
GOLD CABIN

aka: Shakthak, TA551, ATK236, G0127, Monster Libra

GOLD CABIN is a financially motivated cybercriminal threat group that has operated a malware distribution service on behalf of numerous customers since 2018. GOLD CABIN uses malicious documents, often contained in password-protected archives and delivered through email, to download and execute payloads. The second-stage payloads are most frequently Gozi ISFB (Ursnif) or IcedID (Bokbot), sometimes delivered via intermediary malware such as Valak. GOLD CABIN infrastructure relies on artificial-looking and frequently changing URLs created with a domain generation algorithm (DGA). The URLs host a PHP object that returns the malware as a DLL file.


Associated Families
win.isfb, win.emotet, win.icedid, win.qakbot

References
2023-05-22 | The DFIR Report | The DFIR Report
@online{report:20230522:icedid:ecec658, author = {The DFIR Report}, title = {{IcedID Macro Ends in Nokoyawa Ransomware}}, date = {2023-05-22}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/}, language = {English}, urldate = {2023-05-23} } IcedID Macro Ends in Nokoyawa Ransomware
IcedID, Nokoyawa Ransomware
2023-05-21 | Github (0xThiebaut) | Maxime Thiebaut
@online{thiebaut:20230521:pcapeek:f4107bc, author = {Maxime Thiebaut}, title = {{PCAPeek}}, date = {2023-05-21}, organization = {Github (0xThiebaut)}, url = {https://github.com/0xThiebaut/PCAPeek/}, language = {English}, urldate = {2023-05-25} } PCAPeek
IcedID, QakBot
2023-05-18 | Intezer | Ryan Robinson
@online{robinson:20230518:how:3acd352, author = {Ryan Robinson}, title = {{How Hackers Use Binary Padding to Outsmart Sandboxes and Infiltrate Your Systems}}, date = {2023-05-18}, organization = {Intezer}, url = {https://intezer.com/blog/research/how-hackers-use-binary-padding-to-outsmart-sandboxes/}, language = {English}, urldate = {2023-05-25} } How Hackers Use Binary Padding to Outsmart Sandboxes and Infiltrate Your Systems
Emotet
2023-05-17 | Team Cymru | Team Cymru
@online{cymru:20230517:visualizing:a560ffb, author = {Team Cymru}, title = {{Visualizing QakBot Infrastructure}}, date = {2023-05-17}, organization = {Team Cymru}, url = {https://www.team-cymru.com/post/visualizing-qakbot-infrastructure}, language = {English}, urldate = {2023-05-21} } Visualizing QakBot Infrastructure
QakBot
2023-05-10 | Bridewell | Bridewell
@online{bridewell:20230510:hunting:461fdf0, author = {Bridewell}, title = {{Hunting for Ursnif}}, date = {2023-05-10}, organization = {Bridewell}, url = {https://www.bridewell.com/insights/news/detail/hunting-for-ursnif}, language = {English}, urldate = {2023-05-15} } Hunting for Ursnif
ISFB, Royal Ransom
2023-05-04 | Elastic | Cyril François
@online{franois:20230504:unpacking:7f892ff, author = {Cyril François}, title = {{Unpacking ICEDID}}, date = {2023-05-04}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/unpacking-icedid}, language = {English}, urldate = {2023-05-05} } Unpacking ICEDID
IcedID, PhotoLoader
2023-05-03 | Palo Alto Networks Unit 42 | Mark Lim, Daniel Raygoza, Bob Jung
@online{lim:20230503:teasing:eef7ae4, author = {Mark Lim and Daniel Raygoza and Bob Jung}, title = {{Teasing the Secrets From Threat Actors: Malware Configuration Parsing at Scale}}, date = {2023-05-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/teasing-secrets-malware-configuration-parsing}, language = {English}, urldate = {2023-05-04} } Teasing the Secrets From Threat Actors: Malware Configuration Parsing at Scale
IcedID, PhotoLoader
2023-05-03 | unpac.me | Sean Wilson
@online{wilson:20230503:unpacme:ed52c88, author = {Sean Wilson}, title = {{UnpacMe Weekly: New Version of IcedId Loader}}, date = {2023-05-03}, organization = {unpac.me}, url = {https://blog.unpac.me/2023/05/03/unpacme-weekly-new-version-of-icedid-loader}, language = {English}, urldate = {2023-05-04} } UnpacMe Weekly: New Version of IcedId Loader
IcedID, PhotoLoader
2023-05-02 | loginsoft | System-41
@online{system41:20230502:icedid:88e0516, author = {System-41}, title = {{IcedID Malware: Traversing Through its Various Incarnations}}, date = {2023-05-02}, organization = {loginsoft}, url = {https://research.loginsoft.com/threat-research/icedid-malware-traversing-through-its-various-incarnations/}, language = {English}, urldate = {2023-05-09} } IcedID Malware: Traversing Through its Various Incarnations
IcedID
2023-04-28 | DISCARDED Podcast | Joe Wise, Pim Trouerbach
@online{wise:20230428:beyond:b45d805, author = {Joe Wise and Pim Trouerbach}, title = {{Beyond Banking: IcedID Gets Forked}}, date = {2023-04-28}, organization = {DISCARDED Podcast}, url = {https://www.spreaker.com/user/16860719/proofpoint-e29-mix-v1}, language = {English}, urldate = {2023-05-04} } Beyond Banking: IcedID Gets Forked
IcedID, PhotoLoader
2023-04-18 | Rapid7 Labs | Matt Green
@online{green:20230418:automating:5252cc0, author = {Matt Green}, title = {{Automating Qakbot Detection at Scale With Velociraptor}}, date = {2023-04-18}, organization = {Rapid7 Labs}, url = {https://www.rapid7.com/blog/post/2023/04/18/automating-qakbot-detection-at-scale-with/}, language = {English}, urldate = {2023-04-25} } Automating Qakbot Detection at Scale With Velociraptor
QakBot
2023-04-18 | Mandiant | Mandiant
@online{mandiant:20230418:mtrends:af1a28e, author = {Mandiant}, title = {{M-Trends 2023}}, date = {2023-04-18}, organization = {Mandiant}, url = {https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023}, language = {English}, urldate = {2023-04-18} } M-Trends 2023
QUIETEXIT, AppleJeus, Black Basta, BlackCat, CaddyWiper, Cobalt Strike, Dharma, HermeticWiper, Hive, INDUSTROYER2, Ladon, LockBit, Meterpreter, PartyTicket, PlugX, QakBot, REvil, Royal Ransom, SystemBC, WhisperGate
2023-04-13 | Sublime | Sam Scholten
@online{scholten:20230413:detecting:18cb661, author = {Sam Scholten}, title = {{Detecting QakBot: WSF attachments, OneNote files, and generic attack surface reduction}}, date = {2023-04-13}, organization = {Sublime}, url = {https://sublime.security/blog/detecting-qakbot-wsf-attachments-onenote-files-and-generic-attack-surface-reduction}, language = {English}, urldate = {2023-04-18} } Detecting QakBot: WSF attachments, OneNote files, and generic attack surface reduction
QakBot
2023-04-12 | InfoSec Handlers Diary Blog | Brad Duncan
@online{duncan:20230412:recent:66863ee, author = {Brad Duncan}, title = {{Recent IcedID (Bokbot) activity}}, date = {2023-04-12}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/29740}, language = {English}, urldate = {2023-04-18} } Recent IcedID (Bokbot) activity
IcedID, PhotoLoader
2023-04-12 | loginsoft | Bhargav Koduru
@online{koduru:20230412:maximizing:167d572, author = {Bhargav koduru}, title = {{Maximizing Threat Detections of Qakbot with Osquery}}, date = {2023-04-12}, organization = {loginsoft}, url = {https://research.loginsoft.com/threat-research/blog-maximizing-threat-detections-of-qakbot-with-osquery/}, language = {English}, urldate = {2023-04-14} } Maximizing Threat Detections of Qakbot with Osquery
QakBot
2023-04-12 | Spamhaus | Spamhaus Malware Labs
@techreport{labs:20230412:spamhaus:aa309d1, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q1 2023}}, date = {2023-04-12}, institution = {Spamhaus}, url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf}, language = {English}, urldate = {2023-04-18} } Spamhaus Botnet Threat Update Q1 2023
FluBot, Amadey, AsyncRAT, Aurora, Ave Maria, BumbleBee, Cobalt Strike, DCRat, Emotet, IcedID, ISFB, NjRAT, QakBot, RecordBreaker, RedLine Stealer, Remcos, Rhadamanthys, Sliver, Tofsee, Vidar
2023-04-12 | SANS ISC | Brad Duncan
@online{duncan:20230412:recent:093f8b8, author = {Brad Duncan}, title = {{Recent IcedID (Bokbot) activity}}, date = {2023-04-12}, organization = {SANS ISC}, url = {https://dshield.org/diary/Recent+IcedID+Bokbot+activity/29740/}, language = {English}, urldate = {2023-04-18} } Recent IcedID (Bokbot) activity
IcedID
2023-04-11 | Twitter (@Unit42_Intel) | Unit42
@online{unit42:20230411:change:c20334e, author = {Unit42}, title = {{Tweet on change of IcedID backconnect traffic port from 8080 to 443}}, date = {2023-04-11}, organization = {Twitter (@Unit42_Intel)}, url = {https://twitter.com/Unit42_Intel/status/1645851799427874818}, language = {English}, urldate = {2023-04-18} } Tweet on change of IcedID backconnect traffic port from 8080 to 443
IcedID
2023-04-10 | Check Point | Check Point
@online{point:20230410:march:144c1ad, author = {Check Point}, title = {{March 2023’s Most Wanted Malware: New Emotet Campaign Bypasses Microsoft Blocks to Distribute Malicious OneNote Files}}, date = {2023-04-10}, organization = {Check Point}, url = {https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/}, language = {English}, urldate = {2023-04-12} } March 2023’s Most Wanted Malware: New Emotet Campaign Bypasses Microsoft Blocks to Distribute Malicious OneNote Files
Agent Tesla, CloudEyE, Emotet, Formbook, Nanocore RAT, NjRAT, QakBot, Remcos, Tofsee
2023-04-05 | velociraptor | Matt Green
@online{green:20230405:automating:ef8b30e, author = {Matt Green}, title = {{Automating Qakbot Decode At Scale}}, date = {2023-04-05}, organization = {velociraptor}, url = {https://docs.velociraptor.app/blog/2023/2023-04-05-qakbot/}, language = {English}, urldate = {2023-04-18} } Automating Qakbot Decode At Scale
QakBot
2023-04-03 | The DFIR Report | The DFIR Report
@online{report:20230403:malicious:238465b, author = {The DFIR Report}, title = {{Malicious ISO File Leads to Domain Wide Ransomware}}, date = {2023-04-03}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/}, language = {English}, urldate = {2023-04-06} } Malicious ISO File Leads to Domain Wide Ransomware
Cobalt Strike, IcedID, Mount Locker
2023-03-30 | loginsoft | Saharsh Agrawal
