GOLD CABIN is a financially motivated cybercriminal threat group that has operated a malware distribution service on behalf of numerous customers since 2018. GOLD CABIN uses malicious documents, often contained in password-protected archives and delivered through email, to download and execute payloads. The second-stage payloads are most frequently Gozi ISFB (Ursnif) or IcedID (Bokbot), sometimes delivered through intermediary malware such as Valak. GOLD CABIN infrastructure relies on artificial-looking and frequently changing URLs created with a domain generation algorithm (DGA). The URLs host a PHP object that returns the malware as a DLL file.
2023-01-30 ⋅ Checkpoint ⋅ Arie Olshtein @online{olshtein:20230130:following:e442fcc,
author = {Arie Olshtein},
title = {{Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware}},
date = {2023-01-30},
organization = {Checkpoint},
url = {https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/},
language = {English},
urldate = {2023-01-31}
}
Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware Agent Tesla Azorult Buer Cerber Cobalt Strike Emotet Formbook HawkEye Keylogger Loki Password Stealer (PWS) Maze NetWire RC Remcos REvil TrickBot |
2023-01-26 ⋅ Acronis ⋅ Ilan Duhin @online{duhin:20230126:unpacking:8ff4776,
author = {Ilan Duhin},
title = {{Unpacking Emotet Malware}},
date = {2023-01-26},
organization = {Acronis},
url = {https://medium.com/@Ilandu/emotet-unpacking-35bbe2980cfb},
language = {English},
urldate = {2023-01-27}
}
Unpacking Emotet Malware Emotet |
2023-01-20 ⋅ Blackberry ⋅ BlackBerry Research & Intelligence Team @online{team:20230120:emotet:3d5fe7f,
author = {BlackBerry Research & Intelligence Team},
title = {{Emotet Returns With New Methods of Evasion}},
date = {2023-01-20},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2023/01/emotet-returns-with-new-methods-of-evasion},
language = {English},
urldate = {2023-01-25}
}
Emotet Returns With New Methods of Evasion Emotet IcedID |
2023-01-12 ⋅ EclecticIQ ⋅ EclecticIQ Threat Research Team @online{team:20230112:qakbot:a26156d,
author = {EclecticIQ Threat Research Team},
title = {{QakBot Malware Used Unpatched Vulnerability to Bypass Windows OS Security Feature}},
date = {2023-01-12},
organization = {EclecticIQ},
url = {https://blog.eclecticiq.com/qakbot-malware-used-unpatched-vulnerability-to-bypass-windows-os-security-feature},
language = {English},
urldate = {2023-01-16}
}
QakBot Malware Used Unpatched Vulnerability to Bypass Windows OS Security Feature QakBot |
2023-01-09 ⋅ Intrinsec ⋅ Intrinsec, CTI Intrinsec @online{intrinsec:20230109:emotet:202716f,
author = {Intrinsec and CTI Intrinsec},
title = {{Emotet returns and deploys loaders}},
date = {2023-01-09},
organization = {Intrinsec},
url = {https://www.intrinsec.com/emotet-returns-and-deploys-loaders/},
language = {English},
urldate = {2023-01-10}
}
Emotet returns and deploys loaders BumbleBee Emotet IcedID |
2023-01-09 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20230109:unwrapping:d36b45f,
author = {The DFIR Report},
title = {{Unwrapping Ursnifs Gifts}},
date = {2023-01-09},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/},
language = {English},
urldate = {2023-01-13}
}
Unwrapping Ursnifs Gifts ISFB |
2022-12-28 ⋅ Micah Babinski @online{babinski:20221228:html:7dbe8af,
author = {Micah Babinski},
title = {{HTML Smuggling Detection}},
date = {2022-12-28},
url = {https://micahbabinski.medium.com/html-smuggling-detection-5adefebb6841},
language = {English},
urldate = {2022-12-31}
}
HTML Smuggling Detection QakBot |
2022-12-23 ⋅ Trendmicro ⋅ Ian Kenefick @online{kenefick:20221223:icedid:df95b05,
author = {Ian Kenefick},
title = {{IcedID Botnet Distributors Abuse Google PPC to Distribute Malware}},
date = {2022-12-23},
organization = {Trendmicro},
url = {https://www.trendmicro.com/en_ie/research/22/l/icedid-botnet-distributors-abuse-google-ppc-to-distribute-malware.html},
language = {English},
urldate = {2022-12-24}
}
IcedID Botnet Distributors Abuse Google PPC to Distribute Malware IcedID |
2022-12-22 ⋅ ASEC ⋅ AhnLab @online{ahnlab:20221222:qakbot:9e92461,
author = {AhnLab},
title = {{Qakbot Being Distributed via Virtual Disk Files (*.vhd)}},
date = {2022-12-22},
organization = {ASEC},
url = {https://asec.ahnlab.com/en/44662/},
language = {English},
urldate = {2022-12-24}
}
Qakbot Being Distributed via Virtual Disk Files (*.vhd) QakBot |
2022-12-21 ⋅ Team Cymru ⋅ S2 Research Team @online{team:20221221:inside:8298d24,
author = {S2 Research Team},
title = {{Inside the IcedID BackConnect Protocol}},
date = {2022-12-21},
organization = {Team Cymru},
url = {https://www.team-cymru.com/post/inside-the-icedid-backconnect-protocol},
language = {English},
urldate = {2022-12-24}
}
Inside the IcedID BackConnect Protocol IcedID |
2022-12-19 ⋅ kienmanowar Blog ⋅ m4n0w4r, Tran Trung Kien @online{m4n0w4r:20221219:z2abimonthly:8edee72,
author = {m4n0w4r and Tran Trung Kien},
title = {{[Z2A]Bimonthly malware challege – Emotet (Back From the Dead)}},
date = {2022-12-19},
organization = {kienmanowar Blog},
url = {https://kienmanowar.wordpress.com/2022/12/19/z2abimonthly-malware-challege-emotet-back-from-the-dead/},
language = {English},
urldate = {2022-12-20}
}
[Z2A]Bimonthly malware challege – Emotet (Back From the Dead) Emotet |
2022-12-18 ⋅ ZAYOTEM ⋅ Berkay DOĞAN, Dilara BEHAR, Rabia EKŞİ, Zafer Yiğithan DERECİ @online{doan:20221218:icedid:f4a858a,
author = {Berkay DOĞAN and Dilara BEHAR and Rabia EKŞİ and Zafer Yiğithan DERECİ},
title = {{IcedID Technical Analysis Report}},
date = {2022-12-18},
organization = {ZAYOTEM},
url = {https://drive.google.com/file/d/1jB0CsDvAADSrBeGxoi5gzyx8eQIiOJ2G/view},
language = {English},
urldate = {2022-12-20}
}
IcedID Technical Analysis Report IcedID |
2022-12-15 ⋅ ISC ⋅ Brad Duncan @online{duncan:20221215:google:179f840,
author = {Brad Duncan},
title = {{Google ads lead to fake software pages pushing IcedID (Bokbot)}},
date = {2022-12-15},
organization = {ISC},
url = {https://isc.sans.edu/diary/Google+ads+lead+to+fake+software+pages+pushing+IcedID+Bokbot/29344},
language = {English},
urldate = {2022-12-19}
}
Google ads lead to fake software pages pushing IcedID (Bokbot) IcedID |
2022-12-05 ⋅ Cybereason ⋅ Kotaro Ogino, Ralph Villanueva, Robin Plumer @online{ogino:20221205:threat:b2ffad4,
author = {Kotaro Ogino and Ralph Villanueva and Robin Plumer},
title = {{Threat Analysis: MSI - Masquerading as a Software Installer}},
date = {2022-12-05},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer},
language = {English},
urldate = {2022-12-05}
}
Threat Analysis: MSI - Masquerading as a Software Installer Magniber Matanbuchus QakBot |
2022-12-02 ⋅ Github (binref) ⋅ Jesko Hüttenhain @online{httenhain:20221202:refinery:ee32690,
author = {Jesko Hüttenhain},
title = {{The Refinery Files 0x06: Qakbot Decoder}},
date = {2022-12-02},
organization = {Github (binref)},
url = {https://github.com/binref/refinery/blob/master/tutorials/tbr-files.v0x06.Qakbot.Decoder.ipynb},
language = {English},
urldate = {2022-12-02}
}
The Refinery Files 0x06: Qakbot Decoder QakBot |
2022-12-01 ⋅ splunk ⋅ Splunk Threat Research Team @online{team:20221201:from:4ac8d82,
author = {Splunk Threat Research Team},
title = {{From Macros to No Macros: Continuous Malware Improvements by QakBot}},
date = {2022-12-01},
organization = {splunk},
url = {https://www.splunk.com/en_us/blog/security/from-macros-to-no-macros-continuous-malware-improvements-by-qakbot.html},
language = {English},
urldate = {2022-12-05}
}
From Macros to No Macros: Continuous Malware Improvements by QakBot QakBot |
2022-11-30 ⋅ Tidal Cyber Inc. ⋅ Scott Small @online{small:20221130:identifying:ed7c4b3,
author = {Scott Small},
title = {{Identifying and Defending Against QakBot's Evolving TTPs}},
date = {2022-11-30},
organization = {Tidal Cyber Inc.},
url = {https://www.tidalcyber.com/blog/identifying-and-defending-against-qakbots-evolving-ttps},
language = {English},
urldate = {2022-12-02}
}
Identifying and Defending Against QakBot's Evolving TTPs QakBot |
2022-11-28 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20221128:emotet:53a5fed,
author = {The DFIR Report},
title = {{Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware}},
date = {2022-11-28},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/},
language = {English},
urldate = {2022-11-28}
}
Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware Emotet Mount Locker |
2022-11-23 ⋅ Cybereason ⋅ Cybereason Global SOC Team @online{team:20221123:threat:17093cc,
author = {Cybereason Global SOC Team},
title = {{THREAT ALERT: Aggressive Qakbot Campaign and the Black Basta Ransomware Group Targeting U.S. Companies}},
date = {2022-11-23},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies},
language = {English},
urldate = {2022-11-25}
}
THREAT ALERT: Aggressive Qakbot Campaign and the Black Basta Ransomware Group Targeting U.S. Companies Black Basta QakBot |
2022-11-21 ⋅ BSides Sydney ⋅ Thomas Roccia @online{roccia:20221121:xray:da154d3,
author = {Thomas Roccia},
title = {{X-Ray of Malware Evasion Techniques - Analysis, Dissection, Cure?}},
date = {2022-11-21},
organization = {BSides Sydney},
url = {https://speakerdeck.com/fr0gger/x-ray-of-malware-evasion-techniques-analysis-dissection-cure},
language = {English},
urldate = {2022-12-29}
}
X-Ray of Malware Evasion Techniques - Analysis, Dissection, Cure? Emotet |
2022-11-16 ⋅ Proofpoint ⋅ Pim Trouerbach, Axel F @online{trouerbach:20221116:comprehensive:8278b4e,
author = {Pim Trouerbach and Axel F},
title = {{A Comprehensive Look at Emotet Virus’ Fall 2022 Return}},
date = {2022-11-16},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-fall-2022-return},
language = {English},
urldate = {2022-12-29}
}
A Comprehensive Look at Emotet Virus’ Fall 2022 Return BumbleBee Emotet IcedID |
2022-11-14 ⋅ Twitter (@embee_research) ⋅ Matthew @online{matthew:20221114:twitter:9b57525,
author = {Matthew},
title = {{Twitter thread on Yara Signatures for Qakbot Encryption Routines}},
date = {2022-11-14},
organization = {Twitter (@embee_research)},
url = {https://twitter.com/embee_research/status/1592067841154756610?s=20},
language = {English},
urldate = {2022-11-18}
}
Twitter thread on Yara Signatures for Qakbot Encryption Routines IcedID QakBot |
2022-11-10 ⋅ Intezer ⋅ Nicole Fishbein @online{fishbein:20221110:how:6b334be,
author = {Nicole Fishbein},
title = {{How LNK Files Are Abused by Threat Actors}},
date = {2022-11-10},
organization = {Intezer},
url = {https://www.intezer.com/blog/malware-analysis/how-threat-actors-abuse-lnk-files/},
language = {English},
urldate = {2022-11-11}
}
How LNK Files Are Abused by Threat Actors BumbleBee Emotet Mount Locker QakBot |
2022-11-03 ⋅ SentinelOne ⋅ SentinelLabs @online{sentinellabs:20221103:black:0be02f3,
author = {SentinelLabs},
title = {{Black Basta Ransomware | Attacks deploy Custom EDR Evasion Tools tied to FIN7 Threat Actor}},
date = {2022-11-03},
organization = {SentinelOne},
url = {https://assets.sentinelone.com/sentinellabs22/sentinellabs-blackbasta},
language = {English},
urldate = {2022-11-03}
}
Black Basta Ransomware | Attacks deploy Custom EDR Evasion Tools tied to FIN7 Threat Actor Black Basta QakBot SocksBot |
2022-10-31 ⋅ Security homework ⋅ Christophe Rieunier @online{rieunier:20221031:qakbot:e82f924,
author = {Christophe Rieunier},
title = {{QakBot CCs prioritization and new record types}},
date = {2022-10-31},
organization = {Security homework},
url = {https://www.securityhomework.net/articles/qakbot_ccs_prioritization_and_new_record_types/qakbot_ccs_prioritization_and_new_record_types.php},
language = {English},
urldate = {2022-10-31}
}
QakBot CCs prioritization and new record types QakBot |
2022-10-31 ⋅ Cynet ⋅ Max Malyutin @online{malyutin:20221031:orion:49e3b5c,
author = {Max Malyutin},
title = {{Orion Threat Alert: Qakbot TTPs Arsenal and the Black Basta Ransomware}},
date = {2022-10-31},
organization = {Cynet},
url = {https://www.cynet.com/blog/orion-threat-alert-qakbot-ttps-arsenal-and-the-black-basta-ransomware/},
language = {English},
urldate = {2022-11-15}
}
Orion Threat Alert: Qakbot TTPs Arsenal and the Black Basta Ransomware Black Basta Cobalt Strike QakBot |
2022-10-31 ⋅ Elastic ⋅ Seth Goodwin, Derek Ditch, Daniel Stepanic, Andrew Pease @online{goodwin:20221031:icedids:df089be,
author = {Seth Goodwin and Derek Ditch and Daniel Stepanic and Andrew Pease},
title = {{ICEDIDs network infrastructure is alive and well}},
date = {2022-10-31},
organization = {Elastic},
url = {https://www.elastic.co/security-labs/icedids-network-infrastructure-is-alive-and-well},
language = {English},
urldate = {2022-11-02}
}
ICEDIDs network infrastructure is alive and well IcedID |
2022-10-28 ⋅ Elastic ⋅ @rsprooten, Elastic Security Intelligence & Analytics Team @online{rsprooten:20221028:emotet:ffabd03,
author = {@rsprooten and Elastic Security Intelligence & Analytics Team},
title = {{EMOTET dynamic config extraction}},
date = {2022-10-28},
organization = {Elastic},
url = {https://www.elastic.co/security-labs/emotet-dynamic-configuration-extraction},
language = {English},
urldate = {2022-10-30}
}
EMOTET dynamic config extraction Emotet |
2022-10-13 ⋅ Syrion ⋅ Raffaele Sabato @online{sabato:20221013:qakbot:f971585,
author = {Raffaele Sabato},
title = {{QAKBOT BB Configuration and C2 IPs List}},
date = {2022-10-13},
organization = {Syrion},
url = {https://syrion.me/malware/qakbot-bb-extractor/},
language = {English},
urldate = {2022-10-24}
}
QAKBOT BB Configuration and C2 IPs List QakBot |
2022-10-13 ⋅ Spamhaus ⋅ Spamhaus Malware Labs @techreport{labs:20221013:spamhaus:43e3190,
author = {Spamhaus Malware Labs},
title = {{Spamhaus Botnet Threat Update Q3 2022}},
date = {2022-10-13},
institution = {Spamhaus},
url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf},
language = {English},
urldate = {2022-12-29}
}
Spamhaus Botnet Threat Update Q3 2022 FluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars Tofsee Vjw0rm |
2022-10-07 ⋅ Team Cymru ⋅ S2 Research Team @online{team:20221007:visualizza:0ed3fe8,
author = {S2 Research Team},
title = {{A Visualizza into Recent IcedID Campaigns: Reconstructing Threat Actor Metrics with Pure Signal™ Recon}},
date = {2022-10-07},
organization = {Team Cymru},
url = {https://www.team-cymru.com/post/a-visualizza-into-recent-icedid-campaigns},
language = {English},
urldate = {2022-10-10}
}
A Visualizza into Recent IcedID Campaigns: Reconstructing Threat Actor Metrics with Pure Signal™ Recon IcedID PhotoLoader |
2022-10-03 ⋅ vmware ⋅ Threat Analysis Unit @techreport{unit:20221003:emotet:94323dc,
author = {Threat Analysis Unit},
title = {{Emotet Exposed: A Look Inside the Cybercriminal Supply Chain}},
date = {2022-10-03},
institution = {vmware},
url = {https://www.vmware.com/content/dam/learn/en/amer/fy23/pdf/1669005_Emotet_Exposed_A_Look_Inside_the_Cybercriminal_Supply_Chain.pdf},
language = {English},
urldate = {2022-10-24}
}
Emotet Exposed: A Look Inside the Cybercriminal Supply Chain Emotet |
2022-09-13 ⋅ AdvIntel ⋅ Advanced Intelligence @online{intelligence:20220913:advintels:ea02331,
author = {Advanced Intelligence},
title = {{AdvIntel's State of Emotet aka "SpmTools" Displays Over Million Compromised Machines Through 2022}},
date = {2022-09-13},
organization = {AdvIntel},
url = {https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022},
language = {English},
urldate = {2022-09-19}
}
AdvIntel's State of Emotet aka "SpmTools" Displays Over Million Compromised Machines Through 2022 Conti Cobalt Strike Emotet Ryuk TrickBot |
2022-09-12 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20220912:dead:a6b31c3,
author = {The DFIR Report},
title = {{Dead or Alive? An Emotet Story}},
date = {2022-09-12},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/},
language = {English},
urldate = {2022-09-12}
}
Dead or Alive? An Emotet Story Cobalt Strike Emotet |
2022-09-07 ⋅ Google ⋅ Pierre-Marc Bureau, Google Threat Analysis Group @online{bureau:20220907:initial:d1975b3,
author = {Pierre-Marc Bureau and Google Threat Analysis Group},
title = {{Initial access broker repurposing techniques in targeted attacks against Ukraine}},
date = {2022-09-07},
organization = {Google},
url = {https://blog.google/threat-analysis-group/initial-access-broker-repurposing-techniques-in-targeted-attacks-against-ukraine/},
language = {English},
urldate = {2022-09-13}
}
Initial access broker repurposing techniques in targeted attacks against Ukraine AnchorMail Cobalt Strike IcedID |
2022-09-06 ⋅ Zscaler ⋅ Brett Stone-Gross @online{stonegross:20220906:ares:e7ddb5d,
author = {Brett Stone-Gross},
title = {{The Ares Banking Trojan Learns Old Tricks: Adds the Defunct Qakbot DGA}},
date = {2022-09-06},
organization = {Zscaler},
url = {https://www.zscaler.com/blogs/security-research/ares-banking-trojan-learns-old-tricks-adds-defunct-qakbot-dga},
language = {English},
urldate = {2022-09-07}
}
The Ares Banking Trojan Learns Old Tricks: Adds the Defunct Qakbot DGA Ares QakBot |
2022-09-01 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara @online{koczwara:20220901:hunting:45c54de,
author = {Michael Koczwara},
title = {{Hunting C2/Adversaries Infrastructure with Shodan and Censys}},
date = {2022-09-01},
organization = {Medium michaelkoczwara},
url = {https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f},
language = {English},
urldate = {2023-01-19}
}
Hunting C2/Adversaries Infrastructure with Shodan and Censys Brute Ratel C4 Cobalt Strike Deimos GRUNT IcedID Merlin Meterpreter Nighthawk PoshC2 Sliver |
2022-09-01 ⋅ Trend Micro ⋅ Trend Micro @online{micro:20220901:ransomware:8eda6e4,
author = {Trend Micro},
title = {{Ransomware Spotlight Black Basta}},
date = {2022-09-01},
organization = {Trend Micro},
url = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta},
language = {English},
urldate = {2022-09-19}
}
Ransomware Spotlight Black Basta Black Basta Cobalt Strike MimiKatz QakBot |
2022-08-25 ⋅ Palo Alto Networks Unit 42 ⋅ Amer Elsad @online{elsad:20220825:threat:b3514ed,
author = {Amer Elsad},
title = {{Threat Assessment: Black Basta Ransomware}},
date = {2022-08-25},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/},
language = {English},
urldate = {2022-10-05}
}
Threat Assessment: Black Basta Ransomware Black Basta QakBot |
2022-08-24 ⋅ Trellix ⋅ Adithya Chandra, Sushant Kumar Arya @online{chandra:20220824:demystifying:77609b2,
author = {Adithya Chandra and Sushant Kumar Arya},
title = {{Demystifying Qbot Malware}},
date = {2022-08-24},
organization = {Trellix},
url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/demystifying-qbot-malware.html},
language = {English},
urldate = {2022-08-28}
}
Demystifying Qbot Malware QakBot |
2022-08-24 ⋅ Elastic ⋅ Cyril François @online{franois:20220824:qbot:152ef8d,
author = {Cyril François},
title = {{QBOT Malware Analysis}},
date = {2022-08-24},
organization = {Elastic},
url = {https://www.elastic.co/security-labs/qbot-malware-analysis},
language = {English},
urldate = {2022-08-30}
}
QBOT Malware Analysis QakBot |
2022-08-23 ⋅ Darktrace ⋅ Eugene Chua, Paul Jennings, Hanah Darley @online{chua:20220823:emotet:8e4522c,
author = {Eugene Chua and Paul Jennings and Hanah Darley},
title = {{Emotet Resurgence: Cross-Industry Campaign Analysis}},
date = {2022-08-23},
organization = {Darktrace},
url = {https://de.darktrace.com/blog/emotet-resurgence-cross-industry-campaign-analysis},
language = {English},
urldate = {2022-08-30}
}
Emotet Resurgence: Cross-Industry Campaign Analysis Emotet |
2022-08-19 ⋅ vmware ⋅ Oleg Boyarchuk, Stefano Ortolani @online{boyarchuk:20220819:how:a43d0e2,
author = {Oleg Boyarchuk and Stefano Ortolani},
title = {{How to Replicate Emotet Lateral Movement}},
date = {2022-08-19},
organization = {vmware},
url = {https://blogs.vmware.com/security/2022/08/how-to-replicate-emotet-lateral-movement.html},
language = {English},
urldate = {2022-08-31}
}
How to Replicate Emotet Lateral Movement Emotet |
2022-08-12 ⋅ SANS ISC ⋅ Brad Duncan @online{duncan:20220812:monster:cbf3101,
author = {Brad Duncan},
title = {{Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike}},
date = {2022-08-12},
organization = {SANS ISC},
url = {https://isc.sans.edu/diary/rss/28934},
language = {English},
urldate = {2022-08-15}
}
Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike Cobalt Strike DarkVNC IcedID |
2022-08-10 ⋅ BitSight ⋅ João Batista @online{batista:20220810:emotet:2248a42,
author = {João Batista},
title = {{Emotet SMB Spreader is Back}},
date = {2022-08-10},
organization = {BitSight},
url = {https://www.bitsight.com/blog/emotet-smb-spreader-back},
language = {English},
urldate = {2022-08-11}
}
Emotet SMB Spreader is Back Emotet |
2022-08-08 ⋅ Medium CSIS Techblog ⋅ Benoît Ancel @online{ancel:20220808:inside:67ef9a0,
author = {Benoît Ancel},
title = {{An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure}},
date = {2022-08-08},
organization = {Medium CSIS Techblog},
url = {https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145},
language = {English},
urldate = {2022-08-28}
}
An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader |
2022-08-04 ⋅ Medium walmartglobaltech ⋅ Joshua Platt, Jason Reaves @online{platt:20220804:icedid:546c931,
author = {Joshua Platt and Jason Reaves},
