FIN6  (Back to overview)

aka: Skeleton Spider, ITG08

FIN is a group targeting financial assets including assets able to do financial transaction including PoS.


Associated Families
js.more_eggs win.cobalt_strike win.grateful_pos win.lockergoga win.ryuk

References
2020-01-14 ⋅ Bleeping ComputerLawrence Abrams
@online{abrams:20200114:ryuk:b2e47fa, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices}}, date = {2020-01-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/}, language = {English}, urldate = {2020-01-15} } Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices
Ryuk
2019-12-26 ⋅ Bleeping ComputerLawrence Abrams
@online{abrams:20191226:ryuk:acc2284, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Stops Encrypting Linux Folders}}, date = {2019-12-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-stops-encrypting-linux-folders/}, language = {English}, urldate = {2020-01-08} } Ryuk Ransomware Stops Encrypting Linux Folders
Ryuk
2019-12-23 ⋅ Norfolk
@online{norfolk:20191223:pos:5862d6d, author = {Norfolk}, title = {{POS Malware Used at Fuel Pumps}}, date = {2019-12-23}, url = {https://norfolkinfosec.com/pos-malware-used-at-fuel-pumps/}, language = {English}, urldate = {2020-01-07} } POS Malware Used at Fuel Pumps
Grateful POS
2019-12-23 ⋅ Bleeping ComputerLawrence Abrams
@online{abrams:20191223:fbi:7c11cf8, author = {Lawrence Abrams}, title = {{FBI Issues Alert For LockerGoga and MegaCortex Ransomware}}, date = {2019-12-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/}, language = {English}, urldate = {2020-01-08} } FBI Issues Alert For LockerGoga and MegaCortex Ransomware
LockerGoga MegaCortex
2019-12-21 ⋅ DecryptAdriana Hamacher
@online{hamacher:20191221:how:9d026a8, author = {Adriana Hamacher}, title = {{How ransomware exploded in the age of Bitcoin}}, date = {2019-12-21}, organization = {Decrypt}, url = {https://decrypt.co/15394/how-ransomware-exploded-in-the-age-of-btc}, language = {English}, urldate = {2020-01-13} } How ransomware exploded in the age of Bitcoin
Ryuk
2019-12-19 ⋅ MalwarebytesJovi Umawing
@online{umawing:20191219:threat:552a941, author = {Jovi Umawing}, title = {{Threat spotlight: the curious case of Ryuk ransomware}}, date = {2019-12-19}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-spotlight/2019/12/threat-spotlight-the-curious-case-of-ryuk-ransomware/}, language = {English}, urldate = {2020-01-08} } Threat spotlight: the curious case of Ryuk ransomware
Ryuk
2019-12-15 ⋅ Bleeping ComputerLawrence Abrams
@online{abrams:20191215:ryuk:74f6eab, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Likely Behind New Orleans Cyberattack}}, date = {2019-12-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-likely-behind-new-orleans-cyberattack/}, language = {English}, urldate = {2020-01-13} } Ryuk Ransomware Likely Behind New Orleans Cyberattack
Ryuk
2019-12-09 ⋅ EmsisoftEmsiSoft Malware Lab
@online{lab:20191209:caution:05ff83a, author = {EmsiSoft Malware Lab}, title = {{Caution! Ryuk Ransomware decryptor damages larger files, even if you pay}}, date = {2019-12-09}, organization = {Emsisoft}, url = {https://blog.emsisoft.com/en/35023/bug-in-latest-ryuk-decryptor-may-cause-data-loss/}, language = {English}, urldate = {2020-01-07} } Caution! Ryuk Ransomware decryptor damages larger files, even if you pay
Ryuk
2019-12-05 ⋅ Raphael Mudge
@online{mudge:20191205:cobalt:219044e, author = {Raphael Mudge}, title = {{Cobalt Strike 4.0 – Bring Your Own Weaponization}}, date = {2019-12-05}, url = {https://blog.cobaltstrike.com/}, language = {English}, urldate = {2019-12-06} } Cobalt Strike 4.0 – Bring Your Own Weaponization
Cobalt Strike
2019-12-05 ⋅ Github (blackorbird)blackorbird
@techreport{blackorbird:20191205:apt32:0afe4e7, author = {blackorbird}, title = {{APT32 Report}}, date = {2019-12-05}, institution = {Github (blackorbird)}, url = {https://github.com/blackorbird/APT_REPORT/blob/master/Oceanlotus/apt32_report_2019.pdf}, language = {Japanese}, urldate = {2020-01-10} } APT32 Report