@online{agrawal:20230330:from:7b46ae0, author = {Saharsh Agrawal}, title = {{From Innocence to Malice: The OneNote Malware Campaign Uncovered}}, date = {2023-03-30}, organization = {loginsoft}, url = {https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/}, language = {English}, urldate = {2023-04-14} } From Innocence to Malice: The OneNote Malware Campaign Uncovered
Agent Tesla, AsyncRAT, DOUBLEBACK, Emotet, Formbook, IcedID, NetWire RC, QakBot, Quasar RAT, RedLine Stealer, XWorm
2023-03-30 | United States District Court (Eastern District of New York) | Microsoft, Fortra, HEALTH-ISAC
@techreport{microsoft:20230330:cracked:08c67c0, author = {Microsoft and Fortra and HEALTH-ISAC}, title = {{Cracked Cobalt Strike (1:23-cv-02447)}}, date = {2023-03-30}, institution = {United States District Court (Eastern District of New York)}, url = {https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf}, language = {English}, urldate = {2023-04-28} } Cracked Cobalt Strike (1:23-cv-02447)
Black Basta, BlackCat, LockBit, RagnarLocker, Cobalt Strike, Cuba, Emotet, Mount Locker, PLAY, QakBot, Royal Ransom, Zloader
2023-03-27 | Proofpoint | Pim Trouerbach, Kelsey Merriman, Joe Wise
@online{trouerbach:20230327:fork:62e7699, author = {Pim Trouerbach and Kelsey Merriman and Joe Wise}, title = {{Fork in the Ice: The New Era of IcedID}}, date = {2023-03-27}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/fork-ice-new-era-icedid}, language = {English}, urldate = {2023-03-27} } Fork in the Ice: The New Era of IcedID
IcedID
2023-03-24 | Lab52 | peko
@online{peko:20230324:bypassing:a6439f7, author = {peko}, title = {{Bypassing Qakbot Anti-Analysis}}, date = {2023-03-24}, organization = {Lab52}, url = {https://lab52.io/blog/bypassing-qakbot-anti-analysis-tactics/}, language = {English}, urldate = {2023-03-27} } Bypassing Qakbot Anti-Analysis
QakBot
2023-03-22 | Cisco Talos | Edmund Brumaghin, Jaeson Schultz
@online{brumaghin:20230322:emotet:fa8054c, author = {Edmund Brumaghin and Jaeson Schultz}, title = {{Emotet Resumes Spam Operations, Switches to OneNote}}, date = {2023-03-22}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/emotet-switches-to-onenote/}, language = {English}, urldate = {2023-03-23} } Emotet Resumes Spam Operations, Switches to OneNote
Emotet
2023-03-20 | NVISO Labs | Maxime Thiebaut
@online{thiebaut:20230320:icedids:78b47a7, author = {Maxime Thiebaut}, title = {{IcedID’s VNC Backdoors: Dark Cat, Anubis & Keyhole}}, date = {2023-03-20}, organization = {NVISO Labs}, url = {https://blog.nviso.eu/2023/03/20/icedids-vnc-backdoors-dark-cat-anubis-keyhole/}, language = {English}, urldate = {2023-03-21} } IcedID’s VNC Backdoors: Dark Cat, Anubis & Keyhole
IcedID
2023-03-19 | 0xToxin Labs | @0xToxin
@online{0xtoxin:20230319:gozi:bb7bade, author = {@0xToxin}, title = {{Gozi - Italian ShellCode Dance}}, date = {2023-03-19}, organization = {0xToxin Labs}, url = {https://0xtoxin.github.io/threat%20breakdown/Gozi-Italy-Campaign/}, language = {English}, urldate = {2023-05-17} } Gozi - Italian ShellCode Dance
Gozi, ISFB
2023-03-17 | Elastic | Cyril François, Daniel Stepanic
@online{franois:20230317:thawing:b8065d4, author = {Cyril François and Daniel Stepanic}, title = {{Thawing the permafrost of ICEDID Summary}}, date = {2023-03-17}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/thawing-the-permafrost-of-icedid-summary}, language = {English}, urldate = {2023-03-20} } Thawing the permafrost of ICEDID Summary
IcedID, PhotoLoader
2023-03-15 | Reliaquest | RELIAQUEST THREAT RESEARCH TEAM
@online{team:20230315:qbot:cf3b85f, author = {RELIAQUEST THREAT RESEARCH TEAM}, title = {{QBot: Laying the Foundations for Black Basta Ransomware Activity}}, date = {2023-03-15}, organization = {Reliaquest}, url = {https://www.reliaquest.com/blog/qbot-black-basta-ransomware/}, language = {English}, urldate = {2023-04-18} } QBot: Laying the Foundations for Black Basta Ransomware Activity
Black Basta, QakBot
2023-03-13 | Trendmicro | Ian Kenefick
@online{kenefick:20230313:emotet:7dc342d, author = {Ian Kenefick}, title = {{Emotet Returns, Now Adopts Binary Padding for Evasion}}, date = {2023-03-13}, organization = {Trendmicro}, url = {https://www.trendmicro.com/en_no/research/23/c/emotet-returns-now-adopts-binary-padding-for-evasion.html}, language = {English}, urldate = {2023-03-14} } Emotet Returns, Now Adopts Binary Padding for Evasion
Emotet
2023-03-09 | eSentire | eSentire Threat Response Unit (TRU)
@online{tru:20230309:batloader:db50046, author = {eSentire Threat Response Unit (TRU)}, title = {{BatLoader Continues to Abuse Google Search Ads to Deliver Vidar Stealer and Ursnif}}, date = {2023-03-09}, organization = {eSentire}, url = {https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif}, language = {English}, urldate = {2023-04-25} } BatLoader Continues to Abuse Google Search Ads to Deliver Vidar Stealer and Ursnif
BATLOADER, ISFB, Vidar
2023-03-07 | Trellix | Pham Duy Phuc, Raghav Kapoor, John Fokker, Alejandro Houspanossian, Mathanraj Thangaraju
@online{phuc:20230307:qakbot:a1aef8e, author = {Pham Duy Phuc and Raghav Kapoor and John Fokker and Alejandro Houspanossian and Mathanraj Thangaraju}, title = {{Qakbot Evolves to OneNote Malware Distribution}}, date = {2023-03-07}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/research/qakbot-evolves-to-onenote-malware-distribution.html}, language = {English}, urldate = {2023-03-13} } Qakbot Evolves to OneNote Malware Distribution
QakBot
2023-03-07 | BleepingComputer | Lawrence Abrams
@online{abrams:20230307:emotet:734058c, author = {Lawrence Abrams}, title = {{Emotet malware attacks return after three-month break}}, date = {2023-03-07}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/emotet-malware-attacks-return-after-three-month-break/}, language = {English}, urldate = {2023-03-13} } Emotet malware attacks return after three-month break
Emotet
2023-03-07 | Cofense | Cofense
@online{cofense:20230307:emotet:daf5b46, author = {Cofense}, title = {{Emotet Sending Malicious Emails After Three-Month Hiatus}}, date = {2023-03-07}, organization = {Cofense}, url = {https://cofense.com/blog/emotet-sending-malicious-emails-after-three-month-hiatus/}, language = {English}, urldate = {2023-03-13} } Emotet Sending Malicious Emails After Three-Month Hiatus
Emotet
2023-03-02 | Youtube (Microsoft Security Response Center (MSRC)) | Daniel Taylor, Ben Magee
@online{taylor:20230302:bluehat:cdd75a0, author = {Daniel Taylor and Ben Magee}, title = {{BlueHat 2023: Hunting Qakbot with Daniel Taylor & Ben Magee}}, date = {2023-03-02}, organization = {Youtube (Microsoft Security Response Center (MSRC))}, url = {https://www.youtube.com/watch?v=OCRyEUhiEyw}, language = {English}, urldate = {2023-04-18} } BlueHat 2023: Hunting Qakbot with Daniel Taylor & Ben Magee
QakBot
2023-03-02 | Netresec | Erik Hjelmvik
@online{hjelmvik:20230302:qakbot:978553c, author = {Erik Hjelmvik}, title = {{QakBot C2 Traffic}}, date = {2023-03-02}, organization = {Netresec}, url = {https://www.netresec.com/?page=Blog&month=2023-03&post=QakBot-C2-Traffic}, language = {English}, urldate = {2023-03-04} } QakBot C2 Traffic
QakBot
2023-03-01 | Zscaler | Meghraj Nandanwar, Shatak Jain
@online{nandanwar:20230301:onenote:07aefe0, author = {Meghraj Nandanwar and Shatak Jain}, title = {{OneNote: A Growing Threat for Malware Distribution}}, date = {2023-03-01}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution}, language = {English}, urldate = {2023-03-13} } OneNote: A Growing Threat for Malware Distribution
AsyncRAT, Cobalt Strike, IcedID, QakBot, RedLine Stealer
2023-02-28 | Intel 471 | Intel 471
@online{471:20230228:malvertising:268d961, author = {Intel 471}, title = {{Malvertising Surges to Distribute Malware}}, date = {2023-02-28}, organization = {Intel 471}, url = {https://intel471.com/blog/malvertising-surges-to-distribute-malware}, language = {English}, urldate = {2023-03-13} } Malvertising Surges to Distribute Malware
BATLOADER, IcedID
2023-02-27 | PRODAFT Threat Intelligence | PRODAFT
@techreport{prodaft:20230227:rig:72076aa, author = {PRODAFT}, title = {{RIG Exploit Kit: In-Depth Analysis}}, date = {2023-02-27}, institution = {PRODAFT Threat Intelligence}, url = {https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf}, language = {English}, urldate = {2023-05-08} } RIG Exploit Kit: In-Depth Analysis
Dridex, IcedID, ISFB, PureCrypter, Raccoon, RecordBreaker, RedLine Stealer, Royal Ransom, Silence, SmokeLoader, Zloader
2023-02-26 | Medium Ilandu | Ilan Duhin, Yossi Poberezsky
@online{duhin:20230226:emotet:b21451d, author = {Ilan Duhin and Yossi Poberezsky}, title = {{Emotet Campaign}}, date = {2023-02-26}, organization = {Medium Ilandu}, url = {https://medium.com/@Ilandu/emotet-campaign-6f240f7a5ed5}, language = {English}, urldate = {2023-02-27} } Emotet Campaign
Emotet
2023-02-24 | Team Cymru | Team Cymru
@online{cymru:20230224:desde:d9ec280, author = {Team Cymru}, title = {{Desde Chile con Malware (From Chile with Malware)}}, date = {2023-02-24}, organization = {Team Cymru}, url = {https://www.team-cymru.com/post/from-chile-with-malware}, language = {English}, urldate = {2023-03-13} } Desde Chile con Malware (From Chile with Malware)
IcedID, PhotoLoader
2023-02-24 | Medium walmartglobaltech | Jason Reaves, Joshua Platt, Jonathan Mccay, Kirk Sayre
@online{reaves:20230224:qbot:771bf3d, author = {Jason Reaves and Joshua Platt and Jonathan Mccay and Kirk Sayre}, title = {{Qbot testing malvertising campaigns?}}, date = {2023-02-24}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/qbot-testing-malvertising-campaigns-3e2552cbc69a}, language = {English}, urldate = {2023-02-27} } Qbot testing malvertising campaigns?
