
GOLD CABIN

aka: Shakthak, TA551

GOLD CABIN is a financially motivated cybercriminal threat group that has operated a malware distribution service on behalf of numerous customers since 2018. GOLD CABIN uses malicious documents, often contained in password-protected archives and delivered through email, to download and execute payloads. The second-stage payloads are most frequently Gozi ISFB (Ursnif) or IcedID (Bokbot), sometimes delivered via intermediary malware such as Valak. GOLD CABIN infrastructure relies on artificial-appearing and frequently changing URLs created with a domain generation algorithm (DGA). The URLs host a PHP object that returns the malware as a DLL file.

Associated Families
win.qakbot win.emotet win.icedid

References
2022-05-17KasperskyBrad Duncan
@online{duncan:20220517:emotet:5f61714, author = {Brad Duncan}, title = {{Emotet Summary: November 2021 Through January 2022}}, date = {2022-05-17}, organization = {Kaspersky}, url = {https://unit42.paloaltonetworks.com/emotet-malware-summary-epoch-4-5/}, language = {English}, urldate = {2022-05-17} } Emotet Summary: November 2021 Through January 2022
Emotet
2022-05-16vmwareOleg Boyarchuk, Stefano Ortolani, Jason Zhang, Threat Analysis Unit
@online{boyarchuk:20220516:emotet:6392ff3, author = {Oleg Boyarchuk and Stefano Ortolani and Jason Zhang and Threat Analysis Unit}, title = {{Emotet Moves to 64 bit and Updates its Loader}}, date = {2022-05-16}, organization = {vmware}, url = {https://blogs.vmware.com/security/2022/05/emotet-moves-to-64-bit-and-updates-its-loader.html}, language = {English}, urldate = {2022-05-17} } Emotet Moves to 64 bit and Updates its Loader
Emotet
2022-05-12Intel 471Intel 471
@online{471:20220512:what:05369d4, author = {Intel 471}, title = {{What malware to look for if you want to prevent a ransomware attack}}, date = {2022-05-12}, organization = {Intel 471}, url = {https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike}, language = {English}, urldate = {2022-05-13} } What malware to look for if you want to prevent a ransomware attack
Conti BumbleBee Cobalt Strike IcedID Sliver
2022-05-11HPHP Wolf Security
@techreport{security:20220511:threat:bd460f0, author = {HP Wolf Security}, title = {{Threat Insights Report Q1 - 2022}}, date = {2022-05-11}, institution = {HP}, url = {https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf}, language = {English}, urldate = {2022-05-13} } Threat Insights Report Q1 - 2022
AsyncRAT Emotet Mekotio Vjw0rm
2022-05-11IronNetBlake Cahen, IronNet Threat Research
@online{cahen:20220511:detecting:c61fd63, author = {Blake Cahen and IronNet Threat Research}, title = {{Detecting a MUMMY SPIDER campaign and Emotet infection}}, date = {2022-05-11}, organization = {IronNet}, url = {https://www.ironnet.com/blog/detecting-a-mummyspider-campaign-and-emotet-infection}, language = {English}, urldate = {2022-05-17} } Detecting a MUMMY SPIDER campaign and Emotet infection
Emotet
2022-05-11InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20220511:ta578:0a0a686, author = {Brad Duncan}, title = {{TA578 using thread-hijacked emails to push ISO files for Bumblebee malware}}, date = {2022-05-11}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/28636}, language = {English}, urldate = {2022-05-11} } TA578 using thread-hijacked emails to push ISO files for Bumblebee malware
BumbleBee Cobalt Strike IcedID PhotoLoader
2022-05-09CybereasonLior Rochberger
@online{rochberger:20220509:cybereason:9178f63, author = {Lior Rochberger}, title = {{Cybereason vs. Quantum Locker Ransomware}}, date = {2022-05-09}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware}, language = {English}, urldate = {2022-05-11} } Cybereason vs. Quantum Locker Ransomware
IcedID Mount Locker
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker
2022-05-09NetresecErik Hjelmvik
@online{hjelmvik:20220509:emotet:ce90938, author = {Erik Hjelmvik}, title = {{Emotet C2 and Spam Traffic Video}}, date = {2022-05-09}, organization = {Netresec}, url = {https://www.netresec.com/?page=Blog&month=2022-05&post=Emotet-C2-and-Spam-Traffic-Video}, language = {English}, urldate = {2022-05-09} } Emotet C2 and Spam Traffic Video
Emotet
2022-05-06NetskopeGustavo Palazolo
@online{palazolo:20220506:emotet:44a2595, author = {Gustavo Palazolo}, title = {{Emotet: New Delivery Mechanism to Bypass VBA Protection}}, date = {2022-05-06}, organization = {Netskope}, url = {https://www.netskope.com/blog/emotet-new-delivery-mechanism-to-bypass-vba-protection}, language = {English}, urldate = {2022-05-09} } Emotet: New Delivery Mechanism to Bypass VBA Protection
Emotet
2022-05-04Twitter (@felixw3000)Felix
@online{felix:20220504:twitter:0fb7e35, author = {Felix}, title = {{Twitter Thread with info on infection chain with IcedId, Cobalt Strike, and Hidden VNC.}}, date = {2022-05-04}, organization = {Twitter (@felixw3000)}, url = {https://twitter.com/felixw3000/status/1521816045769662468}, language = {English}, urldate = {2022-05-09} } Twitter Thread with info on infection chain with IcedId, Cobalt Strike, and Hidden VNC.
Cobalt Strike IcedID PhotoLoader
2022-05-04SophosAndreas Klopsch
@online{klopsch:20220504:attacking:750e07f, author = {Andreas Klopsch}, title = {{Attacking Emotet’s Control Flow Flattening}}, date = {2022-05-04}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/05/04/attacking-emotets-control-flow-flattening/}, language = {English}, urldate = {2022-05-05} } Attacking Emotet’s Control Flow Flattening
Emotet
2022-04-28SymantecKarthikeyan C Kasiviswanathan, Vishal Kamble
@online{kasiviswanathan:20220428:ransomware:95feafb, author = {Karthikeyan C Kasiviswanathan and Vishal Kamble}, title = {{Ransomware: How Attackers are Breaching Corporate Networks}}, date = {2022-04-28}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker}, language = {English}, urldate = {2022-05-04} } Ransomware: How Attackers are Breaching Corporate Networks
AvosLocker Conti Emotet Hive IcedID PhotoLoader QakBot TrickBot
2022-04-27CybleincCyble
@online{cyble:20220427:emotet:a8c919a, author = {Cyble}, title = {{Emotet Returns With New TTPs And Delivers .Lnk Files To Its Victims}}, date = {2022-04-27}, organization = {Cybleinc}, url = {https://blog.cyble.com/2022/04/27/emotet-returns-with-new-ttps-and-delivers-lnk-files-to-its-victims/}, language = {English}, urldate = {2022-05-04} } Emotet Returns With New TTPs And Delivers .Lnk Files To Its Victims
Emotet
2022-04-26Bleeping ComputerIonut Ilascu
@online{ilascu:20220426:emotet:d0b6f50, author = {Ionut Ilascu}, title = {{Emotet malware now installs via PowerShell in Windows shortcut files}}, date = {2022-04-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/emotet-malware-now-installs-via-powershell-in-windows-shortcut-files/}, language = {English}, urldate = {2022-04-29} } Emotet malware now installs via PowerShell in Windows shortcut files
Emotet
2022-04-26ProofpointAxel F
@online{f:20220426:emotet:afb4f87, author = {Axel F}, title = {{Emotet Tests New Delivery Techniques}}, date = {2022-04-26}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/emotet-tests-new-delivery-techniques}, language = {English}, urldate = {2022-04-29} } Emotet Tests New Delivery Techniques
Emotet
2022-04-26Intel 471Intel 471
@online{471:20220426:conti:6bcff7d, author = {Intel 471}, title = {{Conti and Emotet: A constantly destructive duo}}, date = {2022-04-26}, organization = {Intel 471}, url = {https://intel471.com/blog/conti-emotet-ransomware-conti-leaks}, language = {English}, urldate = {2022-04-29} } Conti and Emotet: A constantly destructive duo
Cobalt Strike Conti Emotet IcedID QakBot TrickBot
2022-04-25The DFIR ReportThe DFIR Report
@online{report:20220425:quantum:128d2b3, author = {The DFIR Report}, title = {{Quantum Ransomware}}, date = {2022-04-25}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2022/04/25/quantum-ransomware/}, language = {English}, urldate = {2022-04-25} } Quantum Ransomware
Cobalt Strike IcedID
2022-04-24forensicitguyTony Lambert
@online{lambert:20220424:shortcut:b1a00dd, author = {Tony Lambert}, title = {{Shortcut to Emotet, an odd TTP change}}, date = {2022-04-24}, organization = {forensicitguy}, url = {https://forensicitguy.github.io/shortcut-to-emotet-ttp-change/}, language = {English}, urldate = {2022-04-25} } Shortcut to Emotet, an odd TTP change
Emotet
2022-04-20CISACISA, NSA, FBI, Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), Government Communications Security Bureau, NCSC UK, National Crime Agency (NCA)
@techreport{cisa:20220420:aa22110a:4fde5d6, author = {CISA and NSA and FBI and Australian Cyber Security Centre (ACSC) and Canadian Centre for Cyber Security (CCCS) and Government Communications Security Bureau and NCSC UK and National Crime Agency (NCA)}, title = {{AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}}, date = {2022-04-20}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf}, language = {English}, urldate = {2022-04-25} } AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader
2022-04-20SANS ISCBrad Duncan
@online{duncan:20220420:aa:eb304fb, author = {Brad Duncan}, title = {{'aa' distribution Qakbot (Qbot) infection with DarkVNC traffic}}, date = {2022-04-20}, organization = {SANS ISC}, url = {https://isc.sans.edu/diary/rss/28568}, language = {English}, urldate = {2022-04-25} } 'aa' distribution Qakbot (Qbot) infection with DarkVNC traffic
QakBot
2022-04-20CISACISA
@online{cisa:20220420:alert:529e28c, author = {CISA}, title = {{Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}}, date = {2022-04-20}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-110a}, language = {English}, urldate = {2022-04-25} } Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader Killnet
2022-04-19Bleeping ComputerBill Toulas
@online{toulas:20220419:emotet:a7e392d, author = {Bill Toulas}, title = {{Emotet botnet switches to 64-bit modules, increases activity}}, date = {2022-04-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/emotet-botnet-switches-to-64-bit-modules-increases-activity/}, language = {English}, urldate = {2022-04-20} } Emotet botnet switches to 64-bit modules, increases activity
Emotet
2022-04-19Twitter (@Cryptolaemus1)Cryptolaemus
@online{cryptolaemus:20220419:emotet:c68608b, author = {Cryptolaemus}, title = {{#Emotet Update: 64 bit upgrade of Epoch 5}}, date = {2022-04-19}, organization = {Twitter (@Cryptolaemus1)}, url = {https://twitter.com/Cryptolaemus1/status/1516535343281025032}, language = {English}, urldate = {2022-04-20} } #Emotet Update: 64 bit upgrade of Epoch 5
Emotet
2022-04-18FortinetErin Lin
@online{lin:20220418:trends:fab9950, author = {Erin Lin}, title = {{Trends in the Recent Emotet Maldoc Outbreak}}, date = {2022-04-18}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/Trends-in-the-recent-emotet-maldoc-outbreak}, language = {English}, urldate = {2022-04-20} } Trends in the Recent Emotet Maldoc Outbreak
Emotet
2022-04-17BushidoToken BlogBushidoToken
@online{bushidotoken:20220417:lessons:d4d0595, author = {BushidoToken}, title = {{Lessons from the Conti Leaks}}, date = {2022-04-17}, organization = {BushidoToken Blog}, url = {https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html}, language = {English}, urldate = {2022-04-25} } Lessons from the Conti Leaks
BazarBackdoor Conti Emotet IcedID Ryuk TrickBot
2022-04-14Cert-UACert-UA
@online{certua:20220414:cyberattack:915dfa7, author = {Cert-UA}, title = {{Cyberattack on Ukrainian state organizations using IcedID malware (CERT-UA#4464)}}, date = {2022-04-14}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/39609}, language = {Ukrainian}, urldate = {2022-04-20} } Cyberattack on Ukrainian state organizations using IcedID malware (CERT-UA#4464)
IcedID
2022-04-14Bleeping ComputerBill Toulas
@online{toulas:20220414:hackers:2b1153c, author = {Bill Toulas}, title = {{Hackers target Ukrainian govt with IcedID malware, Zimbra exploits}}, date = {2022-04-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hackers-target-ukrainian-govt-with-icedid-malware-zimbra-exploits/}, language = {English}, urldate = {2022-04-15} } Hackers target Ukrainian govt with IcedID malware, Zimbra exploits
IcedID
2022-04-13KasperskyAMR
@online{amr:20220413:emotet:113c0db, author = {AMR}, title = {{Emotet modules and recent attacks}}, date = {2022-04-13}, organization = {Kaspersky}, url = {https://securelist.com/emotet-modules-and-recent-attacks/106290/}, language = {English}, urldate = {2022-04-15} } Emotet modules and recent attacks
Emotet
2022-04-12Check PointCheck Point Research
@online{research:20220412:march:2c56dc6, author = {Check Point Research}, title = {{March 2022’s Most Wanted Malware: Easter Phishing Scams Help Emotet Assert its Dominance}}, date = {2022-04-12}, organization = {Check Point}, url = {https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/}, language = {English}, urldate = {2022-04-20} } March 2022’s Most Wanted Malware: Easter Phishing Scams Help Emotet Assert its Dominance
Alien FluBot Agent Tesla Emotet
2022-04-12AhnLabASEC Analysis Team
@online{team:20220412:systembc:7bdd20c, author = {ASEC Analysis Team}, title = {{SystemBC Being Used by Various Attackers}}, date = {2022-04-12}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/33600/}, language = {English}, urldate = {2022-04-15} } SystemBC Being Used by Various Attackers
Emotet SmokeLoader SystemBC
2022-04-12Tech TimesJoseph Henry
@online{henry:20220412:qbot:9dd8d54, author = {Joseph Henry}, title = {{Qbot Botnet Deploys Malware Payloads Through Malicious Windows Installers}}, date = {2022-04-12}, organization = {Tech Times}, url = {https://www.techtimes.com/articles/274190/20220412/qbot-botnet-deploys-malware-payloads-through-malicious-windows-installers.htm}, language = {English}, urldate = {2022-05-04} } Qbot Botnet Deploys Malware Payloads Through Malicious Windows Installers
QakBot
2022-04-11Bleeping ComputerSergiu Gatlan
@online{gatlan:20220411:qbot:7f1ddc7, author = {Sergiu Gatlan}, title = {{Qbot malware switches to new Windows Installer infection vector}}, date = {2022-04-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/qbot-malware-switches-to-new-windows-installer-infection-vector/}, language = {English}, urldate = {2022-05-04} } Qbot malware switches to new Windows Installer infection vector
QakBot
2022-04-04The DFIR Report@0xtornado, @yatinwad, @MettalicHack, @_pete_0
@online{0xtornado:20220404:stolen:3df91a7, author = {@0xtornado and @yatinwad and @MettalicHack and @_pete_0}, title = {{Stolen Images Campaign Ends in Conti Ransomware}}, date = {2022-04-04}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/}, language = {English}, urldate = {2022-04-04} } Stolen Images Campaign Ends in Conti Ransomware
Conti IcedID
2022-04-02Github (pl-v)Player-V
@online{playerv:20220402:emotet:712f2ab, author = {Player-V}, title = {{Emotet Analysis Part 1: Unpacking}}, date = {2022-04-02}, organization = {Github (pl-v)}, url = {https://pl-v.github.io/plv/posts/Emotet-unpacking/}, language = {English}, urldate = {2022-04-08} } Emotet Analysis Part 1: Unpacking
Emotet
2022-03-31nccgroupNikolaos Pantazopoulos, Alex Jessop, Simon Biggs, RIFT: Research and Intelligence Fusion Team
@online{pantazopoulos:20220331:continuation:b38514d, author = {Nikolaos Pantazopoulos and Alex Jessop and Simon Biggs and RIFT: Research and Intelligence Fusion Team}, title = {{Conti-nuation: methods and techniques observed in operations post the leaks}}, date = {2022-03-31}, organization = {nccgroup}, url = {https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/}, language = {English}, urldate = {2022-03-31} } Conti-nuation: methods and techniques observed in operations post the leaks
Cobalt Strike Conti QakBot
2022-03-31TrellixJohn Fokker, Jambul Tologonov
@online{fokker:20220331:conti:3bc2974, author = {John Fokker and Jambul Tologonov}, title = {{Conti Leaks: Examining the Panama Papers of Ransomware}}, date = {2022-03-31}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html}, language = {English}, urldate = {2022-04-07} } Conti Leaks: Examining the Panama Papers of Ransomware
LockBit Amadey Buer Conti IcedID LockBit Mailto Maze PhotoLoader Ryuk TrickBot
2022-03-30PrevailionPrevailion
@online{prevailion:20220330:wizard:6eb38a7, author = {Prevailion}, title = {{Wizard Spider continues to confound}}, date = {2022-03-30}, organization = {Prevailion}, url = {https://blog.prevailion.com/wizard-spider-continues-to-confound-4298370f6903}, language = {English}, urldate = {2022-03-31} } Wizard Spider continues to confound
BazarBackdoor Cobalt Strike Emotet
2022-03-29Threat PostElizabeth Montalbano
@online{montalbano:20220329:exchange:ff88f41, author = {Elizabeth Montalbano}, title = {{Exchange Servers Speared in IcedID Phishing Campaign}}, date = {2022-03-29}, organization = {Threat Post}, url = {https://threatpost.com/exchange-servers-speared-in-icedid-phishing-campaign/179137/}, language = {English}, urldate = {2022-03-31} } Exchange Servers Speared in IcedID Phishing Campaign
IcedID
2022-03-29vmwareOleg Boyarchuk, Jason Zhang, Threat Analysis Unit
@online{boyarchuk:20220329:emotet:18b143b, author = {Oleg Boyarchuk and Jason Zhang and Threat Analysis Unit}, title = {{Emotet C2 Configuration Extraction and Analysis}}, date = {2022-03-29}, organization = {vmware}, url = {https://blogs.vmware.com/security/2022/03/emotet-c2-configuration-extraction-and-analysis.html}, language = {English}, urldate = {2022-04-04} } Emotet C2 Configuration Extraction and Analysis
Emotet
2022-03-28FortinetJames Slaughter, Val Saengphaibul, Fred Gutierrez
@online{slaughter:20220328:spoofed:0cd6f0e, author = {James Slaughter and Val Saengphaibul and Fred Gutierrez}, title = {{Spoofed Invoice Used to Drop IcedID}}, date = {2022-03-28}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/spoofed-invoice-drops-iced-id}, language = {English}, urldate = {2022-03-31} } Spoofed Invoice Used to Drop IcedID
IcedID
2022-03-28IntezerJoakim Kennedy, Ryan Robinson
@online{kennedy:20220328:new:cede4da, author = {Joakim Kennedy and Ryan Robinson}, title = {{New Conversation Hijacking Campaign Delivering IcedID}}, date = {2022-03-28}, organization = {Intezer}, url = {https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/}, language = {English}, urldate = {2022-04-05} } New Conversation Hijacking Campaign Delivering IcedID
IcedID PhotoLoader
2022-03-28Bleeping ComputerBill Toulas
@online{toulas:20220328:microsoft:5bc32d1, author = {Bill Toulas}, title = {{Microsoft Exchange targeted for IcedID reply-chain hijacking attacks}}, date = {2022-03-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/microsoft-exchange-targeted-for-icedid-reply-chain-hijacking-attacks/}, language = {English}, urldate = {2022-03-30} } Microsoft Exchange targeted for IcedID reply-chain hijacking attacks
IcedID
2022-03-28CiscoMaría José Erquiaga, Onur Erdogan, Adela Jezkova
@online{erquiaga:20220328:emotet:d36774a, author = {María José Erquiaga and Onur Erdogan and Adela Jezkova}, title = {{Emotet is Back}}, date = {2022-03-28}, organization = {Cisco}, url = {https://blogs.cisco.com/security/emotet-is-back}, language = {English}, urldate = {2022-03-30} } Emotet is Back
Emotet
2022-03-25SANS ISCXavier Mertens
@online{mertens:20220325:xlsb:21fdeaf, author = {Xavier Mertens}, title = {{XLSB Files: Because Binary is Stealthier Than XML}}, date = {2022-03-25}, organization = {SANS ISC}, url = {https://isc.sans.edu/forums/diary/XLSB+Files+Because+Binary+is+Stealthier+Than+XML/28476/}, language = {English}, urldate = {2022-03-25} } XLSB Files: Because Binary is Stealthier Than XML
QakBot
2022-03-23NVISO LabsBart Parys
@online{parys:20220323:hunting:1610697, author = {Bart Parys}, title = {{Hunting Emotet campaigns with Kusto}}, date = {2022-03-23}, organization = {NVISO Labs}, url = {https://blog.nviso.eu/2022/03/23/hunting-emotet-campaigns-with-kusto/}, language = {English}, urldate = {2022-03-24} } Hunting Emotet campaigns with Kusto
Emotet
2022-03-23SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20220323:threat:84ad46c, author = {Counter Threat Unit ResearchTeam}, title = {{Threat Intelligence Executive Report Volume 2022, Number 2}}, date = {2022-03-23}, organization = {Secureworks}, url = {https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx}, language = {English}, urldate = {2022-03-25} } Threat Intelligence Executive Report Volume 2022, Number 2
Conti Emotet IcedID TrickBot
2022-03-23FortinetShunichi Imano, Val Saengphaibul
@online{imano:20220323:bad:06c3501, author = {Shunichi Imano and Val Saengphaibul}, title = {{Bad Actors Trying to Capitalize on Current Events via Shameless Email Scams}}, date = {2022-03-23}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/bad-actors-capitalize-current-events-email-scams}, language = {English}, urldate = {2022-03-25} } Bad Actors Trying to Capitalize on Current Events via Shameless Email Scams
Emotet
2022-03-23FortinetXiaopeng Zhang
@online{zhang:20220323:ms:946096e, author = {Xiaopeng Zhang}, title = {{MS Office Files Involved Again in Recent Emotet Trojan Campaign – Part II}}, date = {2022-03-23}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/ms-office-files-involved-again-in-recent-emotet-trojan-campaign-part-ii}, language = {English}, urldate = {2022-03-25} } MS Office Files Involved Again in Recent Emotet Trojan Campaign – Part II
Emotet
2022-03-23SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20220323:gold:0f3da90, author = {Counter Threat Unit ResearchTeam}, title = {{GOLD ULRICK Leaks Reveal Organizational Structure and Relationships}}, date = {2022-03-23}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships}, language = {English}, urldate = {2022-03-25} } GOLD ULRICK Leaks Reveal Organizational Structure and Relationships
Conti Emotet IcedID TrickBot
2022-03-21Info SecurityVinugayathri Chinnasamy
@online{chinnasamy:20220321:emotet:2d27f06, author = {Vinugayathri Chinnasamy}, title = {{Emotet Is Back and Is Deadlier Than Ever! A Rundown of the Emotet Malware}}, date = {2022-03-21}, organization = {Info Security}, url = {https://www.infosecurity-magazine.com/blogs/a-rundown-of-the-emotet-malware/}, language = {English}, urldate = {2022-03-22} } Emotet Is Back and Is Deadlier Than Ever! A Rundown of the Emotet Malware
Emotet
2022-03-21eSentireeSentire Threat Response Unit (TRU)
@online{tru:20220321:conti:507fdf9, author = {eSentire Threat Response Unit (TRU)}, title = {{Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered}}, date = {2022-03-21}, organization = {eSentire}, url = {https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire}, language = {English}, urldate = {2022-05-23} } Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered
HelloKitty BazarBackdoor Cobalt Strike Conti FiveHands HelloKitty IcedID
2022-03-17Github (eln0ty)Abdallah Elnoty
@online{elnoty:20220317:icedid:0b8ef27, author = {Abdallah Elnoty}, title = {{IcedID Analysis}}, date = {2022-03-17}, organization = {Github (eln0ty)}, url = {https://eln0ty.github.io/malware%20analysis/IcedID/}, language = {English}, urldate = {2022-03-22} } IcedID Analysis
IcedID
2022-03-17Trend MicroTrend Micro Research
@techreport{research:20220317:navigating:5ad631e, author = {Trend Micro Research}, title = {{Navigating New Frontiers Trend Micro 2021 Annual Cybersecurity Report}}, date = {2022-03-17}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf}, language = {English}, urldate = {2022-03-22} } Navigating New Frontiers Trend Micro 2021 Annual Cybersecurity Report
REvil BazarBackdoor Buer IcedID QakBot REvil
2022-03-16DragosJosh Hanrahan
@online{hanrahan:20220316:suspected:325fc01, author = {Josh Hanrahan}, title = {{Suspected Conti Ransomware Activity in the Auto Manufacturing Sector}}, date = {2022-03-16}, organization = {Dragos}, url = {https://www.dragos.com/blog/industry-news/suspected-conti-ransomware-activity-in-the-auto-manufacturing-sector/}, language = {English}, urldate = {2022-03-17} } Suspected Conti Ransomware Activity in the Auto Manufacturing Sector
Conti Emotet
2022-03-16SANS ISCBrad Duncan
@online{duncan:20220316:qakbot:7fe703f, author = {Brad Duncan}, title = {{Qakbot infection with Cobalt Strike and VNC activity}}, date = {2022-03-16}, organization = {SANS ISC}, url = {https://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448/}, language = {English}, urldate = {2022-03-17} } Qakbot infection with Cobalt Strike and VNC activity
Cobalt Strike QakBot
2022-03-16InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20220316:qakbot:ff11e1e, author = {Brad Duncan}, title = {{Qakbot infection with Cobalt Strike and VNC activity}}, date = {2022-03-16}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/28448}, language = {English}, urldate = {2022-03-17} } Qakbot infection with Cobalt Strike and VNC activity
Cobalt Strike QakBot
2022-03-16SymantecSymantec Threat Hunter Team
@techreport{team:20220316:ransomware:1c2a72a, author = {Symantec Threat Hunter Team}, title = {{The Ransomware Threat Landscape: What to Expect in 2022}}, date = {2022-03-16}, institution = {Symantec}, url = {https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf}, language = {English}, urldate = {2022-03-22} } The Ransomware Threat Landscape: What to Expect in 2022
AvosLocker BlackCat BlackMatter Conti DarkSide DoppelPaymer Emotet Hive Karma Mespinoza Nemty Squirrelwaffle VegaLocker WastedLocker Yanluowang Zeppelin
2022-03-09nikpxxors
@online{xors:20220309:bokbot:925e438, author = {xors}, title = {{BokBot Technical Analysis}}, date = {2022-03-09}, organization = {nikpx}, url = {https://nikpx.github.io/malware/analysis/2022/03/09/BokBot}, language = {English}, urldate = {2022-03-10} } BokBot Technical Analysis
IcedID
2022-03-08LumenBlack Lotus Labs
@online{labs:20220308:what:c99735b, author = {Black Lotus Labs}, title = {{What Global Network Visibility Reveals about the Resurgence of One of the World’s Most Notorious Botnets}}, date = {2022-03-08}, organization = {Lumen}, url = {https://blog.lumen.com/emotet-redux/}, language = {English}, urldate = {2022-03-10} } What Global Network Visibility Reveals about the Resurgence of One of the World’s Most Notorious Botnets
Emotet
2022-03-07FortinetXiaopeng Zhang
@online{zhang:20220307:ms:b388372, author = {Xiaopeng Zhang}, title = {{MS Office Files Involved Again in Recent Emotet Trojan Campaign – Part I}}, date = {2022-03-07}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one}, language = {English}, urldate = {2022-03-08} } MS Office Files Involved Again in Recent Emotet Trojan Campaign – Part I
Emotet
2022-03-03Trend MicroTrend Micro Research
@online{research:20220303:cyberattacks:d961eb0, author = {Trend Micro Research}, title = {{Cyberattacks are Prominent in the Russia-Ukraine Conflict}}, date = {2022-03-03}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html}, language = {English}, urldate = {2022-03-04} } Cyberattacks are Prominent in the Russia-Ukraine Conflict
BazarBackdoor Cobalt Strike Conti Emotet WhisperGate
2022-03-02KrebsOnSecurityBrian Krebs
@online{krebs:20220302:conti:03b0358, author = {Brian Krebs}, title = {{Conti Ransomware Group Diaries, Part II: The Office}}, date = {2022-03-02}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/}, language = {English}, urldate = {2022-03-07} } Conti Ransomware Group Diaries, Part II: The Office
Conti Emotet Ryuk TrickBot
2022-03-01Twitter (@ContiLeaks)ContiLeaks
@online{contileaks:20220301:emotet:b68be9c, author = {ContiLeaks}, title = {{Tweet on Emotet final server scheme}}, date = {2022-03-01}, organization = {Twitter (@ContiLeaks)}, url = {https://twitter.com/ContiLeaks/status/1498614197202079745}, language = {English}, urldate = {2022-03-02} } Tweet on Emotet final server scheme
Emotet
2022-02-26MandiantMandiant
@online{mandiant:20220226:trending:a445d4a, author = {Mandiant}, title = {{TRENDING EVIL Q1 2022}}, date = {2022-02-26}, organization = {Mandiant}, url = {https://experience.mandiant.com/trending-evil/p/1}, language = {English}, urldate = {2022-03-14} } TRENDING EVIL Q1 2022
KEYPLUG FAKEUPDATES GootLoader BazarBackdoor QakBot
2022-02-26LinkedIn (Zayed AlJaberi)Zayed AlJaberi
@online{aljaberi:20220226:hunting:270b30c, author = {Zayed AlJaberi}, title = {{Hunting Recent QakBot Malware}}, date = {2022-02-26}, organization = {LinkedIn (Zayed AlJaberi)}, url = {https://www.linkedin.com/posts/zayedaljaberi_hunting-recent-qakbot-malware-activity-6903498764984606720-2Gl4}, language = {English}, urldate = {2022-03-01} } Hunting Recent QakBot Malware
QakBot
2022-02-25CyberScoopJoe Warminsky
@online{warminsky:20220225:trickbot:2d38470, author = {Joe Warminsky}, title = {{TrickBot malware suddenly got quiet, researchers say, but it's hardly the end for its operators}}, date = {2022-02-25}, organization = {CyberScoop}, url = {https://www.cyberscoop.com/trickbot-shutdown-conti-emotet/}, language = {English}, urldate = {2022-03-01} } TrickBot malware suddenly got quiet, researchers say, but it's hardly the end for its operators
BazarBackdoor Emotet TrickBot
2022-02-24 | Cynet | Max Malyutin
@online{malyutin:20220224:new:014251e, author = {Max Malyutin}, title = {{New Wave of Emotet – When Project X Turns Into Y}}, date = {2022-02-24}, organization = {Cynet}, url = {https://www.cynet.com/attack-techniques-hands-on/new-wave-of-emotet-when-project-x-turns-into-y/}, language = {English}, urldate = {2022-05-04} } New Wave of Emotet – When Project X Turns Into Y
Cobalt Strike Emotet
2022-02-24 | The Hacker News | Ravie Lakshmanan
@online{lakshmanan:20220224:trickbot:7e86d52, author = {Ravie Lakshmanan}, title = {{TrickBot Gang Likely Shifting Operations to Switch to New Malware}}, date = {2022-02-24}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html}, language = {English}, urldate = {2022-03-01} } TrickBot Gang Likely Shifting Operations to Switch to New Malware
BazarBackdoor Emotet QakBot TrickBot
2022-02-24 | The Hacker News | Ravie Lakshmanan
@online{lakshmanan:20220224:notorious:c5e1556, author = {Ravie Lakshmanan}, title = {{Notorious TrickBot Malware Gang Shuts Down its Botnet Infrastructure}}, date = {2022-02-24}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/02/notorious-trickbot-malware-gang-shuts.html}, language = {English}, urldate = {2022-03-04} } Notorious TrickBot Malware Gang Shuts Down its Botnet Infrastructure
BazarBackdoor Emotet TrickBot
2022-02-23 | cyber.wtf blog | Luca Ebach
@online{ebach:20220223:what:0a4496e, author = {Luca Ebach}, title = {{What the Pack(er)?}}, date = {2022-02-23}, organization = {cyber.wtf blog}, url = {https://cyber.wtf/2022/03/23/what-the-packer/}, language = {English}, urldate = {2022-03-25} } What the Pack(er)?