title = {{IcedID leverages PrivateLoader}},
date = {2022-08-04},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/icedid-leverages-privateloader-7744771bf87f},
language = {English},
urldate = {2022-08-11}
}
IcedID leverages PrivateLoader IcedID PrivateLoader |
2022-07-27 ⋅ Elastic ⋅ Cyril François, Derek Ditch @online{franois:20220727:qbot:82146d1,
author = {Cyril François and Derek Ditch},
title = {{QBOT Configuration Extractor}},
date = {2022-07-27},
organization = {Elastic},
url = {https://www.elastic.co/security-labs/qbot-configuration-extractor},
language = {English},
urldate = {2022-08-05}
}
QBOT Configuration Extractor QakBot |
2022-07-27 ⋅ SANS ISC ⋅ Brad Duncan @online{duncan:20220727:icedid:839e33a,
author = {Brad Duncan},
title = {{IcedID (Bokbot) with Dark VNC and Cobalt Strike}},
date = {2022-07-27},
organization = {SANS ISC},
url = {https://isc.sans.edu/diary/IcedID+%28Bokbot%29+with+Dark+VNC+and+Cobalt+Strike/28884},
language = {English},
urldate = {2022-07-28}
}
IcedID (Bokbot) with Dark VNC and Cobalt Strike DarkVNC IcedID |
2022-07-27 ⋅ cyble ⋅ Cyble Research Labs @online{labs:20220727:targeted:aa69498,
author = {Cyble Research Labs},
title = {{Targeted Attacks Being Carried Out Via DLL SideLoading}},
date = {2022-07-27},
organization = {cyble},
url = {https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/},
language = {English},
urldate = {2022-08-15}
}
Targeted Attacks Being Carried Out Via DLL SideLoading Cobalt Strike QakBot |
2022-07-27 ⋅ Elastic ⋅ Cyril François, Andrew Pease, Seth Goodwin @online{franois:20220727:exploring:67dc644,
author = {Cyril François and Andrew Pease and Seth Goodwin},
title = {{Exploring the QBOT Attack Pattern}},
date = {2022-07-27},
organization = {Elastic},
url = {https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern},
language = {English},
urldate = {2022-08-05}
}
Exploring the QBOT Attack Pattern QakBot |
2022-07-24 ⋅ Bleeping Computer ⋅ Bill Toulas @online{toulas:20220724:qbot:f6c03d9,
author = {Bill Toulas},
title = {{QBot phishing uses Windows Calculator sideloading to infect devices}},
date = {2022-07-24},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/qbot-phishing-uses-windows-calculator-sideloading-to-infect-devices/},
language = {English},
urldate = {2022-07-29}
}
QBot phishing uses Windows Calculator sideloading to infect devices QakBot |
2022-07-19 ⋅ Fortinet ⋅ Xiaopeng Zhang @online{zhang:20220719:new:a3b1085,
author = {Xiaopeng Zhang},
title = {{New Variant of QakBot Being Spread by HTML File Attached to Phishing Emails}},
date = {2022-07-19},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/new-variant-of-qakbot-spread-by-phishing-emails},
language = {English},
urldate = {2022-07-25}
}
New Variant of QakBot Being Spread by HTML File Attached to Phishing Emails QakBot |
2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42 @online{42:20220718:monster:1aaba4e,
author = {Unit 42},
title = {{Monster Libra}},
date = {2022-07-18},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/atoms/monsterlibra/},
language = {English},
urldate = {2022-07-29}
}
Monster Libra Valak IcedID GOLD CABIN |
2022-07-17 ⋅ Resecurity ⋅ Resecurity @online{resecurity:20220717:shortcutbased:6cd77fb,
author = {Resecurity},
title = {{Shortcut-Based (LNK) Attacks Delivering Malicious Code On The Rise}},
date = {2022-07-17},
organization = {Resecurity},
url = {https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise},
language = {English},
urldate = {2022-07-28}
}
Shortcut-Based (LNK) Attacks Delivering Malicious Code On The Rise AsyncRAT BumbleBee Emotet IcedID QakBot |
2022-07-12 ⋅ Zscaler ⋅ Tarun Dewan, Aditya Sharma @online{dewan:20220712:rise:1cc657e,
author = {Tarun Dewan and Aditya Sharma},
title = {{Rise in Qakbot attacks traced to evolving threat techniques}},
date = {2022-07-12},
organization = {Zscaler},
url = {https://www.zscaler.com/blogs/security-research/rise-qakbot-attacks-traced-evolving-threat-techniques},
language = {English},
urldate = {2022-07-14}
}
Rise in Qakbot attacks traced to evolving threat techniques QakBot |
2022-07-12 ⋅ Cyren ⋅ Kervin Alintanahin @online{alintanahin:20220712:example:ae62e81,
author = {Kervin Alintanahin},
title = {{Example Analysis of Multi-Component Malware}},
date = {2022-07-12},
organization = {Cyren},
url = {https://www.cyren.com/blog/articles/example-analysis-of-multi-component-malware},
language = {English},
urldate = {2022-07-18}
}
Example Analysis of Multi-Component Malware Emotet Formbook |
2022-07-07 ⋅ Fortinet ⋅ Erin Lin @online{lin:20220707:notable:71d2df3,
author = {Erin Lin},
title = {{Notable Droppers Emerge in Recent Threat Campaigns}},
date = {2022-07-07},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns},
language = {English},
urldate = {2022-07-15}
}
Notable Droppers Emerge in Recent Threat Campaigns BumbleBee Emotet PhotoLoader QakBot |
2022-07-07 ⋅ SANS ISC ⋅ Brad Duncan @online{duncan:20220707:emotet:3732ca7,
author = {Brad Duncan},
title = {{Emotet infection with Cobalt Strike}},
date = {2022-07-07},
organization = {SANS ISC},
url = {https://isc.sans.edu/forums/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824/},
language = {English},
urldate = {2022-07-12}
}
Emotet infection with Cobalt Strike Cobalt Strike Emotet |
2022-07-07 ⋅ IBM ⋅ Ole Villadsen, Charlotte Hammond, Kat Weinberger @online{villadsen:20220707:unprecedented:d0a6add,
author = {Ole Villadsen and Charlotte Hammond and Kat Weinberger},
title = {{Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine}},
date = {2022-07-07},
organization = {IBM},
url = {https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine},
language = {English},
urldate = {2022-07-12}
}
Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine AnchorMail BumbleBee Cobalt Strike IcedID Meterpreter |
2022-07-05 ⋅ Soc Investigation ⋅ Priyadharshini Balaji @online{balaji:20220705:qbot:75c3b14,
author = {Priyadharshini Balaji},
title = {{QBot Spreads via LNK Files – Detection & Response}},
date = {2022-07-05},
organization = {Soc Investigation},
url = {https://www.socinvestigation.com/qbot-spreads-via-lnk-files-detection-response/},
language = {English},
urldate = {2022-07-13}
}
QBot Spreads via LNK Files – Detection & Response QakBot |
2022-06-30 ⋅ Trend Micro ⋅ Kenneth Adrian Apostol, Paolo Ronniel Labrador, Mirah Manlapig, James Panlilio, Emmanuel Panopio, John Kenneth Reyes, Melvin Singwa @online{apostol:20220630:black:7464953,
author = {Kenneth Adrian Apostol and Paolo Ronniel Labrador and Mirah Manlapig and James Panlilio and Emmanuel Panopio and John Kenneth Reyes and Melvin Singwa},
title = {{Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit}},
date = {2022-06-30},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html},
language = {English},
urldate = {2022-07-05}
}
Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit Black Basta Cobalt Strike QakBot |
2022-06-27 ⋅ Netskope ⋅ Gustavo Palazolo @online{palazolo:20220627:emotet:e01f0fb,
author = {Gustavo Palazolo},
title = {{Emotet: Still Abusing Microsoft Office Macros}},
date = {2022-06-27},
organization = {Netskope},
url = {https://www.netskope.com/blog/emotet-still-abusing-microsoft-office-macros},
language = {English},
urldate = {2022-06-30}
}
Emotet: Still Abusing Microsoft Office Macros Emotet |
2022-06-24 ⋅ Soc Investigation ⋅ BalaGanesh @online{balaganesh:20220624:icedid:2bb9d0d,
author = {BalaGanesh},
title = {{IcedID Banking Trojan returns with new TTPS – Detection & Response}},
date = {2022-06-24},
organization = {Soc Investigation},
url = {https://www.socinvestigation.com/icedid-banking-trojan-returns-with-new-ttps-detection-response/},
language = {English},
urldate = {2022-06-27}
}
IcedID Banking Trojan returns with new TTPS – Detection & Response IcedID |
2022-06-24 ⋅ Group-IB ⋅ Albert Priego @online{priego:20220624:we:0ed77e2,
author = {Albert Priego},
title = {{We see you, Gozi Hunting the latest TTPs used for delivering the Trojan}},
date = {2022-06-24},
organization = {Group-IB},
url = {https://blog.group-ib.com/gozi-latest-ttps},
language = {English},
urldate = {2022-08-17}
}
We see you, Gozi Hunting the latest TTPs used for delivering the Trojan ISFB |
2022-06-21 ⋅ McAfee ⋅ Lakshya Mathur @online{mathur:20220621:rise:71e04f0,
author = {Lakshya Mathur},
title = {{Rise of LNK (Shortcut files) Malware}},
date = {2022-06-21},
organization = {McAfee},
url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/},
language = {English},
urldate = {2022-07-05}
}
Rise of LNK (Shortcut files) Malware BazarBackdoor Emotet IcedID QakBot |
2022-06-17 ⋅ Github (NtQuerySystemInformation) ⋅ Twitter (@kasua02) @techreport{kasua02:20220617:reverse:b218c67,
author = {Twitter (@kasua02)},
title = {{A reverse engineer primer on Qakbot Dll Stager: From initial execution to multithreading.}},
date = {2022-06-17},
institution = {Github (NtQuerySystemInformation)},
url = {https://raw.githubusercontent.com/NtQuerySystemInformation/Malware-RE-papers/main/Qakbot%20report.pdf},
language = {English},
urldate = {2022-07-01}
}
A reverse engineer primer on Qakbot Dll Stager: From initial execution to multithreading. QakBot |
2022-06-16 ⋅ ESET Research ⋅ Rene Holt @online{holt:20220616:how:d3225fc,
author = {Rene Holt},
title = {{How Emotet is changing tactics in response to Microsoft’s tightening of Office macro security}},
date = {2022-06-16},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2022/06/16/how-emotet-is-changing-tactics-microsoft-tightening-office-macro-security/},
language = {English},
urldate = {2022-06-17}
}
How Emotet is changing tactics in response to Microsoft’s tightening of Office macro security Emotet |
2022-06-09 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan @online{duncan:20220609:ta570:a51c1eb,
author = {Brad Duncan},
title = {{TA570 Qakbot (Qbot) tries CVE-2022-30190 (Follina) exploit (ms-msdt)}},
date = {2022-06-09},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/rss/28728},
language = {English},
urldate = {2022-06-09}
}
TA570 Qakbot (Qbot) tries CVE-2022-30190 (Follina) exploit (ms-msdt) QakBot |
2022-06-07 ⋅ McAfee ⋅ Jyothi Naveen, Kiran Raj @online{naveen:20220607:phishing:704f5f7,
author = {Jyothi Naveen and Kiran Raj},
title = {{Phishing Campaigns featuring Ursnif Trojan on the Rise}},
date = {2022-06-07},
organization = {McAfee},
url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/phishing-campaigns-featuring-ursnif-trojan/},
language = {English},
urldate = {2022-06-15}
}
Phishing Campaigns featuring Ursnif Trojan on the Rise ISFB |
2022-06-02 ⋅ Mandiant ⋅ Mandiant @online{mandiant:20220602:trending:0bcdbc4,
author = {Mandiant},
title = {{TRENDING EVIL Q2 2022}},
date = {2022-06-02},
organization = {Mandiant},
url = {https://experience.mandiant.com/trending-evil-2/p/1},
language = {English},
urldate = {2022-06-07}
}
TRENDING EVIL Q2 2022 CloudEyE Cobalt Strike CryptBot Emotet IsaacWiper QakBot |
2022-05-30 ⋅ Matthieu Walter @online{walter:20220530:automatically:a02278f,
author = {Matthieu Walter},
title = {{Automatically Unpacking IcedID Stage 1 with Angr}},
date = {2022-05-30},
url = {https://matth.dmz42.org/posts/2022/automatically-unpacking-icedid-stage1-with-angr/},
language = {English},
urldate = {2022-05-31}
}
Automatically Unpacking IcedID Stage 1 with Angr IcedID |
2022-05-27 ⋅ Kroll ⋅ Cole Manaster, George Glass, Elio Biasiotto @online{manaster:20220527:emotet:77000c1,
author = {Cole Manaster and George Glass and Elio Biasiotto},
title = {{Emotet Analysis: New LNKs in the Infection Chain – The Monitor, Issue 20}},
date = {2022-05-27},
organization = {Kroll},
url = {https://www.kroll.com/en/insights/publications/cyber/monitor/emotet-analysis-new-lnk-in-the-infection-chain},
language = {English},
urldate = {2022-05-31}
}
Emotet Analysis: New LNKs in the Infection Chain – The Monitor, Issue 20 Emotet |
2022-05-25 ⋅ vmware ⋅ Oleg Boyarchuk, Stefano Ortolani @online{boyarchuk:20220525:emotet:ada82ac,
author = {Oleg Boyarchuk and Stefano Ortolani},
title = {{Emotet Config Redux}},
date = {2022-05-25},
organization = {vmware},
url = {https://blogs.vmware.com/security/2022/05/emotet-config-redux.html},
language = {English},
urldate = {2022-05-29}
}
Emotet Config Redux Emotet |
2022-05-24 ⋅ Deep instinct ⋅ Bar Block @online{block:20220524:blame:9f45829,
author = {Bar Block},
title = {{Blame the Messenger: 4 Types of Dropper Malware in Microsoft Office & How to Detect Them}},
date = {2022-05-24},
organization = {Deep instinct},
url = {https://www.deepinstinct.com/blog/types-of-dropper-malware-in-microsoft-office},
language = {English},
urldate = {2022-05-29}
}
Blame the Messenger: 4 Types of Dropper Malware in Microsoft Office & How to Detect Them Dridex Emotet |
2022-05-24 ⋅ BitSight ⋅ João Batista, Pedro Umbelino, BitSight @online{batista:20220524:emotet:cae57f1,
author = {João Batista and Pedro Umbelino and BitSight},
title = {{Emotet Botnet Rises Again}},
date = {2022-05-24},
organization = {BitSight},
url = {https://www.bitsight.com/blog/emotet-botnet-rises-again},
language = {English},
urldate = {2022-05-25}
}
Emotet Botnet Rises Again Cobalt Strike Emotet QakBot SystemBC |
2022-05-19 ⋅ Trend Micro ⋅ Adolph Christian Silverio, Jeric Miguel Abordo, Khristian Joseph Morales, Maria Emreen Viray @online{silverio:20220519:bruised:f5c6775,
author = {Adolph Christian Silverio and Jeric Miguel Abordo and Khristian Joseph Morales and Maria Emreen Viray},
title = {{Bruised but Not Broken: The Resurgence of the Emotet Botnet Malware}},
date = {2022-05-19},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/22/e/bruised-but-not-broken--the-resurgence-of-the-emotet-botnet-malw.html},
language = {English},
urldate = {2022-05-25}
}
Bruised but Not Broken: The Resurgence of the Emotet Botnet Malware Emotet QakBot |
2022-05-19 ⋅ IBM ⋅ Charlotte Hammond, Ole Villadsen, Golo Mühr @online{hammond:20220519:itg23:eab10e2,
author = {Charlotte Hammond and Ole Villadsen and Golo Mühr},
title = {{ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups}},
date = {2022-05-19},
organization = {IBM},
url = {https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/},
language = {English},
urldate = {2022-05-25}
}
ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups IcedID ISFB Mount Locker |
2022-05-17 ⋅ Trend Micro ⋅ Trend Micro Research @online{research:20220517:ransomware:7b86339,
author = {Trend Micro Research},
title = {{Ransomware Spotlight: RansomEXX}},
date = {2022-05-17},
organization = {Trend Micro},
url = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx},
language = {English},
urldate = {2022-05-25}
}
Ransomware Spotlight: RansomEXX LaZagne Cobalt Strike IcedID MimiKatz PyXie RansomEXX TrickBot |
2022-05-17 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan @online{duncan:20220517:emotet:5f61714,
author = {Brad Duncan},
title = {{Emotet Summary: November 2021 Through January 2022}},
date = {2022-05-17},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/emotet-malware-summary-epoch-4-5/},
language = {English},
urldate = {2022-05-29}
}
Emotet Summary: November 2021 Through January 2022 Emotet |
2022-05-16 ⋅ vmware ⋅ Oleg Boyarchuk, Stefano Ortolani, Jason Zhang, Threat Analysis Unit @online{boyarchuk:20220516:emotet:6392ff3,
author = {Oleg Boyarchuk and Stefano Ortolani and Jason Zhang and Threat Analysis Unit},
title = {{Emotet Moves to 64 bit and Updates its Loader}},
date = {2022-05-16},
organization = {vmware},
url = {https://blogs.vmware.com/security/2022/05/emotet-moves-to-64-bit-and-updates-its-loader.html},
language = {English},
urldate = {2022-05-17}
}
Emotet Moves to 64 bit and Updates its Loader Emotet |
2022-05-12 ⋅ Intel 471 ⋅ Intel 471 @online{471:20220512:what:05369d4,
author = {Intel 471},
title = {{What malware to look for if you want to prevent a ransomware attack}},
date = {2022-05-12},
organization = {Intel 471},
url = {https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike},
language = {English},
urldate = {2022-05-13}
}
What malware to look for if you want to prevent a ransomware attack Conti BumbleBee Cobalt Strike IcedID Sliver |
2022-05-11 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan @online{duncan:20220511:ta578:0a0a686,
author = {Brad Duncan},
title = {{TA578 using thread-hijacked emails to push ISO files for Bumblebee malware}},
date = {2022-05-11},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/28636},
language = {English},
urldate = {2022-05-11}
}
TA578 using thread-hijacked emails to push ISO files for Bumblebee malware BumbleBee Cobalt Strike IcedID PhotoLoader |
2022-05-11 ⋅ IronNet ⋅ Blake Cahen, IronNet Threat Research @online{cahen:20220511:detecting:c61fd63,
author = {Blake Cahen and IronNet Threat Research},
title = {{Detecting a MUMMY SPIDER campaign and Emotet infection}},
date = {2022-05-11},
organization = {IronNet},
url = {https://www.ironnet.com/blog/detecting-a-mummyspider-campaign-and-emotet-infection},
language = {English},
urldate = {2022-05-17}
}
Detecting a MUMMY SPIDER campaign and Emotet infection Emotet |
2022-05-11 ⋅ HP ⋅ HP Wolf Security @techreport{security:20220511:threat:bd460f0,
author = {HP Wolf Security},
title = {{Threat Insights Report Q1 - 2022}},
date = {2022-05-11},
institution = {HP},
url = {https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf},
language = {English},
urldate = {2022-05-13}
}
Threat Insights Report Q1 - 2022 AsyncRAT Emotet Mekotio Vjw0rm |
2022-05-09 ⋅ Netresec ⋅ Erik Hjelmvik @online{hjelmvik:20220509:emotet:ce90938,
author = {Erik Hjelmvik},
title = {{Emotet C2 and Spam Traffic Video}},
date = {2022-05-09},
organization = {Netresec},
url = {https://www.netresec.com/?page=Blog&month=2022-05&post=Emotet-C2-and-Spam-Traffic-Video},
language = {English},
urldate = {2022-05-09}
}
Emotet C2 and Spam Traffic Video Emotet |
2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC) @online{team:20220509:ransomwareasaservice:13ec472,
author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)},
title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}},
date = {2022-05-09},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself},
language = {English},
urldate = {2022-05-17}
}
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT |
2022-05-09 ⋅ Cybereason ⋅ Lior Rochberger @online{rochberger:20220509:cybereason:9178f63,
author = {Lior Rochberger},
title = {{Cybereason vs. Quantum Locker Ransomware}},
date = {2022-05-09},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware},
language = {English},
urldate = {2022-05-11}
}
Cybereason vs. Quantum Locker Ransomware IcedID Mount Locker |
2022-05-08 ⋅ Qualys ⋅ Amit Gadhave @online{gadhave:20220508:ursnif:4e8605b,
author = {Amit Gadhave},
title = {{Ursnif Malware Banks on News Events for Phishing Attacks}},
date = {2022-05-08},
organization = {Qualys},
url = {https://blog.qualys.com/vulnerabilities-threat-research/2022/05/08/ursnif-malware-banks-on-news-events-for-phishing-attacks},
language = {English},
urldate = {2022-05-17}
}
Ursnif Malware Banks on News Events for Phishing Attacks ISFB |
2022-05-06 ⋅ Netskope ⋅ Gustavo Palazolo @online{palazolo:20220506:emotet:44a2595,
author = {Gustavo Palazolo},
title = {{Emotet: New Delivery Mechanism to Bypass VBA Protection}},
date = {2022-05-06},
organization = {Netskope},
url = {https://www.netskope.com/blog/emotet-new-delivery-mechanism-to-bypass-vba-protection},
language = {English},
urldate = {2022-05-09}
}
Emotet: New Delivery Mechanism to Bypass VBA Protection Emotet |
2022-05-04 ⋅ Twitter (@felixw3000) ⋅ Felix @online{felix:20220504:twitter:0fb7e35,
author = {Felix},
title = {{Twitter Thread with info on infection chain with IcedId, Cobalt Strike, and Hidden VNC.}},
date = {2022-05-04},
organization = {Twitter (@felixw3000)},
url = {https://twitter.com/felixw3000/status/1521816045769662468},
language = {English},
urldate = {2022-05-09}
}
Twitter Thread with info on infection chain with IcedId, Cobalt Strike, and Hidden VNC. Cobalt Strike IcedID PhotoLoader |
2022-05-04 ⋅ Sophos ⋅ Andreas Klopsch @online{klopsch:20220504:attacking:750e07f,
author = {Andreas Klopsch},
title = {{Attacking Emotet’s Control Flow Flattening}},
date = {2022-05-04},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2022/05/04/attacking-emotets-control-flow-flattening/},
language = {English},
urldate = {2022-05-05}
}
Attacking Emotet’s Control Flow Flattening Emotet |
2022-04-28 ⋅ Symantec ⋅ Karthikeyan C Kasiviswanathan, Vishal Kamble @online{kasiviswanathan:20220428:ransomware:95feafb,
author = {Karthikeyan C Kasiviswanathan and Vishal Kamble},
title = {{Ransomware: How Attackers are Breaching Corporate Networks}},
date = {2022-04-28},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker},
language = {English},
urldate = {2022-05-04}
}
Ransomware: How Attackers are Breaching Corporate Networks AvosLocker Conti Emotet Hive IcedID PhotoLoader QakBot TrickBot |
2022-04-27 ⋅ Cybleinc ⋅ Cyble @online{cyble:20220427:emotet:a8c919a,
author = {Cyble},
title = {{Emotet Returns With New TTPs And Delivers .Lnk Files To Its Victims}},
date = {2022-04-27},
organization = {Cybleinc},
url = {https://blog.cyble.com/2022/04/27/emotet-returns-with-new-ttps-and-delivers-lnk-files-to-its-victims/},
language = {English},
urldate = {2022-05-04}
}