QakBot
2023-02-17 | cyble | Cyble
@online{cyble:20230217:many:101a732, author = {Cyble}, title = {{The Many Faces of Qakbot Malware: A Look at Its Diverse Distribution Methods}}, date = {2023-02-17}, organization = {cyble}, url = {https://blog.cyble.com/2023/02/17/the-many-faces-of-qakbot-malware-a-look-at-its-diverse-distribution-methods/}, language = {English}, urldate = {2023-02-21} } The Many Faces of Qakbot Malware: A Look at Its Diverse Distribution Methods
QakBot
2023-02-15 | Netresec | Erik Hjelmvik
@online{hjelmvik:20230215:how:db64f7c, author = {Erik Hjelmvik}, title = {{How to Identify IcedID Network Traffic}}, date = {2023-02-15}, organization = {Netresec}, url = {https://www.netresec.com/?page=Blog&month=2023-02&post=How-to-Identify-IcedID-Network-Traffic}, language = {English}, urldate = {2023-02-16} } How to Identify IcedID Network Traffic
IcedID
2023-02-14 | DSIH | Charles Blanc-Rolin
@online{blancrolin:20230214:comment:aa336bd, author = {Charles Blanc-Rolin}, title = {{Comment Qbot revient en force avec OneNote ?}}, date = {2023-02-14}, organization = {DSIH}, url = {https://www.dsih.fr/article/5020/comment-qbot-revient-en-force-avec-onenote.html}, language = {French}, urldate = {2023-02-21} } Comment Qbot revient en force avec OneNote ?
QakBot
2023-02-08 | NTT Security | Ryu Hiyoshi
@online{hiyoshi:20230208:steelclover:0f3b85a, author = {Ryu Hiyoshi}, title = {{SteelClover Attacks Distributing Malware Via Google Ads Increased}}, date = {2023-02-08}, organization = {NTT Security}, url = {https://insight-jp.nttsecurity.com/post/102i7af/steelclovergoogle}, language = {English}, urldate = {2023-02-13} } SteelClover Attacks Distributing Malware Via Google Ads Increased
BATLOADER, ISFB, RedLine Stealer
2023-02-06 | Sophos | Andrew Brandt
@online{brandt:20230206:qakbot:e85e83f, author = {Andrew Brandt}, title = {{Qakbot mechanizes distribution of malicious OneNote notebooks}}, date = {2023-02-06}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2023/02/06/qakbot-onenote-attacks/}, language = {English}, urldate = {2023-02-13} } Qakbot mechanizes distribution of malicious OneNote notebooks
QakBot
2023-01-30 | Checkpoint | Arie Olshtein
@online{olshtein:20230130:following:e442fcc, author = {Arie Olshtein}, title = {{Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware}}, date = {2023-01-30}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/}, language = {English}, urldate = {2023-01-31} } Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware
Agent Tesla, Azorult, Buer, Cerber, Cobalt Strike, Emotet, Formbook, HawkEye Keylogger, Loki Password Stealer (PWS), Maze, NetWire RC, Remcos, REvil, TrickBot
2023-01-26 | Acronis | Ilan Duhin
@online{duhin:20230126:unpacking:8ff4776, author = {Ilan Duhin}, title = {{Unpacking Emotet Malware}}, date = {2023-01-26}, organization = {Acronis}, url = {https://medium.com/@Ilandu/emotet-unpacking-35bbe2980cfb}, language = {English}, urldate = {2023-01-27} } Unpacking Emotet Malware
Emotet
2023-01-23 | Kroll | Stephen Green, Elio Biasiotto
@online{green:20230123:black:dd89d21, author = {Stephen Green and Elio Biasiotto}, title = {{Black Basta – Technical Analysis}}, date = {2023-01-23}, organization = {Kroll}, url = {https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis}, language = {English}, urldate = {2023-04-22} } Black Basta – Technical Analysis
Black Basta, Cobalt Strike, MimiKatz, QakBot, SystemBC
2023-01-20 | Blackberry | BlackBerry Research & Intelligence Team
@online{team:20230120:emotet:3d5fe7f, author = {BlackBerry Research & Intelligence Team}, title = {{Emotet Returns With New Methods of Evasion}}, date = {2023-01-20}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2023/01/emotet-returns-with-new-methods-of-evasion}, language = {English}, urldate = {2023-01-25} } Emotet Returns With New Methods of Evasion
Emotet, IcedID
2023-01-19 | Cisco | Guilherme Venere
@online{venere:20230119:following:c60f349, author = {Guilherme Venere}, title = {{Following the LNK metadata trail}}, date = {2023-01-19}, organization = {Cisco}, url = {https://blog.talosintelligence.com/following-the-lnk-metadata-trail}, language = {English}, urldate = {2023-04-06} } Following the LNK metadata trail
BumbleBee, PhotoLoader, QakBot
2023-01-12 | EclecticIQ | EclecticIQ Threat Research Team
@online{team:20230112:qakbot:a26156d, author = {EclecticIQ Threat Research Team}, title = {{QakBot Malware Used Unpatched Vulnerability to Bypass Windows OS Security Feature}}, date = {2023-01-12}, organization = {EclecticIQ}, url = {https://blog.eclecticiq.com/qakbot-malware-used-unpatched-vulnerability-to-bypass-windows-os-security-feature}, language = {English}, urldate = {2023-01-16} } QakBot Malware Used Unpatched Vulnerability to Bypass Windows OS Security Feature
QakBot
2023-01-09 | Intrinsec | Intrinsec, CTI Intrinsec
@online{intrinsec:20230109:emotet:202716f, author = {Intrinsec and CTI Intrinsec}, title = {{Emotet returns and deploys loaders}}, date = {2023-01-09}, organization = {Intrinsec}, url = {https://www.intrinsec.com/emotet-returns-and-deploys-loaders/}, language = {English}, urldate = {2023-01-10} } Emotet returns and deploys loaders
BumbleBee, Emotet, IcedID
2023-01-09 | The DFIR Report | The DFIR Report
@online{report:20230109:unwrapping:d36b45f, author = {The DFIR Report}, title = {{Unwrapping Ursnifs Gifts}}, date = {2023-01-09}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/}, language = {English}, urldate = {2023-01-13} } Unwrapping Ursnifs Gifts
ISFB
2022-12-28 | Micah Babinski
@online{babinski:20221228:html:7dbe8af, author = {Micah Babinski}, title = {{HTML Smuggling Detection}}, date = {2022-12-28}, url = {https://micahbabinski.medium.com/html-smuggling-detection-5adefebb6841}, language = {English}, urldate = {2022-12-31} } HTML Smuggling Detection
QakBot
2022-12-23 | Trendmicro | Ian Kenefick
@online{kenefick:20221223:icedid:df95b05, author = {Ian Kenefick}, title = {{IcedID Botnet Distributors Abuse Google PPC to Distribute Malware}}, date = {2022-12-23}, organization = {Trendmicro}, url = {https://www.trendmicro.com/en_ie/research/22/l/icedid-botnet-distributors-abuse-google-ppc-to-distribute-malware.html}, language = {English}, urldate = {2022-12-24} } IcedID Botnet Distributors Abuse Google PPC to Distribute Malware
IcedID
2022-12-22 | ASEC | AhnLab
@online{ahnlab:20221222:qakbot:9e92461, author = {AhnLab}, title = {{Qakbot Being Distributed via Virtual Disk Files (*.vhd)}}, date = {2022-12-22}, organization = {ASEC}, url = {https://asec.ahnlab.com/en/44662/}, language = {English}, urldate = {2022-12-24} } Qakbot Being Distributed via Virtual Disk Files (*.vhd)
QakBot
2022-12-21 | Team Cymru | S2 Research Team
@online{team:20221221:inside:8298d24, author = {S2 Research Team}, title = {{Inside the IcedID BackConnect Protocol}}, date = {2022-12-21}, organization = {Team Cymru}, url = {https://www.team-cymru.com/post/inside-the-icedid-backconnect-protocol}, language = {English}, urldate = {2022-12-24} } Inside the IcedID BackConnect Protocol
IcedID
2022-12-19 | kienmanowar Blog | m4n0w4r, Tran Trung Kien
@online{m4n0w4r:20221219:z2abimonthly:8edee72, author = {m4n0w4r and Tran Trung Kien}, title = {{[Z2A]Bimonthly malware challege – Emotet (Back From the Dead)}}, date = {2022-12-19}, organization = {kienmanowar Blog}, url = {https://kienmanowar.wordpress.com/2022/12/19/z2abimonthly-malware-challege-emotet-back-from-the-dead/}, language = {English}, urldate = {2022-12-20} } [Z2A]Bimonthly malware challege – Emotet (Back From the Dead)
Emotet
2022-12-18 | ZAYOTEM | Berkay DOĞAN, Dilara BEHAR, Rabia EKŞİ, Zafer Yiğithan DERECİ
@online{doan:20221218:icedid:f4a858a, author = {Berkay DOĞAN and Dilara BEHAR and Rabia EKŞİ and Zafer Yiğithan DERECİ}, title = {{IcedID Technical Analysis Report}}, date = {2022-12-18}, organization = {ZAYOTEM}, url = {https://drive.google.com/file/d/1jB0CsDvAADSrBeGxoi5gzyx8eQIiOJ2G/view}, language = {English}, urldate = {2022-12-20} } IcedID Technical Analysis Report