Cobalt Strike Emotet
2022-02-22 | eSentire | eSentire Threat Response Unit (TRU)
@online{tru:20220222:icedid:67f870d, author = {eSentire Threat Response Unit (TRU)}, title = {{IcedID to Cobalt Strike In Under 20 Minutes}}, date = {2022-02-22}, organization = {eSentire}, url = {https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes}, language = {English}, urldate = {2022-05-23} } IcedID to Cobalt Strike In Under 20 Minutes
Cobalt Strike IcedID PhotoLoader
2022-02-21 | The DFIR Report
@online{report:20220221:qbot:8b10b52, author = {The DFIR Report}, title = {{Qbot and Zerologon Lead To Full Domain Compromise}}, date = {2022-02-21}, url = {https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/}, language = {English}, urldate = {2022-02-26} } Qbot and Zerologon Lead To Full Domain Compromise
Cobalt Strike QakBot
2022-02-16 | Security Onion | Doug Burks
@online{burks:20220216:quick:e515983, author = {Doug Burks}, title = {{Quick Malware Analysis: Emotet Epoch 5 and Cobalt Strike pcap from 2022-02-08}}, date = {2022-02-16}, organization = {Security Onion}, url = {https://blog.securityonion.net/2022/02/quick-malware-analysis-emotet-epoch-5.html}, language = {English}, urldate = {2022-02-17} } Quick Malware Analysis: Emotet Epoch 5 and Cobalt Strike pcap from 2022-02-08
Cobalt Strike Emotet
2022-02-16 | Threat Post | Elizabeth Montalbano
@online{montalbano:20220216:emotet:a1297ac, author = {Elizabeth Montalbano}, title = {{Emotet Now Spreading Through Malicious Excel Files}}, date = {2022-02-16}, organization = {Threat Post}, url = {https://threatpost.com/emotet-spreading-malicious-excel-files/178444/}, language = {English}, urldate = {2022-02-18} } Emotet Now Spreading Through Malicious Excel Files
Emotet
2022-02-16 | SOC Prime | Alla Yurchenko
@online{yurchenko:20220216:qbot:db07ba5, author = {Alla Yurchenko}, title = {{QBot Malware Detection: Old Dog New Tricks}}, date = {2022-02-16}, organization = {SOC Prime}, url = {https://socprime.com/blog/qbot-malware-detection-old-dog-new-tricks/}, language = {English}, urldate = {2022-02-17} } QBot Malware Detection: Old Dog New Tricks
QakBot
2022-02-15 | Palo Alto Networks Unit 42 | Saqib Khanzada, Tyler Halfpop, Micah Yates, Brad Duncan
@online{khanzada:20220215:new:822e8f9, author = {Saqib Khanzada and Tyler Halfpop and Micah Yates and Brad Duncan}, title = {{New Emotet Infection Method}}, date = {2022-02-15}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/new-emotet-infection-method/}, language = {English}, urldate = {2022-02-17} } New Emotet Infection Method
Emotet
2022-02-15 | eSentire | eSentire Threat Response Unit (TRU)
@online{tru:20220215:increase:a4de9ce, author = {eSentire Threat Response Unit (TRU)}, title = {{Increase in Emotet Activity and Cobalt Strike Deployment}}, date = {2022-02-15}, organization = {eSentire}, url = {https://www.esentire.com/blog/increase-in-emotet-activity-and-cobalt-strike-deployment}, language = {English}, urldate = {2022-05-23} } Increase in Emotet Activity and Cobalt Strike Deployment
Cobalt Strike Emotet
2022-02-13 | NetbyteSEC | Taqi, Rosamira, Fareed
@online{taqi:20220213:technical:50aa099, author = {Taqi and Rosamira and Fareed}, title = {{Technical Malware Analysis: The Return of Emotet}}, date = {2022-02-13}, organization = {NetbyteSEC}, url = {https://notes.netbytesec.com/2022/02/technical-malware-analysis-return-of.html}, language = {English}, urldate = {2022-02-14} } Technical Malware Analysis: The Return of Emotet
Emotet
2022-02-10 | Cybereason | Cybereason Global SOC Team
@online{team:20220210:threat:320574f, author = {Cybereason Global SOC Team}, title = {{Threat Analysis Report: All Paths Lead to Cobalt Strike - IcedID, Emotet and QBot}}, date = {2022-02-10}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot}, language = {English}, urldate = {2022-02-10} } Threat Analysis Report: All Paths Lead to Cobalt Strike - IcedID, Emotet and QBot
Cobalt Strike Emotet IcedID QakBot
2022-02-08 | BleepingComputer | Bill Toulas
@online{toulas:20220208:qbot:a40ed5c, author = {Bill Toulas}, title = {{Qbot needs only 30 minutes to steal your credentials, emails}}, date = {2022-02-08}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/qbot-needs-only-30-minutes-to-steal-your-credentials-emails/}, language = {English}, urldate = {2022-02-09} } Qbot needs only 30 minutes to steal your credentials, emails
QakBot
2022-02-07 | vmware | Jason Zhang, Threat Analysis Unit
@online{zhang:20220207:emotet:e89deeb, author = {Jason Zhang and Threat Analysis Unit}, title = {{Emotet Is Not Dead (Yet) – Part 2}}, date = {2022-02-07}, organization = {vmware}, url = {https://blogs.vmware.com/networkvirtualization/2022/02/emotet-is-not-dead-yet-part-2.html/}, language = {English}, urldate = {2022-02-10} } Emotet Is Not Dead (Yet) – Part 2
Emotet
2022-02-07 | The DFIR Report | The DFIR Report
@online{report:20220207:qbot:35410a9, author = {The DFIR Report}, title = {{Qbot Likes to Move It, Move It}}, date = {2022-02-07}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/}, language = {English}, urldate = {2022-02-09} } Qbot Likes to Move It, Move It
QakBot
2022-02-02 | VMRay | VMRay Labs Team, Mateusz Lukaszewski
@online{team:20220202:malware:0eef3c2, author = {VMRay Labs Team and Mateusz Lukaszewski}, title = {{Malware Analysis Spotlight: Emotet’s Use of Cryptography}}, date = {2022-02-02}, organization = {VMRay}, url = {https://www.vmray.com/cyber-security-blog/malware-analysis-spotlight-emotets-use-of-cryptography/}, language = {English}, urldate = {2022-02-09} } Malware Analysis Spotlight: Emotet’s Use of Cryptography
Emotet
2022-01-27 | Threat Lab Indonesia | Threat Lab Indonesia
@online{indonesia:20220127:malware:8bcfff1, author = {Threat Lab Indonesia}, title = {{Malware Analysis Emotet Infection}}, date = {2022-01-27}, organization = {Threat Lab Indonesia}, url = {https://blog.threatlab.info/malware-analysis-emotet-infection/}, language = {Indonesian}, urldate = {2022-02-02} } Malware Analysis Emotet Infection
Emotet
2022-01-25 | SANS ISC | Brad Duncan
@online{duncan:20220125:emotet:9c62525, author = {Brad Duncan}, title = {{Emotet Stops Using 0.0.0.0 in Spambot Traffic}}, date = {2022-01-25}, organization = {SANS ISC}, url = {https://isc.sans.edu/forums/diary/Emotet+Stops+Using+0000+in+Spambot+Traffic/28270/}, language = {English}, urldate = {2022-02-01} } Emotet Stops Using 0.0.0.0 in Spambot Traffic
Emotet
2022-01-23 | kienmanowar Blog | m4n0w4r, Tran Trung Kien
@online{m4n0w4r:20220123:quicknote:852995b, author = {m4n0w4r and Tran Trung Kien}, title = {{[QuickNote] Emotet epoch4 & epoch5 tactics}}, date = {2022-01-23}, organization = {kienmanowar Blog}, url = {https://kienmanowar.wordpress.com/2022/01/23/quicknote-emotet-epoch4-epoch5-tactics/}, language = {English}, urldate = {2022-01-25} } [QuickNote] Emotet epoch4 & epoch5 tactics
Emotet
2022-01-22 | Atomic Matryoshka | z3r0day_504
@online{z3r0day504:20220122:malware:1ec08ef, author = {z3r0day_504}, title = {{Malware Headliners: Emotet}}, date = {2022-01-22}, organization = {Atomic Matryoshka}, url = {https://www.atomicmatryoshka.com/post/malware-headliners-emotet}, language = {English}, urldate = {2022-02-01} } Malware Headliners: Emotet
Emotet
2022-01-21 | vmware | Jason Zhang, Threat Analysis Unit
@online{zhang:20220121:emotet:bdb4508, author = {Jason Zhang and Threat Analysis Unit}, title = {{Emotet Is Not Dead (Yet)}}, date = {2022-01-21}, organization = {vmware}, url = {https://blogs.vmware.com/networkvirtualization/2022/01/emotet-is-not-dead-yet.html/}, language = {English}, urldate = {2022-02-10} } Emotet Is Not Dead (Yet)
Emotet
2022-01-21 | Trend Micro | Ian Kenefick
@online{kenefick:20220121:emotet:daddaf1, author = {Ian Kenefick}, title = {{Emotet Spam Abuses Unconventional IP Address Formats to Spread Malware}}, date = {2022-01-21}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/a/emotet-spam-abuses-unconventional-ip-address-formats-spread-malware.html}, language = {English}, urldate = {2022-01-25} } Emotet Spam Abuses Unconventional IP Address Formats to Spread Malware
Emotet
2022-01-19 | InfoSec Handlers Diary Blog | Brad Duncan
@online{duncan:20220119:0000:cdac125, author = {Brad Duncan}, title = {{0.0.0.0 in Emotet Spambot Traffic}}, date = {2022-01-19}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/28254}, language = {English}, urldate = {2022-01-24} } 0.0.0.0 in Emotet Spambot Traffic
Emotet
2022-01-19 | Blackberry | The BlackBerry Research & Intelligence Team
@online{team:20220119:kraken:5b52d17, author = {The BlackBerry Research & Intelligence Team}, title = {{Kraken the Code on Prometheus}}, date = {2022-01-19}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus}, language = {English}, urldate = {2022-01-24} } Kraken the Code on Prometheus
BlackMatter Cerber Cobalt Strike DCRat Ficker Stealer QakBot REvil Ryuk
2022-01-18 | Recorded Future | Insikt Group®
@techreport{group:20220118:2021:9cff6fc, author = {Insikt Group®}, title = {{2021 Adversary Infrastructure Report}}, date = {2022-01-18}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf}, language = {English}, urldate = {2022-01-24} } 2021 Adversary Infrastructure Report
BazarBackdoor Cobalt Strike Dridex IcedID QakBot TrickBot
2022-01-17 | forensicitguy | Tony Lambert
@online{lambert:20220117:emotets:85bf9d4, author = {Tony Lambert}, title = {{Emotet's Excel 4.0 Macros Dropping DLLs}}, date = {2022-01-17}, organization = {forensicitguy}, url = {https://forensicitguy.github.io/emotet-excel4-macro-analysis/}, language = {English}, urldate = {2022-01-25} } Emotet's Excel 4.0 Macros Dropping DLLs
Emotet
2022-01-15 | Atomic Matryoshka | z3r0day_504
@online{z3r0day504:20220115:malware:ce94f8c, author = {z3r0day_504}, title = {{Malware Headliners: Qakbot}}, date = {2022-01-15}, organization = {Atomic Matryoshka}, url = {https://www.atomicmatryoshka.com/post/malware-headliners-qakbot}, language = {English}, urldate = {2022-02-01} } Malware Headliners: Qakbot
QakBot
2022-01-14 | RiskIQ | Jordan Herman
@online{herman:20220114:riskiq:f4f5b68, author = {Jordan Herman}, title = {{RiskIQ: Unique SSL Certificates and JARM Hash Connected to Emotet and Dridex C2 Servers}}, date = {2022-01-14}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/2cd1c003}, language = {English}, urldate = {2022-01-18} } RiskIQ: Unique SSL Certificates and JARM Hash Connected to Emotet and Dridex C2 Servers
Dridex Emotet
2022-01-13 | Trustwave | Lloyd Macrohon, Rodel Mendrez
@online{macrohon:20220113:decrypting:274747e, author = {Lloyd Macrohon and Rodel Mendrez}, title = {{Decrypting Qakbot’s Encrypted Registry Keys}}, date = {2022-01-13}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/decrypting-qakbots-encrypted-registry-keys/}, language = {English}, urldate = {2022-01-25} } Decrypting Qakbot’s Encrypted Registry Keys
QakBot
2022-01-11 | Cybereason | Omri Refaeli, Chen Erlich, Ofir Ozer, Niv Yona, Daichi Shimabukuro
@online{refaeli:20220111:threat:fd22089, author = {Omri Refaeli and Chen Erlich and Ofir Ozer and Niv Yona and Daichi Shimabukuro}, title = {{Threat Analysis Report: DatopLoader Exploits ProxyShell to Deliver QBOT and Cobalt Strike}}, date = {2022-01-11}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike}, language = {English}, urldate = {2022-01-18} } Threat Analysis Report: DatopLoader Exploits ProxyShell to Deliver QBOT and Cobalt Strike
Cobalt Strike QakBot Squirrelwaffle
2022-01-07 | muha2xmad | Muhammad Hasan Ali
@online{ali:20220107:unpacking:e59d104, author = {Muhammad Hasan Ali}, title = {{Unpacking Emotet malware part 02}}, date = {2022-01-07}, organization = {muha2xmad}, url = {https://muha2xmad.github.io/unpacking/emotet-part-2/}, language = {English}, urldate = {2022-02-14} } Unpacking Emotet malware part 02
Emotet
2022-01-06 | muha2xmad | Muhammad Hasan Ali
@online{ali:20220106:unpacking:57cdd55, author = {Muhammad Hasan Ali}, title = {{Unpacking Emotet malware part 01}}, date = {2022-01-06}, organization = {muha2xmad}, url = {https://muha2xmad.github.io/unpacking/emotet-part-1/}, language = {English}, urldate = {2022-02-14} } Unpacking Emotet malware part 01
Emotet
2022-01-01 | forensicitguy | Tony Lambert
@online{lambert:20220101:analyzing:1512a76, author = {Tony Lambert}, title = {{Analyzing an IcedID Loader Document}}, date = {2022-01-01}, organization = {forensicitguy}, url = {https://forensicitguy.github.io/analyzing-icedid-document/}, language = {English}, urldate = {2022-01-25} } Analyzing an IcedID Loader Document
IcedID
2021-12-17 | Trend Micro | Abraham Camba, Jonna Santos, Gilbert Sison, Jay Yaneza
@online{camba:20211217:staging:0ec37d9, author = {Abraham Camba and Jonna Santos and Gilbert Sison and Jay Yaneza}, title = {{Staging a Quack: Reverse Analyzing a Fileless QAKBOT Stager}}, date = {2021-12-17}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/l/staging-a-quack-reverse-analyzing-fileless-qakbot-stager.html}, language = {English}, urldate = {2021-12-31} } Staging a Quack: Reverse Analyzing a Fileless QAKBOT Stager
QakBot
2021-12-16 | InfoSec Handlers Diary Blog | Brad Duncan
@online{duncan:20211216:how:6fd0b06, author = {Brad Duncan}, title = {{How the "Contact Forms" campaign tricks people}}, date = {2021-12-16}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/forums/diary/How+the+Contact+Forms+campaign+tricks+people/28142/}, language = {English}, urldate = {2021-12-31} } How the "Contact Forms" campaign tricks people
IcedID
2021-12-16 | Red Canary | The Red Canary Team
@online{team:20211216:intelligence:f7bad55, author = {The Red Canary Team}, title = {{Intelligence Insights: December 2021}}, date = {2021-12-16}, organization = {Red Canary}, url = {https://redcanary.com/blog/intelligence-insights-december-2021}, language = {English}, urldate = {2021-12-31} } Intelligence Insights: December 2021
Cobalt Strike QakBot Squirrelwaffle
2021-12-13 | Zscaler | Dennis Schwarz, Avinash Kumar
@online{schwarz:20211213:return:94bdbce, author = {Dennis Schwarz and Avinash Kumar}, title = {{Return of Emotet: Malware Analysis}}, date = {2021-12-13}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/return-emotet-malware-analysis}, language = {English}, urldate = {2021-12-20} } Return of Emotet: Malware Analysis
Emotet
2021-12-11 | YouTube (AGDC Services) | AGDC Services
@online{services:20211211:how:358bd74, author = {AGDC Services}, title = {{How To Extract & Decrypt Qbot Configs Across Variants}}, date = {2021-12-11}, organization = {YouTube (AGDC Services)}, url = {https://www.youtube.com/watch?v=M22c1JgpG-U}, language = {English}, urldate = {2021-12-20} } How To Extract & Decrypt Qbot Configs Across Variants
QakBot
2021-12-09 | Microsoft | Microsoft 365 Defender Threat Intelligence Team
@online{team:20211209:closer:bace4ec, author = {Microsoft 365 Defender Threat Intelligence Team}, title = {{A closer look at Qakbot’s latest building blocks (and how to knock them down)}}, date = {2021-12-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/}, language = {English}, urldate = {2021-12-13} } A closer look at Qakbot’s latest building blocks (and how to knock them down)
QakBot
2021-12-09 | HP | Patrick Schläpfer
@online{schlpfer:20211209:emotets:aa090a7, author = {Patrick Schläpfer}, title = {{Emotet’s Return: What’s Different?}}, date = {2021-12-09}, organization = {HP}, url = {https://threatresearch.ext.hp.com/emotets-return-whats-different/}, language = {English}, urldate = {2022-01-18} } Emotet’s Return: What’s Different?
Emotet
2021-12-08 | Check Point Research | Raman Ladutska, Aliaksandr Trafimchuk, David Driker, Yali Magiel
@online{ladutska:20211208:when:16ee92b, author = {Raman Ladutska and Aliaksandr Trafimchuk and David Driker and Yali Magiel}, title = {{When old friends meet again: why Emotet chose Trickbot for rebirth}}, date = {2021-12-08}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2021/when-old-friends-meet-again-why-emotet-chose-trickbot-for-rebirth/}, language = {English}, urldate = {2022-02-18} } When old friends meet again: why Emotet chose Trickbot for rebirth
Emotet TrickBot
2021-12-07 | Bleeping Computer | Lawrence Abrams
@online{abrams:20211207:emotet:f33c999, author = {Lawrence Abrams}, title = {{Emotet now drops Cobalt Strike, fast forwards ransomware attacks}}, date = {2021-12-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/emotet-now-drops-cobalt-strike-fast-forwards-ransomware-attacks/}, language = {English}, urldate = {2021-12-08} } Emotet now drops Cobalt Strike, fast forwards ransomware attacks
Cobalt Strike Emotet
2021-12-03 | SANS ISC InfoSec Forums | Brad Duncan
@online{duncan:20211203:ta551:f71be57, author = {Brad Duncan}, title = {{TA551 (Shathak) pushes IcedID (Bokbot)}}, date = {2021-12-03}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/TA551+Shathak+pushes+IcedID+Bokbot/28092/}, language = {English}, urldate = {2021-12-06} } TA551 (Shathak) pushes IcedID (Bokbot)
IcedID
2021-11-25 | DSIH | Charles Blanc-Rolin
@online{blancrolin:20211125:emotet:b02b32b, author = {Charles Blanc-Rolin}, title = {{Emotet de retour, POC Exchange, 0-day Windows : à quelle sauce les attaquants prévoient de nous manger cette semaine?}}, date = {2021-11-25}, organization = {DSIH}, url = {https://www.dsih.fr/article/4483/emotet-de-retour-poc-exchange-0-day-windows-a-quelle-sauce-les-attaquants-prevoient-de-nous-manger-cette-semaine.html}, language = {French}, urldate = {2021-12-06} } Emotet de retour, POC Exchange, 0-day Windows : à quelle sauce les attaquants prévoient de nous manger cette semaine?