Cobalt Strike
2019-11-27 ⋅ Twitter (@Prosegur)Prosegur
@online{prosegur:20191127:incident:bd76c3f, author = {Prosegur}, title = {{Tweet on Incident of Information Security}}, date = {2019-11-27}, organization = {Twitter (@Prosegur)}, url = {https://twitter.com/Prosegur/status/1199732264386596864}, language = {English}, urldate = {2020-01-09} } Tweet on Incident of Information Security
Ryuk
2019-11-06 ⋅ Heise SecurityThomas Hungenberg
@online{hungenberg:20191106:emotet:1605954, author = {Thomas Hungenberg}, title = {{Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail}}, date = {2019-11-06}, organization = {Heise Security}, url = {https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html}, language = {German}, urldate = {2020-01-06} } Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail
Emotet Ryuk TrickBot
2019-11-05 ⋅ tccontre Blogtccontre
@online{tccontre:20191105:cobaltstrike:02e37af, author = {tccontre}, title = {{CobaltStrike - beacon.dll : Your No Ordinary MZ Header}}, date = {2019-11-05}, organization = {tccontre Blog}, url = {https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html}, language = {English}, urldate = {2019-12-17} } CobaltStrike - beacon.dll : Your No Ordinary MZ Header
Cobalt Strike
2019-11 ⋅ CCN-CERTCCN-CERT
@online{ccncert:201911:informe:69b39b5, author = {CCN-CERT}, title = {{Informe Código Dañino CCN-CERT ID-26/19}}, date = {2019-11}, organization = {CCN-CERT}, url = {https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/4217-ccn-cert-id-26-19-ryuk-1/file.html}, language = {Espanyol}, urldate = {2020-01-10} } Informe Código Dañino CCN-CERT ID-26/19
Ryuk
2019-11-01 ⋅ CrowdStrikeAlexander Hanel, Brett Stone-Gross
@online{hanel:20191101:wizard:a34a09e, author = {Alexander Hanel and Brett Stone-Gross}, title = {{WIZARD SPIDER Adds New Features to Ryuk for Targeting Hosts on LAN}}, date = {2019-11-01}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/}, language = {English}, urldate = {2019-12-20} } WIZARD SPIDER Adds New Features to Ryuk for Targeting Hosts on LAN
Ryuk WIZARD SPIDER
2019-08-29 ⋅ Security IntelligenceOle Villadsen, Kevin Henson, Melissa Frydrych, Joey Victorino
@online{villadsen:20190829:moreeggs:8ff7351, author = {Ole Villadsen and Kevin Henson and Melissa Frydrych and Joey Victorino}, title = {{More_eggs, Anyone? Threat Actor ITG08 Strikes Again}}, date = {2019-08-29}, organization = {Security Intelligence}, url = {https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/}, language = {English}, urldate = {2020-01-13} } More_eggs, Anyone? Threat Actor ITG08 Strikes Again
More_eggs FIN6
2019-06-04 ⋅ BitdefenderBitdefender
@techreport{bitdefender:20190604:blueprint:ce0583c, author = {Bitdefender}, title = {{An APT Blueprint: Gaining New Visibility into Financial Threats}}, date = {2019-06-04}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf}, language = {English}, urldate = {2019-12-18} } An APT Blueprint: Gaining New Visibility into Financial Threats
More_eggs Cobalt Strike
2019-05-19 ⋅ nrkHenrik Lied, Peter Svaar, Dennis Ravndal, Anders Brekke, Kristine Hirsti
@online{lied:20190519:skreddersydd:e16c8d8, author = {Henrik Lied and Peter Svaar and Dennis Ravndal and Anders Brekke and Kristine Hirsti}, title = {{Skreddersydd dobbeltangrep mot Hydro}}, date = {2019-05-19}, organization = {nrk}, url = {https://www.nrk.no/norge/skreddersydd-dobbeltangrep-mot-hydro-1.14480202}, language = {Norwegian}, urldate = {2019-11-21} } Skreddersydd dobbeltangrep mot Hydro
LockerGoga
2019-05-09 ⋅ GovCERT.chGovCERT.ch
@online{govcertch:20190509:severe:2767782, author = {GovCERT.ch}, title = {{Severe Ransomware Attacks Against Swiss SMEs}}, date = {2019-05-09}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes}, language = {English}, urldate = {2019-07-11} } Severe Ransomware Attacks Against Swiss SMEs