IcedID
2022-12-15 | ISC | Brad Duncan
@online{duncan:20221215:google:179f840, author = {Brad Duncan}, title = {{Google ads lead to fake software pages pushing IcedID (Bokbot)}}, date = {2022-12-15}, organization = {ISC}, url = {https://isc.sans.edu/diary/Google+ads+lead+to+fake+software+pages+pushing+IcedID+Bokbot/29344}, language = {English}, urldate = {2022-12-19} } Google ads lead to fake software pages pushing IcedID (Bokbot)
IcedID
2022-12-05 | Cybereason | Kotaro Ogino, Ralph Villanueva, Robin Plumer
@online{ogino:20221205:threat:b2ffad4, author = {Kotaro Ogino and Ralph Villanueva and Robin Plumer}, title = {{Threat Analysis: MSI - Masquerading as a Software Installer}}, date = {2022-12-05}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer}, language = {English}, urldate = {2022-12-05} } Threat Analysis: MSI - Masquerading as a Software Installer
Magniber, Matanbuchus, QakBot
2022-12-02 | Github (binref) | Jesko Hüttenhain
@online{httenhain:20221202:refinery:ee32690, author = {Jesko Hüttenhain}, title = {{The Refinery Files 0x06: Qakbot Decoder}}, date = {2022-12-02}, organization = {Github (binref)}, url = {https://github.com/binref/refinery/blob/master/tutorials/tbr-files.v0x06.Qakbot.Decoder.ipynb}, language = {English}, urldate = {2022-12-02} } The Refinery Files 0x06: Qakbot Decoder
QakBot
2022-12-01 | splunk | Splunk Threat Research Team
@online{team:20221201:from:4ac8d82, author = {Splunk Threat Research Team}, title = {{From Macros to No Macros: Continuous Malware Improvements by QakBot}}, date = {2022-12-01}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/from-macros-to-no-macros-continuous-malware-improvements-by-qakbot.html}, language = {English}, urldate = {2022-12-05} } From Macros to No Macros: Continuous Malware Improvements by QakBot
QakBot
2022-11-30 | Tidal Cyber Inc. | Scott Small
@online{small:20221130:identifying:ed7c4b3, author = {Scott Small}, title = {{Identifying and Defending Against QakBot's Evolving TTPs}}, date = {2022-11-30}, organization = {Tidal Cyber Inc.}, url = {https://www.tidalcyber.com/blog/identifying-and-defending-against-qakbots-evolving-ttps}, language = {English}, urldate = {2022-12-02} } Identifying and Defending Against QakBot's Evolving TTPs
QakBot
2022-11-28 | The DFIR Report | The DFIR Report
@online{report:20221128:emotet:53a5fed, author = {The DFIR Report}, title = {{Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware}}, date = {2022-11-28}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/}, language = {English}, urldate = {2022-11-28} } Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware
Emotet, Mount Locker
2022-11-23 | Cybereason | Cybereason Global SOC Team
@online{team:20221123:threat:17093cc, author = {Cybereason Global SOC Team}, title = {{THREAT ALERT: Aggressive Qakbot Campaign and the Black Basta Ransomware Group Targeting U.S. Companies}}, date = {2022-11-23}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies}, language = {English}, urldate = {2022-11-25} } THREAT ALERT: Aggressive Qakbot Campaign and the Black Basta Ransomware Group Targeting U.S. Companies
Black Basta, QakBot
2022-11-21 | BSides Sydney | Thomas Roccia
@online{roccia:20221121:xray:da154d3, author = {Thomas Roccia}, title = {{X-Ray of Malware Evasion Techniques - Analysis, Dissection, Cure?}}, date = {2022-11-21}, organization = {BSides Sydney}, url = {https://speakerdeck.com/fr0gger/x-ray-of-malware-evasion-techniques-analysis-dissection-cure}, language = {English}, urldate = {2022-12-29} } X-Ray of Malware Evasion Techniques - Analysis, Dissection, Cure?
Emotet
2022-11-16 | Proofpoint | Pim Trouerbach, Axel F
@online{trouerbach:20221116:comprehensive:8278b4e, author = {Pim Trouerbach and Axel F}, title = {{A Comprehensive Look at Emotet Virus’ Fall 2022 Return}}, date = {2022-11-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-fall-2022-return}, language = {English}, urldate = {2022-12-29} } A Comprehensive Look at Emotet Virus’ Fall 2022 Return
BumbleBee Emotet IcedID
2022-11-14 | Twitter (@embee_research) | Matthew
@online{matthew:20221114:twitter:9b57525, author = {Matthew}, title = {{Twitter thread on Yara Signatures for Qakbot Encryption Routines}}, date = {2022-11-14}, organization = {Twitter (@embee_research)}, url = {https://twitter.com/embee_research/status/1592067841154756610?s=20}, language = {English}, urldate = {2022-11-18} } Twitter thread on Yara Signatures for Qakbot Encryption Routines
IcedID QakBot
2022-11-10 | Intezer | Nicole Fishbein
@online{fishbein:20221110:how:6b334be, author = {Nicole Fishbein}, title = {{How LNK Files Are Abused by Threat Actors}}, date = {2022-11-10}, organization = {Intezer}, url = {https://www.intezer.com/blog/malware-analysis/how-threat-actors-abuse-lnk-files/}, language = {English}, urldate = {2022-11-11} } How LNK Files Are Abused by Threat Actors
BumbleBee Emotet Mount Locker QakBot
2022-11-03 | SentinelOne | SentinelLabs
@online{sentinellabs:20221103:black:0be02f3, author = {SentinelLabs}, title = {{Black Basta Ransomware | Attacks deploy Custom EDR Evasion Tools tied to FIN7 Threat Actor}}, date = {2022-11-03}, organization = {SentinelOne}, url = {https://assets.sentinelone.com/sentinellabs22/sentinellabs-blackbasta}, language = {English}, urldate = {2022-11-03} } Black Basta Ransomware | Attacks deploy Custom EDR Evasion Tools tied to FIN7 Threat Actor
Black Basta QakBot SocksBot
2022-10-31 | Security homework | Christophe Rieunier
@online{rieunier:20221031:qakbot:e82f924, author = {Christophe Rieunier}, title = {{QakBot CCs prioritization and new record types}}, date = {2022-10-31}, organization = {Security homework}, url = {https://www.securityhomework.net/articles/qakbot_ccs_prioritization_and_new_record_types/qakbot_ccs_prioritization_and_new_record_types.php}, language = {English}, urldate = {2022-10-31} } QakBot CCs prioritization and new record types
QakBot
2022-10-31 | Cynet | Max Malyutin
@online{malyutin:20221031:orion:49e3b5c, author = {Max Malyutin}, title = {{Orion Threat Alert: Qakbot TTPs Arsenal and the Black Basta Ransomware}}, date = {2022-10-31}, organization = {Cynet}, url = {https://www.cynet.com/blog/orion-threat-alert-qakbot-ttps-arsenal-and-the-black-basta-ransomware/}, language = {English}, urldate = {2022-11-15} } Orion Threat Alert: Qakbot TTPs Arsenal and the Black Basta Ransomware
Black Basta Cobalt Strike QakBot
2022-10-31 | Elastic | Seth Goodwin, Derek Ditch, Daniel Stepanic, Andrew Pease
@online{goodwin:20221031:icedids:df089be, author = {Seth Goodwin and Derek Ditch and Daniel Stepanic and Andrew Pease}, title = {{ICEDIDs network infrastructure is alive and well}}, date = {2022-10-31}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/icedids-network-infrastructure-is-alive-and-well}, language = {English}, urldate = {2022-11-02} } ICEDIDs network infrastructure is alive and well
IcedID
2022-10-28 | Elastic | @rsprooten, Elastic Security Intelligence & Analytics Team
@online{rsprooten:20221028:emotet:ffabd03, author = {@rsprooten and Elastic Security Intelligence & Analytics Team}, title = {{EMOTET dynamic config extraction}}, date = {2022-10-28}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/emotet-dynamic-configuration-extraction}, language = {English}, urldate = {2022-10-30} } EMOTET dynamic config extraction
Emotet
2022-10-24 | Medium CSIS Techblog | Benoît Ancel
@online{ancel:20221024:chapter:c870465, author = {Benoît Ancel}, title = {{Chapter 1 — From Gozi to ISFB: The history of a mythical malware family.}}, date = {2022-10-24}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/chapter-1-from-gozi-to-isfb-the-history-of-a-mythical-malware-family-82e592577fef}, language = {English}, urldate = {2023-05-02} } Chapter 1 — From Gozi to ISFB: The history of a mythical malware family.
