Tom Hall
@techreport{clarke:20201130:its:1b6b681, author = {Mitchell Clarke and Tom Hall}, title = {{It's not FINished The Evolving Maturity in Ransomware Operations}}, date = {2020-11-30}, institution = {FireEye}, url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf}, language = {English}, urldate = {2020-12-14} } It's not FINished The Evolving Maturity in Ransomware Operations
Cobalt Strike DoppelPaymer MimiKatz QakBot REvil
2020-11-27MacnicaHiroshi Takeuchi
@online{takeuchi:20201127:analyzing:4089f84, author = {Hiroshi Takeuchi}, title = {{Analyzing Organizational Invasion Ransom Incidents Using Dtrack}}, date = {2020-11-27}, organization = {Macnica}, url = {https://blog.macnica.net/blog/2020/11/dtrack.html}, language = {Japanese}, urldate = {2020-12-08} } Analyzing Organizational Invasion Ransom Incidents Using Dtrack
Cobalt Strike Dtrack
2020-11-27ReflectizReflectiz
@online{reflectiz:20201127:ico:a1bad28, author = {Reflectiz}, title = {{The ICO Fines Ticketmaster UK £1.25 Million for Security Failures: A Lesson to be Learned}}, date = {2020-11-27}, organization = {Reflectiz}, url = {https://www.reflectiz.com/ico-fines-ticketmaster-uk-1-25-million-for-security-failures-a-lesson-to-be-learned/}, language = {English}, urldate = {2021-01-29} } The ICO Fines Ticketmaster UK £1.25 Million for Security Failures: A Lesson to be Learned
magecart
2020-11-26CybereasonLior Rochberger, Cybereason Nocturnus
@online{rochberger:20201126:cybereason:8301aeb, author = {Lior Rochberger and Cybereason Nocturnus}, title = {{Cybereason vs. Egregor Ransomware}}, date = {2020-11-26}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware}, language = {English}, urldate = {2020-12-08} } Cybereason vs. Egregor Ransomware
Cobalt Strike Egregor IcedID ISFB QakBot
2020-11-25ReflectizIdan Cohen
@online{cohen:20201125:csp:1b9a48e, author = {Idan Cohen}, title = {{CSP, the Right Solution for the Web-Skimming Pandemic?}}, date = {2020-11-25}, organization = {Reflectiz}, url = {https://medium.com/reflectiz/csp-the-right-solution-for-the-web-skimming-pandemic-acb7a4414218}, language = {English}, urldate = {2021-01-29} } CSP, the Right Solution for the Web-Skimming Pandemic?
magecart
2020-11-25SentinelOneJim Walter
@online{walter:20201125:egregor:5727f7a, author = {Jim Walter}, title = {{Egregor RaaS Continues the Chaos with Cobalt Strike and Rclone}}, date = {2020-11-25}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/}, language = {English}, urldate = {2020-12-08} } Egregor RaaS Continues the Chaos with Cobalt Strike and Rclone
Cobalt Strike Egregor
2020-11-20ZDNetCatalin Cimpanu
@online{cimpanu:20201120:malware:0b8ff59, author = {Catalin Cimpanu}, title = {{The malware that usually installs ransomware and you need to remove right away}}, date = {2020-11-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/}, language = {English}, urldate = {2020-11-23} } The malware that usually installs ransomware and you need to remove right away
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader
2020-11-20F-Secure LabsRiccardo Ancarani
@online{ancarani:20201120:detecting:79afa40, author = {Riccardo Ancarani}, title = {{Detecting Cobalt Strike Default Modules via Named Pipe Analysis}}, date = {2020-11-20}, organization = {F-Secure Labs}, url = {https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis}, language = {English}, urldate = {2020-11-23} } Detecting Cobalt Strike Default Modules via Named Pipe Analysis
Cobalt Strike
2020-11-20360 netlabJiaYu
@online{jiayu:20201120:blackrota:ee43da1, author = {JiaYu}, title = {{Blackrota, a highly obfuscated backdoor developed by Go}}, date = {2020-11-20}, organization = {360 netlab}, url = {https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go/}, language = {Chinese}, urldate = {2020-11-23} } Blackrota, a highly obfuscated backdoor developed by Go
Cobalt Strike
2020-11-19ThreatpostElizabeth Montalbano
@online{montalbano:20201119:exploits:f40feb2, author = {Elizabeth Montalbano}, title = {{APT Exploits Microsoft Zerologon Bug: Targets Japanese Companies}}, date = {2020-11-19}, organization = {Threatpost}, url = {https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/}, language = {English}, urldate = {2020-11-23} } APT Exploits Microsoft Zerologon Bug: Targets Japanese Companies
Quasar RAT Ryuk
2020-11-18DomainToolsJoe Slowik
@online{slowik:20201118:analyzing:abccd43, author = {Joe Slowik}, title = {{Analyzing Network Infrastructure as Composite Objects}}, date = {2020-11-18}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/analyzing-network-infrastructure-as-composite-objects}, language = {English}, urldate = {2020-11-19} } Analyzing Network Infrastructure as Composite Objects
Ryuk
2020-11-18KELAVictoria Kivilevich
@online{kivilevich:20201118:zooming:f28a9c1, author = {Victoria Kivilevich}, title = {{Zooming into Darknet Threats Targeting Japanese Organizations}}, date = {2020-11-18}, organization = {KELA}, url = {https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/}, language = {English}, urldate = {2020-11-19} } Zooming into Darknet Threats Targeting Japanese Organizations
Conti DoppelPaymer Egregor LockBit Maze REvil Snake
2020-11-17cybleCyble
@online{cyble:20201117:oceanlotus:d33eb97, author = {Cyble}, title = {{OceanLotus Continues With Its Cyber Espionage Operations}}, date = {2020-11-17}, organization = {cyble}, url = {https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/}, language = {English}, urldate = {2020-11-18} } OceanLotus Continues With Its Cyber Espionage Operations
Cobalt Strike Meterpreter
2020-11-17Salesforce EngineeringJohn Althouse
@online{althouse:20201117:easily:172bd6d, author = {John Althouse}, title = {{Easily Identify Malicious Servers on the Internet with JARM}}, date = {2020-11-17}, organization = {Salesforce Engineering}, url = {https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a}, language = {English}, urldate = {2020-12-03} } Easily Identify Malicious Servers on the Internet with JARM
Cobalt Strike TrickBot
2020-11-16Intel 471Intel 471
@online{471:20201116:ransomwareasaservice:11a5a8b, author = {Intel 471}, title = {{Ransomware-as-a-service: The pandemic within a pandemic}}, date = {2020-11-16}, organization = {Intel 471}, url = {https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/}, language = {English}, urldate = {2020-11-17} } Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX
2020-11-15TrustnetMichael Wainshtain
@online{wainshtain:20201115:from:719b7ff, author = {Michael Wainshtain}, title = {{From virus alert to PowerShell Encrypted Loader}}, date = {2020-11-15}, organization = {Trustnet}, url = {https://www.trustnet.co.il/blog/virus-alert-to-powershell-encrypted-loader/}, language = {English}, urldate = {2021-07-26} } From virus alert to PowerShell Encrypted Loader
Cobalt Strike
2020-11-14Medium 0xastrovaxastrovax
@online{astrovax:20201114:deep:b50ae08, author = {astrovax}, title = {{Deep Dive Into Ryuk Ransomware}}, date = {2020-11-14}, organization = {Medium 0xastrovax}, url = {https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12}, language = {English}, urldate = {2021-01-25} } Deep Dive Into Ryuk Ransomware
Hermes Ryuk
2020-11-11RiskIQJordan Herman
@online{herman:20201111:magecart:8137a1f, author = {Jordan Herman}, title = {{Magecart Group 12: End of Life Magento Sites Infested with Ants and Cockroaches}}, date = {2020-11-11}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/fda1f967}, language = {English}, urldate = {2020-11-18} } Magecart Group 12: End of Life Magento Sites Infested with Ants and Cockroaches
magecart
2020-11-11Kaspersky LabsDmitry Bestuzhev, Fedor Sinitsyn
@online{bestuzhev:20201111:targeted:e2e0c3a, author = {Dmitry Bestuzhev and Fedor Sinitsyn}, title = {{Targeted ransomware: it’s not just about encrypting your data! Part 1 - “Old and New Friends”}}, date = {2020-11-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/targeted-ransomware-encrypting-data/99255/}, language = {English}, urldate = {2020-11-11} } Targeted ransomware: it’s not just about encrypting your data! Part 1 - “Old and New Friends”