Emotet
2021-11-23 | Anomali | Anomali Threat Research
@online{research:20211123:mummy:8cffd4e, author = {Anomali Threat Research}, title = {{Mummy Spider’s Emotet Malware is Back After a Year Hiatus; Wizard Spider’s TrickBot Observed in Its Return}}, date = {2021-11-23}, organization = {Anomali}, url = {https://www.anomali.com/blog/mummy-spiders-emotet-malware-is-back-after-a-year-hiatus-wizard-spiders-trickbot-observed-in-its-return}, language = {English}, urldate = {2021-11-26} } Mummy Spider’s Emotet Malware is Back After a Year Hiatus; Wizard Spider’s TrickBot Observed in Its Return
Emotet
2021-11-21 | Twitter (@tylabs) | Tyler McLellan, Twitter (@ffforward)
@online{mclellan:20211121:twitter:018d4b1, author = {Tyler McLellan and Twitter (@ffforward)}, title = {{Twitter Thread about UNC1500 phishing using QAKBOT}}, date = {2021-11-21}, organization = {Twitter (@tylabs)}, url = {https://twitter.com/tylabs/status/1462195377277476871}, language = {English}, urldate = {2021-11-29} } Twitter Thread about UNC1500 phishing using QAKBOT
QakBot
2021-11-20 | Advanced Intelligence | Yelisey Boguslavskiy, Vitali Kremez
@online{boguslavskiy:20211120:corporate:a8b0a1c, author = {Yelisey Boguslavskiy and Vitali Kremez}, title = {{Corporate Loader "Emotet": History of "X" Project Return for Ransomware}}, date = {2021-11-20}, organization = {Advanced Intelligence}, url = {https://www.advintel.io/post/corporate-loader-emotet-history-of-x-project-return-for-ransomware}, language = {English}, urldate = {2021-11-25} } Corporate Loader "Emotet": History of "X" Project Return for Ransomware
Emotet
2021-11-20 | Youtube (HEXORCIST) | Nicolas Brulez
@online{brulez:20211120:unpacking:b26d2fb, author = {Nicolas Brulez}, title = {{Unpacking Emotet and Reversing Obfuscated Word Document}}, date = {2021-11-20}, organization = {Youtube (HEXORCIST)}, url = {https://www.youtube.com/watch?v=AkZ5TYBqcU4}, language = {English}, urldate = {2021-12-20} } Unpacking Emotet and Reversing Obfuscated Word Document
Emotet
2021-11-20 | Twitter (@eduardfir) | Eduardo Mattos
@online{mattos:20211120:velociraptor:bc6d897, author = {Eduardo Mattos}, title = {{Tweet on Velociraptor artifact analysis for Emotet}}, date = {2021-11-20}, organization = {Twitter (@eduardfir)}, url = {https://twitter.com/eduardfir/status/1461856030292422659}, language = {English}, urldate = {2021-11-25} } Tweet on Velociraptor artifact analysis for Emotet
Emotet
2021-11-19 | Trend Micro | Mohamed Fahmy, Sherif Magdy, Abdelrhman Sharshar
@online{fahmy:20211119:squirrelwaffle:1e8fa78, author = {Mohamed Fahmy and Sherif Magdy and Abdelrhman Sharshar}, title = {{Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains}}, date = {2021-11-19}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html}, language = {English}, urldate = {2021-11-25} } Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains
Cobalt Strike QakBot Squirrelwaffle
2021-11-19 | CRONUP | Germán Fernández
@online{fernndez:20211119:la:2cbc6a0, author = {Germán Fernández}, title = {{La Botnet de EMOTET reinicia ataques en Chile y LATAM}}, date = {2021-11-19}, organization = {CRONUP}, url = {https://www.cronup.com/la-botnet-de-emotet-reinicia-ataques-en-chile-y-latinoamerica/}, language = {Spanish}, urldate = {2021-11-25} } La Botnet de EMOTET reinicia ataques en Chile y LATAM
Emotet
2021-11-19 | LAC WATCH | LAC WATCH
@online{watch:20211119:malware:c504e6f, author = {LAC WATCH}, title = {{Malware Emotet resumes its activities for the first time in 10 months, and Japan is also the target of the attack}}, date = {2021-11-19}, organization = {LAC WATCH}, url = {https://www.lac.co.jp/lacwatch/alert/20211119_002801.html}, language = {English}, urldate = {2021-11-25} } Malware Emotet resumes its activities for the first time in 10 months, and Japan is also the target of the attack
Emotet
2021-11-18 | Red Canary | The Red Canary Team
@online{team:20211118:intelligence:7b00cb9, author = {The Red Canary Team}, title = {{Intelligence Insights: November 2021}}, date = {2021-11-18}, organization = {Red Canary}, url = {https://redcanary.com/blog/intelligence-insights-november-2021/}, language = {English}, urldate = {2021-11-19} } Intelligence Insights: November 2021
Andromeda Conti LockBit QakBot Squirrelwaffle
2021-11-18 | Netskope | Gustavo Palazolo, Ghanashyam Satpathy
@online{palazolo:20211118:netskope:39d2098, author = {Gustavo Palazolo and Ghanashyam Satpathy}, title = {{Netskope Threat Coverage: The Return of Emotet}}, date = {2021-11-18}, organization = {Netskope}, url = {https://www.netskope.com/blog/netskope-threat-coverage-the-return-of-emotet}, language = {English}, urldate = {2021-11-25} } Netskope Threat Coverage: The Return of Emotet
Emotet
2021-11-18 | eSentire | eSentire
@online{esentire:20211118:emotet:ded09a3, author = {eSentire}, title = {{Emotet Activity Identified}}, date = {2021-11-18}, organization = {eSentire}, url = {https://www.esentire.com/security-advisories/emotet-activity-identified}, language = {English}, urldate = {2021-11-19} } Emotet Activity Identified
Emotet
2021-11-17 | Twitter (@Unit42_Intel) | Unit 42
@online{42:20211117:matanbuchus:9e3556c, author = {Unit 42}, title = {{Tweet on Matanbuchus Loader used to deliver Qakbot (tag obama128b) and follow-up CobaltStrike}}, date = {2021-11-17}, organization = {Twitter (@Unit42_Intel)}, url = {https://twitter.com/Unit42_Intel/status/1461004489234829320}, language = {English}, urldate = {2021-11-25} } Tweet on Matanbuchus Loader used to deliver Qakbot (tag obama128b) and follow-up CobaltStrike
Cobalt Strike QakBot
2021-11-16 | IronNet | IronNet Threat Research, Morgan Demboski, Joey Fitzpatrick, Peter Rydzynski
@online{research:20211116:how:d7fdaf8, author = {IronNet Threat Research and Morgan Demboski and Joey Fitzpatrick and Peter Rydzynski}, title = {{How IronNet's Behavioral Analytics Detect REvil and Conti Ransomware}}, date = {2021-11-16}, organization = {IronNet}, url = {https://www.ironnet.com/blog/ransomware-graphic-blog}, language = {English}, urldate = {2021-11-25} } How IronNet's Behavioral Analytics Detect REvil and Conti Ransomware
Cobalt Strike Conti IcedID REvil
2021-11-16 | InfoSec Handlers Diary Blog | Brad Duncan
@online{duncan:20211116:emotet:3545954, author = {Brad Duncan}, title = {{Emotet Returns}}, date = {2021-11-16}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/28044}, language = {English}, urldate = {2021-11-17} } Emotet Returns
Emotet
2021-11-16 | Hornetsecurity | Security Lab
@online{lab:20211116:comeback:7f2b540, author = {Security Lab}, title = {{Comeback of Emotet}}, date = {2021-11-16}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/threat-research/comeback-emotet/}, language = {English}, urldate = {2021-11-25} } Comeback of Emotet
Emotet
2021-11-16 | Zscaler | Deepen Desai
@online{desai:20211116:return:936dad6, author = {Deepen Desai}, title = {{Return of Emotet malware}}, date = {2021-11-16}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/return-emotet-malware}, language = {English}, urldate = {2021-11-19} } Return of Emotet malware
Emotet
2021-11-16 | Malwarebytes | Malwarebytes Threat Intelligence Team
@online{team:20211116:trickbot:b624694, author = {Malwarebytes Threat Intelligence Team}, title = {{TrickBot helps Emotet come back from the dead}}, date = {2021-11-16}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-intelligence/2021/11/trickbot-helps-emotet-come-back-from-the-dead/}, language = {English}, urldate = {2021-11-17} } TrickBot helps Emotet come back from the dead
Emotet TrickBot
2021-11-16 | Twitter (@kienbigmummy) | m4n0w4r
@online{m4n0w4r:20211116:short:97d45fa, author = {m4n0w4r}, title = {{Tweet on short analysis of QakBot}}, date = {2021-11-16}, organization = {Twitter (@kienbigmummy)}, url = {https://twitter.com/kienbigmummy/status/1460537501676802051}, language = {English}, urldate = {2021-11-19} } Tweet on short analysis of QakBot
QakBot
2021-11-15 | Bleeping Computer | Lawrence Abrams
@online{abrams:20211115:emotet:8de6d81, author = {Lawrence Abrams}, title = {{Emotet malware is back and rebuilding its botnet via TrickBot}}, date = {2021-11-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/emotet-malware-is-back-and-rebuilding-its-botnet-via-trickbot/}, language = {English}, urldate = {2021-11-17} } Emotet malware is back and rebuilding its botnet via TrickBot
Emotet
2021-11-15 | TRUESEC | Fabio Viggiani
@online{viggiani:20211115:proxyshell:bf17c6d, author = {Fabio Viggiani}, title = {{ProxyShell, QBot, and Conti Ransomware Combined in a Series of Cyberattacks}}, date = {2021-11-15}, organization = {TRUESEC}, url = {https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks}, language = {English}, urldate = {2021-11-17} } ProxyShell, QBot, and Conti Ransomware Combined in a Series of Cyberattacks
Cobalt Strike Conti QakBot
2021-11-15 | cyber.wtf blog | Luca Ebach
@online{ebach:20211115:guess:81c7df8, author = {Luca Ebach}, title = {{Guess who’s back}}, date = {2021-11-15}, organization = {cyber.wtf blog}, url = {https://cyber.wtf/2021/11/15/guess-whos-back/}, language = {English}, urldate = {2021-11-17} } Guess who’s back
Emotet
2021-11-13 | YouTube (AGDC Services) | AGDC Services
@online{services:20211113:automate:487e01f, author = {AGDC Services}, title = {{Automate Qbot Malware String Decryption With Ghidra Script}}, date = {2021-11-13}, organization = {YouTube (AGDC Services)}, url = {https://www.youtube.com/watch?v=4I0LF8Vm7SI}, language = {English}, urldate = {2021-11-19} } Automate Qbot Malware String Decryption With Ghidra Script
QakBot
2021-11-13 | Trend Micro | Ian Kenefick, Vladimir Kropotov
@online{kenefick:20211113:qakbot:3138b93, author = {Ian Kenefick and Vladimir Kropotov}, title = {{QAKBOT Loader Returns With New Techniques and Tools}}, date = {2021-11-13}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/k/qakbot-loader-returns-with-new-techniques-and-tools.html}, language = {English}, urldate = {2021-11-17} } QAKBOT Loader Returns With New Techniques and Tools
QakBot
2021-11-12 | Recorded Future | Insikt Group®
@techreport{group:20211112:business:6d6cffa, author = {Insikt Group®}, title = {{The Business of Fraud: Botnet Malware Dissemination}}, date = {2021-11-12}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf}, language = {English}, urldate = {2021-11-17} } The Business of Fraud: Botnet Malware Dissemination
Mozi Dridex IcedID QakBot TrickBot
2021-11-12 | Trend Micro | Ian Kenefick, Vladimir Kropotov
@techreport{kenefick:20211112:prelude:781d4d7, author = {Ian Kenefick and Vladimir Kropotov}, title = {{The Prelude to Ransomware: A Look into Current QAKBOT Capabilities and Global Activities}}, date = {2021-11-12}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/pdf/Technical-Brief---The-Prelude-to-Ransomware-A-Look-into-Current-QAKBOT-Capabilities-and-Activity.pdf}, language = {English}, urldate = {2021-11-17} } The Prelude to Ransomware: A Look into Current QAKBOT Capabilities and Global Activities
QakBot
2021-11-11 | Cynet | Max Malyutin
@online{malyutin:20211111:duck:897cc6f, author = {Max Malyutin}, title = {{A Duck Nightmare Quakbot Strikes with QuakNightmare Exploitation}}, date = {2021-11-11}, organization = {Cynet}, url = {https://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation/}, language = {English}, urldate = {2021-11-25} } A Duck Nightmare Quakbot Strikes with QuakNightmare Exploitation
Cobalt Strike QakBot
2021-11-11 | vmware | Jason Zhang, Stefano Ortolani, Giovanni Vigna, Threat Analysis Unit
@online{zhang:20211111:research:b254ed6, author = {Jason Zhang and Stefano Ortolani and Giovanni Vigna and Threat Analysis Unit}, title = {{Research Recap: How To Automate Malware Campaign Detection With Telemetry Peak Analyzer}}, date = {2021-11-11}, organization = {vmware}, url = {https://blogs.vmware.com/security/2021/11/telemetry-peak-analyzer-an-automatic-malware-campaign-detector.html}, language = {English}, urldate = {2022-03-22} } Research Recap: How To Automate Malware Campaign Detection With Telemetry Peak Analyzer
Phorpiex QakBot
2021-11-10CIRCLCIRCL
@online{circl:20211110:tr64:37ab4d8, author = {CIRCL}, title = {{TR-64 - Exploited Exchange Servers - Mails with links to malware from known/valid senders}}, date = {2021-11-10}, organization = {CIRCL}, url = {https://www.circl.lu/pub/tr-64/}, language = {English}, urldate = {2021-11-25} } TR-64 - Exploited Exchange Servers - Mails with links to malware from known/valid senders
QakBot
2021-11-09MinervaLabsMinerva Labs
@online{labs:20211109:new:411a8fd, author = {Minerva Labs}, title = {{A New DatopLoader Delivers QakBot Trojan}}, date = {2021-11-09}, organization = {MinervaLabs}, url = {https://blog.minerva-labs.com/a-new-datoploader-delivers-qakbot-trojan}, language = {English}, urldate = {2021-11-17} } A New DatopLoader Delivers QakBot Trojan
QakBot Squirrelwaffle
2021-11-04splunkSplunk Threat Research Team
@online{team:20211104:detecting:d8aba5b, author = {Splunk Threat Research Team}, title = {{Detecting IcedID... Could It Be A Trickbot Copycat?}}, date = {2021-11-04}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/detecting-icedid-could-it-be-a-trickbot-copycat.html}, language = {English}, urldate = {2021-11-08} } Detecting IcedID... Could It Be A Trickbot Copycat?
IcedID
2021-11-03Twitter (@Corvid_Cyber)CORVID
@online{corvid:20211103:unique:3709f32, author = {CORVID}, title = {{Tweet on a unique Qbot debugger dropped by an actor after compromise}}, date = {2021-11-03}, organization = {Twitter (@Corvid_Cyber)}, url = {https://twitter.com/Corvid_Cyber/status/1455844008081641472}, language = {English}, urldate = {2021-11-08} } Tweet on a unique Qbot debugger dropped by an actor after compromise
QakBot
2021-11-03Team Cymrutcblogposts
@online{tcblogposts:20211103:webinject:f4d41bb, author = {tcblogposts}, title = {{Webinject Panel Administration: A Vantage Point into Multiple Threat Actor Campaigns - A Case Study on the Value of Threat Reconnaisance}}, date = {2021-11-03}, organization = {Team Cymru}, url = {https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/}, language = {English}, urldate = {2021-11-08} } Webinject Panel Administration: A Vantage Point into Multiple Threat Actor Campaigns - A Case Study on the Value of Threat Reconnaisance
DoppelDridex IcedID QakBot Zloader
2021-10-26ANSSI
@techreport{anssi:20211026:identification:9444ac3, author = {ANSSI}, title = {{Identification of a new cyber criminal group: Lockean}}, date = {2021-10-26}, institution = {}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf}, language = {English}, urldate = {2022-01-25} } Identification of a new cyber criminal group: Lockean
Cobalt Strike DoppelPaymer Egregor Maze PwndLocker QakBot REvil
2021-10-26Cisco TalosEdmund Brumaghin, Mariano Graziano, Nick Mavis
@online{brumaghin:20211026:squirrelwaffle:88c5943, author = {Edmund Brumaghin and Mariano Graziano and Nick Mavis}, title = {{SQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike}}, date = {2021-10-26}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html}, language = {English}, urldate = {2021-11-02} } SQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike
Cobalt Strike QakBot Squirrelwaffle
2021-10-18The DFIR ReportThe DFIR Report
@online{report:20211018:icedid:0b574b0, author = {The DFIR Report}, title = {{IcedID to XingLocker Ransomware in 24 hours}}, date = {2021-10-18}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/}, language = {English}, urldate = {2021-10-22} } IcedID to XingLocker Ransomware in 24 hours
Cobalt Strike IcedID Mount Locker
2021-10-15Trend MicroFernando Mercês
@online{mercs:20211015:ransomware:c944933, author = {Fernando Mercês}, title = {{Ransomware Operators Found Using New "Franchise" Business Model}}, date = {2021-10-15}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/j/ransomware-operators-found-using-new-franchise-business-model.html}, language = {English}, urldate = {2021-10-24} } Ransomware Operators Found Using New "Franchise" Business Model
Glupteba IcedID Mount Locker
2021-10-07NetskopeGustavo Palazolo, Ghanashyam Satpathy
@online{palazolo:20211007:squirrelwaffle:3506816, author = {Gustavo Palazolo and Ghanashyam Satpathy}, title = {{SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot}}, date = {2021-10-07}, organization = {Netskope}, url = {https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot}, language = {English}, urldate = {2021-10-11} } SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot
Cobalt Strike QakBot Squirrelwaffle
2021-09-03Trend MicroMohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2021-09-03IBMCamille Singleton, Andrew Gorecki, John Dwyer
@online{singleton:20210903:dissecting:4d56786, author = {Camille Singleton and Andrew Gorecki and John Dwyer}, title = {{Dissecting Sodinokibi Ransomware Attacks: Bringing Incident Response and Intelligence Together in the Fight}}, date = {2021-09-03}, organization = {IBM}, url = {https://securityintelligence.com/posts/sodinokibi-ransomware-incident-response-intelligence-together/}, language = {English}, urldate = {2021-09-09} } Dissecting Sodinokibi Ransomware Attacks: Bringing Incident Response and Intelligence Together in the Fight
Valak QakBot REvil
2021-09-02KasperskyAnton Kuzmenko, Oleg Kupreev, Haim Zigel
@online{kuzmenko:20210902:qakbot:219d23c, author = {Anton Kuzmenko and Oleg Kupreev and Haim Zigel}, title = {{QakBot Technical Analysis}}, date = {2021-09-02}, organization = {Kaspersky}, url = {https://securelist.com/qakbot-technical-analysis/103931/}, language = {English}, urldate = {2021-09-06} } QakBot Technical Analysis
QakBot
2021-08-15SymantecThreat Hunter Team
@techreport{team:20210815:ransomware:f799696, author = {Threat Hunter Team}, title = {{The Ransomware Threat}}, date = {2021-08-15}, institution = {Symantec}, url = {https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf}, language = {English}, urldate = {2021-12-15} } The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker
2021-08-05The RecordCatalin Cimpanu
@online{cimpanu:20210805:meet:bce8310, author = {Catalin Cimpanu}, title = {{Meet Prometheus, the secret TDS behind some of today’s malware campaigns}}, date = {2021-08-05}, organization = {The Record}, url = {https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/}, language = {English}, urldate = {2021-08-06} } Meet Prometheus, the secret TDS behind some of today’s malware campaigns
Buer campoloader IcedID QakBot
2021-08-05Group-IBViktor Okorokov, Nikita Rostovcev
@online{okorokov:20210805:prometheus:38ab6a6, author = {Viktor Okorokov and Nikita Rostovcev}, title = {{Prometheus TDS The key to success for Campo Loader, Hancitor, IcedID, and QBot}}, date = {2021-08-05}, organization = {Group-IB}, url = {https://blog.group-ib.com/prometheus-tds}, language = {English}, urldate = {2021-08-06} } Prometheus TDS The key to success for Campo Loader, Hancitor, IcedID, and QBot
Prometheus Backdoor Buer campoloader Hancitor IcedID QakBot
2021-07-30HPPatrick Schläpfer
@online{schlpfer:20210730:detecting:2291323, author = {Patrick Schläpfer}, title = {{Detecting TA551 domains}}, date = {2021-07-30}, organization = {HP}, url = {https://threatresearch.ext.hp.com/detecting-ta551-domains/}, language = {English}, urldate = {2021-08-02} } Detecting TA551 domains
Valak Dridex IcedID ISFB QakBot
2021-07-26vmwareQuentin Fois, Pavankumar Chaudhari
@online{fois:20210726:hunting:ff1181b, author = {Quentin Fois and Pavankumar Chaudhari}, title = {{Hunting IcedID and unpacking automation with Qiling}}, date = {2021-07-26}, organization = {vmware}, url = {https://blogs.vmware.com/security/2021/07/hunting-icedid-and-unpacking-automation-with-qiling.html}, language = {English}, urldate = {2021-07-27} } Hunting IcedID and unpacking automation with Qiling
IcedID
2021-07-240ffset BlogDaniel Bunce
@online{bunce:20210724:quack:ddda5cd, author = {Daniel Bunce}, title = {{Quack Quack: Analysing Qakbot’s Browser Hooking Module – Part 1}}, date = {2021-07-24}, organization = {0ffset Blog}, url = {https://www.0ffset.net/reverse-engineering/malware-analysis/qakbot-browser-hooking-p1/}, language = {English}, urldate = {2021-08-02} } Quack Quack: Analysing Qakbot’s Browser Hooking Module – Part 1
QakBot
2021-07-23Github (Lastline-Inc)Quentin Fois, Pavankumar Chaudhari
@online{fois:20210723:yara:e9a8a22, author = {Quentin Fois and Pavankumar Chaudhari}, title = {{YARA rules, IOCs and Scripts for extracting IcedID C2s}}, date = {2021-07-23}, organization = {Github (Lastline-Inc)}, url = {https://github.com/Lastline-Inc/iocs-tools/tree/main/2021-07-IcedID-Part-2}, language = {English}, urldate = {2021-07-27} } YARA rules, IOCs and Scripts for extracting IcedID C2s
IcedID
2021-07-19The DFIR ReportThe DFIR Report
@online{report:20210719:icedid:0365384, author = {The DFIR Report}, title = {{IcedID and Cobalt Strike vs Antivirus}}, date = {2021-07-19}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/}, language = {English}, urldate = {2021-07-20} } IcedID and Cobalt Strike vs Antivirus
Cobalt Strike IcedID
2021-07-14Cerium NetworksBlumira
@online{blumira:20210714:threat:614d084, author = {Blumira}, title = {{Threat of the Month: IcedID Malware}}, date = {2021-07-14}, organization = {Cerium Networks}, url = {https://ceriumnetworks.com/threat-of-the-month-icedid-malware/}, language = {English}, urldate = {2021-07-20} } Threat of the Month: IcedID Malware
IcedID
2021-07-12The RecordCatalin Cimpanu
@online{cimpanu:20210712:over:c88e351, author = {Catalin Cimpanu}, title = {{Over 780,000 email accounts compromised by Emotet have been secured}}, date = {2021-07-12}, organization = {The Record}, url = {https://therecord.media/over-780000-email-accounts-compromised-by-emotet-have-been-secured/}, language = {English}, urldate = {2021-07-20} } Over 780,000 email accounts compromised by Emotet have been secured
Emotet
2021-07-08vmwareQuentin Fois, Pavankumar Chaudhari
@online{fois:20210708:icedid:47da76d, author = {Quentin Fois and Pavankumar Chaudhari}, title = {{IcedID: Analysis and Detection}}, date = {2021-07-08}, organization = {vmware}, url = {https://blogs.vmware.com/security/2021/07/icedid-analysis-and-detection.html}, language = {English}, urldate = {2021-07-20} } IcedID: Analysis and Detection
IcedID
2021-06-30CynetMax Malyutin
@online{malyutin:20210630:shelob:1c93f5d, author = {Max Malyutin}, title = {{Shelob Moonlight – Spinning a Larger Web From IcedID to CONTI, a Trojan and Ransomware collaboration}}, date = {2021-06-30}, organization = {Cynet}, url = {https://www.cynet.com/attack-techniques-hands-on/shelob-moonlight-spinning-a-larger-web/}, language = {English}, urldate = {2021-07-20} } Shelob Moonlight – Spinning a Larger Web From IcedID to CONTI, a Trojan and Ransomware collaboration
Conti IcedID
2021-06-24SentinelOneMarco Figueroa
@online{figueroa:20210624:evasive:7f0d507, author = {Marco Figueroa}, title = {{Evasive Maneuvers | Massive IcedID Campaign Aims For Stealth with Benign Macros}}, date = {2021-06-24}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/evasive-maneuvers-massive-icedid-campaign-aims-for-stealth-with-benign-macros/}, language = {English}, urldate = {2021-06-29} } Evasive Maneuvers | Massive IcedID Campaign Aims For Stealth with Benign Macros
IcedID
2021-06-24KasperskyAnton Kuzmenko
@online{kuzmenko:20210624:malicious:83a5c83, author = {Anton Kuzmenko}, title = {{Malicious spam campaigns delivering banking Trojans}}, date = {2021-06-24}, organization = {Kaspersky}, url = {https://securelist.com/malicious-spam-campaigns-delivering-banking-trojans/102917}, language = {English}, urldate = {2021-06-25} } Malicious spam campaigns delivering banking Trojans
IcedID QakBot
2021-06-20The DFIR ReportThe DFIR Report
@online{report:20210620:from:aadb7e8, author = {The DFIR Report}, title = {{From Word to Lateral Movement in 1 Hour}}, date = {2021-06-20}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/}, language = {English}, urldate = {2021-06-22} } From Word to Lateral Movement in 1 Hour
Cobalt Strike IcedID
2021-06-16ProofpointSelena Larson, Daniel Blackford, Garrett M. Graff
@online{larson:20210616:first:2e436a0, author = {Selena Larson and Daniel Blackford and Garrett M. Graff}, title = {{The First Step: Initial Access Leads to Ransomware}}, date = {2021-06-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware}, language = {English}, urldate = {2021-06-21} } The First Step: Initial Access Leads to Ransomware
BazarBackdoor Egregor IcedID Maze QakBot REvil Ryuk TrickBot WastedLocker
2021-06-16Twitter (@ChouchWard)ch0uch ward
@online{ward:20210616:qbot:1adaa08, author = {ch0uch ward}, title = {{Tweet on Qbot operators left their web server's access.log file unsecured}}, date = {2021-06-16}, organization = {Twitter (@ChouchWard)}, url = {https://twitter.com/ChouchWard/status/1405168040254316547}, language = {English}, urldate = {2021-06-21} } Tweet on Qbot operators left their web server's access.log file unsecured