Emotet Returns With New TTPs And Delivers .Lnk Files To Its Victims Emotet |
2022-04-26 ⋅ Proofpoint ⋅ Axel F @online{f:20220426:emotet:afb4f87,
author = {Axel F},
title = {{Emotet Tests New Delivery Techniques}},
date = {2022-04-26},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/blog/threat-insight/emotet-tests-new-delivery-techniques},
language = {English},
urldate = {2022-04-29}
}
Emotet Tests New Delivery Techniques Emotet |
2022-04-26 ⋅ Intel 471 ⋅ Intel 471 @online{471:20220426:conti:6bcff7d,
author = {Intel 471},
title = {{Conti and Emotet: A constantly destructive duo}},
date = {2022-04-26},
organization = {Intel 471},
url = {https://intel471.com/blog/conti-emotet-ransomware-conti-leaks},
language = {English},
urldate = {2022-04-29}
}
Conti and Emotet: A constantly destructive duo Cobalt Strike Conti Emotet IcedID QakBot TrickBot |
2022-04-26 ⋅ Bleeping Computer ⋅ Ionut Ilascu @online{ilascu:20220426:emotet:d0b6f50,
author = {Ionut Ilascu},
title = {{Emotet malware now installs via PowerShell in Windows shortcut files}},
date = {2022-04-26},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/emotet-malware-now-installs-via-powershell-in-windows-shortcut-files/},
language = {English},
urldate = {2022-04-29}
}
Emotet malware now installs via PowerShell in Windows shortcut files Emotet |
2022-04-25 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20220425:quantum:128d2b3,
author = {The DFIR Report},
title = {{Quantum Ransomware}},
date = {2022-04-25},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2022/04/25/quantum-ransomware/},
language = {English},
urldate = {2022-04-25}
}
Quantum Ransomware Cobalt Strike IcedID |
2022-04-24 ⋅ forensicitguy ⋅ Tony Lambert @online{lambert:20220424:shortcut:b1a00dd,
author = {Tony Lambert},
title = {{Shortcut to Emotet, an odd TTP change}},
date = {2022-04-24},
organization = {forensicitguy},
url = {https://forensicitguy.github.io/shortcut-to-emotet-ttp-change/},
language = {English},
urldate = {2022-04-25}
}
Shortcut to Emotet, an odd TTP change Emotet |
2022-04-20 ⋅ CISA ⋅ CISA, NSA, FBI, Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), Government Communications Security Bureau, NCSC UK, National Crime Agency (NCA) @techreport{cisa:20220420:aa22110a:4fde5d6,
author = {CISA and NSA and FBI and Australian Cyber Security Centre (ACSC) and Canadian Centre for Cyber Security (CCCS) and Government Communications Security Bureau and NCSC UK and National Crime Agency (NCA)},
title = {{AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}},
date = {2022-04-20},
institution = {CISA},
url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf},
language = {English},
urldate = {2022-04-25}
}
AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader |
2022-04-20 ⋅ SANS ISC ⋅ Brad Duncan @online{duncan:20220420:aa:eb304fb,
author = {Brad Duncan},
title = {{'aa' distribution Qakbot (Qbot) infection with DarkVNC traffic}},
date = {2022-04-20},
organization = {SANS ISC},
url = {https://isc.sans.edu/diary/rss/28568},
language = {English},
urldate = {2022-04-25}
}
'aa' distribution Qakbot (Qbot) infection with DarkVNC traffic QakBot |
2022-04-20 ⋅ cocomelonc ⋅ cocomelonc @online{cocomelonc:20220420:malware:b20963e,
author = {cocomelonc},
title = {{Malware development: persistence - part 1. Registry run keys. C++ example.}},
date = {2022-04-20},
organization = {cocomelonc},
url = {https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html},
language = {English},
urldate = {2022-12-01}
}
Malware development: persistence - part 1. Registry run keys. C++ example. Agent Tesla Amadey BlackEnergy Cobian RAT COZYDUKE Emotet Empire Downloader Kimsuky |
2022-04-20 ⋅ CISA ⋅ CISA @online{cisa:20220420:alert:529e28c,
author = {CISA},
title = {{Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}},
date = {2022-04-20},
organization = {CISA},
url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-110a},
language = {English},
urldate = {2022-04-25}
}
Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader Killnet |
2022-04-19 ⋅ Twitter (@Cryptolaemus1) ⋅ Cryptolaemus @online{cryptolaemus:20220419:emotet:c68608b,
author = {Cryptolaemus},
title = {{#Emotet Update: 64 bit upgrade of Epoch 5}},
date = {2022-04-19},
organization = {Twitter (@Cryptolaemus1)},
url = {https://twitter.com/Cryptolaemus1/status/1516535343281025032},
language = {English},
urldate = {2022-04-20}
}
#Emotet Update: 64 bit upgrade of Epoch 5 Emotet |
2022-04-19 ⋅ Bleeping Computer ⋅ Bill Toulas @online{toulas:20220419:emotet:a7e392d,
author = {Bill Toulas},
title = {{Emotet botnet switches to 64-bit modules, increases activity}},
date = {2022-04-19},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/emotet-botnet-switches-to-64-bit-modules-increases-activity/},
language = {English},
urldate = {2022-04-20}
}
Emotet botnet switches to 64-bit modules, increases activity Emotet |
2022-04-18 ⋅ Fortinet ⋅ Erin Lin @online{lin:20220418:trends:fab9950,
author = {Erin Lin},
title = {{Trends in the Recent Emotet Maldoc Outbreak}},
date = {2022-04-18},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/Trends-in-the-recent-emotet-maldoc-outbreak},
language = {English},
urldate = {2022-04-20}
}
Trends in the Recent Emotet Maldoc Outbreak Emotet |
2022-04-17 ⋅ Malwarology ⋅ Gaetano Pellegrino @online{pellegrino:20220417:qakbot:6af138c,
author = {Gaetano Pellegrino},
title = {{Qakbot Series: API Hashing}},
date = {2022-04-17},
organization = {Malwarology},
url = {https://www.malwarology.com/2022/04/qakbot-series-api-hashing/},
language = {English},
urldate = {2022-05-29}
}
Qakbot Series: API Hashing QakBot |
2022-04-17 ⋅ BushidoToken Blog ⋅ BushidoToken @online{bushidotoken:20220417:lessons:d4d0595,
author = {BushidoToken},
title = {{Lessons from the Conti Leaks}},
date = {2022-04-17},
organization = {BushidoToken Blog},
url = {https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html},
language = {English},
urldate = {2022-04-25}
}
Lessons from the Conti Leaks BazarBackdoor Conti Emotet IcedID Ryuk TrickBot |
2022-04-16 ⋅ Malwarology ⋅ Gaetano Pellegrino @online{pellegrino:20220416:qakbot:0b60d1c,
author = {Gaetano Pellegrino},
title = {{Qakbot Series: Process Injection}},
date = {2022-04-16},
organization = {Malwarology},
url = {https://www.malwarology.com/2022/04/qakbot-series-process-injection/},
language = {English},
urldate = {2022-05-31}
}
Qakbot Series: Process Injection QakBot |
2022-04-14 ⋅ Cert-UA ⋅ Cert-UA @online{certua:20220414:cyberattack:915dfa7,
author = {Cert-UA},
title = {{Cyberattack on Ukrainian state organizations using IcedID malware (CERT-UA#4464)}},
date = {2022-04-14},
organization = {Cert-UA},
url = {https://cert.gov.ua/article/39609},
language = {Ukrainian},
urldate = {2022-04-20}
}
Cyberattack on Ukrainian state organizations using IcedID malware (CERT-UA#4464) IcedID |
2022-04-14 ⋅ Avast Decoded ⋅ Vladimir Martyanov @online{martyanov:20220414:zloader:23c520a,
author = {Vladimir Martyanov},
title = {{Zloader 2: The Silent Night}},
date = {2022-04-14},
organization = {Avast Decoded},
url = {https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/},
language = {English},
urldate = {2022-04-15}
}
Zloader 2: The Silent Night ISFB Raccoon Zloader |
2022-04-14 ⋅ Bleeping Computer ⋅ Bill Toulas @online{toulas:20220414:hackers:2b1153c,
author = {Bill Toulas},
title = {{Hackers target Ukrainian govt with IcedID malware, Zimbra exploits}},
date = {2022-04-14},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/hackers-target-ukrainian-govt-with-icedid-malware-zimbra-exploits/},
language = {English},
urldate = {2022-04-15}
}
Hackers target Ukrainian govt with IcedID malware, Zimbra exploits IcedID |
2022-04-13 ⋅ Kaspersky ⋅ AMR @online{amr:20220413:emotet:113c0db,
author = {AMR},
title = {{Emotet modules and recent attacks}},
date = {2022-04-13},
organization = {Kaspersky},
url = {https://securelist.com/emotet-modules-and-recent-attacks/106290/},
language = {English},
urldate = {2022-04-15}
}
Emotet modules and recent attacks Emotet |
2022-04-13 ⋅ Malwarology ⋅ Gaetano Pellegrino @online{pellegrino:20220413:qakbot:4bc5d74,
author = {Gaetano Pellegrino},
title = {{Qakbot Series: Configuration Extraction}},
date = {2022-04-13},
organization = {Malwarology},
url = {https://www.malwarology.com/2022/04/qakbot-series-configuration-extraction/},
language = {English},
urldate = {2022-05-29}
}
Qakbot Series: Configuration Extraction QakBot |
2022-04-12 ⋅ AhnLab ⋅ ASEC Analysis Team @online{team:20220412:systembc:7bdd20c,
author = {ASEC Analysis Team},
title = {{SystemBC Being Used by Various Attackers}},
date = {2022-04-12},
organization = {AhnLab},
url = {https://asec.ahnlab.com/en/33600/},
language = {English},
urldate = {2022-04-15}
}
SystemBC Being Used by Various Attackers Emotet SmokeLoader SystemBC |
2022-04-12 ⋅ Tech Times ⋅ Joseph Henry @online{henry:20220412:qbot:9dd8d54,
author = {Joseph Henry},
title = {{Qbot Botnet Deploys Malware Payloads Through Malicious Windows Installers}},
date = {2022-04-12},
organization = {Tech Times},
url = {https://www.techtimes.com/articles/274190/20220412/qbot-botnet-deploys-malware-payloads-through-malicious-windows-installers.htm},
language = {English},
urldate = {2022-05-04}
}
Qbot Botnet Deploys Malware Payloads Through Malicious Windows Installers QakBot |
2022-04-12 ⋅ Check Point ⋅ Check Point Research @online{research:20220412:march:2c56dc6,
author = {Check Point Research},
title = {{March 2022’s Most Wanted Malware: Easter Phishing Scams Help Emotet Assert its Dominance}},
date = {2022-04-12},
organization = {Check Point},
url = {https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/},
language = {English},
urldate = {2022-04-20}
}
March 2022’s Most Wanted Malware: Easter Phishing Scams Help Emotet Assert its Dominance Alien FluBot Agent Tesla Emotet |
2022-04-11 ⋅ Bleeping Computer ⋅ Sergiu Gatlan @online{gatlan:20220411:qbot:7f1ddc7,
author = {Sergiu Gatlan},
title = {{Qbot malware switches to new Windows Installer infection vector}},
date = {2022-04-11},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/qbot-malware-switches-to-new-windows-installer-infection-vector/},
language = {English},
urldate = {2022-05-04}
}
Qbot malware switches to new Windows Installer infection vector QakBot |
2022-04-10 ⋅ Malwarology ⋅ Gaetano Pellegrino @online{pellegrino:20220410:qakbot:d46c1cc,
author = {Gaetano Pellegrino},
title = {{Qakbot Series: String Obfuscation}},
date = {2022-04-10},
organization = {Malwarology},
url = {https://www.malwarology.com/2022/04/qakbot-series-string-obfuscation/},
language = {English},
urldate = {2022-05-29}
}
Qakbot Series: String Obfuscation QakBot |
2022-04-08 ⋅ ReversingLabs ⋅ Paul Roberts @online{roberts:20220408:conversinglabs:270c740,
author = {Paul Roberts},
title = {{ConversingLabs Ep. 2: Conti pivots as ransomware as a service struggles}},
date = {2022-04-08},
organization = {ReversingLabs},
url = {https://blog.reversinglabs.com/blog/conversinglabs-ep-2-conti-pivots-as-ransomware-as-a-service-struggles},
language = {English},
urldate = {2022-06-09}
}
ConversingLabs Ep. 2: Conti pivots as ransomware as a service struggles Conti Emotet TrickBot |
2022-04-04 ⋅ The DFIR Report ⋅ @0xtornado, @yatinwad, @MettalicHack, @_pete_0 @online{0xtornado:20220404:stolen:3df91a7,
author = {@0xtornado and @yatinwad and @MettalicHack and @_pete_0},
title = {{Stolen Images Campaign Ends in Conti Ransomware}},
date = {2022-04-04},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/},
language = {English},
urldate = {2022-04-04}
}
Stolen Images Campaign Ends in Conti Ransomware Conti IcedID |
2022-04-02 ⋅ Github (pl-v) ⋅ Player-V @online{playerv:20220402:emotet:712f2ab,
author = {Player-V},
title = {{Emotet Analysis Part 1: Unpacking}},
date = {2022-04-02},
organization = {Github (pl-v)},
url = {https://pl-v.github.io/plv/posts/Emotet-unpacking/},
language = {English},
urldate = {2022-04-08}
}
Emotet Analysis Part 1: Unpacking Emotet |
2022-03-31 ⋅ Trellix ⋅ John Fokker, Jambul Tologonov @online{fokker:20220331:conti:3bc2974,
author = {John Fokker and Jambul Tologonov},
title = {{Conti Leaks: Examining the Panama Papers of Ransomware}},
date = {2022-03-31},
organization = {Trellix},
url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html},
language = {English},
urldate = {2022-04-07}
}
Conti Leaks: Examining the Panama Papers of Ransomware LockBit Amadey Buer Conti IcedID LockBit Mailto Maze PhotoLoader Ryuk TrickBot |
2022-03-31 ⋅ nccgroup ⋅ Nikolaos Pantazopoulos, Alex Jessop, Simon Biggs, RIFT: Research and Intelligence Fusion Team @online{pantazopoulos:20220331:continuation:b38514d,
author = {Nikolaos Pantazopoulos and Alex Jessop and Simon Biggs and RIFT: Research and Intelligence Fusion Team},
title = {{Conti-nuation: methods and techniques observed in operations post the leaks}},
date = {2022-03-31},
organization = {nccgroup},
url = {https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/},
language = {English},
urldate = {2022-03-31}
}
Conti-nuation: methods and techniques observed in operations post the leaks Cobalt Strike Conti QakBot |
2022-03-30 ⋅ Prevailion ⋅ Prevailion @online{prevailion:20220330:wizard:6eb38a7,
author = {Prevailion},
title = {{Wizard Spider continues to confound}},
date = {2022-03-30},
organization = {Prevailion},
url = {https://blog.prevailion.com/wizard-spider-continues-to-confound-4298370f6903},
language = {English},
urldate = {2022-03-31}
}
Wizard Spider continues to confound BazarBackdoor Cobalt Strike Emotet |
2022-03-29 ⋅ vmware ⋅ Oleg Boyarchuk, Jason Zhang, Threat Analysis Unit @online{boyarchuk:20220329:emotet:18b143b,
author = {Oleg Boyarchuk and Jason Zhang and Threat Analysis Unit},
title = {{Emotet C2 Configuration Extraction and Analysis}},
date = {2022-03-29},
organization = {vmware},
url = {https://blogs.vmware.com/security/2022/03/emotet-c2-configuration-extraction-and-analysis.html},
language = {English},
urldate = {2022-04-04}
}
Emotet C2 Configuration Extraction and Analysis Emotet |
2022-03-29 ⋅ Threat Post ⋅ Elizabeth Montalbano @online{montalbano:20220329:exchange:ff88f41,
author = {Elizabeth Montalbano},
title = {{Exchange Servers Speared in IcedID Phishing Campaign}},
date = {2022-03-29},
organization = {Threat Post},
url = {https://threatpost.com/exchange-servers-speared-in-icedid-phishing-campaign/179137/},
language = {English},
urldate = {2022-03-31}
}
Exchange Servers Speared in IcedID Phishing Campaign IcedID |
2022-03-28 ⋅ Fortinet ⋅ James Slaughter, Val Saengphaibul, Fred Gutierrez @online{slaughter:20220328:spoofed:0cd6f0e,
author = {James Slaughter and Val Saengphaibul and Fred Gutierrez},
title = {{Spoofed Invoice Used to Drop IcedID}},
date = {2022-03-28},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/spoofed-invoice-drops-iced-id},
language = {English},
urldate = {2022-03-31}
}
Spoofed Invoice Used to Drop IcedID IcedID |
2022-03-28 ⋅ Bleeping Computer ⋅ Bill Toulas @online{toulas:20220328:microsoft:5bc32d1,
author = {Bill Toulas},
title = {{Microsoft Exchange targeted for IcedID reply-chain hijacking attacks}},
date = {2022-03-28},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/microsoft-exchange-targeted-for-icedid-reply-chain-hijacking-attacks/},
language = {English},
urldate = {2022-03-30}
}
Microsoft Exchange targeted for IcedID reply-chain hijacking attacks IcedID |
2022-03-28 ⋅ Cisco ⋅ María José Erquiaga, Onur Erdogan, Adela Jezkova @online{erquiaga:20220328:emotet:d36774a,
author = {María José Erquiaga and Onur Erdogan and Adela Jezkova},
title = {{Emotet is Back}},
date = {2022-03-28},
organization = {Cisco},
url = {https://blogs.cisco.com/security/emotet-is-back},
language = {English},
urldate = {2022-03-30}
}
Emotet is Back Emotet |
2022-03-28 ⋅ Intezer ⋅ Joakim Kennedy, Ryan Robinson @online{kennedy:20220328:new:cede4da,
author = {Joakim Kennedy and Ryan Robinson},
title = {{New Conversation Hijacking Campaign Delivering IcedID}},
date = {2022-03-28},
organization = {Intezer},
url = {https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/},
language = {English},
urldate = {2022-04-05}
}
New Conversation Hijacking Campaign Delivering IcedID IcedID PhotoLoader |
2022-03-25 ⋅ SANS ISC ⋅ Xavier Mertens @online{mertens:20220325:xlsb:21fdeaf,
author = {Xavier Mertens},
title = {{XLSB Files: Because Binary is Stealthier Than XML}},
date = {2022-03-25},
organization = {SANS ISC},
url = {https://isc.sans.edu/forums/diary/XLSB+Files+Because+Binary+is+Stealthier+Than+XML/28476/},
language = {English},
urldate = {2022-03-25}
}
XLSB Files: Because Binary is Stealthier Than XML QakBot |
2022-03-23 ⋅ Fortinet ⋅ Shunichi Imano, Val Saengphaibul @online{imano:20220323:bad:06c3501,
author = {Shunichi Imano and Val Saengphaibul},
title = {{Bad Actors Trying to Capitalize on Current Events via Shameless Email Scams}},
date = {2022-03-23},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/bad-actors-capitalize-current-events-email-scams},
language = {English},
urldate = {2022-03-25}
}
Bad Actors Trying to Capitalize on Current Events via Shameless Email Scams Emotet |
2022-03-23 ⋅ Secureworks ⋅ Counter Threat Unit Research Team @online{researchteam:20220323:gold:0f3da90,
author = {Counter Threat Unit Research Team},
title = {{GOLD ULRICK Leaks Reveal Organizational Structure and Relationships}},
date = {2022-03-23},
organization = {Secureworks},
url = {https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships},
language = {English},
urldate = {2022-03-25}
}
GOLD ULRICK Leaks Reveal Organizational Structure and Relationships Conti Emotet IcedID TrickBot |
2022-03-23 ⋅ NVISO Labs ⋅ Bart Parys @online{parys:20220323:hunting:1610697,
author = {Bart Parys},
title = {{Hunting Emotet campaigns with Kusto}},
date = {2022-03-23},
organization = {NVISO Labs},
url = {https://blog.nviso.eu/2022/03/23/hunting-emotet-campaigns-with-kusto/},
language = {English},
urldate = {2022-03-24}
}
Hunting Emotet campaigns with Kusto Emotet |
2022-03-23 ⋅ Secureworks ⋅ Counter Threat Unit Research Team @online{researchteam:20220323:threat:84ad46c,
author = {Counter Threat Unit Research Team},
title = {{Threat Intelligence Executive Report Volume 2022, Number 2}},
date = {2022-03-23},
organization = {Secureworks},
url = {https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx},
language = {English},
urldate = {2022-03-25}
}
Threat Intelligence Executive Report Volume 2022, Number 2 Conti Emotet IcedID TrickBot |
2022-03-23 ⋅ Fortinet ⋅ Xiaopeng Zhang @online{zhang:20220323:ms:946096e,
author = {Xiaopeng Zhang},
title = {{MS Office Files Involved Again in Recent Emotet Trojan Campaign – Part II}},
date = {2022-03-23},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/ms-office-files-involved-again-in-recent-emotet-trojan-campaign-part-ii},
language = {English},
urldate = {2022-03-25}
}
MS Office Files Involved Again in Recent Emotet Trojan Campaign – Part II Emotet |
2022-03-21 ⋅ Info Security ⋅ Vinugayathri Chinnasamy @online{chinnasamy:20220321:emotet:2d27f06,
author = {Vinugayathri Chinnasamy},
title = {{Emotet Is Back and Is Deadlier Than Ever! A Rundown of the Emotet Malware}},
date = {2022-03-21},
organization = {Info Security},
url = {https://www.infosecurity-magazine.com/blogs/a-rundown-of-the-emotet-malware/},
language = {English},
urldate = {2022-03-22}
}
Emotet Is Back and Is Deadlier Than Ever! A Rundown of the Emotet Malware Emotet |
2022-03-21 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU) @online{tru:20220321:conti:507fdf9,
author = {eSentire Threat Response Unit (TRU)},
title = {{Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered}},
date = {2022-03-21},
organization = {eSentire},
url = {https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire},
language = {English},
urldate = {2022-05-23}
}
Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered HelloKitty BazarBackdoor Cobalt Strike Conti FiveHands HelloKitty IcedID |
2022-03-17 ⋅ Github (eln0ty) ⋅ Abdallah Elnoty @online{elnoty:20220317:icedid:0b8ef27,
author = {Abdallah Elnoty},
title = {{IcedID Analysis}},
date = {2022-03-17},
organization = {Github (eln0ty)},
url = {https://eln0ty.github.io/malware%20analysis/IcedID/},
language = {English},
urldate = {2022-03-22}
}
IcedID Analysis IcedID |
2022-03-17 ⋅ Trend Micro ⋅ Trend Micro Research @techreport{research:20220317:navigating:5ad631e,
author = {Trend Micro Research},
title = {{Navigating New Frontiers Trend Micro 2021 Annual Cybersecurity Report}},
date = {2022-03-17},
institution = {Trend Micro},
url = {https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf},
language = {English},
urldate = {2022-03-22}
}
Navigating New Frontiers Trend Micro 2021 Annual Cybersecurity Report REvil BazarBackdoor Buer IcedID QakBot REvil |
2022-03-16 ⋅ SANS ISC ⋅ Brad Duncan @online{duncan:20220316:qakbot:7fe703f,
author = {Brad Duncan},
title = {{Qakbot infection with Cobalt Strike and VNC activity}},
date = {2022-03-16},
organization = {SANS ISC},
url = {https://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448/},
language = {English},
urldate = {2022-03-17}
}
Qakbot infection with Cobalt Strike and VNC activity Cobalt Strike QakBot |
2022-03-16 ⋅ Symantec ⋅ Symantec Threat Hunter Team @techreport{team:20220316:ransomware:1c2a72a,