Egregor Maze RagnarLocker
2020-11-09Bleeping ComputerIonut Ilascu
@online{ilascu:20201109:fake:c6dd7b3, author = {Ionut Ilascu}, title = {{Fake Microsoft Teams updates lead to Cobalt Strike deployment}}, date = {2020-11-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/}, language = {English}, urldate = {2020-11-11} } Fake Microsoft Teams updates lead to Cobalt Strike deployment
Cobalt Strike DoppelPaymer NjRAT Predator The Thief Zloader
2020-11-06Advanced IntelligenceVitali Kremez
@online{kremez:20201106:anatomy:b2ce3ae, author = {Vitali Kremez}, title = {{Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware "one" Group via Cobalt Strike}}, date = {2020-11-06}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike}, language = {English}, urldate = {2020-11-09} } Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware "one" Group via Cobalt Strike
BazarBackdoor Cobalt Strike Ryuk
2020-11-06VolexitySteven Adair, Thomas Lancaster, Volexity Threat Research
@online{adair:20201106:oceanlotus:f7b11ac, author = {Steven Adair and Thomas Lancaster and Volexity Threat Research}, title = {{OceanLotus: Extending Cyber Espionage Operations Through Fake Websites}}, date = {2020-11-06}, organization = {Volexity}, url = {https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/}, language = {English}, urldate = {2020-11-09} } OceanLotus: Extending Cyber Espionage Operations Through Fake Websites
Cobalt Strike KerrDown APT32
2020-11-06Cobalt StrikeRaphael Mudge
@online{mudge:20201106:cobalt:05fe8fc, author = {Raphael Mudge}, title = {{Cobalt Strike 4.2 – Everything but the kitchen sink}}, date = {2020-11-06}, organization = {Cobalt Strike}, url = {https://blog.cobaltstrike.com/2020/11/06/cobalt-strike-4-2-everything-but-the-kitchen-sink/}, language = {English}, urldate = {2020-11-09} } Cobalt Strike 4.2 – Everything but the kitchen sink
Cobalt Strike
2020-11-06Palo Alto Networks Unit 42Ryan Tracey, Drew Schmitt, CRYPSIS
@online{tracey:20201106:indicators:1ec9384, author = {Ryan Tracey and Drew Schmitt and CRYPSIS}, title = {{Indicators of Compromise related to Cobaltstrike, PyXie Lite, Vatet and Defray777}}, date = {2020-11-06}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/}, language = {English}, urldate = {2020-11-12} } Indicators of Compromise related to Cobaltstrike, PyXie Lite, Vatet and Defray777
Cobalt Strike PyXie RansomEXX
2020-11-06TelsyTelsy Research Team
@techreport{team:20201106:malware:7b6dd9d, author = {Telsy Research Team}, title = {{Malware Analysis Report: Trying not to walk in the dark woods. A way out of the Maze}}, date = {2020-11-06}, institution = {Telsy}, url = {https://www.telsy.com/wp-content/uploads/Maze_Vaccine.pdf}, language = {English}, urldate = {2020-11-09} } Malware Analysis Report: Trying not to walk in the dark woods. A way out of the Maze
Maze
2020-11-05The DFIR ReportThe DFIR Report
@online{report:20201105:ryuk:ceaa823, author = {The DFIR Report}, title = {{Ryuk Speed Run, 2 Hours to Ransom}}, date = {2020-11-05}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/}, language = {English}, urldate = {2020-11-06} } Ryuk Speed Run, 2 Hours to Ransom
BazarBackdoor Cobalt Strike Ryuk
2020-11-05Github (scythe-io)SCYTHE
@online{scythe:20201105:ryuk:8d7c4de, author = {SCYTHE}, title = {{Ryuk Adversary Emulation Plan}}, date = {2020-11-05}, organization = {Github (scythe-io)}, url = {https://github.com/scythe-io/community-threats/tree/master/Ryuk}, language = {English}, urldate = {2020-11-11} } Ryuk Adversary Emulation Plan
Ryuk
2020-11-05SCYTHEJorge Orchilles, Sean Lyngaas
@online{orchilles:20201105:threatthursday:a3297b9, author = {Jorge Orchilles and Sean Lyngaas}, title = {{#ThreatThursday - Ryuk}}, date = {2020-11-05}, organization = {SCYTHE}, url = {https://www.scythe.io/library/threatthursday-ryuk}, language = {English}, urldate = {2020-11-06} } #ThreatThursday - Ryuk
BazarBackdoor Ryuk
2020-11-05Twitter (@ffforward)TheAnalyst
@online{theanalyst:20201105:zloader:c4bab85, author = {TheAnalyst}, title = {{Tweet on Zloader infection leads to Cobaltstrike Installation and deployment of RYUK}}, date = {2020-11-05}, organization = {Twitter (@ffforward)}, url = {https://twitter.com/ffforward/status/1324281530026524672}, language = {English}, urldate = {2020-11-09} } Tweet on Zloader infection leads to Cobaltstrike Installation and deployment of RYUK
Cobalt Strike Ryuk Zloader
2020-11-04VMRayGiovanni Vigna
@online{vigna:20201104:trick:a59a333, author = {Giovanni Vigna}, title = {{Trick or Threat: Ryuk ransomware targets the health care industry}}, date = {2020-11-04}, organization = {VMRay}, url = {https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/}, language = {English}, urldate = {2020-11-06} } Trick or Threat: Ryuk ransomware targets the health care industry
BazarBackdoor Cobalt Strike Ryuk TrickBot
2020-11-03InfoSec Handlers Diary BlogRenato Marinho
@online{marinho:20201103:attackers:9b3762b, author = {Renato Marinho}, title = {{Attackers Exploiting WebLogic Servers via CVE-2020-14882 to install Cobalt Strike}}, date = {2020-11-03}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/26752}, language = {English}, urldate = {2020-11-06} } Attackers Exploiting WebLogic Servers via CVE-2020-14882 to install Cobalt Strike
Cobalt Strike
2020-11-03Kaspersky LabsGReAT
@online{great:20201103:trends:febc159, author = {GReAT}, title = {{APT trends report Q3 2020}}, date = {2020-11-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q3-2020/99204/}, language = {English}, urldate = {2020-11-04} } APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti
2020-11-02SUCURIDenis Sinegubko
@online{sinegubko:20201102:cssjs:e800099, author = {Denis Sinegubko}, title = {{CSS-JS Steganography in Fake Flash Player Update Malware}}, date = {2020-11-02}, organization = {SUCURI}, url = {https://blog.sucuri.net/2020/11/css-js-steganography-in-fake-flash-player-update-malware.html}, language = {English}, urldate = {2020-11-04} } CSS-JS Steganography in Fake Flash Player Update Malware
magecart NetSupportManager RAT
2020-10-31splunkRyan Kovar
@online{kovar:20201031:ryuk:735f563, author = {Ryan Kovar}, title = {{Ryuk and Splunk Detections}}, date = {2020-10-31}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/ryuk-and-splunk-detections.html}, language = {English}, urldate = {2020-11-02} } Ryuk and Splunk Detections
Ryuk
2020-10-30Github (ThreatConnect-Inc)ThreatConnect
@online{threatconnect:20201030:unc:b3ae3d0, author = {ThreatConnect}, title = {{UNC 1878 Indicators from Threatconnect}}, date = {2020-10-30}, organization = {Github (ThreatConnect-Inc)}, url = {https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv}, language = {English}, urldate = {2020-11-06} } UNC 1878 Indicators from Threatconnect
BazarBackdoor Cobalt Strike Ryuk
2020-10-30CofenseThe Cofense Intelligence Team
@online{team:20201030:ryuk:9166a9a, author = {The Cofense Intelligence Team}, title = {{The Ryuk Threat: Why BazarBackdoor Matters Most}}, date = {2020-10-30}, organization = {Cofense}, url = {https://cofense.com/the-ryuk-threat-why-bazarbackdoor-matters-most/}, language = {English}, urldate = {2020-11-02} } The Ryuk Threat: Why BazarBackdoor Matters Most
BazarBackdoor Ryuk
2020-10-29Bleeping ComputerLawrence Abrams
@online{abrams:20201029:hacking:c8d5379, author = {Lawrence Abrams}, title = {{Hacking group is targeting US hospitals with Ryuk ransomware}}, date = {2020-10-29}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hacking-group-is-targeting-us-hospitals-with-ryuk-ransomware/}, language = {English}, urldate = {2020-11-02} } Hacking group is targeting US hospitals with Ryuk ransomware
Ryuk
2020-10-29RiskIQRiskIQ
@online{riskiq:20201029:ryuk:0643968, author = {RiskIQ}, title = {{Ryuk Ransomware: Extensive Attack Infrastructure Revealed}}, date = {2020-10-29}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/0bcefe76}, language = {English}, urldate = {2020-11-02} } Ryuk Ransomware: Extensive Attack Infrastructure Revealed