Emotet LockerGoga Ryuk TrickBot
2019-05-04 ⋅ Abuse.ioAbuse.io
@online{abuseio:20190504:abuseio:d5062ca, author = {Abuse.io}, title = {{Abuse.io Report - Lockergoga}}, date = {2019-05-04}, organization = {Abuse.io}, url = {https://www.abuse.io/lockergoga.txt}, language = {English}, urldate = {2020-01-07} } Abuse.io Report - Lockergoga
LockerGoga
2019-04-24 ⋅ WeixinTencent
@online{tencent:20190424:sea:a722d68, author = {Tencent}, title = {{"Sea Lotus" APT organization's attack techniques against China in the first quarter of 2019 revealed}}, date = {2019-04-24}, organization = {Weixin}, url = {https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A}, language = {English}, urldate = {2020-01-13} } "Sea Lotus" APT organization's attack techniques against China in the first quarter of 2019 revealed
Cobalt Strike SOUNDBITE
2019-04-16 ⋅ Youtube (Norsk Hydro)Norsk Hydro
@online{hydro:20190416:cyber:ada48a4, author = {Norsk Hydro}, title = {{The cyber attack rescue operation in Hydro Toulouse}}, date = {2019-04-16}, organization = {Youtube (Norsk Hydro)}, url = {https://www.youtube.com/watch?v=o6eEN0mUakM}, language = {English}, urldate = {2020-01-13} } The cyber attack rescue operation in Hydro Toulouse
LockerGoga
2019-04-15 ⋅ PenTestPartnersNeil Lines
@online{lines:20190415:cobalt:7b3c086, author = {Neil Lines}, title = {{Cobalt Strike. Walkthrough for Red Teamers}}, date = {2019-04-15}, organization = {PenTestPartners}, url = {https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/}, language = {English}, urldate = {2019-12-17} } Cobalt Strike. Walkthrough for Red Teamers
Cobalt Strike
2019-04-05 ⋅ FireEyeBrendan McKeague, Van Ta, Ben Fedore, Geoff Ackerman, Alex Pennino, Andrew Thompson, Douglas Bienstock
@online{mckeague:20190405:picksix:d101a59, author = {Brendan McKeague and Van Ta and Ben Fedore and Geoff Ackerman and Alex Pennino and Andrew Thompson and Douglas Bienstock}, title = {{Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware}}, date = {2019-04-05}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html}, language = {English}, urldate = {2019-12-20} } Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware
LockerGoga Ryuk FIN6
2019-04-02 ⋅ HelpNetSecurityZeljka Zorz
@online{zorz:20190402:lockergoga:7fe224d, author = {Zeljka Zorz}, title = {{A LockerGoga primer and decrypters for Mira and Aurora ransomwares}}, date = {2019-04-02}, organization = {HelpNetSecurity}, url = {https://www.helpnetsecurity.com/2019/04/02/aurora-decrypter-mira-decrypter/}, language = {English}, urldate = {2019-12-16} } A LockerGoga primer and decrypters for Mira and Aurora ransomwares
LockerGoga
2019-04-02 ⋅ CybereasonNoa Pinkas, Lior Rochberger, Matan Zatz
@online{pinkas:20190402:triple:10a3e37, author = {Noa Pinkas and Lior Rochberger and Matan Zatz}, title = {{Triple Threat: Emotet Deploys Trickbot to Steal Data & Spread Ryuk}}, date = {2019-04-02}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware}, language = {English}, urldate = {2020-01-09} } Triple Threat: Emotet Deploys Trickbot to Steal Data & Spread Ryuk
Ryuk TrickBot
2019-03-26 ⋅ ANSSIANSSI
@techreport{anssi:20190326:informations:7965c3d, author = {ANSSI}, title = {{INFORMATIONS CONCERNANTLES RANÇONGICIELSLOCKERGOGA ET RYUK}}, date = {2019-03-26}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf}, language = {French}, urldate = {2020-01-10} } INFORMATIONS CONCERNANTLES RANÇONGICIELSLOCKERGOGA ET RYUK
Ryuk
2019-03-21 ⋅ DoublePulsarKevin Beaumont
@online{beaumont:20190321:how:ecfbbf1, author = {Kevin Beaumont}, title = {{How Lockergoga took down Hydro — ransomware used in targeted attacks aimed at big business}}, date = {2019-03-21}, organization = {DoublePulsar}, url = {https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880}, language = {English}, urldate = {2019-11-29} } How Lockergoga took down Hydro — ransomware used in targeted attacks aimed at big business