QakBot
2021-06-16S2 GrupoCSIRT-CV (the ICT Security Center of the Valencian Community)
@online{community:20210616:emotet:7e0fafe, author = {CSIRT-CV (the ICT Security Center of the Valencian Community)}, title = {{Emotet campaign analysis}}, date = {2021-06-16}, organization = {S2 Grupo}, url = {https://www.securityartwork.es/2021/06/16/analisis-campana-emotet/}, language = {Spanish}, urldate = {2021-06-21} } Emotet campaign analysis
Emotet QakBot
2021-06-15Perception PointShai Golderman
@online{golderman:20210615:insights:d3fc7b6, author = {Shai Golderman}, title = {{Insights Into an Excel 4.0 Macro Attack using Qakbot Malware}}, date = {2021-06-15}, organization = {Perception Point}, url = {https://perception-point.io/insights-into-an-excel-4-0-macro-attack-using-qakbot-malware}, language = {English}, urldate = {2021-06-21} } Insights Into an Excel 4.0 Macro Attack using Qakbot Malware
QakBot
2021-06-10TagesschauHakan Tanriverdi, Maximilian Zierer
@online{tanriverdi:20210610:schadsoftware:834b3fd, author = {Hakan Tanriverdi and Maximilian Zierer}, title = {{Schadsoftware Emotet: BKA befragt Schlüsselfigur}}, date = {2021-06-10}, organization = {Tagesschau}, url = {https://www.tagesschau.de/investigativ/br-recherche/emotet-schadsoftware-103.html}, language = {English}, urldate = {2021-07-02} } Schadsoftware Emotet: BKA befragt Schlüsselfigur
Emotet
2021-06-10ZEIT OnlineVon Kai Biermann, Astrid Geisler, Herwig G. Höller, Karsten Polke-Majewski, Zachary Kamel
@online{biermann:20210610:trail:42969a8, author = {Von Kai Biermann and Astrid Geisler and Herwig G. Höller and Karsten Polke-Majewski and Zachary Kamel}, title = {{On the Trail of the Internet Extortionists}}, date = {2021-06-10}, organization = {ZEIT Online}, url = {https://www.zeit.de/digital/2021-06/cybercrime-extortion-internet-spyware-ransomware-police-prosecution-hackers}, language = {English}, urldate = {2021-07-02} } On the Trail of the Internet Extortionists
Emotet Mailto
2021-06-10ZAYOTEMİlker Verimoğlu, Emre Doğan, Kaan Binen, Abdulkadir Binan, Emrah Sarıdağ
@online{verimolu:20210610:qakbot:4896852, author = {İlker Verimoğlu and Emre Doğan and Kaan Binen and Abdulkadir Binan and Emrah Sarıdağ}, title = {{QakBot Technical Analysis Report}}, date = {2021-06-10}, organization = {ZAYOTEM}, url = {https://drive.google.com/file/d/1mO2Zb-Q94t39DvdASd4KNTPBD8JdkyC3/view}, language = {English}, urldate = {2021-06-16} } QakBot Technical Analysis Report
QakBot
2021-06-08Advanced IntelligenceVitali Kremez, Yelisey Boguslavskiy
@online{kremez:20210608:from:62f4d20, author = {Vitali Kremez and Yelisey Boguslavskiy}, title = {{From QBot...with REvil Ransomware: Initial Attack Exposure of JBS}}, date = {2021-06-08}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/from-qbot-with-revil-ransomware-initial-attack-exposure-of-jbs}, language = {English}, urldate = {2021-06-09} } From QBot...with REvil Ransomware: Initial Attack Exposure of JBS
QakBot REvil
2021-06-02Bleeping ComputerLawrence Abrams
@online{abrams:20210602:fujifilm:eced96f, author = {Lawrence Abrams}, title = {{FUJIFILM shuts down network after suspected ransomware attack}}, date = {2021-06-02}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fujifilm-shuts-down-network-after-suspected-ransomware-attack/}, language = {English}, urldate = {2021-06-09} } FUJIFILM shuts down network after suspected ransomware attack
QakBot
2021-05-29Youtube (AhmedS Kasmani)AhmedS Kasmani
@online{kasmani:20210529:analysis:96b0902, author = {AhmedS Kasmani}, title = {{Analysis of ICEID Malware Installer DLL}}, date = {2021-05-29}, organization = {Youtube (AhmedS Kasmani)}, url = {https://www.youtube.com/watch?v=wMXD4Sv1Alw}, language = {English}, urldate = {2021-06-04} } Analysis of ICEID Malware Installer DLL
IcedID
2021-05-26DeepInstinctRon Ben Yizhak
@online{yizhak:20210526:deep:c123a19, author = {Ron Ben Yizhak}, title = {{A Deep Dive into Packing Software CryptOne}}, date = {2021-05-26}, organization = {DeepInstinct}, url = {https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/}, language = {English}, urldate = {2021-06-22} } A Deep Dive into Packing Software CryptOne
Cobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader
2021-05-26Check PointAlex Ilgayev
@online{ilgayev:20210526:melting:40f5caf, author = {Alex Ilgayev}, title = {{Melting Ice – Tracking IcedID Servers with a few simple steps}}, date = {2021-05-26}, organization = {Check Point}, url = {https://research.checkpoint.com/2021/melting-ice-tracking-icedid-servers-with-a-few-simple-steps/}, language = {English}, urldate = {2021-06-09} } Melting Ice – Tracking IcedID Servers with a few simple steps
IcedID
2021-05-19Team CymruJosh Hopkins, Andy Kraus, Nick Byers
@online{hopkins:20210519:tracking:45749be, author = {Josh Hopkins and Andy Kraus and Nick Byers}, title = {{Tracking BokBot Infrastructure Mapping a Vast and Currently Active BokBot Network}}, date = {2021-05-19}, organization = {Team Cymru}, url = {https://team-cymru.com/blog/2021/05/19/tracking-bokbot-infrastructure/}, language = {English}, urldate = {2021-05-26} } Tracking BokBot Infrastructure Mapping a Vast and Currently Active BokBot Network
IcedID
2021-05-19Intel 471Intel 471
@online{471:20210519:look:5ba9516, author = {Intel 471}, title = {{Look how many cybercriminals love Cobalt Strike}}, date = {2021-05-19}, organization = {Intel 471}, url = {https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor}, language = {English}, urldate = {2021-05-19} } Look how many cybercriminals love Cobalt Strike
BazarBackdoor Cobalt Strike Hancitor QakBot SmokeLoader SystemBC TrickBot
2021-05-18RECON INFOSECAndrew Cook
@online{cook:20210518:encounter:c4ef6d9, author = {Andrew Cook}, title = {{An Encounter With TA551/Shathak}}, date = {2021-05-18}, organization = {RECON INFOSEC}, url = {https://blog.reconinfosec.com/an-encounter-with-ta551-shathak}, language = {English}, urldate = {2021-05-25} } An Encounter With TA551/Shathak
IcedID
2021-05-17TelekomThomas Barabosch
@online{barabosch:20210517:lets:04a8b63, author = {Thomas Barabosch}, title = {{Let’s set ice on fire: Hunting and detecting IcedID infections}}, date = {2021-05-17}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240}, language = {English}, urldate = {2021-05-17} } Let’s set ice on fire: Hunting and detecting IcedID infections
IcedID
2021-05-17Github (telekom-security)Deutsche Telekom Security GmbH
@online{gmbh:20210517:icedidanalysis:e985983, author = {Deutsche Telekom Security GmbH}, title = {{icedid_analysis}}, date = {2021-05-17}, organization = {Github (telekom-security)}, url = {https://github.com/telekom-security/icedid_analysis}, language = {English}, urldate = {2021-05-17} } icedid_analysis
IcedID
2021-05-12The DFIR Report
@online{report:20210512:conti:598c5f2, author = {The DFIR Report}, title = {{Conti Ransomware}}, date = {2021-05-12}, url = {https://thedfirreport.com/2021/05/12/conti-ransomware/}, language = {English}, urldate = {2021-05-13} } Conti Ransomware
Cobalt Strike Conti IcedID
2021-05-10MALWATIONmalwation
@online{malwation:20210510:icedid:0637539, author = {malwation}, title = {{IcedID Malware Technical Analysis Report}}, date = {2021-05-10}, organization = {MALWATION}, url = {https://malwation.com/icedid-malware-technical-analysis-report/}, language = {English}, urldate = {2021-07-02} } IcedID Malware Technical Analysis Report
IcedID
2021-05-10WirtschaftswocheThomas Kuhn
@online{kuhn:20210510:how:5f1953b, author = {Thomas Kuhn}, title = {{How one of the largest hacker networks in the world was paralyzed}}, date = {2021-05-10}, organization = {Wirtschaftswoche}, url = {https://www.wiwo.de/my/technologie/digitale-welt/emotet-netzwerk-wie-eines-der-groessten-hacker-netzwerke-der-welt-lahmgelegt-wurde/27164048.html}, language = {German}, urldate = {2021-05-13} } How one of the largest hacker networks in the world was paralyzed
Emotet
2021-05-04Seguranca InformaticaPedro Tavares
@online{tavares:20210504:taste:b6a3380, author = {Pedro Tavares}, title = {{A taste of the latest release of QakBot}}, date = {2021-05-04}, organization = {Seguranca Informatica}, url = {https://seguranca-informatica.pt/a-taste-of-the-latest-release-of-qakbot}, language = {English}, urldate = {2021-05-07} } A taste of the latest release of QakBot
QakBot
2021-04-30MADRID LabsOdin Bernstein
@online{bernstein:20210430:qbot:104bad4, author = {Odin Bernstein}, title = {{Qbot: Analyzing PHP Proxy Scripts from Compromised Web Server}}, date = {2021-04-30}, organization = {MADRID Labs}, url = {https://madlabs.dsu.edu/madrid/blog/2021/04/30/qbot-analyzing-php-proxy-scripts-from-compromised-web-server/}, language = {English}, urldate = {2021-05-08} } Qbot: Analyzing PHP Proxy Scripts from Compromised Web Server
QakBot
2021-04-28IBMDavid Bisson
@online{bisson:20210428:qbot:dcbcd50, author = {David Bisson}, title = {{QBot Malware Spotted Using Windows Defender Antivirus Lure}}, date = {2021-04-28}, organization = {IBM}, url = {https://securityintelligence.com/news/qbot-malware-using-windows-defender-antivirus-lure/}, language = {English}, urldate = {2021-05-03} } QBot Malware Spotted Using Windows Defender Antivirus Lure
QakBot
2021-04-28Reversing LabsKarlo Zanki
@online{zanki:20210428:spotting:61ba0f6, author = {Karlo Zanki}, title = {{Spotting malicious Excel4 macros}}, date = {2021-04-28}, organization = {Reversing Labs}, url = {https://blog.reversinglabs.com/blog/spotting-malicious-excel4-macros}, language = {English}, urldate = {2021-05-03} } Spotting malicious Excel4 macros
QakBot
2021-04-22Github (@cecio)@red5heep
@online{red5heep:20210422:emotet:44c2798, author = {@red5heep}, title = {{EMOTET: a State-Machine reversing exercise}}, date = {2021-04-22}, organization = {Github (@cecio)}, url = {https://github.com/cecio/EMOTET-2020-Reversing}, language = {English}, urldate = {2021-11-12} } EMOTET: a State-Machine reversing exercise
Emotet
2021-04-22SpamhausSpamhaus Malware Labs
@techreport{labs:20210422:spamhaus:4a32a4d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q1 2021}}, date = {2021-04-22}, institution = {Spamhaus}, url = {https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf}, language = {English}, urldate = {2021-04-28} } Spamhaus Botnet Threat Update Q1 2021
Emotet Ficker Stealer Raccoon
2021-04-19Twitter (@_alex_il_)Alex Ilgayev
@online{ilgayev:20210419:qakbots:b3b929c, author = {Alex Ilgayev}, title = {{Tweet on QakBot's additional decryption mechanism}}, date = {2021-04-19}, organization = {Twitter (@_alex_il_)}, url = {https://twitter.com/_alex_il_/status/1384094623270727685}, language = {English}, urldate = {2021-04-20} } Tweet on QakBot's additional decryption mechanism
QakBot
2021-04-19NetresecErik Hjelmvik
@online{hjelmvik:20210419:analysing:c6bff49, author = {Erik Hjelmvik}, title = {{Analysing a malware PCAP with IcedID and Cobalt Strike traffic}}, date = {2021-04-19}, organization = {Netresec}, url = {https://netresec.com/?b=214d7ff}, language = {English}, urldate = {2021-04-20} } Analysing a malware PCAP with IcedID and Cobalt Strike traffic
Cobalt Strike IcedID
2021-04-17YouTube (Worcester DEFCON Group)Joel Snape, Nettitude
@online{snape:20210417:inside:2c3ae5c, author = {Joel Snape and Nettitude}, title = {{Inside IcedID: Anatomy Of An Infostealer}}, date = {2021-04-17}, organization = {YouTube (Worcester DEFCON Group)}, url = {https://www.youtube.com/watch?v=YEqLIR6hfOM}, language = {English}, urldate = {2021-04-20} } Inside IcedID: Anatomy Of An Infostealer
IcedID
2021-04-15AT&TDax Morrow, Ofer Caspi
@online{morrow:20210415:rise:73d9a21, author = {Dax Morrow and Ofer Caspi}, title = {{The rise of QakBot}}, date = {2021-04-15}, organization = {AT&T}, url = {https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot}, language = {English}, urldate = {2021-04-16} } The rise of QakBot
QakBot
2021-04-12Twitter (@elisalem9)Eli Salem
@online{salem:20210412:tweets:7b7280e, author = {Eli Salem}, title = {{Tweets on QakBot}}, date = {2021-04-12}, organization = {Twitter (@elisalem9)}, url = {https://twitter.com/elisalem9/status/1381859965875462144}, language = {English}, urldate = {2021-04-14} } Tweets on QakBot
QakBot
2021-04-12Trend MicroRaphael Centeno, Don Ovid Ladores, Lala Manly, Junestherry Salvador, Frankylnn Uy
@online{centeno:20210412:spike:d67dcb0, author = {Raphael Centeno and Don Ovid Ladores and Lala Manly and Junestherry Salvador and Frankylnn Uy}, title = {{A Spike in BazarCall and IcedID Activity Detected in March}}, date = {2021-04-12}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/d/a-spike-in-bazarcall-and-icedid-activity.html}, language = {English}, urldate = {2021-04-14} } A Spike in BazarCall and IcedID Activity Detected in March
BazarBackdoor IcedID
2021-04-12PTSecurityPTSecurity
@online{ptsecurity:20210412:paas:1d06836, author = {PTSecurity}, title = {{PaaS, or how hackers evade antivirus software}}, date = {2021-04-12}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/}, language = {English}, urldate = {2021-04-12} } PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader
2021-04-114rchibld4rchibld
@online{4rchibld:20210411:icedid:4135c21, author = {4rchibld}, title = {{IcedID on my neck I’m the coolest}}, date = {2021-04-11}, organization = {4rchibld}, url = {https://4rchib4ld.github.io/blog/IcedIDOnMyNeckImTheCoolest/}, language = {English}, urldate = {2021-05-11} } IcedID on my neck I’m the coolest
IcedID
2021-04-10Youtube (AhmedS Kasmani)AhmedS Kasmani
@online{kasmani:20210410:malware:e2000de, author = {AhmedS Kasmani}, title = {{Malware Analysis: IcedID Banking Trojan JavaScript Dropper}}, date = {2021-04-10}, organization = {Youtube (AhmedS Kasmani)}, url = {https://www.youtube.com/watch?v=oZ4bwnjcXWg}, language = {English}, urldate = {2021-04-12} } Malware Analysis: IcedID Banking Trojan JavaScript Dropper
IcedID
2021-04-09Palo Alto Networks Unit 42Yanhui Jia, Chris Navarrete
@online{jia:20210409:emotet:c376dd2, author = {Yanhui Jia and Chris Navarrete}, title = {{Emotet Command and Control Case Study}}, date = {2021-04-09}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/emotet-command-and-control/}, language = {English}, urldate = {2021-04-12} } Emotet Command and Control Case Study
Emotet
2021-04-09MicrosoftEmily Hacker, Justin Carroll, Microsoft 365 Defender Threat Intelligence Team
@online{hacker:20210409:investigating:2b6f30a, author = {Emily Hacker and Justin Carroll and Microsoft 365 Defender Threat Intelligence Team}, title = {{Investigating a unique “form” of email delivery for IcedID malware}}, date = {2021-04-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/04/09/investigating-a-unique-form-of-email-delivery-for-icedid-malware/}, language = {English}, urldate = {2021-04-12} } Investigating a unique “form” of email delivery for IcedID malware
IcedID
2021-04-09aaqeel01Ali Aqeel
@online{aqeel:20210409:icedid:a6e3243, author = {Ali Aqeel}, title = {{IcedID Analysis}}, date = {2021-04-09}, organization = {aaqeel01}, url = {https://aaqeel01.wordpress.com/2021/04/09/icedid-analysis/}, language = {English}, urldate = {2021-04-12} } IcedID Analysis
IcedID
2021-04-07MinervaMinerva Labs
@online{labs:20210407:icedid:d178d16, author = {Minerva Labs}, title = {{IcedID - A New Threat In Office Attachments}}, date = {2021-04-07}, organization = {Minerva}, url = {https://blog.minerva-labs.com/icedid-maas}, language = {English}, urldate = {2021-04-09} } IcedID - A New Threat In Office Attachments
IcedID
2021-04-07UptycsAshwin Vamshi, Abhijit Mohanta
@online{vamshi:20210407:icedid:bbda303, author = {Ashwin Vamshi and Abhijit Mohanta}, title = {{IcedID campaign spotted being spiced with Excel 4 Macros}}, date = {2021-04-07}, organization = {Uptycs}, url = {https://www.uptycs.com/blog/icedid-campaign-spotted-being-spiced-with-excel-4-macros}, language = {English}, urldate = {2021-04-09} } IcedID campaign spotted being spiced with Excel 4 Macros
IcedID
2021-04-06Intel 471Intel 471
@online{471:20210406:ettersilent:b591f59, author = {Intel 471}, title = {{EtterSilent: the underground’s new favorite maldoc builder}}, date = {2021-04-06}, organization = {Intel 471}, url = {https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/}, language = {English}, urldate = {2021-04-06} } EtterSilent: the underground’s new favorite maldoc builder
BazarBackdoor ISFB QakBot TrickBot
2021-04-01Reversing LabsRobert Simmons
@online{simmons:20210401:code:885c081, author = {Robert Simmons}, title = {{Code Reuse Across Packers and DLL Loaders}}, date = {2021-04-01}, organization = {Reversing Labs}, url = {https://blog.reversinglabs.com/blog/code-reuse-across-packers-and-dll-loaders}, language = {English}, urldate = {2021-04-09} } Code Reuse Across Packers and DLL Loaders
IcedID SystemBC
2021-03-31KasperskyKaspersky
@online{kaspersky:20210331:financial:3371aa0, author = {Kaspersky}, title = {{Financial Cyberthreats in 2020}}, date = {2021-03-31}, organization = {Kaspersky}, url = {https://securelist.com/financial-cyberthreats-in-2020/101638/}, language = {English}, urldate = {2021-04-06} } Financial Cyberthreats in 2020
BetaBot DanaBot Emotet Gozi Ramnit RTM SpyEye TrickBot Zeus
2021-03-31Red CanaryRed Canary
@techreport{canary:20210331:2021:cd81f2d, author = {Red Canary}, title = {{2021 Threat Detection Report}}, date = {2021-03-31}, institution = {Red Canary}, url = {https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf}, language = {English}, urldate = {2021-04-06} } 2021 Threat Detection Report
Shlayer Andromeda Cobalt Strike Dridex Emotet IcedID MimiKatz QakBot TrickBot
2021-03-29The DFIR ReportThe DFIR Report
@online{report:20210329:sodinokibi:4c63e20, author = {The DFIR Report}, title = {{Sodinokibi (aka REvil) Ransomware}}, date = {2021-03-29}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/}, language = {English}, urldate = {2021-03-30} } Sodinokibi (aka REvil) Ransomware
Cobalt Strike IcedID REvil
2021-03-26Trend MicroTrend Micro
@online{micro:20210326:alleged:ce2115c, author = {Trend Micro}, title = {{Alleged Members of Egregor Ransomware Cartel Arrested}}, date = {2021-03-26}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/c/egregor-ransomware-cartel-members-arrested.html}, language = {English}, urldate = {2021-04-28} } Alleged Members of Egregor Ransomware Cartel Arrested
Egregor QakBot
2021-03-21BlackberryBlackberry Research
@techreport{research:20210321:2021:a393473, author = {Blackberry Research}, title = {{2021 Threat Report}}, date = {2021-03-21}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf}, language = {English}, urldate = {2021-03-25} } 2021 Threat Report
Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot
2021-03-18VinCSSTran Trung Kien
@online{kien:20210318:re021:00caf5b, author = {Tran Trung Kien}, title = {{[RE021] Qakbot analysis – Dangerous malware has been around for more than a decade}}, date = {2021-03-18}, organization = {VinCSS}, url = {https://blog.vincss.net/2021/03/re021-qakbot-dangerous-malware-has-been-around-for-more-than-a-decade.html}, language = {English}, urldate = {2021-03-19} } [RE021] Qakbot analysis – Dangerous malware has been around for more than a decade
QakBot
2021-03-17HPHP Bromium
@techreport{bromium:20210317:threat:3aed551, author = {HP Bromium}, title = {{Threat Insights Report Q4-2020}}, date = {2021-03-17}, institution = {HP}, url = {https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf}, language = {English}, urldate = {2021-03-19} } Threat Insights Report Q4-2020
Agent Tesla BitRAT ComodoSec Dridex Emotet Ficker Stealer Formbook Zloader
2021-03-12Binary DefenseJames Quinn
@online{quinn:20210312:icedid:3e6db43, author = {James Quinn}, title = {{IcedID GZIPLOADER Analysis}}, date = {2021-03-12}, organization = {Binary Defense}, url = {https://www.binarydefense.com/icedid-gziploader-analysis/}, language = {English}, urldate = {2021-03-16} } IcedID GZIPLOADER Analysis
IcedID
2021-03-08Palo Alto Networks Unit 42Chris Navarrete, Yanhui Jia, Matthew Tennis, Durgesh Sangvikar, Rongbo Shao
@online{navarrete:20210308:attack:6238643, author = {Chris Navarrete and Yanhui Jia and Matthew Tennis and Durgesh Sangvikar and Rongbo Shao}, title = {{Attack Chain Overview: Emotet in December 2020 and January 2021}}, date = {2021-03-08}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/attack-chain-overview-emotet-in-december-2020-and-january-2021/}, language = {English}, urldate = {2021-03-11} } Attack Chain Overview: Emotet in December 2020 and January 2021
Emotet
2021-03-04F5Dor Nizar, Roy Moshailov
@online{nizar:20210304:icedid:bfcc689, author = {Dor Nizar and Roy Moshailov}, title = {{IcedID Banking Trojan Uses COVID-19 Pandemic to Lure New Victims}}, date = {2021-03-04}, organization = {F5}, url = {https://www.f5.com/labs/articles/threat-intelligence/icedid-banking-trojan-uses-covid-19-pandemic-to-lure-new-victims}, language = {English}, urldate = {2021-03-06} } IcedID Banking Trojan Uses COVID-19 Pandemic to Lure New Victims
IcedID
2021-03Group-IBOleg Skulkin, Roman Rezvukhin, Semyon Rogachev
@techreport{skulkin:202103:ransomware:992ca10, author = {Oleg Skulkin and Roman Rezvukhin and Semyon Rogachev}, title = {{Ransomware Uncovered 2020/2021}}, date = {2021-03}, institution = {Group-IB}, url = {https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf}, language = {English}, urldate = {2021-06-16} } Ransomware Uncovered 2020/2021
RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader
2021-02-28NetbyteSEC
@online{netbytesec:20210228:deobfuscating:a975d4c, author = {NetbyteSEC}, title = {{Deobfuscating Emotet Macro Document and Powershell Command}}, date = {2021-02-28}, url = {https://notes.netbytesec.com/2021/02/deobfuscating-emotet-macro-and.html}, language = {English}, urldate = {2022-02-14} } Deobfuscating Emotet Macro Document and Powershell Command
Emotet
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2021-02-26CrowdStrikeEric Loui, Sergei Frankoff
@online{loui:20210226:hypervisor:8dadf9c, author = {Eric Loui and Sergei Frankoff}, title = {{Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact}}, date = {2021-02-26}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout}, language = {English}, urldate = {2021-05-26} } Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
DarkSide RansomEXX Griffon Carbanak Cobalt Strike DarkSide IcedID MimiKatz PyXie RansomEXX REvil
2021-02-25ANSSICERT-FR
@techreport{certfr:20210225:ryuk:7895e12, author = {CERT-FR}, title = {{Ryuk Ransomware}}, date = {2021-02-25}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf}, language = {English}, urldate = {2021-03-02} } Ryuk Ransomware
BazarBackdoor Buer Conti Emotet Ryuk TrickBot
2021-02-25JPCERT/CCKen Sajo
@online{sajo:20210225:emotet:f78fb4e, author = {Ken Sajo}, title = {{Emotet Disruption and Outreach to Affected Users}}, date = {2021-02-25}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2021/02/emotet-notice.html}, language = {English}, urldate = {2021-02-25} } Emotet Disruption and Outreach to Affected Users
Emotet
2021-02-25FireEyeBryce Abdo, Brendan McKeague, Van Ta
@online{abdo:20210225:so:88f3400, author = {Bryce Abdo and Brendan McKeague and Van Ta}, title = {{So Unchill: Melting UNC2198 ICEDID to Ransomware Operations}}, date = {2021-02-25}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html}, language = {English}, urldate = {2021-03-02} } So Unchill: Melting UNC2198 ICEDID to Ransomware Operations
MOUSEISLAND Cobalt Strike Egregor IcedID Maze SystemBC
2021-02-24AllsafeShota Nakajima, Hara Hiroaki
@techreport{nakajima:20210224:malware:0f5ff88, author = {Shota Nakajima and Hara Hiroaki}, title = {{Malware Analysis at Scale - Defeating Emotet by Ghidra}}, date = {2021-02-24}, institution = {Allsafe}, url = {https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_workshop_malware-analysis_jp.pdf}, language = {English}, urldate = {2021-02-26} } Malware Analysis at Scale - Defeating Emotet by Ghidra
Emotet
2021-02-24IBMIBM SECURITY X-FORCE
@online{xforce:20210224:xforce:ac9a90e, author = {IBM SECURITY X-FORCE}, title = {{X-Force Threat Intelligence Index 2021}}, date = {2021-02-24}, organization = {IBM}, url = {https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89}, language = {English}, urldate = {2021-03-02} } X-Force Threat Intelligence Index 2021
Emotet QakBot Ramnit REvil TrickBot
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-17Politie NLPolitie NL
@online{nl:20210217:politie:a27a279, author = {Politie NL}, title = {{Politie bestrijdt cybercrime via Nederlandse infrastructuur}}, date = {2021-02-17}, organization = {Politie NL}, url = {https://www.politie.nl/nieuws/2021/februari/17/politie-bestrijdt-cybercrime-via-nederlandse-infrastructuur.html}, language = {Dutch}, urldate = {2021-02-20} } Police combat cybercrime carried out via Dutch infrastructure