Cobalt Strike Ryuk
2020-10-29Red CanaryThe Red Canary Team
@online{team:20201029:bazar:1846b93, author = {The Red Canary Team}, title = {{A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak}}, date = {2020-10-29}, organization = {Red Canary}, url = {https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/}, language = {English}, urldate = {2020-11-02} } A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak
Cobalt Strike Ryuk TrickBot
2020-10-29Palo Alto Networks Unit 42Brittany Barbehenn, Doel Santos, Brad Duncan
@online{barbehenn:20201029:threat:de33a6d, author = {Brittany Barbehenn and Doel Santos and Brad Duncan}, title = {{Threat Assessment: Ryuk Ransomware and Trickbot Targeting U.S. Healthcare and Public Health Sector}}, date = {2020-10-29}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/ryuk-ransomware/}, language = {English}, urldate = {2020-11-02} } Threat Assessment: Ryuk Ransomware and Trickbot Targeting U.S. Healthcare and Public Health Sector
Anchor BazarBackdoor Ryuk TrickBot
2020-10-29McAfeeMcAfee Labs
@techreport{labs:20201029:mcafee:84eed4e, author = {McAfee Labs}, title = {{McAfee Labs Threat Advisory Ransom-Ryuk}}, date = {2020-10-29}, institution = {McAfee}, url = {https://kc.mcafee.com/resources/sites/MCAFEE/content/live/CORP_KNOWLEDGEBASE/91000/KB91844/en_US/McAfee%20Labs%20Threat%20Advisory%20-%20Ransom-Ryukv6.pdf}, language = {English}, urldate = {2020-11-02} } McAfee Labs Threat Advisory Ransom-Ryuk
Ryuk
2020-10-29Bleeping ComputerLawrence Abrams
@online{abrams:20201029:maze:f90b399, author = {Lawrence Abrams}, title = {{Maze ransomware is shutting down its cybercrime operation}}, date = {2020-10-29}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/}, language = {English}, urldate = {2020-11-02} } Maze ransomware is shutting down its cybercrime operation
Egregor Maze
2020-10-29Github (Swisscom)Swisscom CSIRT
@online{csirt:20201029:list:5fb0206, author = {Swisscom CSIRT}, title = {{List of CobaltStrike C2's used by RYUK}}, date = {2020-10-29}, organization = {Github (Swisscom)}, url = {https://github.com/swisscom/detections/blob/main/RYUK/cobaltstrike_c2s.txt}, language = {English}, urldate = {2020-11-02} } List of CobaltStrike C2's used by RYUK
Cobalt Strike
2020-10-29ReutersChristopher Bing, Joseph Menn
@online{bing:20201029:building:ceeb50f, author = {Christopher Bing and Joseph Menn}, title = {{Building wave of ransomware attacks strike U.S. hospitals}}, date = {2020-10-29}, organization = {Reuters}, url = {https://www.reuters.com/article/usa-healthcare-cyber-idUSKBN27E0EP}, language = {English}, urldate = {2020-11-02} } Building wave of ransomware attacks strike U.S. hospitals
Ryuk
2020-10-29Twitter (@anthomsec)Andrew Thompson
@online{thompson:20201029:unc1878:26c88d4, author = {Andrew Thompson}, title = {{Tweet on UNC1878 activity}}, date = {2020-10-29}, organization = {Twitter (@anthomsec)}, url = {https://twitter.com/anthomsec/status/1321865315513520128}, language = {English}, urldate = {2020-11-04} } Tweet on UNC1878 activity
BazarBackdoor Ryuk TrickBot UNC1878
2020-10-29CNNVivian Salama, Alex Marquardt, Lauren Mascarenhas
@online{salama:20201029:several:88d8127, author = {Vivian Salama and Alex Marquardt and Lauren Mascarenhas}, title = {{Several hospitals targeted in new wave of ransomware attacks}}, date = {2020-10-29}, organization = {CNN}, url = {https://edition.cnn.com/2020/10/28/politics/hospitals-targeted-ransomware-attacks/index.html}, language = {English}, urldate = {2020-11-02} } Several hospitals targeted in new wave of ransomware attacks
Ryuk
2020-10-29Twitter (@SophosLabs)SophosLabs
@online{sophoslabs:20201029:similarities:408a640, author = {SophosLabs}, title = {{Tweet on similarities between BUER in-memory loader & RYUK in-memory loader}}, date = {2020-10-29}, organization = {Twitter (@SophosLabs)}, url = {https://twitter.com/SophosLabs/status/1321844306970251265}, language = {English}, urldate = {2020-11-02} } Tweet on similarities between BUER in-memory loader & RYUK in-memory loader
Buer Ryuk
2020-10-28CISACISA, FBI, HHS
@techreport{cisa:20201028:aa20302a:80b6a06, author = {CISA and FBI and HHS}, title = {{AA20-302A: Ransomware Activity Targeting the Healthcare and Public Health Sector}}, date = {2020-10-28}, institution = {CISA}, url = {https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf}, language = {English}, urldate = {2020-11-02} } AA20-302A: Ransomware Activity Targeting the Healthcare and Public Health Sector
Anchor_DNS Anchor BazarBackdoor Ryuk
2020-10-28Youtube (SANS Digital Forensics and Incident Response)Van Ta, Aaron Stephens, Katie Nickels
@online{ta:20201028:star:16965fb, author = {Van Ta and Aaron Stephens and Katie Nickels}, title = {{STAR Webcast: Spooky RYUKy: The Return of UNC1878}}, date = {2020-10-28}, organization = {Youtube (SANS Digital Forensics and Incident Response)}, url = {https://www.youtube.com/watch?v=BhjQ6zsCVSc}, language = {English}, urldate = {2020-11-02} } STAR Webcast: Spooky RYUKy: The Return of UNC1878
Ryuk
2020-10-28Youtube (SANS Institute)Katie Nickels, Van Ta, Aaron Stephens
@online{nickels:20201028:spooky:3bf0a0a, author = {Katie Nickels and Van Ta and Aaron Stephens}, title = {{Spooky RYUKy: The Return of UNC1878 | SANS STAR Webcast}}, date = {2020-10-28}, organization = {Youtube (SANS Institute)}, url = {https://www.youtube.com/watch?v=CgDtm05qApE}, language = {English}, urldate = {2020-11-04} } Spooky RYUKy: The Return of UNC1878 | SANS STAR Webcast
Ryuk UNC1878
2020-10-28BitdefenderRuben Andrei Condor
@techreport{condor:20201028:decade:b8d7422, author = {Ruben Andrei Condor}, title = {{A Decade of WMI Abuse – an Overview of Techniques in Modern Malware}}, date = {2020-10-28}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf}, language = {English}, urldate = {2020-11-02} } A Decade of WMI Abuse – an Overview of Techniques in Modern Malware
sLoad Emotet Maze
2020-10-28FireEyeKimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock
@online{goody:20201028:unhappy:c0d2e4b, author = {Kimberly Goody and Jeremy Kennelly and Joshua Shilko and Steve Elovitz and Douglas Bienstock}, title = {{Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser}}, date = {2020-10-28}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html}, language = {English}, urldate = {2020-11-02} } Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser
BazarBackdoor Cobalt Strike Ryuk UNC1878
2020-10-28Github (aaronst)Aaron Stephens
@online{stephens:20201028:unc1878:5f717f6, author = {Aaron Stephens}, title = {{UNC1878 indicators}}, date = {2020-10-28}, organization = {Github (aaronst)}, url = {https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456}, language = {English}, urldate = {2020-11-04} } UNC1878 indicators
Ryuk UNC1878
2020-10-28KrebsOnSecurityBrian Krebs
@online{krebs:20201028:fbi:26b9480, author = {Brian Krebs}, title = {{FBI, DHS, HHS Warn of Imminent, Credible Ransomware Threat Against U.S. Hospitals}}, date = {2020-10-28}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2020/10/fbi-dhs-hhs-warn-of-imminent-credible-ransomware-threat-against-u-s-hospitals/}, language = {English}, urldate = {2020-11-02} } FBI, DHS, HHS Warn of Imminent, Credible Ransomware Threat Against U.S. Hospitals
Ryuk
2020-10-28SophosLabs UncutSean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearny, Anand Ajjan, Brett Cove, Gabor Szappanos
@online{gallagher:20201028:hacks:8e1d051, author = {Sean Gallagher and Peter Mackenzie and Elida Leite and Syed Shahram and Bill Kearny and Anand Ajjan and Brett Cove and Gabor Szappanos}, title = {{Hacks for sale: inside the Buer Loader malware-as-a-service}}, date = {2020-10-28}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/}, language = {English}, urldate = {2020-11-02} } Hacks for sale: inside the Buer Loader malware-as-a-service