Gozi ISFB Snifula
2022-10-13 | Syrion | Raffaele Sabato
@online{sabato:20221013:qakbot:f971585, author = {Raffaele Sabato}, title = {{QAKBOT BB Configuration and C2 IPs List}}, date = {2022-10-13}, organization = {Syrion}, url = {https://syrion.me/malware/qakbot-bb-extractor/}, language = {English}, urldate = {2022-10-24} } QAKBOT BB Configuration and C2 IPs List
QakBot
2022-10-13 | Spamhaus | Spamhaus Malware Labs
@techreport{labs:20221013:spamhaus:43e3190, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q3 2022}}, date = {2022-10-13}, institution = {Spamhaus}, url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf}, language = {English}, urldate = {2022-12-29} } Spamhaus Botnet Threat Update Q3 2022
FluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars Tofsee Vjw0rm
2022-10-12 | Trend Micro | Ian Kenefick, Lucas Silva, Nicole Hernandez
@online{kenefick:20221012:black:17505c9, author = {Ian Kenefick and Lucas Silva and Nicole Hernandez}, title = {{Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike}}, date = {2022-10-12}, organization = {Trend Micro}, url = {https://www.trendmicro.com/de_de/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html}, language = {English}, urldate = {2023-05-23} } Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike
Black Basta Brute Ratel C4 Cobalt Strike QakBot
2022-10-12 | Netresec | Erik Hjelmvik
@online{hjelmvik:20221012:icedid:ac8a79c, author = {Erik Hjelmvik}, title = {{IcedID BackConnect Protocol}}, date = {2022-10-12}, organization = {Netresec}, url = {https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol}, language = {English}, urldate = {2023-02-16} } IcedID BackConnect Protocol
IcedID
2022-10-07 | Team Cymru | S2 Research Team
@online{team:20221007:visualizza:0ed3fe8, author = {S2 Research Team}, title = {{A Visualizza into Recent IcedID Campaigns: Reconstructing Threat Actor Metrics with Pure Signal™ Recon}}, date = {2022-10-07}, organization = {Team Cymru}, url = {https://www.team-cymru.com/post/a-visualizza-into-recent-icedid-campaigns}, language = {English}, urldate = {2022-10-10} } A Visualizza into Recent IcedID Campaigns: Reconstructing Threat Actor Metrics with Pure Signal™ Recon
IcedID PhotoLoader
2022-10-03 | vmware | Threat Analysis Unit
@techreport{unit:20221003:emotet:94323dc, author = {Threat Analysis Unit}, title = {{Emotet Exposed: A Look Inside the Cybercriminal Supply Chain}}, date = {2022-10-03}, institution = {vmware}, url = {https://www.vmware.com/content/dam/learn/en/amer/fy23/pdf/1669005_Emotet_Exposed_A_Look_Inside_the_Cybercriminal_Supply_Chain.pdf}, language = {English}, urldate = {2022-10-24} } Emotet Exposed: A Look Inside the Cybercriminal Supply Chain
Emotet
2022-09-13 | AdvIntel | Advanced Intelligence
@online{intelligence:20220913:advintels:ea02331, author = {Advanced Intelligence}, title = {{AdvIntel's State of Emotet aka "SpmTools" Displays Over Million Compromised Machines Through 2022}}, date = {2022-09-13}, organization = {AdvIntel}, url = {https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022}, language = {English}, urldate = {2022-09-19} } AdvIntel's State of Emotet aka "SpmTools" Displays Over Million Compromised Machines Through 2022
Conti Cobalt Strike Emotet Ryuk TrickBot
2022-09-12 | The DFIR Report | The DFIR Report
@online{report:20220912:dead:a6b31c3, author = {The DFIR Report}, title = {{Dead or Alive? An Emotet Story}}, date = {2022-09-12}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/}, language = {English}, urldate = {2022-09-12} } Dead or Alive? An Emotet Story
Cobalt Strike Emotet
2022-09-07 | Google | Pierre-Marc Bureau, Google Threat Analysis Group
@online{bureau:20220907:initial:d1975b3, author = {Pierre-Marc Bureau and Google Threat Analysis Group}, title = {{Initial access broker repurposing techniques in targeted attacks against Ukraine}}, date = {2022-09-07}, organization = {Google}, url = {https://blog.google/threat-analysis-group/initial-access-broker-repurposing-techniques-in-targeted-attacks-against-ukraine/}, language = {English}, urldate = {2022-09-13} } Initial access broker repurposing techniques in targeted attacks against Ukraine
AnchorMail Cobalt Strike IcedID
2022-09-06 | Zscaler | Brett Stone-Gross
@online{stonegross:20220906:ares:e7ddb5d, author = {Brett Stone-Gross}, title = {{The Ares Banking Trojan Learns Old Tricks: Adds the Defunct Qakbot DGA}}, date = {2022-09-06}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/ares-banking-trojan-learns-old-tricks-adds-defunct-qakbot-dga}, language = {English}, urldate = {2022-09-07} } The Ares Banking Trojan Learns Old Tricks: Adds the Defunct Qakbot DGA
Ares QakBot
2022-09-01 | Medium michaelkoczwara | Michael Koczwara
@online{koczwara:20220901:hunting:45c54de, author = {Michael Koczwara}, title = {{Hunting C2/Adversaries Infrastructure with Shodan and Censys}}, date = {2022-09-01}, organization = {Medium michaelkoczwara}, url = {https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f}, language = {English}, urldate = {2023-01-19} } Hunting C2/Adversaries Infrastructure with Shodan and Censys
Brute Ratel C4 Cobalt Strike Deimos GRUNT IcedID Merlin Meterpreter Nighthawk PoshC2 Sliver
2022-09-01 | Trend Micro | Trend Micro
@online{micro:20220901:ransomware:8eda6e4, author = {Trend Micro}, title = {{Ransomware Spotlight Black Basta}}, date = {2022-09-01}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta}, language = {English}, urldate = {2022-09-19} } Ransomware Spotlight Black Basta
Black Basta Cobalt Strike MimiKatz QakBot
2022-08-25 | Palo Alto Networks Unit 42 | Amer Elsad
@online{elsad:20220825:threat:b3514ed, author = {Amer Elsad}, title = {{Threat Assessment: Black Basta Ransomware}}, date = {2022-08-25}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/}, language = {English}, urldate = {2022-10-05} } Threat Assessment: Black Basta Ransomware
Black Basta QakBot
2022-08-24 | Trellix | Adithya Chandra, Sushant Kumar Arya
@online{chandra:20220824:demystifying:77609b2, author = {Adithya Chandra and Sushant Kumar Arya}, title = {{Demystifying Qbot Malware}}, date = {2022-08-24}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/demystifying-qbot-malware.html}, language = {English}, urldate = {2022-08-28} } Demystifying Qbot Malware
QakBot
2022-08-24 | Elastic | Cyril François
@online{franois:20220824:qbot:152ef8d, author = {Cyril François}, title = {{QBOT Malware Analysis}}, date = {2022-08-24}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/qbot-malware-analysis}, language = {English}, urldate = {2022-08-30} } QBOT Malware Analysis
QakBot
2022-08-23 | Darktrace | Eugene Chua, Paul Jennings, Hanah Darley
@online{chua:20220823:emotet:8e4522c, author = {Eugene Chua and Paul Jennings and Hanah Darley}, title = {{Emotet Resurgence: Cross-Industry Campaign Analysis}}, date = {2022-08-23}, organization = {Darktrace}, url = {https://de.darktrace.com/blog/emotet-resurgence-cross-industry-campaign-analysis}, language = {English}, urldate = {2022-08-30} } Emotet Resurgence: Cross-Industry Campaign Analysis
Emotet
2022-08-19 | vmware | Oleg Boyarchuk, Stefano Ortolani
@online{boyarchuk:20220819:how:a43d0e2, author = {Oleg Boyarchuk and Stefano Ortolani}, title = {{How to Replicate Emotet Lateral Movement}}, date = {2022-08-19}, organization = {vmware}, url = {https://blogs.vmware.com/security/2022/08/how-to-replicate-emotet-lateral-movement.html}, language = {English}, urldate = {2022-08-31} } How to Replicate Emotet Lateral Movement
Emotet
2022-08-12 | SANS ISC | Brad Duncan
@online{duncan:20220812:monster:cbf3101, author = {Brad Duncan}, title = {{Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike}}, date = {2022-08-12}, organization = {SANS ISC}, url = {https://isc.sans.edu/diary/rss/28934}, language = {English}, urldate = {2022-08-15} } Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike
Cobalt Strike DarkVNC IcedID
2022-08-10 | BitSight | João Batista
@online{batista:20220810:emotet:2248a42, author = {João Batista}, title = {{Emotet SMB Spreader is Back}}, date = {2022-08-10}, organization = {BitSight}, url = {https://www.bitsight.com/blog/emotet-smb-spreader-back}, language = {English}, urldate = {2022-08-11} } Emotet SMB Spreader is Back
Emotet
2022-08-08 | Medium CSIS Techblog | Benoît Ancel
@online{ancel:20220808:inside:67ef9a0, author = {Benoît Ancel}, title = {{An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure}}, date = {2022-08-08}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145}, language = {English}, urldate = {2022-08-28} } An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure
Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader
2022-08-04 | Medium walmartglobaltech | Joshua Platt, Jason Reaves