author = {Symantec Threat Hunter Team},
title = {{The Ransomware Threat Landscape: What to Expect in 2022}},
date = {2022-03-16},
institution = {Symantec},
url = {https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf},
language = {English},
urldate = {2022-03-22}
}
The Ransomware Threat Landscape: What to Expect in 2022 AvosLocker BlackCat BlackMatter Conti DarkSide DoppelPaymer Emotet Hive Karma Mespinoza Nemty Squirrelwaffle VegaLocker WastedLocker Yanluowang Zeppelin |
2022-03-16 ⋅ Dragos ⋅ Josh Hanrahan @online{hanrahan:20220316:suspected:325fc01,
author = {Josh Hanrahan},
title = {{Suspected Conti Ransomware Activity in the Auto Manufacturing Sector}},
date = {2022-03-16},
organization = {Dragos},
url = {https://www.dragos.com/blog/industry-news/suspected-conti-ransomware-activity-in-the-auto-manufacturing-sector/},
language = {English},
urldate = {2022-03-17}
}
Suspected Conti Ransomware Activity in the Auto Manufacturing Sector Conti Emotet |
2022-03-16 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan @online{duncan:20220316:qakbot:ff11e1e,
author = {Brad Duncan},
title = {{Qakbot infection with Cobalt Strike and VNC activity}},
date = {2022-03-16},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/rss/28448},
language = {English},
urldate = {2022-03-17}
}
Qakbot infection with Cobalt Strike and VNC activity Cobalt Strike QakBot |
2022-03-09 ⋅ nikpx ⋅ xors @online{xors:20220309:bokbot:925e438,
author = {xors},
title = {{BokBot Technical Analysis}},
date = {2022-03-09},
organization = {nikpx},
url = {https://nikpx.github.io/malware/analysis/2022/03/09/BokBot},
language = {English},
urldate = {2022-03-10}
}
BokBot Technical Analysis IcedID |
2022-03-08 ⋅ Lumen ⋅ Black Lotus Labs @online{labs:20220308:what:c99735b,
author = {Black Lotus Labs},
title = {{What Global Network Visibility Reveals about the Resurgence of One of the World’s Most Notorious Botnets}},
date = {2022-03-08},
organization = {Lumen},
url = {https://blog.lumen.com/emotet-redux/},
language = {English},
urldate = {2022-03-10}
}
What Global Network Visibility Reveals about the Resurgence of One of the World’s Most Notorious Botnets Emotet |
2022-03-07 ⋅ Fortinet ⋅ Xiaopeng Zhang @online{zhang:20220307:ms:b388372,
author = {Xiaopeng Zhang},
title = {{MS Office Files Involved Again in Recent Emotet Trojan Campaign – Part I}},
date = {2022-03-07},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one},
language = {English},
urldate = {2022-03-08}
}
MS Office Files Involved Again in Recent Emotet Trojan Campaign – Part I Emotet |
2022-03-03 ⋅ Trend Micro ⋅ Trend Micro Research @online{research:20220303:cyberattacks:d961eb0,
author = {Trend Micro Research},
title = {{Cyberattacks are Prominent in the Russia-Ukraine Conflict}},
date = {2022-03-03},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html},
language = {English},
urldate = {2022-03-04}
}
Cyberattacks are Prominent in the Russia-Ukraine Conflict BazarBackdoor Cobalt Strike Conti Emotet WhisperGate |
2022-03-02 ⋅ KrebsOnSecurity ⋅ Brian Krebs @online{krebs:20220302:conti:03b0358,
author = {Brian Krebs},
title = {{Conti Ransomware Group Diaries, Part II: The Office}},
date = {2022-03-02},
organization = {KrebsOnSecurity},
url = {https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/},
language = {English},
urldate = {2022-03-07}
}
Conti Ransomware Group Diaries, Part II: The Office Conti Emotet Ryuk TrickBot |
2022-03-01 ⋅ Twitter (@ContiLeaks) ⋅ ContiLeaks @online{contileaks:20220301:emotet:b68be9c,
author = {ContiLeaks},
title = {{Tweet on Emotet final server scheme}},
date = {2022-03-01},
organization = {Twitter (@ContiLeaks)},
url = {https://twitter.com/ContiLeaks/status/1498614197202079745},
language = {English},
urldate = {2022-03-02}
}
Tweet on Emotet final server scheme Emotet |
2022-02-26 ⋅ LinkedIn (Zayed AlJaberi) ⋅ Zayed AlJaberi @online{aljaberi:20220226:hunting:270b30c,
author = {Zayed AlJaberi},
title = {{Hunting Recent QakBot Malware}},
date = {2022-02-26},
organization = {LinkedIn (Zayed AlJaberi)},
url = {https://www.linkedin.com/posts/zayedaljaberi_hunting-recent-qakbot-malware-activity-6903498764984606720-2Gl4},
language = {English},
urldate = {2022-03-01}
}
Hunting Recent QakBot Malware QakBot |
2022-02-26 ⋅ Mandiant ⋅ Mandiant @online{mandiant:20220226:trending:a445d4a,
author = {Mandiant},
title = {{TRENDING EVIL Q1 2022}},
date = {2022-02-26},
organization = {Mandiant},
url = {https://experience.mandiant.com/trending-evil/p/1},
language = {English},
urldate = {2022-03-14}
}
TRENDING EVIL Q1 2022 KEYPLUG FAKEUPDATES GootLoader BazarBackdoor QakBot |
2022-02-25 ⋅ CyberScoop ⋅ Joe Warminsky @online{warminsky:20220225:trickbot:2d38470,
author = {Joe Warminsky},
title = {{TrickBot malware suddenly got quiet, researchers say, but it's hardly the end for its operators}},
date = {2022-02-25},
organization = {CyberScoop},
url = {https://www.cyberscoop.com/trickbot-shutdown-conti-emotet/},
language = {English},
urldate = {2022-03-01}
}
TrickBot malware suddenly got quiet, researchers say, but it's hardly the end for its operators BazarBackdoor Emotet TrickBot |
2022-02-24 ⋅ The Hacker News ⋅ Ravie Lakshmanan @online{lakshmanan:20220224:notorious:c5e1556,
author = {Ravie Lakshmanan},
title = {{Notorious TrickBot Malware Gang Shuts Down its Botnet Infrastructure}},
date = {2022-02-24},
organization = {The Hacker News},
url = {https://thehackernews.com/2022/02/notorious-trickbot-malware-gang-shuts.html},
language = {English},
urldate = {2022-03-04}
}
Notorious TrickBot Malware Gang Shuts Down its Botnet Infrastructure BazarBackdoor Emotet TrickBot |
2022-02-24 ⋅ Cynet ⋅ Max Malyutin @online{malyutin:20220224:new:014251e,
author = {Max Malyutin},
title = {{New Wave of Emotet – When Project X Turns Into Y}},
date = {2022-02-24},
organization = {Cynet},
url = {https://www.cynet.com/attack-techniques-hands-on/new-wave-of-emotet-when-project-x-turns-into-y/},
language = {English},
urldate = {2022-05-04}
}
New Wave of Emotet – When Project X Turns Into Y Cobalt Strike Emotet |
2022-02-24 ⋅ The Hacker News ⋅ Ravie Lakshmanan @online{lakshmanan:20220224:trickbot:7e86d52,
author = {Ravie Lakshmanan},
title = {{TrickBot Gang Likely Shifting Operations to Switch to New Malware}},
date = {2022-02-24},
organization = {The Hacker News},
url = {https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html},
language = {English},
urldate = {2022-03-01}
}
TrickBot Gang Likely Shifting Operations to Switch to New Malware BazarBackdoor Emotet QakBot TrickBot |
2022-02-23 ⋅ cyber.wtf blog ⋅ Luca Ebach @online{ebach:20220223:what:0a4496e,
author = {Luca Ebach},
title = {{What the Pack(er)?}},
date = {2022-02-23},
organization = {cyber.wtf blog},
url = {https://cyber.wtf/2022/03/23/what-the-packer/},
language = {English},
urldate = {2022-03-25}
}
What the Pack(er)? Cobalt Strike Emotet |
2022-02-22 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU) @online{tru:20220222:icedid:67f870d,
author = {eSentire Threat Response Unit (TRU)},
title = {{IcedID to Cobalt Strike In Under 20 Minutes}},
date = {2022-02-22},
organization = {eSentire},
url = {https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes},
language = {English},
urldate = {2022-05-23}
}
IcedID to Cobalt Strike In Under 20 Minutes Cobalt Strike IcedID PhotoLoader |
2022-02-21 ⋅ The DFIR Report @online{report:20220221:qbot:8b10b52,
author = {The DFIR Report},
title = {{Qbot and Zerologon Lead To Full Domain Compromise}},
date = {2022-02-21},
url = {https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/},
language = {English},
urldate = {2022-02-26}
}
Qbot and Zerologon Lead To Full Domain Compromise Cobalt Strike QakBot |
2022-02-16 ⋅ Threat Post ⋅ Elizabeth Montalbano @online{montalbano:20220216:emotet:a1297ac,
author = {Elizabeth Montalbano},
title = {{Emotet Now Spreading Through Malicious Excel Files}},
date = {2022-02-16},
organization = {Threat Post},
url = {https://threatpost.com/emotet-spreading-malicious-excel-files/178444/},
language = {English},
urldate = {2022-02-18}
}
Emotet Now Spreading Through Malicious Excel Files Emotet |
2022-02-16 ⋅ SOC Prime ⋅ Alla Yurchenko @online{yurchenko:20220216:qbot:db07ba5,
author = {Alla Yurchenko},
title = {{QBot Malware Detection: Old Dog New Tricks}},
date = {2022-02-16},
organization = {SOC Prime},
url = {https://socprime.com/blog/qbot-malware-detection-old-dog-new-tricks/},
language = {English},
urldate = {2022-02-17}
}
QBot Malware Detection: Old Dog New Tricks QakBot |
2022-02-16 ⋅ Security Onion ⋅ Doug Burks @online{burks:20220216:quick:e515983,
author = {Doug Burks},
title = {{Quick Malware Analysis: Emotet Epoch 5 and Cobalt Strike pcap from 2022-02-08}},
date = {2022-02-16},
organization = {Security Onion},
url = {https://blog.securityonion.net/2022/02/quick-malware-analysis-emotet-epoch-5.html},
language = {English},
urldate = {2022-02-17}
}
Quick Malware Analysis: Emotet Epoch 5 and Cobalt Strike pcap from 2022-02-08 Cobalt Strike Emotet |
2022-02-15 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU) @online{tru:20220215:increase:a4de9ce,
author = {eSentire Threat Response Unit (TRU)},
title = {{Increase in Emotet Activity and Cobalt Strike Deployment}},
date = {2022-02-15},
organization = {eSentire},
url = {https://www.esentire.com/blog/increase-in-emotet-activity-and-cobalt-strike-deployment},
language = {English},
urldate = {2022-05-23}
}
Increase in Emotet Activity and Cobalt Strike Deployment Cobalt Strike Emotet |
2022-02-15 ⋅ Palo Alto Networks Unit 42 ⋅ Saqib Khanzada, Tyler Halfpop, Micah Yates, Brad Duncan @online{khanzada:20220215:new:822e8f9,
author = {Saqib Khanzada and Tyler Halfpop and Micah Yates and Brad Duncan},
title = {{New Emotet Infection Method}},
date = {2022-02-15},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/new-emotet-infection-method/},
language = {English},
urldate = {2022-02-17}
}
New Emotet Infection Method Emotet |
2022-02-13 ⋅ NetbyteSEC ⋅ Taqi, Rosamira, Fareed @online{taqi:20220213:technical:50aa099,
author = {Taqi and Rosamira and Fareed},
title = {{Technical Malware Analysis: The Return of Emotet}},
date = {2022-02-13},
organization = {NetbyteSEC},
url = {https://notes.netbytesec.com/2022/02/technical-malware-analysis-return-of.html},
language = {English},
urldate = {2022-02-14}
}
Technical Malware Analysis: The Return of Emotet Emotet |
2022-02-10 ⋅ Cybereason ⋅ Cybereason Global SOC Team @online{team:20220210:threat:320574f,
author = {Cybereason Global SOC Team},
title = {{Threat Analysis Report: All Paths Lead to Cobalt Strike - IcedID, Emotet and QBot}},
date = {2022-02-10},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot},
language = {English},
urldate = {2022-02-10}
}
Threat Analysis Report: All Paths Lead to Cobalt Strike - IcedID, Emotet and QBot Cobalt Strike Emotet IcedID QakBot |
2022-02-08 ⋅ BleepingComputer ⋅ Bill Toulas @online{toulas:20220208:qbot:a40ed5c,
author = {Bill Toulas},
title = {{Qbot needs only 30 minutes to steal your credentials, emails}},
date = {2022-02-08},
organization = {BleepingComputer},
url = {https://www.bleepingcomputer.com/news/security/qbot-needs-only-30-minutes-to-steal-your-credentials-emails/},
language = {English},
urldate = {2022-02-09}
}
Qbot needs only 30 minutes to steal your credentials, emails QakBot |
2022-02-07 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20220207:qbot:35410a9,
author = {The DFIR Report},
title = {{Qbot Likes to Move It, Move It}},
date = {2022-02-07},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/},
language = {English},
urldate = {2022-02-09}
}
Qbot Likes to Move It, Move It QakBot |
2022-02-07 ⋅ vmware ⋅ Jason Zhang, Threat Analysis Unit @online{zhang:20220207:emotet:e89deeb,
author = {Jason Zhang and Threat Analysis Unit},
title = {{Emotet Is Not Dead (Yet) – Part 2}},
date = {2022-02-07},
organization = {vmware},
url = {https://blogs.vmware.com/networkvirtualization/2022/02/emotet-is-not-dead-yet-part-2.html/},
language = {English},
urldate = {2022-02-10}
}
Emotet Is Not Dead (Yet) – Part 2 Emotet |
2022-02-02 ⋅ VMRay ⋅ VMRay Labs Team, Mateusz Lukaszewski @online{team:20220202:malware:0eef3c2,
author = {VMRay Labs Team and Mateusz Lukaszewski},
title = {{Malware Analysis Spotlight: Emotet’s Use of Cryptography}},
date = {2022-02-02},
organization = {VMRay},
url = {https://www.vmray.com/cyber-security-blog/malware-analysis-spotlight-emotets-use-of-cryptography/},
language = {English},
urldate = {2022-02-09}
}
Malware Analysis Spotlight: Emotet’s Use of Cryptography Emotet |
2022-01-27 ⋅ Threat Lab Indonesia ⋅ Threat Lab Indonesia @online{indonesia:20220127:malware:8bcfff1,
author = {Threat Lab Indonesia},
title = {{Malware Analysis Emotet Infection}},
date = {2022-01-27},
organization = {Threat Lab Indonesia},
url = {https://blog.threatlab.info/malware-analysis-emotet-infection/},
language = {Indonesian},
urldate = {2022-02-02}
}
Malware Analysis Emotet Infection Emotet |
2022-01-25 ⋅ SANS ISC ⋅ Brad Duncan @online{duncan:20220125:emotet:9c62525,
author = {Brad Duncan},
title = {{Emotet Stops Using 0.0.0.0 in Spambot Traffic}},
date = {2022-01-25},
organization = {SANS ISC},
url = {https://isc.sans.edu/forums/diary/Emotet+Stops+Using+0000+in+Spambot+Traffic/28270/},
language = {English},
urldate = {2022-02-01}
}
Emotet Stops Using 0.0.0.0 in Spambot Traffic Emotet |
2022-01-23 ⋅ kienmanowar Blog ⋅ m4n0w4r, Tran Trung Kien @online{m4n0w4r:20220123:quicknote:852995b,
author = {m4n0w4r and Tran Trung Kien},
title = {{[QuickNote] Emotet epoch4 & epoch5 tactics}},
date = {2022-01-23},
organization = {kienmanowar Blog},
url = {https://kienmanowar.wordpress.com/2022/01/23/quicknote-emotet-epoch4-epoch5-tactics/},
language = {English},
urldate = {2022-01-25}
}
[QuickNote] Emotet epoch4 & epoch5 tactics Emotet |
2022-01-22 ⋅ Atomic Matryoshka ⋅ z3r0day_504 @online{z3r0day504:20220122:malware:1ec08ef,
author = {z3r0day_504},
title = {{Malware Headliners: Emotet}},
date = {2022-01-22},
organization = {Atomic Matryoshka},
url = {https://www.atomicmatryoshka.com/post/malware-headliners-emotet},
language = {English},
urldate = {2022-02-01}
}
Malware Headliners: Emotet Emotet |
2022-01-21 ⋅ Trend Micro ⋅ Ian Kenefick @online{kenefick:20220121:emotet:daddaf1,
author = {Ian Kenefick},
title = {{Emotet Spam Abuses Unconventional IP Address Formats to Spread Malware}},
date = {2022-01-21},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/22/a/emotet-spam-abuses-unconventional-ip-address-formats-spread-malware.html},
language = {English},
urldate = {2022-01-25}
}
Emotet Spam Abuses Unconventional IP Address Formats to Spread Malware Emotet |
2022-01-21 ⋅ vmware ⋅ Jason Zhang, Threat Analysis Unit @online{zhang:20220121:emotet:bdb4508,
author = {Jason Zhang and Threat Analysis Unit},
title = {{Emotet Is Not Dead (Yet)}},
date = {2022-01-21},
organization = {vmware},
url = {https://blogs.vmware.com/networkvirtualization/2022/01/emotet-is-not-dead-yet.html/},
language = {English},
urldate = {2022-02-10}
}
Emotet Is Not Dead (Yet) Emotet |
2022-01-19 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan @online{duncan:20220119:0000:cdac125,
author = {Brad Duncan},
title = {{0.0.0.0 in Emotet Spambot Traffic}},
date = {2022-01-19},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/rss/28254},
language = {English},
urldate = {2022-01-24}
}
0.0.0.0 in Emotet Spambot Traffic Emotet |
2022-01-19 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team @online{team:20220119:kraken:5b52d17,
author = {The BlackBerry Research & Intelligence Team},
title = {{Kraken the Code on Prometheus}},
date = {2022-01-19},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus},
language = {English},
urldate = {2022-05-25}
}
Kraken the Code on Prometheus Prometheus Backdoor BlackMatter Cerber Cobalt Strike DCRat Ficker Stealer QakBot REvil Ryuk |
2022-01-18 ⋅ Recorded Future ⋅ Insikt Group® @techreport{group:20220118:2021:9cff6fc,
author = {Insikt Group®},
title = {{2021 Adversary Infrastructure Report}},
date = {2022-01-18},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf},
language = {English},
urldate = {2022-01-24}
}
2021 Adversary Infrastructure Report BazarBackdoor Cobalt Strike Dridex IcedID QakBot TrickBot |
2022-01-17 ⋅ forensicitguy ⋅ Tony Lambert @online{lambert:20220117:emotets:85bf9d4,
author = {Tony Lambert},
title = {{Emotet's Excel 4.0 Macros Dropping DLLs}},
date = {2022-01-17},
organization = {forensicitguy},
url = {https://forensicitguy.github.io/emotet-excel4-macro-analysis/},
language = {English},
urldate = {2022-01-25}
}
Emotet's Excel 4.0 Macros Dropping DLLs Emotet |
2022-01-15 ⋅ Atomic Matryoshka ⋅ z3r0day_504 @online{z3r0day504:20220115:malware:ce94f8c,
author = {z3r0day_504},
title = {{Malware Headliners: Qakbot}},
date = {2022-01-15},
organization = {Atomic Matryoshka},
url = {https://www.atomicmatryoshka.com/post/malware-headliners-qakbot},
language = {English},
urldate = {2022-02-01}
}
Malware Headliners: Qakbot QakBot |
2022-01-14 ⋅ RiskIQ ⋅ Jordan Herman @online{herman:20220114:riskiq:f4f5b68,
author = {Jordan Herman},
title = {{RiskIQ: Unique SSL Certificates and JARM Hash Connected to Emotet and Dridex C2 Servers}},
date = {2022-01-14},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/2cd1c003},
language = {English},
urldate = {2022-01-18}
}
RiskIQ: Unique SSL Certificates and JARM Hash Connected to Emotet and Dridex C2 Servers Dridex Emotet |
2022-01-13 ⋅ Trustwave ⋅ Lloyd Macrohon, Rodel Mendrez @online{macrohon:20220113:decrypting:274747e,
author = {Lloyd Macrohon and Rodel Mendrez},
title = {{Decrypting Qakbot’s Encrypted Registry Keys}},
date = {2022-01-13},
organization = {Trustwave},
url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/decrypting-qakbots-encrypted-registry-keys/},
language = {English},
urldate = {2022-01-25}
}
Decrypting Qakbot’s Encrypted Registry Keys QakBot |
2022-01-11 ⋅ Cybereason ⋅ Omri Refaeli, Chen Erlich, Ofir Ozer, Niv Yona, Daichi Shimabukuro @online{refaeli:20220111:threat:fd22089,
author = {Omri Refaeli and Chen Erlich and Ofir Ozer and Niv Yona and Daichi Shimabukuro},
title = {{Threat Analysis Report: DatopLoader Exploits ProxyShell to Deliver QBOT and Cobalt Strike}},
date = {2022-01-11},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike},
language = {English},
urldate = {2022-01-18}
}
Threat Analysis Report: DatopLoader Exploits ProxyShell to Deliver QBOT and Cobalt Strike Cobalt Strike QakBot Squirrelwaffle |
2022-01-11 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt @online{reaves:20220111:signed:0f32583,
author = {Jason Reaves and Joshua Platt},
title = {{Signed DLL campaigns as a service}},
date = {2022-01-11},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489},
language = {English},
urldate = {2023-01-31}
}
Signed DLL campaigns as a service BATLOADER Cobalt Strike ISFB Zloader |
2022-01-07 ⋅ muha2xmad ⋅ Muhammad Hasan Ali @online{ali:20220107:unpacking:e59d104,
author = {Muhammad Hasan Ali},
title = {{Unpacking Emotet malware part 02}},
date = {2022-01-07},
organization = {muha2xmad},
url = {https://muha2xmad.github.io/unpacking/emotet-part-2/},
language = {English},
urldate = {2022-02-14}
}
Unpacking Emotet malware part 02 Emotet |
2022-01-06 ⋅ muha2xmad ⋅ Muhammad Hasan Ali @online{ali:20220106:unpacking:57cdd55,
author = {Muhammad Hasan Ali},
title = {{Unpacking Emotet malware part 01}},
date = {2022-01-06},
organization = {muha2xmad},
url = {https://muha2xmad.github.io/unpacking/emotet-part-1/},
language = {English},
urldate = {2022-02-14}
}
Unpacking Emotet malware part 01 Emotet |
2022-01-01 ⋅ forensicitguy ⋅ Tony Lambert @online{lambert:20220101:analyzing:1512a76,
author = {Tony Lambert},
title = {{Analyzing an IcedID Loader Document}},
date = {2022-01-01},
organization = {forensicitguy},
url = {https://forensicitguy.github.io/analyzing-icedid-document/},
language = {English},
urldate = {2022-01-25}
}
Analyzing an IcedID Loader Document IcedID |
2021-12-22 ⋅ Cloudsek ⋅ Anandeshwar Unnikrishnan @online{unnikrishnan:20211222:emotet:29082b3,
author = {Anandeshwar Unnikrishnan},
title = {{Emotet 2.0: Everything you need to know about the new Variant of the Banking Trojan}},
date = {2021-12-22},
organization = {Cloudsek},
url = {https://web.archive.org/web/20211223100528/https://cloudsek.com/emotet-2-0-everything-you-need-to-know-about-the-new-variant-of-thbanking-trojan/},
language = {English},
urldate = {2022-05-25}
}
Emotet 2.0: Everything you need to know about the new Variant of the Banking Trojan Emotet |
2021-12-17 ⋅ Trend Micro ⋅ Abraham Camba, Jonna Santos, Gilbert Sison, Jay Yaneza @online{camba:20211217:staging:0ec37d9,
author = {Abraham Camba and Jonna Santos and Gilbert Sison and Jay Yaneza},
title = {{Staging a Quack: Reverse Analyzing a Fileless QAKBOT Stager}},
date = {2021-12-17},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/l/staging-a-quack-reverse-analyzing-fileless-qakbot-stager.html},
language = {English},
urldate = {2021-12-31}
}
Staging a Quack: Reverse Analyzing a Fileless QAKBOT Stager QakBot |
2021-12-16 ⋅ Red Canary ⋅ The Red Canary Team @online{team:20211216:intelligence:f7bad55,
author = {The Red Canary Team},
title = {{Intelligence Insights: December 2021}},
date = {2021-12-16},
organization = {Red Canary},