Buer Ryuk Zloader
2020-10-27Sophos Managed Threat Response (MTR)Greg Iddon
@online{iddon:20201027:mtr:3b62ca9, author = {Greg Iddon}, title = {{MTR Casebook: An active adversary caught in the act}}, date = {2020-10-27}, organization = {Sophos Managed Threat Response (MTR)}, url = {https://news.sophos.com/en-us/2020/10/27/mtr-casebook-an-active-adversary-caught-in-the-act/}, language = {English}, urldate = {2020-11-02} } MTR Casebook: An active adversary caught in the act
Cobalt Strike
2020-10-27Bleeping ComputerLawrence Abrams
@online{abrams:20201027:steelcase:25f66a9, author = {Lawrence Abrams}, title = {{Steelcase furniture giant hit by Ryuk ransomware attack}}, date = {2020-10-27}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/steelcase-furniture-giant-hit-by-ryuk-ransomware-attack/}, language = {English}, urldate = {2020-10-28} } Steelcase furniture giant hit by Ryuk ransomware attack
Ryuk
2020-10-26CheckpointItay Cohen, Eyal Itkin
@online{cohen:20201026:exploit:9ec173c, author = {Itay Cohen and Eyal Itkin}, title = {{Exploit Developer Spotlight: The Story of PlayBit}}, date = {2020-10-26}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/}, language = {English}, urldate = {2020-10-27} } Exploit Developer Spotlight: The Story of PlayBit
Dyre Maze PyLocky Ramnit REvil
2020-10-26ThreatConnectThreatConnect Research Team
@online{team:20201026:threatconnect:0e90cc3, author = {ThreatConnect Research Team}, title = {{ThreatConnect Research Roundup: Ryuk and Domains Spoofing ESET and Microsoft}}, date = {2020-10-26}, organization = {ThreatConnect}, url = {https://threatconnect.com/blog/threatconnect-research-roundup-ryuk-and-domains-spoofing-eset-and-microsoft/}, language = {English}, urldate = {2020-10-29} } ThreatConnect Research Roundup: Ryuk and Domains Spoofing ESET and Microsoft
Ryuk
2020-10-23HornetsecurityHornetsecurity Security Lab
@online{lab:20201023:leakwareransomwarehybrid:ae1de8e, author = {Hornetsecurity Security Lab}, title = {{Leakware-Ransomware-Hybrid Attacks}}, date = {2020-10-23}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/}, language = {English}, urldate = {2020-12-08} } Leakware-Ransomware-Hybrid Attacks
Avaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet SunCrypt
2020-10-22Sentinel LABSMarco Figueroa
@online{figueroa:20201022:inside:228798e, author = {Marco Figueroa}, title = {{An Inside Look at How Ryuk Evolved Its Encryption and Evasion Techniques}}, date = {2020-10-22}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/an-inside-look-at-how-ryuk-evolved-its-encryption-and-evasion-techniques/}, language = {English}, urldate = {2020-10-26} } An Inside Look at How Ryuk Evolved Its Encryption and Evasion Techniques
Ryuk
2020-10-22Bleeping ComputerLawrence Abrams
@online{abrams:20201022:french:6d52e19, author = {Lawrence Abrams}, title = {{French IT giant Sopra Steria hit by Ryuk ransomware}}, date = {2020-10-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/french-it-giant-sopra-steria-hit-by-ryuk-ransomware/}, language = {English}, urldate = {2020-10-26} } French IT giant Sopra Steria hit by Ryuk ransomware
Ryuk
2020-10-21Kaspersky LabsFedor Sinitsyn, Nikita Galimov, Vladimir Kuskov
@online{sinitsyn:20201021:life:5906110, author = {Fedor Sinitsyn and Nikita Galimov and Vladimir Kuskov}, title = {{Life of Maze ransomware}}, date = {2020-10-21}, organization = {Kaspersky Labs}, url = {https://securelist.com/maze-ransomware/99137/}, language = {English}, urldate = {2020-10-23} } Life of Maze ransomware
Maze
2020-10-20Bundesamt für Sicherheit in der InformationstechnikBSI
@online{bsi:20201020:die:0683ad4, author = {BSI}, title = {{Die Lage der IT-Sicherheit in Deutschland 2020}}, date = {2020-10-20}, organization = {Bundesamt für Sicherheit in der Informationstechnik}, url = {https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2}, language = {German}, urldate = {2020-10-21} } Die Lage der IT-Sicherheit in Deutschland 2020
Clop Emotet REvil Ryuk TrickBot
2020-10-18The DFIR ReportThe DFIR Report
@online{report:20201018:ryuk:fbaadb8, author = {The DFIR Report}, title = {{Ryuk in 5 Hours}}, date = {2020-10-18}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/}, language = {English}, urldate = {2020-10-19} } Ryuk in 5 Hours
BazarBackdoor Cobalt Strike Ryuk
2020-10-16ThreatConnectThreatConnect Research Team
@online{team:20201016:threatconnect:2010d70, author = {ThreatConnect Research Team}, title = {{ThreatConnect Research Roundup: Possible Ryuk Infrastructure}}, date = {2020-10-16}, organization = {ThreatConnect}, url = {https://threatconnect.com/blog/threatconnect-research-roundup-possible-ryuk-infrastructure/}, language = {English}, urldate = {2020-10-23} } ThreatConnect Research Roundup: Possible Ryuk Infrastructure
Ryuk
2020-10-16CrowdStrikeThe Crowdstrike Intel Team
@online{team:20201016:wizard:12b648a, author = {The Crowdstrike Intel Team}, title = {{WIZARD SPIDER Update: Resilient, Reactive and Resolute}}, date = {2020-10-16}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/wizard-spider-adversary-update/}, language = {English}, urldate = {2020-10-21} } WIZARD SPIDER Update: Resilient, Reactive and Resolute
BazarBackdoor Conti Ryuk TrickBot
2020-10-14RiskIQSteve Ginty, Jon Gross
@online{ginty:20201014:wellmarked:9176303, author = {Steve Ginty and Jon Gross}, title = {{A Well-Marked Trail: Journeying through OceanLotus's Infrastructure}}, date = {2020-10-14}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/f0320980}, language = {English}, urldate = {2020-10-23} } A Well-Marked Trail: Journeying through OceanLotus's Infrastructure
Cobalt Strike
2020-10-14SophosSean Gallagher
@online{gallagher:20201014:theyre:99f5d1e, author = {Sean Gallagher}, title = {{They’re back: inside a new Ryuk ransomware attack}}, date = {2020-10-14}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/}, language = {English}, urldate = {2020-10-16} } They’re back: inside a new Ryuk ransomware attack
Cobalt Strike Ryuk SystemBC
2020-10-13VirusTotalGerardo Fernández, Vicente Diaz
@online{fernndez:20201013:tracing:14bb6fa, author = {Gerardo Fernández and Vicente Diaz}, title = {{Tracing fresh Ryuk campaigns itw}}, date = {2020-10-13}, organization = {VirusTotal}, url = {https://blog.virustotal.com/2020/10/tracing-fresh-ryuk-campaigns-itw.html}, language = {English}, urldate = {2020-10-23} } Tracing fresh Ryuk campaigns itw
Ryuk
2020-10-12SymantecThreat Hunter Team
@online{team:20201012:trickbot:5c1e5bf, author = {Threat Hunter Team}, title = {{Trickbot: U.S. Court Order Hits Botnet’s Infrastructure}}, date = {2020-10-12}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/trickbot-botnet-ransomware-disruption}, language = {English}, urldate = {2020-10-12} } Trickbot: U.S. Court Order Hits Botnet’s Infrastructure
Ryuk TrickBot
2020-10-12Advanced IntelligenceRoman Marshanski, Vitali Kremez
@online{marshanski:20201012:front:686add1, author = {Roman Marshanski and Vitali Kremez}, title = {{"Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon}}, date = {2020-10-12}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon}, language = {English}, urldate = {2020-10-13} } "Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon
BazarBackdoor Cobalt Strike Ryuk
2020-10-12MicrosoftTom Burt
@online{burt:20201012:new:045c1c3, author = {Tom Burt}, title = {{New action to combat ransomware ahead of U.S. elections}}, date = {2020-10-12}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/}, language = {English}, urldate = {2020-10-12} } New action to combat ransomware ahead of U.S. elections
Ryuk TrickBot
2020-10-11Github (StrangerealIntel)StrangerealIntel
@online{strangerealintel:20201011:chimera:a423a07, author = {StrangerealIntel}, title = {{Chimera, APT19 under the radar ?}}, date = {2020-10-11}, organization = {Github (StrangerealIntel)}, url = {https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md}, language = {English}, urldate = {2020-10-15} } Chimera, APT19 under the radar ?