LockerGoga
2019-02-27 ⋅ MorphisecMichael Gorelik, Alon Groisman
@online{gorelik:20190227:new:5296a0b, author = {Michael Gorelik and Alon Groisman}, title = {{New Global Cyber Attack on Point of Sale Sytem}}, date = {2019-02-27}, organization = {Morphisec}, url = {http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems}, language = {English}, urldate = {2020-01-09} } New Global Cyber Attack on Point of Sale Sytem
Cobalt Strike
2019-02-21 ⋅ ProofpointProofpoint Threat Insight Team
@online{team:20190221:fake:e94f77a, author = {Proofpoint Threat Insight Team}, title = {{Fake Jobs: Campaigns Delivering More_eggs Backdoor via Fake Job Offers}}, date = {2019-02-21}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/fake-jobs-campaigns-delivering-moreeggs-backdoor-fake-job-offers}, language = {English}, urldate = {2019-12-20} } Fake Jobs: Campaigns Delivering More_eggs Backdoor via Fake Job Offers
More_eggs
2019-01-30 ⋅ Bleeping ComputerIonut Ilascu
@online{ilascu:20190130:new:5c2d8da, author = {Ionut Ilascu}, title = {{New LockerGoga Ransomware Allegedly Used in Altran Attack}}, date = {2019-01-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/}, language = {English}, urldate = {2019-12-20} } New LockerGoga Ransomware Allegedly Used in Altran Attack
LockerGoga
2019-01-11 ⋅ FireEyeKimberly Goody, Jeremy Kennelly, Jaideep Natu, Christopher Glyer
@online{goody:20190111:nasty:3c872d4, author = {Kimberly Goody and Jeremy Kennelly and Jaideep Natu and Christopher Glyer}, title = {{A Nasty Trick: From Credential Theft Malware to Business Disruption}}, date = {2019-01-11}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html}, language = {English}, urldate = {2019-12-20} } A Nasty Trick: From Credential Theft Malware to Business Disruption
Ryuk TrickBot GRIM SPIDER WIZARD SPIDER
2019-01-10 ⋅ CrowdStrikeAlexander Hanel
@online{hanel:20190110:big:7e10bdf, author = {Alexander Hanel}, title = {{Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware}}, date = {2019-01-10}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/}, language = {English}, urldate = {2019-12-20} } Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware
Ryuk GRIM SPIDER MUMMY SPIDER STARDUST CHOLLIMA WIZARD SPIDER
2019-01-09 ⋅ McAfeeJohn Fokker, Christiaan Beek
@online{fokker:20190109:ryuk:350f477, author = {John Fokker and Christiaan Beek}, title = {{Ryuk Ransomware Attack: Rush to Attribution Misses the Point}}, date = {2019-01-09}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/}, language = {English}, urldate = {2020-01-09} } Ryuk Ransomware Attack: Rush to Attribution Misses the Point
Ryuk
2019 ⋅ MITREMITRE ATT&CK
@online{attck:2019:fin6:791eaef, author = {MITRE ATT&CK}, title = {{Group description: FIN6}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0037/}, language = {English}, urldate = {2019-12-20} } Group description: FIN6
FIN6
2019 ⋅ Virus BulletinGabriela Nicolao, Luciano Martins
@techreport{nicolao:2019:shinigamis:8397861, author = {Gabriela Nicolao and Luciano Martins}, title = {{Shinigami's Revenge: The Long Tail of Ryuk Malware}}, date = {2019}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-NicolaoMartins.pdf}, language = {English}, urldate = {2020-01-05} } Shinigami's Revenge: The Long Tail of Ryuk Malware
Ryuk
2018-12-29 ⋅ Los Angeles TimesTony Barboza, Meg James, Emily Alpert Reyes
@online{barboza:20181229:malware:d5d8d0d, author = {Tony Barboza and Meg James and Emily Alpert Reyes}, title = {{Malware attack disrupts delivery of L.A. Times and Tribune papers across the U.S.}}, date = {2018-12-29}, organization = {Los Angeles Times}, url = {https://www.latimes.com/local/lanow/la-me-ln-times-delivery-disruption-20181229-story.html}, language = {English}, urldate = {2020-01-10} } Malware attack disrupts delivery of L.A. Times and Tribune papers across the U.S.