url = {https://redcanary.com/blog/intelligence-insights-december-2021},
language = {English},
urldate = {2021-12-31}
}
Intelligence Insights: December 2021 Cobalt Strike QakBot Squirrelwaffle |
2021-12-16 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan @online{duncan:20211216:how:6fd0b06,
author = {Brad Duncan},
title = {{How the "Contact Forms" campaign tricks people}},
date = {2021-12-16},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/forums/diary/How+the+Contact+Forms+campaign+tricks+people/28142/},
language = {English},
urldate = {2021-12-31}
}
How the "Contact Forms" campaign tricks people IcedID |
2021-12-13 ⋅ Zscaler ⋅ Dennis Schwarz, Avinash Kumar @online{schwarz:20211213:return:94bdbce,
author = {Dennis Schwarz and Avinash Kumar},
title = {{Return of Emotet: Malware Analysis}},
date = {2021-12-13},
organization = {Zscaler},
url = {https://www.zscaler.com/blogs/security-research/return-emotet-malware-analysis},
language = {English},
urldate = {2021-12-20}
}
Return of Emotet: Malware Analysis Emotet |
2021-12-11 ⋅ YouTube (AGDC Services) ⋅ AGDC Services @online{services:20211211:how:358bd74,
author = {AGDC Services},
title = {{How To Extract & Decrypt Qbot Configs Across Variants}},
date = {2021-12-11},
organization = {YouTube (AGDC Services)},
url = {https://www.youtube.com/watch?v=M22c1JgpG-U},
language = {English},
urldate = {2021-12-20}
}
How To Extract & Decrypt Qbot Configs Across Variants QakBot |
2021-12-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team @online{team:20211209:closer:bace4ec,
author = {Microsoft 365 Defender Threat Intelligence Team},
title = {{A closer look at Qakbot’s latest building blocks (and how to knock them down)}},
date = {2021-12-09},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/},
language = {English},
urldate = {2021-12-13}
}
A closer look at Qakbot’s latest building blocks (and how to knock them down) QakBot |
2021-12-09 ⋅ HP ⋅ Patrick Schläpfer @online{schlpfer:20211209:emotets:aa090a7,
author = {Patrick Schläpfer},
title = {{Emotet’s Return: What’s Different?}},
date = {2021-12-09},
organization = {HP},
url = {https://threatresearch.ext.hp.com/emotets-return-whats-different/},
language = {English},
urldate = {2022-01-18}
}
Emotet’s Return: What’s Different? Emotet |
2021-12-08 ⋅ Check Point Research ⋅ Raman Ladutska, Aliaksandr Trafimchuk, David Driker, Yali Magiel @online{ladutska:20211208:when:16ee92b,
author = {Raman Ladutska and Aliaksandr Trafimchuk and David Driker and Yali Magiel},
title = {{When old friends meet again: why Emotet chose Trickbot for rebirth}},
date = {2021-12-08},
organization = {Check Point Research},
url = {https://research.checkpoint.com/2021/when-old-friends-meet-again-why-emotet-chose-trickbot-for-rebirth/},
language = {English},
urldate = {2022-02-18}
}
When old friends meet again: why Emotet chose Trickbot for rebirth Emotet TrickBot |
2021-12-07 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20211207:emotet:f33c999,
author = {Lawrence Abrams},
title = {{Emotet now drops Cobalt Strike, fast forwards ransomware attacks}},
date = {2021-12-07},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/emotet-now-drops-cobalt-strike-fast-forwards-ransomware-attacks/},
language = {English},
urldate = {2021-12-08}
}
Emotet now drops Cobalt Strike, fast forwards ransomware attacks Cobalt Strike Emotet |
2021-12-03 ⋅ SANS ISC InfoSec Forums ⋅ Brad Duncan @online{duncan:20211203:ta551:f71be57,
author = {Brad Duncan},
title = {{TA551 (Shathak) pushes IcedID (Bokbot)}},
date = {2021-12-03},
organization = {SANS ISC InfoSec Forums},
url = {https://isc.sans.edu/forums/diary/TA551+Shathak+pushes+IcedID+Bokbot/28092/},
language = {English},
urldate = {2021-12-06}
}
TA551 (Shathak) pushes IcedID (Bokbot) IcedID |
2021-11-30 ⋅ Deep instinct ⋅ Ron Ben Yizhak @online{yizhak:20211130:reemergence:3f232d5,
author = {Ron Ben Yizhak},
title = {{The Re-Emergence of Emotet}},
date = {2021-11-30},
organization = {Deep instinct},
url = {https://www.deepinstinct.com/blog/the-re-emergence-of-emotet},
language = {English},
urldate = {2022-07-18}
}
The Re-Emergence of Emotet Emotet |
2021-11-25 ⋅ DSIH ⋅ Charles Blanc-Rolin @online{blancrolin:20211125:emotet:b02b32b,
author = {Charles Blanc-Rolin},
title = {{Emotet de retour, POC Exchange, 0-day Windows : à quelle sauce les attaquants prévoient de nous manger cette semaine?}},
date = {2021-11-25},
organization = {DSIH},
url = {https://www.dsih.fr/article/4483/emotet-de-retour-poc-exchange-0-day-windows-a-quelle-sauce-les-attaquants-prevoient-de-nous-manger-cette-semaine.html},
language = {French},
urldate = {2021-12-06}
}
Emotet de retour, POC Exchange, 0-day Windows : à quelle sauce les attaquants prévoient de nous manger cette semaine? Emotet |
2021-11-23 ⋅ Anomali ⋅ Anomali Threat Research @online{research:20211123:mummy:8cffd4e,
author = {Anomali Threat Research},
title = {{Mummy Spider’s Emotet Malware is Back After a Year Hiatus; Wizard Spider’s TrickBot Observed in Its Return}},
date = {2021-11-23},
organization = {Anomali},
url = {https://www.anomali.com/blog/mummy-spiders-emotet-malware-is-back-after-a-year-hiatus-wizard-spiders-trickbot-observed-in-its-return},
language = {English},
urldate = {2021-11-26}
}
Mummy Spider’s Emotet Malware is Back After a Year Hiatus; Wizard Spider’s TrickBot Observed in Its Return Emotet |
2021-11-21 ⋅ Twitter (@tylabs) ⋅ Tyler McLellan, Twitter (@ffforward) @online{mclellan:20211121:twitter:018d4b1,
author = {Tyler McLellan and Twitter (@ffforward)},
title = {{Twitter Thread about UNC1500 phishing using QAKBOT}},
date = {2021-11-21},
organization = {Twitter (@tylabs)},
url = {https://twitter.com/tylabs/status/1462195377277476871},
language = {English},
urldate = {2021-11-29}
}
Twitter Thread about UNC1500 phishing using QAKBOT QakBot |
2021-11-20 ⋅ Twitter (@eduardfir) ⋅ Eduardo Mattos @online{mattos:20211120:velociraptor:bc6d897,
author = {Eduardo Mattos},
title = {{Tweet on Velociraptor artifact analysis for Emotet}},
date = {2021-11-20},
organization = {Twitter (@eduardfir)},
url = {https://twitter.com/eduardfir/status/1461856030292422659},
language = {English},
urldate = {2021-11-25}
}
Tweet on Velociraptor artifact analysis for Emotet Emotet |
2021-11-20 ⋅ Youtube (HEXORCIST) ⋅ Nicolas Brulez @online{brulez:20211120:unpacking:b26d2fb,
author = {Nicolas Brulez},
title = {{Unpacking Emotet and Reversing Obfuscated Word Document}},
date = {2021-11-20},
organization = {Youtube (HEXORCIST)},
url = {https://www.youtube.com/watch?v=AkZ5TYBqcU4},
language = {English},
urldate = {2021-12-20}
}
Unpacking Emotet and Reversing Obfuscated Word Document Emotet |
2021-11-20 ⋅ Advanced Intelligence ⋅ Yelisey Boguslavskiy, Vitali Kremez @online{boguslavskiy:20211120:corporate:a8b0a1c,
author = {Yelisey Boguslavskiy and Vitali Kremez},
title = {{Corporate Loader "Emotet": History of "X" Project Return for Ransomware}},
date = {2021-11-20},
organization = {Advanced Intelligence},
url = {https://www.advintel.io/post/corporate-loader-emotet-history-of-x-project-return-for-ransomware},
language = {English},
urldate = {2021-11-25}
}
Corporate Loader "Emotet": History of "X" Project Return for Ransomware Emotet |
2021-11-19 ⋅ CRONUP ⋅ Germán Fernández @online{fernndez:20211119:la:2cbc6a0,
author = {Germán Fernández},
title = {{La Botnet de EMOTET reinicia ataques en Chile y LATAM}},
date = {2021-11-19},
organization = {CRONUP},
url = {https://www.cronup.com/la-botnet-de-emotet-reinicia-ataques-en-chile-y-latinoamerica/},
language = {Spanish},
urldate = {2021-11-25}
}
La Botnet de EMOTET reinicia ataques en Chile y LATAM Emotet |
2021-11-19 ⋅ Trend Micro ⋅ Mohamed Fahmy, Sherif Magdy, Abdelrhman Sharshar @online{fahmy:20211119:squirrelwaffle:1e8fa78,
author = {Mohamed Fahmy and Sherif Magdy and Abdelrhman Sharshar},
title = {{Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains}},
date = {2021-11-19},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html},
language = {English},
urldate = {2021-11-25}
}
Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains Cobalt Strike QakBot Squirrelwaffle |
2021-11-19 ⋅ LAC WATCH ⋅ LAC WATCH @online{watch:20211119:malware:c504e6f,
author = {LAC WATCH},
title = {{Malware Emotet resumes its activities for the first time in 10 months, and Japan is also the target of the attack}},
date = {2021-11-19},
organization = {LAC WATCH},
url = {https://www.lac.co.jp/lacwatch/alert/20211119_002801.html},
language = {English},
urldate = {2021-11-25}
}
Malware Emotet resumes its activities for the first time in 10 months, and Japan is also the target of the attack Emotet |
2021-11-18 ⋅ Netskope ⋅ Gustavo Palazolo, Ghanashyam Satpathy @online{palazolo:20211118:netskope:39d2098,
author = {Gustavo Palazolo and Ghanashyam Satpathy},
title = {{Netskope Threat Coverage: The Return of Emotet}},
date = {2021-11-18},
organization = {Netskope},
url = {https://www.netskope.com/blog/netskope-threat-coverage-the-return-of-emotet},
language = {English},
urldate = {2021-11-25}
}
Netskope Threat Coverage: The Return of Emotet Emotet |
2021-11-18 ⋅ eSentire ⋅ eSentire @online{esentire:20211118:emotet:ded09a3,
author = {eSentire},
title = {{Emotet Activity Identified}},
date = {2021-11-18},
organization = {eSentire},
url = {https://www.esentire.com/security-advisories/emotet-activity-identified},
language = {English},
urldate = {2021-11-19}
}
Emotet Activity Identified Emotet |
2021-11-18 ⋅ Red Canary ⋅ The Red Canary Team @online{team:20211118:intelligence:7b00cb9,
author = {The Red Canary Team},
title = {{Intelligence Insights: November 2021}},
date = {2021-11-18},
organization = {Red Canary},
url = {https://redcanary.com/blog/intelligence-insights-november-2021/},
language = {English},
urldate = {2021-11-19}
}
Intelligence Insights: November 2021 Andromeda Conti LockBit QakBot Squirrelwaffle |
2021-11-17 ⋅ Twitter (@Unit42_Intel) ⋅ Unit 42 @online{42:20211117:matanbuchus:9e3556c,
author = {Unit 42},
title = {{Tweet on Matanbuchus Loader used to deliver Qakbot (tag obama128b) and follow-up CobaltStrike}},
date = {2021-11-17},
organization = {Twitter (@Unit42_Intel)},
url = {https://twitter.com/Unit42_Intel/status/1461004489234829320},
language = {English},
urldate = {2021-11-25}
}
Tweet on Matanbuchus Loader used to deliver Qakbot (tag obama128b) and follow-up CobaltStrike Cobalt Strike QakBot |
2021-11-16 ⋅ Twitter (@kienbigmummy) ⋅ m4n0w4r @online{m4n0w4r:20211116:short:97d45fa,
author = {m4n0w4r},
title = {{Tweet on short analysis of QakBot}},
date = {2021-11-16},
organization = {Twitter (@kienbigmummy)},
url = {https://twitter.com/kienbigmummy/status/1460537501676802051},
language = {English},
urldate = {2021-11-19}
}
Tweet on short analysis of QakBot QakBot |
2021-11-16 ⋅ Malwarebytes ⋅ Malwarebytes Threat Intelligence Team @online{team:20211116:trickbot:b624694,
author = {Malwarebytes Threat Intelligence Team},
title = {{TrickBot helps Emotet come back from the dead}},
date = {2021-11-16},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-intelligence/2021/11/trickbot-helps-emotet-come-back-from-the-dead/},
language = {English},
urldate = {2021-11-17}
}
TrickBot helps Emotet come back from the dead Emotet TrickBot |
2021-11-16 ⋅ Zscaler ⋅ Deepen Desai @online{desai:20211116:return:936dad6,
author = {Deepen Desai},
title = {{Return of Emotet malware}},
date = {2021-11-16},
organization = {Zscaler},
url = {https://www.zscaler.com/blogs/security-research/return-emotet-malware},
language = {English},
urldate = {2021-11-19}
}
Return of Emotet malware Emotet |
2021-11-16 ⋅ Hornetsecurity ⋅ Security Lab @online{lab:20211116:comeback:7f2b540,
author = {Security Lab},
title = {{Comeback of Emotet}},
date = {2021-11-16},
organization = {Hornetsecurity},
url = {https://www.hornetsecurity.com/en/threat-research/comeback-emotet/},
language = {English},
urldate = {2021-11-25}
}
Comeback of Emotet Emotet |
2021-11-16 ⋅ IronNet ⋅ IronNet Threat Research, Morgan Demboski, Joey Fitzpatrick, Peter Rydzynski @online{research:20211116:how:d7fdaf8,
author = {IronNet Threat Research and Morgan Demboski and Joey Fitzpatrick and Peter Rydzynski},
title = {{How IronNet's Behavioral Analytics Detect REvil and Conti Ransomware}},
date = {2021-11-16},
organization = {IronNet},
url = {https://www.ironnet.com/blog/ransomware-graphic-blog},
language = {English},
urldate = {2021-11-25}
}
How IronNet's Behavioral Analytics Detect REvil and Conti Ransomware Cobalt Strike Conti IcedID REvil |
2021-11-16 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan @online{duncan:20211116:emotet:3545954,
author = {Brad Duncan},
title = {{Emotet Returns}},
date = {2021-11-16},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/28044},
language = {English},
urldate = {2021-11-17}
}
Emotet Returns Emotet |
2021-11-15 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20211115:emotet:8de6d81,
author = {Lawrence Abrams},
title = {{Emotet malware is back and rebuilding its botnet via TrickBot}},
date = {2021-11-15},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/emotet-malware-is-back-and-rebuilding-its-botnet-via-trickbot/},
language = {English},
urldate = {2021-11-17}
}
Emotet malware is back and rebuilding its botnet via TrickBot Emotet |
2021-11-15 ⋅ cyber.wtf blog ⋅ Luca Ebach @online{ebach:20211115:guess:81c7df8,
author = {Luca Ebach},
title = {{Guess who’s back}},
date = {2021-11-15},
organization = {cyber.wtf blog},
url = {https://cyber.wtf/2021/11/15/guess-whos-back/},
language = {English},
urldate = {2021-11-17}
}
Guess who’s back Emotet |
2021-11-15 ⋅ TRUESEC ⋅ Fabio Viggiani @online{viggiani:20211115:proxyshell:bf17c6d,
author = {Fabio Viggiani},
title = {{ProxyShell, QBot, and Conti Ransomware Combined in a Series of Cyberattacks}},
date = {2021-11-15},
organization = {TRUESEC},
url = {https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks},
language = {English},
urldate = {2021-11-17}
}
ProxyShell, QBot, and Conti Ransomware Combined in a Series of Cyberattacks Cobalt Strike Conti QakBot |
2021-11-13 ⋅ Trend Micro ⋅ Ian Kenefick, Vladimir Kropotov @online{kenefick:20211113:qakbot:3138b93,
author = {Ian Kenefick and Vladimir Kropotov},
title = {{QAKBOT Loader Returns With New Techniques and Tools}},
date = {2021-11-13},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/k/qakbot-loader-returns-with-new-techniques-and-tools.html},
language = {English},
urldate = {2021-11-17}
}
QAKBOT Loader Returns With New Techniques and Tools QakBot |
2021-11-13 ⋅ YouTube (AGDC Services) ⋅ AGDC Services @online{services:20211113:automate:487e01f,
author = {AGDC Services},
title = {{Automate Qbot Malware String Decryption With Ghidra Script}},
date = {2021-11-13},
organization = {YouTube (AGDC Services)},
url = {https://www.youtube.com/watch?v=4I0LF8Vm7SI},
language = {English},
urldate = {2021-11-19}
}
Automate Qbot Malware String Decryption With Ghidra Script QakBot |
2021-11-12 ⋅ Recorded Future ⋅ Insikt Group® @techreport{group:20211112:business:6d6cffa,
author = {Insikt Group®},
title = {{The Business of Fraud: Botnet Malware Dissemination}},
date = {2021-11-12},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf},
language = {English},
urldate = {2021-11-17}
}
The Business of Fraud: Botnet Malware Dissemination Mozi Dridex IcedID QakBot TrickBot |
2021-11-12 ⋅ Trend Micro ⋅ Ian Kenefick, Vladimir Kropotov @techreport{kenefick:20211112:prelude:781d4d7,
author = {Ian Kenefick and Vladimir Kropotov},
title = {{The Prelude to Ransomware: A Look into Current QAKBOT Capabilities and Global Activities}},
date = {2021-11-12},
institution = {Trend Micro},
url = {https://documents.trendmicro.com/assets/pdf/Technical-Brief---The-Prelude-to-Ransomware-A-Look-into-Current-QAKBOT-Capabilities-and-Activity.pdf},
language = {English},
urldate = {2021-11-17}
}
The Prelude to Ransomware: A Look into Current QAKBOT Capabilities and Global Activities QakBot |
2021-11-11 ⋅ Cynet ⋅ Max Malyutin @online{malyutin:20211111:duck:897cc6f,
author = {Max Malyutin},
title = {{A Duck Nightmare Quakbot Strikes with QuakNightmare Exploitation}},
date = {2021-11-11},
organization = {Cynet},
url = {https://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation/},
language = {English},
urldate = {2021-11-25}
}
A Duck Nightmare Quakbot Strikes with QuakNightmare Exploitation Cobalt Strike QakBot |
2021-11-11 ⋅ vmware ⋅ Jason Zhang, Stefano Ortolani, Giovanni Vigna, Threat Analysis Unit @online{zhang:20211111:research:b254ed6,
author = {Jason Zhang and Stefano Ortolani and Giovanni Vigna and Threat Analysis Unit},
title = {{Research Recap: How To Automate Malware Campaign Detection With Telemetry Peak Analyzer}},
date = {2021-11-11},
organization = {vmware},
url = {https://blogs.vmware.com/security/2021/11/telemetry-peak-analyzer-an-automatic-malware-campaign-detector.html},
language = {English},
urldate = {2022-03-22}
}
Research Recap: How To Automate Malware Campaign Detection With Telemetry Peak Analyzer Phorpiex QakBot |
2021-11-10 ⋅ CIRCL ⋅ CIRCL @online{circl:20211110:tr64:37ab4d8,
author = {CIRCL},
title = {{TR-64 - Exploited Exchange Servers - Mails with links to malware from known/valid senders}},
date = {2021-11-10},
organization = {CIRCL},
url = {https://www.circl.lu/pub/tr-64/},
language = {English},
urldate = {2021-11-25}
}
TR-64 - Exploited Exchange Servers - Mails with links to malware from known/valid senders QakBot |
2021-11-09 ⋅ MinervaLabs ⋅ Minerva Labs @online{labs:20211109:new:411a8fd,
author = {Minerva Labs},
title = {{A New DatopLoader Delivers QakBot Trojan}},
date = {2021-11-09},
organization = {MinervaLabs},
url = {https://blog.minerva-labs.com/a-new-datoploader-delivers-qakbot-trojan},
language = {English},
urldate = {2021-11-17}
}
A New DatopLoader Delivers QakBot Trojan QakBot Squirrelwaffle |
2021-11-04 ⋅ splunk ⋅ Splunk Threat Research Team @online{team:20211104:detecting:d8aba5b,
author = {Splunk Threat Research Team},
title = {{Detecting IcedID... Could It Be A Trickbot Copycat?}},
date = {2021-11-04},
organization = {splunk},
url = {https://www.splunk.com/en_us/blog/security/detecting-icedid-could-it-be-a-trickbot-copycat.html},
language = {English},
urldate = {2021-11-08}
}
Detecting IcedID... Could It Be A Trickbot Copycat? IcedID |
2021-11-03 ⋅ Twitter (@Corvid_Cyber) ⋅ CORVID @online{corvid:20211103:unique:3709f32,
author = {CORVID},
title = {{Tweet on a unique Qbot debugger dropped by an actor after compromise}},
date = {2021-11-03},
organization = {Twitter (@Corvid_Cyber)},
url = {https://twitter.com/Corvid_Cyber/status/1455844008081641472},
language = {English},
urldate = {2021-11-08}
}
Tweet on a unique Qbot debugger dropped by an actor after compromise QakBot |
2021-11-03 ⋅ Team Cymru ⋅ tcblogposts @online{tcblogposts:20211103:webinject:f4d41bb,
author = {tcblogposts},
title = {{Webinject Panel Administration: A Vantage Point into Multiple Threat Actor Campaigns - A Case Study on the Value of Threat Reconnaisance}},
date = {2021-11-03},
organization = {Team Cymru},
url = {https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/},
language = {English},
urldate = {2021-11-08}
}
Webinject Panel Administration: A Vantage Point into Multiple Threat Actor Campaigns - A Case Study on the Value of Threat Reconnaisance DoppelDridex IcedID QakBot Zloader |
2021-10-26 ⋅ ANSSI @techreport{anssi:20211026:identification:9444ac3,
author = {ANSSI},
title = {{Identification of a new cyber criminal group: Lockean}},
date = {2021-10-26},
institution = {},
url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf},
language = {English},
urldate = {2022-01-25}
}
Identification of a new cyber criminal group: Lockean Cobalt Strike DoppelPaymer Egregor Maze PwndLocker QakBot REvil |
2021-10-26 ⋅ Cisco Talos ⋅ Edmund Brumaghin, Mariano Graziano, Nick Mavis @online{brumaghin:20211026:squirrelwaffle:88c5943,
author = {Edmund Brumaghin and Mariano Graziano and Nick Mavis},
title = {{SQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike}},
date = {2021-10-26},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html},
language = {English},
urldate = {2021-11-02}
}
SQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike Cobalt Strike QakBot Squirrelwaffle |
2021-10-25 ⋅ Cleafy ⋅ Cleafy @online{cleafy:20211025:digital:48fbdf8,
author = {Cleafy},
title = {{Digital banking fraud: how the Gozi malware works}},
date = {2021-10-25},
organization = {Cleafy},
url = {https://www.cleafy.com/cleafy-labs/digital-banking-fraud-how-the-gozi-malware-work},
language = {English},
urldate = {2021-11-02}
}
Digital banking fraud: how the Gozi malware works ISFB |
2021-10-18 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20211018:icedid:0b574b0,
author = {The DFIR Report},
title = {{IcedID to XingLocker Ransomware in 24 hours}},
date = {2021-10-18},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/},
language = {English},
urldate = {2021-10-22}
}
IcedID to XingLocker Ransomware in 24 hours Cobalt Strike IcedID Mount Locker |
2021-10-15 ⋅ Trend Micro ⋅ Fernando Mercês @online{mercs:20211015:ransomware:c944933,
author = {Fernando Mercês},
title = {{Ransomware Operators Found Using New "Franchise" Business Model}},
date = {2021-10-15},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/j/ransomware-operators-found-using-new-franchise-business-model.html},