Cobalt Strike Meterpreter
2020-10-08Bayerischer RundfunkHakan Tanriverdi, Max Zierer, Ann-Kathrin Wetter, Kai Biermann, Thi Do Nguyen
@online{tanriverdi:20201008:there:620f4e7, author = {Hakan Tanriverdi and Max Zierer and Ann-Kathrin Wetter and Kai Biermann and Thi Do Nguyen}, title = {{There is no safe place}}, date = {2020-10-08}, organization = {Bayerischer Rundfunk}, url = {https://web.br.de/interaktiv/ocean-lotus/en/}, language = {English}, urldate = {2020-10-12} } There is no safe place
Cobalt Strike
2020-10-08The DFIR ReportThe DFIR Report
@online{report:20201008:ryuks:e47d8fa, author = {The DFIR Report}, title = {{Ryuk’s Return}}, date = {2020-10-08}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/10/08/ryuks-return/}, language = {English}, urldate = {2020-10-09} } Ryuk’s Return
BazarBackdoor Cobalt Strike Ryuk
2020-10-06CrowdStrikeThe Crowdstrike Intel Team
@online{team:20201006:double:bb0f240, author = {The Crowdstrike Intel Team}, title = {{Double Trouble: Ransomware with Data Leak Extortion, Part 2}}, date = {2020-10-06}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/}, language = {English}, urldate = {2020-10-12} } Double Trouble: Ransomware with Data Leak Extortion, Part 2
Maze MedusaLocker REvil VIKING SPIDER
2020-10-02Health Sector Cybersecurity Coordination Center (HC3)Health Sector Cybersecurity Coordination Center (HC3)
@techreport{hc3:20201002:report:0ca373f, author = {Health Sector Cybersecurity Coordination Center (HC3)}, title = {{Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns}}, date = {2020-10-02}, institution = {Health Sector Cybersecurity Coordination Center (HC3)}, url = {https://www.hhs.gov/sites/default/files/bazarloader.pdf}, language = {English}, urldate = {2020-11-02} } Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns
BazarBackdoor Cobalt Strike Ryuk TrickBot
2020-10-01WiredAndy Greenberg
@online{greenberg:20201001:russias:3440982, author = {Andy Greenberg}, title = {{Russia’s Fancy Bear Hackers Likely Penetrated a US Federal Agency}}, date = {2020-10-01}, organization = {Wired}, url = {https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/}, language = {English}, urldate = {2020-10-05} } Russia’s Fancy Bear Hackers Likely Penetrated a US Federal Agency
Cobalt Strike Meterpreter
2020-10-01KELAVictoria Kivilevich
@online{kivilevich:20201001:to:fd3aa09, author = {Victoria Kivilevich}, title = {{To Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem}}, date = {2020-10-01}, organization = {KELA}, url = {https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/}, language = {English}, urldate = {2021-05-07} } To Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem
Conti DoppelPaymer Mailto Maze REvil Ryuk SunCrypt
2020-10-01US-CERTUS-CERT
@online{uscert:20201001:alert:a46c3d4, author = {US-CERT}, title = {{Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions}}, date = {2020-10-01}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-275a}, language = {English}, urldate = {2020-10-04} } Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions
CHINACHOPPER Cobalt Strike Empire Downloader MimiKatz Poison Ivy
2020-09-29CrowdStrikeKareem Hamdan, Lucas Miller
@online{hamdan:20200929:getting:c01923a, author = {Kareem Hamdan and Lucas Miller}, title = {{Getting the Bacon from the Beacon}}, date = {2020-09-29}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/}, language = {English}, urldate = {2020-10-05} } Getting the Bacon from the Beacon
Cobalt Strike
2020-09-29MicrosoftMicrosoft
@techreport{microsoft:20200929:microsoft:6e5d7b0, author = {Microsoft}, title = {{Microsoft Digital Defense Report}}, date = {2020-09-29}, institution = {Microsoft}, url = {https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf}, language = {English}, urldate = {2020-10-05} } Microsoft Digital Defense Report
Emotet IcedID Mailto Maze QakBot REvil RobinHood TrickBot
2020-09-29PWC UKAndy Auld
@online{auld:20200929:whats:2782a62, author = {Andy Auld}, title = {{What's behind the increase in ransomware attacks this year?}}, date = {2020-09-29}, organization = {PWC UK}, url = {https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html}, language = {English}, urldate = {2021-05-25} } What's behind the increase in ransomware attacks this year?
DarkSide Avaddon Clop Conti DoppelPaymer Dridex Emotet FriedEx Mailto PwndLocker QakBot REvil Ryuk SMAUG SunCrypt TrickBot WastedLocker
2020-09-29Github (Apr4h)Apra
@online{apra:20200929:cobaltstrikescan:ab5f221, author = {Apra}, title = {{CobaltStrikeScan}}, date = {2020-09-29}, organization = {Github (Apr4h)}, url = {https://github.com/Apr4h/CobaltStrikeScan}, language = {English}, urldate = {2020-10-05} } CobaltStrikeScan
Cobalt Strike
2020-09-25StateScoopBenjamin Freed
@online{freed:20200925:baltimore:296e7d1, author = {Benjamin Freed}, title = {{Baltimore ransomware attack was early attempt at data extortion, new report shows}}, date = {2020-09-25}, organization = {StateScoop}, url = {https://statescoop.com/baltimore-ransomware-crowdstrike-extortion/}, language = {English}, urldate = {2021-05-28} } Baltimore ransomware attack was early attempt at data extortion, new report shows
Maze RobinHood OUTLAW SPIDER
2020-09-25CrowdStrikeThe Crowdstrike Intel Team
@online{team:20200925:double:fe3b093, author = {The Crowdstrike Intel Team}, title = {{Double Trouble: Ransomware with Data Leak Extortion, Part 1}}, date = {2020-09-25}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/}, language = {English}, urldate = {2020-10-02} } Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer FriedEx LockBit Maze MedusaLocker RagnarLocker REvil RobinHood SamSam WastedLocker MIMIC SPIDER PIZZO SPIDER TA2101 VIKING SPIDER
2020-09-24US-CERTUS-CERT
@online{uscert:20200924:analysis:e1e4cc0, author = {US-CERT}, title = {{Analysis Report (AR20-268A): Federal Agency Compromised by Malicious Cyber Actor}}, date = {2020-09-24}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a}, language = {English}, urldate = {2020-10-13} } Analysis Report (AR20-268A): Federal Agency Compromised by Malicious Cyber Actor
Cobalt Strike Meterpreter
2020-09-24CrowdStrikeCrowdStrike Intelligence Team
@online{team:20200924:double:3b3ade6, author = {CrowdStrike Intelligence Team}, title = {{Double Trouble: Ransomware with Data Leak Extortion, Part 1}}, date = {2020-09-24}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1}, language = {English}, urldate = {2021-05-31} } Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer Gandcrab LockBit Maze MedusaLocker RagnarLocker SamSam OUTLAW SPIDER OVERLORD SPIDER
2020-09-24Kaspersky LabsKaspersky Lab ICS CERT
@techreport{cert:20200924:threat:2d7986d, author = {Kaspersky Lab ICS CERT}, title = {{Threat landscape for industrial automation systems - H1 2020}}, date = {2020-09-24}, institution = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf}, language = {English}, urldate = {2020-10-04} } Threat landscape for industrial automation systems - H1 2020
Poet RAT Mailto Milum RagnarLocker REvil Ryuk Snake
2020-09-21Cisco TalosNick Mavis, Joe Marshall, JON MUNSHAW
@techreport{mavis:20200921:art:d9702a4, author = {Nick Mavis and Joe Marshall and JON MUNSHAW}, title = {{The art and science of detecting Cobalt Strike}}, date = {2020-09-21}, institution = {Cisco Talos}, url = {https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf}, language = {English}, urldate = {2020-09-23} } The art and science of detecting Cobalt Strike
Cobalt Strike
2020-09-18Trend MicroTrend Micro
@online{micro:20200918:us:7900e6a, author = {Trend Micro}, title = {{U.S. Justice Department Charges APT41 Hackers over Global Cyberattacks}}, date = {2020-09-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html}, language = {English}, urldate = {2020-09-23} } U.S. Justice Department Charges APT41 Hackers over Global Cyberattacks
Cobalt Strike ColdLock
2020-09-17SophosLabs UncutAndrew Brandt, Peter Mackenzie
@online{brandt:20200917:maze:714f603, author = {Andrew Brandt and Peter Mackenzie}, title = {{Maze attackers adopt Ragnar Locker virtual machine technique}}, date = {2020-09-17}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/}, language = {English}, urldate = {2020-09-21} } Maze attackers adopt Ragnar Locker virtual machine technique
Maze
2020-09-17Bleeping ComputerLawrence Abrams
@online{abrams:20200917:maze:81b8c38, author = {Lawrence Abrams}, title = {{Maze ransomware now encrypts via virtual machines to evade detection}}, date = {2020-09-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-now-encrypts-via-virtual-machines-to-evade-detection/}, language = {English}, urldate = {2020-09-21} } Maze ransomware now encrypts via virtual machines to evade detection
Maze
2020-09-03Twitter (@Arkbird_SOLG)Arkbird
@online{arkbird:20200903:development:cf8dd7d, author = {Arkbird}, title = {{Tweet on development in more_eggs}}, date = {2020-09-03}, organization = {Twitter (@Arkbird_SOLG)}, url = {https://twitter.com/Arkbird_SOLG/status/1301536930069278727}, language = {English}, urldate = {2020-09-15} } Tweet on development in more_eggs
More_eggs
2020-09-03Viettel Cybersecurityvuonglvm
@online{vuonglvm:20200903:apt32:02bd8fc, author = {vuonglvm}, title = {{APT32 deobfuscation arsenal: Deobfuscating một vài loại Obfucation Toolkit của APT32 (Phần 2)}}, date = {2020-09-03}, organization = {Viettel Cybersecurity}, url = {https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-2/}, language = {Vietnamese}, urldate = {2020-09-09} } APT32 deobfuscation arsenal: Deobfuscating một vài loại Obfucation Toolkit của APT32 (Phần 2)
Cobalt Strike
2020-09-02RiskIQJordan Herman
@online{herman:20200902:inter:93b8c50, author = {Jordan Herman}, title = {{The Inter Skimmer Kit}}, date = {2020-09-02}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/30f22a00}, language = {English}, urldate = {2020-09-04} } The Inter Skimmer Kit
magecart DreamBot TeslaCrypt
2020-09-01Cisco TalosDavid Liebenberg, Caitlin Huey
@online{liebenberg:20200901:quarterly:c02962b, author = {David Liebenberg and Caitlin Huey}, title = {{Quarterly Report: Incident Response trends in Summer 2020}}, date = {2020-09-01}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html}, language = {English}, urldate = {2020-09-03} } Quarterly Report: Incident Response trends in Summer 2020
Cobalt Strike LockBit Mailto Maze Ryuk
2020-08-31The DFIR ReportThe DFIR Report
@online{report:20200831:netwalker:29a1511, author = {The DFIR Report}, title = {{NetWalker Ransomware in 1 Hour}}, date = {2020-08-31}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/}, language = {English}, urldate = {2020-08-31} } NetWalker Ransomware in 1 Hour
Cobalt Strike Mailto MimiKatz
2020-08-25KELAVictoria Kivilevich
@online{kivilevich:20200825:how:5db6a82, author = {Victoria Kivilevich}, title = {{How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing}}, date = {2020-08-25}, organization = {KELA}, url = {https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/}, language = {English}, urldate = {2021-05-07} } How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing
Avaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil Sekhmet
2020-08-20Seebug PaperMalayke
@online{malayke:20200820:use:77d3957, author = {Malayke}, title = {{Use ZoomEye to track multiple Redteam C&C post-penetration attack frameworks}}, date = {2020-08-20}, organization = {Seebug Paper}, url = {https://paper.seebug.org/1301/}, language = {Chinese}, urldate = {2020-08-24} } Use ZoomEye to track multiple Redteam C&C post-penetration attack frameworks
Cobalt Strike Empire Downloader PoshC2
2020-08-20sensecycyberthreatinsider
@online{cyberthreatinsider:20200820:global:34ee2ea, author = {cyberthreatinsider}, title = {{Global Ransomware Attacks in 2020: The Top 4 Vulnerabilities}}, date = {2020-08-20}, organization = {sensecy}, url = {https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/}, language = {English}, urldate = {2020-11-04} } Global Ransomware Attacks in 2020: The Top 4 Vulnerabilities
Clop Maze REvil Ryuk
2020-08-19TEAMT5TeamT5
@online{teamt5:20200819:0819:e955419, author = {TeamT5}, title = {{調查局 08/19 公布中國對台灣政府機關駭侵事件說明}}, date = {2020-08-19}, organization = {TEAMT5}, url = {https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/}, language = {Chinese}, urldate = {2021-05-03} } 調查局 08/19 公布中國對台灣政府機關駭侵事件說明
Cobalt Strike Waterbear
2020-08-18AreteArete Incident Response
@techreport{response:20200818:is:72e08da, author = {Arete Incident Response}, title = {{Is Conti the New Ryuk?}}, date = {2020-08-18}, institution = {Arete}, url = {https://areteir.com/wp-content/uploads/2020/08/Arete_Insight_Is-Conti-the-new-Ryuk_August2020.pdf}, language = {English}, urldate = {2020-08-25} } Is Conti the New Ryuk?