Ryuk
2018-11-19 ⋅ FireEyeMatthew Dunwoody, Andrew Thompson, Ben Withnell, Jonathan Leathery, Michael Matonis, Nick Carr
@online{dunwoody:20181119:not:e581291, author = {Matthew Dunwoody and Andrew Thompson and Ben Withnell and Jonathan Leathery and Michael Matonis and Nick Carr}, title = {{Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign}}, date = {2018-11-19}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html}, language = {English}, urldate = {2019-12-20} } Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign
Cobalt Strike
2018-11-18 ⋅ Stranded on Pylos BlogJoe
@online{joe:20181118:cozybear:4801301, author = {Joe}, title = {{CozyBear – In from the Cold?}}, date = {2018-11-18}, organization = {Stranded on Pylos Blog}, url = {https://pylos.co/2018/11/18/cozybear-in-from-the-cold/}, language = {English}, urldate = {2020-01-09} } CozyBear – In from the Cold?
Cobalt Strike APT 29
2018-10-17 ⋅ MITRE ATT&CKMITRE
@online{mitre:20181017:software:84822e8, author = {MITRE}, title = {{Software Description: More_eggs}}, date = {2018-10-17}, organization = {MITRE ATT&CK}, url = {https://attack.mitre.org/software/S0284/}, language = {English}, urldate = {2020-01-10} } Software Description: More_eggs
More_eggs
2018-10-08 ⋅ MorphisecMichael Gorelik
@online{gorelik:20181008:cobalt:dece0e0, author = {Michael Gorelik}, title = {{Cobalt Group 2.0}}, date = {2018-10-08}, organization = {Morphisec}, url = {https://blog.morphisec.com/cobalt-gang-2.0}, language = {English}, urldate = {2020-01-05} } Cobalt Group 2.0
More_eggs
2018-09-27 ⋅ SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20180927:cybercriminals:a7f1c24, author = {Counter Threat Unit ResearchTeam}, title = {{Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish}}, date = {2018-09-27}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish}, language = {English}, urldate = {2020-01-08} } Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish
More_eggs Cobalt
2018-08-30 ⋅ NetScoutASERT Team
@online{team:20180830:double:e5d9e22, author = {ASERT Team}, title = {{Double the Infection, Double the Fun}}, date = {2018-08-30}, organization = {NetScout}, url = {https://asert.arbornetworks.com/double-the-infection-double-the-fun/}, language = {English}, urldate = {2020-01-08} } Double the Infection, Double the Fun
More_eggs CobInt
2018-08-20 ⋅ Check PointItay Cohen, Ben Herzog
@online{cohen:20180820:ryuk:5756495, author = {Itay Cohen and Ben Herzog}, title = {{Ryuk Ransomware: A Targeted Campaign Break-Down}}, date = {2018-08-20}, organization = {Check Point}, url = {https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/}, language = {English}, urldate = {2019-12-10} } Ryuk Ransomware: A Targeted Campaign Break-Down
Ryuk
2018-08-03 ⋅ JPCERT/CCTakuya Endo, Yukako Uchida
@online{endo:20180803:volatility:4597ce0, author = {Takuya Endo and Yukako Uchida}, title = {{Volatility Plugin for Detecting Cobalt Strike Beacon}}, date = {2018-08-03}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html}, language = {English}, urldate = {2019-07-11} } Volatility Plugin for Detecting Cobalt Strike Beacon
Cobalt Strike
2018-07-31 ⋅ Github (JPCERTCC)JPCERT/CC
@online{jpcertcc:20180731:scanner:d1757d9, author = {JPCERT/CC}, title = {{Scanner for CobaltStrike}}, date = {2018-07-31}, organization = {Github (JPCERTCC)}, url = {https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py}, language = {English}, urldate = {2020-01-13} } Scanner for CobaltStrike
Cobalt Strike
2018-07-31 ⋅ Cisco TalosVanja Svajcer
@online{svajcer:20180731:multiple:15a3457, author = {Vanja Svajcer}, title = {{Multiple Cobalt Personality Disorder}}, date = {2018-07-31}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html}, language = {English}, urldate = {2019-12-15} } Multiple Cobalt Personality Disorder
More_eggs
2018-05-21 ⋅ LACYoshihiro Ishikawa