language = {English},
urldate = {2021-10-24}
}
Ransomware Operators Found Using New "Franchise" Business Model Glupteba IcedID Mount Locker |
2021-10-07 ⋅ Netskope ⋅ Gustavo Palazolo, Ghanashyam Satpathy @online{palazolo:20211007:squirrelwaffle:3506816,
author = {Gustavo Palazolo and Ghanashyam Satpathy},
title = {{SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot}},
date = {2021-10-07},
organization = {Netskope},
url = {https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot},
language = {English},
urldate = {2021-10-11}
}
SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot Cobalt Strike QakBot Squirrelwaffle |
2021-09-29 ⋅ Proofpoint ⋅ Selena Larson, Proofpoint Staff @online{larson:20210929:ta544:ab2f0d3,
author = {Selena Larson and Proofpoint Staff},
title = {{TA544 Targets Italian Organizations with Ursnif Malware}},
date = {2021-09-29},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/blog/security-briefs/ta544-targets-italian-organizations-ursnif-malware},
language = {English},
urldate = {2021-10-11}
}
TA544 Targets Italian Organizations with Ursnif Malware ISFB |
2021-09-03 ⋅ IBM ⋅ Camille Singleton, Andrew Gorecki, John Dwyer @online{singleton:20210903:dissecting:4d56786,
author = {Camille Singleton and Andrew Gorecki and John Dwyer},
title = {{Dissecting Sodinokibi Ransomware Attacks: Bringing Incident Response and Intelligence Together in the Fight}},
date = {2021-09-03},
organization = {IBM},
url = {https://securityintelligence.com/posts/sodinokibi-ransomware-incident-response-intelligence-together/},
language = {English},
urldate = {2021-09-09}
}
Dissecting Sodinokibi Ransomware Attacks: Bringing Incident Response and Intelligence Together in the Fight Valak QakBot REvil |
2021-09-03 ⋅ Trend Micro ⋅ Mohamad Mokbel @techreport{mokbel:20210903:state:df86499,
author = {Mohamad Mokbel},
title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}},
date = {2021-09-03},
institution = {Trend Micro},
url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf},
language = {English},
urldate = {2021-09-19}
}
The State of SSL/TLS Certificate Usage in Malware C&C Communications AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader |
2021-09-02 ⋅ Kaspersky ⋅ Anton Kuzmenko, Oleg Kupreev, Haim Zigel @online{kuzmenko:20210902:qakbot:219d23c,
author = {Anton Kuzmenko and Oleg Kupreev and Haim Zigel},
title = {{QakBot Technical Analysis}},
date = {2021-09-02},
organization = {Kaspersky},
url = {https://securelist.com/qakbot-technical-analysis/103931/},
language = {English},
urldate = {2021-09-06}
}
QakBot Technical Analysis QakBot |
2021-08-15 ⋅ Symantec ⋅ Threat Hunter Team @techreport{team:20210815:ransomware:f799696,
author = {Threat Hunter Team},
title = {{The Ransomware Threat}},
date = {2021-08-15},
institution = {Symantec},
url = {https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf},
language = {English},
urldate = {2021-12-15}
}
The Ransomware Threat Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker |
2021-08-05 ⋅ Group-IB ⋅ Viktor Okorokov, Nikita Rostovcev @online{okorokov:20210805:prometheus:38ab6a6,
author = {Viktor Okorokov and Nikita Rostovcev},
title = {{Prometheus TDS The key to success for Campo Loader, Hancitor, IcedID, and QBot}},
date = {2021-08-05},
organization = {Group-IB},
url = {https://blog.group-ib.com/prometheus-tds},
language = {English},
urldate = {2021-08-06}
}
Prometheus TDS The key to success for Campo Loader, Hancitor, IcedID, and QBot Prometheus Backdoor Buer campoloader Hancitor IcedID QakBot |
2021-08-05 ⋅ The Record ⋅ Catalin Cimpanu @online{cimpanu:20210805:meet:bce8310,
author = {Catalin Cimpanu},
title = {{Meet Prometheus, the secret TDS behind some of today’s malware campaigns}},
date = {2021-08-05},
organization = {The Record},
url = {https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/},
language = {English},
urldate = {2021-08-06}
}
Meet Prometheus, the secret TDS behind some of today’s malware campaigns Buer campoloader IcedID QakBot |
2021-07-30 ⋅ HP ⋅ Patrick Schläpfer @online{schlpfer:20210730:detecting:2291323,
author = {Patrick Schläpfer},
title = {{Detecting TA551 domains}},
date = {2021-07-30},
organization = {HP},
url = {https://threatresearch.ext.hp.com/detecting-ta551-domains/},
language = {English},
urldate = {2021-08-02}
}
Detecting TA551 domains Valak Dridex IcedID ISFB QakBot |
2021-07-26 ⋅ vmware ⋅ Quentin Fois, Pavankumar Chaudhari @online{fois:20210726:hunting:ff1181b,
author = {Quentin Fois and Pavankumar Chaudhari},
title = {{Hunting IcedID and unpacking automation with Qiling}},
date = {2021-07-26},
organization = {vmware},
url = {https://blogs.vmware.com/security/2021/07/hunting-icedid-and-unpacking-automation-with-qiling.html},
language = {English},
urldate = {2021-07-27}
}
Hunting IcedID and unpacking automation with Qiling IcedID |
2021-07-24 ⋅ 0ffset Blog ⋅ Daniel Bunce @online{bunce:20210724:quack:ddda5cd,
author = {Daniel Bunce},
title = {{Quack Quack: Analysing Qakbot’s Browser Hooking Module – Part 1}},
date = {2021-07-24},
organization = {0ffset Blog},
url = {https://www.0ffset.net/reverse-engineering/malware-analysis/qakbot-browser-hooking-p1/},
language = {English},
urldate = {2021-08-02}
}
Quack Quack: Analysing Qakbot’s Browser Hooking Module – Part 1 QakBot |
2021-07-23 ⋅ Github (Lastline-Inc) ⋅ Quentin Fois, Pavankumar Chaudhari @online{fois:20210723:yara:e9a8a22,
author = {Quentin Fois and Pavankumar Chaudhari},
title = {{YARA rules, IOCs and Scripts for extracting IcedID C2s}},
date = {2021-07-23},
organization = {Github (Lastline-Inc)},
url = {https://github.com/Lastline-Inc/iocs-tools/tree/main/2021-07-IcedID-Part-2},
language = {English},
urldate = {2021-07-27}
}
YARA rules, IOCs and Scripts for extracting IcedID C2s IcedID |
2021-07-19 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20210719:icedid:0365384,
author = {The DFIR Report},
title = {{IcedID and Cobalt Strike vs Antivirus}},
date = {2021-07-19},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/},
language = {English},
urldate = {2021-07-20}
}
IcedID and Cobalt Strike vs Antivirus Cobalt Strike IcedID |
2021-07-14 ⋅ Cerium Networks ⋅ Blumira @online{blumira:20210714:threat:614d084,
author = {Blumira},
title = {{Threat of the Month: IcedID Malware}},
date = {2021-07-14},
organization = {Cerium Networks},
url = {https://ceriumnetworks.com/threat-of-the-month-icedid-malware/},
language = {English},
urldate = {2021-07-20}
}
Threat of the Month: IcedID Malware IcedID |
2021-07-12 ⋅ The Record ⋅ Catalin Cimpanu @online{cimpanu:20210712:over:c88e351,
author = {Catalin Cimpanu},
title = {{Over 780,000 email accounts compromised by Emotet have been secured}},
date = {2021-07-12},
organization = {The Record},
url = {https://therecord.media/over-780000-email-accounts-compromised-by-emotet-have-been-secured/},
language = {English},
urldate = {2021-07-20}
}
Over 780,000 email accounts compromised by Emotet have been secured Emotet |
2021-07-08 ⋅ vmware ⋅ Quentin Fois, Pavankumar Chaudhari @online{fois:20210708:icedid:47da76d,
author = {Quentin Fois and Pavankumar Chaudhari},
title = {{IcedID: Analysis and Detection}},
date = {2021-07-08},
organization = {vmware},
url = {https://blogs.vmware.com/security/2021/07/icedid-analysis-and-detection.html},
language = {English},
urldate = {2021-07-20}
}
IcedID: Analysis and Detection IcedID |
2021-06-30 ⋅ Cynet ⋅ Max Malyutin @online{malyutin:20210630:shelob:1c93f5d,
author = {Max Malyutin},
title = {{Shelob Moonlight – Spinning a Larger Web From IcedID to CONTI, a Trojan and Ransomware collaboration}},
date = {2021-06-30},
organization = {Cynet},
url = {https://www.cynet.com/attack-techniques-hands-on/shelob-moonlight-spinning-a-larger-web/},
language = {English},
urldate = {2021-07-20}
}
Shelob Moonlight – Spinning a Larger Web From IcedID to CONTI, a Trojan and Ransomware collaboration Conti IcedID |
2021-06-30 ⋅ The Record ⋅ Catalin Cimpanu @online{cimpanu:20210630:gozi:8760ba7,
author = {Catalin Cimpanu},
title = {{Gozi malware gang member arrested in Colombia}},
date = {2021-06-30},
organization = {The Record},
url = {https://therecord.media/gozi-malware-gang-member-arrested-in-colombia/},
language = {English},
urldate = {2021-07-02}
}
Gozi malware gang member arrested in Colombia Gozi ISFB |
2021-06-24 ⋅ Kaspersky ⋅ Anton Kuzmenko @online{kuzmenko:20210624:malicious:83a5c83,
author = {Anton Kuzmenko},
title = {{Malicious spam campaigns delivering banking Trojans}},
date = {2021-06-24},
organization = {Kaspersky},
url = {https://securelist.com/malicious-spam-campaigns-delivering-banking-trojans/102917},
language = {English},
urldate = {2021-06-25}
}
Malicious spam campaigns delivering banking Trojans IcedID QakBot |
2021-06-24 ⋅ SentinelOne ⋅ Marco Figueroa @online{figueroa:20210624:evasive:7f0d507,
author = {Marco Figueroa},
title = {{Evasive Maneuvers | Massive IcedID Campaign Aims For Stealth with Benign Macros}},
date = {2021-06-24},
organization = {SentinelOne},
url = {https://labs.sentinelone.com/evasive-maneuvers-massive-icedid-campaign-aims-for-stealth-with-benign-macros/},
language = {English},
urldate = {2021-06-29}
}
Evasive Maneuvers | Massive IcedID Campaign Aims For Stealth with Benign Macros IcedID |
2021-06-23 ⋅ IBM ⋅ Itzik Chimino @online{chimino:20210623:ursnif:700b0a7,
author = {Itzik Chimino},
title = {{Ursnif Leverages Cerberus to Automate Fraudulent Bank Transfers in Italy}},
date = {2021-06-23},
organization = {IBM},
url = {https://securityintelligence.com/posts/ursnif-cerberus-android-malware-bank-transfers-italy/},
language = {English},
urldate = {2021-06-24}
}
Ursnif Leverages Cerberus to Automate Fraudulent Bank Transfers in Italy ISFB |
2021-06-20 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20210620:from:aadb7e8,
author = {The DFIR Report},
title = {{From Word to Lateral Movement in 1 Hour}},
date = {2021-06-20},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/},
language = {English},
urldate = {2021-06-22}
}
From Word to Lateral Movement in 1 Hour Cobalt Strike IcedID |
2021-06-16 ⋅ S2 Grupo ⋅ CSIRT-CV (the ICT Security Center of the Valencian Community) @online{community:20210616:emotet:7e0fafe,
author = {CSIRT-CV (the ICT Security Center of the Valencian Community)},
title = {{Emotet campaign analysis}},
date = {2021-06-16},
organization = {S2 Grupo},
url = {https://www.securityartwork.es/2021/06/16/analisis-campana-emotet/},
language = {Spanish},
urldate = {2021-06-21}
}
Emotet campaign analysis Emotet QakBot |
2021-06-16 ⋅ Proofpoint ⋅ Selena Larson, Daniel Blackford, Garrett M. Graff @online{larson:20210616:first:2e436a0,
author = {Selena Larson and Daniel Blackford and Garrett M. Graff},
title = {{The First Step: Initial Access Leads to Ransomware}},
date = {2021-06-16},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware},
language = {English},
urldate = {2021-06-21}
}
The First Step: Initial Access Leads to Ransomware BazarBackdoor Egregor IcedID Maze QakBot REvil Ryuk TrickBot WastedLocker |
2021-06-16 ⋅ Twitter (@ChouchWard) ⋅ ch0uch ward @online{ward:20210616:qbot:1adaa08,
author = {ch0uch ward},
title = {{Tweet on Qbot operators left their web server's access.log file unsecured}},
date = {2021-06-16},
organization = {Twitter (@ChouchWard)},
url = {https://twitter.com/ChouchWard/status/1405168040254316547},
language = {English},
urldate = {2021-06-21}
}
Tweet on Qbot operators left their web server's access.log file unsecured QakBot |
2021-06-15 ⋅ Perception Point ⋅ Shai Golderman @online{golderman:20210615:insights:d3fc7b6,
author = {Shai Golderman},
title = {{Insights Into an Excel 4.0 Macro Attack using Qakbot Malware}},
date = {2021-06-15},
organization = {Perception Point},
url = {https://perception-point.io/insights-into-an-excel-4-0-macro-attack-using-qakbot-malware},
language = {English},
urldate = {2021-06-21}
}
Insights Into an Excel 4.0 Macro Attack using Qakbot Malware QakBot |
2021-06-10 ⋅ ZEIT Online ⋅ Kai Biermann, Astrid Geisler, Herwig G. Höller, Karsten Polke-Majewski, Zachary Kamel @online{biermann:20210610:trail:42969a8,
author = {Kai Biermann and Astrid Geisler and Herwig G. Höller and Karsten Polke-Majewski and Zachary Kamel},
title = {{On the Trail of the Internet Extortionists}},
date = {2021-06-10},
organization = {ZEIT Online},
url = {https://www.zeit.de/digital/2021-06/cybercrime-extortion-internet-spyware-ransomware-police-prosecution-hackers},
language = {English},
urldate = {2021-07-02}
}
On the Trail of the Internet Extortionists Emotet Mailto |
2021-06-10 ⋅ ZAYOTEM ⋅ İlker Verimoğlu, Emre Doğan, Kaan Binen, Abdulkadir Binan, Emrah Sarıdağ @online{verimolu:20210610:qakbot:4896852,
author = {İlker Verimoğlu and Emre Doğan and Kaan Binen and Abdulkadir Binan and Emrah Sarıdağ},
title = {{QakBot Technical Analysis Report}},
date = {2021-06-10},
organization = {ZAYOTEM},
url = {https://drive.google.com/file/d/1mO2Zb-Q94t39DvdASd4KNTPBD8JdkyC3/view},
language = {English},
urldate = {2021-06-16}
}
QakBot Technical Analysis Report QakBot |
2021-06-10 ⋅ Tagesschau ⋅ Hakan Tanriverdi, Maximilian Zierer @online{tanriverdi:20210610:schadsoftware:834b3fd,
author = {Hakan Tanriverdi and Maximilian Zierer},
title = {{Schadsoftware Emotet: BKA befragt Schlüsselfigur}},
date = {2021-06-10},
organization = {Tagesschau},
url = {https://www.tagesschau.de/investigativ/br-recherche/emotet-schadsoftware-103.html},
language = {English},
urldate = {2021-07-02}
}
Schadsoftware Emotet: BKA befragt Schlüsselfigur Emotet |
2021-06-08 ⋅ Advanced Intelligence ⋅ Vitali Kremez, Yelisey Boguslavskiy @online{kremez:20210608:from:62f4d20,
author = {Vitali Kremez and Yelisey Boguslavskiy},
title = {{From QBot...with REvil Ransomware: Initial Attack Exposure of JBS}},
date = {2021-06-08},
organization = {Advanced Intelligence},
url = {https://www.advanced-intel.com/post/from-qbot-with-revil-ransomware-initial-attack-exposure-of-jbs},
language = {English},
urldate = {2021-06-09}
}
From QBot...with REvil Ransomware: Initial Attack Exposure of JBS QakBot REvil |
2021-06-02 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20210602:fujifilm:eced96f,
author = {Lawrence Abrams},
title = {{FUJIFILM shuts down network after suspected ransomware attack}},
date = {2021-06-02},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/fujifilm-shuts-down-network-after-suspected-ransomware-attack/},
language = {English},
urldate = {2021-06-09}
}
FUJIFILM shuts down network after suspected ransomware attack QakBot |
2021-05-29 ⋅ Youtube (AhmedS Kasmani) ⋅ AhmedS Kasmani @online{kasmani:20210529:analysis:96b0902,
author = {AhmedS Kasmani},
title = {{Analysis of ICEID Malware Installer DLL}},
date = {2021-05-29},
organization = {Youtube (AhmedS Kasmani)},
url = {https://www.youtube.com/watch?v=wMXD4Sv1Alw},
language = {English},
urldate = {2021-06-04}
}
Analysis of ICEID Malware Installer DLL IcedID |
2021-05-26 ⋅ DeepInstinct ⋅ Ron Ben Yizhak @online{yizhak:20210526:deep:c123a19,
author = {Ron Ben Yizhak},
title = {{A Deep Dive into Packing Software CryptOne}},
date = {2021-05-26},
organization = {DeepInstinct},
url = {https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/},
language = {English},
urldate = {2021-06-22}
}
A Deep Dive into Packing Software CryptOne Cobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader |
2021-05-26 ⋅ Check Point ⋅ Alex Ilgayev @online{ilgayev:20210526:melting:40f5caf,
author = {Alex Ilgayev},
title = {{Melting Ice – Tracking IcedID Servers with a few simple steps}},
date = {2021-05-26},
organization = {Check Point},
url = {https://research.checkpoint.com/2021/melting-ice-tracking-icedid-servers-with-a-few-simple-steps/},
language = {English},
urldate = {2021-06-09}
}
Melting Ice – Tracking IcedID Servers with a few simple steps IcedID |
2021-05-19 ⋅ Team Cymru ⋅ Josh Hopkins, Andy Kraus, Nick Byers @online{hopkins:20210519:tracking:45749be,
author = {Josh Hopkins and Andy Kraus and Nick Byers},
title = {{Tracking BokBot Infrastructure Mapping a Vast and Currently Active BokBot Network}},
date = {2021-05-19},
organization = {Team Cymru},
url = {https://team-cymru.com/blog/2021/05/19/tracking-bokbot-infrastructure/},
language = {English},
urldate = {2021-05-26}
}
Tracking BokBot Infrastructure Mapping a Vast and Currently Active BokBot Network IcedID |
2021-05-19 ⋅ Intel 471 ⋅ Intel 471 @online{471:20210519:look:5ba9516,
author = {Intel 471},
title = {{Look how many cybercriminals love Cobalt Strike}},
date = {2021-05-19},
organization = {Intel 471},
url = {https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor},
language = {English},
urldate = {2021-05-19}
}
Look how many cybercriminals love Cobalt Strike BazarBackdoor Cobalt Strike Hancitor QakBot SmokeLoader SystemBC TrickBot |
2021-05-18 ⋅ RECON INFOSEC ⋅ Andrew Cook @online{cook:20210518:encounter:c4ef6d9,
author = {Andrew Cook},
title = {{An Encounter With TA551/Shathak}},
date = {2021-05-18},
organization = {RECON INFOSEC},
url = {https://blog.reconinfosec.com/an-encounter-with-ta551-shathak},
language = {English},
urldate = {2021-05-25}
}
An Encounter With TA551/Shathak IcedID |
2021-05-17 ⋅ Github (telekom-security) ⋅ Deutsche Telekom Security GmbH @online{gmbh:20210517:icedidanalysis:e985983,
author = {Deutsche Telekom Security GmbH},
title = {{icedid_analysis}},
date = {2021-05-17},
organization = {Github (telekom-security)},
url = {https://github.com/telekom-security/icedid_analysis},
language = {English},
urldate = {2021-05-17}
}
icedid_analysis IcedID |
2021-05-17 ⋅ Telekom ⋅ Thomas Barabosch @online{barabosch:20210517:lets:04a8b63,
author = {Thomas Barabosch},
title = {{Let’s set ice on fire: Hunting and detecting IcedID infections}},
date = {2021-05-17},
organization = {Telekom},
url = {https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240},
language = {English},
urldate = {2021-05-17}
}
Let’s set ice on fire: Hunting and detecting IcedID infections IcedID |
2021-05-12 ⋅ The DFIR Report @online{report:20210512:conti:598c5f2,
author = {The DFIR Report},
title = {{Conti Ransomware}},
date = {2021-05-12},
url = {https://thedfirreport.com/2021/05/12/conti-ransomware/},
language = {English},
urldate = {2021-05-13}
}
Conti Ransomware Cobalt Strike Conti IcedID |
2021-05-10 ⋅ Wirtschaftswoche ⋅ Thomas Kuhn @online{kuhn:20210510:how:5f1953b,
author = {Thomas Kuhn},
title = {{How one of the largest hacker networks in the world was paralyzed}},
date = {2021-05-10},
organization = {Wirtschaftswoche},
url = {https://www.wiwo.de/my/technologie/digitale-welt/emotet-netzwerk-wie-eines-der-groessten-hacker-netzwerke-der-welt-lahmgelegt-wurde/27164048.html},
language = {German},
urldate = {2021-05-13}
}
How one of the largest hacker networks in the world was paralyzed Emotet |
2021-05-10 ⋅ MALWATION ⋅ malwation @online{malwation:20210510:icedid:0637539,
author = {malwation},
title = {{IcedID Malware Technical Analysis Report}},
date = {2021-05-10},
organization = {MALWATION},
url = {https://malwation.com/icedid-malware-technical-analysis-report/},
language = {English},
urldate = {2021-07-02}
}
IcedID Malware Technical Analysis Report IcedID |
2021-05-10 ⋅ Mal-Eats ⋅ mal_eats @online{maleats:20210510:overview:50ff3b3,
author = {mal_eats},
title = {{Overview of Campo, a new attack campaign targeting Japan}},
date = {2021-05-10},
organization = {Mal-Eats},
url = {https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/},
language = {English},
urldate = {2021-05-13}
}
Overview of Campo, a new attack campaign targeting Japan AnchorDNS BazarBackdoor Cobalt Strike ISFB Phobos TrickBot Zloader |
2021-05-04 ⋅ NCC Group ⋅ fumik0, NCC RIFT @online{fumik0:20210504:rm3:cd994e6,
author = {fumik0 and NCC RIFT},
title = {{RM3 – Curiosities of the wildest banking malware}},
date = {2021-05-04},
organization = {NCC Group},
url = {https://research.nccgroup.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/},
language = {English},
urldate = {2021-05-19}
}
RM3 – Curiosities of the wildest banking malware ISFB RM3 |
2021-05-04 ⋅ Seguranca Informatica ⋅ Pedro Tavares @online{tavares:20210504:taste:b6a3380,
author = {Pedro Tavares},
title = {{A taste of the latest release of QakBot}},
date = {2021-05-04},
organization = {Seguranca Informatica},
url = {https://seguranca-informatica.pt/a-taste-of-the-latest-release-of-qakbot},
language = {English},
urldate = {2021-05-07}
}
A taste of the latest release of QakBot QakBot |
2021-05-04 ⋅ Fox-IT ⋅ fumik0, the RIFT Team, Fox IT @online{fumik0:20210504:rm3:41d6969,
author = {fumik0 and the RIFT Team and Fox IT},
title = {{RM3 – Curiosities of the wildest banking malware}},
date = {2021-05-04},
organization = {Fox-IT},
url = {https://blog.fox-it.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/},
language = {English},
urldate = {2021-05-04}
}
RM3 – Curiosities of the wildest banking malware ISFB |
2021-04-30 ⋅ MADRID Labs ⋅ Odin Bernstein @online{bernstein:20210430:qbot:104bad4,
author = {Odin Bernstein},
title = {{Qbot: Analyzing PHP Proxy Scripts from Compromised Web Server}},
date = {2021-04-30},
organization = {MADRID Labs},
url = {https://madlabs.dsu.edu/madrid/blog/2021/04/30/qbot-analyzing-php-proxy-scripts-from-compromised-web-server/},
language = {English},
urldate = {2021-05-08}