Emotet
2021-02-17YouTube (AGDC Services)AGDC Services
@online{services:20210217:how:d492b9b, author = {AGDC Services}, title = {{How Malware Can Resolve APIs By Hash}}, date = {2021-02-17}, organization = {YouTube (AGDC Services)}, url = {https://www.youtube.com/watch?v=q8of74upT_g}, language = {English}, urldate = {2021-02-24} } How Malware Can Resolve APIs By Hash
Emotet Mailto
2021-02-16ProofpointProofpoint Threat Research Team
@online{team:20210216:q4:4a82474, author = {Proofpoint Threat Research Team}, title = {{Q4 2020 Threat Report: A Quarterly Analysis of Cybersecurity Trends, Tactics and Themes}}, date = {2021-02-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/q4-2020-threat-report-quarterly-analysis-cybersecurity-trends-tactics-and-themes}, language = {English}, urldate = {2021-05-31} } Q4 2020 Threat Report: A Quarterly Analysis of Cybersecurity Trends, Tactics and Themes
Emotet Ryuk NARWHAL SPIDER TA800
2021-02-15Twitter (@TheDFIRReport)The DFIR Report
@online{report:20210215:qakbot:f692e9c, author = {The DFIR Report}, title = {{Tweet on Qakbot post infection discovery activity}}, date = {2021-02-15}, organization = {Twitter (@TheDFIRReport)}, url = {https://twitter.com/TheDFIRReport/status/1361331598344478727}, language = {English}, urldate = {2021-02-18} } Tweet on Qakbot post infection discovery activity
QakBot
2021-02-12CERT-FRCERT-FR
@techreport{certfr:20210212:malwareaaaservice:c6454b5, author = {CERT-FR}, title = {{The Malware-as-a-Service Emotet}}, date = {2021-02-12}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-003.pdf}, language = {English}, urldate = {2021-02-20} } The Malware-as-a-Service Emotet
Emotet
2021-02-08GRNET CERTDimitris Kolotouros, Marios Levogiannis
@online{kolotouros:20210208:reverse:a034919, author = {Dimitris Kolotouros and Marios Levogiannis}, title = {{Reverse engineering Emotet – Our approach to protect GRNET against the trojan}}, date = {2021-02-08}, organization = {GRNET CERT}, url = {https://cert.grnet.gr/en/blog/reverse-engineering-emotet/}, language = {English}, urldate = {2021-02-09} } Reverse engineering Emotet – Our approach to protect GRNET against the trojan
Emotet
2021-02-03Mimecast, Nettitude
@techreport{mimecast:20210203:ta551shathak:4bd9a01, author = {Mimecast and Nettitude}, title = {{TA551/Shathak Threat Research}}, date = {2021-02-03}, institution = {}, url = {https://www.mimecast.com/globalassets/documents/whitepapers/taa551-treatresearch_final-1.15.21.pdf}, language = {English}, urldate = {2021-05-26} } TA551/Shathak Threat Research
IcedID
2021-02-03Digital ShadowsStefano De Blasi
@online{blasi:20210203:emotet:8e8ac18, author = {Stefano De Blasi}, title = {{Emotet Disruption: what it means for the cyber threat landscape}}, date = {2021-02-03}, organization = {Digital Shadows}, url = {https://www.digitalshadows.com/blog-and-research/emotet-disruption/}, language = {English}, urldate = {2021-02-06} } Emotet Disruption: what it means for the cyber threat landscape
Emotet
2021-02-02CRONUPGermán Fernández
@online{fernndez:20210202:de:6ff4f3a, author = {Germán Fernández}, title = {{De ataque con Malware a incidente de Ransomware}}, date = {2021-02-02}, organization = {CRONUP}, url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware}, language = {Spanish}, urldate = {2021-03-02} } From a malware attack to a ransomware incident
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2021-02-01MicrosoftMicrosoft 365 Defender Threat Intelligence Team
@online{team:20210201:what:2e12897, author = {Microsoft 365 Defender Threat Intelligence Team}, title = {{What tracking an attacker email infrastructure tells us about persistent cybercriminal operations}}, date = {2021-02-01}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/}, language = {English}, urldate = {2021-02-02} } What tracking an attacker email infrastructure tells us about persistent cybercriminal operations
Dridex Emotet Makop Ransomware SmokeLoader TrickBot
2021-01-29MalwarebytesThreat Intelligence Team
@online{team:20210129:cleaning:489c8b3, author = {Threat Intelligence Team}, title = {{Cleaning up after Emotet: the law enforcement file}}, date = {2021-01-29}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2021/01/cleaning-up-after-emotet-the-law-enforcement-file/}, language = {English}, urldate = {2021-02-02} } Cleaning up after Emotet: the law enforcement file
Emotet
2021-01-28Department of Homeland SecurityDepartment of Justice
@online{justice:20210128:emotet:cb82f8e, author = {Department of Justice}, title = {{Emotet Botnet Disrupted in International Cyber Operation}}, date = {2021-01-28}, organization = {Department of Homeland Security}, url = {https://www.justice.gov/opa/pr/emotet-botnet-disrupted-international-cyber-operation}, language = {English}, urldate = {2021-02-01} } Emotet Botnet Disrupted in International Cyber Operation
Emotet
2021-01-28HornetsecurityHornetsecurity Security Lab
@online{lab:20210128:emotet:863df45, author = {Hornetsecurity Security Lab}, title = {{Emotet Botnet Takedown}}, date = {2021-01-28}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/threat-research/emotet-botnet-takedown/}, language = {English}, urldate = {2021-01-29} } Emotet Botnet Takedown
Emotet
2021-01-28Youtube (Virus Bulletin)Benoît Ancel
@online{ancel:20210128:bagsu:7de60de, author = {Benoît Ancel}, title = {{The Bagsu banker case}}, date = {2021-01-28}, organization = {Youtube (Virus Bulletin)}, url = {https://www.youtube.com/watch?v=EyDiIAt__dI}, language = {English}, urldate = {2021-02-01} } The Bagsu banker case
Azorult DreamBot Emotet Pony TrickBot ZeusAction
2021-01-28InfoSec Handlers Diary BlogDaniel Wesemann
@online{wesemann:20210128:emotet:2939e8d, author = {Daniel Wesemann}, title = {{Emotet vs. Windows Attack Surface Reduction}}, date = {2021-01-28}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/27036}, language = {English}, urldate = {2021-01-29} } Emotet vs. Windows Attack Surface Reduction
Emotet
2021-01-28NTTDan Saunders
@online{saunders:20210128:emotet:19b0313, author = {Dan Saunders}, title = {{Emotet disruption - Europol counterattack}}, date = {2021-01-28}, organization = {NTT}, url = {https://hello.global.ntt/en-us/insights/blog/emotet-disruption-europol-counterattack}, language = {English}, urldate = {2021-01-29} } Emotet disruption - Europol counterattack
Emotet
2021-01-27Intel 471Intel 471
@online{471:20210127:emotet:0a7344b, author = {Intel 471}, title = {{Emotet takedown is not like the Trickbot takedown}}, date = {2021-01-27}, organization = {Intel 471}, url = {https://intel471.com/blog/emotet-takedown-2021/}, language = {English}, urldate = {2021-01-29} } Emotet takedown is not like the Trickbot takedown
Emotet
2021-01-27EurojustEurojust
@online{eurojust:20210127:worlds:d416adc, author = {Eurojust}, title = {{World’s most dangerous malware EMOTET disrupted through global action}}, date = {2021-01-27}, organization = {Eurojust}, url = {https://www.eurojust.europa.eu/worlds-most-dangerous-malware-emotet-disrupted-through-global-action}, language = {English}, urldate = {2021-01-27} } World’s most dangerous malware EMOTET disrupted through global action
Emotet
2021-01-27KrebsOnSecurityBrian Krebs
@online{krebs:20210127:international:dc5699a, author = {Brian Krebs}, title = {{International Action Targets Emotet Crimeware}}, date = {2021-01-27}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2021/01/international-action-targets-emotet-crimeware}, language = {English}, urldate = {2021-01-29} } International Action Targets Emotet Crimeware
Emotet
2021-01-27BundeskriminalamtBundeskriminalamt
@online{bundeskriminalamt:20210127:infrastruktur:eb4ede6, author = {Bundeskriminalamt}, title = {{Infrastruktur der Emotet-Schadsoftware zerschlagen}}, date = {2021-01-27}, organization = {Bundeskriminalamt}, url = {https://www.bka.de/DE/Presse/Listenseite_Pressemitteilungen/2021/Presse2021/210127_pmEmotet.html}, language = {German}, urldate = {2021-01-27} } Infrastructure of the Emotet malware dismantled
Emotet
2021-01-27Twitter (@milkr3am)milkream
@online{milkream:20210127:all:e3c3773, author = {milkream}, title = {{Tweet on all Emotet epoch pushing payload to self remove emotet malware on 2021-04-25}}, date = {2021-01-27}, organization = {Twitter (@milkr3am)}, url = {https://twitter.com/milkr3am/status/1354459859912192002}, language = {English}, urldate = {2021-01-29} } Tweet on all Emotet epoch pushing payload to self remove emotet malware on 2021-04-25
Emotet
2021-01-27Team CymruJames Shank
@online{shank:20210127:taking:fa40609, author = {James Shank}, title = {{Taking Down Emotet How Team Cymru Leveraged Visibility and Relationships to Coordinate Community Efforts}}, date = {2021-01-27}, organization = {Team Cymru}, url = {https://team-cymru.com/blog/2021/01/27/taking-down-emotet/}, language = {English}, urldate = {2021-01-29} } Taking Down Emotet How Team Cymru Leveraged Visibility and Relationships to Coordinate Community Efforts
Emotet
2021-01-27Youtube (Національна поліція України)Національна поліція України
@online{:20210127:emotet:abc27db, author = {Національна поліція України}, title = {{Кіберполіція викрила транснаціональне угруповання хакерів у розповсюдженні вірусу EMOTET}}, date = {2021-01-27}, organization = {Youtube (Національна поліція України)}, url = {https://www.youtube.com/watch?v=_BLOmClsSpc}, language = {Ukrainian}, urldate = {2021-01-27} } Cyber police expose a transnational hacker group distributing the EMOTET virus
Emotet
2021-01-19Medium elis531989Eli Salem
@online{salem:20210119:funtastic:42f9250, author = {Eli Salem}, title = {{Funtastic Packers And Where To Find Them}}, date = {2021-01-19}, organization = {Medium elis531989}, url = {https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7}, language = {English}, urldate = {2021-01-21} } Funtastic Packers And Where To Find Them
Get2 IcedID QakBot
2021-01-19Palo Alto Networks Unit 42Brad Duncan
@online{duncan:20210119:wireshark:be0c831, author = {Brad Duncan}, title = {{Wireshark Tutorial: Examining Emotet Infection Traffic}}, date = {2021-01-19}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/}, language = {English}, urldate = {2021-01-21} } Wireshark Tutorial: Examining Emotet Infection Traffic
Emotet GootKit IcedID QakBot TrickBot
2021-01-18tccontre Blogtcontre
@online{tcontre:20210118:extracting:4935b1c, author = {tcontre}, title = {{Extracting Shellcode in ICEID .PNG Steganography}}, date = {2021-01-18}, organization = {tccontre Blog}, url = {https://tccontre.blogspot.com/2021/01/}, language = {English}, urldate = {2021-01-21} } Extracting Shellcode in ICEID .PNG Steganography
IcedID
2021-01-14NetskopeGhanashyam Satpathy, Dagmawi Mulugeta
@online{satpathy:20210114:you:f7f99aa, author = {Ghanashyam Satpathy and Dagmawi Mulugeta}, title = {{You Can Run, But You Can’t Hide: Advanced Emotet Updates}}, date = {2021-01-14}, organization = {Netskope}, url = {https://www.netskope.com/blog/you-can-run-but-you-cant-hide-advanced-emotet-updates}, language = {English}, urldate = {2021-01-18} } You Can Run, But You Can’t Hide: Advanced Emotet Updates
Emotet
2021-01-13VinCSSTran Trung Kien, m4n0w4r
@online{kien:20210113:re019:5b00767, author = {Tran Trung Kien and m4n0w4r}, title = {{[RE019] From A to X analyzing some real cases which used recent Emotet samples}}, date = {2021-01-13}, organization = {VinCSS}, url = {https://blog.vincss.net/2021/01/re019-from-a-to-x-analyzing-some-real-cases-which-used-recent-Emotet-samples.html}, language = {English}, urldate = {2021-01-25} } [RE019] From A to X analyzing some real cases which used recent Emotet samples
Emotet
2021-01-09Marco Ramilli's BlogMarco Ramilli
@online{ramilli:20210109:command:d720b27, author = {Marco Ramilli}, title = {{Command and Control Traffic Patterns}}, date = {2021-01-09}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/}, language = {English}, urldate = {2021-05-17} } Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot
2021-01-07Palo Alto Networks Unit 42Brad Duncan
@online{duncan:20210107:ta551:6346c62, author = {Brad Duncan}, title = {{TA551: Email Attack Campaign Switches from Valak to IcedID}}, date = {2021-01-07}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/ta551-shathak-icedid/}, language = {English}, urldate = {2021-01-11} } TA551: Email Attack Campaign Switches from Valak to IcedID
IcedID
2021-01-06FBIFBI
@techreport{fbi:20210106:pin:66d55ca, author = {FBI}, title = {{PIN Number 20210106-001: Egregor Ransomware Targets Businesses Worldwide, Attempting to Extort Businesses by Publicly Releasing Exfiltrated Data}}, date = {2021-01-06}, institution = {FBI}, url = {https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf}, language = {English}, urldate = {2021-01-11} } PIN Number 20210106-001: Egregor Ransomware Targets Businesses Worldwide, Attempting to Extort Businesses by Publicly Releasing Exfiltrated Data
Egregor QakBot
2021-01-05r3mrum blogR3MRUM
@online{r3mrum:20210105:manual:0d15421, author = {R3MRUM}, title = {{Manual analysis of new PowerSplit maldocs delivering Emotet}}, date = {2021-01-05}, organization = {r3mrum blog}, url = {https://r3mrum.wordpress.com/2021/01/05/manual-analysis-of-new-powersplit-maldocs-delivering-emotet/}, language = {English}, urldate = {2021-01-10} } Manual analysis of new PowerSplit maldocs delivering Emotet
Emotet
2021SecureworksSecureWorks
@online{secureworks:2021:threat:a35a451, author = {SecureWorks}, title = {{Threat Profile: GOLD CABIN}}, date = {2021}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-cabin}, language = {English}, urldate = {2021-05-31} } Threat Profile: GOLD CABIN
GOLD CABIN
2021SecureworksSecureWorks
@online{secureworks:2021:threat:5afd502, author = {SecureWorks}, title = {{Threat Profile: GOLD LAGOON}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-lagoon}, language = {English}, urldate = {2021-05-31} } Threat Profile: GOLD LAGOON
QakBot MALLARD SPIDER
2020-12-31Cert-AgIDCert-AgID
@online{certagid:20201231:simplify:1a7bcd2, author = {Cert-AgID}, title = {{Simplify Emotet parsing with Python and iced x86}}, date = {2020-12-31}, organization = {Cert-AgID}, url = {https://cert-agid.gov.it/news/malware/semplificare-lanalisi-di-emotet-con-python-e-iced-x86/}, language = {Italian}, urldate = {2021-01-05} } Simplify Emotet parsing with Python and iced x86
Emotet
2020-12-30Bleeping ComputerSergiu Gatlan
@online{gatlan:20201230:emotet:1f2a80b, author = {Sergiu Gatlan}, title = {{Emotet malware hits Lithuania's National Public Health Center}}, date = {2020-12-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/emotet-malware-hits-lithuanias-national-public-health-center/}, language = {English}, urldate = {2021-01-05} } Emotet malware hits Lithuania's National Public Health Center
Emotet
2020-12-21Cisco TalosJON MUNSHAW
@online{munshaw:20201221:2020:4a88f84, author = {JON MUNSHAW}, title = {{2020: The year in malware}}, date = {2020-12-21}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html}, language = {English}, urldate = {2020-12-26} } 2020: The year in malware
WolfRAT Prometei Poet RAT Agent Tesla Astaroth Ave Maria CRAT Emotet Gozi IndigoDrop JhoneRAT Nanocore RAT NjRAT Oblique RAT SmokeLoader StrongPity WastedLocker Zloader
2020-12-15HornetsecurityHornetsecurity Security Lab
@online{lab:20201215:qakbot:9397167, author = {Hornetsecurity Security Lab}, title = {{QakBot reducing its on disk artifacts}}, date = {2020-12-15}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/}, language = {English}, urldate = {2020-12-16} } QakBot reducing its on disk artifacts
Egregor PwndLocker QakBot
2020-12-12Medium 0xthreatintel0xthreatintel
@online{0xthreatintel:20201212:reversing:945a5b8, author = {0xthreatintel}, title = {{Reversing QakBot [ TLP: White]}}, date = {2020-12-12}, organization = {Medium 0xthreatintel}, url = {https://0xthreatintel.medium.com/reversing-qakbot-tlp-white-d1b8b37ad8e7}, language = {English}, urldate = {2020-12-14} } Reversing QakBot [ TLP: White]
QakBot
2020-12-10Youtube (OALabs)Sergei Frankoff
@online{frankoff:20201210:malware:0a70511, author = {Sergei Frankoff}, title = {{Malware Triage Analyzing PrnLoader Used To Drop Emotet}}, date = {2020-12-10}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=5_-oR_135ss}, language = {English}, urldate = {2020-12-18} } Malware Triage Analyzing PrnLoader Used To Drop Emotet
Emotet
2020-12-10NRI SECURENeoSOC
@online{neosoc:20201210:icedid:b05d899, author = {NeoSOC}, title = {{マルウェア「IcedID」の検知傾向と感染に至るプロセスを徹底解説}}, date = {2020-12-10}, organization = {NRI SECURE}, url = {https://www.nri-secure.co.jp/blog/explaining-the-tendency-of-malware-icedid}, language = {Japanese}, urldate = {2020-12-11} } A thorough explanation of the detection trends of the IcedID malware and the process leading to infection
IcedID
2020-12-09MicrosoftMicrosoft 365 Defender Research Team
@online{team:20201209:edr:c8811f1, author = {Microsoft 365 Defender Research Team}, title = {{EDR in block mode stops IcedID cold}}, date = {2020-12-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/12/09/edr-in-block-mode-stops-icedid-cold/}, language = {English}, urldate = {2020-12-11} } EDR in block mode stops IcedID cold
IcedID
2020-12-09FireEyeMitchell Clarke, Tom Hall
@techreport{clarke:20201209:its:c312acc, author = {Mitchell Clarke and Tom Hall}, title = {{It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES)}}, date = {2020-12-09}, institution = {FireEye}, url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf}, language = {English}, urldate = {2020-12-15} } It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES)
Cobalt Strike DoppelPaymer QakBot REvil
2020-12-09CiscoDavid Liebenberg, Caitlin Huey
@online{liebenberg:20201209:quarterly:9ed3062, author = {David Liebenberg and Caitlin Huey}, title = {{Quarterly Report: Incident Response trends from Fall 2020}}, date = {2020-12-09}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html}, language = {English}, urldate = {2020-12-10} } Quarterly Report: Incident Response trends from Fall 2020
Cobalt Strike IcedID Maze RansomEXX Ryuk
2020-12-09InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20201209:recent:0992506, author = {Brad Duncan}, title = {{Recent Qakbot (Qbot) activity}}, date = {2020-12-09}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/26862}, language = {English}, urldate = {2020-12-10} } Recent Qakbot (Qbot) activity
Cobalt Strike QakBot
2020-12-04Kaspersky LabsOleg Kupreev
@online{kupreev:20201204:chronicles:faab5a6, author = {Oleg Kupreev}, title = {{The chronicles of Emotet}}, date = {2020-12-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-chronicles-of-emotet/99660/}, language = {English}, urldate = {2020-12-08} } The chronicles of Emotet
Emotet
2020-12-03Recorded FutureInsikt Group®
@techreport{group:20201203:egregor:a56f637, author = {Insikt Group®}, title = {{Egregor Ransomware, Used in a String of High-Profile Attacks, Shows Connections to QakBot}}, date = {2020-12-03}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-1203.pdf}, language = {English}, urldate = {2020-12-08} } Egregor Ransomware, Used in a String of High-Profile Attacks, Shows Connections to QakBot
Egregor QakBot
2020-12-02Red Canarytwitter (@redcanary)
@online{redcanary:20201202:increased:5db5dce, author = {twitter (@redcanary)}, title = {{Tweet on increased #Qbot activity delivering Cobalt Strike & #Egregor ransomware}}, date = {2020-12-02}, organization = {Red Canary}, url = {https://twitter.com/redcanary/status/1334224861628039169}, language = {English}, urldate = {2020-12-08} } Tweet on increased #Qbot activity delivering Cobalt Strike & #Egregor ransomware
Cobalt Strike Egregor QakBot
2020-12-02CyberIntCyberint Research
@online{research:20201202:icedid:d43e06d, author = {Cyberint Research}, title = {{IcedID Stealer Man-in-the-browser Banking Trojan}}, date = {2020-12-02}, organization = {CyberInt}, url = {https://blog.cyberint.com/icedid-stealer-man-in-the-browser-banking-trojan}, language = {English}, urldate = {2020-12-11} } IcedID Stealer Man-in-the-browser Banking Trojan
IcedID
2020-12-01 | Group-IB | Group-IB, Oleg Skulkin, Semyon Rogachev, Roman Rezvukhin | Egregor ransomware: The legacy of Maze lives on
@techreport{groupib:20201201:egregor:37e5698, author = {Group-IB and Oleg Skulkin and Semyon Rogachev and Roman Rezvukhin}, title = {{Egregor ransomware: The legacy of Maze lives on}}, date = {2020-12-01}, institution = {Group-IB}, url = {https://web.archive.org/web/20201207094648/https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Egregor_Ransomware.pdf}, language = {English}, urldate = {2021-01-21} }
Egregor, QakBot
2020-11-30 | FireEye | Mitchell Clarke, Tom Hall | It's not FINished: The Evolving Maturity in Ransomware Operations
@techreport{clarke:20201130:its:1b6b681, author = {Mitchell Clarke and Tom Hall}, title = {{It's not FINished The Evolving Maturity in Ransomware Operations}}, date = {2020-11-30}, institution = {FireEye}, url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf}, language = {English}, urldate = {2020-12-14} }
Cobalt Strike, DoppelPaymer, MimiKatz, QakBot, REvil
2020-11-27 | Fiducia & GAD IT AG | Frank Boldewin | When ransomware hits an ATM giant - The Diebold Nixdorf case dissected
@techreport{boldewin:20201127:when:9697611, author = {Frank Boldewin}, title = {{When ransomware hits an ATM giant - The Diebold Nixdorf case dissected}}, date = {2020-11-27}, institution = {Fiducia & GAD IT AG}, url = {https://raw.githubusercontent.com/fboldewin/When-ransomware-hits-an-ATM-giant---The-Diebold-Nixdorf-case-dissected/main/When%20ransomware%20hits%20an%20ATM%20giant%20-%20The%20Diebold%20Nixdorf%20case%20dissected%20-%20Group-IB%20CyberCrimeCon2020.pdf}, language = {English}, urldate = {2020-12-01} }
PwndLocker, QakBot
2020-11-26 | VirusTotal | Emiliano Martinez | Using similarity to expand context and map out threat campaigns
@online{martinez:20201126:using:2d0ccc3, author = {Emiliano Martinez}, title = {{Using similarity to expand context and map out threat campaigns}}, date = {2020-11-26}, organization = {VirusTotal}, url = {https://blog.virustotal.com/2020/11/using-similarity-to-expand-context-and.html}, language = {English}, urldate = {2020-12-03} }
Emotet
2020-11-26 | Cybereason | Lior Rochberger, Cybereason Nocturnus | Cybereason vs. Egregor Ransomware
@online{rochberger:20201126:cybereason:8301aeb, author = {Lior Rochberger and Cybereason Nocturnus}, title = {{Cybereason vs. Egregor Ransomware}}, date = {2020-11-26}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware}, language = {English}, urldate = {2020-12-08} }
Cobalt Strike, Egregor, IcedID, ISFB, QakBot
2020-11-22 | Irshad's Blog | Irshad Muhammad | Analyzing an Emotet Dropper and Writing a Python Script to Statically Unpack Payload
@online{muhammad:20201122:analyzing:d3915d0, author = {Irshad Muhammad}, title = {{Analyzing an Emotet Dropper and Writing a Python Script to Statically Unpack Payload.}}, date = {2020-11-22}, organization = {Irshad's Blog}, url = {https://mirshadx.wordpress.com/2020/11/22/analyzing-an-emotet-dropper-and-writing-a-python-script-to-statically-unpack-payload/}, language = {English}, urldate = {2020-11-23} }
Emotet
2020-11-20 | ZDNet | Catalin Cimpanu | The malware that usually installs ransomware and you need to remove right away
@online{cimpanu:20201120:malware:0b8ff59, author = {Catalin Cimpanu}, title = {{The malware that usually installs ransomware and you need to remove right away}}, date = {2020-11-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/}, language = {English}, urldate = {2020-11-23} }
Avaddon, BazarBackdoor, Buer, Clop, Cobalt Strike, Conti, DoppelPaymer, Dridex, Egregor, Emotet, FriedEx, MegaCortex, Phorpiex, PwndLocker, QakBot, Ryuk, SDBbot, TrickBot, Zloader
2020-11-20 | Group-IB | Oleg Skulkin, Roman Rezvukhin, Semyon Rogachev | The Locking Egregor
@online{skulkin:20201120:locking:cdb06cf, author = {Oleg Skulkin and Roman Rezvukhin and Semyon Rogachev}, title = {{The Locking Egregor}}, date = {2020-11-20}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/egregor}, language = {English}, urldate = {2020-11-23} }
Egregor, QakBot
2020-11-18 | Cisco | Nick Biasini, Edmund Brumaghin, Jaeson Schultz | Back from vacation: Analyzing Emotet's activity in 2020
@online{biasini:20201118:back:178d20d, author = {Nick Biasini and Edmund Brumaghin and Jaeson Schultz}, title = {{Back from vacation: Analyzing Emotet’s activity in 2020}}, date = {2020-11-18}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2020/11/emotet-2020.html}, language = {English}, urldate = {2020-11-19} }
Emotet
2020-11-12 | Intrinsec | Jean Bichet | Egregor – Prolock: Fraternal Twins?