Conti Ryuk
2020-08-14Twitter (@VK_intel)Vitali Kremez
@online{kremez:20200814:zloader:cbd9ad5, author = {Vitali Kremez}, title = {{Tweet on Zloader infection leading to Cobaltstrike Installation}}, date = {2020-08-14}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1294320579311435776}, language = {English}, urldate = {2020-11-09} } Tweet on Zloader infection leading to Cobaltstrike Installation
Cobalt Strike Zloader
2020-08-13SentinelOneSentinelLabs
@online{sentinellabs:20200813:case:4560aed, author = {SentinelLabs}, title = {{Case Study: Catching a Human-Operated Maze Ransomware Attack In Action}}, date = {2020-08-13}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/case-study-catching-a-human-operated-maze-ransomware-attack-in-action/}, language = {English}, urldate = {2020-08-14} } Case Study: Catching a Human-Operated Maze Ransomware Attack In Action
Maze
2020-08-06WiredAndy Greenberg
@online{greenberg:20200806:chinese:32c43e3, author = {Andy Greenberg}, title = {{Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry}}, date = {2020-08-06}, organization = {Wired}, url = {https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/}, language = {English}, urldate = {2020-11-04} } Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry
Cobalt Strike MimiKatz Winnti Operation Skeleton Key
2020-08-04ZDNetCatalin Cimpanu
@online{cimpanu:20200804:ransomware:e0320ee, author = {Catalin Cimpanu}, title = {{Ransomware gang publishes tens of GBs of internal data from LG and Xerox}}, date = {2020-08-04}, organization = {ZDNet}, url = {https://www.zdnet.com/article/ransomware-gang-publishes-tens-of-gbs-of-internal-data-from-lg-and-xerox/}, language = {English}, urldate = {2020-08-18} } Ransomware gang publishes tens of GBs of internal data from LG and Xerox
Maze
2020-08-04BlackHatChung-Kuan Chen, Inndy Lin, Shang-De Jiang
@techreport{chen:20200804:operation:4cf417f, author = {Chung-Kuan Chen and Inndy Lin and Shang-De Jiang}, title = {{Operation Chimera - APT Operation Targets Semiconductor Vendors}}, date = {2020-08-04}, institution = {BlackHat}, url = {https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf}, language = {English}, urldate = {2020-11-04} } Operation Chimera - APT Operation Targets Semiconductor Vendors
Cobalt Strike MimiKatz Winnti Operation Skeleton Key
2020-08Temple UniversityCARE
@online{care:202008:critical:415c34d, author = {CARE}, title = {{Critical Infrastructure Ransomware Attacks}}, date = {2020-08}, organization = {Temple University}, url = {https://sites.temple.edu/care/ci-rw-attacks/}, language = {English}, urldate = {2020-09-15} } Critical Infrastructure Ransomware Attacks
CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor
2020-07-29Kaspersky LabsGReAT
@online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-07-26Shells.System blogAskar
@online{askar:20200726:inmemory:5556cad, author = {Askar}, title = {{In-Memory shellcode decoding to evade AVs/EDRs}}, date = {2020-07-26}, organization = {Shells.System blog}, url = {https://shells.systems/in-memory-shellcode-decoding-to-evade-avs/}, language = {English}, urldate = {2020-07-30} } In-Memory shellcode decoding to evade AVs/EDRs
Cobalt Strike
2020-07-22SentinelOneJason Reaves, Joshua Platt
@online{reaves:20200722:enter:71d9038, author = {Jason Reaves and Joshua Platt}, title = {{Enter the Maze: Demystifying an Affiliate Involved in Maze (SNOW)}}, date = {2020-07-22}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/}, language = {English}, urldate = {2020-07-23} } Enter the Maze: Demystifying an Affiliate Involved in Maze (SNOW)
ISFB Maze TrickBot Zloader
2020-07-22SUCURIDenis Sinegubko
@online{sinegubko:20200722:skimmers:abd9eb9, author = {Denis Sinegubko}, title = {{Skimmers in Images & GitHub Repos}}, date = {2020-07-22}, organization = {SUCURI}, url = {https://blog.sucuri.net/2020/07/skimmers-in-images-github-repos.html}, language = {English}, urldate = {2020-07-30} } Skimmers in Images & GitHub Repos
magecart
2020-07-22On the HuntNewton Paul
@online{paul:20200722:analysing:2de83d7, author = {Newton Paul}, title = {{Analysing Fileless Malware: Cobalt Strike Beacon}}, date = {2020-07-22}, organization = {On the Hunt}, url = {https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/}, language = {English}, urldate = {2020-07-24} } Analysing Fileless Malware: Cobalt Strike Beacon
Cobalt Strike
2020-07-21MalwarebytesHossein Jazi, Jérôme Segura
@online{jazi:20200721:chinese:da6a239, author = {Hossein Jazi and Jérôme Segura}, title = {{Chinese APT group targets India and Hong Kong using new variant of MgBot malware}}, date = {2020-07-21}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/}, language = {English}, urldate = {2020-07-22} } Chinese APT group targets India and Hong Kong using new variant of MgBot malware
KSREMOTE Cobalt Strike MgBot
2020-07-20QuoIntelligence
@online{quointelligence:20200720:golden:4a88a80, author = {QuoIntelligence}, title = {{Golden Chickens: Evolution Oof the MaaS}}, date = {2020-07-20}, url = {https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/}, language = {English}, urldate = {2020-07-23} } Golden Chickens: Evolution Oof the MaaS
More_eggs TerraLoader TerraStealer VenomLNK
2020-07-15FireEyeNathan Brubaker, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Corey Hildebrandt
@online{brubaker:20200715:financially:f217555, author = {Nathan Brubaker and Daniel Kapellmann Zafra and Keith Lunden and Ken Proska and Corey Hildebrandt}, title = {{Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families}}, date = {2020-07-15}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html}, language = {English}, urldate = {2020-07-16} } Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families
DoppelPaymer LockerGoga Maze MegaCortex Nefilim Snake
2020-07-11TrustwavePeter Evans, Rodel Mendrez
@online{evans:20200711:injecting:3d78e32, author = {Peter Evans and Rodel Mendrez}, title = {{Injecting Magecart into Magento Global Config}}, date = {2020-07-11}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/injecting-magecart-into-magento-global-config/}, language = {English}, urldate = {2020-07-15} } Injecting Magecart into Magento Global Config
magecart
2020-07-10Github (eset)Matías Porolli
@online{porolli:20200710:evilnumindicators:639ec06, author = {Matías Porolli}, title = {{Evilnum — Indicators of Compromise}}, date = {2020-07-10}, organization = {Github (eset)}, url = {https://github.com/eset/malware-ioc/tree/master/evilnum}, language = {English}, urldate = {2020-07-11} } Evilnum — Indicators of Compromise
EVILNUM More_eggs EVILNUM TerraStealer
2020-07-09ESET ResearchMatías Porolli
@online{porolli:20200709:more:24d8b63, author = {Matías Porolli}, title = {{More evil: A deep look at Evilnum and its toolset}}, date = {2020-07-09}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/}, language = {English}, urldate = {2020-07-11} } More evil: A deep look at Evilnum and its toolset
EVILNUM More_eggs EVILNUM TerraPreter TerraStealer TerraTV Evilnum
2020-07-07GEMINI
@techreport{gemini:20200707:full:283dfdd, author = {GEMINI}, title = {{Full list of all the 570+ sites that the Keeper gang hacked since April 2017}}, date = {2020-07-07}, institution = {}, url = {https://geminiadvisory.io/wp-content/uploads/2020/07/Appendix-C-1.pdf}, language = {English}, urldate = {2020-07-08} } Full list of all the 570+ sites that the Keeper gang hacked since April 2017
magecart
2020-07-07GEMINI
@online{gemini:20200707:keeper:b2f882b, author = {GEMINI}, title = {{"Keeper" Magecart Group Infects 570 Sites}}, date = {2020-07-07}, url = {https://geminiadvisory.io/keeper-magecart-group-infects-570-sites/}, language = {English}, urldate = {2020-07-08} } "Keeper" Magecart Group Infects 570 Sites
magecart
2020-07-07MWLabLadislav Bačo
@online{bao:20200707:cobalt:cf80aa8, author = {Ladislav Bačo}, title = {{Cobalt Strike stagers used by FIN6}}, date = {2020-07-07}, organization = {MWLab}, url = {https://malwarelab.eu/posts/fin6-cobalt-strike/}, language = {English}, urldate = {2020-07-11} } Cobalt Strike stagers used by FIN6