@online{platt:20220804:icedid:546c931, author = {Joshua Platt and Jason Reaves}, title = {{IcedID leverages PrivateLoader}}, date = {2022-08-04}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/icedid-leverages-privateloader-7744771bf87f}, language = {English}, urldate = {2022-08-11} } IcedID leverages PrivateLoader
IcedID PrivateLoader
2022-07-27 | Elastic | Cyril François, Derek Ditch
@online{franois:20220727:qbot:82146d1, author = {Cyril François and Derek Ditch}, title = {{QBOT Configuration Extractor}}, date = {2022-07-27}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/qbot-configuration-extractor}, language = {English}, urldate = {2022-08-05} } QBOT Configuration Extractor
QakBot
2022-07-27 | SANS ISC | Brad Duncan
@online{duncan:20220727:icedid:839e33a, author = {Brad Duncan}, title = {{IcedID (Bokbot) with Dark VNC and Cobalt Strike}}, date = {2022-07-27}, organization = {SANS ISC}, url = {https://isc.sans.edu/diary/IcedID+%28Bokbot%29+with+Dark+VNC+and+Cobalt+Strike/28884}, language = {English}, urldate = {2022-07-28} } IcedID (Bokbot) with Dark VNC and Cobalt Strike
DarkVNC IcedID
2022-07-27 | cyble | Cyble Research Labs
@online{labs:20220727:targeted:aa69498, author = {Cyble Research Labs}, title = {{Targeted Attacks Being Carried Out Via DLL SideLoading}}, date = {2022-07-27}, organization = {cyble}, url = {https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/}, language = {English}, urldate = {2022-08-15} } Targeted Attacks Being Carried Out Via DLL SideLoading
Cobalt Strike QakBot
2022-07-27 | Elastic | Cyril François, Andrew Pease, Seth Goodwin
@online{franois:20220727:exploring:67dc644, author = {Cyril François and Andrew Pease and Seth Goodwin}, title = {{Exploring the QBOT Attack Pattern}}, date = {2022-07-27}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern}, language = {English}, urldate = {2022-08-05} } Exploring the QBOT Attack Pattern
QakBot
2022-07-24 | Bleeping Computer | Bill Toulas
@online{toulas:20220724:qbot:f6c03d9, author = {Bill Toulas}, title = {{QBot phishing uses Windows Calculator sideloading to infect devices}}, date = {2022-07-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/qbot-phishing-uses-windows-calculator-sideloading-to-infect-devices/}, language = {English}, urldate = {2022-07-29} } QBot phishing uses Windows Calculator sideloading to infect devices
QakBot
2022-07-19 | Fortinet | Xiaopeng Zhang
@online{zhang:20220719:new:a3b1085, author = {Xiaopeng Zhang}, title = {{New Variant of QakBot Being Spread by HTML File Attached to Phishing Emails}}, date = {2022-07-19}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/new-variant-of-qakbot-spread-by-phishing-emails}, language = {English}, urldate = {2022-07-25} } New Variant of QakBot Being Spread by HTML File Attached to Phishing Emails
QakBot
2022-07-18 | Palo Alto Networks Unit 42 | Unit 42
@online{42:20220718:monster:1aaba4e, author = {Unit 42}, title = {{Monster Libra}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/monsterlibra/}, language = {English}, urldate = {2022-07-29} } Monster Libra
Valak IcedID GOLD CABIN
2022-07-17 | Resecurity | Resecurity
@online{resecurity:20220717:shortcutbased:6cd77fb, author = {Resecurity}, title = {{Shortcut-Based (LNK) Attacks Delivering Malicious Code On The Rise}}, date = {2022-07-17}, organization = {Resecurity}, url = {https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise}, language = {English}, urldate = {2022-07-28} } Shortcut-Based (LNK) Attacks Delivering Malicious Code On The Rise
AsyncRAT BumbleBee Emotet IcedID QakBot
2022-07-12 | Zscaler | Tarun Dewan, Aditya Sharma
@online{dewan:20220712:rise:1cc657e, author = {Tarun Dewan and Aditya Sharma}, title = {{Rise in Qakbot attacks traced to evolving threat techniques}}, date = {2022-07-12}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/rise-qakbot-attacks-traced-evolving-threat-techniques}, language = {English}, urldate = {2022-07-14} } Rise in Qakbot attacks traced to evolving threat techniques
QakBot
2022-07-12 | Cyren | Kervin Alintanahin
@online{alintanahin:20220712:example:ae62e81, author = {Kervin Alintanahin}, title = {{Example Analysis of Multi-Component Malware}}, date = {2022-07-12}, organization = {Cyren}, url = {https://www.cyren.com/blog/articles/example-analysis-of-multi-component-malware}, language = {English}, urldate = {2022-07-18} } Example Analysis of Multi-Component Malware
Emotet Formbook
2022-07-07 | Fortinet | Erin Lin
@online{lin:20220707:notable:71d2df3, author = {Erin Lin}, title = {{Notable Droppers Emerge in Recent Threat Campaigns}}, date = {2022-07-07}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns}, language = {English}, urldate = {2022-07-15} } Notable Droppers Emerge in Recent Threat Campaigns
BumbleBee Emotet PhotoLoader QakBot
2022-07-07 | SANS ISC | Brad Duncan
@online{duncan:20220707:emotet:3732ca7, author = {Brad Duncan}, title = {{Emotet infection with Cobalt Strike}}, date = {2022-07-07}, organization = {SANS ISC}, url = {https://isc.sans.edu/forums/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824/}, language = {English}, urldate = {2022-07-12} } Emotet infection with Cobalt Strike
Cobalt Strike Emotet
2022-07-07 | IBM | Ole Villadsen, Charlotte Hammond, Kat Weinberger
@online{villadsen:20220707:unprecedented:d0a6add, author = {Ole Villadsen and Charlotte Hammond and Kat Weinberger}, title = {{Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine}}, date = {2022-07-07}, organization = {IBM}, url = {https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine}, language = {English}, urldate = {2022-07-12} } Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine
AnchorMail BumbleBee Cobalt Strike IcedID Meterpreter
2022-07-05 | Soc Investigation | Priyadharshini Balaji
@online{balaji:20220705:qbot:75c3b14, author = {Priyadharshini Balaji}, title = {{QBot Spreads via LNK Files – Detection & Response}}, date = {2022-07-05}, organization = {Soc Investigation}, url = {https://www.socinvestigation.com/qbot-spreads-via-lnk-files-detection-response/}, language = {English}, urldate = {2022-07-13} } QBot Spreads via LNK Files – Detection & Response
QakBot
2022-06-30 | Trend Micro | Kenneth Adrian Apostol, Paolo Ronniel Labrador, Mirah Manlapig, James Panlilio, Emmanuel Panopio, John Kenneth Reyes, Melvin Singwa
@online{apostol:20220630:black:7464953, author = {Kenneth Adrian Apostol and Paolo Ronniel Labrador and Mirah Manlapig and James Panlilio and Emmanuel Panopio and John Kenneth Reyes and Melvin Singwa}, title = {{Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit}}, date = {2022-06-30}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html}, language = {English}, urldate = {2022-07-05} } Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit
Black Basta Cobalt Strike QakBot
2022-06-27 | Netskope | Gustavo Palazolo
@online{palazolo:20220627:emotet:e01f0fb, author = {Gustavo Palazolo}, title = {{Emotet: Still Abusing Microsoft Office Macros}}, date = {2022-06-27}, organization = {Netskope}, url = {https://www.netskope.com/blog/emotet-still-abusing-microsoft-office-macros}, language = {English}, urldate = {2022-06-30} } Emotet: Still Abusing Microsoft Office Macros
Emotet
2022-06-24 | Soc Investigation | BalaGanesh
@online{balaganesh:20220624:icedid:2bb9d0d, author = {BalaGanesh}, title = {{IcedID Banking Trojan returns with new TTPS – Detection & Response}}, date = {2022-06-24}, organization = {Soc Investigation}, url = {https://www.socinvestigation.com/icedid-banking-trojan-returns-with-new-ttps-detection-response/}, language = {English}, urldate = {2022-06-27} } IcedID Banking Trojan returns with new TTPS – Detection & Response
IcedID
2022-06-24 | Group-IB | Albert Priego
@online{priego:20220624:we:0ed77e2, author = {Albert Priego}, title = {{We see you, Gozi Hunting the latest TTPs used for delivering the Trojan}}, date = {2022-06-24}, organization = {Group-IB}, url = {https://blog.group-ib.com/gozi-latest-ttps}, language = {English}, urldate = {2022-08-17} } We see you, Gozi Hunting the latest TTPs used for delivering the Trojan
ISFB
2022-06-21 | McAfee | Lakshya Mathur
@online{mathur:20220621:rise:71e04f0, author = {Lakshya Mathur}, title = {{Rise of LNK (Shortcut files) Malware}}, date = {2022-06-21}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/}, language = {English}, urldate = {2022-07-05} } Rise of LNK (Shortcut files) Malware
BazarBackdoor Emotet IcedID QakBot
2022-06-17 | Github (NtQuerySystemInformation) | Twitter (@kasua02)
@techreport{kasua02:20220617:reverse:b218c67, author = {Twitter (@kasua02)}, title = {{A reverse engineer primer on Qakbot Dll Stager: From initial execution to multithreading.}}, date = {2022-06-17}, institution = {Github (NtQuerySystemInformation)}, url = {https://raw.githubusercontent.com/NtQuerySystemInformation/Malware-RE-papers/main/Qakbot%20report.pdf}, language = {English}, urldate = {2022-07-01} } A reverse engineer primer on Qakbot Dll Stager: From initial execution to multithreading.