@online{bichet:20201112:egregor:1ac0eb1, author = {Jean Bichet}, title = {{Egregor – Prolock: Fraternal Twins ?}}, date = {2020-11-12}, organization = {Intrinsec}, url = {https://www.intrinsec.com/egregor-prolock/}, language = {English}, urldate = {2020-11-23} }
Egregor, PwndLocker, QakBot
2020-11-06 | LAC WATCH | Matsumoto, Takagen, Ishikawa | Analysis report: Beware of the banking malware "Zloader" operating behind Emotet (original title in Japanese)
@online{matsumoto:20201106:emotetzloader:ba310e4, author = {Matsumoto and Takagen and Ishikawa}, title = {{分析レポート:Emotetの裏で動くバンキングマルウェア「Zloader」に注意}}, date = {2020-11-06}, organization = {LAC WATCH}, url = {https://www.lac.co.jp/lacwatch/people/20201106_002321.html}, language = {Japanese}, urldate = {2020-11-09} }
Emotet, Zloader
2020-11-06 | Security Soup Blog | Ryan Campbell | Quick Post: Spooky New PowerShell Obfuscation in Emotet Maldocs
@online{campbell:20201106:quick:741d84a, author = {Ryan Campbell}, title = {{Quick Post: Spooky New PowerShell Obfuscation in Emotet Maldocs}}, date = {2020-11-06}, organization = {Security Soup Blog}, url = {https://security-soup.net/quick-post-spooky-new-powershell-obfuscation-in-emotet-maldocs/}, language = {English}, urldate = {2020-11-09} }
Emotet
2020-11-05 | Brim Security | Oliver Rochford | Hunting Emotet with Brim and Zeek
@online{rochford:20201105:hunting:c53aca3, author = {Oliver Rochford}, title = {{Hunting Emotet with Brim and Zeek}}, date = {2020-11-05}, organization = {Brim Security}, url = {https://medium.com/brim-securitys-knowledge-funnel/hunting-emotet-with-brim-and-zeek-1000c2f5c1ff}, language = {English}, urldate = {2020-11-09} }
Emotet
2020-10-29 | Palo Alto Networks Unit 42 | Ruian Duan, Zhanhao Chen, Seokkyung Chung, Janos Szurdi, Jingwei Fan | Domain Parking: A Gateway to Attackers Spreading Emotet and Impersonating McAfee
@online{duan:20201029:domain:413ffab, author = {Ruian Duan and Zhanhao Chen and Seokkyung Chung and Janos Szurdi and Jingwei Fan}, title = {{Domain Parking: A Gateway to Attackers Spreading Emotet and Impersonating McAfee}}, date = {2020-10-29}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/domain-parking/}, language = {English}, urldate = {2020-11-02} }
Emotet
2020-10-29 | CERT-FR | CERT-FR | The malware-as-a-service Emotet (original title in French)
@techreport{certfr:20201029:le:d296223, author = {CERT-FR}, title = {{LE MALWARE-AS-A-SERVICE EMOTET}}, date = {2020-10-29}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf}, language = {English}, urldate = {2020-11-04} }
Dridex, Emotet, ISFB, QakBot
2020-10-28 | Bitdefender | Ruben Andrei Condor | A Decade of WMI Abuse – an Overview of Techniques in Modern Malware
@techreport{condor:20201028:decade:b8d7422, author = {Ruben Andrei Condor}, title = {{A Decade of WMI Abuse – an Overview of Techniques in Modern Malware}}, date = {2020-10-28}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf}, language = {English}, urldate = {2020-11-02} }
sLoad, Emotet, Maze
2020-10-20 | Bundesamt für Sicherheit in der Informationstechnik | BSI | The State of IT Security in Germany 2020 (original title in German)
@online{bsi:20201020:die:0683ad4, author = {BSI}, title = {{Die Lage der IT-Sicherheit in Deutschland 2020}}, date = {2020-10-20}, organization = {Bundesamt für Sicherheit in der Informationstechnik}, url = {https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2}, language = {German}, urldate = {2020-10-21} }
Clop, Emotet, REvil, Ryuk, TrickBot
2020-10-19 | SPAM Auditor | Thomas | The Many Faces of Emotet
@online{thomas:20201019:many:b85e434, author = {Thomas}, title = {{The Many Faces of Emotet}}, date = {2020-10-19}, organization = {SPAM Auditor}, url = {https://spamauditor.org/2020/10/the-many-faces-of-emotet/}, language = {English}, urldate = {2020-10-23} }
Emotet
2020-10-16 | Proofpoint | Cassandra A., Proofpoint Threat Research Team | Geofenced Amazon Japan Credential Phishing Volumes Rival Emotet
@online{a:20201016:geofenced:8c31198, author = {Cassandra A. and Proofpoint Threat Research Team}, title = {{Geofenced Amazon Japan Credential Phishing Volumes Rival Emotet}}, date = {2020-10-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/geofenced-amazon-japan-credential-phishing-volumes-rival-emotet}, language = {English}, urldate = {2020-10-23} }
Emotet
2020-10-14 | CrowdStrike | The Falcon Complete Team | Duck Hunting with Falcon Complete: Remediating a Fowl Banking Trojan, Part 3
@online{team:20201014:duck:d227846, author = {The Falcon Complete Team}, title = {{Duck Hunting with Falcon Complete: Remediating a Fowl Banking Trojan, Part 3}}, date = {2020-10-14}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-countermeasures/}, language = {English}, urldate = {2020-11-09} }
QakBot
2020-10-12 | DeepInstinct | Ron Ben Yizhak | Why Emotet's Latest Wave is Harder to Catch Than Ever Before – Part 2
@online{yizhak:20201012:why:df976a3, author = {Ron Ben Yizhak}, title = {{Why Emotet’s Latest Wave is Harder to Catch Than Ever Before – Part 2}}, date = {2020-10-12}, organization = {DeepInstinct}, url = {https://www.deepinstinct.com/2020/10/12/why-emotets-latest-wave-is-harder-to-catch-than-ever-before-part-2/}, language = {English}, urldate = {2020-10-15} }
Emotet
2020-10-07 | CrowdStrike | The Falcon Complete Team | Duck Hunting with Falcon Complete: Analyzing a Fowl Banking Trojan, Part 2
@online{team:20201007:duck:69360c9, author = {The Falcon Complete Team}, title = {{Duck Hunting with Falcon Complete: Analyzing a Fowl Banking Trojan, Part 2}}, date = {2020-10-07}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/}, language = {English}, urldate = {2020-10-12} }
QakBot, Zloader
2020-10-01 | CrowdStrike | Dylan Barker, Quinten Bowen, Ryan Campbell | Duck Hunting with Falcon Complete: Analyzing a Fowl Banking Trojan, Part 1
@online{barker:20201001:duck:edcc017, author = {Dylan Barker and Quinten Bowen and Ryan Campbell}, title = {{Duck Hunting with Falcon Complete: Analyzing a Fowl Banking Trojan, Part 1}}, date = {2020-10-01}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-analyzing-a-fowl-banking-trojan-part-1/}, language = {English}, urldate = {2020-10-07} }
QakBot, MALLARD SPIDER
2020-10-01 | Proofpoint | Axel F, Proofpoint Threat Research Team | Emotet Makes Timely Adoption of Political and Elections Lures
@online{f:20201001:emotet:59780d9, author = {Axel F and Proofpoint Threat Research Team}, title = {{Emotet Makes Timely Adoption of Political and Elections Lures}}, date = {2020-10-01}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/emotet-makes-timely-adoption-political-and-elections-lures}, language = {English}, urldate = {2020-10-05} }
Emotet
2020-09-29 | Seqrite | Prashant Tilekar | The return of the Emotet as the world unlocks!
@online{tilekar:20200929:return:d989aaf, author = {Prashant Tilekar}, title = {{The return of the Emotet as the world unlocks!}}, date = {2020-09-29}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/the-return-of-the-emotet-as-the-world-unlocks/}, language = {English}, urldate = {2021-01-01} }
Emotet
2020-09-29 | Microsoft | Microsoft | Microsoft Digital Defense Report
@techreport{microsoft:20200929:microsoft:6e5d7b0, author = {Microsoft}, title = {{Microsoft Digital Defense Report}}, date = {2020-09-29}, institution = {Microsoft}, url = {https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf}, language = {English}, urldate = {2020-10-05} }
Emotet, IcedID, Mailto, Maze, QakBot, REvil, RobinHood, TrickBot
2020-09-29 | PWC UK | Andy Auld | What's behind the increase in ransomware attacks this year?
@online{auld:20200929:whats:2782a62, author = {Andy Auld}, title = {{What's behind the increase in ransomware attacks this year?}}, date = {2020-09-29}, organization = {PWC UK}, url = {https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html}, language = {English}, urldate = {2021-05-25} }
DarkSide, Avaddon, Clop, Conti, DoppelPaymer, Dridex, Emotet, FriedEx, Mailto, PwndLocker, QakBot, REvil, Ryuk, SMAUG, SunCrypt, TrickBot, WastedLocker
2020-09-11 | ThreatConnect | ThreatConnect Research Team | Research Roundup: Activity on Previously Identified APT33 Domains
@online{team:20200911:research:edfb074, author = {ThreatConnect Research Team}, title = {{Research Roundup: Activity on Previously Identified APT33 Domains}}, date = {2020-09-11}, organization = {ThreatConnect}, url = {https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/}, language = {English}, urldate = {2020-09-15} }
Emotet, PlugX, APT33
2020-09-10 | QuoSec GmbH | Quosec Blog | grap: Automating QakBot strings decryption
@online{blog:20200910:grap:d2f055d, author = {Quosec Blog}, title = {{grap: Automating QakBot strings decryption}}, date = {2020-09-10}, organization = {QuoSec GmbH}, url = {https://quosecgmbh.github.io/blog/grap_qakbot_strings.html}, language = {English}, urldate = {2021-03-22} }
QakBot
2020-09-10 | Group-IB | Oleg Skulkin, Semyon Rogachev | Lock Like a Pro: Dive in Recent ProLock's Big Game Hunting
@online{skulkin:20200910:lock:a6f630a, author = {Oleg Skulkin and Semyon Rogachev}, title = {{Lock Like a Pro: Dive in Recent ProLock's Big Game Hunting}}, date = {2020-09-10}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/prolock_evolution}, language = {English}, urldate = {2020-09-15} }
PwndLocker, QakBot
2020-09-07 | CERT-FR | CERT-FR | CERT-FR alert bulletin: Resurgence of Emotet activity in France (original title in French)
@online{certfr:20200907:bulletin:f7b2023, author = {CERT-FR}, title = {{Bulletin d'alerte du CERT-FR: Recrudescence d’activité Emotet en France}}, date = {2020-09-07}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-019/}, language = {English}, urldate = {2020-09-15} }
Emotet
2020-09-07 | CERT NZ | CERT NZ | Emotet Malware being spread via email
@online{nz:20200907:emotet:e7965c2, author = {CERT NZ}, title = {{Emotet Malware being spread via email}}, date = {2020-09-07}, organization = {CERT NZ}, url = {https://www.cert.govt.nz/it-specialists/advisories/emotet-malware-being-spread-via-email/}, language = {English}, urldate = {2020-09-15} }
Emotet
2020-09-04 | QuoSec GmbH | Quosec Blog | Navigating QakBot samples with grap
@online{blog:20200904:navigating:75404a6, author = {Quosec Blog}, title = {{Navigating QakBot samples with grap}}, date = {2020-09-04}, organization = {QuoSec GmbH}, url = {https://quosecgmbh.github.io/blog/grap_qakbot_navigation.html}, language = {English}, urldate = {2021-03-22} }
QakBot
2020-08-31 | Inde | Chris Campbell | Analysis of the latest wave of Emotet malicious documents
@online{campbell:20200831:analysis:33c982e, author = {Chris Campbell}, title = {{Analysis of the latest wave of Emotet malicious documents}}, date = {2020-08-31}, organization = {Inde}, url = {https://www.inde.nz/blog/analysis-of-the-latest-wave-of-emotet-malicious-documents}, language = {English}, urldate = {2022-04-29} }
Emotet
2020-08-28 | Proofpoint | Axel F, Proofpoint Threat Research Team | A Comprehensive Look at Emotet's Summer 2020 Return
@online{f:20200828:comprehensive:df5ff9b, author = {Axel F and Proofpoint Threat Research Team}, title = {{A Comprehensive Look at Emotet’s Summer 2020 Return}}, date = {2020-08-28}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-summer-2020-return}, language = {English}, urldate = {2020-08-30} }
Emotet, MUMMY SPIDER
2020-08-27 | Checkpoint | Alex Ilgayev | An Old Bot's Nasty New Tricks: Exploring Qbot's Latest Attack Methods
@online{ilgayev:20200827:old:8859e51, author = {Alex Ilgayev}, title = {{An Old Bot’s Nasty New Tricks: Exploring Qbot’s Latest Attack Methods}}, date = {2020-08-27}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/exploring-qbots-latest-attack-methods/}, language = {English}, urldate = {2020-08-31} }
QakBot
2020-08-24 | Hornetsecurity | Security Lab | Emotet Update increases Downloads
@online{lab:20200824:emotet:252c8de, author = {Security Lab}, title = {{Emotet Update increases Downloads}}, date = {2020-08-24}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/emotet-update-increases-downloads/}, language = {English}, urldate = {2020-08-30} }
Emotet
2020-08-20 | Morphisec | Arnold Osipov | QakBot (QBot) Maldoc Campaign Introduces Two New Techniques into Its Arsenal
@online{osipov:20200820:qakbot:a7e14ef, author = {Arnold Osipov}, title = {{QakBot (QBot) Maldoc Campaign Introduces Two New Techniques into Its Arsenal}}, date = {2020-08-20}, organization = {Morphisec}, url = {https://blog.morphisec.com/qakbot-qbot-maldoc-two-new-techniques}, language = {English}, urldate = {2020-08-25} }
QakBot
2020-08-16 | kienmanowar Blog | m4n0w4r | Manual Unpacking IcedID Write-up
@online{m4n0w4r:20200816:manual:7a970b8, author = {m4n0w4r}, title = {{Manual Unpacking IcedID Write-up}}, date = {2020-08-16}, organization = {kienmanowar Blog}, url = {https://kienmanowar.wordpress.com/2020/08/16/manual-unpacking-icedid-write-up/}, language = {English}, urldate = {2020-08-20} }
IcedID
2020-08-14 | Binary Defense | James Quinn | EmoCrash: Exploiting a Vulnerability in Emotet Malware for Defense
@online{quinn:20200814:emocrash:4f12855, author = {James Quinn}, title = {{EmoCrash: Exploiting a Vulnerability in Emotet Malware for Defense}}, date = {2020-08-14}, organization = {Binary Defense}, url = {https://www.binarydefense.com/emocrash-exploiting-a-vulnerability-in-emotet-malware-for-defense/}, language = {English}, urldate = {2020-08-19} }
Emotet
2020-08-12 | DeepInstinct | Ron Ben Yizhak | Why Emotet's Latest Wave is Harder to Catch than Ever Before
@online{yizhak:20200812:why:b99aef4, author = {Ron Ben Yizhak}, title = {{Why Emotet’s Latest Wave is Harder to Catch than Ever Before}}, date = {2020-08-12}, organization = {DeepInstinct}, url = {https://www.deepinstinct.com/2020/08/12/why-emotets-latest-wave-is-harder-to-catch-than-ever-before/}, language = {English}, urldate = {2020-10-15} }
Emotet
2020-08-12 | Juniper | Paul Kimayong | IcedID Campaign Strikes Back
@online{kimayong:20200812:icedid:b40f8b4, author = {Paul Kimayong}, title = {{IcedID Campaign Strikes Back}}, date = {2020-08-12}, organization = {Juniper}, url = {https://blogs.juniper.net/en-us/threat-research/iceid-campaign-strikes-back}, language = {English}, urldate = {2020-08-27} }
IcedID
2020-08-10 | tccontre Blog | tccontre | Learning From ICEID loader - Including its Steganography Payload Parsing
@online{tccontre:20200810:learning:8cc052c, author = {tccontre}, title = {{Learning From ICEID loader - Including its Steganography Payload Parsing}}, date = {2020-08-10}, organization = {tccontre Blog}, url = {https://tccontre.blogspot.com/2020/08/learning-from-iceid-loader-including.html}, language = {English}, urldate = {2020-08-14} }
IcedID
2020-08-09 | F5 Labs | Remi Cohen, Debbie Walkowski | Banking Trojans: A Reference Guide to the Malware Family Tree
@online{cohen:20200809:banking:8718999, author = {Remi Cohen and Debbie Walkowski}, title = {{Banking Trojans: A Reference Guide to the Malware Family Tree}}, date = {2020-08-09}, organization = {F5 Labs}, url = {https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree}, language = {English}, urldate = {2021-06-29} }
BackSwap, Carberp, Citadel, DanaBot, Dridex, Dyre, Emotet, Gozi, Kronos, PandaBanker, Ramnit, Shylock, SpyEye, Tinba, TrickBot, Vawtrak, Zeus
2020-08-05 | Github (mauronz) | Francesco Muroni | Emotet API+string deobfuscator (v0.1)
@online{muroni:20200805:emotet:0fe027e, author = {Francesco Muroni}, title = {{Emotet API+string deobfuscator (v0.1)}}, date = {2020-08-05}, organization = {Github (mauronz)}, url = {https://github.com/mauronz/binja-emotet}, language = {English}, urldate = {2020-08-18} }
Emotet
2020-08 | TG Soft | TG Soft | TG Soft Cyber - Threat Report
@online{soft:202008:tg:88b671c, author = {TG Soft}, title = {{TG Soft Cyber - Threat Report}}, date = {2020-08}, organization = {TG Soft}, url = {https://www.tgsoft.it/files/report/download.asp?id=7481257469}, language = {Italian}, urldate = {2020-09-15} }
DarkComet, Darktrack RAT, Emotet, ISFB
2020-07-31 | Hornetsecurity | Hornetsecurity Security Lab | The webshells powering Emotet
@online{lab:20200731:webshells:4963ea5, author = {Hornetsecurity Security Lab}, title = {{The webshells powering Emotet}}, date = {2020-07-31}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-informationen-en/webshells-powering-emotet/}, language = {English}, urldate = {2020-08-21} }
Emotet
2020-07-30 | Spamhaus | Spamhaus Malware Labs | Spamhaus Botnet Threat Update Q2 2020
@techreport{labs:20200730:spamhaus:038546d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2020}}, date = {2020-07-30}, institution = {Spamhaus}, url = {https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf}, language = {English}, urldate = {2020-07-30} }
AdWind, Agent Tesla, Arkei Stealer, AsyncRAT, Ave Maria, Azorult, DanaBot, Emotet, IcedID, ISFB, KPOT Stealer, Loki Password Stealer (PWS), Nanocore RAT, NetWire RC, NjRAT, Pony, Raccoon, RedLine Stealer, Remcos, Zloader
2020-07-29 | Sophos Labs | Andrew Brandt | Emotet's return is the canary in the coal mine
@online{brandt:20200729:emotets:cb1de9b, author = {Andrew Brandt}, title = {{Emotet’s return is the canary in the coal mine}}, date = {2020-07-29}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2020/07/28/emotets-return-is-the-canary-in-the-coal-mine/?cmp=30728}, language = {English}, urldate = {2020-07-30} }
Emotet
2020-07-28 | Bleeping Computer | Sergiu Gatlan | Emotet malware now steals your email attachments to attack contacts
@online{gatlan:20200728:emotet:37429c5, author = {Sergiu Gatlan}, title = {{Emotet malware now steals your email attachments to attack contacts}}, date = {2020-07-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/emotet-malware-now-steals-your-email-attachments-to-attack-contacts/}, language = {English}, urldate = {2020-07-30} }
Emotet
2020-07-20 | Hornetsecurity | Hornetsecurity Security Lab | Emotet is back
@online{lab:20200720:emotet:f918eaf, author = {Hornetsecurity Security Lab}, title = {{Emotet is back}}, date = {2020-07-20}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/emotet-is-back/}, language = {English}, urldate = {2020-07-30} }
Emotet
2020-07-20 | Bleeping Computer | Lawrence Abrams | Emotet-TrickBot malware duo is back infecting Windows machines
@online{abrams:20200720:emotettrickbot:a8e84d2, author = {Lawrence Abrams}, title = {{Emotet-TrickBot malware duo is back infecting Windows machines}}, date = {2020-07-20}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/emotet-trickbot-malware-duo-is-back-infecting-windows-machines/}, language = {English}, urldate = {2020-07-21} }
Emotet, TrickBot
2020-07-20 | NTT | Security division of NTT Ltd. | Shellbot victim overlap with Emotet network infrastructure
@online{ltd:20200720:shellbot:adab896, author = {Security division of NTT Ltd.}, title = {{Shellbot victim overlap with Emotet network infrastructure}}, date = {2020-07-20}, organization = {NTT}, url = {https://hello.global.ntt/en-us/insights/blog/shellbot-victim-overlap-with-emotet-network-infrastructure}, language = {English}, urldate = {2020-07-30} }
Emotet
2020-07-17 | CERT-FR | CERT-FR | The Malware Dridex: Origins and Uses
@techreport{certfr:20200717:malware:5c58cdf, author = {CERT-FR}, title = {{The Malware Dridex: Origins and Uses}}, date = {2020-07-17}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf}, language = {English}, urldate = {2020-07-20} }
Andromeda, CryptoLocker, Cutwail, DoppelPaymer, Dridex, Emotet, FriedEx, Gameover P2P, Gandcrab, ISFB, Murofet, Necurs, Predator The Thief, Zeus
2020-07-15 | N1ght-W0lf Blog | Abdallah Elshinbary | Deep Analysis of QBot Banking Trojan
@online{elshinbary:20200715:deep:9b38d20, author = {Abdallah Elshinbary}, title = {{Deep Analysis of QBot Banking Trojan}}, date = {2020-07-15}, organization = {N1ght-W0lf Blog}, url = {https://n1ght-w0lf.github.io/malware%20analysis/qbot-banking-trojan/}, language = {English}, urldate = {2020-07-16} }
QakBot
2020-07-01 | Cisco Talos | Nick Biasini, Edmund Brumaghin, Mariano Graziano | Threat Spotlight: Valak Slithers Its Way Into Manufacturing and Transportation Networks
@online{biasini:20200701:threat:a726b7e, author = {Nick Biasini and Edmund Brumaghin and Mariano Graziano}, title = {{Threat Spotlight: Valak Slithers Its Way Into Manufacturing and Transportation Networks}}, date = {2020-07-01}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/07/valak-emerges.html}, language = {English}, urldate = {2020-08-18} }
Valak, IcedID, ISFB, MyKings Spreader
2020-06-24 | Morphisec | Arnold Osipov | Obfuscated VBScript Drops Zloader, Ursnif, Qakbot, Dridex
@online{osipov:20200624:obfuscated:74bfeed, author = {Arnold Osipov}, title = {{Obfuscated VBScript Drops Zloader, Ursnif, Qakbot, Dridex}}, date = {2020-06-24}, organization = {Morphisec}, url = {https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex}, language = {English}, urldate = {2020-06-25} }
Dridex, ISFB, QakBot, Zloader
2020-06-22 | zero2auto | Daniel Bunce | Unpacking Visual Basic Packers – IcedID
@online{bunce:20200622:unpacking:8a02d84, author = {Daniel Bunce}, title = {{Unpacking Visual Basic Packers – IcedID}}, date = {2020-06-22}, organization = {zero2auto}, url = {https://zero2auto.com/2020/06/22/unpacking-visual-basic-packers/}, language = {English}, urldate = {2020-06-24} }
IcedID
2020-06-21 | Malware and Stuff | Andreas Klopsch | UPnP – Messing up Security since years
@online{klopsch:20200621:upnp:f54abe6, author = {Andreas Klopsch}, title = {{UpnP – Messing up Security since years}}, date = {2020-06-21}, organization = {Malware and Stuff}, url = {https://malwareandstuff.com/upnp-messing-up-security-since-years/}, language = {English}, urldate = {2020-06-22} }
QakBot
2020-06-18 | Juniper | Paul Kimayong | COVID-19 and FMLA Campaigns used to install new IcedID banking malware
@online{kimayong:20200618:covid19:4bb5511, author = {Paul Kimayong}, title = {{COVID-19 and FMLA Campaigns used to install new IcedID banking malware}}, date = {2020-06-18}, organization = {Juniper}, url = {https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware}, language = {English}, urldate = {2020-06-23} }
IcedID
2020-06-18 | NTT Security | Security division of NTT Ltd. | Behind the scenes of the Emotet Infrastructure
@online{ltd:20200618:behind:a5e168d, author = {Security division of NTT Ltd.}, title = {{Behind the scenes of the Emotet Infrastructure}}, date = {2020-06-18}, organization = {NTT Security}, url = {https://hello.global.ntt/en-us/insights/blog/behind-the-scenes-of-the-emotet-infrastructure}, language = {English}, urldate = {2020-06-20} }
Emotet
2020-06-17 | Github (f0wl) | Marius Genheimer | deICEr: A Go tool for extracting config from IcedID second stage Loaders