Cobalt Strike
2020-07-06SansecSansec Threat Research Team
@online{team:20200706:north:1fb54b4, author = {Sansec Threat Research Team}, title = {{North Korean hackers implicated in stealing from US and European shoppers}}, date = {2020-07-06}, organization = {Sansec}, url = {https://sansec.io/research/north-korea-magecart}, language = {English}, urldate = {2020-07-06} } North Korean hackers implicated in stealing from US and European shoppers
magecart
2020-06-26Trend MicroJoseph C Chen
@online{chen:20200626:us:8bce65c, author = {Joseph C Chen}, title = {{US Local Government Services Targeted by New Magecart Credit Card Skimming Attack}}, date = {2020-06-26}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/us-local-government-services-targeted-by-new-magecart-credit-card-skimming-attack/}, language = {English}, urldate = {2020-06-30} } US Local Government Services Targeted by New Magecart Credit Card Skimming Attack
magecart
2020-06-25MalwarebytesJérôme Segura
@online{segura:20200625:web:2b712b2, author = {Jérôme Segura}, title = {{Web skimmer hides within EXIF metadata, exfiltrates credit cards via image files}}, date = {2020-06-25}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/}, language = {English}, urldate = {2020-06-29} } Web skimmer hides within EXIF metadata, exfiltrates credit cards via image files
magecart
2020-06-24Twitter (@3xp0rtblog)3xp0rt
@online{3xp0rt:20200624:new:6b725c2, author = {3xp0rt}, title = {{Tweet on new version of TaurusStealer (v1.4)}}, date = {2020-06-24}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1275746149719252992}, language = {English}, urldate = {2020-06-24} } Tweet on new version of TaurusStealer (v1.4)
TerraStealer
2020-06-23NCC GroupNikolaos Pantazopoulos, Stefano Antenucci, Michael Sandee
@online{pantazopoulos:20200623:wastedlocker:112d6b3, author = {Nikolaos Pantazopoulos and Stefano Antenucci and Michael Sandee}, title = {{WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group}}, date = {2020-06-23}, organization = {NCC Group}, url = {https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/}, language = {English}, urldate = {2020-06-23} } WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
Cobalt Strike ISFB WastedLocker
2020-06-23Bleeping ComputerIonut Ilascu
@online{ilascu:20200623:ryuk:c63b0c6, author = {Ionut Ilascu}, title = {{Ryuk ransomware deployed two weeks after Trickbot infection}}, date = {2020-06-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-deployed-two-weeks-after-trickbot-infection/}, language = {English}, urldate = {2020-06-30} } Ryuk ransomware deployed two weeks after Trickbot infection
Ryuk
2020-06-23SymantecCritical Attack Discovery and Intelligence Team
@online{team:20200623:sodinokibi:7eff193, author = {Critical Attack Discovery and Intelligence Team}, title = {{Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike}}, date = {2020-06-23}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos}, language = {English}, urldate = {2020-06-23} } Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike
Cobalt Strike REvil
2020-06-22Sentinel LABSJoshua Platt, Jason Reaves
@online{platt:20200622:inside:b381dd5, author = {Joshua Platt and Jason Reaves}, title = {{Inside a TrickBot Cobalt Strike Attack Server}}, date = {2020-06-22}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/}, language = {English}, urldate = {2020-06-23} } Inside a TrickBot Cobalt Strike Attack Server
Cobalt Strike TrickBot
2020-06-22Talos IntelligenceAsheer Malhotra
@online{malhotra:20200622:indigodrop:6d5e7e1, author = {Asheer Malhotra}, title = {{IndigoDrop spreads via military-themed lures to deliver Cobalt Strike}}, date = {2020-06-22}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html}, language = {English}, urldate = {2020-06-24} } IndigoDrop spreads via military-themed lures to deliver Cobalt Strike
Cobalt Strike IndigoDrop
2020-06-19ZscalerAtinderpal Singh, Nirmal Singh, Sahil Antil
@online{singh:20200619:targeted:05d8d31, author = {Atinderpal Singh and Nirmal Singh and Sahil Antil}, title = {{Targeted Attack Leverages India-China Border Dispute to Lure Victims}}, date = {2020-06-19}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/targeted-attack-leverages-india-china-border-dispute-lure-victims}, language = {English}, urldate = {2020-06-21} } Targeted Attack Leverages India-China Border Dispute to Lure Victims
Cobalt Strike
2020-06-19Youtube (Raphael Mudge)Raphael Mudge
@online{mudge:20200619:beacon:bc8ae77, author = {Raphael Mudge}, title = {{Beacon Object Files - Luser Demo}}, date = {2020-06-19}, organization = {Youtube (Raphael Mudge)}, url = {https://www.youtube.com/watch?v=gfYswA_Ronw}, language = {English}, urldate = {2020-06-23} } Beacon Object Files - Luser Demo
Cobalt Strike
2020-06-18Quick HealPreksha Saxena
@online{saxena:20200618:maze:76ca64b, author = {Preksha Saxena}, title = {{Maze ransomware continues to be a threat to the consumers}}, date = {2020-06-18}, organization = {Quick Heal}, url = {https://blogs.quickheal.com/maze-ransomware-continues-threat-consumers/}, language = {English}, urldate = {2020-07-02} } Maze ransomware continues to be a threat to the consumers
Maze
2020-06-18Australian Cyber Security CentreAustralian Cyber Security Centre (ACSC)
@techreport{acsc:20200618:advisory:ed0f53c, author = {Australian Cyber Security Centre (ACSC)}, title = {{Advisory 2020-008: Copy-Paste Compromises –tactics, techniques and procedures used to target multiple Australian networks}}, date = {2020-06-18}, institution = {Australian Cyber Security Centre}, url = {https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf}, language = {English}, urldate = {2020-06-19} } Advisory 2020-008: Copy-Paste Compromises –tactics, techniques and procedures used to target multiple Australian networks
TwoFace Cobalt Strike Empire Downloader
2020-06-17CognizantCognizant
@techreport{cognizant:20200617:notice:37fe994, author = {Cognizant}, title = {{Notice of Data Breach}}, date = {2020-06-17}, institution = {Cognizant}, url = {https://oag.ca.gov/system/files/Letter%204.pdf}, language = {English}, urldate = {2020-06-18} } Notice of Data Breach
Maze
2020-06-17MalwarebytesHossein Jazi, Jérôme Segura
@online{jazi:20200617:multistage:6358f3f, author = {Hossein Jazi and Jérôme Segura}, title = {{Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature}}, date = {2020-06-17}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature/}, language = {English}, urldate = {2020-06-19} } Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature
Cobalt Strike
2020-06-16BleepingComputerSergiu Gatlan
@online{gatlan:20200616:chipmaker:0e801b8, author = {Sergiu Gatlan}, title = {{Chipmaker MaxLinear reports data breach after Maze Ransomware attack}}, date = {2020-06-16}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/chipmaker-maxlinear-reports-data-breach-after-maze-ransomware-attack/}, language = {English}, urldate = {2020-06-17} } Chipmaker MaxLinear reports data breach after Maze Ransomware attack
Maze
2020-06-15Cisco TalosDavid Liebenberg, Caitlin Huey
@online{liebenberg:20200615:quarterly:c2dcd77, author = {David Liebenberg and Caitlin Huey}, title = {{Quarterly report: Incident Response trends in Summer 2020}}, date = {2020-06-15}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/06/CTIR-trends-q3-2020.html#more}, language = {English}, urldate = {2020-06-19} } Quarterly report: Incident Response trends in Summer 2020
Ryuk
2020-06-15SansecSansec Threat Research Team
@online{team:20200615:magecart:09274cd, author = {Sansec Threat Research Team}, title = {{Magecart strikes amid Corona lockdown}}, date = {2020-06-15}, organization = {Sansec}, url = {https://sansec.io/research/magecart-corona-lockdown}, language = {English}, urldate = {2020-06-16} } Magecart strikes amid Corona lockdown
magecart
2020-06-15NCC GroupExploit Development Group
