GOLD CABIN is a financially motivated cybercriminal threat group operating a malware distribution service on behalf of numerous customers since 2018. GOLD CABIN uses malicious documents, often contained in password-protected archives, delivered through email to download and execute payloads. The second-stage payloads are most frequently Gozi ISFB (Ursnif) or IcedID (Bokbot), sometimes using intermediary malware like Valak. GOLD CABIN infrastructure relies on artificial-appearing and frequently changing URLs created with a domain generation algorithm (DGA). The URLs host a PHP object that returns the malware as a DLL file.
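@online{report:20230522:icedid:ecec658,
  author       = {{The DFIR Report}},
  title        = {{IcedID Macro Ends in Nokoyawa Ransomware}},
  organization = {The DFIR Report},
  date         = {2023-05-22},
  url          = {https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/},
  urldate      = {2023-05-23},
  language     = {English},
}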
IcedID Macro Ends in Nokoyawa Ransomware IcedID Nokoyawa Ransomware |
@online{thiebaut:20230521:pcapeek:f4107bc,
  author       = {Maxime Thiebaut},
  title        = {{PCAPeek}},
  organization = {Github (0xThiebaut)},
  date         = {2023-05-21},
  url          = {https://github.com/0xThiebaut/PCAPeek/},
  urldate      = {2023-05-25},
  language     = {English},
}
PCAPeek IcedID QakBot |
@online{robinson:20230518:how:3acd352,
  author       = {Ryan Robinson},
  title        = {{How Hackers Use Binary Padding to Outsmart Sandboxes and Infiltrate Your Systems}},
  organization = {Intezer},
  date         = {2023-05-18},
  url          = {https://intezer.com/blog/research/how-hackers-use-binary-padding-to-outsmart-sandboxes/},
  urldate      = {2023-05-25},
  language     = {English},
}
How Hackers Use Binary Padding to Outsmart Sandboxes and Infiltrate Your Systems Emotet |
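@online{cymru:20230517:visualizing:a560ffb,
  author       = {{Team Cymru}},
  title        = {{Visualizing QakBot Infrastructure}},
  organization = {Team Cymru},
  date         = {2023-05-17},
  url          = {https://www.team-cymru.com/post/visualizing-qakbot-infrastructure},
  urldate      = {2023-05-21},
  language     = {English},
}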
Visualizing QakBot Infrastructure QakBot |
@online{bridewell:20230510:hunting:461fdf0,
  author       = {Bridewell},
  title        = {{Hunting for Ursnif}},
  organization = {Bridewell},
  date         = {2023-05-10},
  url          = {https://www.bridewell.com/insights/news/detail/hunting-for-ursnif},
  urldate      = {2023-05-15},
  language     = {English},
}
Hunting for Ursnif ISFB Royal Ransom |
@online{franois:20230504:unpacking:7f892ff,
  author       = {Cyril François},
  title        = {{Unpacking ICEDID}},
  organization = {Elastic},
  date         = {2023-05-04},
  url          = {https://www.elastic.co/security-labs/unpacking-icedid},
  urldate      = {2023-05-05},
  language     = {English},
}
Unpacking ICEDID IcedID PhotoLoader |
@online{lim:20230503:teasing:eef7ae4,
  author       = {Mark Lim and Daniel Raygoza and Bob Jung},
  title        = {{Teasing the Secrets From Threat Actors: Malware Configuration Parsing at Scale}},
  organization = {Palo Alto Networks Unit 42},
  date         = {2023-05-03},
  url          = {https://unit42.paloaltonetworks.com/teasing-secrets-malware-configuration-parsing},
  urldate      = {2023-05-04},
  language     = {English},
}
Teasing the Secrets From Threat Actors: Malware Configuration Parsing at Scale IcedID PhotoLoader |
@online{wilson:20230503:unpacme:ed52c88,
  author       = {Sean Wilson},
  title        = {{UnpacMe Weekly: New Version of IcedId Loader}},
  organization = {unpac.me},
  date         = {2023-05-03},
  url          = {https://blog.unpac.me/2023/05/03/unpacme-weekly-new-version-of-icedid-loader},
  urldate      = {2023-05-04},
  language     = {English},
}
UnpacMe Weekly: New Version of IcedId Loader IcedID PhotoLoader |
@online{system41:20230502:icedid:88e0516,
  author       = {System-41},
  title        = {{IcedID Malware: Traversing Through its Various Incarnations}},
  organization = {loginsoft},
  date         = {2023-05-02},
  url          = {https://research.loginsoft.com/threat-research/icedid-malware-traversing-through-its-various-incarnations/},
  urldate      = {2023-05-09},
  language     = {English},
}
IcedID Malware: Traversing Through its Various Incarnations IcedID |
@online{wise:20230428:beyond:b45d805,
  author       = {Joe Wise and Pim Trouerbach},
  title        = {{Beyond Banking: IcedID Gets Forked}},
  organization = {DISCARDED Podcast},
  date         = {2023-04-28},
  url          = {https://www.spreaker.com/user/16860719/proofpoint-e29-mix-v1},
  urldate      = {2023-05-04},
  language     = {English},
}
Beyond Banking: IcedID Gets Forked IcedID PhotoLoader |
@online{green:20230418:automating:5252cc0,
  author       = {Matt Green},
  title        = {{Automating Qakbot Detection at Scale With Velociraptor}},
  organization = {Rapid7 Labs},
  date         = {2023-04-18},
  url          = {https://www.rapid7.com/blog/post/2023/04/18/automating-qakbot-detection-at-scale-with/},
  urldate      = {2023-04-25},
  language     = {English},
}
Automating Qakbot Detection at Scale With Velociraptor QakBot |
@online{mandiant:20230418:mtrends:af1a28e,
  author       = {Mandiant},
  title        = {{M-Trends 2023}},
  organization = {Mandiant},
  date         = {2023-04-18},
  url          = {https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023},
  urldate      = {2023-04-18},
  language     = {English},
}
M-Trends 2023 QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate |
@online{scholten:20230413:detecting:18cb661,
  author       = {Sam Scholten},
  title        = {{Detecting QakBot: WSF attachments, OneNote files, and generic attack surface reduction}},
  organization = {Sublime},
  date         = {2023-04-13},
  url          = {https://sublime.security/blog/detecting-qakbot-wsf-attachments-onenote-files-and-generic-attack-surface-reduction},
  urldate      = {2023-04-18},
  language     = {English},
}
Detecting QakBot: WSF attachments, OneNote files, and generic attack surface reduction QakBot |
@online{duncan:20230412:recent:66863ee,
  author       = {Brad Duncan},
  title        = {{Recent IcedID (Bokbot) activity}},
  organization = {InfoSec Handlers Diary Blog},
  date         = {2023-04-12},
  url          = {https://isc.sans.edu/diary/29740},
  urldate      = {2023-04-18},
  language     = {English},
}
Recent IcedID (Bokbot) activity IcedID PhotoLoader |
@online{koduru:20230412:maximizing:167d572,
  author       = {Bhargav koduru},
  title        = {{Maximizing Threat Detections of Qakbot with Osquery}},
  organization = {loginsoft},
  date         = {2023-04-12},
  url          = {https://research.loginsoft.com/threat-research/blog-maximizing-threat-detections-of-qakbot-with-osquery/},
  urldate      = {2023-04-14},
  language     = {English},
}
Maximizing Threat Detections of Qakbot with Osquery QakBot |
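@techreport{labs:20230412:spamhaus:aa309d1,
  author       = {{Spamhaus Malware Labs}},
  title        = {{Spamhaus Botnet Threat Update Q1 2023}},
  institution  = {Spamhaus},
  date         = {2023-04-12},
  url          = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf},
  urldate      = {2023-04-18},
  language     = {English},
}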
Spamhaus Botnet Threat Update Q1 2023 FluBot Amadey AsyncRAT Aurora Ave Maria BumbleBee Cobalt Strike DCRat Emotet IcedID ISFB NjRAT QakBot RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee Vidar |
@online{duncan:20230412:recent:093f8b8,
  author       = {Brad Duncan},
  title        = {{Recent IcedID (Bokbot) activity}},
  organization = {SANS ISC},
  date         = {2023-04-12},
  url          = {https://dshield.org/diary/Recent+IcedID+Bokbot+activity/29740/},
  urldate      = {2023-04-18},
  language     = {English},
}
Recent IcedID (Bokbot) activity IcedID |
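@online{unit42:20230411:change:c20334e,
  author       = {Unit42},
  title        = {{Tweet on change of IcedID backconnect traffic port from 8080 to 443}},
  organization = {Twitter (@Unit42\_Intel)},
  date         = {2023-04-11},
  url          = {https://twitter.com/Unit42_Intel/status/1645851799427874818},
  urldate      = {2023-04-18},
  language     = {English},
}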
Tweet on change of IcedID backconnect traffic port from 8080 to 443 IcedID |
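@online{point:20230410:march:144c1ad,
  author       = {{Check Point}},
  title        = {{March 2023’s Most Wanted Malware: New Emotet Campaign Bypasses Microsoft Blocks to Distribute Malicious OneNote Files}},
  organization = {Check Point},
  date         = {2023-04-10},
  url          = {https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/},
  urldate      = {2023-04-12},
  language     = {English},
}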
March 2023’s Most Wanted Malware: New Emotet Campaign Bypasses Microsoft Blocks to Distribute Malicious OneNote Files Agent Tesla CloudEyE Emotet Formbook Nanocore RAT NjRAT QakBot Remcos Tofsee |
@online{green:20230405:automating:ef8b30e,
  author       = {Matt Green},
  title        = {{Automating Qakbot Decode At Scale}},
  organization = {velociraptor},
  date         = {2023-04-05},
  url          = {https://docs.velociraptor.app/blog/2023/2023-04-05-qakbot/},
  urldate      = {2023-04-18},
  language     = {English},
}
Automating Qakbot Decode At Scale QakBot |
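@online{report:20230403:malicious:238465b,
  author       = {{The DFIR Report}},
  title        = {{Malicious ISO File Leads to Domain Wide Ransomware}},
  organization = {The DFIR Report},
  date         = {2023-04-03},
  url          = {https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/},
  urldate      = {2023-04-06},
  language     = {English},
}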
Malicious ISO File Leads to Domain Wide Ransomware Cobalt Strike IcedID Mount Locker |
@online{agrawal:20230330:from:7b46ae0,
  author       = {Saharsh Agrawal},
  title        = {{From Innocence to Malice: The OneNote Malware Campaign Uncovered}},
  organization = {loginsoft},
  date         = {2023-03-30},
  url          = {https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/},
  urldate      = {2023-04-14},
  language     = {English},
}
From Innocence to Malice: The OneNote Malware Campaign Uncovered Agent Tesla AsyncRAT DOUBLEBACK Emotet Formbook IcedID NetWire RC QakBot Quasar RAT RedLine Stealer XWorm |
@techreport{microsoft:20230330:cracked:08c67c0,
  author       = {Microsoft and Fortra and HEALTH-ISAC},
  title        = {{Cracked Cobalt Strike (1:23-cv-02447)}},
  institution  = {United States District Court (Eastern District of New York)},
  date         = {2023-03-30},
  url          = {https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf},
  urldate      = {2023-04-28},
  language     = {English},
}
Cracked Cobalt Strike (1:23-cv-02447) Black Basta BlackCat LockBit RagnarLocker LockBit Black Basta BlackCat Cobalt Strike Cuba Emotet LockBit Mount Locker PLAY QakBot RagnarLocker Royal Ransom Zloader |
@online{trouerbach:20230327:fork:62e7699,
  author       = {Pim Trouerbach and Kelsey Merriman and Joe Wise},
  title        = {{Fork in the Ice: The New Era of IcedID}},
  organization = {Proofpoint},
  date         = {2023-03-27},
  url          = {https://www.proofpoint.com/us/blog/threat-insight/fork-ice-new-era-icedid},
  urldate      = {2023-03-27},
  language     = {English},
}
Fork in the Ice: The New Era of IcedID IcedID |
@online{peko:20230324:bypassing:a6439f7,
  author       = {peko},
  title        = {{Bypassing Qakbot Anti-Analysis}},
  organization = {Lab52},
  date         = {2023-03-24},
  url          = {https://lab52.io/blog/bypassing-qakbot-anti-analysis-tactics/},
  urldate      = {2023-03-27},
  language     = {English},
}
Bypassing Qakbot Anti-Analysis QakBot |
@online{brumaghin:20230322:emotet:fa8054c,
  author       = {Edmund Brumaghin and Jaeson Schultz},
  title        = {{Emotet Resumes Spam Operations, Switches to OneNote}},
  organization = {Cisco Talos},
  date         = {2023-03-22},
  url          = {https://blog.talosintelligence.com/emotet-switches-to-onenote/},
  urldate      = {2023-03-23},
  language     = {English},
}
Emotet Resumes Spam Operations, Switches to OneNote Emotet |
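@online{thiebaut:20230320:icedids:78b47a7,
  author       = {Maxime Thiebaut},
  title        = {{IcedID’s VNC Backdoors: Dark Cat, Anubis \& Keyhole}},
  organization = {NVISO Labs},
  date         = {2023-03-20},
  url          = {https://blog.nviso.eu/2023/03/20/icedids-vnc-backdoors-dark-cat-anubis-keyhole/},
  urldate      = {2023-03-21},
  language     = {English},
}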
IcedID’s VNC Backdoors: Dark Cat, Anubis & Keyhole IcedID |
@online{0xtoxin:20230319:gozi:bb7bade,
  author       = {@0xToxin},
  title        = {{Gozi - Italian ShellCode Dance}},
  organization = {0xToxin Labs},
  date         = {2023-03-19},
  url          = {https://0xtoxin.github.io/threat%20breakdown/Gozi-Italy-Campaign/},
  urldate      = {2023-05-17},
  language     = {English},
}
Gozi - Italian ShellCode Dance Gozi ISFB |
@online{franois:20230317:thawing:b8065d4,
  author       = {Cyril François and Daniel Stepanic},
  title        = {{Thawing the permafrost of ICEDID Summary}},
  organization = {Elastic},
  date         = {2023-03-17},
  url          = {https://www.elastic.co/security-labs/thawing-the-permafrost-of-icedid-summary},
  urldate      = {2023-03-20},
  language     = {English},
}
Thawing the permafrost of ICEDID Summary IcedID PhotoLoader |
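@online{team:20230315:qbot:cf3b85f,
  author       = {{RELIAQUEST THREAT RESEARCH TEAM}},
  title        = {{QBot: Laying the Foundations for Black Basta Ransomware Activity}},
  organization = {Reliaquest},
  date         = {2023-03-15},
  url          = {https://www.reliaquest.com/blog/qbot-black-basta-ransomware/},
  urldate      = {2023-04-18},
  language     = {English},
}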
QBot: Laying the Foundations for Black Basta Ransomware Activity Black Basta QakBot |
@online{kenefick:20230313:emotet:7dc342d,
  author       = {Ian Kenefick},
  title        = {{Emotet Returns, Now Adopts Binary Padding for Evasion}},
  organization = {Trendmicro},
  date         = {2023-03-13},
  url          = {https://www.trendmicro.com/en_no/research/23/c/emotet-returns-now-adopts-binary-padding-for-evasion.html},
  urldate      = {2023-03-14},
  language     = {English},
}
Emotet Returns, Now Adopts Binary Padding for Evasion Emotet |
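@online{tru:20230309:batloader:db50046,
  author       = {{eSentire Threat Response Unit (TRU)}},
  title        = {{BatLoader Continues to Abuse Google Search Ads to Deliver Vidar Stealer and Ursnif}},
  organization = {eSentire},
  date         = {2023-03-09},
  url          = {https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif},
  urldate      = {2023-04-25},
  language     = {English},
}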
BatLoader Continues to Abuse Google Search Ads to Deliver Vidar Stealer and Ursnif BATLOADER ISFB Vidar |
@online{phuc:20230307:qakbot:a1aef8e,
  author       = {Pham Duy Phuc and Raghav Kapoor and John Fokker and Alejandro Houspanossian and Mathanraj Thangaraju},
  title        = {{Qakbot Evolves to OneNote Malware Distribution}},
  organization = {Trellix},
  date         = {2023-03-07},
  url          = {https://www.trellix.com/en-us/about/newsroom/stories/research/qakbot-evolves-to-onenote-malware-distribution.html},
  urldate      = {2023-03-13},
  language     = {English},
}
Qakbot Evolves to OneNote Malware Distribution QakBot |
@online{abrams:20230307:emotet:734058c,
  author       = {Lawrence Abrams},
  title        = {{Emotet malware attacks return after three-month break}},
  organization = {BleepingComputer},
  date         = {2023-03-07},
  url          = {https://www.bleepingcomputer.com/news/security/emotet-malware-attacks-return-after-three-month-break/},
  urldate      = {2023-03-13},
  language     = {English},
}
Emotet malware attacks return after three-month break Emotet |
@online{cofense:20230307:emotet:daf5b46,
  author       = {Cofense},
  title        = {{Emotet Sending Malicious Emails After Three-Month Hiatus}},
  organization = {Cofense},
  date         = {2023-03-07},
  url          = {https://cofense.com/blog/emotet-sending-malicious-emails-after-three-month-hiatus/},
  urldate      = {2023-03-13},
  language     = {English},
}
Emotet Sending Malicious Emails After Three-Month Hiatus Emotet |
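@online{taylor:20230302:bluehat:cdd75a0,
  author       = {Daniel Taylor and Ben Magee},
  title        = {{BlueHat 2023: Hunting Qakbot with Daniel Taylor \& Ben Magee}},
  organization = {Youtube (Microsoft Security Response Center (MSRC))},
  date         = {2023-03-02},
  url          = {https://www.youtube.com/watch?v=OCRyEUhiEyw},
  urldate      = {2023-04-18},
  language     = {English},
}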
BlueHat 2023: Hunting Qakbot with Daniel Taylor & Ben Magee QakBot |
@online{hjelmvik:20230302:qakbot:978553c,
  author       = {Erik Hjelmvik},
  title        = {{QakBot C2 Traffic}},
  organization = {Netresec},
  date         = {2023-03-02},
  url          = {https://www.netresec.com/?page=Blog&month=2023-03&post=QakBot-C2-Traffic},
  urldate      = {2023-03-04},
  language     = {English},
}
QakBot C2 Traffic QakBot |
@online{nandanwar:20230301:onenote:07aefe0,
  author       = {Meghraj Nandanwar and Shatak Jain},
  title        = {{OneNote: A Growing Threat for Malware Distribution}},
  organization = {Zscaler},
  date         = {2023-03-01},
  url          = {https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution},
  urldate      = {2023-03-13},
  language     = {English},
}
OneNote: A Growing Threat for Malware Distribution AsyncRAT Cobalt Strike IcedID QakBot RedLine Stealer |
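@online{471:20230228:malvertising:268d961,
  author       = {{Intel 471}},
  title        = {{Malvertising Surges to Distribute Malware}},
  organization = {Intel 471},
  date         = {2023-02-28},
  url          = {https://intel471.com/blog/malvertising-surges-to-distribute-malware},
  urldate      = {2023-03-13},
  language     = {English},
}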
Malvertising Surges to Distribute Malware BATLOADER IcedID |
@techreport{prodaft:20230227:rig:72076aa,
  author       = {PRODAFT},
  title        = {{RIG Exploit Kit: In-Depth Analysis}},
  institution  = {PRODAFT Threat Intelligence},
  date         = {2023-02-27},
  url          = {https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf},
  urldate      = {2023-05-08},
  language     = {English},
}
RIG Exploit Kit: In-Depth Analysis Dridex IcedID ISFB PureCrypter Raccoon RecordBreaker RedLine Stealer Royal Ransom Silence SmokeLoader Zloader |
@online{duhin:20230226:emotet:b21451d,
  author       = {Ilan Duhin and Yossi Poberezsky},
  title        = {{Emotet Campaign}},
  organization = {Medium Ilandu},
  date         = {2023-02-26},
  url          = {https://medium.com/@Ilandu/emotet-campaign-6f240f7a5ed5},
  urldate      = {2023-02-27},
  language     = {English},
}
Emotet Campaign Emotet |
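@online{cymru:20230224:desde:d9ec280,
  author       = {{Team Cymru}},
  title        = {{Desde Chile con Malware (From Chile with Malware)}},
  organization = {Team Cymru},
  date         = {2023-02-24},
  url          = {https://www.team-cymru.com/post/from-chile-with-malware},
  urldate      = {2023-03-13},
  language     = {English},
}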
Desde Chile con Malware (From Chile with Malware) IcedID PhotoLoader |
@online{reaves:20230224:qbot:771bf3d,
  author       = {Jason Reaves and Joshua Platt and Jonathan Mccay and Kirk Sayre},
  title        = {{Qbot testing malvertising campaigns?}},
  organization = {Medium walmartglobaltech},
  date         = {2023-02-24},
  url          = {https://medium.com/walmartglobaltech/qbot-testing-malvertising-campaigns-3e2552cbc69a},
  urldate      = {2023-02-27},
  language     = {English},
}
Qbot testing malvertising campaigns? QakBot |
@online{cyble:20230217:many:101a732,
  author       = {Cyble},
  title        = {{The Many Faces of Qakbot Malware: A Look at Its Diverse Distribution Methods}},
  organization = {cyble},
  date         = {2023-02-17},
  url          = {https://blog.cyble.com/2023/02/17/the-many-faces-of-qakbot-malware-a-look-at-its-diverse-distribution-methods/},
  urldate      = {2023-02-21},
  language     = {English},
}
The Many Faces of Qakbot Malware: A Look at Its Diverse Distribution Methods QakBot |
@online{hjelmvik:20230215:how:db64f7c,
  author       = {Erik Hjelmvik},
  title        = {{How to Identify IcedID Network Traffic}},
  organization = {Netresec},
  date         = {2023-02-15},
  url          = {https://www.netresec.com/?page=Blog&month=2023-02&post=How-to-Identify-IcedID-Network-Traffic},
  urldate      = {2023-02-16},
  language     = {English},
}
How to Identify IcedID Network Traffic IcedID |
@online{blancrolin:20230214:comment:aa336bd,
  author       = {Charles Blanc-Rolin},
  title        = {{Comment Qbot revient en force avec OneNote ?}},
  organization = {DSIH},
  date         = {2023-02-14},
  url          = {https://www.dsih.fr/article/5020/comment-qbot-revient-en-force-avec-onenote.html},
  urldate      = {2023-02-21},
  language     = {French},
}
Comment Qbot revient en force avec OneNote ? QakBot |
@online{hiyoshi:20230208:steelclover:0f3b85a,
  author       = {Ryu Hiyoshi},
  title        = {{SteelClover Attacks Distributing Malware Via Google Ads Increased}},
  organization = {NTT Security},
  date         = {2023-02-08},
  url          = {https://insight-jp.nttsecurity.com/post/102i7af/steelclovergoogle},
  urldate      = {2023-02-13},
  language     = {English},
}
SteelClover Attacks Distributing Malware Via Google Ads Increased BATLOADER ISFB RedLine Stealer |
@online{brandt:20230206:qakbot:e85e83f,
  author       = {Andrew Brandt},
  title        = {{Qakbot mechanizes distribution of malicious OneNote notebooks}},
  organization = {Sophos},
  date         = {2023-02-06},
  url          = {https://news.sophos.com/en-us/2023/02/06/qakbot-onenote-attacks/},
  urldate      = {2023-02-13},
  language     = {English},
}
Qakbot mechanizes distribution of malicious OneNote notebooks QakBot |
@online{olshtein:20230130:following:e442fcc,
  author       = {Arie Olshtein},
  title        = {{Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware}},
  organization = {Checkpoint},
  date         = {2023-01-30},
  url          = {https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/},
  urldate      = {2023-01-31},
  language     = {English},
}
Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware Agent Tesla Azorult Buer Cerber Cobalt Strike Emotet Formbook HawkEye Keylogger Loki Password Stealer (PWS) Maze NetWire RC Remcos REvil TrickBot |
@online{duhin:20230126:unpacking:8ff4776,
  author       = {Ilan Duhin},
  title        = {{Unpacking Emotet Malware}},
  organization = {Acronis},
  date         = {2023-01-26},
  url          = {https://medium.com/@Ilandu/emotet-unpacking-35bbe2980cfb},
  urldate      = {2023-01-27},
  language     = {English},
}
Unpacking Emotet Malware Emotet |
@online{green:20230123:black:dd89d21,
  author       = {Stephen Green and Elio Biasiotto},
  title        = {{Black Basta – Technical Analysis}},
  organization = {Kroll},
  date         = {2023-01-23},
  url          = {https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis},
  urldate      = {2023-04-22},
  language     = {English},
}
Black Basta – Technical Analysis Black Basta Cobalt Strike MimiKatz QakBot SystemBC |
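@online{team:20230120:emotet:3d5fe7f,
  author       = {{BlackBerry Research \& Intelligence Team}},
  title        = {{Emotet Returns With New Methods of Evasion}},
  organization = {Blackberry},
  date         = {2023-01-20},
  url          = {https://blogs.blackberry.com/en/2023/01/emotet-returns-with-new-methods-of-evasion},
  urldate      = {2023-01-25},
  language     = {English},
}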
Emotet Returns With New Methods of Evasion Emotet IcedID |
@online{venere:20230119:following:c60f349,
  author       = {Guilherme Venere},
  title        = {{Following the LNK metadata trail}},
  organization = {Cisco},
  date         = {2023-01-19},
  url          = {https://blog.talosintelligence.com/following-the-lnk-metadata-trail},
  urldate      = {2023-04-06},
  language     = {English},
}
Following the LNK metadata trail BumbleBee PhotoLoader QakBot |
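@online{team:20230112:qakbot:a26156d,
  author       = {{EclecticIQ Threat Research Team}},
  title        = {{QakBot Malware Used Unpatched Vulnerability to Bypass Windows OS Security Feature}},
  organization = {EclecticIQ},
  date         = {2023-01-12},
  url          = {https://blog.eclecticiq.com/qakbot-malware-used-unpatched-vulnerability-to-bypass-windows-os-security-feature},
  urldate      = {2023-01-16},
  language     = {English},
}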
QakBot Malware Used Unpatched Vulnerability to Bypass Windows OS Security Feature QakBot |
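@online{intrinsec:20230109:emotet:202716f,
  author       = {{Intrinsec} and {CTI Intrinsec}},
  title        = {{Emotet returns and deploys loaders}},
  organization = {Intrinsec},
  date         = {2023-01-09},
  url          = {https://www.intrinsec.com/emotet-returns-and-deploys-loaders/},
  urldate      = {2023-01-10},
  language     = {English},
}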
Emotet returns and deploys loaders BumbleBee Emotet IcedID |
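@online{report:20230109:unwrapping:d36b45f,
  author       = {{The DFIR Report}},
  title        = {{Unwrapping Ursnifs Gifts}},
  organization = {The DFIR Report},
  date         = {2023-01-09},
  url          = {https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/},
  urldate      = {2023-01-13},
  language     = {English},
}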
Unwrapping Ursnifs Gifts ISFB |
@online{babinski:20221228:html:7dbe8af,
  author       = {Micah Babinski},
  title        = {{HTML Smuggling Detection}},
  date         = {2022-12-28},
  url          = {https://micahbabinski.medium.com/html-smuggling-detection-5adefebb6841},
  urldate      = {2022-12-31},
  language     = {English},
}
HTML Smuggling Detection QakBot |
@online{kenefick:20221223:icedid:df95b05,
  author       = {Ian Kenefick},
  title        = {{IcedID Botnet Distributors Abuse Google PPC to Distribute Malware}},
  organization = {Trendmicro},
  date         = {2022-12-23},
  url          = {https://www.trendmicro.com/en_ie/research/22/l/icedid-botnet-distributors-abuse-google-ppc-to-distribute-malware.html},
  urldate      = {2022-12-24},
  language     = {English},
}
IcedID Botnet Distributors Abuse Google PPC to Distribute Malware IcedID |
@online{ahnlab:20221222:qakbot:9e92461,
  author       = {AhnLab},
  title        = {{Qakbot Being Distributed via Virtual Disk Files (*.vhd)}},
  organization = {ASEC},
  date         = {2022-12-22},
  url          = {https://asec.ahnlab.com/en/44662/},
  urldate      = {2022-12-24},
  language     = {English},
}
Qakbot Being Distributed via Virtual Disk Files (*.vhd) QakBot |
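@online{team:20221221:inside:8298d24,
  author       = {{S2 Research Team}},
  title        = {{Inside the IcedID BackConnect Protocol}},
  organization = {Team Cymru},
  date         = {2022-12-21},
  url          = {https://www.team-cymru.com/post/inside-the-icedid-backconnect-protocol},
  urldate      = {2022-12-24},
  language     = {English},
}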
Inside the IcedID BackConnect Protocol IcedID |
@online{m4n0w4r:20221219:z2abimonthly:8edee72,
  author       = {m4n0w4r and Tran Trung Kien},
  title        = {{[Z2A]Bimonthly malware challege – Emotet (Back From the Dead)}},
  organization = {kienmanowar Blog},
  date         = {2022-12-19},
  url          = {https://kienmanowar.wordpress.com/2022/12/19/z2abimonthly-malware-challege-emotet-back-from-the-dead/},
  urldate      = {2022-12-20},
  language     = {English},
}
[Z2A]Bimonthly malware challege – Emotet (Back From the Dead) Emotet |
@online{doan:20221218:icedid:f4a858a,
  author       = {Berkay DOĞAN and Dilara BEHAR and Rabia EKŞİ and Zafer Yiğithan DERECİ},
  title        = {{IcedID Technical Analysis Report}},
  organization = {ZAYOTEM},
  date         = {2022-12-18},
  url          = {https://drive.google.com/file/d/1jB0CsDvAADSrBeGxoi5gzyx8eQIiOJ2G/view},
  urldate      = {2022-12-20},
  language     = {English},
}
IcedID Technical Analysis Report IcedID |
@online{duncan:20221215:google:179f840,
  author       = {Brad Duncan},
  title        = {{Google ads lead to fake software pages pushing IcedID (Bokbot)}},
  organization = {ISC},
  date         = {2022-12-15},
  url          = {https://isc.sans.edu/diary/Google+ads+lead+to+fake+software+pages+pushing+IcedID+Bokbot/29344},
  urldate      = {2022-12-19},
  language     = {English},
}
Google ads lead to fake software pages pushing IcedID (Bokbot) IcedID |
@online{ogino:20221205:threat:b2ffad4,
  author       = {Kotaro Ogino and Ralph Villanueva and Robin Plumer},
  title        = {{Threat Analysis: MSI - Masquerading as a Software Installer}},
  organization = {Cybereason},
  date         = {2022-12-05},
  url          = {https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer},
  urldate      = {2022-12-05},
  language     = {English},
}
Threat Analysis: MSI - Masquerading as a Software Installer Magniber Matanbuchus QakBot |
@online{httenhain:20221202:refinery:ee32690,
  author       = {Jesko Hüttenhain},
  title        = {{The Refinery Files 0x06: Qakbot Decoder}},
  organization = {Github (binref)},
  date         = {2022-12-02},
  url          = {https://github.com/binref/refinery/blob/master/tutorials/tbr-files.v0x06.Qakbot.Decoder.ipynb},
  urldate      = {2022-12-02},
  language     = {English},
}
The Refinery Files 0x06: Qakbot Decoder QakBot |
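@online{team:20221201:from:4ac8d82,
  author       = {{Splunk Threat Research Team}},
  title        = {{From Macros to No Macros: Continuous Malware Improvements by QakBot}},
  organization = {splunk},
  date         = {2022-12-01},
  url          = {https://www.splunk.com/en_us/blog/security/from-macros-to-no-macros-continuous-malware-improvements-by-qakbot.html},
  urldate      = {2022-12-05},
  language     = {English},
}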
From Macros to No Macros: Continuous Malware Improvements by QakBot QakBot |
@online{small:20221130:identifying:ed7c4b3,
  author       = {Scott Small},
  title        = {{Identifying and Defending Against QakBot's Evolving TTPs}},
  organization = {Tidal Cyber Inc.},
  date         = {2022-11-30},
  url          = {https://www.tidalcyber.com/blog/identifying-and-defending-against-qakbots-evolving-ttps},
  urldate      = {2022-12-02},
  language     = {English},
}
Identifying and Defending Against QakBot's Evolving TTPs QakBot |
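@online{report:20221128:emotet:53a5fed,
  author       = {{The DFIR Report}},
  title        = {{Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware}},
  organization = {The DFIR Report},
  date         = {2022-11-28},
  url          = {https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/},
  urldate      = {2022-11-28},
  language     = {English},
}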
Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware Emotet Mount Locker |
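@online{team:20221123:threat:17093cc,
  author       = {{Cybereason Global SOC Team}},
  title        = {{THREAT ALERT: Aggressive Qakbot Campaign and the Black Basta Ransomware Group Targeting U.S. Companies}},
  organization = {Cybereason},
  date         = {2022-11-23},
  url          = {https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies},
  urldate      = {2022-11-25},
  language     = {English},
}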
THREAT ALERT: Aggressive Qakbot Campaign and the Black Basta Ransomware Group Targeting U.S. Companies Black Basta QakBot |
@online{roccia:20221121:xray:da154d3,
  author       = {Thomas Roccia},
  title        = {{X-Ray of Malware Evasion Techniques - Analysis, Dissection, Cure?}},
  organization = {BSides Sydney},
  date         = {2022-11-21},
  url          = {https://speakerdeck.com/fr0gger/x-ray-of-malware-evasion-techniques-analysis-dissection-cure},
  urldate      = {2022-12-29},
  language     = {English},
}
X-Ray of Malware Evasion Techniques - Analysis, Dissection, Cure? Emotet |
2022-11-16 ⋅ Proofpoint ⋅ Pim Trouerbach, Axel F @online{trouerbach:20221116:comprehensive:8278b4e,
author = {Pim Trouerbach and Axel F},
title = {{A Comprehensive Look at Emotet Virus’ Fall 2022 Return}},
date = {2022-11-16},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-fall-2022-return},
language = {English},
urldate = {2022-12-29}
}
A Comprehensive Look at Emotet Virus’ Fall 2022 Return BumbleBee Emotet IcedID |
2022-11-14 ⋅ Twitter (@embee_research) ⋅ Matthew @online{matthew:20221114:twitter:9b57525,
author = {Matthew},
title = {{Twitter thread on Yara Signatures for Qakbot Encryption Routines}},
date = {2022-11-14},
organization = {Twitter (@embee_research)},
url = {https://twitter.com/embee_research/status/1592067841154756610?s=20},
language = {English},
urldate = {2022-11-18}
}
Twitter thread on Yara Signatures for Qakbot Encryption Routines IcedID QakBot |
2022-11-10 ⋅ Intezer ⋅ Nicole Fishbein @online{fishbein:20221110:how:6b334be,
author = {Nicole Fishbein},
title = {{How LNK Files Are Abused by Threat Actors}},
date = {2022-11-10},
organization = {Intezer},
url = {https://www.intezer.com/blog/malware-analysis/how-threat-actors-abuse-lnk-files/},
language = {English},
urldate = {2022-11-11}
}
How LNK Files Are Abused by Threat Actors BumbleBee Emotet Mount Locker QakBot |
2022-11-03 ⋅ SentinelOne ⋅ SentinelLabs @online{sentinellabs:20221103:black:0be02f3,
author = {SentinelLabs},
title = {{Black Basta Ransomware | Attacks deploy Custom EDR Evasion Tools tied to FIN7 Threat Actor}},
date = {2022-11-03},
organization = {SentinelOne},
url = {https://assets.sentinelone.com/sentinellabs22/sentinellabs-blackbasta},
language = {English},
urldate = {2022-11-03}
}
Black Basta Ransomware | Attacks deploy Custom EDR Evasion Tools tied to FIN7 Threat Actor Black Basta QakBot SocksBot |
2022-10-31 ⋅ Security homework ⋅ Christophe Rieunier @online{rieunier:20221031:qakbot:e82f924,
author = {Christophe Rieunier},
title = {{QakBot CCs prioritization and new record types}},
date = {2022-10-31},
organization = {Security homework},
url = {https://www.securityhomework.net/articles/qakbot_ccs_prioritization_and_new_record_types/qakbot_ccs_prioritization_and_new_record_types.php},
language = {English},
urldate = {2022-10-31}
}
QakBot CCs prioritization and new record types QakBot |
2022-10-31 ⋅ Cynet ⋅ Max Malyutin @online{malyutin:20221031:orion:49e3b5c,
author = {Max Malyutin},
title = {{Orion Threat Alert: Qakbot TTPs Arsenal and the Black Basta Ransomware}},
date = {2022-10-31},
organization = {Cynet},
url = {https://www.cynet.com/blog/orion-threat-alert-qakbot-ttps-arsenal-and-the-black-basta-ransomware/},
language = {English},
urldate = {2022-11-15}
}
Orion Threat Alert: Qakbot TTPs Arsenal and the Black Basta Ransomware Black Basta Cobalt Strike QakBot |
2022-10-31 ⋅ Elastic ⋅ Seth Goodwin, Derek Ditch, Daniel Stepanic, Andrew Pease @online{goodwin:20221031:icedids:df089be,
author = {Seth Goodwin and Derek Ditch and Daniel Stepanic and Andrew Pease},
title = {{ICEDIDs network infrastructure is alive and well}},
date = {2022-10-31},
organization = {Elastic},
url = {https://www.elastic.co/security-labs/icedids-network-infrastructure-is-alive-and-well},
language = {English},
urldate = {2022-11-02}
}
ICEDIDs network infrastructure is alive and well IcedID |
2022-10-28 ⋅ Elastic ⋅ @rsprooten, Elastic Security Intelligence & Analytics Team @online{rsprooten:20221028:emotet:ffabd03,
author = {@rsprooten and Elastic Security Intelligence & Analytics Team},
title = {{EMOTET dynamic config extraction}},
date = {2022-10-28},
organization = {Elastic},
url = {https://www.elastic.co/security-labs/emotet-dynamic-configuration-extraction},
language = {English},
urldate = {2022-10-30}
}
EMOTET dynamic config extraction Emotet |
2022-10-24 ⋅ Medium CSIS Techblog ⋅ Benoît Ancel @online{ancel:20221024:chapter:c870465,
author = {Benoît Ancel},
title = {{Chapter 1 — From Gozi to ISFB: The history of a mythical malware family.}},
date = {2022-10-24},
organization = {Medium CSIS Techblog},
url = {https://medium.com/csis-techblog/chapter-1-from-gozi-to-isfb-the-history-of-a-mythical-malware-family-82e592577fef},
language = {English},
urldate = {2023-05-02}
}
Chapter 1 — From Gozi to ISFB: The history of a mythical malware family. Gozi ISFB Snifula |
2022-10-13 ⋅ Syrion ⋅ Raffaele Sabato @online{sabato:20221013:qakbot:f971585,
author = {Raffaele Sabato},
title = {{QAKBOT BB Configuration and C2 IPs List}},
date = {2022-10-13},
organization = {Syrion},
url = {https://syrion.me/malware/qakbot-bb-extractor/},
language = {English},
urldate = {2022-10-24}
}
QAKBOT BB Configuration and C2 IPs List QakBot |
2022-10-13 ⋅ Spamhaus ⋅ Spamhaus Malware Labs @techreport{labs:20221013:spamhaus:43e3190,
author = {Spamhaus Malware Labs},
title = {{Spamhaus Botnet Threat Update Q3 2022}},
date = {2022-10-13},
institution = {Spamhaus},
url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf},
language = {English},
urldate = {2022-12-29}
}
Spamhaus Botnet Threat Update Q3 2022 FluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars Tofsee Vjw0rm |
2022-10-12 ⋅ Trend Micro ⋅ Ian Kenefick, Lucas Silva, Nicole Hernandez @online{kenefick:20221012:black:17505c9,
author = {Ian Kenefick and Lucas Silva and Nicole Hernandez},
title = {{Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike}},
date = {2022-10-12},
organization = {Trend Micro},
url = {https://www.trendmicro.com/de_de/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html},
language = {English},
urldate = {2023-05-23}
}
Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike Black Basta Brute Ratel C4 Cobalt Strike QakBot |
2022-10-12 ⋅ Netresec ⋅ Erik Hjelmvik @online{hjelmvik:20221012:icedid:ac8a79c,
author = {Erik Hjelmvik},
title = {{IcedID BackConnect Protocol}},
date = {2022-10-12},
organization = {Netresec},
url = {https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol},
language = {English},
urldate = {2023-02-16}
}
IcedID BackConnect Protocol IcedID |
2022-10-07 ⋅ Team Cymru ⋅ S2 Research Team @online{team:20221007:visualizza:0ed3fe8,
author = {S2 Research Team},
title = {{A Visualizza into Recent IcedID Campaigns: Reconstructing Threat Actor Metrics with Pure Signal™ Recon}},
date = {2022-10-07},
organization = {Team Cymru},
url = {https://www.team-cymru.com/post/a-visualizza-into-recent-icedid-campaigns},
language = {English},
urldate = {2022-10-10}
}
A Visualizza into Recent IcedID Campaigns: Reconstructing Threat Actor Metrics with Pure Signal™ Recon IcedID PhotoLoader |
2022-10-03 ⋅ vmware ⋅ Threat Analysis Unit @techreport{unit:20221003:emotet:94323dc,
author = {Threat Analysis Unit},
title = {{Emotet Exposed: A Look Inside the Cybercriminal Supply Chain}},
date = {2022-10-03},
institution = {vmware},
url = {https://www.vmware.com/content/dam/learn/en/amer/fy23/pdf/1669005_Emotet_Exposed_A_Look_Inside_the_Cybercriminal_Supply_Chain.pdf},
language = {English},
urldate = {2022-10-24}
}
Emotet Exposed: A Look Inside the Cybercriminal Supply Chain Emotet |
2022-09-13 ⋅ AdvIntel ⋅ Advanced Intelligence @online{intelligence:20220913:advintels:ea02331,
author = {Advanced Intelligence},
title = {{AdvIntel's State of Emotet aka "SpmTools" Displays Over Million Compromised Machines Through 2022}},
date = {2022-09-13},
organization = {AdvIntel},
url = {https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022},
language = {English},
urldate = {2022-09-19}
}
AdvIntel's State of Emotet aka "SpmTools" Displays Over Million Compromised Machines Through 2022 Conti Cobalt Strike Emotet Ryuk TrickBot |
2022-09-12 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20220912:dead:a6b31c3,
author = {The DFIR Report},
title = {{Dead or Alive? An Emotet Story}},
date = {2022-09-12},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/},
language = {English},
urldate = {2022-09-12}
}
Dead or Alive? An Emotet Story Cobalt Strike Emotet |
2022-09-07 ⋅ Google ⋅ Pierre-Marc Bureau, Google Threat Analysis Group @online{bureau:20220907:initial:d1975b3,
author = {Pierre-Marc Bureau and Google Threat Analysis Group},
title = {{Initial access broker repurposing techniques in targeted attacks against Ukraine}},
date = {2022-09-07},
organization = {Google},
url = {https://blog.google/threat-analysis-group/initial-access-broker-repurposing-techniques-in-targeted-attacks-against-ukraine/},
language = {English},
urldate = {2022-09-13}
}
Initial access broker repurposing techniques in targeted attacks against Ukraine AnchorMail Cobalt Strike IcedID |
2022-09-06 ⋅ Zscaler ⋅ Brett Stone-Gross @online{stonegross:20220906:ares:e7ddb5d,
author = {Brett Stone-Gross},
title = {{The Ares Banking Trojan Learns Old Tricks: Adds the Defunct Qakbot DGA}},
date = {2022-09-06},
organization = {Zscaler},
url = {https://www.zscaler.com/blogs/security-research/ares-banking-trojan-learns-old-tricks-adds-defunct-qakbot-dga},
language = {English},
urldate = {2022-09-07}
}
The Ares Banking Trojan Learns Old Tricks: Adds the Defunct Qakbot DGA Ares QakBot |
2022-09-01 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara @online{koczwara:20220901:hunting:45c54de,
author = {Michael Koczwara},
title = {{Hunting C2/Adversaries Infrastructure with Shodan and Censys}},
date = {2022-09-01},
organization = {Medium michaelkoczwara},
url = {https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f},
language = {English},
urldate = {2023-01-19}
}
Hunting C2/Adversaries Infrastructure with Shodan and Censys Brute Ratel C4 Cobalt Strike Deimos GRUNT IcedID Merlin Meterpreter Nighthawk PoshC2 Sliver |
2022-09-01 ⋅ Trend Micro ⋅ Trend Micro @online{micro:20220901:ransomware:8eda6e4,
author = {Trend Micro},
title = {{Ransomware Spotlight Black Basta}},
date = {2022-09-01},
organization = {Trend Micro},
url = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta},
language = {English},
urldate = {2022-09-19}
}
Ransomware Spotlight Black Basta Black Basta Cobalt Strike MimiKatz QakBot |
2022-08-25 ⋅ Palo Alto Networks Unit 42 ⋅ Amer Elsad @online{elsad:20220825:threat:b3514ed,
author = {Amer Elsad},
title = {{Threat Assessment: Black Basta Ransomware}},
date = {2022-08-25},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/},
language = {English},
urldate = {2022-10-05}
}
Threat Assessment: Black Basta Ransomware Black Basta QakBot |
2022-08-24 ⋅ Trellix ⋅ Adithya Chandra, Sushant Kumar Arya @online{chandra:20220824:demystifying:77609b2,
author = {Adithya Chandra and Sushant Kumar Arya},
title = {{Demystifying Qbot Malware}},
date = {2022-08-24},
organization = {Trellix},
url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/demystifying-qbot-malware.html},
language = {English},
urldate = {2022-08-28}
}
Demystifying Qbot Malware QakBot |
2022-08-24 ⋅ Elastic ⋅ Cyril François @online{franois:20220824:qbot:152ef8d,
author = {Cyril François},
title = {{QBOT Malware Analysis}},
date = {2022-08-24},
organization = {Elastic},
url = {https://www.elastic.co/security-labs/qbot-malware-analysis},
language = {English},
urldate = {2022-08-30}
}
QBOT Malware Analysis QakBot |
2022-08-23 ⋅ Darktrace ⋅ Eugene Chua, Paul Jennings, Hanah Darley @online{chua:20220823:emotet:8e4522c,
author = {Eugene Chua and Paul Jennings and Hanah Darley},
title = {{Emotet Resurgence: Cross-Industry Campaign Analysis}},
date = {2022-08-23},
organization = {Darktrace},
url = {https://de.darktrace.com/blog/emotet-resurgence-cross-industry-campaign-analysis},
language = {English},
urldate = {2022-08-30}
}
Emotet Resurgence: Cross-Industry Campaign Analysis Emotet |
2022-08-19 ⋅ vmware ⋅ Oleg Boyarchuk, Stefano Ortolani @online{boyarchuk:20220819:how:a43d0e2,
author = {Oleg Boyarchuk and Stefano Ortolani},
title = {{How to Replicate Emotet Lateral Movement}},
date = {2022-08-19},
organization = {vmware},
url = {https://blogs.vmware.com/security/2022/08/how-to-replicate-emotet-lateral-movement.html},
language = {English},
urldate = {2022-08-31}
}
How to Replicate Emotet Lateral Movement Emotet |
2022-08-12 ⋅ SANS ISC ⋅ Brad Duncan @online{duncan:20220812:monster:cbf3101,
author = {Brad Duncan},
title = {{Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike}},
date = {2022-08-12},
organization = {SANS ISC},
url = {https://isc.sans.edu/diary/rss/28934},
language = {English},
urldate = {2022-08-15}
}
Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike Cobalt Strike DarkVNC IcedID |
2022-08-10 ⋅ BitSight ⋅ João Batista @online{batista:20220810:emotet:2248a42,
author = {João Batista},
title = {{Emotet SMB Spreader is Back}},
date = {2022-08-10},
organization = {BitSight},
url = {https://www.bitsight.com/blog/emotet-smb-spreader-back},
language = {English},
urldate = {2022-08-11}
}
Emotet SMB Spreader is Back Emotet |
2022-08-08 ⋅ Medium CSIS Techblog ⋅ Benoît Ancel @online{ancel:20220808:inside:67ef9a0,
author = {Benoît Ancel},
title = {{An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure}},
date = {2022-08-08},
organization = {Medium CSIS Techblog},
url = {https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145},
language = {English},
urldate = {2022-08-28}
}
An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader |
2022-08-04 ⋅ Medium walmartglobaltech ⋅ Joshua Platt, Jason Reaves @online{platt:20220804:icedid:546c931,
author = {Joshua Platt and Jason Reaves},
title = {{IcedID leverages PrivateLoader}},
date = {2022-08-04},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/icedid-leverages-privateloader-7744771bf87f},
language = {English},
urldate = {2022-08-11}
}
IcedID leverages PrivateLoader IcedID PrivateLoader |
2022-07-27 ⋅ Elastic ⋅ Cyril François, Derek Ditch @online{franois:20220727:qbot:82146d1,
author = {Cyril François and Derek Ditch},
title = {{QBOT Configuration Extractor}},
date = {2022-07-27},
organization = {Elastic},
url = {https://www.elastic.co/security-labs/qbot-configuration-extractor},
language = {English},
urldate = {2022-08-05}
}
QBOT Configuration Extractor QakBot |
2022-07-27 ⋅ SANS ISC ⋅ Brad Duncan @online{duncan:20220727:icedid:839e33a,
author = {Brad Duncan},
title = {{IcedID (Bokbot) with Dark VNC and Cobalt Strike}},
date = {2022-07-27},
organization = {SANS ISC},
url = {https://isc.sans.edu/diary/IcedID+%28Bokbot%29+with+Dark+VNC+and+Cobalt+Strike/28884},
language = {English},
urldate = {2022-07-28}
}
IcedID (Bokbot) with Dark VNC and Cobalt Strike DarkVNC IcedID |
2022-07-27 ⋅ cyble ⋅ Cyble Research Labs @online{labs:20220727:targeted:aa69498,
author = {Cyble Research Labs},
title = {{Targeted Attacks Being Carried Out Via DLL SideLoading}},
date = {2022-07-27},
organization = {cyble},
url = {https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/},
language = {English},
urldate = {2022-08-15}
}
Targeted Attacks Being Carried Out Via DLL SideLoading Cobalt Strike QakBot |
2022-07-27 ⋅ Elastic ⋅ Cyril François, Andrew Pease, Seth Goodwin @online{franois:20220727:exploring:67dc644,
author = {Cyril François and Andrew Pease and Seth Goodwin},
title = {{Exploring the QBOT Attack Pattern}},
date = {2022-07-27},
organization = {Elastic},
url = {https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern},
language = {English},
urldate = {2022-08-05}
}
Exploring the QBOT Attack Pattern QakBot |
2022-07-24 ⋅ Bleeping Computer ⋅ Bill Toulas @online{toulas:20220724:qbot:f6c03d9,
author = {Bill Toulas},
title = {{QBot phishing uses Windows Calculator sideloading to infect devices}},
date = {2022-07-24},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/qbot-phishing-uses-windows-calculator-sideloading-to-infect-devices/},
language = {English},
urldate = {2022-07-29}
}
QBot phishing uses Windows Calculator sideloading to infect devices QakBot |
2022-07-19 ⋅ Fortinet ⋅ Xiaopeng Zhang @online{zhang:20220719:new:a3b1085,
author = {Xiaopeng Zhang},
title = {{New Variant of QakBot Being Spread by HTML File Attached to Phishing Emails}},
date = {2022-07-19},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/new-variant-of-qakbot-spread-by-phishing-emails},
language = {English},
urldate = {2022-07-25}
}
New Variant of QakBot Being Spread by HTML File Attached to Phishing Emails QakBot |
2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42 @online{42:20220718:monster:1aaba4e,
author = {Unit 42},
title = {{Monster Libra}},
date = {2022-07-18},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/atoms/monsterlibra/},
language = {English},
urldate = {2022-07-29}
}
Monster Libra Valak IcedID GOLD CABIN |
2022-07-17 ⋅ Resecurity ⋅ Resecurity @online{resecurity:20220717:shortcutbased:6cd77fb,
author = {Resecurity},
title = {{Shortcut-Based (LNK) Attacks Delivering Malicious Code On The Rise}},
date = {2022-07-17},
organization = {Resecurity},
url = {https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise},
language = {English},
urldate = {2022-07-28}
}
Shortcut-Based (LNK) Attacks Delivering Malicious Code On The Rise AsyncRAT BumbleBee Emotet IcedID QakBot |
2022-07-12 ⋅ Zscaler ⋅ Tarun Dewan, Aditya Sharma @online{dewan:20220712:rise:1cc657e,
author = {Tarun Dewan and Aditya Sharma},
title = {{Rise in Qakbot attacks traced to evolving threat techniques}},
date = {2022-07-12},
organization = {Zscaler},
url = {https://www.zscaler.com/blogs/security-research/rise-qakbot-attacks-traced-evolving-threat-techniques},
language = {English},
urldate = {2022-07-14}
}
Rise in Qakbot attacks traced to evolving threat techniques QakBot |
2022-07-12 ⋅ Cyren ⋅ Kervin Alintanahin @online{alintanahin:20220712:example:ae62e81,
author = {Kervin Alintanahin},
title = {{Example Analysis of Multi-Component Malware}},
date = {2022-07-12},
organization = {Cyren},
url = {https://www.cyren.com/blog/articles/example-analysis-of-multi-component-malware},
language = {English},
urldate = {2022-07-18}
}
Example Analysis of Multi-Component Malware Emotet Formbook |
2022-07-07 ⋅ Fortinet ⋅ Erin Lin @online{lin:20220707:notable:71d2df3,
author = {Erin Lin},
title = {{Notable Droppers Emerge in Recent Threat Campaigns}},
date = {2022-07-07},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns},
language = {English},
urldate = {2022-07-15}
}
Notable Droppers Emerge in Recent Threat Campaigns BumbleBee Emotet PhotoLoader QakBot |
2022-07-07 ⋅ SANS ISC ⋅ Brad Duncan @online{duncan:20220707:emotet:3732ca7,
author = {Brad Duncan},
title = {{Emotet infection with Cobalt Strike}},
date = {2022-07-07},
organization = {SANS ISC},
url = {https://isc.sans.edu/forums/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824/},
language = {English},
urldate = {2022-07-12}
}
Emotet infection with Cobalt Strike Cobalt Strike Emotet |
2022-07-07 ⋅ IBM ⋅ Ole Villadsen, Charlotte Hammond, Kat Weinberger @online{villadsen:20220707:unprecedented:d0a6add,
author = {Ole Villadsen and Charlotte Hammond and Kat Weinberger},
title = {{Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine}},
date = {2022-07-07},
organization = {IBM},
url = {https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine},
language = {English},
urldate = {2022-07-12}
}
Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine AnchorMail BumbleBee Cobalt Strike IcedID Meterpreter |
2022-07-05 ⋅ Soc Investigation ⋅ Priyadharshini Balaji @online{balaji:20220705:qbot:75c3b14,
author = {Priyadharshini Balaji},
title = {{QBot Spreads via LNK Files – Detection & Response}},
date = {2022-07-05},
organization = {Soc Investigation},
url = {https://www.socinvestigation.com/qbot-spreads-via-lnk-files-detection-response/},
language = {English},
urldate = {2022-07-13}
}
QBot Spreads via LNK Files – Detection & Response QakBot |
2022-06-30 ⋅ Trend Micro ⋅ Kenneth Adrian Apostol, Paolo Ronniel Labrador, Mirah Manlapig, James Panlilio, Emmanuel Panopio, John Kenneth Reyes, Melvin Singwa @online{apostol:20220630:black:7464953,
author = {Kenneth Adrian Apostol and Paolo Ronniel Labrador and Mirah Manlapig and James Panlilio and Emmanuel Panopio and John Kenneth Reyes and Melvin Singwa},
title = {{Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit}},
date = {2022-06-30},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html},
language = {English},
urldate = {2022-07-05}
}
Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit Black Basta Cobalt Strike QakBot |
2022-06-27 ⋅ Netskope ⋅ Gustavo Palazolo @online{palazolo:20220627:emotet:e01f0fb,
author = {Gustavo Palazolo},
title = {{Emotet: Still Abusing Microsoft Office Macros}},
date = {2022-06-27},
organization = {Netskope},
url = {https://www.netskope.com/blog/emotet-still-abusing-microsoft-office-macros},
language = {English},
urldate = {2022-06-30}
}
Emotet: Still Abusing Microsoft Office Macros Emotet |
2022-06-24 ⋅ Soc Investigation ⋅ BalaGanesh @online{balaganesh:20220624:icedid:2bb9d0d,
author = {BalaGanesh},
title = {{IcedID Banking Trojan returns with new TTPS – Detection & Response}},
date = {2022-06-24},
organization = {Soc Investigation},
url = {https://www.socinvestigation.com/icedid-banking-trojan-returns-with-new-ttps-detection-response/},
language = {English},
urldate = {2022-06-27}
}
IcedID Banking Trojan returns with new TTPS – Detection & Response IcedID |
2022-06-24 ⋅ Group-IB ⋅ Albert Priego @online{priego:20220624:we:0ed77e2,
author = {Albert Priego},
title = {{We see you, Gozi Hunting the latest TTPs used for delivering the Trojan}},
date = {2022-06-24},
organization = {Group-IB},
url = {https://blog.group-ib.com/gozi-latest-ttps},
language = {English},
urldate = {2022-08-17}
}
We see you, Gozi Hunting the latest TTPs used for delivering the Trojan ISFB |
2022-06-21 ⋅ McAfee ⋅ Lakshya Mathur @online{mathur:20220621:rise:71e04f0,
author = {Lakshya Mathur},
title = {{Rise of LNK (Shortcut files) Malware}},
date = {2022-06-21},
organization = {McAfee},
url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/},
language = {English},
urldate = {2022-07-05}
}
Rise of LNK (Shortcut files) Malware BazarBackdoor Emotet IcedID QakBot |
2022-06-17 ⋅ Github (NtQuerySystemInformation) ⋅ Twitter (@kasua02) @techreport{kasua02:20220617:reverse:b218c67,
author = {Twitter (@kasua02)},
title = {{A reverse engineer primer on Qakbot Dll Stager: From initial execution to multithreading.}},
date = {2022-06-17},
institution = {Github (NtQuerySystemInformation)},
url = {https://raw.githubusercontent.com/NtQuerySystemInformation/Malware-RE-papers/main/Qakbot%20report.pdf},
language = {English},
urldate = {2022-07-01}
}
A reverse engineer primer on Qakbot Dll Stager: From initial execution to multithreading. QakBot |
2022-06-16 ⋅ ESET Research ⋅ Rene Holt @online{holt:20220616:how:d3225fc,
author = {Rene Holt},
title = {{How Emotet is changing tactics in response to Microsoft’s tightening of Office macro security}},
date = {2022-06-16},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2022/06/16/how-emotet-is-changing-tactics-microsoft-tightening-office-macro-security/},
language = {English},
urldate = {2022-06-17}
}
How Emotet is changing tactics in response to Microsoft’s tightening of Office macro security Emotet |
2022-06-09 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan @online{duncan:20220609:ta570:a51c1eb,
author = {Brad Duncan},
title = {{TA570 Qakbot (Qbot) tries CVE-2022-30190 (Follina) exploit (ms-msdt)}},
date = {2022-06-09},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/rss/28728},
language = {English},
urldate = {2022-06-09}
}
TA570 Qakbot (Qbot) tries CVE-2022-30190 (Follina) exploit (ms-msdt) QakBot |
2022-06-07 ⋅ McAfee ⋅ Jyothi Naveen, Kiran Raj @online{naveen:20220607:phishing:704f5f7,
author = {Jyothi Naveen and Kiran Raj},
title = {{Phishing Campaigns featuring Ursnif Trojan on the Rise}},
date = {2022-06-07},
organization = {McAfee},
url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/phishing-campaigns-featuring-ursnif-trojan/},
language = {English},
urldate = {2022-06-15}
}
Phishing Campaigns featuring Ursnif Trojan on the Rise ISFB |
2022-06-02 ⋅ Mandiant ⋅ Mandiant @online{mandiant:20220602:trending:0bcdbc4,
author = {Mandiant},
title = {{TRENDING EVIL Q2 2022}},
date = {2022-06-02},
organization = {Mandiant},
url = {https://experience.mandiant.com/trending-evil-2/p/1},
language = {English},
urldate = {2022-06-07}
}
TRENDING EVIL Q2 2022 CloudEyE Cobalt Strike CryptBot Emotet IsaacWiper QakBot |
2022-05-30 ⋅ Matthieu Walter @online{walter:20220530:automatically:a02278f,
author = {Matthieu Walter},
title = {{Automatically Unpacking IcedID Stage 1 with Angr}},
date = {2022-05-30},
url = {https://matth.dmz42.org/posts/2022/automatically-unpacking-icedid-stage1-with-angr/},
language = {English},
urldate = {2022-05-31}
}
Automatically Unpacking IcedID Stage 1 with Angr IcedID |
2022-05-27 ⋅ Kroll ⋅ Cole Manaster, George Glass, Elio Biasiotto @online{manaster:20220527:emotet:77000c1,
author = {Cole Manaster and George Glass and Elio Biasiotto},
title = {{Emotet Analysis: New LNKs in the Infection Chain – The Monitor, Issue 20}},
date = {2022-05-27},
organization = {Kroll},
url = {https://www.kroll.com/en/insights/publications/cyber/monitor/emotet-analysis-new-lnk-in-the-infection-chain},
language = {English},
urldate = {2022-05-31}
}
Emotet Analysis: New LNKs in the Infection Chain – The Monitor, Issue 20 Emotet |
2022-05-25 ⋅ vmware ⋅ Oleg Boyarchuk, Stefano Ortolani @online{boyarchuk:20220525:emotet:ada82ac,
author = {Oleg Boyarchuk and Stefano Ortolani},
title = {{Emotet Config Redux}},
date = {2022-05-25},
organization = {vmware},
url = {https://blogs.vmware.com/security/2022/05/emotet-config-redux.html},
language = {English},
urldate = {2022-05-29}
}
Emotet Config Redux Emotet |
2022-05-24 ⋅ Deep instinct ⋅ Bar Block @online{block:20220524:blame:9f45829,
author = {Bar Block},
title = {{Blame the Messenger: 4 Types of Dropper Malware in Microsoft Office & How to Detect Them}},
date = {2022-05-24},
organization = {Deep instinct},
url = {https://www.deepinstinct.com/blog/types-of-dropper-malware-in-microsoft-office},
language = {English},
urldate = {2022-05-29}
}
Blame the Messenger: 4 Types of Dropper Malware in Microsoft Office & How to Detect Them Dridex Emotet |
2022-05-24 ⋅ BitSight ⋅ João Batista, Pedro Umbelino, BitSight @online{batista:20220524:emotet:cae57f1,
author = {João Batista and Pedro Umbelino and BitSight},
title = {{Emotet Botnet Rises Again}},
date = {2022-05-24},
organization = {BitSight},
url = {https://www.bitsight.com/blog/emotet-botnet-rises-again},
language = {English},
urldate = {2022-05-25}
}
Emotet Botnet Rises Again Cobalt Strike Emotet QakBot SystemBC |
2022-05-19 ⋅ Trend Micro ⋅ Adolph Christian Silverio, Jeric Miguel Abordo, Khristian Joseph Morales, Maria Emreen Viray @online{silverio:20220519:bruised:f5c6775,
author = {Adolph Christian Silverio and Jeric Miguel Abordo and Khristian Joseph Morales and Maria Emreen Viray},
title = {{Bruised but Not Broken: The Resurgence of the Emotet Botnet Malware}},
date = {2022-05-19},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/22/e/bruised-but-not-broken--the-resurgence-of-the-emotet-botnet-malw.html},
language = {English},
urldate = {2022-05-25}
}
Bruised but Not Broken: The Resurgence of the Emotet Botnet Malware Emotet QakBot |
2022-05-19 ⋅ IBM ⋅ Charlotte Hammond, Ole Villadsen, Golo Mühr @online{hammond:20220519:itg23:eab10e2,
author = {Charlotte Hammond and Ole Villadsen and Golo Mühr},
title = {{ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups}},
date = {2022-05-19},
organization = {IBM},
url = {https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/},
language = {English},
urldate = {2022-05-25}
}
ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups IcedID ISFB Mount Locker |
2022-05-17 ⋅ Trend Micro ⋅ Trend Micro Research @online{research:20220517:ransomware:7b86339,
author = {Trend Micro Research},
title = {{Ransomware Spotlight: RansomEXX}},
date = {2022-05-17},
organization = {Trend Micro},
url = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx},
language = {English},
urldate = {2022-05-25}
}
Ransomware Spotlight: RansomEXX LaZagne Cobalt Strike IcedID MimiKatz PyXie RansomEXX TrickBot |
2022-05-17 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan @online{duncan:20220517:emotet:5f61714,
author = {Brad Duncan},
title = {{Emotet Summary: November 2021 Through January 2022}},
date = {2022-05-17},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/emotet-malware-summary-epoch-4-5/},
language = {English},
urldate = {2022-05-29}
}
Emotet Summary: November 2021 Through January 2022 Emotet |
2022-05-16 ⋅ vmware ⋅ Oleg Boyarchuk, Stefano Ortolani, Jason Zhang, Threat Analysis Unit @online{boyarchuk:20220516:emotet:6392ff3,
author = {Oleg Boyarchuk and Stefano Ortolani and Jason Zhang and Threat Analysis Unit},
title = {{Emotet Moves to 64 bit and Updates its Loader}},
date = {2022-05-16},
organization = {vmware},
url = {https://blogs.vmware.com/security/2022/05/emotet-moves-to-64-bit-and-updates-its-loader.html},
language = {English},
urldate = {2022-05-17}
}
Emotet Moves to 64 bit and Updates its Loader Emotet |
2022-05-12 ⋅ Intel 471 ⋅ Intel 471 @online{471:20220512:what:05369d4,
author = {Intel 471},
title = {{What malware to look for if you want to prevent a ransomware attack}},
date = {2022-05-12},
organization = {Intel 471},
url = {https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike},
language = {English},
urldate = {2022-05-13}
}
What malware to look for if you want to prevent a ransomware attack Conti BumbleBee Cobalt Strike IcedID Sliver |
2022-05-11 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan @online{duncan:20220511:ta578:0a0a686,
author = {Brad Duncan},
title = {{TA578 using thread-hijacked emails to push ISO files for Bumblebee malware}},
date = {2022-05-11},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/28636},
language = {English},
urldate = {2022-05-11}
}
TA578 using thread-hijacked emails to push ISO files for Bumblebee malware BumbleBee Cobalt Strike IcedID PhotoLoader |
2022-05-11 ⋅ IronNet ⋅ Blake Cahen, IronNet Threat Research @online{cahen:20220511:detecting:c61fd63,
author = {Blake Cahen and IronNet Threat Research},
title = {{Detecting a MUMMY SPIDER campaign and Emotet infection}},
date = {2022-05-11},
organization = {IronNet},
url = {https://www.ironnet.com/blog/detecting-a-mummyspider-campaign-and-emotet-infection},
language = {English},
urldate = {2022-05-17}
}
Detecting a MUMMY SPIDER campaign and Emotet infection Emotet |
2022-05-11 ⋅ HP ⋅ HP Wolf Security @techreport{security:20220511:threat:bd460f0,
author = {HP Wolf Security},
title = {{Threat Insights Report Q1 - 2022}},
date = {2022-05-11},
institution = {HP},
url = {https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf},
language = {English},
urldate = {2022-05-13}
}
Threat Insights Report Q1 - 2022 AsyncRAT Emotet Mekotio Vjw0rm |
2022-05-09 ⋅ Netresec ⋅ Erik Hjelmvik @online{hjelmvik:20220509:emotet:ce90938,
author = {Erik Hjelmvik},
title = {{Emotet C2 and Spam Traffic Video}},
date = {2022-05-09},
organization = {Netresec},
url = {https://www.netresec.com/?page=Blog&month=2022-05&post=Emotet-C2-and-Spam-Traffic-Video},
language = {English},
urldate = {2022-05-09}
}
Emotet C2 and Spam Traffic Video Emotet |
2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC) @online{team:20220509:ransomwareasaservice:13ec472,
author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)},
title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}},
date = {2022-05-09},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself},
language = {English},
urldate = {2022-05-17}
}
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT |
2022-05-09 ⋅ Cybereason ⋅ Lior Rochberger @online{rochberger:20220509:cybereason:9178f63,
author = {Lior Rochberger},
title = {{Cybereason vs. Quantum Locker Ransomware}},
date = {2022-05-09},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware},
language = {English},
urldate = {2022-05-11}
}
Cybereason vs. Quantum Locker Ransomware IcedID Mount Locker |
2022-05-08 ⋅ Qualys ⋅ Amit Gadhave @online{gadhave:20220508:ursnif:4e8605b,
author = {Amit Gadhave},
title = {{Ursnif Malware Banks on News Events for Phishing Attacks}},
date = {2022-05-08},
organization = {Qualys},
url = {https://blog.qualys.com/vulnerabilities-threat-research/2022/05/08/ursnif-malware-banks-on-news-events-for-phishing-attacks},
language = {English},
urldate = {2022-05-17}
}
Ursnif Malware Banks on News Events for Phishing Attacks ISFB |
2022-05-06 ⋅ Netskope ⋅ Gustavo Palazolo @online{palazolo:20220506:emotet:44a2595,
author = {Gustavo Palazolo},
title = {{Emotet: New Delivery Mechanism to Bypass VBA Protection}},
date = {2022-05-06},
organization = {Netskope},
url = {https://www.netskope.com/blog/emotet-new-delivery-mechanism-to-bypass-vba-protection},
language = {English},
urldate = {2022-05-09}
}
Emotet: New Delivery Mechanism to Bypass VBA Protection Emotet |
2022-05-04 ⋅ Twitter (@felixw3000) ⋅ Felix @online{felix:20220504:twitter:0fb7e35,
author = {Felix},
title = {{Twitter Thread with info on infection chain with IcedId, Cobalt Strike, and Hidden VNC.}},
date = {2022-05-04},
organization = {Twitter (@felixw3000)},
url = {https://twitter.com/felixw3000/status/1521816045769662468},
language = {English},
urldate = {2022-05-09}
}
Twitter Thread with info on infection chain with IcedId, Cobalt Strike, and Hidden VNC. Cobalt Strike IcedID PhotoLoader |
2022-05-04 ⋅ Sophos ⋅ Andreas Klopsch @online{klopsch:20220504:attacking:750e07f,
author = {Andreas Klopsch},
title = {{Attacking Emotet’s Control Flow Flattening}},
date = {2022-05-04},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2022/05/04/attacking-emotets-control-flow-flattening/},
language = {English},
urldate = {2022-05-05}
}
Attacking Emotet’s Control Flow Flattening Emotet |
2022-04-28 ⋅ Symantec ⋅ Karthikeyan C Kasiviswanathan, Vishal Kamble @online{kasiviswanathan:20220428:ransomware:95feafb,
author = {Karthikeyan C Kasiviswanathan and Vishal Kamble},
title = {{Ransomware: How Attackers are Breaching Corporate Networks}},
date = {2022-04-28},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker},
language = {English},
urldate = {2022-05-04}
}
Ransomware: How Attackers are Breaching Corporate Networks AvosLocker Conti Emotet Hive IcedID PhotoLoader QakBot TrickBot |
2022-04-27 ⋅ Cybleinc ⋅ Cyble @online{cyble:20220427:emotet:a8c919a,
author = {Cyble},
title = {{Emotet Returns With New TTPs And Delivers .Lnk Files To Its Victims}},
date = {2022-04-27},
organization = {Cybleinc},
url = {https://blog.cyble.com/2022/04/27/emotet-returns-with-new-ttps-and-delivers-lnk-files-to-its-victims/},
language = {English},
urldate = {2022-05-04}
}
Emotet Returns With New TTPs And Delivers .Lnk Files To Its Victims Emotet |
2022-04-26 ⋅ Proofpoint ⋅ Axel F @online{f:20220426:emotet:afb4f87,
author = {Axel F},
title = {{Emotet Tests New Delivery Techniques}},
date = {2022-04-26},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/blog/threat-insight/emotet-tests-new-delivery-techniques},
language = {English},
urldate = {2022-04-29}
}
Emotet Tests New Delivery Techniques Emotet |
2022-04-26 ⋅ Intel 471 ⋅ Intel 471 @online{471:20220426:conti:6bcff7d,
author = {Intel 471},
title = {{Conti and Emotet: A constantly destructive duo}},
date = {2022-04-26},
organization = {Intel 471},
url = {https://intel471.com/blog/conti-emotet-ransomware-conti-leaks},
language = {English},
urldate = {2022-04-29}
}
Conti and Emotet: A constantly destructive duo Cobalt Strike Conti Emotet IcedID QakBot TrickBot |
2022-04-26 ⋅ Bleeping Computer ⋅ Ionut Ilascu @online{ilascu:20220426:emotet:d0b6f50,
author = {Ionut Ilascu},
title = {{Emotet malware now installs via PowerShell in Windows shortcut files}},
date = {2022-04-26},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/emotet-malware-now-installs-via-powershell-in-windows-shortcut-files/},
language = {English},
urldate = {2022-04-29}
}
Emotet malware now installs via PowerShell in Windows shortcut files Emotet |
2022-04-25 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20220425:quantum:128d2b3,
author = {The DFIR Report},
title = {{Quantum Ransomware}},
date = {2022-04-25},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2022/04/25/quantum-ransomware/},
language = {English},
urldate = {2022-04-25}
}
Quantum Ransomware Cobalt Strike IcedID |
2022-04-24 ⋅ forensicitguy ⋅ Tony Lambert @online{lambert:20220424:shortcut:b1a00dd,
author = {Tony Lambert},
title = {{Shortcut to Emotet, an odd TTP change}},
date = {2022-04-24},
organization = {forensicitguy},
url = {https://forensicitguy.github.io/shortcut-to-emotet-ttp-change/},
language = {English},
urldate = {2022-04-25}
}
Shortcut to Emotet, an odd TTP change Emotet |
2022-04-20 ⋅ CISA ⋅ CISA, NSA, FBI, Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), Government Communications Security Bureau, NCSC UK, National Crime Agency (NCA) @techreport{cisa:20220420:aa22110a:4fde5d6,
author = {CISA and NSA and FBI and Australian Cyber Security Centre (ACSC) and Canadian Centre for Cyber Security (CCCS) and Government Communications Security Bureau and NCSC UK and National Crime Agency (NCA)},
title = {{AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}},
date = {2022-04-20},
institution = {CISA},
url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf},
language = {English},
urldate = {2022-04-25}
}
AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader |
2022-04-20 ⋅ SANS ISC ⋅ Brad Duncan @online{duncan:20220420:aa:eb304fb,
author = {Brad Duncan},
title = {{'aa' distribution Qakbot (Qbot) infection with DarkVNC traffic}},
date = {2022-04-20},
organization = {SANS ISC},
url = {https://isc.sans.edu/diary/rss/28568},
language = {English},
urldate = {2022-04-25}
}
'aa' distribution Qakbot (Qbot) infection with DarkVNC traffic QakBot |
2022-04-20 ⋅ cocomelonc ⋅ cocomelonc @online{cocomelonc:20220420:malware:b20963e,
author = {cocomelonc},
title = {{Malware development: persistence - part 1. Registry run keys. C++ example.}},
date = {2022-04-20},
organization = {cocomelonc},
url = {https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html},
language = {English},
urldate = {2022-12-01}
}
Malware development: persistence - part 1. Registry run keys. C++ example. Agent Tesla Amadey BlackEnergy Cobian RAT COZYDUKE Emotet Empire Downloader Kimsuky |
2022-04-20 ⋅ CISA ⋅ CISA @online{cisa:20220420:alert:529e28c,
author = {CISA},
title = {{Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}},
date = {2022-04-20},
organization = {CISA},
url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-110a},
language = {English},
urldate = {2022-04-25}
}
Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader Killnet |
2022-04-19 ⋅ Twitter (@Cryptolaemus1) ⋅ Cryptolaemus @online{cryptolaemus:20220419:emotet:c68608b,
author = {Cryptolaemus},
title = {{#Emotet Update: 64 bit upgrade of Epoch 5}},
date = {2022-04-19},
organization = {Twitter (@Cryptolaemus1)},
url = {https://twitter.com/Cryptolaemus1/status/1516535343281025032},
language = {English},
urldate = {2022-04-20}
}
#Emotet Update: 64 bit upgrade of Epoch 5 Emotet |
2022-04-19 ⋅ Bleeping Computer ⋅ Bill Toulas @online{toulas:20220419:emotet:a7e392d,
author = {Bill Toulas},
title = {{Emotet botnet switches to 64-bit modules, increases activity}},
date = {2022-04-19},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/emotet-botnet-switches-to-64-bit-modules-increases-activity/},
language = {English},
urldate = {2022-04-20}
}
Emotet botnet switches to 64-bit modules, increases activity Emotet |
2022-04-18 ⋅ Fortinet ⋅ Erin Lin @online{lin:20220418:trends:fab9950,
author = {Erin Lin},
title = {{Trends in the Recent Emotet Maldoc Outbreak}},
date = {2022-04-18},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/Trends-in-the-recent-emotet-maldoc-outbreak},
language = {English},
urldate = {2022-04-20}
}
Trends in the Recent Emotet Maldoc Outbreak Emotet |
2022-04-17 ⋅ Malwarology ⋅ Gaetano Pellegrino @online{pellegrino:20220417:qakbot:6af138c,
author = {Gaetano Pellegrino},
title = {{Qakbot Series: API Hashing}},
date = {2022-04-17},
organization = {Malwarology},
url = {https://www.malwarology.com/2022/04/qakbot-series-api-hashing/},
language = {English},
urldate = {2022-05-29}
}
Qakbot Series: API Hashing QakBot |
2022-04-17 ⋅ BushidoToken Blog ⋅ BushidoToken @online{bushidotoken:20220417:lessons:d4d0595,
author = {BushidoToken},
title = {{Lessons from the Conti Leaks}},
date = {2022-04-17},
organization = {BushidoToken Blog},
url = {https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html},
language = {English},
urldate = {2022-04-25}
}
Lessons from the Conti Leaks BazarBackdoor Conti Emotet IcedID Ryuk TrickBot |
2022-04-16 ⋅ Malwarology ⋅ Gaetano Pellegrino @online{pellegrino:20220416:qakbot:0b60d1c,
author = {Gaetano Pellegrino},
title = {{Qakbot Series: Process Injection}},
date = {2022-04-16},
organization = {Malwarology},
url = {https://www.malwarology.com/2022/04/qakbot-series-process-injection/},
language = {English},
urldate = {2022-05-31}
}
Qakbot Series: Process Injection QakBot |
2022-04-14 ⋅ Cert-UA ⋅ Cert-UA @online{certua:20220414:cyberattack:915dfa7,
author = {Cert-UA},
title = {{Cyberattack on Ukrainian state organizations using IcedID malware (CERT-UA#4464)}},
date = {2022-04-14},
organization = {Cert-UA},
url = {https://cert.gov.ua/article/39609},
language = {Ukrainian},
urldate = {2022-04-20}
}
Cyberattack on Ukrainian state organizations using IcedID malware (CERT-UA#4464) IcedID |
2022-04-14 ⋅ Avast Decoded ⋅ Vladimir Martyanov @online{martyanov:20220414:zloader:23c520a,
author = {Vladimir Martyanov},
title = {{Zloader 2: The Silent Night}},
date = {2022-04-14},
organization = {Avast Decoded},
url = {https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/},
language = {English},
urldate = {2022-04-15}
}
Zloader 2: The Silent Night ISFB Raccoon Zloader |
2022-04-14 ⋅ Bleeping Computer ⋅ Bill Toulas @online{toulas:20220414:hackers:2b1153c,
author = {Bill Toulas},
title = {{Hackers target Ukrainian govt with IcedID malware, Zimbra exploits}},
date = {2022-04-14},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/hackers-target-ukrainian-govt-with-icedid-malware-zimbra-exploits/},
language = {English},
urldate = {2022-04-15}
}
Hackers target Ukrainian govt with IcedID malware, Zimbra exploits IcedID |
2022-04-13 ⋅ Kaspersky ⋅ AMR @online{amr:20220413:emotet:113c0db,
author = {AMR},
title = {{Emotet modules and recent attacks}},
date = {2022-04-13},
organization = {Kaspersky},
url = {https://securelist.com/emotet-modules-and-recent-attacks/106290/},
language = {English},
urldate = {2022-04-15}
}
Emotet modules and recent attacks Emotet |
2022-04-13 ⋅ Malwarology ⋅ Gaetano Pellegrino @online{pellegrino:20220413:qakbot:4bc5d74,
author = {Gaetano Pellegrino},
title = {{Qakbot Series: Configuration Extraction}},
date = {2022-04-13},
organization = {Malwarology},
url = {https://www.malwarology.com/2022/04/qakbot-series-configuration-extraction/},
language = {English},
urldate = {2022-05-29}
}
Qakbot Series: Configuration Extraction QakBot |
2022-04-12 ⋅ AhnLab ⋅ ASEC Analysis Team @online{team:20220412:systembc:7bdd20c,
author = {ASEC Analysis Team},
title = {{SystemBC Being Used by Various Attackers}},
date = {2022-04-12},
organization = {AhnLab},
url = {https://asec.ahnlab.com/en/33600/},
language = {English},
urldate = {2022-04-15}
}
SystemBC Being Used by Various Attackers Emotet SmokeLoader SystemBC |
2022-04-12 ⋅ Tech Times ⋅ Joseph Henry @online{henry:20220412:qbot:9dd8d54,
author = {Joseph Henry},
title = {{Qbot Botnet Deploys Malware Payloads Through Malicious Windows Installers}},
date = {2022-04-12},
organization = {Tech Times},
url = {https://www.techtimes.com/articles/274190/20220412/qbot-botnet-deploys-malware-payloads-through-malicious-windows-installers.htm},
language = {English},
urldate = {2022-05-04}
}
Qbot Botnet Deploys Malware Payloads Through Malicious Windows Installers QakBot |
2022-04-12 ⋅ Check Point ⋅ Check Point Research @online{research:20220412:march:2c56dc6,
author = {Check Point Research},
title = {{March 2022’s Most Wanted Malware: Easter Phishing Scams Help Emotet Assert its Dominance}},
date = {2022-04-12},
organization = {Check Point},
url = {https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/},
language = {English},
urldate = {2022-04-20}
}
March 2022’s Most Wanted Malware: Easter Phishing Scams Help Emotet Assert its Dominance Alien FluBot Agent Tesla Emotet |
2022-04-11 ⋅ Bleeping Computer ⋅ Sergiu Gatlan @online{gatlan:20220411:qbot:7f1ddc7,
author = {Sergiu Gatlan},
title = {{Qbot malware switches to new Windows Installer infection vector}},
date = {2022-04-11},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/qbot-malware-switches-to-new-windows-installer-infection-vector/},
language = {English},
urldate = {2022-05-04}
}
Qbot malware switches to new Windows Installer infection vector QakBot |
2022-04-10 ⋅ Malwarology ⋅ Gaetano Pellegrino @online{pellegrino:20220410:qakbot:d46c1cc,
author = {Gaetano Pellegrino},
title = {{Qakbot Series: String Obfuscation}},
date = {2022-04-10},
organization = {Malwarology},
url = {https://www.malwarology.com/2022/04/qakbot-series-string-obfuscation/},
language = {English},
urldate = {2022-05-29}
}
Qakbot Series: String Obfuscation QakBot |
2022-04-08 ⋅ ReversingLabs ⋅ Paul Roberts @online{roberts:20220408:conversinglabs:270c740,
author = {Paul Roberts},
title = {{ConversingLabs Ep. 2: Conti pivots as ransomware as a service struggles}},
date = {2022-04-08},
organization = {ReversingLabs},
url = {https://blog.reversinglabs.com/blog/conversinglabs-ep-2-conti-pivots-as-ransomware-as-a-service-struggles},
language = {English},
urldate = {2022-06-09}
}
ConversingLabs Ep. 2: Conti pivots as ransomware as a service struggles Conti Emotet TrickBot |
2022-04-04 ⋅ The DFIR Report ⋅ @0xtornado, @yatinwad, @MettalicHack, @_pete_0 @online{0xtornado:20220404:stolen:3df91a7,
author = {@0xtornado and @yatinwad and @MettalicHack and @_pete_0},
title = {{Stolen Images Campaign Ends in Conti Ransomware}},
date = {2022-04-04},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/},
language = {English},
urldate = {2022-04-04}
}
Stolen Images Campaign Ends in Conti Ransomware Conti IcedID |
2022-04-02 ⋅ Github (pl-v) ⋅ Player-V @online{playerv:20220402:emotet:712f2ab,
author = {Player-V},
title = {{Emotet Analysis Part 1: Unpacking}},
date = {2022-04-02},
organization = {Github (pl-v)},
url = {https://pl-v.github.io/plv/posts/Emotet-unpacking/},
language = {English},
urldate = {2022-04-08}
}
Emotet Analysis Part 1: Unpacking Emotet |
2022-03-31 ⋅ Trellix ⋅ John Fokker, Jambul Tologonov @online{fokker:20220331:conti:3bc2974,
author = {John Fokker and Jambul Tologonov},
title = {{Conti Leaks: Examining the Panama Papers of Ransomware}},
date = {2022-03-31},
organization = {Trellix},
url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html},
language = {English},
urldate = {2022-04-07}
}
Conti Leaks: Examining the Panama Papers of Ransomware LockBit Amadey Buer Conti IcedID LockBit Mailto Maze PhotoLoader Ryuk TrickBot |
2022-03-31 ⋅ nccgroup ⋅ Nikolaos Pantazopoulos, Alex Jessop, Simon Biggs, RIFT: Research and Intelligence Fusion Team @online{pantazopoulos:20220331:continuation:b38514d,
author = {Nikolaos Pantazopoulos and Alex Jessop and Simon Biggs and RIFT: Research and Intelligence Fusion Team},
title = {{Conti-nuation: methods and techniques observed in operations post the leaks}},
date = {2022-03-31},
organization = {nccgroup},
url = {https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/},
language = {English},
urldate = {2022-03-31}
}
Conti-nuation: methods and techniques observed in operations post the leaks Cobalt Strike Conti QakBot |
2022-03-30 ⋅ Prevailion ⋅ Prevailion @online{prevailion:20220330:wizard:6eb38a7,
author = {Prevailion},
title = {{Wizard Spider continues to confound}},
date = {2022-03-30},
organization = {Prevailion},
url = {https://blog.prevailion.com/wizard-spider-continues-to-confound-4298370f6903},
language = {English},
urldate = {2022-03-31}
}
Wizard Spider continues to confound BazarBackdoor Cobalt Strike Emotet |
2022-03-29 ⋅ vmware ⋅ Oleg Boyarchuk, Jason Zhang, Threat Analysis Unit @online{boyarchuk:20220329:emotet:18b143b,
author = {Oleg Boyarchuk and Jason Zhang and Threat Analysis Unit},
title = {{Emotet C2 Configuration Extraction and Analysis}},
date = {2022-03-29},
organization = {vmware},
url = {https://blogs.vmware.com/security/2022/03/emotet-c2-configuration-extraction-and-analysis.html},
language = {English},
urldate = {2022-04-04}
}
Emotet C2 Configuration Extraction and Analysis Emotet |
2022-03-29 ⋅ Threat Post ⋅ Elizabeth Montalbano @online{montalbano:20220329:exchange:ff88f41,
author = {Elizabeth Montalbano},
title = {{Exchange Servers Speared in IcedID Phishing Campaign}},
date = {2022-03-29},
organization = {Threat Post},
url = {https://threatpost.com/exchange-servers-speared-in-icedid-phishing-campaign/179137/},
language = {English},
urldate = {2022-03-31}
}
Exchange Servers Speared in IcedID Phishing Campaign IcedID |
2022-03-28 ⋅ Fortinet ⋅ James Slaughter, Val Saengphaibul, Fred Gutierrez @online{slaughter:20220328:spoofed:0cd6f0e,
author = {James Slaughter and Val Saengphaibul and Fred Gutierrez},
title = {{Spoofed Invoice Used to Drop IcedID}},
date = {2022-03-28},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/spoofed-invoice-drops-iced-id},
language = {English},
urldate = {2022-03-31}
}
Spoofed Invoice Used to Drop IcedID IcedID |
2022-03-28 ⋅ Bleeping Computer ⋅ Bill Toulas @online{toulas:20220328:microsoft:5bc32d1,
author = {Bill Toulas},
title = {{Microsoft Exchange targeted for IcedID reply-chain hijacking attacks}},
date = {2022-03-28},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/microsoft-exchange-targeted-for-icedid-reply-chain-hijacking-attacks/},
language = {English},
urldate = {2022-03-30}
}
Microsoft Exchange targeted for IcedID reply-chain hijacking attacks IcedID |
2022-03-28 ⋅ Cisco ⋅ María José Erquiaga, Onur Erdogan, Adela Jezkova @online{erquiaga:20220328:emotet:d36774a,
author = {María José Erquiaga and Onur Erdogan and Adela Jezkova},
title = {{Emotet is Back}},
date = {2022-03-28},
organization = {Cisco},
url = {https://blogs.cisco.com/security/emotet-is-back},
language = {English},
urldate = {2022-03-30}
}
Emotet is Back Emotet |
2022-03-28 ⋅ Intezer ⋅ Joakim Kennedy, Ryan Robinson @online{kennedy:20220328:new:cede4da,
author = {Joakim Kennedy and Ryan Robinson},
title = {{New Conversation Hijacking Campaign Delivering IcedID}},
date = {2022-03-28},
organization = {Intezer},
url = {https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/},
language = {English},
urldate = {2022-04-05}
}
New Conversation Hijacking Campaign Delivering IcedID IcedID PhotoLoader |
2022-03-25 ⋅ SANS ISC ⋅ Xavier Mertens @online{mertens:20220325:xlsb:21fdeaf,
author = {Xavier Mertens},
title = {{XLSB Files: Because Binary is Stealthier Than XML}},
date = {2022-03-25},
organization = {SANS ISC},
url = {https://isc.sans.edu/forums/diary/XLSB+Files+Because+Binary+is+Stealthier+Than+XML/28476/},
language = {English},
urldate = {2022-03-25}
}
XLSB Files: Because Binary is Stealthier Than XML QakBot |
2022-03-23 ⋅ Fortinet ⋅ Shunichi Imano, Val Saengphaibul @online{imano:20220323:bad:06c3501,
author = {Shunichi Imano and Val Saengphaibul},
title = {{Bad Actors Trying to Capitalize on Current Events via Shameless Email Scams}},
date = {2022-03-23},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/bad-actors-capitalize-current-events-email-scams},
language = {English},
urldate = {2022-03-25}
}
Bad Actors Trying to Capitalize on Current Events via Shameless Email Scams Emotet |
2022-03-23 ⋅ Secureworks ⋅ Counter Threat Unit Research Team @online{researchteam:20220323:gold:0f3da90,
author = {Counter Threat Unit Research Team},
title = {{GOLD ULRICK Leaks Reveal Organizational Structure and Relationships}},
date = {2022-03-23},
organization = {Secureworks},
url = {https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships},
language = {English},
urldate = {2022-03-25}
}
GOLD ULRICK Leaks Reveal Organizational Structure and Relationships Conti Emotet IcedID TrickBot |
2022-03-23 ⋅ NVISO Labs ⋅ Bart Parys @online{parys:20220323:hunting:1610697,
author = {Bart Parys},
title = {{Hunting Emotet campaigns with Kusto}},
date = {2022-03-23},
organization = {NVISO Labs},
url = {https://blog.nviso.eu/2022/03/23/hunting-emotet-campaigns-with-kusto/},
language = {English},
urldate = {2022-03-24}
}
Hunting Emotet campaigns with Kusto Emotet |
2022-03-23 ⋅ Secureworks ⋅ Counter Threat Unit Research Team @online{researchteam:20220323:threat:84ad46c,
author = {Counter Threat Unit Research Team},
title = {{Threat Intelligence Executive Report Volume 2022, Number 2}},
date = {2022-03-23},
organization = {Secureworks},
url = {https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx},
language = {English},
urldate = {2022-03-25}
}
Threat Intelligence Executive Report Volume 2022, Number 2 Conti Emotet IcedID TrickBot |
2022-03-23 ⋅ Fortinet ⋅ Xiaopeng Zhang @online{zhang:20220323:ms:946096e,
author = {Xiaopeng Zhang},
title = {{MS Office Files Involved Again in Recent Emotet Trojan Campaign – Part II}},
date = {2022-03-23},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/ms-office-files-involved-again-in-recent-emotet-trojan-campaign-part-ii},
language = {English},
urldate = {2022-03-25}
}
MS Office Files Involved Again in Recent Emotet Trojan Campaign – Part II Emotet |
2022-03-21 ⋅ Info Security ⋅ Vinugayathri Chinnasamy @online{chinnasamy:20220321:emotet:2d27f06,
author = {Vinugayathri Chinnasamy},
title = {{Emotet Is Back and Is Deadlier Than Ever! A Rundown of the Emotet Malware}},
date = {2022-03-21},
organization = {Info Security},
url = {https://www.infosecurity-magazine.com/blogs/a-rundown-of-the-emotet-malware/},
language = {English},
urldate = {2022-03-22}
}
Emotet Is Back and Is Deadlier Than Ever! A Rundown of the Emotet Malware Emotet |
2022-03-21 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU) @online{tru:20220321:conti:507fdf9,
author = {eSentire Threat Response Unit (TRU)},
title = {{Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered}},
date = {2022-03-21},
organization = {eSentire},
url = {https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire},
language = {English},
urldate = {2022-05-23}
}
Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered HelloKitty BazarBackdoor Cobalt Strike Conti FiveHands HelloKitty IcedID |
2022-03-17 ⋅ Github (eln0ty) ⋅ Abdallah Elnoty @online{elnoty:20220317:icedid:0b8ef27,
author = {Abdallah Elnoty},
title = {{IcedID Analysis}},
date = {2022-03-17},
organization = {Github (eln0ty)},
url = {https://eln0ty.github.io/malware%20analysis/IcedID/},
language = {English},
urldate = {2022-03-22}
}
IcedID Analysis IcedID |
2022-03-17 ⋅ Trend Micro ⋅ Trend Micro Research @techreport{research:20220317:navigating:5ad631e,
author = {Trend Micro Research},
title = {{Navigating New Frontiers Trend Micro 2021 Annual Cybersecurity Report}},
date = {2022-03-17},
institution = {Trend Micro},
url = {https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf},
language = {English},
urldate = {2022-03-22}
}
Navigating New Frontiers Trend Micro 2021 Annual Cybersecurity Report REvil BazarBackdoor Buer IcedID QakBot REvil |
2022-03-16 ⋅ SANS ISC ⋅ Brad Duncan @online{duncan:20220316:qakbot:7fe703f,
author = {Brad Duncan},
title = {{Qakbot infection with Cobalt Strike and VNC activity}},
date = {2022-03-16},
organization = {SANS ISC},
url = {https://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448/},
language = {English},
urldate = {2022-03-17}
}
Qakbot infection with Cobalt Strike and VNC activity Cobalt Strike QakBot |
2022-03-16 ⋅ Symantec ⋅ Symantec Threat Hunter Team @techreport{team:20220316:ransomware:1c2a72a,
author = {Symantec Threat Hunter Team},
title = {{The Ransomware Threat Landscape: What to Expect in 2022}},
date = {2022-03-16},
institution = {Symantec},
url = {https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf},
language = {English},
urldate = {2022-03-22}
}
The Ransomware Threat Landscape: What to Expect in 2022 AvosLocker BlackCat BlackMatter Conti DarkSide DoppelPaymer Emotet Hive Karma Mespinoza Nemty Squirrelwaffle VegaLocker WastedLocker Yanluowang Zeppelin |
2022-03-16 ⋅ Dragos ⋅ Josh Hanrahan @online{hanrahan:20220316:suspected:325fc01,
author = {Josh Hanrahan},
title = {{Suspected Conti Ransomware Activity in the Auto Manufacturing Sector}},
date = {2022-03-16},
organization = {Dragos},
url = {https://www.dragos.com/blog/industry-news/suspected-conti-ransomware-activity-in-the-auto-manufacturing-sector/},
language = {English},
urldate = {2022-03-17}
}
Suspected Conti Ransomware Activity in the Auto Manufacturing Sector Conti Emotet |
2022-03-16 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan @online{duncan:20220316:qakbot:ff11e1e,
author = {Brad Duncan},
title = {{Qakbot infection with Cobalt Strike and VNC activity}},
date = {2022-03-16},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/rss/28448},
language = {English},
urldate = {2022-03-17}
}
Qakbot infection with Cobalt Strike and VNC activity Cobalt Strike QakBot |
2022-03-09 ⋅ nikpx ⋅ xors @online{xors:20220309:bokbot:925e438,
author = {xors},
title = {{BokBot Technical Analysis}},
date = {2022-03-09},
organization = {nikpx},
url = {https://nikpx.github.io/malware/analysis/2022/03/09/BokBot},
language = {English},
urldate = {2022-03-10}
}
BokBot Technical Analysis IcedID |
2022-03-08 ⋅ Lumen ⋅ Black Lotus Labs @online{labs:20220308:what:c99735b,
author = {Black Lotus Labs},
title = {{What Global Network Visibility Reveals about the Resurgence of One of the World’s Most Notorious Botnets}},
date = {2022-03-08},
organization = {Lumen},
url = {https://blog.lumen.com/emotet-redux/},
language = {English},
urldate = {2022-03-10}
}
What Global Network Visibility Reveals about the Resurgence of One of the World’s Most Notorious Botnets Emotet |
2022-03-07 ⋅ Fortinet ⋅ Xiaopeng Zhang @online{zhang:20220307:ms:b388372,
author = {Xiaopeng Zhang},
title = {{MS Office Files Involved Again in Recent Emotet Trojan Campaign – Part I}},
date = {2022-03-07},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one},
language = {English},
urldate = {2022-03-08}
}
MS Office Files Involved Again in Recent Emotet Trojan Campaign – Part I Emotet |
2022-03-03 ⋅ Trend Micro ⋅ Trend Micro Research @online{research:20220303:cyberattacks:d961eb0,
author = {Trend Micro Research},
title = {{Cyberattacks are Prominent in the Russia-Ukraine Conflict}},
date = {2022-03-03},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html},
language = {English},
urldate = {2022-03-04}
}
Cyberattacks are Prominent in the Russia-Ukraine Conflict BazarBackdoor Cobalt Strike Conti Emotet WhisperGate |
2022-03-02 ⋅ KrebsOnSecurity ⋅ Brian Krebs @online{krebs:20220302:conti:03b0358,
author = {Brian Krebs},
title = {{Conti Ransomware Group Diaries, Part II: The Office}},
date = {2022-03-02},
organization = {KrebsOnSecurity},
url = {https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/},
language = {English},
urldate = {2022-03-07}
}
Conti Ransomware Group Diaries, Part II: The Office Conti Emotet Ryuk TrickBot |
2022-03-01 ⋅ Twitter (@ContiLeaks) ⋅ ContiLeaks @online{contileaks:20220301:emotet:b68be9c,
author = {ContiLeaks},
title = {{Tweet on Emotet final server scheme}},
date = {2022-03-01},
organization = {Twitter (@ContiLeaks)},
url = {https://twitter.com/ContiLeaks/status/1498614197202079745},
language = {English},
urldate = {2022-03-02}
}
Tweet on Emotet final server scheme Emotet |
2022-02-26 ⋅ LinkedIn (Zayed AlJaberi) ⋅ Zayed AlJaberi @online{aljaberi:20220226:hunting:270b30c,
author = {Zayed AlJaberi},
title = {{Hunting Recent QakBot Malware}},
date = {2022-02-26},
organization = {LinkedIn (Zayed AlJaberi)},
url = {https://www.linkedin.com/posts/zayedaljaberi_hunting-recent-qakbot-malware-activity-6903498764984606720-2Gl4},
language = {English},
urldate = {2022-03-01}
}
Hunting Recent QakBot Malware QakBot |
2022-02-26 ⋅ Mandiant ⋅ Mandiant @online{mandiant:20220226:trending:a445d4a,
author = {Mandiant},
title = {{TRENDING EVIL Q1 2022}},
date = {2022-02-26},
organization = {Mandiant},
url = {https://experience.mandiant.com/trending-evil/p/1},
language = {English},
urldate = {2022-03-14}
}
TRENDING EVIL Q1 2022 KEYPLUG FAKEUPDATES GootLoader BazarBackdoor QakBot |
2022-02-25 ⋅ CyberScoop ⋅ Joe Warminsky @online{warminsky:20220225:trickbot:2d38470,
author = {Joe Warminsky},
title = {{TrickBot malware suddenly got quiet, researchers say, but it's hardly the end for its operators}},
date = {2022-02-25},
organization = {CyberScoop},
url = {https://www.cyberscoop.com/trickbot-shutdown-conti-emotet/},
language = {English},
urldate = {2022-03-01}
}
TrickBot malware suddenly got quiet, researchers say, but it's hardly the end for its operators BazarBackdoor Emotet TrickBot |
2022-02-24 ⋅ The Hacker News ⋅ Ravie Lakshmanan @online{lakshmanan:20220224:notorious:c5e1556,
author = {Ravie Lakshmanan},
title = {{Notorious TrickBot Malware Gang Shuts Down its Botnet Infrastructure}},
date = {2022-02-24},
organization = {The Hacker News},
url = {https://thehackernews.com/2022/02/notorious-trickbot-malware-gang-shuts.html},
language = {English},
urldate = {2022-03-04}
}
Notorious TrickBot Malware Gang Shuts Down its Botnet Infrastructure BazarBackdoor Emotet TrickBot |
2022-02-24 ⋅ Cynet ⋅ Max Malyutin @online{malyutin:20220224:new:014251e,
author = {Max Malyutin},
title = {{New Wave of Emotet – When Project X Turns Into Y}},
date = {2022-02-24},
organization = {Cynet},
url = {https://www.cynet.com/attack-techniques-hands-on/new-wave-of-emotet-when-project-x-turns-into-y/},
language = {English},
urldate = {2022-05-04}
}
New Wave of Emotet – When Project X Turns Into Y Cobalt Strike Emotet |
2022-02-24 ⋅ The Hacker News ⋅ Ravie Lakshmanan @online{lakshmanan:20220224:trickbot:7e86d52,
author = {Ravie Lakshmanan},
title = {{TrickBot Gang Likely Shifting Operations to Switch to New Malware}},
date = {2022-02-24},
organization = {The Hacker News},
url = {https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html},
language = {English},
urldate = {2022-03-01}
}
TrickBot Gang Likely Shifting Operations to Switch to New Malware BazarBackdoor Emotet QakBot TrickBot |
2022-02-23 ⋅ cyber.wtf blog ⋅ Luca Ebach @online{ebach:20220223:what:0a4496e,
author = {Luca Ebach},
title = {{What the Pack(er)?}},
date = {2022-02-23},
organization = {cyber.wtf blog},
url = {https://cyber.wtf/2022/03/23/what-the-packer/},
language = {English},
urldate = {2022-03-25}
}
What the Pack(er)? Cobalt Strike Emotet |
2022-02-22 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU) @online{tru:20220222:icedid:67f870d,
author = {eSentire Threat Response Unit (TRU)},
title = {{IcedID to Cobalt Strike In Under 20 Minutes}},
date = {2022-02-22},
organization = {eSentire},
url = {https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes},
language = {English},
urldate = {2022-05-23}
}
IcedID to Cobalt Strike In Under 20 Minutes Cobalt Strike IcedID PhotoLoader |
2022-02-21 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20220221:qbot:8b10b52,
author = {The DFIR Report},
title = {{Qbot and Zerologon Lead To Full Domain Compromise}},
date = {2022-02-21},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/},
language = {English},
urldate = {2022-02-26}
}
Qbot and Zerologon Lead To Full Domain Compromise Cobalt Strike QakBot |
2022-02-16 ⋅ Threat Post ⋅ Elizabeth Montalbano @online{montalbano:20220216:emotet:a1297ac,
author = {Elizabeth Montalbano},
title = {{Emotet Now Spreading Through Malicious Excel Files}},
date = {2022-02-16},
organization = {Threat Post},
url = {https://threatpost.com/emotet-spreading-malicious-excel-files/178444/},
language = {English},
urldate = {2022-02-18}
}
Emotet Now Spreading Through Malicious Excel Files Emotet |
2022-02-16 ⋅ SOC Prime ⋅ Alla Yurchenko @online{yurchenko:20220216:qbot:db07ba5,
author = {Alla Yurchenko},
title = {{QBot Malware Detection: Old Dog New Tricks}},
date = {2022-02-16},
organization = {SOC Prime},
url = {https://socprime.com/blog/qbot-malware-detection-old-dog-new-tricks/},
language = {English},
urldate = {2022-02-17}
}
QBot Malware Detection: Old Dog New Tricks QakBot |
2022-02-16 ⋅ Security Onion ⋅ Doug Burks @online{burks:20220216:quick:e515983,
author = {Doug Burks},
title = {{Quick Malware Analysis: Emotet Epoch 5 and Cobalt Strike pcap from 2022-02-08}},
date = {2022-02-16},
organization = {Security Onion},
url = {https://blog.securityonion.net/2022/02/quick-malware-analysis-emotet-epoch-5.html},
language = {English},
urldate = {2022-02-17}
}
Quick Malware Analysis: Emotet Epoch 5 and Cobalt Strike pcap from 2022-02-08 Cobalt Strike Emotet |
2022-02-15 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU) @online{tru:20220215:increase:a4de9ce,
author = {eSentire Threat Response Unit (TRU)},
title = {{Increase in Emotet Activity and Cobalt Strike Deployment}},
date = {2022-02-15},
organization = {eSentire},
url = {https://www.esentire.com/blog/increase-in-emotet-activity-and-cobalt-strike-deployment},
language = {English},
urldate = {2022-05-23}
}
Increase in Emotet Activity and Cobalt Strike Deployment Cobalt Strike Emotet |
2022-02-15 ⋅ Palo Alto Networks Unit 42 ⋅ Saqib Khanzada, Tyler Halfpop, Micah Yates, Brad Duncan @online{khanzada:20220215:new:822e8f9,
author = {Saqib Khanzada and Tyler Halfpop and Micah Yates and Brad Duncan},
title = {{New Emotet Infection Method}},
date = {2022-02-15},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/new-emotet-infection-method/},
language = {English},
urldate = {2022-02-17}
}
New Emotet Infection Method Emotet |
2022-02-13 ⋅ NetbyteSEC ⋅ Taqi, Rosamira, Fareed @online{taqi:20220213:technical:50aa099,
author = {Taqi and Rosamira and Fareed},
title = {{Technical Malware Analysis: The Return of Emotet}},
date = {2022-02-13},
organization = {NetbyteSEC},
url = {https://notes.netbytesec.com/2022/02/technical-malware-analysis-return-of.html},
language = {English},
urldate = {2022-02-14}
}
Technical Malware Analysis: The Return of Emotet Emotet |
2022-02-10 ⋅ Cybereason ⋅ Cybereason Global SOC Team @online{team:20220210:threat:320574f,
author = {Cybereason Global SOC Team},
title = {{Threat Analysis Report: All Paths Lead to Cobalt Strike - IcedID, Emotet and QBot}},
date = {2022-02-10},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot},
language = {English},
urldate = {2022-02-10}
}
Threat Analysis Report: All Paths Lead to Cobalt Strike - IcedID, Emotet and QBot Cobalt Strike Emotet IcedID QakBot |
2022-02-08 ⋅ BleepingComputer ⋅ Bill Toulas @online{toulas:20220208:qbot:a40ed5c,
author = {Bill Toulas},
title = {{Qbot needs only 30 minutes to steal your credentials, emails}},
date = {2022-02-08},
organization = {BleepingComputer},
url = {https://www.bleepingcomputer.com/news/security/qbot-needs-only-30-minutes-to-steal-your-credentials-emails/},
language = {English},
urldate = {2022-02-09}
}
Qbot needs only 30 minutes to steal your credentials, emails QakBot |
2022-02-07 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20220207:qbot:35410a9,
author = {The DFIR Report},
title = {{Qbot Likes to Move It, Move It}},
date = {2022-02-07},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/},
language = {English},
urldate = {2022-02-09}
}
Qbot Likes to Move It, Move It QakBot |
2022-02-07 ⋅ vmware ⋅ Jason Zhang, Threat Analysis Unit @online{zhang:20220207:emotet:e89deeb,
author = {Jason Zhang and Threat Analysis Unit},
title = {{Emotet Is Not Dead (Yet) – Part 2}},
date = {2022-02-07},
organization = {vmware},
url = {https://blogs.vmware.com/networkvirtualization/2022/02/emotet-is-not-dead-yet-part-2.html/},
language = {English},
urldate = {2022-02-10}
}
Emotet Is Not Dead (Yet) – Part 2 Emotet |
2022-02-02 ⋅ VMRay ⋅ VMRay Labs Team, Mateusz Lukaszewski @online{team:20220202:malware:0eef3c2,
author = {VMRay Labs Team and Mateusz Lukaszewski},
title = {{Malware Analysis Spotlight: Emotet’s Use of Cryptography}},
date = {2022-02-02},
organization = {VMRay},
url = {https://www.vmray.com/cyber-security-blog/malware-analysis-spotlight-emotets-use-of-cryptography/},
language = {English},
urldate = {2022-02-09}
}
Malware Analysis Spotlight: Emotet’s Use of Cryptography Emotet |
2022-01-27 ⋅ Threat Lab Indonesia ⋅ Threat Lab Indonesia @online{indonesia:20220127:malware:8bcfff1,
author = {Threat Lab Indonesia},
title = {{Malware Analysis Emotet Infection}},
date = {2022-01-27},
organization = {Threat Lab Indonesia},
url = {https://blog.threatlab.info/malware-analysis-emotet-infection/},
language = {Indonesian},
urldate = {2022-02-02}
}
Malware Analysis Emotet Infection Emotet |
2022-01-25 ⋅ SANS ISC ⋅ Brad Duncan @online{duncan:20220125:emotet:9c62525,
author = {Brad Duncan},
title = {{Emotet Stops Using 0.0.0.0 in Spambot Traffic}},
date = {2022-01-25},
organization = {SANS ISC},
url = {https://isc.sans.edu/forums/diary/Emotet+Stops+Using+0000+in+Spambot+Traffic/28270/},
language = {English},
urldate = {2022-02-01}
}
Emotet Stops Using 0.0.0.0 in Spambot Traffic Emotet |
2022-01-23 ⋅ kienmanowar Blog ⋅ m4n0w4r, Tran Trung Kien @online{m4n0w4r:20220123:quicknote:852995b,
author = {m4n0w4r and Tran Trung Kien},
title = {{[QuickNote] Emotet epoch4 & epoch5 tactics}},
date = {2022-01-23},
organization = {kienmanowar Blog},
url = {https://kienmanowar.wordpress.com/2022/01/23/quicknote-emotet-epoch4-epoch5-tactics/},
language = {English},
urldate = {2022-01-25}
}
[QuickNote] Emotet epoch4 & epoch5 tactics Emotet |
2022-01-22 ⋅ Atomic Matryoshka ⋅ z3r0day_504 @online{z3r0day504:20220122:malware:1ec08ef,
author = {z3r0day_504},
title = {{Malware Headliners: Emotet}},
date = {2022-01-22},
organization = {Atomic Matryoshka},
url = {https://www.atomicmatryoshka.com/post/malware-headliners-emotet},
language = {English},
urldate = {2022-02-01}
}
Malware Headliners: Emotet Emotet |
2022-01-21 ⋅ Trend Micro ⋅ Ian Kenefick @online{kenefick:20220121:emotet:daddaf1,
author = {Ian Kenefick},
title = {{Emotet Spam Abuses Unconventional IP Address Formats to Spread Malware}},
date = {2022-01-21},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/22/a/emotet-spam-abuses-unconventional-ip-address-formats-spread-malware.html},
language = {English},
urldate = {2022-01-25}
}
Emotet Spam Abuses Unconventional IP Address Formats to Spread Malware Emotet |
2022-01-21 ⋅ vmware ⋅ Jason Zhang, Threat Analysis Unit @online{zhang:20220121:emotet:bdb4508,
author = {Jason Zhang and Threat Analysis Unit},
title = {{Emotet Is Not Dead (Yet)}},
date = {2022-01-21},
organization = {vmware},
url = {https://blogs.vmware.com/networkvirtualization/2022/01/emotet-is-not-dead-yet.html/},
language = {English},
urldate = {2022-02-10}
}
Emotet Is Not Dead (Yet) Emotet |
2022-01-19 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan @online{duncan:20220119:0000:cdac125,
author = {Brad Duncan},
title = {{0.0.0.0 in Emotet Spambot Traffic}},
date = {2022-01-19},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/rss/28254},
language = {English},
urldate = {2022-01-24}
}
0.0.0.0 in Emotet Spambot Traffic Emotet |
2022-01-19 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team @online{team:20220119:kraken:5b52d17,
author = {The BlackBerry Research & Intelligence Team},
title = {{Kraken the Code on Prometheus}},
date = {2022-01-19},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus},
language = {English},
urldate = {2022-05-25}
}
Kraken the Code on Prometheus Prometheus Backdoor BlackMatter Cerber Cobalt Strike DCRat Ficker Stealer QakBot REvil Ryuk |
2022-01-19 ⋅ Gdata ⋅ Karsten Hahn @online{hahn:20220119:malware:293c00c,
author = {Karsten Hahn},
title = {{Malware vaccines can prevent pandemics, yet are rarely used}},
date = {2022-01-19},
organization = {Gdata},
url = {https://www.gdatasoftware.com/blog/2022/01/malware-vaccines},
language = {English},
urldate = {2023-03-24}
}
Malware vaccines can prevent pandemics, yet are rarely used Emotet STOP |
2022-01-18 ⋅ Recorded Future ⋅ Insikt Group® @techreport{group:20220118:2021:9cff6fc,
author = {Insikt Group®},
title = {{2021 Adversary Infrastructure Report}},
date = {2022-01-18},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf},
language = {English},
urldate = {2022-01-24}
}
2021 Adversary Infrastructure Report BazarBackdoor Cobalt Strike Dridex IcedID QakBot TrickBot |
2022-01-17 ⋅ forensicitguy ⋅ Tony Lambert @online{lambert:20220117:emotets:85bf9d4,
author = {Tony Lambert},
title = {{Emotet's Excel 4.0 Macros Dropping DLLs}},
date = {2022-01-17},
organization = {forensicitguy},
url = {https://forensicitguy.github.io/emotet-excel4-macro-analysis/},
language = {English},
urldate = {2022-01-25}
}
Emotet's Excel 4.0 Macros Dropping DLLs Emotet |
2022-01-15 ⋅ Atomic Matryoshka ⋅ z3r0day_504 @online{z3r0day504:20220115:malware:ce94f8c,
author = {z3r0day_504},
title = {{Malware Headliners: Qakbot}},
date = {2022-01-15},
organization = {Atomic Matryoshka},
url = {https://www.atomicmatryoshka.com/post/malware-headliners-qakbot},
language = {English},
urldate = {2022-02-01}
}
Malware Headliners: Qakbot QakBot |
2022-01-14 ⋅ RiskIQ ⋅ Jordan Herman @online{herman:20220114:riskiq:f4f5b68,
author = {Jordan Herman},
title = {{RiskIQ: Unique SSL Certificates and JARM Hash Connected to Emotet and Dridex C2 Servers}},
date = {2022-01-14},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/2cd1c003},
language = {English},
urldate = {2022-01-18}
}
RiskIQ: Unique SSL Certificates and JARM Hash Connected to Emotet and Dridex C2 Servers Dridex Emotet |
2022-01-13 ⋅ Trustwave ⋅ Lloyd Macrohon, Rodel Mendrez @online{macrohon:20220113:decrypting:274747e,
author = {Lloyd Macrohon and Rodel Mendrez},
title = {{Decrypting Qakbot’s Encrypted Registry Keys}},
date = {2022-01-13},
organization = {Trustwave},
url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/decrypting-qakbots-encrypted-registry-keys/},
language = {English},
urldate = {2022-01-25}
}
Decrypting Qakbot’s Encrypted Registry Keys QakBot |
2022-01-11 ⋅ Cybereason ⋅ Omri Refaeli, Chen Erlich, Ofir Ozer, Niv Yona, Daichi Shimabukuro @online{refaeli:20220111:threat:fd22089,
author = {Omri Refaeli and Chen Erlich and Ofir Ozer and Niv Yona and Daichi Shimabukuro},
title = {{Threat Analysis Report: DatopLoader Exploits ProxyShell to Deliver QBOT and Cobalt Strike}},
date = {2022-01-11},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike},
language = {English},
urldate = {2022-01-18}
}
Threat Analysis Report: DatopLoader Exploits ProxyShell to Deliver QBOT and Cobalt Strike Cobalt Strike QakBot Squirrelwaffle |
2022-01-11 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt @online{reaves:20220111:signed:0f32583,
author = {Jason Reaves and Joshua Platt},
title = {{Signed DLL campaigns as a service}},
date = {2022-01-11},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489},
language = {English},
urldate = {2023-01-31}
}
Signed DLL campaigns as a service BATLOADER Cobalt Strike ISFB Zloader |
2022-01-07 ⋅ muha2xmad ⋅ Muhammad Hasan Ali @online{ali:20220107:unpacking:e59d104,
author = {Muhammad Hasan Ali},
title = {{Unpacking Emotet malware part 02}},
date = {2022-01-07},
organization = {muha2xmad},
url = {https://muha2xmad.github.io/unpacking/emotet-part-2/},
language = {English},
urldate = {2022-02-14}
}
Unpacking Emotet malware part 02 Emotet |
2022-01-06 ⋅ muha2xmad ⋅ Muhammad Hasan Ali @online{ali:20220106:unpacking:57cdd55,
author = {Muhammad Hasan Ali},
title = {{Unpacking Emotet malware part 01}},
date = {2022-01-06},
organization = {muha2xmad},
url = {https://muha2xmad.github.io/unpacking/emotet-part-1/},
language = {English},
urldate = {2022-02-14}
}
Unpacking Emotet malware part 01 Emotet |
2022-01-01 ⋅ forensicitguy ⋅ Tony Lambert @online{lambert:20220101:analyzing:1512a76,
author = {Tony Lambert},
title = {{Analyzing an IcedID Loader Document}},
date = {2022-01-01},
organization = {forensicitguy},
url = {https://forensicitguy.github.io/analyzing-icedid-document/},
language = {English},
urldate = {2022-01-25}
}
Analyzing an IcedID Loader Document IcedID |
2021-12-22 ⋅ Cloudsek ⋅ Anandeshwar Unnikrishnan @online{unnikrishnan:20211222:emotet:29082b3,
author = {Anandeshwar Unnikrishnan},
title = {{Emotet 2.0: Everything you need to know about the new Variant of the Banking Trojan}},
date = {2021-12-22},
organization = {Cloudsek},
url = {https://web.archive.org/web/20211223100528/https://cloudsek.com/emotet-2-0-everything-you-need-to-know-about-the-new-variant-of-thbanking-trojan/},
language = {English},
urldate = {2022-05-25}
}
Emotet 2.0: Everything you need to know about the new Variant of the Banking Trojan Emotet |
2021-12-17 ⋅ Trend Micro ⋅ Abraham Camba, Jonna Santos, Gilbert Sison, Jay Yaneza @online{camba:20211217:staging:0ec37d9,
author = {Abraham Camba and Jonna Santos and Gilbert Sison and Jay Yaneza},
title = {{Staging a Quack: Reverse Analyzing a Fileless QAKBOT Stager}},
date = {2021-12-17},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/l/staging-a-quack-reverse-analyzing-fileless-qakbot-stager.html},
language = {English},
urldate = {2021-12-31}
}
Staging a Quack: Reverse Analyzing a Fileless QAKBOT Stager QakBot |
2021-12-16 ⋅ Red Canary ⋅ The Red Canary Team @online{team:20211216:intelligence:f7bad55,
author = {The Red Canary Team},
title = {{Intelligence Insights: December 2021}},
date = {2021-12-16},
organization = {Red Canary},
url = {https://redcanary.com/blog/intelligence-insights-december-2021},
language = {English},
urldate = {2021-12-31}
}
Intelligence Insights: December 2021 Cobalt Strike QakBot Squirrelwaffle |
2021-12-16 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan @online{duncan:20211216:how:6fd0b06,
author = {Brad Duncan},
title = {{How the "Contact Forms" campaign tricks people}},
date = {2021-12-16},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/forums/diary/How+the+Contact+Forms+campaign+tricks+people/28142/},
language = {English},
urldate = {2021-12-31}
}
How the "Contact Forms" campaign tricks people IcedID |
2021-12-13 ⋅ Zscaler ⋅ Dennis Schwarz, Avinash Kumar @online{schwarz:20211213:return:94bdbce,
author = {Dennis Schwarz and Avinash Kumar},
title = {{Return of Emotet: Malware Analysis}},
date = {2021-12-13},
organization = {Zscaler},
url = {https://www.zscaler.com/blogs/security-research/return-emotet-malware-analysis},
language = {English},
urldate = {2021-12-20}
}
Return of Emotet: Malware Analysis Emotet |
2021-12-11 ⋅ YouTube (AGDC Services) ⋅ AGDC Services @online{services:20211211:how:358bd74,
author = {AGDC Services},
title = {{How To Extract & Decrypt Qbot Configs Across Variants}},
date = {2021-12-11},
organization = {YouTube (AGDC Services)},
url = {https://www.youtube.com/watch?v=M22c1JgpG-U},
language = {English},
urldate = {2021-12-20}
}
How To Extract & Decrypt Qbot Configs Across Variants QakBot |
2021-12-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team @online{team:20211209:closer:bace4ec,
author = {Microsoft 365 Defender Threat Intelligence Team},
title = {{A closer look at Qakbot’s latest building blocks (and how to knock them down)}},
date = {2021-12-09},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/},
language = {English},
urldate = {2021-12-13}
}
A closer look at Qakbot’s latest building blocks (and how to knock them down) QakBot |
2021-12-09 ⋅ HP ⋅ Patrick Schläpfer @online{schlpfer:20211209:emotets:aa090a7,
author = {Patrick Schläpfer},
title = {{Emotet’s Return: What’s Different?}},
date = {2021-12-09},
organization = {HP},
url = {https://threatresearch.ext.hp.com/emotets-return-whats-different/},
language = {English},
urldate = {2022-01-18}
}
Emotet’s Return: What’s Different? Emotet |
2021-12-08 ⋅ Check Point Research ⋅ Raman Ladutska, Aliaksandr Trafimchuk, David Driker, Yali Magiel @online{ladutska:20211208:when:16ee92b,
author = {Raman Ladutska and Aliaksandr Trafimchuk and David Driker and Yali Magiel},
title = {{When old friends meet again: why Emotet chose Trickbot for rebirth}},
date = {2021-12-08},
organization = {Check Point Research},
url = {https://research.checkpoint.com/2021/when-old-friends-meet-again-why-emotet-chose-trickbot-for-rebirth/},
language = {English},
urldate = {2022-02-18}
}
When old friends meet again: why Emotet chose Trickbot for rebirth Emotet TrickBot |
2021-12-07 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20211207:emotet:f33c999,
author = {Lawrence Abrams},
title = {{Emotet now drops Cobalt Strike, fast forwards ransomware attacks}},
date = {2021-12-07},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/emotet-now-drops-cobalt-strike-fast-forwards-ransomware-attacks/},
language = {English},
urldate = {2021-12-08}
}
Emotet now drops Cobalt Strike, fast forwards ransomware attacks Cobalt Strike Emotet |
2021-12-03 ⋅ SANS ISC InfoSec Forums ⋅ Brad Duncan @online{duncan:20211203:ta551:f71be57,
author = {Brad Duncan},
title = {{TA551 (Shathak) pushes IcedID (Bokbot)}},
date = {2021-12-03},
organization = {SANS ISC InfoSec Forums},
url = {https://isc.sans.edu/forums/diary/TA551+Shathak+pushes+IcedID+Bokbot/28092/},
language = {English},
urldate = {2021-12-06}
}
TA551 (Shathak) pushes IcedID (Bokbot) IcedID |
2021-11-30 ⋅ Deep instinct ⋅ Ron Ben Yizhak @online{yizhak:20211130:reemergence:3f232d5,
author = {Ron Ben Yizhak},
title = {{The Re-Emergence of Emotet}},
date = {2021-11-30},
organization = {Deep instinct},
url = {https://www.deepinstinct.com/blog/the-re-emergence-of-emotet},
language = {English},
urldate = {2022-07-18}
}
The Re-Emergence of Emotet Emotet |
2021-11-25 ⋅ DSIH ⋅ Charles Blanc-Rolin @online{blancrolin:20211125:emotet:b02b32b,
author = {Charles Blanc-Rolin},
title = {{Emotet de retour, POC Exchange, 0-day Windows : à quelle sauce les attaquants prévoient de nous manger cette semaine?}},
date = {2021-11-25},
organization = {DSIH},
url = {https://www.dsih.fr/article/4483/emotet-de-retour-poc-exchange-0-day-windows-a-quelle-sauce-les-attaquants-prevoient-de-nous-manger-cette-semaine.html},
language = {French},
urldate = {2021-12-06}
}
Emotet de retour, POC Exchange, 0-day Windows : à quelle sauce les attaquants prévoient de nous manger cette semaine? Emotet |
2021-11-23 ⋅ Anomali ⋅ Anomali Threat Research @online{research:20211123:mummy:8cffd4e,
author = {Anomali Threat Research},
title = {{Mummy Spider’s Emotet Malware is Back After a Year Hiatus; Wizard Spider’s TrickBot Observed in Its Return}},
date = {2021-11-23},
organization = {Anomali},
url = {https://www.anomali.com/blog/mummy-spiders-emotet-malware-is-back-after-a-year-hiatus-wizard-spiders-trickbot-observed-in-its-return},
language = {English},
urldate = {2021-11-26}
}
Mummy Spider’s Emotet Malware is Back After a Year Hiatus; Wizard Spider’s TrickBot Observed in Its Return Emotet |
2021-11-21 ⋅ Twitter (@tylabs) ⋅ Tyler McLellan, Twitter (@ffforward) @online{mclellan:20211121:twitter:018d4b1,
author = {Tyler McLellan and Twitter (@ffforward)},
title = {{Twitter Thread about UNC1500 phishing using QAKBOT}},
date = {2021-11-21},
organization = {Twitter (@tylabs)},
url = {https://twitter.com/tylabs/status/1462195377277476871},
language = {English},
urldate = {2021-11-29}
}
Twitter Thread about UNC1500 phishing using QAKBOT QakBot |
2021-11-20 ⋅ Twitter (@eduardfir) ⋅ Eduardo Mattos @online{mattos:20211120:velociraptor:bc6d897,
author = {Eduardo Mattos},
title = {{Tweet on Velociraptor artifact analysis for Emotet}},
date = {2021-11-20},
organization = {Twitter (@eduardfir)},
url = {https://twitter.com/eduardfir/status/1461856030292422659},
language = {English},
urldate = {2021-11-25}
}
Tweet on Velociraptor artifact analysis for Emotet Emotet |
2021-11-20 ⋅ Youtube (HEXORCIST) ⋅ Nicolas Brulez @online{brulez:20211120:unpacking:b26d2fb,
author = {Nicolas Brulez},
title = {{Unpacking Emotet and Reversing Obfuscated Word Document}},
date = {2021-11-20},
organization = {Youtube (HEXORCIST)},
url = {https://www.youtube.com/watch?v=AkZ5TYBqcU4},
language = {English},
urldate = {2021-12-20}
}
Unpacking Emotet and Reversing Obfuscated Word Document Emotet |
2021-11-20 ⋅ Advanced Intelligence ⋅ Yelisey Boguslavskiy, Vitali Kremez @online{boguslavskiy:20211120:corporate:a8b0a1c,
author = {Yelisey Boguslavskiy and Vitali Kremez},
title = {{Corporate Loader "Emotet": History of "X" Project Return for Ransomware}},
date = {2021-11-20},
organization = {Advanced Intelligence},
url = {https://www.advintel.io/post/corporate-loader-emotet-history-of-x-project-return-for-ransomware},
language = {English},
urldate = {2021-11-25}
}
Corporate Loader "Emotet": History of "X" Project Return for Ransomware Emotet |
2021-11-19 ⋅ CRONUP ⋅ Germán Fernández @online{fernndez:20211119:la:2cbc6a0,
author = {Germán Fernández},
title = {{La Botnet de EMOTET reinicia ataques en Chile y LATAM}},
date = {2021-11-19},
organization = {CRONUP},
url = {https://www.cronup.com/la-botnet-de-emotet-reinicia-ataques-en-chile-y-latinoamerica/},
language = {Spanish},
urldate = {2021-11-25}
}
La Botnet de EMOTET reinicia ataques en Chile y LATAM Emotet |
2021-11-19 ⋅ Trend Micro ⋅ Mohamed Fahmy, Sherif Magdy, Abdelrhman Sharshar @online{fahmy:20211119:squirrelwaffle:1e8fa78,
author = {Mohamed Fahmy and Sherif Magdy and Abdelrhman Sharshar},
title = {{Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains}},
date = {2021-11-19},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html},
language = {English},
urldate = {2021-11-25}
}
Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains Cobalt Strike QakBot Squirrelwaffle |
2021-11-19 ⋅ LAC WATCH ⋅ LAC WATCH @online{watch:20211119:malware:c504e6f,
author = {LAC WATCH},
title = {{Malware Emotet resumes its activities for the first time in 10 months, and Japan is also the target of the attack}},
date = {2021-11-19},
organization = {LAC WATCH},
url = {https://www.lac.co.jp/lacwatch/alert/20211119_002801.html},
language = {English},
urldate = {2021-11-25}
}
Malware Emotet resumes its activities for the first time in 10 months, and Japan is also the target of the attack Emotet |
2021-11-18 ⋅ Netskope ⋅ Gustavo Palazolo, Ghanashyam Satpathy @online{palazolo:20211118:netskope:39d2098,
author = {Gustavo Palazolo and Ghanashyam Satpathy},
title = {{Netskope Threat Coverage: The Return of Emotet}},
date = {2021-11-18},
organization = {Netskope},
url = {https://www.netskope.com/blog/netskope-threat-coverage-the-return-of-emotet},
language = {English},
urldate = {2021-11-25}
}
Netskope Threat Coverage: The Return of Emotet Emotet |
2021-11-18 ⋅ eSentire ⋅ eSentire @online{esentire:20211118:emotet:ded09a3,
author = {eSentire},
title = {{Emotet Activity Identified}},
date = {2021-11-18},
organization = {eSentire},
url = {https://www.esentire.com/security-advisories/emotet-activity-identified},
language = {English},
urldate = {2021-11-19}
}
Emotet Activity Identified Emotet |
2021-11-18 ⋅ Red Canary ⋅ The Red Canary Team @online{team:20211118:intelligence:7b00cb9,
author = {The Red Canary Team},
title = {{Intelligence Insights: November 2021}},
date = {2021-11-18},
organization = {Red Canary},
url = {https://redcanary.com/blog/intelligence-insights-november-2021/},
language = {English},
urldate = {2021-11-19}
}
Intelligence Insights: November 2021 Andromeda Conti LockBit QakBot Squirrelwaffle |
2021-11-17 ⋅ Twitter (@Unit42_Intel) ⋅ Unit 42 @online{42:20211117:matanbuchus:9e3556c,
author = {Unit 42},
title = {{Tweet on Matanbuchus Loader used to deliver Qakbot (tag obama128b) and follow-up CobaltStrike}},
date = {2021-11-17},
organization = {Twitter (@Unit42_Intel)},
url = {https://twitter.com/Unit42_Intel/status/1461004489234829320},
language = {English},
urldate = {2021-11-25}
}
Tweet on Matanbuchus Loader used to deliver Qakbot (tag obama128b) and follow-up CobaltStrike Cobalt Strike QakBot |
2021-11-16 ⋅ Twitter (@kienbigmummy) ⋅ m4n0w4r @online{m4n0w4r:20211116:short:97d45fa,
author = {m4n0w4r},
title = {{Tweet on short analysis of QakBot}},
date = {2021-11-16},
organization = {Twitter (@kienbigmummy)},
url = {https://twitter.com/kienbigmummy/status/1460537501676802051},
language = {English},
urldate = {2021-11-19}
}
Tweet on short analysis of QakBot QakBot |
2021-11-16 ⋅ Malwarebytes ⋅ Malwarebytes Threat Intelligence Team @online{team:20211116:trickbot:b624694,
author = {Malwarebytes Threat Intelligence Team},
title = {{TrickBot helps Emotet come back from the dead}},
date = {2021-11-16},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-intelligence/2021/11/trickbot-helps-emotet-come-back-from-the-dead/},
language = {English},
urldate = {2021-11-17}
}
TrickBot helps Emotet come back from the dead Emotet TrickBot |
2021-11-16 ⋅ Zscaler ⋅ Deepen Desai @online{desai:20211116:return:936dad6,
author = {Deepen Desai},
title = {{Return of Emotet malware}},
date = {2021-11-16},
organization = {Zscaler},
url = {https://www.zscaler.com/blogs/security-research/return-emotet-malware},
language = {English},
urldate = {2021-11-19}
}
Return of Emotet malware Emotet |
2021-11-16 ⋅ Hornetsecurity ⋅ Security Lab @online{lab:20211116:comeback:7f2b540,
author = {Security Lab},
title = {{Comeback of Emotet}},
date = {2021-11-16},
organization = {Hornetsecurity},
url = {https://www.hornetsecurity.com/en/threat-research/comeback-emotet/},
language = {English},
urldate = {2021-11-25}
}
Comeback of Emotet Emotet |
2021-11-16 ⋅ IronNet ⋅ IronNet Threat Research, Morgan Demboski, Joey Fitzpatrick, Peter Rydzynski @online{research:20211116:how:d7fdaf8,
author = {IronNet Threat Research and Morgan Demboski and Joey Fitzpatrick and Peter Rydzynski},
title = {{How IronNet's Behavioral Analytics Detect REvil and Conti Ransomware}},
date = {2021-11-16},
organization = {IronNet},
url = {https://www.ironnet.com/blog/ransomware-graphic-blog},
language = {English},
urldate = {2021-11-25}
}
How IronNet's Behavioral Analytics Detect REvil and Conti Ransomware Cobalt Strike Conti IcedID REvil |
2021-11-16 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan @online{duncan:20211116:emotet:3545954,
author = {Brad Duncan},
title = {{Emotet Returns}},
date = {2021-11-16},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/28044},
language = {English},
urldate = {2021-11-17}
}
Emotet Returns Emotet |
2021-11-15 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20211115:emotet:8de6d81,
author = {Lawrence Abrams},
title = {{Emotet malware is back and rebuilding its botnet via TrickBot}},
date = {2021-11-15},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/emotet-malware-is-back-and-rebuilding-its-botnet-via-trickbot/},
language = {English},
urldate = {2021-11-17}
}
Emotet malware is back and rebuilding its botnet via TrickBot Emotet |
2021-11-15 ⋅ cyber.wtf blog ⋅ Luca Ebach @online{ebach:20211115:guess:81c7df8,
author = {Luca Ebach},
title = {{Guess who’s back}},
date = {2021-11-15},
organization = {cyber.wtf blog},
url = {https://cyber.wtf/2021/11/15/guess-whos-back/},
language = {English},
urldate = {2021-11-17}
}
Guess who’s back Emotet |
2021-11-15 ⋅ TRUESEC ⋅ Fabio Viggiani @online{viggiani:20211115:proxyshell:bf17c6d,
author = {Fabio Viggiani},
title = {{ProxyShell, QBot, and Conti Ransomware Combined in a Series of Cyberattacks}},
date = {2021-11-15},
organization = {TRUESEC},
url = {https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks},
language = {English},
urldate = {2021-11-17}
}
ProxyShell, QBot, and Conti Ransomware Combined in a Series of Cyberattacks Cobalt Strike Conti QakBot |
2021-11-13 ⋅ Trend Micro ⋅ Ian Kenefick, Vladimir Kropotov @online{kenefick:20211113:qakbot:3138b93,
author = {Ian Kenefick and Vladimir Kropotov},
title = {{QAKBOT Loader Returns With New Techniques and Tools}},
date = {2021-11-13},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/k/qakbot-loader-returns-with-new-techniques-and-tools.html},
language = {English},
urldate = {2021-11-17}
}
QAKBOT Loader Returns With New Techniques and Tools QakBot |
2021-11-13 ⋅ YouTube (AGDC Services) ⋅ AGDC Services @online{services:20211113:automate:487e01f,
author = {AGDC Services},
title = {{Automate Qbot Malware String Decryption With Ghidra Script}},
date = {2021-11-13},
organization = {YouTube (AGDC Services)},
url = {https://www.youtube.com/watch?v=4I0LF8Vm7SI},
language = {English},
urldate = {2021-11-19}
}
Automate Qbot Malware String Decryption With Ghidra Script QakBot |
2021-11-12 ⋅ Recorded Future ⋅ Insikt Group® @techreport{group:20211112:business:6d6cffa,
author = {Insikt Group®},
title = {{The Business of Fraud: Botnet Malware Dissemination}},
date = {2021-11-12},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf},
language = {English},
urldate = {2021-11-17}
}
The Business of Fraud: Botnet Malware Dissemination Mozi Dridex IcedID QakBot TrickBot |
2021-11-12 ⋅ Trend Micro ⋅ Ian Kenefick, Vladimir Kropotov @techreport{kenefick:20211112:prelude:781d4d7,
author = {Ian Kenefick and Vladimir Kropotov},
title = {{The Prelude to Ransomware: A Look into Current QAKBOT Capabilities and Global Activities}},
date = {2021-11-12},
institution = {Trend Micro},
url = {https://documents.trendmicro.com/assets/pdf/Technical-Brief---The-Prelude-to-Ransomware-A-Look-into-Current-QAKBOT-Capabilities-and-Activity.pdf},
language = {English},
urldate = {2021-11-17}
}
The Prelude to Ransomware: A Look into Current QAKBOT Capabilities and Global Activities QakBot |
2021-11-11 ⋅ Cynet ⋅ Max Malyutin @online{malyutin:20211111:duck:897cc6f,
author = {Max Malyutin},
title = {{A Duck Nightmare Quakbot Strikes with QuakNightmare Exploitation}},
date = {2021-11-11},
organization = {Cynet},
url = {https://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation/},
language = {English},
urldate = {2021-11-25}
}
A Duck Nightmare Quakbot Strikes with QuakNightmare Exploitation Cobalt Strike QakBot |
2021-11-11 ⋅ vmware ⋅ Jason Zhang, Stefano Ortolani, Giovanni Vigna, Threat Analysis Unit @online{zhang:20211111:research:b254ed6,
author = {Jason Zhang and Stefano Ortolani and Giovanni Vigna and Threat Analysis Unit},
title = {{Research Recap: How To Automate Malware Campaign Detection With Telemetry Peak Analyzer}},
date = {2021-11-11},
organization = {vmware},
url = {https://blogs.vmware.com/security/2021/11/telemetry-peak-analyzer-an-automatic-malware-campaign-detector.html},
language = {English},
urldate = {2022-03-22}
}
Research Recap: How To Automate Malware Campaign Detection With Telemetry Peak Analyzer Phorpiex QakBot |
2021-11-10 ⋅ CIRCL ⋅ CIRCL @online{circl:20211110:tr64:37ab4d8,
author = {CIRCL},
title = {{TR-64 - Exploited Exchange Servers - Mails with links to malware from known/valid senders}},
date = {2021-11-10},
organization = {CIRCL},
url = {https://www.circl.lu/pub/tr-64/},
language = {English},
urldate = {2021-11-25}
}
TR-64 - Exploited Exchange Servers - Mails with links to malware from known/valid senders QakBot |
2021-11-09 ⋅ MinervaLabs ⋅ Minerva Labs @online{labs:20211109:new:411a8fd,
author = {Minerva Labs},
title = {{A New DatopLoader Delivers QakBot Trojan}},
date = {2021-11-09},
organization = {MinervaLabs},
url = {https://blog.minerva-labs.com/a-new-datoploader-delivers-qakbot-trojan},
language = {English},
urldate = {2021-11-17}
}
A New DatopLoader Delivers QakBot Trojan QakBot Squirrelwaffle |
2021-11-04 ⋅ splunk ⋅ Splunk Threat Research Team @online{team:20211104:detecting:d8aba5b,
author = {Splunk Threat Research Team},
title = {{Detecting IcedID... Could It Be A Trickbot Copycat?}},
date = {2021-11-04},
organization = {splunk},
url = {https://www.splunk.com/en_us/blog/security/detecting-icedid-could-it-be-a-trickbot-copycat.html},
language = {English},
urldate = {2021-11-08}
}
Detecting IcedID... Could It Be A Trickbot Copycat? IcedID |
2021-11-03 ⋅ Twitter (@Corvid_Cyber) ⋅ CORVID @online{corvid:20211103:unique:3709f32,
author = {CORVID},
title = {{Tweet on a unique Qbot debugger dropped by an actor after compromise}},
date = {2021-11-03},
organization = {Twitter (@Corvid_Cyber)},
url = {https://twitter.com/Corvid_Cyber/status/1455844008081641472},
language = {English},
urldate = {2021-11-08}
}
Tweet on a unique Qbot debugger dropped by an actor after compromise QakBot |
2021-11-03 ⋅ Team Cymru ⋅ tcblogposts @online{tcblogposts:20211103:webinject:f4d41bb,
author = {tcblogposts},
title = {{Webinject Panel Administration: A Vantage Point into Multiple Threat Actor Campaigns - A Case Study on the Value of Threat Reconnaisance}},
date = {2021-11-03},
organization = {Team Cymru},
url = {https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/},
language = {English},
urldate = {2021-11-08}
}
Webinject Panel Administration: A Vantage Point into Multiple Threat Actor Campaigns - A Case Study on the Value of Threat Reconnaisance DoppelDridex IcedID QakBot Zloader |
2021-10-26 ⋅ ANSSI @techreport{anssi:20211026:identification:9444ac3,
author = {ANSSI},
title = {{Identification of a new cyber criminal group: Lockean}},
date = {2021-10-26},
institution = {ANSSI},
url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf},
language = {English},
urldate = {2022-01-25}
}
Identification of a new cyber criminal group: Lockean Cobalt Strike DoppelPaymer Egregor Maze PwndLocker QakBot REvil |
2021-10-26 ⋅ Cisco Talos ⋅ Edmund Brumaghin, Mariano Graziano, Nick Mavis @online{brumaghin:20211026:squirrelwaffle:88c5943,
author = {Edmund Brumaghin and Mariano Graziano and Nick Mavis},
title = {{SQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike}},
date = {2021-10-26},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html},
language = {English},
urldate = {2021-11-02}
}
SQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike Cobalt Strike QakBot Squirrelwaffle |
2021-10-25 ⋅ Cleafy ⋅ Cleafy @online{cleafy:20211025:digital:48fbdf8,
author = {Cleafy},
title = {{Digital banking fraud: how the Gozi malware works}},
date = {2021-10-25},
organization = {Cleafy},
url = {https://www.cleafy.com/cleafy-labs/digital-banking-fraud-how-the-gozi-malware-work},
language = {English},
urldate = {2021-11-02}
}
Digital banking fraud: how the Gozi malware works ISFB |
2021-10-18 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20211018:icedid:0b574b0,
author = {The DFIR Report},
title = {{IcedID to XingLocker Ransomware in 24 hours}},
date = {2021-10-18},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/},
language = {English},
urldate = {2021-10-22}
}
IcedID to XingLocker Ransomware in 24 hours Cobalt Strike IcedID Mount Locker |
2021-10-15 ⋅ Trend Micro ⋅ Fernando Mercês @online{mercs:20211015:ransomware:c944933,
author = {Fernando Mercês},
title = {{Ransomware Operators Found Using New "Franchise" Business Model}},
date = {2021-10-15},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/j/ransomware-operators-found-using-new-franchise-business-model.html},
language = {English},
urldate = {2021-10-24}
}
Ransomware Operators Found Using New "Franchise" Business Model Glupteba IcedID Mount Locker |
2021-10-07 ⋅ Netskope ⋅ Gustavo Palazolo, Ghanashyam Satpathy @online{palazolo:20211007:squirrelwaffle:3506816,
author = {Gustavo Palazolo and Ghanashyam Satpathy},
title = {{SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot}},
date = {2021-10-07},
organization = {Netskope},
url = {https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot},
language = {English},
urldate = {2021-10-11}
}
SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot Cobalt Strike QakBot Squirrelwaffle |
2021-09-29 ⋅ Proofpoint ⋅ Selena Larson, Proofpoint Staff @online{larson:20210929:ta544:ab2f0d3,
author = {Selena Larson and Proofpoint Staff},
title = {{TA544 Targets Italian Organizations with Ursnif Malware}},
date = {2021-09-29},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/blog/security-briefs/ta544-targets-italian-organizations-ursnif-malware},
language = {English},
urldate = {2021-10-11}
}
TA544 Targets Italian Organizations with Ursnif Malware ISFB |
2021-09-03 ⋅ IBM ⋅ Camille Singleton, Andrew Gorecki, John Dwyer @online{singleton:20210903:dissecting:4d56786,
author = {Camille Singleton and Andrew Gorecki and John Dwyer},
title = {{Dissecting Sodinokibi Ransomware Attacks: Bringing Incident Response and Intelligence Together in the Fight}},
date = {2021-09-03},
organization = {IBM},
url = {https://securityintelligence.com/posts/sodinokibi-ransomware-incident-response-intelligence-together/},
language = {English},
urldate = {2021-09-09}
}
Dissecting Sodinokibi Ransomware Attacks: Bringing Incident Response and Intelligence Together in the Fight Valak QakBot REvil |
2021-09-03 ⋅ Trend Micro ⋅ Mohamad Mokbel @techreport{mokbel:20210903:state:df86499,
author = {Mohamad Mokbel},
title = {{The State of SSL/TLS Certificate Usage in Malware C\&C Communications}},
date = {2021-09-03},
institution = {Trend Micro},
url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf},
language = {English},
urldate = {2021-09-19}
}
The State of SSL/TLS Certificate Usage in Malware C&C Communications AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader |
2021-09-02 ⋅ Kaspersky ⋅ Anton Kuzmenko, Oleg Kupreev, Haim Zigel @online{kuzmenko:20210902:qakbot:219d23c,
author = {Anton Kuzmenko and Oleg Kupreev and Haim Zigel},
title = {{QakBot Technical Analysis}},
date = {2021-09-02},
organization = {Kaspersky},
url = {https://securelist.com/qakbot-technical-analysis/103931/},
language = {English},
urldate = {2021-09-06}
}
QakBot Technical Analysis QakBot |
2021-08-15 ⋅ Symantec ⋅ Threat Hunter Team @techreport{team:20210815:ransomware:f799696,
author = {Threat Hunter Team},
title = {{The Ransomware Threat}},
date = {2021-08-15},
institution = {Symantec},
url = {https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf},
language = {English},
urldate = {2021-12-15}
}
The Ransomware Threat Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker |
2021-08-05 ⋅ Group-IB ⋅ Viktor Okorokov, Nikita Rostovcev @online{okorokov:20210805:prometheus:38ab6a6,
author = {Viktor Okorokov and Nikita Rostovcev},
title = {{Prometheus TDS The key to success for Campo Loader, Hancitor, IcedID, and QBot}},
date = {2021-08-05},
organization = {Group-IB},
url = {https://blog.group-ib.com/prometheus-tds},
language = {English},
urldate = {2021-08-06}
}
Prometheus TDS The key to success for Campo Loader, Hancitor, IcedID, and QBot Prometheus Backdoor Buer campoloader Hancitor IcedID QakBot |
2021-08-05 ⋅ The Record ⋅ Catalin Cimpanu @online{cimpanu:20210805:meet:bce8310,
author = {Catalin Cimpanu},
title = {{Meet Prometheus, the secret TDS behind some of today’s malware campaigns}},
date = {2021-08-05},
organization = {The Record},
url = {https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/},
language = {English},
urldate = {2021-08-06}
}
Meet Prometheus, the secret TDS behind some of today’s malware campaigns Buer campoloader IcedID QakBot |
2021-07-30 ⋅ HP ⋅ Patrick Schläpfer @online{schlpfer:20210730:detecting:2291323,
author = {Patrick Schläpfer},
title = {{Detecting TA551 domains}},
date = {2021-07-30},
organization = {HP},
url = {https://threatresearch.ext.hp.com/detecting-ta551-domains/},
language = {English},
urldate = {2021-08-02}
}
Detecting TA551 domains Valak Dridex IcedID ISFB QakBot |
2021-07-26 ⋅ vmware ⋅ Quentin Fois, Pavankumar Chaudhari @online{fois:20210726:hunting:ff1181b,
author = {Quentin Fois and Pavankumar Chaudhari},
title = {{Hunting IcedID and unpacking automation with Qiling}},
date = {2021-07-26},
organization = {vmware},
url = {https://blogs.vmware.com/security/2021/07/hunting-icedid-and-unpacking-automation-with-qiling.html},
language = {English},
urldate = {2021-07-27}
}
Hunting IcedID and unpacking automation with Qiling IcedID |
2021-07-24 ⋅ 0ffset Blog ⋅ Daniel Bunce @online{bunce:20210724:quack:ddda5cd,
author = {Daniel Bunce},
title = {{Quack Quack: Analysing Qakbot’s Browser Hooking Module – Part 1}},
date = {2021-07-24},
organization = {0ffset Blog},
url = {https://www.0ffset.net/reverse-engineering/malware-analysis/qakbot-browser-hooking-p1/},
language = {English},
urldate = {2021-08-02}
}
Quack Quack: Analysing Qakbot’s Browser Hooking Module – Part 1 QakBot |
2021-07-23 ⋅ Github (Lastline-Inc) ⋅ Quentin Fois, Pavankumar Chaudhari @online{fois:20210723:yara:e9a8a22,
author = {Quentin Fois and Pavankumar Chaudhari},
title = {{YARA rules, IOCs and Scripts for extracting IcedID C2s}},
date = {2021-07-23},
organization = {Github (Lastline-Inc)},
url = {https://github.com/Lastline-Inc/iocs-tools/tree/main/2021-07-IcedID-Part-2},
language = {English},
urldate = {2021-07-27}
}
YARA rules, IOCs and Scripts for extracting IcedID C2s IcedID |
2021-07-19 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20210719:icedid:0365384,
author = {The DFIR Report},
title = {{IcedID and Cobalt Strike vs Antivirus}},
date = {2021-07-19},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/},
language = {English},
urldate = {2021-07-20}
}
IcedID and Cobalt Strike vs Antivirus Cobalt Strike IcedID |
2021-07-14 ⋅ Cerium Networks ⋅ Blumira @online{blumira:20210714:threat:614d084,
author = {Blumira},
title = {{Threat of the Month: IcedID Malware}},
date = {2021-07-14},
organization = {Cerium Networks},
url = {https://ceriumnetworks.com/threat-of-the-month-icedid-malware/},
language = {English},
urldate = {2021-07-20}
}
Threat of the Month: IcedID Malware IcedID |
2021-07-12 ⋅ The Record ⋅ Catalin Cimpanu @online{cimpanu:20210712:over:c88e351,
author = {Catalin Cimpanu},
title = {{Over 780,000 email accounts compromised by Emotet have been secured}},
date = {2021-07-12},
organization = {The Record},
url = {https://therecord.media/over-780000-email-accounts-compromised-by-emotet-have-been-secured/},
language = {English},
urldate = {2021-07-20}
}
Over 780,000 email accounts compromised by Emotet have been secured Emotet |
2021-07-08 ⋅ vmware ⋅ Quentin Fois, Pavankumar Chaudhari @online{fois:20210708:icedid:47da76d,
author = {Quentin Fois and Pavankumar Chaudhari},
title = {{IcedID: Analysis and Detection}},
date = {2021-07-08},
organization = {vmware},
url = {https://blogs.vmware.com/security/2021/07/icedid-analysis-and-detection.html},
language = {English},
urldate = {2021-07-20}
}
IcedID: Analysis and Detection IcedID |
2021-06-30 ⋅ Cynet ⋅ Max Malyutin @online{malyutin:20210630:shelob:1c93f5d,
author = {Max Malyutin},
title = {{Shelob Moonlight – Spinning a Larger Web From IcedID to CONTI, a Trojan and Ransomware collaboration}},
date = {2021-06-30},
organization = {Cynet},
url = {https://www.cynet.com/attack-techniques-hands-on/shelob-moonlight-spinning-a-larger-web/},
language = {English},
urldate = {2021-07-20}
}
Shelob Moonlight – Spinning a Larger Web From IcedID to CONTI, a Trojan and Ransomware collaboration Conti IcedID |
2021-06-30 ⋅ The Record ⋅ Catalin Cimpanu @online{cimpanu:20210630:gozi:8760ba7,
author = {Catalin Cimpanu},
title = {{Gozi malware gang member arrested in Colombia}},
date = {2021-06-30},
organization = {The Record},
url = {https://therecord.media/gozi-malware-gang-member-arrested-in-colombia/},
language = {English},
urldate = {2021-07-02}
}
Gozi malware gang member arrested in Colombia Gozi ISFB |
2021-06-24 ⋅ Kaspersky ⋅ Anton Kuzmenko @online{kuzmenko:20210624:malicious:83a5c83,
author = {Anton Kuzmenko},
title = {{Malicious spam campaigns delivering banking Trojans}},
date = {2021-06-24},
organization = {Kaspersky},
url = {https://securelist.com/malicious-spam-campaigns-delivering-banking-trojans/102917},
language = {English},
urldate = {2021-06-25}
}
Malicious spam campaigns delivering banking Trojans IcedID QakBot |
2021-06-24 ⋅ SentinelOne ⋅ Marco Figueroa @online{figueroa:20210624:evasive:7f0d507,
author = {Marco Figueroa},
title = {{Evasive Maneuvers | Massive IcedID Campaign Aims For Stealth with Benign Macros}},
date = {2021-06-24},
organization = {SentinelOne},
url = {https://labs.sentinelone.com/evasive-maneuvers-massive-icedid-campaign-aims-for-stealth-with-benign-macros/},
language = {English},
urldate = {2021-06-29}
}
Evasive Maneuvers | Massive IcedID Campaign Aims For Stealth with Benign Macros IcedID |
2021-06-23 ⋅ IBM ⋅ Itzik Chimino @online{chimino:20210623:ursnif:700b0a7,
author = {Itzik Chimino},
title = {{Ursnif Leverages Cerberus to Automate Fraudulent Bank Transfers in Italy}},
date = {2021-06-23},
organization = {IBM},
url = {https://securityintelligence.com/posts/ursnif-cerberus-android-malware-bank-transfers-italy/},
language = {English},
urldate = {2021-06-24}
}
Ursnif Leverages Cerberus to Automate Fraudulent Bank Transfers in Italy ISFB |
2021-06-20 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20210620:from:aadb7e8,
author = {The DFIR Report},
title = {{From Word to Lateral Movement in 1 Hour}},
date = {2021-06-20},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/},
language = {English},
urldate = {2021-06-22}
}
From Word to Lateral Movement in 1 Hour Cobalt Strike IcedID |
2021-06-16 ⋅ S2 Grupo ⋅ CSIRT-CV (the ICT Security Center of the Valencian Community) @online{community:20210616:emotet:7e0fafe,
author = {CSIRT-CV (the ICT Security Center of the Valencian Community)},
title = {{Emotet campaign analysis}},
date = {2021-06-16},
organization = {S2 Grupo},
url = {https://www.securityartwork.es/2021/06/16/analisis-campana-emotet/},
language = {Spanish},
urldate = {2021-06-21}
}
Emotet campaign analysis Emotet QakBot |
2021-06-16 ⋅ Proofpoint ⋅ Selena Larson, Daniel Blackford, Garrett M. Graff @online{larson:20210616:first:2e436a0,
author = {Selena Larson and Daniel Blackford and Garrett M. Graff},
title = {{The First Step: Initial Access Leads to Ransomware}},
date = {2021-06-16},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware},
language = {English},
urldate = {2021-06-21}
}
The First Step: Initial Access Leads to Ransomware BazarBackdoor Egregor IcedID Maze QakBot REvil Ryuk TrickBot WastedLocker |
2021-06-16 ⋅ Twitter (@ChouchWard) ⋅ ch0uch ward @online{ward:20210616:qbot:1adaa08,
author = {ch0uch ward},
title = {{Tweet on Qbot operators left their web server's access.log file unsecured}},
date = {2021-06-16},
organization = {Twitter (@ChouchWard)},
url = {https://twitter.com/ChouchWard/status/1405168040254316547},
language = {English},
urldate = {2021-06-21}
}
Tweet on Qbot operators left their web server's access.log file unsecured QakBot |
2021-06-15 ⋅ Perception Point ⋅ Shai Golderman @online{golderman:20210615:insights:d3fc7b6,
author = {Shai Golderman},
title = {{Insights Into an Excel 4.0 Macro Attack using Qakbot Malware}},
date = {2021-06-15},
organization = {Perception Point},
url = {https://perception-point.io/insights-into-an-excel-4-0-macro-attack-using-qakbot-malware},
language = {English},
urldate = {2021-06-21}
}
Insights Into an Excel 4.0 Macro Attack using Qakbot Malware QakBot |
2021-06-10 ⋅ ZEIT Online ⋅ Kai Biermann, Astrid Geisler, Herwig G. Höller, Karsten Polke-Majewski, Zachary Kamel @online{biermann:20210610:trail:42969a8,
author = {Kai Biermann and Astrid Geisler and Herwig G. Höller and Karsten Polke-Majewski and Zachary Kamel},
title = {{On the Trail of the Internet Extortionists}},
date = {2021-06-10},
organization = {ZEIT Online},
url = {https://www.zeit.de/digital/2021-06/cybercrime-extortion-internet-spyware-ransomware-police-prosecution-hackers},
language = {English},
urldate = {2021-07-02}
}
On the Trail of the Internet Extortionists Emotet Mailto |
2021-06-10 ⋅ ZAYOTEM ⋅ İlker Verimoğlu, Emre Doğan, Kaan Binen, Abdulkadir Binan, Emrah Sarıdağ @online{verimolu:20210610:qakbot:4896852,
author = {İlker Verimoğlu and Emre Doğan and Kaan Binen and Abdulkadir Binan and Emrah Sarıdağ},
title = {{QakBot Technical Analysis Report}},
date = {2021-06-10},
organization = {ZAYOTEM},
url = {https://drive.google.com/file/d/1mO2Zb-Q94t39DvdASd4KNTPBD8JdkyC3/view},
language = {English},
urldate = {2021-06-16}
}
QakBot Technical Analysis Report QakBot |
2021-06-10 ⋅ Tagesschau ⋅ Hakan Tanriverdi, Maximilian Zierer @online{tanriverdi:20210610:schadsoftware:834b3fd,
author = {Hakan Tanriverdi and Maximilian Zierer},
title = {{Schadsoftware Emotet: BKA befragt Schlüsselfigur}},
date = {2021-06-10},
organization = {Tagesschau},
url = {https://www.tagesschau.de/investigativ/br-recherche/emotet-schadsoftware-103.html},
language = {German},
urldate = {2021-07-02}
}
Schadsoftware Emotet: BKA befragt Schlüsselfigur Emotet |
2021-06-08 ⋅ Advanced Intelligence ⋅ Vitali Kremez, Yelisey Boguslavskiy @online{kremez:20210608:from:62f4d20,
author = {Vitali Kremez and Yelisey Boguslavskiy},
title = {{From QBot...with REvil Ransomware: Initial Attack Exposure of JBS}},
date = {2021-06-08},
organization = {Advanced Intelligence},
url = {https://www.advanced-intel.com/post/from-qbot-with-revil-ransomware-initial-attack-exposure-of-jbs},
language = {English},
urldate = {2021-06-09}
}
From QBot...with REvil Ransomware: Initial Attack Exposure of JBS QakBot REvil |
2021-06-02 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20210602:fujifilm:eced96f,
author = {Lawrence Abrams},
title = {{FUJIFILM shuts down network after suspected ransomware attack}},
date = {2021-06-02},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/fujifilm-shuts-down-network-after-suspected-ransomware-attack/},
language = {English},
urldate = {2021-06-09}
}
FUJIFILM shuts down network after suspected ransomware attack QakBot |
2021-05-29 ⋅ Youtube (AhmedS Kasmani) ⋅ AhmedS Kasmani @online{kasmani:20210529:analysis:96b0902,
author = {AhmedS Kasmani},
title = {{Analysis of ICEID Malware Installer DLL}},
date = {2021-05-29},
organization = {Youtube (AhmedS Kasmani)},
url = {https://www.youtube.com/watch?v=wMXD4Sv1Alw},
language = {English},
urldate = {2021-06-04}
}
Analysis of ICEID Malware Installer DLL IcedID |
2021-05-26 ⋅ DeepInstinct ⋅ Ron Ben Yizhak @online{yizhak:20210526:deep:c123a19,
author = {Ron Ben Yizhak},
title = {{A Deep Dive into Packing Software CryptOne}},
date = {2021-05-26},
organization = {DeepInstinct},
url = {https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/},
language = {English},
urldate = {2021-06-22}
}
A Deep Dive into Packing Software CryptOne Cobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader |
2021-05-26 ⋅ Check Point ⋅ Alex Ilgayev @online{ilgayev:20210526:melting:40f5caf,
author = {Alex Ilgayev},
title = {{Melting Ice – Tracking IcedID Servers with a few simple steps}},
date = {2021-05-26},
organization = {Check Point},
url = {https://research.checkpoint.com/2021/melting-ice-tracking-icedid-servers-with-a-few-simple-steps/},
language = {English},
urldate = {2021-06-09}
}
Melting Ice – Tracking IcedID Servers with a few simple steps IcedID |
2021-05-19 ⋅ Team Cymru ⋅ Josh Hopkins, Andy Kraus, Nick Byers @online{hopkins:20210519:tracking:45749be,
author = {Josh Hopkins and Andy Kraus and Nick Byers},
title = {{Tracking BokBot Infrastructure Mapping a Vast and Currently Active BokBot Network}},
date = {2021-05-19},
organization = {Team Cymru},
url = {https://team-cymru.com/blog/2021/05/19/tracking-bokbot-infrastructure/},
language = {English},
urldate = {2021-05-26}
}
Tracking BokBot Infrastructure Mapping a Vast and Currently Active BokBot Network IcedID |
2021-05-19 ⋅ Intel 471 ⋅ Intel 471 @online{471:20210519:look:5ba9516,
author = {Intel 471},
title = {{Look how many cybercriminals love Cobalt Strike}},
date = {2021-05-19},
organization = {Intel 471},
url = {https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor},
language = {English},
urldate = {2021-05-19}
}
Look how many cybercriminals love Cobalt Strike BazarBackdoor Cobalt Strike Hancitor QakBot SmokeLoader SystemBC TrickBot |
2021-05-18 ⋅ RECON INFOSEC ⋅ Andrew Cook @online{cook:20210518:encounter:c4ef6d9,
author = {Andrew Cook},
title = {{An Encounter With TA551/Shathak}},
date = {2021-05-18},
organization = {RECON INFOSEC},
url = {https://blog.reconinfosec.com/an-encounter-with-ta551-shathak},
language = {English},
urldate = {2021-05-25}
}
An Encounter With TA551/Shathak IcedID |
2021-05-17 ⋅ Github (telekom-security) ⋅ Deutsche Telekom Security GmbH @online{gmbh:20210517:icedidanalysis:e985983,
author = {Deutsche Telekom Security GmbH},
title = {{icedid\_analysis}},
date = {2021-05-17},
organization = {Github (telekom-security)},
url = {https://github.com/telekom-security/icedid_analysis},
language = {English},
urldate = {2021-05-17}
}
icedid_analysis IcedID |
2021-05-17 ⋅ Telekom ⋅ Thomas Barabosch @online{barabosch:20210517:lets:04a8b63,
author = {Thomas Barabosch},
title = {{Let’s set ice on fire: Hunting and detecting IcedID infections}},
date = {2021-05-17},
organization = {Telekom},
url = {https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240},
language = {English},
urldate = {2021-05-17}
}
Let’s set ice on fire: Hunting and detecting IcedID infections IcedID |
2021-05-12 ⋅ The DFIR Report @online{report:20210512:conti:598c5f2,
author = {The DFIR Report},
title = {{Conti Ransomware}},
date = {2021-05-12},
url = {https://thedfirreport.com/2021/05/12/conti-ransomware/},
language = {English},
urldate = {2021-05-13}
}
Conti Ransomware Cobalt Strike Conti IcedID |
2021-05-10 ⋅ Wirtschaftswoche ⋅ Thomas Kuhn @online{kuhn:20210510:how:5f1953b,
author = {Thomas Kuhn},
title = {{How one of the largest hacker networks in the world was paralyzed}},
date = {2021-05-10},
organization = {Wirtschaftswoche},
url = {https://www.wiwo.de/my/technologie/digitale-welt/emotet-netzwerk-wie-eines-der-groessten-hacker-netzwerke-der-welt-lahmgelegt-wurde/27164048.html},
language = {German},
urldate = {2021-05-13}
}
How one of the largest hacker networks in the world was paralyzed Emotet |
2021-05-10 ⋅ MALWATION ⋅ malwation @online{malwation:20210510:icedid:0637539,
author = {malwation},
title = {{IcedID Malware Technical Analysis Report}},
date = {2021-05-10},
organization = {MALWATION},
url = {https://malwation.com/icedid-malware-technical-analysis-report/},
language = {English},
urldate = {2021-07-02}
}
IcedID Malware Technical Analysis Report IcedID |
2021-05-10 ⋅ Mal-Eats ⋅ mal_eats @online{maleats:20210510:overview:50ff3b3,
author = {mal_eats},
title = {{Overview of Campo, a new attack campaign targeting Japan}},
date = {2021-05-10},
organization = {Mal-Eats},
url = {https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/},
language = {English},
urldate = {2021-05-13}
}
Overview of Campo, a new attack campaign targeting Japan AnchorDNS BazarBackdoor Cobalt Strike ISFB Phobos TrickBot Zloader |
2021-05-04 ⋅ NCC Group ⋅ fumik0, NCC RIFT @online{fumik0:20210504:rm3:cd994e6,
author = {fumik0 and NCC RIFT},
title = {{RM3 – Curiosities of the wildest banking malware}},
date = {2021-05-04},
organization = {NCC Group},
url = {https://research.nccgroup.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/},
language = {English},
urldate = {2021-05-19}
}
RM3 – Curiosities of the wildest banking malware ISFB RM3 |
2021-05-04 ⋅ Seguranca Informatica ⋅ Pedro Tavares @online{tavares:20210504:taste:b6a3380,
author = {Pedro Tavares},
title = {{A taste of the latest release of QakBot}},
date = {2021-05-04},
organization = {Seguranca Informatica},
url = {https://seguranca-informatica.pt/a-taste-of-the-latest-release-of-qakbot},
language = {English},
urldate = {2021-05-07}
}
A taste of the latest release of QakBot QakBot |
2021-05-04 ⋅ Fox-IT ⋅ fumik0, the RIFT Team, Fox IT @online{fumik0:20210504:rm3:41d6969,
author = {fumik0 and the RIFT Team and Fox IT},
title = {{RM3 – Curiosities of the wildest banking malware}},
date = {2021-05-04},
organization = {Fox-IT},
url = {https://blog.fox-it.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/},
language = {English},
urldate = {2021-05-04}
}
RM3 – Curiosities of the wildest banking malware ISFB |
2021-04-30 ⋅ MADRID Labs ⋅ Odin Bernstein @online{bernstein:20210430:qbot:104bad4,
author = {Odin Bernstein},
title = {{Qbot: Analyzing PHP Proxy Scripts from Compromised Web Server}},
date = {2021-04-30},
organization = {MADRID Labs},
url = {https://madlabs.dsu.edu/madrid/blog/2021/04/30/qbot-analyzing-php-proxy-scripts-from-compromised-web-server/},
language = {English},
urldate = {2021-05-08}
}
Qbot: Analyzing PHP Proxy Scripts from Compromised Web Server QakBot |
2021-04-28 ⋅ IBM ⋅ David Bisson @online{bisson:20210428:qbot:dcbcd50,
author = {David Bisson},
title = {{QBot Malware Spotted Using Windows Defender Antivirus Lure}},
date = {2021-04-28},
organization = {IBM},
url = {https://securityintelligence.com/news/qbot-malware-using-windows-defender-antivirus-lure/},
language = {English},
urldate = {2021-05-03}
}
QBot Malware Spotted Using Windows Defender Antivirus Lure QakBot |
2021-04-28 ⋅ Reversing Labs ⋅ Karlo Zanki @online{zanki:20210428:spotting:61ba0f6,
author = {Karlo Zanki},
title = {{Spotting malicious Excel4 macros}},
date = {2021-04-28},
organization = {Reversing Labs},
url = {https://blog.reversinglabs.com/blog/spotting-malicious-excel4-macros},
language = {English},
urldate = {2021-05-03}
}
Spotting malicious Excel4 macros QakBot |
2021-04-22 ⋅ Github (@cecio) ⋅ @red5heep @online{red5heep:20210422:emotet:44c2798,
author = {@red5heep},
title = {{EMOTET: a State-Machine reversing exercise}},
date = {2021-04-22},
organization = {Github (@cecio)},
url = {https://github.com/cecio/EMOTET-2020-Reversing},
language = {English},
urldate = {2021-11-12}
}
EMOTET: a State-Machine reversing exercise Emotet |
2021-04-22 ⋅ Spamhaus ⋅ Spamhaus Malware Labs @techreport{labs:20210422:spamhaus:4a32a4d,
author = {{Spamhaus Malware Labs}},
title = {{Spamhaus Botnet Threat Update Q1 2021}},
date = {2021-04-22},
institution = {Spamhaus},
url = {https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf},
language = {English},
urldate = {2021-04-28}
}
Spamhaus Botnet Threat Update Q1 2021 Emotet Ficker Stealer Raccoon |
2021-04-19 ⋅ Netresec ⋅ Erik Hjelmvik @online{hjelmvik:20210419:analysing:c6bff49,
author = {Erik Hjelmvik},
title = {{Analysing a malware PCAP with IcedID and Cobalt Strike traffic}},
date = {2021-04-19},
organization = {Netresec},
url = {https://netresec.com/?b=214d7ff},
language = {English},
urldate = {2021-04-20}
}
Analysing a malware PCAP with IcedID and Cobalt Strike traffic Cobalt Strike IcedID |
2021-04-19 ⋅ Twitter (@_alex_il_) ⋅ Alex Ilgayev @online{ilgayev:20210419:qakbots:b3b929c,
author = {Alex Ilgayev},
title = {{Tweet on QakBot's additional decryption mechanism}},
date = {2021-04-19},
organization = {Twitter (@_alex_il_)},
url = {https://twitter.com/_alex_il_/status/1384094623270727685},
language = {English},
urldate = {2021-04-20}
}
Tweet on QakBot's additional decryption mechanism QakBot |
2021-04-17 ⋅ YouTube (Worcester DEFCON Group) ⋅ Joel Snape, Nettitude @online{snape:20210417:inside:2c3ae5c,
author = {Joel Snape and Nettitude},
title = {{Inside IcedID: Anatomy Of An Infostealer}},
date = {2021-04-17},
organization = {YouTube (Worcester DEFCON Group)},
url = {https://www.youtube.com/watch?v=YEqLIR6hfOM},
language = {English},
urldate = {2021-04-20}
}
Inside IcedID: Anatomy Of An Infostealer IcedID |
2021-04-15 ⋅ AT&T ⋅ Dax Morrow, Ofer Caspi @online{morrow:20210415:rise:73d9a21,
author = {Dax Morrow and Ofer Caspi},
title = {{The rise of QakBot}},
date = {2021-04-15},
organization = {AT\&T},
url = {https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot},
language = {English},
urldate = {2021-04-16}
}
The rise of QakBot QakBot |
2021-04-13 ⋅ Silent Push ⋅ Martijn Grooten @online{grooten:20210413:malicious:094869a,
author = {Martijn Grooten},
title = {{Malicious infrastructure as a service}},
date = {2021-04-13},
organization = {Silent Push},
url = {https://www.silentpush.com/blog/malicious-infrastructure-as-a-service},
language = {English},
urldate = {2022-06-09}
}
Malicious infrastructure as a service IcedID PhotoLoader QakBot |
2021-04-12 ⋅ Trend Micro ⋅ Raphael Centeno, Don Ovid Ladores, Lala Manly, Junestherry Salvador, Frankylnn Uy @online{centeno:20210412:spike:d67dcb0,
author = {Raphael Centeno and Don Ovid Ladores and Lala Manly and Junestherry Salvador and Frankylnn Uy},
title = {{A Spike in BazarCall and IcedID Activity Detected in March}},
date = {2021-04-12},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/d/a-spike-in-bazarcall-and-icedid-activity.html},
language = {English},
urldate = {2021-04-14}
}
A Spike in BazarCall and IcedID Activity Detected in March BazarBackdoor IcedID |
2021-04-12 ⋅ Twitter (@elisalem9) ⋅ Eli Salem @online{salem:20210412:tweets:7b7280e,
author = {Eli Salem},
title = {{Tweets on QakBot}},
date = {2021-04-12},
organization = {Twitter (@elisalem9)},
url = {https://twitter.com/elisalem9/status/1381859965875462144},
language = {English},
urldate = {2021-04-14}
}
Tweets on QakBot QakBot |
2021-04-12 ⋅ PTSecurity ⋅ PTSecurity @online{ptsecurity:20210412:paas:1d06836,
author = {PTSecurity},
title = {{PaaS, or how hackers evade antivirus software}},
date = {2021-04-12},
organization = {PTSecurity},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/},
language = {English},
urldate = {2021-04-12}
}
PaaS, or how hackers evade antivirus software Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader |
2021-04-11 ⋅ 4rchibld ⋅ 4rchibld @online{4rchibld:20210411:icedid:4135c21,
author = {4rchibld},
title = {{IcedID on my neck I’m the coolest}},
date = {2021-04-11},
organization = {4rchibld},
url = {https://4rchib4ld.github.io/blog/IcedIDOnMyNeckImTheCoolest/},
language = {English},
urldate = {2021-05-11}
}
IcedID on my neck I’m the coolest IcedID |
2021-04-10 ⋅ Youtube (AhmedS Kasmani) ⋅ AhmedS Kasmani @online{kasmani:20210410:malware:e2000de,
author = {AhmedS Kasmani},
title = {{Malware Analysis: IcedID Banking Trojan JavaScript Dropper}},
date = {2021-04-10},
organization = {Youtube (AhmedS Kasmani)},
url = {https://www.youtube.com/watch?v=oZ4bwnjcXWg},
language = {English},
urldate = {2021-04-12}
}
Malware Analysis: IcedID Banking Trojan JavaScript Dropper IcedID |
2021-04-09 ⋅ aaqeel01 ⋅ Ali Aqeel @online{aqeel:20210409:icedid:a6e3243,
author = {Ali Aqeel},
title = {{IcedID Analysis}},
date = {2021-04-09},
organization = {aaqeel01},
url = {https://aaqeel01.wordpress.com/2021/04/09/icedid-analysis/},
language = {English},
urldate = {2021-04-12}
}
IcedID Analysis IcedID |
2021-04-09 ⋅ Microsoft ⋅ Emily Hacker, Justin Carroll, Microsoft 365 Defender Threat Intelligence Team @online{hacker:20210409:investigating:2b6f30a,
author = {Emily Hacker and Justin Carroll and {Microsoft 365 Defender Threat Intelligence Team}},
title = {{Investigating a unique “form” of email delivery for IcedID malware}},
date = {2021-04-09},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2021/04/09/investigating-a-unique-form-of-email-delivery-for-icedid-malware/},
language = {English},
urldate = {2021-04-12}
}
Investigating a unique “form” of email delivery for IcedID malware IcedID |
2021-04-09 ⋅ Palo Alto Networks Unit 42 ⋅ Yanhui Jia, Chris Navarrete @online{jia:20210409:emotet:c376dd2,
author = {Yanhui Jia and Chris Navarrete},
title = {{Emotet Command and Control Case Study}},
date = {2021-04-09},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/emotet-command-and-control/},
language = {English},
urldate = {2021-04-12}
}
Emotet Command and Control Case Study Emotet |
2021-04-07 ⋅ Uptycs ⋅ Ashwin Vamshi, Abhijit Mohanta @online{vamshi:20210407:icedid:bbda303,
author = {Ashwin Vamshi and Abhijit Mohanta},
title = {{IcedID campaign spotted being spiced with Excel 4 Macros}},
date = {2021-04-07},
organization = {Uptycs},
url = {https://www.uptycs.com/blog/icedid-campaign-spotted-being-spiced-with-excel-4-macros},
language = {English},
urldate = {2021-04-09}
}
IcedID campaign spotted being spiced with Excel 4 Macros IcedID |
2021-04-07 ⋅ Minerva ⋅ Minerva Labs @online{labs:20210407:icedid:d178d16,
author = {{Minerva Labs}},
title = {{IcedID - A New Threat In Office Attachments}},
date = {2021-04-07},
organization = {Minerva},
url = {https://blog.minerva-labs.com/icedid-maas},
language = {English},
urldate = {2021-04-09}
}
IcedID - A New Threat In Office Attachments IcedID |
2021-04-06 ⋅ Intel 471 ⋅ Intel 471 @online{471:20210406:ettersilent:b591f59,
author = {{Intel 471}},
title = {{EtterSilent: the underground’s new favorite maldoc builder}},
date = {2021-04-06},
organization = {Intel 471},
url = {https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/},
language = {English},
urldate = {2021-04-06}
}
EtterSilent: the underground’s new favorite maldoc builder BazarBackdoor ISFB QakBot TrickBot |
2021-04-01 ⋅ Reversing Labs ⋅ Robert Simmons @online{simmons:20210401:code:885c081,
author = {Robert Simmons},
title = {{Code Reuse Across Packers and DLL Loaders}},
date = {2021-04-01},
organization = {Reversing Labs},
url = {https://blog.reversinglabs.com/blog/code-reuse-across-packers-and-dll-loaders},
language = {English},
urldate = {2021-04-09}
}
Code Reuse Across Packers and DLL Loaders IcedID SystemBC |
2021-03-31 ⋅ Silent Push ⋅ Martijn Grooten @online{grooten:20210331:icedid:42c6051,
author = {Martijn Grooten},
title = {{IcedID Command and Control Infrastructure}},
date = {2021-03-31},
organization = {Silent Push},
url = {https://www.silentpush.com/blog/icedid-command-and-control-infrastructure},
language = {English},
urldate = {2022-06-09}
}
IcedID Command and Control Infrastructure IcedID PhotoLoader |
2021-03-31 ⋅ Kaspersky ⋅ Kaspersky @online{kaspersky:20210331:financial:3371aa0,
author = {Kaspersky},
title = {{Financial Cyberthreats in 2020}},
date = {2021-03-31},
organization = {Kaspersky},
url = {https://securelist.com/financial-cyberthreats-in-2020/101638/},
language = {English},
urldate = {2021-04-06}
}
Financial Cyberthreats in 2020 BetaBot DanaBot Emotet Gozi Ramnit RTM SpyEye TrickBot Zeus |
2021-03-31 ⋅ Red Canary ⋅ Red Canary @techreport{canary:20210331:2021:cd81f2d,
author = {{Red Canary}},
title = {{2021 Threat Detection Report}},
date = {2021-03-31},
institution = {Red Canary},
url = {https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf},
language = {English},
urldate = {2021-04-06}
}
2021 Threat Detection Report Shlayer Andromeda Cobalt Strike Dridex Emotet IcedID MimiKatz QakBot TrickBot |
2021-03-29 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20210329:sodinokibi:4c63e20,
author = {{The DFIR Report}},
title = {{Sodinokibi (aka REvil) Ransomware}},
date = {2021-03-29},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/},
language = {English},
urldate = {2021-03-30}
}
Sodinokibi (aka REvil) Ransomware Cobalt Strike IcedID REvil |
2021-03-26 ⋅ Trend Micro ⋅ Trend Micro @online{micro:20210326:alleged:ce2115c,
author = {{Trend Micro}},
title = {{Alleged Members of Egregor Ransomware Cartel Arrested}},
date = {2021-03-26},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/c/egregor-ransomware-cartel-members-arrested.html},
language = {English},
urldate = {2021-04-28}
}
Alleged Members of Egregor Ransomware Cartel Arrested Egregor QakBot |
2021-03-21 ⋅ Blackberry ⋅ Blackberry Research @techreport{research:20210321:2021:a393473,
author = {{Blackberry Research}},
title = {{2021 Threat Report}},
date = {2021-03-21},
institution = {Blackberry},
url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf},
language = {English},
urldate = {2021-03-25}
}
2021 Threat Report Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot |
2021-03-19 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:20210319:ta551:48627e5,
author = {{MITRE ATT\&CK}},
title = {{TA551}},
date = {2021-03-19},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0127/},
language = {English},
urldate = {2022-07-13}
}
TA551 GOLD CABIN |
2021-03-18 ⋅ VinCSS ⋅ Tran Trung Kien @online{kien:20210318:re021:00caf5b,
author = {Tran Trung Kien},
title = {{[RE021] Qakbot analysis – Dangerous malware has been around for more than a decade}},
date = {2021-03-18},
organization = {VinCSS},
url = {https://blog.vincss.net/2021/03/re021-qakbot-dangerous-malware-has-been-around-for-more-than-a-decade.html},
language = {English},
urldate = {2021-03-19}
}
[RE021] Qakbot analysis – Dangerous malware has been around for more than a decade QakBot |
2021-03-17 ⋅ HP ⋅ HP Bromium @techreport{bromium:20210317:threat:3aed551,
author = {{HP Bromium}},
title = {{Threat Insights Report Q4-2020}},
date = {2021-03-17},
institution = {HP},
url = {https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf},
language = {English},
urldate = {2021-03-19}
}
Threat Insights Report Q4-2020 Agent Tesla BitRAT ComodoSec Dridex Emotet Ficker Stealer Formbook Zloader |
2021-03-12 ⋅ Binary Defense ⋅ James Quinn @online{quinn:20210312:icedid:3e6db43,
author = {James Quinn},
title = {{IcedID GZIPLOADER Analysis}},
date = {2021-03-12},
organization = {Binary Defense},
url = {https://www.binarydefense.com/icedid-gziploader-analysis/},
language = {English},
urldate = {2021-03-16}
}
IcedID GZIPLOADER Analysis IcedID |
2021-03-08 ⋅ Palo Alto Networks Unit 42 ⋅ Chris Navarrete, Yanhui Jia, Matthew Tennis, Durgesh Sangvikar, Rongbo Shao @online{navarrete:20210308:attack:6238643,
author = {Chris Navarrete and Yanhui Jia and Matthew Tennis and Durgesh Sangvikar and Rongbo Shao},
title = {{Attack Chain Overview: Emotet in December 2020 and January 2021}},
date = {2021-03-08},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/attack-chain-overview-emotet-in-december-2020-and-january-2021/},
language = {English},
urldate = {2021-03-11}
}
Attack Chain Overview: Emotet in December 2020 and January 2021 Emotet |
2021-03-04 ⋅ F5 ⋅ Dor Nizar, Roy Moshailov @online{nizar:20210304:icedid:bfcc689,
author = {Dor Nizar and Roy Moshailov},
title = {{IcedID Banking Trojan Uses COVID-19 Pandemic to Lure New Victims}},
date = {2021-03-04},
organization = {F5},
url = {https://www.f5.com/labs/articles/threat-intelligence/icedid-banking-trojan-uses-covid-19-pandemic-to-lure-new-victims},
language = {English},
urldate = {2021-03-06}
}
IcedID Banking Trojan Uses COVID-19 Pandemic to Lure New Victims IcedID |
2021-03 ⋅ Group-IB ⋅ Oleg Skulkin, Roman Rezvukhin, Semyon Rogachev @techreport{skulkin:202103:ransomware:992ca10,
author = {Oleg Skulkin and Roman Rezvukhin and Semyon Rogachev},
title = {{Ransomware Uncovered 2020/2021}},
date = {2021-03},
institution = {Group-IB},
url = {https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf},
language = {English},
urldate = {2021-06-16}
}
Ransomware Uncovered 2020/2021 RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader |
2021-02-28 ⋅ PWC UK ⋅ PWC UK @techreport{uk:20210228:cyber:bd780cd,
author = {{PWC UK}},
title = {{Cyber Threats 2020: A Year in Retrospect}},
date = {2021-02-28},
institution = {PWC UK},
url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf},
language = {English},
urldate = {2021-03-04}
}
Cyber Threats 2020: A Year in Retrospect elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Tonto Team |
2021-02-28 ⋅ NetbyteSEC @online{netbytesec:20210228:deobfuscating:a975d4c,
author = {NetbyteSEC},
title = {{Deobfuscating Emotet Macro Document and Powershell Command}},
date = {2021-02-28},
url = {https://notes.netbytesec.com/2021/02/deobfuscating-emotet-macro-and.html},
language = {English},
urldate = {2022-02-14}
}
Deobfuscating Emotet Macro Document and Powershell Command Emotet |
2021-02-26 ⋅ CrowdStrike ⋅ Eric Loui, Sergei Frankoff @online{loui:20210226:hypervisor:8dadf9c,
author = {Eric Loui and Sergei Frankoff},
title = {{Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact}},
date = {2021-02-26},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout},
language = {English},
urldate = {2021-05-26}
}
Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact DarkSide RansomEXX Griffon Carbanak Cobalt Strike DarkSide IcedID MimiKatz PyXie RansomEXX REvil |
2021-02-25 ⋅ ANSSI ⋅ CERT-FR @techreport{certfr:20210225:ryuk:7895e12,
author = {CERT-FR},
title = {{Ryuk Ransomware}},
date = {2021-02-25},
institution = {ANSSI},
url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf},
language = {English},
urldate = {2021-03-02}
}
Ryuk Ransomware BazarBackdoor Buer Conti Emotet Ryuk TrickBot |
2021-02-25 ⋅ FireEye ⋅ Bryce Abdo, Brendan McKeague, Van Ta @online{abdo:20210225:so:88f3400,
author = {Bryce Abdo and Brendan McKeague and Van Ta},
title = {{So Unchill: Melting UNC2198 ICEDID to Ransomware Operations}},
date = {2021-02-25},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html},
language = {English},
urldate = {2021-03-02}
}
So Unchill: Melting UNC2198 ICEDID to Ransomware Operations MOUSEISLAND Cobalt Strike Egregor IcedID Maze SystemBC |
2021-02-25 ⋅ JPCERT/CC ⋅ Ken Sajo @online{sajo:20210225:emotet:f78fb4e,
author = {Ken Sajo},
title = {{Emotet Disruption and Outreach to Affected Users}},
date = {2021-02-25},
organization = {JPCERT/CC},
url = {https://blogs.jpcert.or.jp/en/2021/02/emotet-notice.html},
language = {English},
urldate = {2021-02-25}
}
Emotet Disruption and Outreach to Affected Users Emotet |
2021-02-24 ⋅ IBM ⋅ IBM SECURITY X-FORCE @online{xforce:20210224:xforce:ac9a90e,
author = {{IBM SECURITY X-FORCE}},
title = {{X-Force Threat Intelligence Index 2021}},
date = {2021-02-24},
organization = {IBM},
url = {https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89},
language = {English},
urldate = {2021-03-02}
}
X-Force Threat Intelligence Index 2021 Emotet QakBot Ramnit REvil TrickBot |
2021-02-24 ⋅ Allsafe ⋅ Shota Nakajima, Hara Hiroaki @techreport{nakajima:20210224:malware:0f5ff88,
author = {Shota Nakajima and Hara Hiroaki},
title = {{Malware Analysis at Scale - Defeating Emotet by Ghidra}},
date = {2021-02-24},
institution = {Allsafe},
url = {https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_workshop_malware-analysis_jp.pdf},
language = {English},
urldate = {2021-02-26}
}
Malware Analysis at Scale - Defeating Emotet by Ghidra Emotet |
2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike @techreport{crowdstrike:20210223:2021:bf5bc4f,
author = {CrowdStrike},
title = {{2021 Global Threat Report}},
date = {2021-02-23},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf},
language = {English},
urldate = {2021-02-25}
}
2021 Global Threat Report RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER |
2021-02-17 ⋅ Politie NL ⋅ Politie NL @online{nl:20210217:politie:a27a279,
author = {{Politie NL}},
title = {{Politie bestrijdt cybercrime via Nederlandse infrastructuur}},
date = {2021-02-17},
organization = {Politie NL},
url = {https://www.politie.nl/nieuws/2021/februari/17/politie-bestrijdt-cybercrime-via-nederlandse-infrastructuur.html}, |