@online{genheimer:20200617:deicer:de78cca, author = {Marius Genheimer}, title = {{deICEr: A Go tool for extracting config from IcedID second stage Loaders}}, date = {2020-06-17}, organization = {Github (f0wl)}, url = {https://github.com/f0wl/deICEr}, language = {English}, urldate = {2020-06-18} }
IcedID
2020-06-16 | Hornetsecurity | Security Lab | QakBot malspam leading to ProLock: Nothing personal just business
@online{lab:20200616:qakbot:0353100, author = {Security Lab}, title = {{QakBot malspam leading to ProLock: Nothing personal just business}}, date = {2020-06-16}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/qakbot-malspam-leading-to-prolock/}, language = {English}, urldate = {2020-07-01} }
PwndLocker, QakBot
2020-06-12 | ThreatConnect | ThreatConnect Research Team | Probable Sandworm Infrastructure
@online{team:20200612:probable:89a5bed, author = {ThreatConnect Research Team}, title = {{Probable Sandworm Infrastructure}}, date = {2020-06-12}, organization = {ThreatConnect}, url = {https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure}, language = {English}, urldate = {2020-06-16} }
Avaddon, Emotet, Kimsuky
2020-06-11 | F5 Labs | Doron Voolf | Qbot Banking Trojan Still Up to Its Old Tricks
@online{voolf:20200611:qbot:1bd9fe7, author = {Doron Voolf}, title = {{Qbot Banking Trojan Still Up to Its Old Tricks}}, date = {2020-06-11}, organization = {F5 Labs}, url = {https://www.f5.com/labs/articles/threat-intelligence/qbot-banking-trojan-still-up-to-its-old-tricks}, language = {English}, urldate = {2020-06-16} }
QakBot
2020-05-29 | Group-IB | Ivan Pisarev | IcedID: When ice burns through bank accounts
@online{pisarev:20200529:icedid:9627fda, author = {Ivan Pisarev}, title = {{IcedID: When ice burns through bank accounts}}, date = {2020-05-29}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/icedid}, language = {English}, urldate = {2020-06-02} }
IcedID
2020-05-28 | VMWare Carbon Black | Tom Kellermann, Ryan Murphy | Modern Bank Heists 3.0
@techreport{kellermann:20200528:modern:8155ea4, author = {Tom Kellermann and Ryan Murphy}, title = {{Modern Bank Heists 3.0}}, date = {2020-05-28}, institution = {VMWare Carbon Black}, url = {https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmwcb-report-modern-bank-heists-2020.pdf}, language = {English}, urldate = {2022-04-25} }
Emotet
2020-05-24 | Palo Alto Networks Unit 42 | Ajaya Neupane, Stefan Achleitner | Using AI to Detect Malicious C2 Traffic
@online{neupane:20200524:using:2f77c1c, author = {Ajaya Neupane and Stefan Achleitner}, title = {{Using AI to Detect Malicious C2 Traffic}}, date = {2020-05-24}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/c2-traffic/}, language = {English}, urldate = {2021-06-09} }
Emotet, Sality
2020-05-21 | PICUS Security | Süleyman Özarslan | T1055 Process Injection
@online{zarslan:20200521:t1055:4400f98, author = {Süleyman Özarslan}, title = {{T1055 Process Injection}}, date = {2020-05-21}, organization = {PICUS Security}, url = {https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection}, language = {English}, urldate = {2020-06-03} }
BlackEnergy, Cardinal RAT, Downdelph, Emotet, Kazuar, RokRAT, SOUNDBITE
2020-05-05 | Hornetsecurity | Security Lab | Awaiting the Inevitable Return of Emotet
@online{lab:20200505:awaiting:513382e, author = {Security Lab}, title = {{Awaiting the Inevitable Return of Emotet}}, date = {2020-05-05}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/awaiting-the-inevitable-return-of-emotet/}, language = {English}, urldate = {2020-05-05} }
Emotet
2020-05-05 | Malware and Stuff | Andreas Klopsch | An old enemy – Diving into QBot part 3
@online{klopsch:20200505:old:84beb5b, author = {Andreas Klopsch}, title = {{An old enemy – Diving into QBot part 3}}, date = {2020-05-05}, organization = {Malware and Stuff}, url = {https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-3/}, language = {English}, urldate = {2020-05-05} }
QakBot
2020-04-22 | Youtube (Infosec Alpha) | Raashid Bhat | FlattenTheCurve - Emotet Control Flow Unflattening | Episode 2
@online{bhat:20200422:flattenthecurve:0bdf5a3, author = {Raashid Bhat}, title = {{FlattenTheCurve - Emotet Control Flow Unflattening | Episode 2}}, date = {2020-04-22}, organization = {Youtube (Infosec Alpha)}, url = {https://www.youtube.com/watch?v=8PHCZdpNKrw}, language = {English}, urldate = {2020-04-23} }
Emotet
2020-04-14 | Intel 471 | Intel 471
@online{471:20200414:understanding:ca95961, author = {Intel 471}, title = {{Understanding the relationship between Emotet, Ryuk and TrickBot}}, date = {2020-04-14}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/}, language = {English}, urldate = {2020-04-26} } Understanding the relationship between Emotet, Ryuk and TrickBot
Emotet Ryuk TrickBot
2020-04-03 | Bleeping Computer | Sergiu Gatlan
@online{gatlan:20200403:microsoft:c12a844, author = {Sergiu Gatlan}, title = {{Microsoft: Emotet Took Down a Network by Overheating All Computers}}, date = {2020-04-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/microsoft-emotet-took-down-a-network-by-overheating-all-computers/}, language = {English}, urldate = {2020-04-08} } Microsoft: Emotet Took Down a Network by Overheating All Computers
Emotet
2020-03-31 | Youtube (Infosec Alpha) | Raashid Bhat
@online{bhat:20200331:emotet:50264e0, author = {Raashid Bhat}, title = {{Emotet Binary Deobfuscation | Coconut Paradise | Episode 1}}, date = {2020-03-31}, organization = {Youtube (Infosec Alpha)}, url = {https://www.youtube.com/watch?v=_mGMJFNJWSk}, language = {English}, urldate = {2020-04-23} } Emotet Binary Deobfuscation | Coconut Paradise | Episode 1
Emotet
2020-03-30 | Malware and Stuff | Andreas Klopsch
@online{klopsch:20200330:old:ed1f6ef, author = {Andreas Klopsch}, title = {{An old enemy – Diving into QBot part 1}}, date = {2020-03-30}, organization = {Malware and Stuff}, url = {https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-1/}, language = {English}, urldate = {2020-04-01} } An old enemy – Diving into QBot part 1
QakBot
2020-03-30 | Intezer | Michael Kajiloti
@online{kajiloti:20200330:fantastic:c01db60, author = {Michael Kajiloti}, title = {{Fantastic payloads and where we find them}}, date = {2020-03-30}, organization = {Intezer}, url = {https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them}, language = {English}, urldate = {2020-04-07} } Fantastic payloads and where we find them
Dridex Emotet ISFB TrickBot
2020-03-30 | Symantec | Nguyen Hoang Giang, Mingwei Zhang
@online{giang:20200330:emotet:6034d14, author = {Nguyen Hoang Giang and Mingwei Zhang}, title = {{Emotet: Dangerous Malware Keeps on Evolving}}, date = {2020-03-30}, organization = {Symantec}, url = {https://medium.com/threat-intel/emotet-dangerous-malware-keeps-on-evolving-ac84aadbb8de}, language = {English}, urldate = {2020-04-01} } Emotet: Dangerous Malware Keeps on Evolving
Emotet
2020-03-12 | Digital Shadows | Alex Guirakhoo
@online{guirakhoo:20200312:how:cf2276f, author = {Alex Guirakhoo}, title = {{How cybercriminals are taking advantage of COVID-19: Scams, fraud, and misinformation}}, date = {2020-03-12}, organization = {Digital Shadows}, url = {https://www.digitalshadows.com/blog-and-research/how-cybercriminals-are-taking-advantage-of-covid-19-scams-fraud-misinformation/}, language = {English}, urldate = {2020-03-19} } How cybercriminals are taking advantage of COVID-19: Scams, fraud, and misinformation
Emotet
2020-03-11 | Twitter (@raashidbhatt) | Raashid Bhat
@online{bhat:20200311:emotet:c178008, author = {Raashid Bhat}, title = {{Tweet on Emotet Deobfuscation with Video}}, date = {2020-03-11}, organization = {Twitter (@raashidbhatt)}, url = {https://twitter.com/raashidbhatt/status/1237853549200936960}, language = {English}, urldate = {2020-03-13} } Tweet on Emotet Deobfuscation with Video
Emotet
2020-03-06 | Telekom | Thomas Barabosch
@online{barabosch:20200306:dissecting:809bc54, author = {Thomas Barabosch}, title = {{Dissecting Emotet - Part 2}}, date = {2020-03-06}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/cybersecurity-dissecting-emotet-part-two-596128}, language = {English}, urldate = {2020-03-09} } Dissecting Emotet - Part 2
Emotet
2020-03-06 | Binary Defense | James Quinn
@online{quinn:20200306:emotet:e93ab0b, author = {James Quinn}, title = {{Emotet Wi-Fi Spreader Upgraded}}, date = {2020-03-06}, organization = {Binary Defense}, url = {https://www.binarydefense.com/emotet-wi-fi-spreader-upgraded/}, language = {English}, urldate = {2020-03-09} } Emotet Wi-Fi Spreader Upgraded
Emotet
2020-03-04 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER Pirate Panda SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-03-03 | PWC UK | PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2020-03-02 | c't | Christian Wölbert
@online{wlbert:20200302:was:1b9cc93, author = {Christian Wölbert}, title = {{Was Emotet anrichtet – und welche Lehren die Opfer daraus ziehen}}, date = {2020-03-02}, organization = {c't}, url = {https://www.heise.de/ct/artikel/Was-Emotet-anrichtet-und-welche-Lehren-die-Opfer-daraus-ziehen-4665958.html}, language = {German}, urldate = {2020-03-02} } Was Emotet anrichtet – und welche Lehren die Opfer daraus ziehen
Emotet Ryuk
2020-02-29 | ZDNet | Catalin Cimpanu
@online{cimpanu:20200229:meet:b1d7dbd, author = {Catalin Cimpanu}, title = {{Meet the white-hat group fighting Emotet, the world's most dangerous malware}}, date = {2020-02-29}, organization = {ZDNet}, url = {https://www.zdnet.com/article/meet-the-white-hat-group-fighting-emotet-the-worlds-most-dangerous-malware/}, language = {English}, urldate = {2020-03-02} } Meet the white-hat group fighting Emotet, the world's most dangerous malware
Emotet
2020-02-19 | FireEye | FireEye
@online{fireeye:20200219:mtrends:193613a, author = {FireEye}, title = {{M-Trends 2020}}, date = {2020-02-19}, organization = {FireEye}, url = {https://content.fireeye.com/m-trends/rpt-m-trends-2020}, language = {English}, urldate = {2020-02-20} } M-Trends 2020
Cobalt Strike Grateful POS LockerGoga QakBot TrickBot
2020-02-18 | CERT.PL | Michał Praszmo
@online{praszmo:20200218:whats:2790998, author = {Michał Praszmo}, title = {{What’s up Emotet?}}, date = {2020-02-18}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/whats-up-emotet/}, language = {English}, urldate = {2020-02-18} } What’s up Emotet?
Emotet
2020-02-18 | Sophos Labs | Luca Nagy
@online{nagy:20200218:nearly:8ff363f, author = {Luca Nagy}, title = {{Nearly a quarter of malware now communicates using TLS}}, date = {2020-02-18}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/}, language = {English}, urldate = {2020-02-27} } Nearly a quarter of malware now communicates using TLS
Dridex IcedID TrickBot
2020-02-13 | Talos | Nick Biasini, Edmund Brumaghin
@online{biasini:20200213:threat:443d687, author = {Nick Biasini and Edmund Brumaghin}, title = {{Threat actors attempt to capitalize on coronavirus outbreak}}, date = {2020-02-13}, organization = {Talos}, url = {https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html}, language = {English}, urldate = {2020-03-19} } Threat actors attempt to capitalize on coronavirus outbreak
Emotet Nanocore RAT Parallax RAT
2020-02-10 | Malwarebytes | Adam Kujawa, Wendy Zamora, Jérôme Segura, Thomas Reed, Nathan Collier, Jovi Umawing, Chris Boyd, Pieter Arntz, David Ruiz
@techreport{kujawa:20200210:2020:3fdaf12, author = {Adam Kujawa and Wendy Zamora and Jérôme Segura and Thomas Reed and Nathan Collier and Jovi Umawing and Chris Boyd and Pieter Arntz and David Ruiz}, title = {{2020 State of Malware Report}}, date = {2020-02-10}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf}, language = {English}, urldate = {2020-02-13} } 2020 State of Malware Report
magecart Emotet QakBot REvil Ryuk TrickBot WannaCryptor
2020-02-08 | PICUS Security | Süleyman Özarslan
@online{zarslan:20200208:emotet:1fac6a4, author = {Süleyman Özarslan}, title = {{Emotet Technical Analysis - Part 2 PowerShell Unveiled}}, date = {2020-02-08}, organization = {PICUS Security}, url = {https://www.picussecurity.com/blog/emotet-technical-analysis-part-2-powershell-unveiled}, language = {English}, urldate = {2020-06-03} } Emotet Technical Analysis - Part 2 PowerShell Unveiled
Emotet
2020-02-07 | Binary Defense | James Quinn
@online{quinn:20200207:emotet:07de43a, author = {James Quinn}, title = {{Emotet Evolves With New Wi-Fi Spreader}}, date = {2020-02-07}, organization = {Binary Defense}, url = {https://www.binarydefense.com/emotet-evolves-with-new-wi-fi-spreader/}, language = {English}, urldate = {2020-02-09} } Emotet Evolves With New Wi-Fi Spreader
Emotet
2020-02-03 | Telekom | Thomas Barabosch
@online{barabosch:20200203:dissecting:c1a6bca, author = {Thomas Barabosch}, title = {{Dissecting Emotet – Part 1}}, date = {2020-02-03}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/cybersecurity-dissecting-emotet-part-one-592612}, language = {English}, urldate = {2020-02-07} } Dissecting Emotet – Part 1
Emotet
2020-01-30 | IBM X-Force Exchange | Ashkan Vila, Golo Mühr
@online{vila:20200130:coronavirus:f0121b9, author = {Ashkan Vila and Golo Mühr}, title = {{Coronavirus Goes Cyber With Emotet}}, date = {2020-01-30}, organization = {IBM X-Force Exchange}, url = {https://exchange.xforce.ibmcloud.com/collection/18f373debc38779065a26f1958dc260b}, language = {English}, urldate = {2020-02-03} } Coronavirus Goes Cyber With Emotet
Emotet
2020-01-30 | PICUS Security | Süleyman Özarslan
@online{zarslan:20200130:emotet:1d5ef78, author = {Süleyman Özarslan}, title = {{Emotet Technical Analysis - Part 1 Reveal the Evil Code}}, date = {2020-01-30}, organization = {PICUS Security}, url = {https://www.picussecurity.com/blog/emotet-technical-analysis-part-1-reveal-the-evil-code}, language = {English}, urldate = {2020-06-03} } Emotet Technical Analysis - Part 1 Reveal the Evil Code
Emotet
2020-01-27 | T-Systems | T-Systems
@techreport{tsystems:20200127:vorlufiger:39dc989, author = {T-Systems}, title = {{Vorläufiger forensischer Abschlussbericht zur Untersuchung des Incidents beim Berliner Kammergericht}}, date = {2020-01-27}, institution = {T-Systems}, url = {https://www.berlin.de/sen/justva/presse/pressemitteilungen/2020/pm-11-2020-t-systems-forensik_bericht_public_v1.pdf}, language = {German}, urldate = {2020-01-28} } Vorläufiger forensischer Abschlussbericht zur Untersuchung des Incidents beim Berliner Kammergericht
Emotet TrickBot
2020-01-22 | Thomas Barabosch
@online{barabosch:20200122:malware:f805475, author = {Thomas Barabosch}, title = {{The malware analyst’s guide to PE timestamps}}, date = {2020-01-22}, url = {https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/}, language = {English}, urldate = {2021-01-25} } The malware analyst’s guide to PE timestamps
Azorult Gozi IcedID ISFB LOLSnif SUNBURST TEARDROP
2020-01-17 | JPCERT/CC | Takayoshi Shiigi
@techreport{shiigi:20200117:looking:bf71db1, author = {Takayoshi Shiigi}, title = {{Looking back on the incidents in 2019}}, date = {2020-01-17}, institution = {JPCERT/CC}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf}, language = {English}, urldate = {2020-04-06} } Looking back on the incidents in 2019
TSCookie NodeRAT Emotet PoshC2 Quasar RAT
2020-01-17 | Hiroaki Ogawa, Manabu Niseki
@techreport{ogawa:20200117:100:035a7dd, author = {Hiroaki Ogawa and Manabu Niseki}, title = {{100 more behind cockroaches?}}, date = {2020-01-17}, institution = {}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf}, language = {English}, urldate = {2020-01-17} } 100 more behind cockroaches?
MoqHao Emotet Predator The Thief
2020-01-14 | Bleeping Computer | Lawrence Abrams
@online{abrams:20200114:united:a309baa, author = {Lawrence Abrams}, title = {{United Nations Targeted With Emotet Malware Phishing Attack}}, date = {2020-01-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/united-nations-targeted-with-emotet-malware-phishing-attack/}, language = {English}, urldate = {2020-01-20} } United Nations Targeted With Emotet Malware Phishing Attack
Emotet
2020-01-13 | Gigamon | William Peteroy, Ed Miles
@online{peteroy:20200113:emotet:60abae1, author = {William Peteroy and Ed Miles}, title = {{Emotet: Not your Run-of-the-mill Malware}}, date = {2020-01-13}, organization = {Gigamon}, url = {https://atr-blog.gigamon.com/2020/01/13/emotet-not-your-run-of-the-mill-malware/}, language = {English}, urldate = {2020-01-17} } Emotet: Not your Run-of-the-mill Malware
Emotet
2020-01-10 | CSIS | CSIS
@techreport{csis:20200110:threat:7454f36, author = {CSIS}, title = {{Threat Matrix H1 2019}}, date = {2020-01-10}, institution = {CSIS}, url = {https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf}, language = {English}, urldate = {2020-01-22} } Threat Matrix H1 2019
Gustuff magecart Emotet Gandcrab Ramnit TrickBot
2020-01-07 | Hatching.io | Team
@online{team:20200107:powershell:fb8264e, author = {Team}, title = {{Powershell Static Analysis & Emotet results}}, date = {2020-01-07}, organization = {Hatching.io}, url = {https://hatching.io/blog/powershell-analysis}, language = {English}, urldate = {2020-01-12} } Powershell Static Analysis & Emotet results
Emotet
2020-01-03 | Youtube (BSides Belfast) | Nick Summerlin, Jorge Rodriguez
@online{summerlin:20200103:demystifying:c0a1a19, author = {Nick Summerlin and Jorge Rodriguez}, title = {{Demystifying QBot Banking Trojan}}, date = {2020-01-03}, organization = {Youtube (BSides Belfast)}, url = {https://www.youtube.com/watch?v=iB1psRMtlqg}, language = {English}, urldate = {2020-02-21} } Demystifying QBot Banking Trojan
QakBot
2020 | Secureworks | SecureWorks
@online{secureworks:2020:gold:9b89cea, author = {SecureWorks}, title = {{GOLD CRESTWOOD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-crestwood}, language = {English}, urldate = {2020-05-23} } GOLD CRESTWOOD
Emotet MUMMY SPIDER
2020 | Secureworks | SecureWorks
@online{secureworks:2020:gold:00ad0eb, author = {SecureWorks}, title = {{GOLD LAGOON}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-lagoon}, language = {English}, urldate = {2020-05-23} } GOLD LAGOON
QakBot
2020 | Secureworks | SecureWorks
@online{secureworks:2020:gold:65fcc96, author = {SecureWorks}, title = {{GOLD SWATHMORE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-swathmore}, language = {English}, urldate = {2020-05-23} } GOLD SWATHMORE
GlobeImposter Gozi IcedID TrickBot LUNAR SPIDER
2020 | University of Malta | Steve Borg
@online{borg:2020:memory:974bf75, author = {Steve Borg}, title = {{Memory Forensics of Qakbot}}, date = {2020}, organization = {University of Malta}, url = {https://www.um.edu.mt/library/oar/handle/123456789/76802}, language = {English}, urldate = {2021-06-24} } Memory Forensics of Qakbot
QakBot
2019-12-18 | Github (psrok1) | Paweł Srokosz
@online{srokosz:20191218:icedid:05c3255, author = {Paweł Srokosz}, title = {{IcedID PNG Extractor}}, date = {2019-12-18}, organization = {Github (psrok1)}, url = {https://gist.github.com/psrok1/e6bf5851d674edda03a201e7f24a5e6b}, language = {English}, urldate = {2020-01-13} } IcedID PNG Extractor
IcedID
2019-12-12 | FireEye | Chi-en Shen, Oleg Bondarenko
@online{shen:20191212:cyber:e01baca, author = {Chi-en Shen and Oleg Bondarenko}, title = {{Cyber Threat Landscape in Japan – Revealing Threat in the Shadow}}, date = {2019-12-12}, organization = {FireEye}, url = {https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko}, language = {English}, urldate = {2020-04-16} } Cyber Threat Landscape in Japan – Revealing Threat in the Shadow
Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech
2019-12-10 | JPCERT/CC | JPCERT/CC
@online{jpcertcc:20191210:updated:86aee30, author = {JPCERT/CC}, title = {{[Updated] Alert Regarding Emotet Malware Infection}}, date = {2019-12-10}, organization = {JPCERT/CC}, url = {https://www.jpcert.or.jp/english/at/2019/at190044.html}, language = {English}, urldate = {2020-01-09} } [Updated] Alert Regarding Emotet Malware Infection
Emotet
2019-12-07 | Secureworks | Kevin O’Reilly, Keith Jarvis
@techreport{oreilly:20191207:endtoend:84340da, author = {Kevin O’Reilly and Keith Jarvis}, title = {{End-to-end Botnet Monitoring... Botconf 2019}}, date = {2019-12-07}, institution = {Secureworks}, url = {https://www.botconf.eu/wp-content/uploads/2019/12/B2019-OReilly-Jarvis-End-to-end-Botnet-Monitoring.pdf}, language = {English}, urldate = {2021-11-08} } End-to-end Botnet Monitoring... Botconf 2019
Emotet ISFB QakBot
2019-12-04 | JPCERT/CC | Ken Sajo
@online{sajo:20191204:how:60225fe, author = {Ken Sajo}, title = {{How to Respond to Emotet Infection (FAQ)}}, date = {2019-12-04}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2019/12/emotetfaq.html}, language = {English}, urldate = {2020-01-13} } How to Respond to Emotet Infection (FAQ)
Emotet
2019-12-03 | Malwarebytes | Threat Intelligence Team
@online{team:20191203:new:39b59e1, author = {Threat Intelligence Team}, title = {{New version of IcedID Trojan uses steganographic payloads}}, date = {2019-12-03}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2019/12/new-version-of-icedid-trojan-uses-steganographic-payloads/}, language = {English}, urldate = {2019-12-24} } New version of IcedID Trojan uses steganographic payloads
IcedID
2019-11-12 | Hatching.io | Markel Picado
@online{picado:20191112:reversing:de8a8b6, author = {Markel Picado}, title = {{Reversing Qakbot}}, date = {2019-11-12}, organization = {Hatching.io}, url = {https://hatching.io/blog/reversing-qakbot}, language = {English}, urldate = {2020-01-07} } Reversing Qakbot
QakBot
2019-11-06 | Heise Security | Thomas Hungenberg
@online{hungenberg:20191106:emotet:1605954, author = {Thomas Hungenberg}, title = {{Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail}}, date = {2019-11-06}, organization = {Heise Security}, url = {https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html}, language = {German}, urldate = {2020-01-06} } Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail
Emotet Ryuk TrickBot
2019-10-30 | Zscaler | Atinderpal Singh, Abhay Yadav
@online{singh:20191030:emotet:61821fe, author = {Atinderpal Singh and Abhay Yadav}, title = {{Emotet is back in action after a short break}}, date = {2019-10-30}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/emotet-back-action-after-short-break}, language = {English}, urldate = {2020-07-01} } Emotet is back in action after a short break
Emotet
2019-10-14 | Marco Ramilli
@online{ramilli:20191014:is:de28de6, author = {Marco Ramilli}, title = {{Is Emotet gang targeting companies with external SOC?}}, date = {2019-10-14}, url = {https://marcoramilli.com/2019/10/14/is-emotet-gang-targeting-companies-with-external-soc/}, language = {English}, urldate = {2019-12-20} } Is Emotet gang targeting companies with external SOC?