QakBot
2022-06-16 | ESET Research | Rene Holt
@online{holt:20220616:how:d3225fc, author = {Rene Holt}, title = {{How Emotet is changing tactics in response to Microsoft’s tightening of Office macro security}}, date = {2022-06-16}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/06/16/how-emotet-is-changing-tactics-microsoft-tightening-office-macro-security/}, language = {English}, urldate = {2022-06-17} } How Emotet is changing tactics in response to Microsoft’s tightening of Office macro security
Emotet
2022-06-09 | InfoSec Handlers Diary Blog | Brad Duncan
@online{duncan:20220609:ta570:a51c1eb, author = {Brad Duncan}, title = {{TA570 Qakbot (Qbot) tries CVE-2022-30190 (Follina) exploit (ms-msdt)}}, date = {2022-06-09}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/28728}, language = {English}, urldate = {2022-06-09} } TA570 Qakbot (Qbot) tries CVE-2022-30190 (Follina) exploit (ms-msdt)
QakBot
2022-06-07 | McAfee | Jyothi Naveen, Kiran Raj
@online{naveen:20220607:phishing:704f5f7, author = {Jyothi Naveen and Kiran Raj}, title = {{Phishing Campaigns featuring Ursnif Trojan on the Rise}}, date = {2022-06-07}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/phishing-campaigns-featuring-ursnif-trojan/}, language = {English}, urldate = {2022-06-15} } Phishing Campaigns featuring Ursnif Trojan on the Rise
ISFB
2022-06-02 | Mandiant | Mandiant
@online{mandiant:20220602:trending:0bcdbc4, author = {Mandiant}, title = {{TRENDING EVIL Q2 2022}}, date = {2022-06-02}, organization = {Mandiant}, url = {https://experience.mandiant.com/trending-evil-2/p/1}, language = {English}, urldate = {2022-06-07} } TRENDING EVIL Q2 2022
CloudEyE Cobalt Strike CryptBot Emotet IsaacWiper QakBot
2022-05-30 | - | Matthieu Walter
@online{walter:20220530:automatically:a02278f, author = {Matthieu Walter}, title = {{Automatically Unpacking IcedID Stage 1 with Angr}}, date = {2022-05-30}, url = {https://matth.dmz42.org/posts/2022/automatically-unpacking-icedid-stage1-with-angr/}, language = {English}, urldate = {2022-05-31} } Automatically Unpacking IcedID Stage 1 with Angr
IcedID
2022-05-27 | Kroll | Cole Manaster, George Glass, Elio Biasiotto
@online{manaster:20220527:emotet:77000c1, author = {Cole Manaster and George Glass and Elio Biasiotto}, title = {{Emotet Analysis: New LNKs in the Infection Chain – The Monitor, Issue 20}}, date = {2022-05-27}, organization = {Kroll}, url = {https://www.kroll.com/en/insights/publications/cyber/monitor/emotet-analysis-new-lnk-in-the-infection-chain}, language = {English}, urldate = {2022-05-31} } Emotet Analysis: New LNKs in the Infection Chain – The Monitor, Issue 20
Emotet
2022-05-25 | vmware | Oleg Boyarchuk, Stefano Ortolani
@online{boyarchuk:20220525:emotet:ada82ac, author = {Oleg Boyarchuk and Stefano Ortolani}, title = {{Emotet Config Redux}}, date = {2022-05-25}, organization = {vmware}, url = {https://blogs.vmware.com/security/2022/05/emotet-config-redux.html}, language = {English}, urldate = {2022-05-29} } Emotet Config Redux
Emotet
2022-05-24 | Deep instinct | Bar Block
@online{block:20220524:blame:9f45829, author = {Bar Block}, title = {{Blame the Messenger: 4 Types of Dropper Malware in Microsoft Office & How to Detect Them}}, date = {2022-05-24}, organization = {Deep instinct}, url = {https://www.deepinstinct.com/blog/types-of-dropper-malware-in-microsoft-office}, language = {English}, urldate = {2022-05-29} } Blame the Messenger: 4 Types of Dropper Malware in Microsoft Office & How to Detect Them
Dridex Emotet
2022-05-24 | BitSight | João Batista, Pedro Umbelino, BitSight
@online{batista:20220524:emotet:cae57f1, author = {João Batista and Pedro Umbelino and BitSight}, title = {{Emotet Botnet Rises Again}}, date = {2022-05-24}, organization = {BitSight}, url = {https://www.bitsight.com/blog/emotet-botnet-rises-again}, language = {English}, urldate = {2022-05-25} } Emotet Botnet Rises Again
Cobalt Strike Emotet QakBot SystemBC
2022-05-19 | Trend Micro | Adolph Christian Silverio, Jeric Miguel Abordo, Khristian Joseph Morales, Maria Emreen Viray
@online{silverio:20220519:bruised:f5c6775, author = {Adolph Christian Silverio and Jeric Miguel Abordo and Khristian Joseph Morales and Maria Emreen Viray}, title = {{Bruised but Not Broken: The Resurgence of the Emotet Botnet Malware}}, date = {2022-05-19}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/e/bruised-but-not-broken--the-resurgence-of-the-emotet-botnet-malw.html}, language = {English}, urldate = {2022-05-25} } Bruised but Not Broken: The Resurgence of the Emotet Botnet Malware
Emotet QakBot
2022-05-19 | IBM | Charlotte Hammond, Ole Villadsen, Golo Mühr
@online{hammond:20220519:itg23:eab10e2, author = {Charlotte Hammond and Ole Villadsen and Golo Mühr}, title = {{ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups}}, date = {2022-05-19}, organization = {IBM}, url = {https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/}, language = {English}, urldate = {2022-05-25} } ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups
IcedID ISFB Mount Locker
2022-05-17 | Trend Micro | Trend Micro Research
@online{research:20220517:ransomware:7b86339, author = {Trend Micro Research}, title = {{Ransomware Spotlight: RansomEXX}}, date = {2022-05-17}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx}, language = {English}, urldate = {2022-05-25} } Ransomware Spotlight: RansomEXX
LaZagne Cobalt Strike IcedID MimiKatz PyXie RansomEXX TrickBot
2022-05-17 | Palo Alto Networks Unit 42 | Brad Duncan
@online{duncan:20220517:emotet:5f61714, author = {Brad Duncan}, title = {{Emotet Summary: November 2021 Through January 2022}}, date = {2022-05-17}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/emotet-malware-summary-epoch-4-5/}, language = {English}, urldate = {2022-05-29} } Emotet Summary: November 2021 Through January 2022
Emotet
2022-05-16 | vmware | Oleg Boyarchuk, Stefano Ortolani, Jason Zhang, Threat Analysis Unit
@online{boyarchuk:20220516:emotet:6392ff3, author = {Oleg Boyarchuk and Stefano Ortolani and Jason Zhang and Threat Analysis Unit}, title = {{Emotet Moves to 64 bit and Updates its Loader}}, date = {2022-05-16}, organization = {vmware}, url = {https://blogs.vmware.com/security/2022/05/emotet-moves-to-64-bit-and-updates-its-loader.html}, language = {English}, urldate = {2022-05-17} } Emotet Moves to 64 bit and Updates its Loader
Emotet
2022-05-12 | Intel 471 | Intel 471
@online{471:20220512:what:05369d4, author = {Intel 471}, title = {{What malware to look for if you want to prevent a ransomware attack}}, date = {2022-05-12}, organization = {Intel 471}, url = {https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike}, language = {English}, urldate = {2022-05-13} } What malware to look for if you want to prevent a ransomware attack
Conti BumbleBee Cobalt Strike IcedID Sliver
2022-05-11 | InfoSec Handlers Diary Blog | Brad Duncan
@online{duncan:20220511:ta578:0a0a686, author = {Brad Duncan}, title = {{TA578 using thread-hijacked emails to push ISO files for Bumblebee malware}}, date = {2022-05-11}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/28636}, language = {English}, urldate = {2022-05-11} } TA578 using thread-hijacked emails to push ISO files for Bumblebee malware
BumbleBee Cobalt Strike IcedID PhotoLoader
2022-05-11 | IronNet | Blake Cahen, IronNet Threat Research
@online{cahen:20220511:detecting:c61fd63, author = {Blake Cahen and IronNet Threat Research}, title = {{Detecting a MUMMY SPIDER campaign and Emotet infection}}, date = {2022-05-11}, organization = {IronNet}, url = {https://www.ironnet.com/blog/detecting-a-mummyspider-campaign-and-emotet-infection}, language = {English}, urldate = {2022-05-17} } Detecting a MUMMY SPIDER campaign and Emotet infection
Emotet
2022-05-11 | HP | HP Wolf Security
@techreport{security:20220511:threat:bd460f0, author = {HP Wolf Security}, title = {{Threat Insights Report Q1 - 2022}}, date = {2022-05-11}, institution = {HP}, url = {https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf}, language = {English}, urldate = {2022-05-13} } Threat Insights Report Q1 - 2022
AsyncRAT Emotet Mekotio Vjw0rm
2022-05-09 | Netresec | Erik Hjelmvik
@online{hjelmvik:20220509:emotet:ce90938, author = {Erik Hjelmvik}, title = {{Emotet C2 and Spam Traffic Video}}, date = {2022-05-09}, organization = {Netresec}, url = {https://www.netresec.com/?page=Blog&month=2022-05&post=Emotet-C2-and-Spam-Traffic-Video}, language = {English}, urldate = {2022-05-09} } Emotet C2 and Spam Traffic Video
Emotet
2022-05-09 | Microsoft | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-05-09 | Cybereason | Lior Rochberger
@online{rochberger:20220509:cybereason:9178f63, author = {Lior Rochberger}, title = {{Cybereason vs. Quantum Locker Ransomware}}, date = {2022-05-09}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware}, language = {English}, urldate = {2022-05-11} } Cybereason vs. Quantum Locker Ransomware
IcedID Mount Locker
2022-05-08 | Qualys | Amit Gadhave
@online{gadhave:20220508:ursnif:4e8605b, author = {Amit Gadhave}, title = {{Ursnif Malware Banks on News Events for Phishing Attacks}}, date = {2022-05-08}, organization = {Qualys}, url = {https://blog.qualys.com/vulnerabilities-threat-research/2022/05/08/ursnif-malware-banks-on-news-events-for-phishing-attacks}, language = {English}, urldate = {2022-05-17} } Ursnif Malware Banks on News Events for Phishing Attacks
ISFB
2022-05-06 | Netskope | Gustavo Palazolo
@online{palazolo:20220506:emotet:44a2595, author = {Gustavo Palazolo}, title = {{Emotet: New Delivery Mechanism to Bypass VBA Protection}}, date = {2022-05-06}, organization = {Netskope}, url = {https://www.netskope.com/blog/emotet-new-delivery-mechanism-to-bypass-vba-protection}, language = {English}, urldate = {2022-05-09} } Emotet: New Delivery Mechanism to Bypass VBA Protection
Emotet
2022-05-04 | Twitter (@felixw3000) | Felix
@online{felix:20220504:twitter:0fb7e35, author = {Felix}, title = {{Twitter Thread with info on infection chain with IcedId, Cobalt Strike, and Hidden VNC.}}, date = {2022-05-04}, organization = {Twitter (@felixw3000)}, url = {https://twitter.com/felixw3000/status/1521816045769662468}, language = {English}, urldate = {2022-05-09} } Twitter Thread with info on infection chain with IcedId, Cobalt Strike, and Hidden VNC.