}
Qbot: Analyzing PHP Proxy Scripts from Compromised Web Server QakBot |
2021-04-28 ⋅ IBM ⋅ David Bisson @online{bisson:20210428:qbot:dcbcd50,
author = {David Bisson},
title = {{QBot Malware Spotted Using Windows Defender Antivirus Lure}},
date = {2021-04-28},
organization = {IBM},
url = {https://securityintelligence.com/news/qbot-malware-using-windows-defender-antivirus-lure/},
language = {English},
urldate = {2021-05-03}
}
QBot Malware Spotted Using Windows Defender Antivirus Lure QakBot |
2021-04-28 ⋅ Reversing Labs ⋅ Karlo Zanki @online{zanki:20210428:spotting:61ba0f6,
author = {Karlo Zanki},
title = {{Spotting malicious Excel4 macros}},
date = {2021-04-28},
organization = {Reversing Labs},
url = {https://blog.reversinglabs.com/blog/spotting-malicious-excel4-macros},
language = {English},
urldate = {2021-05-03}
}
Spotting malicious Excel4 macros QakBot |
2021-04-22 ⋅ Github (@cecio) ⋅ @red5heep @online{red5heep:20210422:emotet:44c2798,
author = {@red5heep},
title = {{EMOTET: a State-Machine reversing exercise}},
date = {2021-04-22},
organization = {Github (@cecio)},
url = {https://github.com/cecio/EMOTET-2020-Reversing},
language = {English},
urldate = {2021-11-12}
}
EMOTET: a State-Machine reversing exercise Emotet |
2021-04-22 ⋅ Spamhaus ⋅ Spamhaus Malware Labs @techreport{labs:20210422:spamhaus:4a32a4d,
author = {Spamhaus Malware Labs},
title = {{Spamhaus Botnet Threat Update Q1 2021}},
date = {2021-04-22},
institution = {Spamhaus},
url = {https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf},
language = {English},
urldate = {2021-04-28}
}
Spamhaus Botnet Threat Update Q1 2021 Emotet Ficker Stealer Raccoon |
2021-04-19 ⋅ Netresec ⋅ Erik Hjelmvik @online{hjelmvik:20210419:analysing:c6bff49,
author = {Erik Hjelmvik},
title = {{Analysing a malware PCAP with IcedID and Cobalt Strike traffic}},
date = {2021-04-19},
organization = {Netresec},
url = {https://netresec.com/?b=214d7ff},
language = {English},
urldate = {2021-04-20}
}
Analysing a malware PCAP with IcedID and Cobalt Strike traffic Cobalt Strike IcedID |
2021-04-19 ⋅ Twitter (@_alex_il_) ⋅ Alex Ilgayev @online{ilgayev:20210419:qakbots:b3b929c,
author = {Alex Ilgayev},
title = {{Tweet on QakBot's additional decryption mechanism}},
date = {2021-04-19},
organization = {Twitter (@_alex_il_)},
url = {https://twitter.com/_alex_il_/status/1384094623270727685},
language = {English},
urldate = {2021-04-20}
}
Tweet on QakBot's additional decryption mechanism QakBot |
2021-04-17 ⋅ YouTube (Worcester DEFCON Group) ⋅ Joel Snape, Nettitude @online{snape:20210417:inside:2c3ae5c,
author = {Joel Snape and Nettitude},
title = {{Inside IcedID: Anatomy Of An Infostealer}},
date = {2021-04-17},
organization = {YouTube (Worcester DEFCON Group)},
url = {https://www.youtube.com/watch?v=YEqLIR6hfOM},
language = {English},
urldate = {2021-04-20}
}
Inside IcedID: Anatomy Of An Infostealer IcedID |
2021-04-15 ⋅ AT&T ⋅ Dax Morrow, Ofer Caspi @online{morrow:20210415:rise:73d9a21,
author = {Dax Morrow and Ofer Caspi},
title = {{The rise of QakBot}},
date = {2021-04-15},
organization = {AT&T},
url = {https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot},
language = {English},
urldate = {2021-04-16}
}
The rise of QakBot QakBot |
2021-04-13 ⋅ Silent Push ⋅ Martijn Grooten @online{grooten:20210413:malicious:094869a,
author = {Martijn Grooten},
title = {{Malicious infrastructure as a service}},
date = {2021-04-13},
organization = {Silent Push},
url = {https://www.silentpush.com/blog/malicious-infrastructure-as-a-service},
language = {English},
urldate = {2022-06-09}
}
Malicious infrastructure as a service IcedID PhotoLoader QakBot |
2021-04-12 ⋅ Trend Micro ⋅ Raphael Centeno, Don Ovid Ladores, Lala Manly, Junestherry Salvador, Frankylnn Uy @online{centeno:20210412:spike:d67dcb0,
author = {Raphael Centeno and Don Ovid Ladores and Lala Manly and Junestherry Salvador and Frankylnn Uy},
title = {{A Spike in BazarCall and IcedID Activity Detected in March}},
date = {2021-04-12},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/d/a-spike-in-bazarcall-and-icedid-activity.html},
language = {English},
urldate = {2021-04-14}
}
A Spike in BazarCall and IcedID Activity Detected in March BazarBackdoor IcedID |
2021-04-12 ⋅ Twitter (@elisalem9) ⋅ Eli Salem @online{salem:20210412:tweets:7b7280e,
author = {Eli Salem},
title = {{Tweets on QakBot}},
date = {2021-04-12},
organization = {Twitter (@elisalem9)},
url = {https://twitter.com/elisalem9/status/1381859965875462144},
language = {English},
urldate = {2021-04-14}
}
Tweets on QakBot QakBot |
2021-04-12 ⋅ PTSecurity ⋅ PTSecurity @online{ptsecurity:20210412:paas:1d06836,
author = {PTSecurity},
title = {{PaaS, or how hackers evade antivirus software}},
date = {2021-04-12},
organization = {PTSecurity},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/},
language = {English},
urldate = {2021-04-12}
}
PaaS, or how hackers evade antivirus software Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader |
2021-04-11 ⋅ 4rchibld ⋅ 4rchibld @online{4rchibld:20210411:icedid:4135c21,
author = {4rchibld},
title = {{IcedID on my neck I’m the coolest}},
date = {2021-04-11},
organization = {4rchibld},
url = {https://4rchib4ld.github.io/blog/IcedIDOnMyNeckImTheCoolest/},
language = {English},
urldate = {2021-05-11}
}
IcedID on my neck I’m the coolest IcedID |
2021-04-10 ⋅ Youtube (AhmedS Kasmani) ⋅ AhmedS Kasmani @online{kasmani:20210410:malware:e2000de,
author = {AhmedS Kasmani},
title = {{Malware Analysis: IcedID Banking Trojan JavaScript Dropper}},
date = {2021-04-10},
organization = {Youtube (AhmedS Kasmani)},
url = {https://www.youtube.com/watch?v=oZ4bwnjcXWg},
language = {English},
urldate = {2021-04-12}
}
Malware Analysis: IcedID Banking Trojan JavaScript Dropper IcedID |
2021-04-09 ⋅ aaqeel01 ⋅ Ali Aqeel @online{aqeel:20210409:icedid:a6e3243,
author = {Ali Aqeel},
title = {{IcedID Analysis}},
date = {2021-04-09},
organization = {aaqeel01},
url = {https://aaqeel01.wordpress.com/2021/04/09/icedid-analysis/},
language = {English},
urldate = {2021-04-12}
}
IcedID Analysis IcedID |
2021-04-09 ⋅ Microsoft ⋅ Emily Hacker, Justin Carroll, Microsoft 365 Defender Threat Intelligence Team @online{hacker:20210409:investigating:2b6f30a,
author = {Emily Hacker and Justin Carroll and Microsoft 365 Defender Threat Intelligence Team},
title = {{Investigating a unique “form” of email delivery for IcedID malware}},
date = {2021-04-09},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2021/04/09/investigating-a-unique-form-of-email-delivery-for-icedid-malware/},
language = {English},
urldate = {2021-04-12}
}
Investigating a unique “form” of email delivery for IcedID malware IcedID |
2021-04-09 ⋅ Palo Alto Networks Unit 42 ⋅ Yanhui Jia, Chris Navarrete @online{jia:20210409:emotet:c376dd2,
author = {Yanhui Jia and Chris Navarrete},
title = {{Emotet Command and Control Case Study}},
date = {2021-04-09},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/emotet-command-and-control/},
language = {English},
urldate = {2021-04-12}
}
Emotet Command and Control Case Study Emotet |
2021-04-07 ⋅ Uptycs ⋅ Ashwin Vamshi, Abhijit Mohanta @online{vamshi:20210407:icedid:bbda303,
author = {Ashwin Vamshi and Abhijit Mohanta},
title = {{IcedID campaign spotted being spiced with Excel 4 Macros}},
date = {2021-04-07},
organization = {Uptycs},
url = {https://www.uptycs.com/blog/icedid-campaign-spotted-being-spiced-with-excel-4-macros},
language = {English},
urldate = {2021-04-09}
}
IcedID campaign spotted being spiced with Excel 4 Macros IcedID |
2021-04-07 ⋅ Minerva ⋅ Minerva Labs @online{labs:20210407:icedid:d178d16,
author = {Minerva Labs},
title = {{IcedID - A New Threat In Office Attachments}},
date = {2021-04-07},
organization = {Minerva},
url = {https://blog.minerva-labs.com/icedid-maas},
language = {English},
urldate = {2021-04-09}
}
IcedID - A New Threat In Office Attachments IcedID |
2021-04-06 ⋅ Intel 471 ⋅ Intel 471 @online{471:20210406:ettersilent:b591f59,
author = {Intel 471},
title = {{EtterSilent: the underground’s new favorite maldoc builder}},
date = {2021-04-06},
organization = {Intel 471},
url = {https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/},
language = {English},
urldate = {2021-04-06}
}
EtterSilent: the underground’s new favorite maldoc builder BazarBackdoor ISFB QakBot TrickBot |
2021-04-01 ⋅ Reversing Labs ⋅ Robert Simmons @online{simmons:20210401:code:885c081,
author = {Robert Simmons},
title = {{Code Reuse Across Packers and DLL Loaders}},
date = {2021-04-01},
organization = {Reversing Labs},
url = {https://blog.reversinglabs.com/blog/code-reuse-across-packers-and-dll-loaders},
language = {English},
urldate = {2021-04-09}
}
Code Reuse Across Packers and DLL Loaders IcedID SystemBC |
2021-03-31 ⋅ Silent Push ⋅ Martijn Grooten @online{grooten:20210331:icedid:42c6051,
author = {Martijn Grooten},
title = {{IcedID Command and Control Infrastructure}},
date = {2021-03-31},
organization = {Silent Push},
url = {https://www.silentpush.com/blog/icedid-command-and-control-infrastructure},
language = {English},
urldate = {2022-06-09}
}
IcedID Command and Control Infrastructure IcedID PhotoLoader |
2021-03-31 ⋅ Kaspersky ⋅ Kaspersky @online{kaspersky:20210331:financial:3371aa0,
author = {Kaspersky},
title = {{Financial Cyberthreats in 2020}},
date = {2021-03-31},
organization = {Kaspersky},
url = {https://securelist.com/financial-cyberthreats-in-2020/101638/},
language = {English},
urldate = {2021-04-06}
}
Financial Cyberthreats in 2020 BetaBot DanaBot Emotet Gozi Ramnit RTM SpyEye TrickBot Zeus |
2021-03-31 ⋅ Red Canary ⋅ Red Canary @techreport{canary:20210331:2021:cd81f2d,
author = {Red Canary},
title = {{2021 Threat Detection Report}},
date = {2021-03-31},
institution = {Red Canary},
url = {https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf},
language = {English},
urldate = {2021-04-06}
}
2021 Threat Detection Report Shlayer Andromeda Cobalt Strike Dridex Emotet IcedID MimiKatz QakBot TrickBot |
2021-03-29 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20210329:sodinokibi:4c63e20,
author = {The DFIR Report},
title = {{Sodinokibi (aka REvil) Ransomware}},
date = {2021-03-29},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/},
language = {English},
urldate = {2021-03-30}
}
Sodinokibi (aka REvil) Ransomware Cobalt Strike IcedID REvil |
2021-03-26 ⋅ Trend Micro ⋅ Trend Micro @online{micro:20210326:alleged:ce2115c,
author = {Trend Micro},
title = {{Alleged Members of Egregor Ransomware Cartel Arrested}},
date = {2021-03-26},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/c/egregor-ransomware-cartel-members-arrested.html},
language = {English},
urldate = {2021-04-28}
}
Alleged Members of Egregor Ransomware Cartel Arrested Egregor QakBot |
2021-03-21 ⋅ Blackberry ⋅ Blackberry Research @techreport{research:20210321:2021:a393473,
author = {Blackberry Research},
title = {{2021 Threat Report}},
date = {2021-03-21},
institution = {Blackberry},
url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf},
language = {English},
urldate = {2021-03-25}
}
2021 Threat Report Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot |
2021-03-19 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:20210319:ta551:48627e5,
author = {MITRE ATT&CK},
title = {{TA551}},
date = {2021-03-19},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0127/},
language = {English},
urldate = {2022-07-13}
}
TA551 GOLD CABIN |
2021-03-18 ⋅ VinCSS ⋅ Tran Trung Kien @online{kien:20210318:re021:00caf5b,
author = {Tran Trung Kien},
title = {{[RE021] Qakbot analysis – Dangerous malware has been around for more than a decade}},
date = {2021-03-18},
organization = {VinCSS},
url = {https://blog.vincss.net/2021/03/re021-qakbot-dangerous-malware-has-been-around-for-more-than-a-decade.html},
language = {English},
urldate = {2021-03-19}
}
[RE021] Qakbot analysis – Dangerous malware has been around for more than a decade QakBot |
2021-03-17 ⋅ HP ⋅ HP Bromium @techreport{bromium:20210317:threat:3aed551,
author = {HP Bromium},
title = {{Threat Insights Report Q4-2020}},
date = {2021-03-17},
institution = {HP},
url = {https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf},
language = {English},
urldate = {2021-03-19}
}
Threat Insights Report Q4-2020 Agent Tesla BitRAT ComodoSec Dridex Emotet Ficker Stealer Formbook Zloader |
2021-03-12 ⋅ Binary Defense ⋅ James Quinn @online{quinn:20210312:icedid:3e6db43,
author = {James Quinn},
title = {{IcedID GZIPLOADER Analysis}},
date = {2021-03-12},
organization = {Binary Defense},
url = {https://www.binarydefense.com/icedid-gziploader-analysis/},
language = {English},
urldate = {2021-03-16}
}
IcedID GZIPLOADER Analysis IcedID |
2021-03-08 ⋅ Palo Alto Networks Unit 42 ⋅ Chris Navarrete, Yanhui Jia, Matthew Tennis, Durgesh Sangvikar, Rongbo Shao @online{navarrete:20210308:attack:6238643,
author = {Chris Navarrete and Yanhui Jia and Matthew Tennis and Durgesh Sangvikar and Rongbo Shao},
title = {{Attack Chain Overview: Emotet in December 2020 and January 2021}},
date = {2021-03-08},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/attack-chain-overview-emotet-in-december-2020-and-january-2021/},
language = {English},
urldate = {2021-03-11}
}
Attack Chain Overview: Emotet in December 2020 and January 2021 Emotet |
2021-03-04 ⋅ F5 ⋅ Dor Nizar, Roy Moshailov @online{nizar:20210304:icedid:bfcc689,
author = {Dor Nizar and Roy Moshailov},
title = {{IcedID Banking Trojan Uses COVID-19 Pandemic to Lure New Victims}},
date = {2021-03-04},
organization = {F5},
url = {https://www.f5.com/labs/articles/threat-intelligence/icedid-banking-trojan-uses-covid-19-pandemic-to-lure-new-victims},
language = {English},
urldate = {2021-03-06}
}
IcedID Banking Trojan Uses COVID-19 Pandemic to Lure New Victims IcedID |
2021-03 ⋅ Group-IB ⋅ Oleg Skulkin, Roman Rezvukhin, Semyon Rogachev @techreport{skulkin:202103:ransomware:992ca10,
author = {Oleg Skulkin and Roman Rezvukhin and Semyon Rogachev},
title = {{Ransomware Uncovered 2020/2021}},
date = {2021-03},
institution = {Group-IB},
url = {https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf},
language = {English},
urldate = {2021-06-16}
}
Ransomware Uncovered 2020/2021 RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader |
2021-02-28 ⋅ PWC UK ⋅ PWC UK @techreport{uk:20210228:cyber:bd780cd,
author = {PWC UK},
title = {{Cyber Threats 2020: A Year in Retrospect}},
date = {2021-02-28},
institution = {PWC UK},
url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf},
language = {English},
urldate = {2021-03-04}
}
Cyber Threats 2020: A Year in Retrospect elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Tonto Team |
2021-02-28 ⋅ NetbyteSEC @online{netbytesec:20210228:deobfuscating:a975d4c,
author = {NetbyteSEC},
title = {{Deobfuscating Emotet Macro Document and Powershell Command}},
date = {2021-02-28},
url = {https://notes.netbytesec.com/2021/02/deobfuscating-emotet-macro-and.html},
language = {English},
urldate = {2022-02-14}
}
Deobfuscating Emotet Macro Document and Powershell Command Emotet |
2021-02-26 ⋅ CrowdStrike ⋅ Eric Loui, Sergei Frankoff @online{loui:20210226:hypervisor:8dadf9c,
author = {Eric Loui and Sergei Frankoff},
title = {{Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact}},
date = {2021-02-26},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout},
language = {English},
urldate = {2021-05-26}
}
Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact DarkSide RansomEXX Griffon Carbanak Cobalt Strike DarkSide IcedID MimiKatz PyXie RansomEXX REvil |
2021-02-25 ⋅ ANSSI ⋅ CERT-FR @techreport{certfr:20210225:ryuk:7895e12,
author = {CERT-FR},
title = {{Ryuk Ransomware}},
date = {2021-02-25},
institution = {ANSSI},
url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf},
language = {English},
urldate = {2021-03-02}
}
Ryuk Ransomware BazarBackdoor Buer Conti Emotet Ryuk TrickBot |
2021-02-25 ⋅ FireEye ⋅ Bryce Abdo, Brendan McKeague, Van Ta @online{abdo:20210225:so:88f3400,
author = {Bryce Abdo and Brendan McKeague and Van Ta},
title = {{So Unchill: Melting UNC2198 ICEDID to Ransomware Operations}},
date = {2021-02-25},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html},
language = {English},
urldate = {2021-03-02}
}
So Unchill: Melting UNC2198 ICEDID to Ransomware Operations MOUSEISLAND Cobalt Strike Egregor IcedID Maze SystemBC |
2021-02-25 ⋅ JPCERT/CC ⋅ Ken Sajo @online{sajo:20210225:emotet:f78fb4e,
author = {Ken Sajo},
title = {{Emotet Disruption and Outreach to Affected Users}},
date = {2021-02-25},
organization = {JPCERT/CC},
url = {https://blogs.jpcert.or.jp/en/2021/02/emotet-notice.html},
language = {English},
urldate = {2021-02-25}
}
Emotet Disruption and Outreach to Affected Users Emotet |
2021-02-24 ⋅ IBM ⋅ IBM SECURITY X-FORCE @online{xforce:20210224:xforce:ac9a90e,
author = {IBM SECURITY X-FORCE},
title = {{X-Force Threat Intelligence Index 2021}},
date = {2021-02-24},
organization = {IBM},
url = {https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89},
language = {English},
urldate = {2021-03-02}
}
X-Force Threat Intelligence Index 2021 Emotet QakBot Ramnit REvil TrickBot |
2021-02-24 ⋅ Allsafe ⋅ Shota Nakajima, Hara Hiroaki @techreport{nakajima:20210224:malware:0f5ff88,
author = {Shota Nakajima and Hara Hiroaki},
title = {{Malware Analysis at Scale - Defeating Emotet by Ghidra}},
date = {2021-02-24},
institution = {Allsafe},
url = {https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_workshop_malware-analysis_jp.pdf},
language = {English},
urldate = {2021-02-26}
}
Malware Analysis at Scale - Defeating Emotet by Ghidra Emotet |
2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike @techreport{crowdstrike:20210223:2021:bf5bc4f,
author = {CrowdStrike},
title = {{2021 Global Threat Report}},
date = {2021-02-23},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf},
language = {English},
urldate = {2021-02-25}
}
2021 Global Threat Report RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER |
2021-02-17 ⋅ Politie NL ⋅ Politie NL @online{nl:20210217:politie:a27a279,
author = {Politie NL},
title = {{Politie bestrijdt cybercrime via Nederlandse infrastructuur}},
date = {2021-02-17},
organization = {Politie NL},
url = {https://www.politie.nl/nieuws/2021/februari/17/politie-bestrijdt-cybercrime-via-nederlandse-infrastructuur.html},
language = {Dutch},
urldate = {2021-02-20}
}
Politie bestrijdt cybercrime via Nederlandse infrastructuur Emotet |
2021-02-17 ⋅ YouTube (AGDC Services) ⋅ AGDC Services @online{services:20210217:how:d492b9b,
author = {AGDC Services},
title = {{How Malware Can Resolve APIs By Hash}},
date = {2021-02-17},
organization = {YouTube (AGDC Services)},
url = {https://www.youtube.com/watch?v=q8of74upT_g},
language = {English},
urldate = {2021-02-24}
}
How Malware Can Resolve APIs By Hash Emotet Mailto |
2021-02-16 ⋅ Proofpoint ⋅ Proofpoint Threat Research Team @online{team:20210216:q4:4a82474,
author = {Proofpoint Threat Research Team},
title = {{Q4 2020 Threat Report: A Quarterly Analysis of Cybersecurity Trends, Tactics and Themes}},
date = {2021-02-16},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/blog/threat-insight/q4-2020-threat-report-quarterly-analysis-cybersecurity-trends-tactics-and-themes},
language = {English},
urldate = {2021-05-31}
}
Q4 2020 Threat Report: A Quarterly Analysis of Cybersecurity Trends, Tactics and Themes Emotet Ryuk NARWHAL SPIDER TA800 |
2021-02-15 ⋅ Twitter (@TheDFIRReport) ⋅ The DFIR Report @online{report:20210215:qakbot:f692e9c,
author = {The DFIR Report},
title = {{Tweet on Qakbot post infection discovery activity}},
date = {2021-02-15},
organization = {Twitter (@TheDFIRReport)},
url = {https://twitter.com/TheDFIRReport/status/1361331598344478727},
language = {English},
urldate = {2021-02-18}
}
Tweet on Qakbot post infection discovery activity QakBot |
2021-02-12 ⋅ CERT-FR ⋅ CERT-FR @techreport{certfr:20210212:malwareaaaservice:c6454b5,
author = {CERT-FR},
title = {{The Malware-as-a-Service Emotet}},
date = {2021-02-12},
institution = {CERT-FR},
url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-003.pdf},
language = {English},
urldate = {2021-02-20}
}
The Malware-as-a-Service Emotet Emotet |
2021-02-08 ⋅ GRNET CERT ⋅ Dimitris Kolotouros, Marios Levogiannis @online{kolotouros:20210208:reverse:a034919,
author = {Dimitris Kolotouros and Marios Levogiannis},
title = {{Reverse engineering Emotet – Our approach to protect GRNET against the trojan}},
date = {2021-02-08},
organization = {GRNET CERT},
url = {https://cert.grnet.gr/en/blog/reverse-engineering-emotet/},
language = {English},
urldate = {2021-02-09}
}
Reverse engineering Emotet – Our approach to protect GRNET against the trojan Emotet |
2021-02-03 ⋅ Digital Shadows ⋅ Stefano De Blasi @online{blasi:20210203:emotet:8e8ac18,
author = {Stefano De Blasi},
title = {{Emotet Disruption: what it means for the cyber threat landscape}},
date = {2021-02-03},
organization = {Digital Shadows},
url = {https://www.digitalshadows.com/blog-and-research/emotet-disruption/},
language = {English},
urldate = {2021-02-06}
}
Emotet Disruption: what it means for the cyber threat landscape Emotet |
2021-02-03 ⋅ Mimecast, Nettitude @techreport{mimecast:20210203:ta551shathak:4bd9a01,
author = {Mimecast and Nettitude},
title = {{TA551/Shathak Threat Research}},