Emotet
2019-09-24 | Dissecting Malware | Marius Genheimer
@online{genheimer:20190924:return:f85ef19, author = {Marius Genheimer}, title = {{Return of the Mummy - Welcome back, Emotet}}, date = {2019-09-24}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/return-of-the-mummy-welcome-back-emotet.html}, language = {English}, urldate = {2020-03-27} } Return of the Mummy - Welcome back, Emotet
Emotet
2019-09-16 | Malwarebytes | Threat Intelligence Team
@online{team:20190916:emotet:9c6c8f3, author = {Threat Intelligence Team}, title = {{Emotet is back: botnet springs back to life with new spam campaign}}, date = {2019-09-16}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/botnets/2019/09/emotet-is-back-botnet-springs-back-to-life-with-new-spam-campaign/}, language = {English}, urldate = {2019-12-20} } Emotet is back: botnet springs back to life with new spam campaign
Emotet
2019-08-13 | Adalogics | David Korczynski
@online{korczynski:20190813:state:a4ad074, author = {David Korczynski}, title = {{The state of advanced code injections}}, date = {2019-08-13}, organization = {Adalogics}, url = {https://adalogics.com/blog/the-state-of-advanced-code-injections}, language = {English}, urldate = {2020-01-13} } The state of advanced code injections
Dridex Emotet Tinba
2019-08-12 | Schweizerische Eidgenossenschaft | Schweizerische Eidgenossenschaft
@online{eidgenossenschaft:20190812:trojaner:60574cc, author = {Schweizerische Eidgenossenschaft}, title = {{Trojaner Emotet greift Unternehmensnetzwerke an}}, date = {2019-08-12}, organization = {Schweizerische Eidgenossenschaft}, url = {https://www.melani.admin.ch/melani/de/home/dokumentation/newsletter/Trojaner_Emotet_greift_Unternehmensnetzwerke_an.html}, language = {German}, urldate = {2020-01-08} } Trojaner Emotet greift Unternehmensnetzwerke an
Emotet
2019-07-09 | Fortinet | Kai Lu
@online{lu:20190709:deep:90d708f, author = {Kai Lu}, title = {{A Deep Dive Into IcedID Malware: Part I - Unpacking, Hooking and Process Injection}}, date = {2019-07-09}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-one.html}, language = {English}, urldate = {2020-01-08} } A Deep Dive Into IcedID Malware: Part I - Unpacking, Hooking and Process Injection
IcedID
2019-06-25 | Dawid Golak
@online{golak:20190625:icedid:0a3e153, author = {Dawid Golak}, title = {{IcedID aka #Bokbot Analysis with Ghidra}}, date = {2019-06-25}, url = {https://medium.com/@dawid.golak/icedid-aka-bokbot-analysis-with-ghidra-560e3eccb766}, language = {English}, urldate = {2019-12-02} } IcedID aka #Bokbot Analysis with Ghidra
IcedID
2019-06-16 | Fortinet | Kai Lu
@online{lu:20190616:deep:ba89738, author = {Kai Lu}, title = {{A Deep Dive Into IcedID Malware: Part II - Analysis of the Core IcedID Payload (Parent Process)}}, date = {2019-06-16}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-two.html}, language = {English}, urldate = {2019-11-27} } A Deep Dive Into IcedID Malware: Part II - Analysis of the Core IcedID Payload (Parent Process)
IcedID
2019-06-06 | Fortinet | Kai Lu
@online{lu:20190606:deep:0ac679a, author = {Kai Lu}, title = {{A Deep Dive into the Emotet Malware}}, date = {2019-06-06}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/deep-dive-into-emotet-malware.html}, language = {English}, urldate = {2020-01-07} } A Deep Dive into the Emotet Malware
Emotet
2019-06-03 | Varonis | Dolev Taler, Eric Saraga
@online{taler:20190603:varonis:21ad52e, author = {Dolev Taler and Eric Saraga}, title = {{Varonis Exposes Global Cyber Campaign: C2 Server Actively Compromising Thousands of Victims}}, date = {2019-06-03}, organization = {Varonis}, url = {https://www.varonis.com/blog/varonis-discovers-global-cyber-campaign-qbot/}, language = {English}, urldate = {2020-01-05} } Varonis Exposes Global Cyber Campaign: C2 Server Actively Compromising Thousands of Victims
QakBot
2019-05-15 | Proofpoint | Axel F, Proofpoint Threat Insight Team
@online{f:20190515:threat:06b415a, author = {Axel F and Proofpoint Threat Insight Team}, title = {{Threat Actor Profile: TA542, From Banker to Malware Distribution Service}}, date = {2019-05-15}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service}, language = {English}, urldate = {2019-12-20} } Threat Actor Profile: TA542, From Banker to Malware Distribution Service
Emotet MUMMY SPIDER
2019-05-09 | GovCERT.ch | GovCERT.ch
@online{govcertch:20190509:severe:2767782, author = {GovCERT.ch}, title = {{Severe Ransomware Attacks Against Swiss SMEs}}, date = {2019-05-09}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes}, language = {English}, urldate = {2019-07-11} } Severe Ransomware Attacks Against Swiss SMEs
Emotet LockerGoga Ryuk TrickBot
2019-05-02 | Cisco Talos | Ashlee Benge, Nick Randolph
@online{benge:20190502:qakbot:8c34660, author = {Ashlee Benge and Nick Randolph}, title = {{Qakbot levels up with new obfuscation techniques}}, date = {2019-05-02}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/05/qakbot-levels-up-with-new-obfuscation.html}, language = {English}, urldate = {2019-10-14} } Qakbot levels up with new obfuscation techniques
QakBot
2019-04-29 | Blueliv | Blueliv Labs Team
@online{team:20190429:where:8c3db39, author = {Blueliv Labs Team}, title = {{Where is Emotet? Latest geolocation data}}, date = {2019-04-29}, organization = {Blueliv}, url = {https://www.blueliv.com/blog/research/where-is-emotet-latest-geolocation-data/}, language = {English}, urldate = {2020-01-08} } Where is Emotet? Latest geolocation data
Emotet
2019-04-25 | Trend Micro | Trendmicro
@online{trendmicro:20190425:emotet:04884ca, author = {Trendmicro}, title = {{Emotet Adds New Evasion Technique}}, date = {2019-04-25}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/emotet-adds-new-evasion-technique-and-uses-connected-devices-as-proxy-cc-servers/}, language = {English}, urldate = {2019-11-26} } Emotet Adds New Evasion Technique
Emotet
2019-04-22 | int 0xcc blog | Raashid Bhat
@online{bhat:20190422:dissecting:ffba987, author = {Raashid Bhat}, title = {{Dissecting Emotet’s network communication protocol}}, date = {2019-04-22}, organization = {int 0xcc blog}, url = {https://int0xcc.svbtle.com/dissecting-emotet-s-network-communication-protocol}, language = {English}, urldate = {2020-01-06} } Dissecting Emotet’s network communication protocol
Emotet
2019-04-12 | SpamTitan | titanadmin
@online{titanadmin:20190412:emotet:12ca0e7, author = {titanadmin}, title = {{Emotet Malware Revives Old Email Conversations Threads to Increase Infection Rates}}, date = {2019-04-12}, organization = {SpamTitan}, url = {https://www.spamtitan.com/blog/emotet-malware-revives-old-email-conversations-threads-to-increase-infection-rates/}, language = {English}, urldate = {2020-01-09} } Emotet Malware Revives Old Email Conversations Threads to Increase Infection Rates
Emotet
2019-04-07 | Sveatoslav Persianov
@online{persianov:20190407:emotet:0aeaa67, author = {Sveatoslav Persianov}, title = {{Emotet malware analysis. Part 2}}, date = {2019-04-07}, url = {https://persianov.net/emotet-malware-analysis-part-2}, language = {English}, urldate = {2020-01-05} } Emotet malware analysis. Part 2
Emotet
2019-04-04 | SecurityIntelligence | Nir Somech, Limor Kessem
@online{somech:20190404:icedid:54ba40f, author = {Nir Somech and Limor Kessem}, title = {{IcedID Banking Trojan Spruces Up Injection Tactics to Add Stealth}}, date = {2019-04-04}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/icedid-banking-trojan-spruces-up-injection-tactics-to-add-stealth/}, language = {English}, urldate = {2020-01-08} } IcedID Banking Trojan Spruces Up Injection Tactics to Add Stealth
IcedID
2019-04 | Cafe Babe
@online{babe:201904:analyzing:3a404ff, author = {Cafe Babe}, title = {{Analyzing Emotet with Ghidra — Part 1}}, date = {2019-04}, url = {https://medium.com/@0xd0cf11e/analyzing-emotet-with-ghidra-part-1-4da71a5c8d69}, language = {English}, urldate = {2019-12-06} } Analyzing Emotet with Ghidra — Part 1
Emotet
2019-03-27 | Spamhaus | Spamhaus Malware Labs
@online{labs:20190327:emotet:388559f, author = {Spamhaus Malware Labs}, title = {{Emotet adds a further layer of camouflage}}, date = {2019-03-27}, organization = {Spamhaus}, url = {https://www.spamhaus.org/news/article/783/emotet-adds-a-further-layer-of-camouflage}, language = {English}, urldate = {2020-01-06} } Emotet adds a further layer of camouflage
Emotet
2019-03-21 | CrowdStrike | Shaun Hurley, James Scalise
@online{hurley:20190321:interception:7e57329, author = {Shaun Hurley and James Scalise}, title = {{Interception: Dissecting BokBot’s “Man in the Browser”}}, date = {2019-03-21}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/bokbots-man-in-the-browser-overview/}, language = {English}, urldate = {2019-12-20} } Interception: Dissecting BokBot’s “Man in the Browser”
IcedID
2019-03-17 | Persianov on Security | Sveatoslav Persianov
@online{persianov:20190317:emotet:ee3ed0b, author = {Sveatoslav Persianov}, title = {{Emotet malware analysis. Part 1}}, date = {2019-03-17}, organization = {Persianov on Security}, url = {https://persianov.net/emotet-malware-analysis-part-1}, language = {English}, urldate = {2019-12-17} } Emotet malware analysis. Part 1
Emotet
2019-03-15 | Cofense | Threat Intelligence
@online{intelligence:20190315:flash:c7544fd, author = {Threat Intelligence}, title = {{Flash Bulletin: Emotet Epoch 1 Changes its C2 Communication}}, date = {2019-03-15}, organization = {Cofense}, url = {https://cofense.com/flash-bulletin-emotet-epoch-1-changes-c2-communication/}, language = {English}, urldate = {2019-10-23} } Flash Bulletin: Emotet Epoch 1 Changes its C2 Communication
Emotet
2019-03-08 | The Daily Swig | James Walker
@online{walker:20190308:emotet:f1a68de, author = {James Walker}, title = {{Emotet trojan implicated in Wolverine Solutions ransomware attack}}, date = {2019-03-08}, organization = {The Daily Swig}, url = {https://portswigger.net/daily-swig/emotet-trojan-implicated-in-wolverine-solutions-ransomware-attack}, language = {English}, urldate = {2019-07-10} } Emotet trojan implicated in Wolverine Solutions ransomware attack
Emotet
2019-02-16 | Max Kersten's Blog | Max Kersten
@online{kersten:20190216:emotet:7cb0628, author = {Max Kersten}, title = {{Emotet droppers}}, date = {2019-02-16}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-droppers/}, language = {English}, urldate = {2020-01-09} } Emotet droppers
Emotet
2019-02-15 | CrowdStrike | Brendon Feeley, Bex Hartley
@online{feeley:20190215:sinful:729f693, author = {Brendon Feeley and Bex Hartley}, title = {{“Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web}}, date = {2019-02-15}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/}, language = {English}, urldate = {2019-12-20} } “Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web
Dyre IcedID TrickBot Vawtrak LUNAR SPIDER WIZARD SPIDER
2019-02-06 | SecurityIntelligence | Itzik Chimino, Limor Kessem, Ophir Harpaz
@online{chimino:20190206:icedid:ef0caad, author = {Itzik Chimino and Limor Kessem and Ophir Harpaz}, title = {{IcedID Operators Using ATSEngine Injection Panel to Hit E-Commerce Sites}}, date = {2019-02-06}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/icedid-operators-using-atsengine-injection-panel-to-hit-e-commerce-sites/}, language = {English}, urldate = {2020-01-08} } IcedID Operators Using ATSEngine Injection Panel to Hit E-Commerce Sites
IcedID
2019-01-17SANS ISC InfoSec ForumsBrad Duncan
@online{duncan:20190117:emotet:0754347, author = {Brad Duncan}, title = {{Emotet infections and follow-up malware}}, date = {2019-01-17}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/Emotet+infections+and+followup+malware/24532/}, language = {English}, urldate = {2020-01-13} } Emotet infections and follow-up malware
Emotet
2019-01-05Github (d00rt)d00rt
@online{d00rt:20190105:emotet:8dee25a, author = {d00rt}, title = {{Emotet Research}}, date = {2019-01-05}, organization = {Github (d00rt)}, url = {https://github.com/d00rt/emotet_research}, language = {English}, urldate = {2020-01-10} } Emotet Research
Emotet
2019-01-03CrowdStrikeShaun Hurley, James Scalise
@online{hurley:20190103:digging:5219f6d, author = {Shaun Hurley and James Scalise}, title = {{Digging into BokBot’s Core Module}}, date = {2019-01-03}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/digging-into-bokbots-core-module/}, language = {English}, urldate = {2019-12-20} } Digging into BokBot’s Core Module
IcedID
2019D00RT_RM
@online{d00rtrm:2019:emutet:8913da8, author = {D00RT_RM}, title = {{Emutet}}, date = {2019}, url = {https://d00rt.github.io/emotet_network_protocol/}, language = {English}, urldate = {2020-01-07} } Emutet
Emotet
2018-12-18Trend MicroTrendmicro
@online{trendmicro:20181218:ursnif:cc5ce31, author = {Trendmicro}, title = {{URSNIF, EMOTET, DRIDEX and BitPaymer Gangs Linked by a Similar Loader}}, date = {2018-12-18}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/}, language = {English}, urldate = {2020-01-07} } URSNIF, EMOTET, DRIDEX and BitPaymer Gangs Linked by a Similar Loader
Dridex Emotet FriedEx ISFB
2018-11-16Trend MicroTrend Micro
@online{micro:20181116:exploring:be1e153, author = {Trend Micro}, title = {{Exploring Emotet: Examining Emotet’s Activities, Infrastructure}}, date = {2018-11-16}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/exploring-emotet-examining-emotets-activities-infrastructure/}, language = {English}, urldate = {2020-01-12} } Exploring Emotet: Examining Emotet’s Activities, Infrastructure
Emotet
2018-11-09ESET ResearchESET Research
@online{research:20181109:emotet:b12ec91, author = {ESET Research}, title = {{Emotet launches major new spam campaign}}, date = {2018-11-09}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/}, language = {English}, urldate = {2019-11-14} } Emotet launches major new spam campaign
Emotet
2018-11-09Youtube (OALabs)Sean Wilson, Sergei Frankoff
@online{wilson:20181109:reverse:7e90205, author = {Sean Wilson and Sergei Frankoff}, title = {{Reverse Engineering IcedID / Bokbot Malware Part 2}}, date = {2018-11-09}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=7Dk7NkIbVqY}, language = {English}, urldate = {2019-07-09} } Reverse Engineering IcedID / Bokbot Malware Part 2
IcedID
2018-10-31Kryptos LogicKryptos Logic
@online{logic:20181031:emotet:ab7226f, author = {Kryptos Logic}, title = {{Emotet Awakens With New Campaign of Mass Email Exfiltration}}, date = {2018-10-31}, organization = {Kryptos Logic}, url = {https://blog.kryptoslogic.com/malware/2018/10/31/emotet-email-theft.html}, language = {English}, urldate = {2020-01-08} } Emotet Awakens With New Campaign of Mass Email Exfiltration
Emotet
2018-10-26Youtube (OALabs)Sergei Frankoff
@online{frankoff:20181026:unpacking:b6155cc, author = {Sergei Frankoff}, title = {{Unpacking Bokbot / IcedID Malware - Part 1}}, date = {2018-10-26}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=wObF9n2UIAM}, language = {English}, urldate = {2020-01-08} } Unpacking Bokbot / IcedID Malware - Part 1
IcedID
2018-09-12Cryptolaemus PastedumpCryptolaemus
@online{cryptolaemus:20180912:emotet:013e01b, author = {Cryptolaemus}, title = {{Emotet IOC}}, date = {2018-09-12}, organization = {Cryptolaemus Pastedump}, url = {https://paste.cryptolaemus.com}, language = {English}, urldate = {2020-01-13} } Emotet IOC
Emotet
2018-09-07Vitali Kremez
@online{kremez:20180907:lets:8515a2b, author = {Vitali Kremez}, title = {{Let's Learn: Deeper Dive into "IcedID"/"BokBot" Banking Malware: Part 1}}, date = {2018-09-07}, url = {https://www.vkremez.com/2018/09/lets-learn-deeper-dive-into.html}, language = {English}, urldate = {2020-01-08} } Let's Learn: Deeper Dive into "IcedID"/"BokBot" Banking Malware: Part 1
IcedID
2018-08-09Fox-ITAlfred Klason
@online{klason:20180809:bokbot:499f316, author = {Alfred Klason}, title = {{Bokbot: The (re)birth of a banker}}, date = {2018-08-09}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/}, language = {English}, urldate = {2019-12-20} } Bokbot: The (re)birth of a banker
IcedID Vawtrak
2018-08-01Kryptos LogicKryptos Logic
@online{logic:20180801:inside:e5a8e2c, author = {Kryptos Logic}, title = {{Inside Look at Emotet's Global Victims and Malspam Qakbot Payloads}}, date = {2018-08-01}, organization = {Kryptos Logic}, url = {https://blog.kryptoslogic.com/malware/2018/08/01/emotet.html}, language = {English}, urldate = {2020-01-09} } Inside Look at Emotet's Global Victims and Malspam Qakbot Payloads
Emotet
2018-07-29Vitali Kremez BlogVitali Kremez
@online{kremez:20180729:lets:8f04eed, author = {Vitali Kremez}, title = {{Let's Learn: In-Depth Reversing of Qakbot "qbot" Banker Part 1}}, date = {2018-07-29}, organization = {Vitali Kremez Blog}, url = {https://www.vkremez.com/2018/07/lets-learn-in-depth-reversing-of-qakbot.html}, language = {English}, urldate = {2020-01-06} } Let's Learn: In-Depth Reversing of Qakbot "qbot" Banker Part 1
QakBot
2018-07-26IntezerItai Tevet
@online{tevet:20180726:mitigating:30dc2fb, author = {Itai Tevet}, title = {{Mitigating Emotet, The Most Common Banking Trojan}}, date = {2018-07-26}, organization = {Intezer}, url = {https://www.intezer.com/mitigating-emotet-the-most-common-banking-trojan/}, language = {English}, urldate = {2019-12-31} } Mitigating Emotet, The Most Common Banking Trojan
Emotet
2018-07-24Check PointOfer Caspi, Ben Herzog
@online{caspi:20180724:emotet:a26725d, author = {Ofer Caspi and Ben Herzog}, title = {{Emotet: The Tricky Trojan that ‘Git Clones’}}, date = {2018-07-24}, organization = {Check Point}, url = {https://research.checkpoint.com/emotet-tricky-trojan-git-clones/}, language = {English}, urldate = {2020-01-13} } Emotet: The Tricky Trojan that ‘Git Clones’
Emotet
2018-07-23MalFindLasq
@online{lasq:20180723:deobfuscating:dd200d6, author = {Lasq}, title = {{Deobfuscating Emotet’s powershell payload}}, date = {2018-07-23}, organization = {MalFind}, url = {https://malfind.com/index.php/2018/07/23/deobfuscating-emotets-powershell-payload/}, language = {English}, urldate = {2020-01-09} } Deobfuscating Emotet’s powershell payload
Emotet
2018-07-20NCCICNational Cybersecurity and Communications Integration Center
@online{cybersecurity:20180720:alert:89ca0c7, author = {National Cybersecurity and Communications Integration Center}, title = {{Alert (TA18-201A) Emotet Malware}}, date = {2018-07-20}, organization = {NCCIC}, url = {https://www.us-cert.gov/ncas/alerts/TA18-201A}, language = {English}, urldate = {2019-10-27} } Alert (TA18-201A) Emotet Malware
Emotet
2018-07-18SymantecSecurity Response Attack Investigation Team
@online{team:20180718:evolution:25e5d39, author = {Security Response Attack Investigation Team}, title = {{The Evolution of Emotet: From Banking Trojan to Threat Distributor}}, date = {2018-07-18}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor}, language = {English}, urldate = {2019-11-27} } The Evolution of Emotet: From Banking Trojan to Threat Distributor
Emotet
2018-04-10Cisco TalosRoss Gibb, Daphne Galme, Michael Gorelik
@online{gibb:20180410:icedid:f1a3ff2, author = {Ross Gibb and Daphne Galme and Michael Gorelik}, title = {{IcedID Banking Trojan Teams up with Ursnif/Dreambot for Distribution}}, date = {2018-04-10}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html}, language = {English}, urldate = {2019-12-17} } IcedID Banking Trojan Teams up with Ursnif/Dreambot for Distribution
IcedID
2018-02-08CrowdStrikeAdam Meyers
@online{meyers:20180208:meet:39f25b3, author = {Adam Meyers}, title = {{Meet CrowdStrike’s Adversary of the Month for February: MUMMY SPIDER}}, date = {2018-02-08}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/}, language = {English}, urldate = {2019-12-20} } Meet CrowdStrike’s Adversary of the Month for February: MUMMY SPIDER
Emotet MUMMY SPIDER
2018-01-12ProofpointProofpoint Staff
@online{staff:20180112:holiday:b4225b8, author = {Proofpoint Staff}, title = {{Holiday lull? Not so much}}, date = {2018-01-12}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much}, language = {English}, urldate = {2021-05-31} } Holiday lull? Not so much
Dridex Emotet GlobeImposter ISFB Necurs