@online{group:20200615:striking:8fdf4bb, author = {Exploit Development Group}, title = {{Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability}}, date = {2020-06-15}, organization = {NCC Group}, url = {https://research.nccgroup.com/2020/06/15/striking-back-at-retired-cobalt-strike-a-look-at-a-legacy-vulnerability/}, language = {English}, urldate = {2020-06-16} } Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability
Cobalt Strike
2020-06-15ZDNetCatalin Cimpanu
@online{cimpanu:20200615:web:a10a55d, author = {Catalin Cimpanu}, title = {{Web skimmers found on the websites of Intersport, Claire's, and Icing}}, date = {2020-06-15}, organization = {ZDNet}, url = {https://www.zdnet.com/article/web-skimmers-found-on-the-websites-of-intersport-claires-and-icing/}, language = {English}, urldate = {2020-06-16} } Web skimmers found on the websites of Intersport, Claire's, and Icing
magecart
2020-06-09RiskIQJordan Herman
@online{herman:20200609:misconfigured:75c6908, author = {Jordan Herman}, title = {{Misconfigured Amazon S3 Buckets Continue to be a Launchpad for Malicious Code}}, date = {2020-06-09}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/misconfigured-s3-buckets/}, language = {English}, urldate = {2020-06-10} } Misconfigured Amazon S3 Buckets Continue to be a Launchpad for Malicious Code
magecart
2020-06-09Github (Sentinel-One)Gal Kristal
@online{kristal:20200609:cobaltstrikeparser:a023ac8, author = {Gal Kristal}, title = {{CobaltStrikeParser}}, date = {2020-06-09}, organization = {Github (Sentinel-One)}, url = {https://github.com/Sentinel-One/CobaltStrikeParser/blob/master/parse_beacon_config.py}, language = {English}, urldate = {2020-09-15} } CobaltStrikeParser
Cobalt Strike
2020-06-05SUCURIDenis Sinegubko
@online{sinegubko:20200605:evasion:86c8265, author = {Denis Sinegubko}, title = {{Evasion Tactics in Hybrid Credit Card Skimmers}}, date = {2020-06-05}, organization = {SUCURI}, url = {https://blog.sucuri.net/2020/06/evasion-tactics-in-hybrid-credit-card-skimmers.html}, language = {English}, urldate = {2020-06-10} } Evasion Tactics in Hybrid Credit Card Skimmers
magecart
2020-06-04Chianxin Virus Response Center
@online{center:20200604::a1c780b, author = {Chianxin Virus Response Center}, title = {{脚本系贼寇之风兴起,买卖体系堪比勒索软件}}, date = {2020-06-04}, url = {https://mp.weixin.qq.com/s/REXBtbnI2zXj4H3u6ofMMw}, language = {Chinese}, urldate = {2020-07-16} } 脚本系贼寇之风兴起,买卖体系堪比勒索软件
EVILNUM More_eggs
2020-06-04Sophos Naked SecurityLisa Vaas
@online{vaas:20200604:nuclear:9d471e1, author = {Lisa Vaas}, title = {{Nuclear missile contractor hacked in Maze ransomware attack}}, date = {2020-06-04}, organization = {Sophos Naked Security}, url = {https://nakedsecurity.sophos.com/2020/06/04/nuclear-missile-contractor-hacked-in-maze-ransomware-attack/}, language = {English}, urldate = {2020-06-04} } Nuclear missile contractor hacked in Maze ransomware attack
Maze
2020-05-28MicrosoftMicrosoft Threat Intelligence Center (MSTIC)
@online{mstic:20200528:breaking:f55e372, author = {Microsoft Threat Intelligence Center (MSTIC)}, title = {{Breaking down NOBELIUM’s latest early-stage toolset}}, date = {2020-05-28}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/}, language = {English}, urldate = {2021-06-09} } Breaking down NOBELIUM’s latest early-stage toolset
Cobalt Strike
2020-05-21BrightTALK (FireEye)Kimberly Goody, Jeremy Kennelly
@online{goody:20200521:navigating:a2eae5f, author = {Kimberly Goody and Jeremy Kennelly}, title = {{Navigating MAZE: Analysis of a Rising Ransomware Threat}}, date = {2020-05-21}, organization = {BrightTALK (FireEye)}, url = {https://www.brighttalk.com/webcast/7451/408167/navigating-maze-analysis-of-a-rising-ransomware-threat}, language = {English}, urldate = {2020-06-05} } Navigating MAZE: Analysis of a Rising Ransomware Threat
Maze
2020-05-20ReflectizReflectiz
@online{reflectiz:20200520:gocgle:47c4bc7, author = {Reflectiz}, title = {{The Gocgle Malicious Campaign}}, date = {2020-05-20}, organization = {Reflectiz}, url = {https://www.reflectiz.com/the-gocgle-web-skimming-campaign/}, language = {English}, urldate = {2020-05-23} } The Gocgle Malicious Campaign
magecart
2020-05-14Lab52Dex
@online{dex:20200514:energy:43e92b4, author = {Dex}, title = {{The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey}}, date = {2020-05-14}, organization = {Lab52}, url = {https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/}, language = {English}, urldate = {2020-06-10} } The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey
Cobalt Strike HTran MimiKatz PlugX Quasar RAT
2020-05-11SentinelOneGal Kristal
@online{kristal:20200511:anatomy:4ece947, author = {Gal Kristal}, title = {{The Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration}}, date = {2020-05-11}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/}, language = {English}, urldate = {2020-05-13} } The Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration
Cobalt Strike
2020-05-07REDTEAM.PLAdam Ziaja
@online{ziaja:20200507:sodinokibi:f5c5cd1, author = {Adam Ziaja}, title = {{Sodinokibi / REvil ransomware}}, date = {2020-05-07}, organization = {REDTEAM.PL}, url = {https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html}, language = {English}, urldate = {2020-05-13} } Sodinokibi / REvil ransomware
Maze MimiKatz REvil
2020-05-07FireEye IncKimberly Goody, Jeremy Kennelly, Joshua Shilko
@online{goody:20200507:navigating:7147cb7, author = {Kimberly Goody and Jeremy Kennelly and Joshua Shilko}, title = {{Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents}}, date = {2020-05-07}, organization = {FireEye Inc}, url = {https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html}, language = {English}, urldate = {2020-05-11} } Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents
Maze
2020-05-05N1ght-W0lf BlogAbdallah Elshinbary
@online{elshinbary:20200505:deep:f5661cb, author = {Abdallah Elshinbary}, title = {{Deep Analysis of Ryuk Ransomware}}, date = {2020-05-05}, organization = {N1ght-W0lf Blog}, url = {https://n1ght-w0lf.github.io/malware%20analysis/ryuk-ransomware/}, language = {English}, urldate = {2020-05-10} } Deep Analysis of Ryuk Ransomware
Ryuk
2020-05-04BluelivBlueliv Team
@online{team:20200504:escape:63ebdfa, author = {Blueliv Team}, title = {{Escape from the Maze}}, date = {2020-05-04}, organization = {Blueliv}, url = {https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/escape-from-the-maze/}, language = {English}, urldate = {2020-05-11} } Escape from the Maze
Maze
2020-05-01CrowdStrikeShaun Hurley
@online{hurley:20200501:many:22ed72c, author = {Shaun Hurley}, title = {{The Many Paths Through Maze}}, date = {2020-05-01}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/maze-ransomware-deobfuscation/}, language = {English}, urldate = {2020-05-05} } The Many Paths Through Maze
Maze
2020-04-28MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200428:ransomware:3205f3a, author = {Microsoft Threat Protection Intelligence Team}, title = {{Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk}}, date = {2020-04-28}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/}, language = {English}, urldate = {2020-05-05} } Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk
LockBit Mailto Maze MedusaLocker Paradise RagnarLocker REvil RobinHood
2020-04-24The DFIR ReportThe DFIR Report
@online{report:20200424:ursnif:e983798, author = {The DFIR Report}, title = {{Ursnif via LOLbins}}, date = {2020-04-24}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/}, language = {English}, urldate = {2021-03-16} } Ursnif via LOLbins
Cobalt Strike LOLSnif TeamSpy
2020-04-19SecurityLiterateKyle Cucci
@online{cucci:20200419:reversing:4523233, author = {Kyle Cucci}, title = {{Reversing Ryuk: A Technical Analysis of Ryuk Ransomware}}, date = {2020-04-19}, organization = {SecurityLiterate}, url = {https://securityliterate.com/reversing-ryuk-a-technical-analysis-of-ryuk-ransomware/}, language = {English}, urldate = {2020-08-13} } Reversing Ryuk: A Technical Analysis of Ryuk Ransomware
Ryuk
2020-04-18C