date = {2021-02-03},
institution = {},
url = {https://www.mimecast.com/globalassets/documents/whitepapers/taa551-treatresearch_final-1.15.21.pdf},
language = {English},
urldate = {2021-05-26}
}
TA551/Shathak Threat Research IcedID |
2021-02-03 ⋅ ZDNet ⋅ Charlie Osborne @online{osborne:20210203:ursnif:936317a,
author = {Charlie Osborne},
title = {{Ursnif Trojan has targeted over 100 Italian banks}},
date = {2021-02-03},
organization = {ZDNet},
url = {https://www.zdnet.com/article/ursnif-trojan-has-targeted-over-100-italian-banks/},
language = {English},
urldate = {2021-06-29}
}
Ursnif Trojan has targeted over 100 Italian banks ISFB Snifula |
2021-02-02 ⋅ CRONUP ⋅ Germán Fernández @online{fernndez:20210202:de:6ff4f3a,
author = {Germán Fernández},
title = {{De ataque con Malware a incidente de Ransomware}},
date = {2021-02-02},
organization = {CRONUP},
url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware},
language = {Spanish},
urldate = {2021-03-02}
}
De ataque con Malware a incidente de Ransomware Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader |
2021-02-01 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team @online{team:20210201:what:2e12897,
author = {Microsoft 365 Defender Threat Intelligence Team},
title = {{What tracking an attacker email infrastructure tells us about persistent cybercriminal operations}},
date = {2021-02-01},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/},
language = {English},
urldate = {2021-02-02}
}
What tracking an attacker email infrastructure tells us about persistent cybercriminal operations Dridex Emotet Makop Ransomware SmokeLoader TrickBot |
2021-01-29 ⋅ Malwarebytes ⋅ Threat Intelligence Team @online{team:20210129:cleaning:489c8b3,
author = {Threat Intelligence Team},
title = {{Cleaning up after Emotet: the law enforcement file}},
date = {2021-01-29},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-analysis/2021/01/cleaning-up-after-emotet-the-law-enforcement-file/},
language = {English},
urldate = {2021-02-02}
}
Cleaning up after Emotet: the law enforcement file Emotet |
2021-01-28 ⋅ Hornetsecurity ⋅ Hornetsecurity Security Lab @online{lab:20210128:emotet:863df45,
author = {Hornetsecurity Security Lab},
title = {{Emotet Botnet Takedown}},
date = {2021-01-28},
organization = {Hornetsecurity},
url = {https://www.hornetsecurity.com/en/threat-research/emotet-botnet-takedown/},
language = {English},
urldate = {2021-01-29}
}
Emotet Botnet Takedown Emotet |
2021-01-28 ⋅ Department of Homeland Security ⋅ Department of Justice @online{justice:20210128:emotet:cb82f8e,
author = {Department of Justice},
title = {{Emotet Botnet Disrupted in International Cyber Operation}},
date = {2021-01-28},
organization = {Department of Homeland Security},
url = {https://www.justice.gov/opa/pr/emotet-botnet-disrupted-international-cyber-operation},
language = {English},
urldate = {2021-02-01}
}
Emotet Botnet Disrupted in International Cyber Operation Emotet |
2021-01-28 ⋅ NTT ⋅ Dan Saunders @online{saunders:20210128:emotet:19b0313,
author = {Dan Saunders},
title = {{Emotet disruption - Europol counterattack}},
date = {2021-01-28},
organization = {NTT},
url = {https://hello.global.ntt/en-us/insights/blog/emotet-disruption-europol-counterattack},
language = {English},
urldate = {2021-01-29}
}
Emotet disruption - Europol counterattack Emotet |
2021-01-28 ⋅ Youtube (Virus Bulletin) ⋅ Benoît Ancel @online{ancel:20210128:bagsu:7de60de,
author = {Benoît Ancel},
title = {{The Bagsu banker case}},
date = {2021-01-28},
organization = {Youtube (Virus Bulletin)},
url = {https://www.youtube.com/watch?v=EyDiIAt__dI},
language = {English},
urldate = {2021-02-01}
}
The Bagsu banker case Azorult DreamBot Emotet Pony TrickBot ZeusAction |
2021-01-28 ⋅ InfoSec Handlers Diary Blog ⋅ Daniel Wesemann @online{wesemann:20210128:emotet:2939e8d,
author = {Daniel Wesemann},
title = {{Emotet vs. Windows Attack Surface Reduction}},
date = {2021-01-28},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/rss/27036},
language = {English},
urldate = {2021-01-29}
}
Emotet vs. Windows Attack Surface Reduction Emotet |
2021-01-27 ⋅ Team Cymru ⋅ James Shank @online{shank:20210127:taking:fa40609,
author = {James Shank},
title = {{Taking Down Emotet How Team Cymru Leveraged Visibility and Relationships to Coordinate Community Efforts}},
date = {2021-01-27},
organization = {Team Cymru},
url = {https://team-cymru.com/blog/2021/01/27/taking-down-emotet/},
language = {English},
urldate = {2021-01-29}
}
Taking Down Emotet How Team Cymru Leveraged Visibility and Relationships to Coordinate Community Efforts Emotet |
2021-01-27 ⋅ KrebsOnSecurity ⋅ Brian Krebs @online{krebs:20210127:international:dc5699a,
author = {Brian Krebs},
title = {{International Action Targets Emotet Crimeware}},
date = {2021-01-27},
organization = {KrebsOnSecurity},
url = {https://krebsonsecurity.com/2021/01/international-action-targets-emotet-crimeware},
language = {English},
urldate = {2021-01-29}
}
International Action Targets Emotet Crimeware Emotet |
2021-01-27 ⋅ Youtube (Національна поліція України) ⋅ Національна поліція України @online{:20210127:emotet:abc27db,
author = {Національна поліція України},
title = {{Кіберполіція викрила транснаціональне угруповання хакерів у розповсюдженні вірусу EMOTET}},
date = {2021-01-27},
organization = {Youtube (Національна поліція України)},
url = {https://www.youtube.com/watch?v=_BLOmClsSpc},
language = {Ukrainian},
urldate = {2021-01-27}
}
Кіберполіція викрила транснаціональне угруповання хакерів у розповсюдженні вірусу EMOTET Emotet |
2021-01-27 ⋅ Bundeskriminalamt ⋅ Bundeskriminalamt @online{bundeskriminalamt:20210127:infrastruktur:eb4ede6,
author = {Bundeskriminalamt},
title = {{Infrastruktur der Emotet-Schadsoftware zerschlagen}},
date = {2021-01-27},
organization = {Bundeskriminalamt},
url = {https://www.bka.de/DE/Presse/Listenseite_Pressemitteilungen/2021/Presse2021/210127_pmEmotet.html},
language = {German},
urldate = {2021-01-27}
}
Infrastruktur der Emotet-Schadsoftware zerschlagen Emotet |
2021-01-27 ⋅ Twitter (@milkr3am) ⋅ milkream @online{milkream:20210127:all:e3c3773,
author = {milkream},
title = {{Tweet on all Emotet epoch pushing payload to self remove emotet malware on 2021-04-25}},
date = {2021-01-27},
organization = {Twitter (@milkr3am)},
url = {https://twitter.com/milkr3am/status/1354459859912192002},
language = {English},
urldate = {2021-01-29}
}
Tweet on all Emotet epoch pushing payload to self remove emotet malware on 2021-04-25 Emotet |
2021-01-27 ⋅ Intel 471 ⋅ Intel 471 @online{471:20210127:emotet:0a7344b,
author = {Intel 471},
title = {{Emotet takedown is not like the Trickbot takedown}},
date = {2021-01-27},
organization = {Intel 471},
url = {https://intel471.com/blog/emotet-takedown-2021/},
language = {English},
urldate = {2021-01-29}
}
Emotet takedown is not like the Trickbot takedown Emotet |
2021-01-27 ⋅ Eurojust ⋅ Eurojust @online{eurojust:20210127:worlds:d416adc,
author = {Eurojust},
title = {{World’s most dangerous malware EMOTET disrupted through global action}},
date = {2021-01-27},
organization = {Eurojust},
url = {https://www.eurojust.europa.eu/worlds-most-dangerous-malware-emotet-disrupted-through-global-action},
language = {English},
urldate = {2021-01-27}
}
World’s most dangerous malware EMOTET disrupted through global action Emotet |
2021-01-19 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan @online{duncan:20210119:wireshark:be0c831,
author = {Brad Duncan},
title = {{Wireshark Tutorial: Examining Emotet Infection Traffic}},
date = {2021-01-19},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/},
language = {English},
urldate = {2021-01-21}
}
Wireshark Tutorial: Examining Emotet Infection Traffic Emotet GootKit IcedID QakBot TrickBot |
2021-01-19 ⋅ Medium elis531989 ⋅ Eli Salem @online{salem:20210119:funtastic:42f9250,
author = {Eli Salem},
title = {{Funtastic Packers And Where To Find Them}},
date = {2021-01-19},
organization = {Medium elis531989},
url = {https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7},
language = {English},
urldate = {2021-01-21}
}
Funtastic Packers And Where To Find Them Get2 IcedID QakBot |
2021-01-18 ⋅ tccontre Blog ⋅ tcontre @online{tcontre:20210118:extracting:4935b1c,
author = {tcontre},
title = {{Extracting Shellcode in ICEID .PNG Steganography}},
date = {2021-01-18},
organization = {tccontre Blog},
url = {https://tccontre.blogspot.com/2021/01/},
language = {English},
urldate = {2021-01-21}
}
Extracting Shellcode in ICEID .PNG Steganography IcedID |
2021-01-14 ⋅ Netskope ⋅ Ghanashyam Satpathy, Dagmawi Mulugeta @online{satpathy:20210114:you:f7f99aa,
author = {Ghanashyam Satpathy and Dagmawi Mulugeta},
title = {{You Can Run, But You Can’t Hide: Advanced Emotet Updates}},
date = {2021-01-14},
organization = {Netskope},
url = {https://www.netskope.com/blog/you-can-run-but-you-cant-hide-advanced-emotet-updates},
language = {English},
urldate = {2021-01-18}
}
You Can Run, But You Can’t Hide: Advanced Emotet Updates Emotet |
2021-01-13 ⋅ VinCSS ⋅ Tran Trung Kien, m4n0w4r @online{kien:20210113:re019:5b00767,
author = {Tran Trung Kien and m4n0w4r},
title = {{[RE019] From A to X analyzing some real cases which used recent Emotet samples}},
date = {2021-01-13},
organization = {VinCSS},
url = {https://blog.vincss.net/2021/01/re019-from-a-to-x-analyzing-some-real-cases-which-used-recent-Emotet-samples.html},
language = {English},
urldate = {2021-01-25}
}
[RE019] From A to X analyzing some real cases which used recent Emotet samples Emotet |
2021-01-12 ⋅ Fortinet ⋅ Xiaopeng Zhang @online{zhang:20210112:new:bdf3ebb,
author = {Xiaopeng Zhang},
title = {{New Variant of Ursnif Continuously Targeting Italy}},
date = {2021-01-12},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/new-variant-of-ursnif-continuously-targeting-italy},
language = {English},
urldate = {2021-01-18}
}
New Variant of Ursnif Continuously Targeting Italy ISFB |
2021-01-09 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli @online{ramilli:20210109:command:d720b27,
author = {Marco Ramilli},
title = {{Command and Control Traffic Patterns}},
date = {2021-01-09},
organization = {Marco Ramilli's Blog},
url = {https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/},
language = {English},
urldate = {2021-05-17}
}
Command and Control Traffic Patterns ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot |
2021-01-08 ⋅ 0xC0DECAFE ⋅ Thomas Barabosch @online{barabosch:20210108:malware:27c7ee2,
author = {Thomas Barabosch},
title = {{The malware analyst’s guide to aPLib decompression}},
date = {2021-01-08},
organization = {0xC0DECAFE},
url = {https://0xc0decafe.com/malware-analysts-guide-to-aplib-decompression/},
language = {English},
urldate = {2021-01-11}
}
The malware analyst’s guide to aPLib decompression ISFB Rovnix |
2021-01-07 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan @online{duncan:20210107:ta551:6346c62,
author = {Brad Duncan},
title = {{TA551: Email Attack Campaign Switches from Valak to IcedID}},
date = {2021-01-07},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/ta551-shathak-icedid/},
language = {English},
urldate = {2021-01-11}
}
TA551: Email Attack Campaign Switches from Valak to IcedID IcedID |
2021-01-06 ⋅ FBI ⋅ FBI @techreport{fbi:20210106:pin:66d55ca,
author = {FBI},
title = {{PIN Number 20210106-001: Egregor Ransomware Targets Businesses Worldwide, Attempting to Extort Businesses by Publicly Releasing Exfiltrated Data}},
date = {2021-01-06},
institution = {FBI},
url = {https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf},
language = {English},
urldate = {2021-01-11}
}
PIN Number 20210106-001: Egregor Ransomware Targets Businesses Worldwide, Attempting to Extort Businesses by Publicly Releasing Exfiltrated Data Egregor QakBot |
2021-01-05 ⋅ r3mrum blog ⋅ R3MRUM @online{r3mrum:20210105:manual:0d15421,
author = {R3MRUM},
title = {{Manual analysis of new PowerSplit maldocs delivering Emotet}},
date = {2021-01-05},
organization = {r3mrum blog},
url = {https://r3mrum.wordpress.com/2021/01/05/manual-analysis-of-new-powersplit-maldocs-delivering-emotet/},
language = {English},
urldate = {2021-01-10}
}
Manual analysis of new PowerSplit maldocs delivering Emotet Emotet |
2021 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2021:threat:a35a451,
author = {SecureWorks},
title = {{Threat Profile: GOLD CABIN}},
date = {2021},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/gold-cabin},
language = {English},
urldate = {2021-05-31}
}
Threat Profile: GOLD CABIN GOLD CABIN |
2021 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2021:threat:5afd502,
author = {SecureWorks},
title = {{Threat Profile: GOLD LAGOON}},
date = {2021},
organization = {Secureworks},
url = {http://www.secureworks.com/research/threat-profiles/gold-lagoon},
language = {English},
urldate = {2021-05-31}
}
Threat Profile: GOLD LAGOON QakBot MALLARD SPIDER |
2021 ⋅ AWAKE ⋅ Awake Security @online{security:2021:breaking:3bdfe99,
author = {Awake Security},
title = {{Breaking the Ice: Detecting IcedID and Cobalt Strike Beacon with Network Detection and Response (NDR)}},
date = {2021},
organization = {AWAKE},
url = {https://awakesecurity.com/blog/detecting-icedid-and-cobalt-strike-beacon-with-network-detection-and-response/},
language = {English},
urldate = {2022-06-09}
}
Breaking the Ice: Detecting IcedID and Cobalt Strike Beacon with Network Detection and Response (NDR) Cobalt Strike IcedID PhotoLoader |
2020-12-31 ⋅ Cert-AgID ⋅ Cert-AgID @online{certagid:20201231:simplify:1a7bcd2,
author = {Cert-AgID},
title = {{Simplify Emotet parsing with Python and iced x86}},
date = {2020-12-31},
organization = {Cert-AgID},
url = {https://cert-agid.gov.it/news/malware/semplificare-lanalisi-di-emotet-con-python-e-iced-x86/},
language = {Italian},
urldate = {2021-01-05}
}
Simplify Emotet parsing with Python and iced x86 Emotet |
2020-12-30 ⋅ Bleeping Computer ⋅ Sergiu Gatlan @online{gatlan:20201230:emotet:1f2a80b,
author = {Sergiu Gatlan},
title = {{Emotet malware hits Lithuania's National Public Health Center}},
date = {2020-12-30},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/emotet-malware-hits-lithuanias-national-public-health-center/},
language = {English},
urldate = {2021-01-05}
}
Emotet malware hits Lithuania's National Public Health Center Emotet |
2020-12-21 ⋅ Cisco Talos ⋅ JON MUNSHAW @online{munshaw:20201221:2020:4a88f84,
author = {JON MUNSHAW},
title = {{2020: The year in malware}},
date = {2020-12-21},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html},
language = {English},
urldate = {2020-12-26}
}
2020: The year in malware WolfRAT Prometei Poet RAT Agent Tesla Astaroth Ave Maria CRAT Emotet Gozi IndigoDrop JhoneRAT Nanocore RAT NjRAT Oblique RAT SmokeLoader StrongPity WastedLocker Zloader |
2020-12-15 ⋅ Hornetsecurity ⋅ Hornetsecurity Security Lab @online{lab:20201215:qakbot:9397167,
author = {Hornetsecurity Security Lab},
title = {{QakBot reducing its on disk artifacts}},
date = {2020-12-15},
organization = {Hornetsecurity},
url = {https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/},
language = {English},
urldate = {2020-12-16}
}
QakBot reducing its on disk artifacts Egregor PwndLocker QakBot |
2020-12-12 ⋅ Medium 0xthreatintel ⋅ 0xthreatintel @online{0xthreatintel:20201212:reversing:945a5b8,
author = {0xthreatintel},
title = {{Reversing QakBot [ TLP: White]}},
date = {2020-12-12},
organization = {Medium 0xthreatintel},
url = {https://0xthreatintel.medium.com/reversing-qakbot-tlp-white-d1b8b37ad8e7},
language = {English},
urldate = {2020-12-14}
}
Reversing QakBot [ TLP: White] QakBot |
2020-12-10 ⋅ Youtube (OALabs) ⋅ Sergei Frankoff @online{frankoff:20201210:malware:0a70511,
author = {Sergei Frankoff},
title = {{Malware Triage Analyzing PrnLoader Used To Drop Emotet}},
date = {2020-12-10},
organization = {Youtube (OALabs)},
url = {https://www.youtube.com/watch?v=5_-oR_135ss},
language = {English},
urldate = {2020-12-18}
}
Malware Triage Analyzing PrnLoader Used To Drop Emotet Emotet |
2020-12-10 ⋅ NRI SECURE ⋅ NeoSOC @online{neosoc:20201210:icedid:b05d899,
author = {NeoSOC},
title = {{マルウェア「IcedID」の検知傾向と感染に至るプロセスを徹底解説}},
date = {2020-12-10},
organization = {NRI SECURE},
url = {https://www.nri-secure.co.jp/blog/explaining-the-tendency-of-malware-icedid},
language = {Japanese},
urldate = {2020-12-11}
}
マルウェア「IcedID」の検知傾向と感染に至るプロセスを徹底解説 IcedID |
2020-12-09 ⋅ Cisco ⋅ David Liebenberg, Caitlin Huey @online{liebenberg:20201209:quarterly:9ed3062,
author = {David Liebenberg and Caitlin Huey},
title = {{Quarterly Report: Incident Response trends from Fall 2020}},
date = {2020-12-09},
organization = {Cisco},
url = {https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html},
language = {English},
urldate = {2020-12-10}
}
Quarterly Report: Incident Response trends from Fall 2020 Cobalt Strike IcedID Maze RansomEXX Ryuk |
2020-12-09 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan @online{duncan:20201209:recent:0992506,
author = {Brad Duncan},
title = {{Recent Qakbot (Qbot) activity}},
date = {2020-12-09},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/rss/26862},
language = {English},
urldate = {2020-12-10}
}
Recent Qakbot (Qbot) activity Cobalt Strike QakBot |
2020-12-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Research Team @online{team:20201209:edr:c8811f1,
author = {Microsoft 365 Defender Research Team},
title = {{EDR in block mode stops IcedID cold}},
date = {2020-12-09},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2020/12/09/edr-in-block-mode-stops-icedid-cold/},
language = {English},
urldate = {2020-12-11}
}
EDR in block mode stops IcedID cold IcedID |
2020-12-09 ⋅ FireEye ⋅ Mitchell Clarke, Tom Hall @techreport{clarke:20201209:its:c312acc,
author = {Mitchell Clarke and Tom Hall},
title = {{It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES)}},
date = {2020-12-09},
institution = {FireEye},
url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf},
language = {English},
urldate = {2020-12-15}
}
It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES) Cobalt Strike DoppelPaymer QakBot REvil |
2020-12-04 ⋅ Kaspersky Labs ⋅ Oleg Kupreev @online{kupreev:20201204:chronicles:faab5a6,
author = {Oleg Kupreev},
title = {{The chronicles of Emotet}},
date = {2020-12-04},
organization = {Kaspersky Labs},
url = {https://securelist.com/the-chronicles-of-emotet/99660/},
language = {English},
urldate = {2020-12-08}
}
The chronicles of Emotet Emotet |
2020-12-03 ⋅ Recorded Future ⋅ Insikt Group® @techreport{group:20201203:egregor:a56f637,
author = {Insikt Group®},
title = {{Egregor Ransomware, Used in a String of High-Profile Attacks, Shows Connections to QakBot}},
date = {2020-12-03},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-1203.pdf},
language = {English},
urldate = {2020-12-08}
}
Egregor Ransomware, Used in a String of High-Profile Attacks, Shows Connections to QakBot Egregor QakBot |
2020-12-02 ⋅ CyberInt ⋅ Cyberint Research @online{research:20201202:icedid:d43e06d,
author = {Cyberint Research},
title = {{IcedID Stealer Man-in-the-browser Banking Trojan}},
date = {2020-12-02},
organization = {CyberInt},
url = {https://blog.cyberint.com/icedid-stealer-man-in-the-browser-banking-trojan},
language = {English},
urldate = {2020-12-11}
}
IcedID Stealer Man-in-the-browser Banking Trojan IcedID |
2020-12-02 ⋅ Red Canary ⋅ twitter (@redcanary) @online{redcanary:20201202:increased:5db5dce,
author = {twitter (@redcanary)},
title = {{Tweet on increased #Qbot activity delivering Cobalt Strike & #Egregor ransomware}},
date = {2020-12-02},
organization = {Red Canary},
url = {https://twitter.com/redcanary/status/1334224861628039169},
language = {English},
urldate = {2020-12-08}
}
Tweet on increased #Qbot activity delivering Cobalt Strike & #Egregor ransomware Cobalt Strike Egregor QakBot |
2020-12-01 ⋅ Group-IB ⋅ Group-IB, Oleg Skulkin, Semyon Rogachev, Roman Rezvukhin @techreport{groupib:20201201:egregor:37e5698,
author = {Group-IB and Oleg Skulkin and Semyon Rogachev and Roman Rezvukhin},
title = {{Egregor ransomware: The legacy of Maze lives on}},
date = {2020-12-01},
institution = {Group-IB},
url = {https://web.archive.org/web/20201207094648/https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Egregor_Ransomware.pdf},
language = {English},
urldate = {2021-01-21}
}
Egregor ransomware: The legacy of Maze lives on Egregor QakBot |
2020-11-30 ⋅ FireEye ⋅ Mitchell Clarke, Tom Hall @techreport{clarke:20201130:its:1b6b681,
author = {Mitchell Clarke and Tom Hall},
title = {{It's not FINished The Evolving Maturity in Ransomware Operations}},
date = {2020-11-30},
institution = {FireEye},
url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf},
language = {English},
urldate = {2020-12-14}
}
It's not FINished The Evolving Maturity in Ransomware Operations Cobalt Strike DoppelPaymer MimiKatz QakBot REvil |
2020-11-27 ⋅ malware.love ⋅ Robert Giczewski @online{giczewski:20201127:having:7cd6ae8,
author = {Robert Giczewski},
title = {{Having fun with a Ursnif VBS dropper}},
date = {2020-11-27},
organization = {malware.love},
url = {https://malware.love/malware_analysis/reverse_engineering/2020/11/27/analyzing-a-vbs-dropper.html},
language = {English},
urldate = {2020-12-01}
}
Having fun with a Ursnif VBS dropper |