@online{ishikawa:20180521:confirmed:ad336b5, author = {Yoshihiro Ishikawa}, title = {{Confirmed new attacks by APT attacker group menuPass (APT10)}}, date = {2018-05-21}, organization = {LAC}, url = {https://www.lac.co.jp/lacwatch/people/20180521_001638.html}, language = {Japanese}, urldate = {2019-10-27} } Confirmed new attacks by APT attacker group menuPass (APT10)
Cobalt Strike
2018-03-02 ⋅ ReaqtaReaqta
@online{reaqta:20180302:spearphishing:3d933a4, author = {Reaqta}, title = {{Spear-phishing campaign leveraging on MSXSL}}, date = {2018-03-02}, organization = {Reaqta}, url = {https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/}, language = {English}, urldate = {2020-01-08} } Spear-phishing campaign leveraging on MSXSL
More_eggs
2017-12-13 ⋅ Vitali Kremez BlogVitali Kremez
@online{kremez:20171213:update:50a1f16, author = {Vitali Kremez}, title = {{Update: Let's Learn: Reversing FIN6 "GratefulPOS" aka "FrameworkPOS" Point-of-Sale Malware in-Depth}}, date = {2017-12-13}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2017/12/lets-learn-reversing-grateful-point-of.html}, language = {English}, urldate = {2020-01-08} } Update: Let's Learn: Reversing FIN6 "GratefulPOS" aka "FrameworkPOS" Point-of-Sale Malware in-Depth
Grateful POS
2017-12-08 ⋅ RSAKent Beckman
@online{beckman:20171208:gratefulpos:0ba1053, author = {Kent Beckman}, title = {{GratefulPOS credit card stealing malware - just in time for the shopping season}}, date = {2017-12-08}, organization = {RSA}, url = {https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season}, language = {English}, urldate = {2020-01-08} } GratefulPOS credit card stealing malware - just in time for the shopping season
Grateful POS
2017-11-20 ⋅ Trend MicroRonnie Giagone, Lenart Bermejo, Fyodor Yarochkin
@online{giagone:20171120:cobalt:fb5c2ed, author = {Ronnie Giagone and Lenart Bermejo and Fyodor Yarochkin}, title = {{Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks}}, date = {2017-11-20}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/}, language = {English}, urldate = {2019-10-29} } Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks
More_eggs Cobalt
2017-08-07 ⋅ Trend MicroLenart Bermejo, Ronnie Giagone, Rubio Wu, Fyodor Yarochkin
@online{bermejo:20170807:backdoorcarrying:317ebe3, author = {Lenart Bermejo and Ronnie Giagone and Rubio Wu and Fyodor Yarochkin}, title = {{Backdoor-carrying Emails Set Sights on Russian-speaking Businesses}}, date = {2017-08-07}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/}, language = {English}, urldate = {2020-01-09} } Backdoor-carrying Emails Set Sights on Russian-speaking Businesses
More_eggs
2017-06-06 ⋅ FireEyeIan Ahl
@online{ahl:20170606:privileges:9598d5f, author = {Ian Ahl}, title = {{Privileges and Credentials: Phished at the Request of Counsel}}, date = {2017-06-06}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html}, language = {English}, urldate = {2019-12-20} } Privileges and Credentials: Phished at the Request of Counsel
Cobalt Strike
2016-10-11 ⋅ SymantecSymantec Security Response
@online{response:20161011:odinaff:36b35db, author = {Symantec Security Response}, title = {{Odinaff: New Trojan used in high level financial attacks}}, date = {2016-10-11}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks}, language = {English}, urldate = {2019-12-05} } Odinaff: New Trojan used in high level financial attacks
Cobalt Strike KLRD MimiKatz Odinaff Anunak
2012 ⋅ Cobalt StrikeCobalt Strike
@online{strike:2012:cobalt:8522cdd, author = {Cobalt Strike}, title = {{Cobalt Strike Website}}, date = {2012}, organization = {Cobalt Strike}, url = {https://www.cobaltstrike.com/support}, language = {English}, urldate = {2020-01-13} } Cobalt Strike Website
Cobalt Strike
2011-06-29 ⋅ SymantecJohn McDonald
@techreport{mcdonald:20110629:inside:5df2e81, author = {John McDonald}, title = {{Inside a Back Door Attack}}, date = {2011-06-29}, institution = {Symantec}, url = {https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf}, language = {English}, urldate = {2019-11-29} } Inside a Back Door Attack
Grateful POS FIN6

Credits: MISP Project