Cobalt Strike IcedID PhotoLoader
2022-05-04 | Sophos | Andreas Klopsch
@online{klopsch:20220504:attacking:750e07f, author = {Andreas Klopsch}, title = {{Attacking Emotet’s Control Flow Flattening}}, date = {2022-05-04}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/05/04/attacking-emotets-control-flow-flattening/}, language = {English}, urldate = {2022-05-05} } Attacking Emotet’s Control Flow Flattening
Emotet
2022-04-28 | Symantec | Karthikeyan C Kasiviswanathan, Vishal Kamble
@online{kasiviswanathan:20220428:ransomware:95feafb, author = {Karthikeyan C Kasiviswanathan and Vishal Kamble}, title = {{Ransomware: How Attackers are Breaching Corporate Networks}}, date = {2022-04-28}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker}, language = {English}, urldate = {2022-05-04} } Ransomware: How Attackers are Breaching Corporate Networks
AvosLocker Conti Emotet Hive IcedID PhotoLoader QakBot TrickBot
2022-04-27 | Cybleinc | Cyble
@online{cyble:20220427:emotet:a8c919a, author = {Cyble}, title = {{Emotet Returns With New TTPs And Delivers .Lnk Files To Its Victims}}, date = {2022-04-27}, organization = {Cybleinc}, url = {https://blog.cyble.com/2022/04/27/emotet-returns-with-new-ttps-and-delivers-lnk-files-to-its-victims/}, language = {English}, urldate = {2022-05-04} } Emotet Returns With New TTPs And Delivers .Lnk Files To Its Victims
Emotet
2022-04-26 | Proofpoint | Axel F
@online{f:20220426:emotet:afb4f87, author = {Axel F}, title = {{Emotet Tests New Delivery Techniques}}, date = {2022-04-26}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/emotet-tests-new-delivery-techniques}, language = {English}, urldate = {2022-04-29} } Emotet Tests New Delivery Techniques
Emotet
2022-04-26 | Intel 471 | Intel 471
@online{471:20220426:conti:6bcff7d, author = {Intel 471}, title = {{Conti and Emotet: A constantly destructive duo}}, date = {2022-04-26}, organization = {Intel 471}, url = {https://intel471.com/blog/conti-emotet-ransomware-conti-leaks}, language = {English}, urldate = {2022-04-29} } Conti and Emotet: A constantly destructive duo
Cobalt Strike Conti Emotet IcedID QakBot TrickBot
2022-04-26 | Bleeping Computer | Ionut Ilascu
@online{ilascu:20220426:emotet:d0b6f50, author = {Ionut Ilascu}, title = {{Emotet malware now installs via PowerShell in Windows shortcut files}}, date = {2022-04-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/emotet-malware-now-installs-via-powershell-in-windows-shortcut-files/}, language = {English}, urldate = {2022-04-29} } Emotet malware now installs via PowerShell in Windows shortcut files
Emotet
2022-04-25 | The DFIR Report | The DFIR Report
@online{report:20220425:quantum:128d2b3, author = {The DFIR Report}, title = {{Quantum Ransomware}}, date = {2022-04-25}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2022/04/25/quantum-ransomware/}, language = {English}, urldate = {2022-04-25} } Quantum Ransomware
Cobalt Strike IcedID
2022-04-24 | forensicitguy | Tony Lambert
@online{lambert:20220424:shortcut:b1a00dd, author = {Tony Lambert}, title = {{Shortcut to Emotet, an odd TTP change}}, date = {2022-04-24}, organization = {forensicitguy}, url = {https://forensicitguy.github.io/shortcut-to-emotet-ttp-change/}, language = {English}, urldate = {2022-04-25} } Shortcut to Emotet, an odd TTP change
Emotet
2022-04-20 | CISA | CISA, NSA, FBI, Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), Government Communications Security Bureau, NCSC UK, National Crime Agency (NCA)
@techreport{cisa:20220420:aa22110a:4fde5d6, author = {CISA and NSA and FBI and Australian Cyber Security Centre (ACSC) and Canadian Centre for Cyber Security (CCCS) and Government Communications Security Bureau and NCSC UK and National Crime Agency (NCA)}, title = {{AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}}, date = {2022-04-20}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf}, language = {English}, urldate = {2022-04-25} } AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader
2022-04-20 | SANS ISC | Brad Duncan
@online{duncan:20220420:aa:eb304fb, author = {Brad Duncan}, title = {{'aa' distribution Qakbot (Qbot) infection with DarkVNC traffic}}, date = {2022-04-20}, organization = {SANS ISC}, url = {https://isc.sans.edu/diary/rss/28568}, language = {English}, urldate = {2022-04-25} } 'aa' distribution Qakbot (Qbot) infection with DarkVNC traffic
QakBot
2022-04-20 | cocomelonc | cocomelonc
@online{cocomelonc:20220420:malware:b20963e, author = {cocomelonc}, title = {{Malware development: persistence - part 1. Registry run keys. C++ example.}}, date = {2022-04-20}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html}, language = {English}, urldate = {2022-12-01} } Malware development: persistence - part 1. Registry run keys. C++ example.
Agent Tesla Amadey BlackEnergy Cobian RAT COZYDUKE Emotet Empire Downloader Kimsuky
2022-04-20 | CISA | CISA
@online{cisa:20220420:alert:529e28c, author = {CISA}, title = {{Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}}, date = {2022-04-20}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-110a}, language = {English}, urldate = {2022-04-25} } Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader Killnet
2022-04-19 | Twitter (@Cryptolaemus1) | Cryptolaemus
@online{cryptolaemus:20220419:emotet:c68608b, author = {Cryptolaemus}, title = {{#Emotet Update: 64 bit upgrade of Epoch 5}}, date = {2022-04-19}, organization = {Twitter (@Cryptolaemus1)}, url = {https://twitter.com/Cryptolaemus1/status/1516535343281025032}, language = {English}, urldate = {2022-04-20} } #Emotet Update: 64 bit upgrade of Epoch 5
Emotet
2022-04-19 | Bleeping Computer | Bill Toulas
@online{toulas:20220419:emotet:a7e392d, author = {Bill Toulas}, title = {{Emotet botnet switches to 64-bit modules, increases activity}}, date = {2022-04-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/emotet-botnet-switches-to-64-bit-modules-increases-activity/}, language = {English}, urldate = {2022-04-20} } Emotet botnet switches to 64-bit modules, increases activity
Emotet
2022-04-18 | Fortinet | Erin Lin
@online{lin:20220418:trends:fab9950, author = {Erin Lin}, title = {{Trends in the Recent Emotet Maldoc Outbreak}}, date = {2022-04-18}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/Trends-in-the-recent-emotet-maldoc-outbreak}, language = {English}, urldate = {2022-04-20} } Trends in the Recent Emotet Maldoc Outbreak
Emotet
2022-04-17 | Malwarology | Gaetano Pellegrino
@online{pellegrino:20220417:qakbot:6af138c, author = {Gaetano Pellegrino}, title = {{Qakbot Series: API Hashing}}, date = {2022-04-17}, organization = {Malwarology}, url = {https://www.malwarology.com/2022/04/qakbot-series-api-hashing/}, language = {English}, urldate = {2022-05-29} } Qakbot Series: API Hashing
QakBot
2022-04-17 | BushidoToken Blog | BushidoToken
@online{bushidotoken:20220417:lessons:d4d0595, author = {BushidoToken}, title = {{Lessons from the Conti Leaks}}, date = {2022-04-17}, organization = {BushidoToken Blog}, url = {https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html}, language = {English}, urldate = {2022-04-25} } Lessons from the Conti Leaks
BazarBackdoor Conti Emotet IcedID Ryuk TrickBot
2022-04-16 | Malwarology | Gaetano Pellegrino
@online{pellegrino:20220416:qakbot:0b60d1c, author = {Gaetano Pellegrino}, title = {{Qakbot Series: Process Injection}}, date = {2022-04-16}, organization = {Malwarology}, url = {https://www.malwarology.com/2022/04/qakbot-series-process-injection/}, language = {English}, urldate = {2022-05-31} } Qakbot Series: Process Injection
QakBot
2022-04-14 | Cert-UA | Cert-UA
@online{certua:20220414:cyberattack:915dfa7, author = {Cert-UA}, title = {{Cyberattack on Ukrainian state organizations using IcedID malware (CERT-UA#4464)}}, date = {2022-04-14}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/39609}, language = {Ukrainian}, urldate = {2022-04-20} } Cyberattack on Ukrainian state organizations using IcedID malware (CERT-UA#4464)
IcedID
2022-04-14 | Avast Decoded | Vladimir Martyanov
@online{martyanov:20220414:zloader:23c520a, author = {Vladimir Martyanov}, title = {{Zloader 2: The Silent Night}}, date = {2022-04-14}, organization = {Avast Decoded}, url = {https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/}, language = {English}, urldate = {2022-04-15} } Zloader 2: The Silent Night
ISFB Raccoon Zloader
2022-04-14 | Bleeping Computer | Bill Toulas
@online{toulas:20220414:hackers:2b1153c, author = {Bill Toulas}, title = {{Hackers target Ukrainian govt with IcedID malware, Zimbra exploits}}, date = {2022-04-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hackers-target-ukrainian-govt-with-icedid-malware-zimbra-exploits/}, language = {English}, urldate = {2022-04-15} } Hackers target Ukrainian govt with IcedID malware, Zimbra exploits
IcedID
2022-04-13 | Kaspersky | AMR
@online{amr:20220413:emotet:113c0db, author = {AMR}, title = {{Emotet modules and recent attacks}}, date = {2022-04-13}, organization = {Kaspersky}, url = {https://securelist.com/emotet-modules-and-recent-attacks/106290/}, language = {English}, urldate = {2022-04-15} } Emotet modules and recent attacks
Emotet
2022-04-13 | Malwarology | Gaetano Pellegrino
@online{pellegrino:20220413:qakbot:4bc5d74, author = {Gaetano Pellegrino}, title = {{Qakbot Series: Configuration Extraction}}, date = {2022-04-13}, organization = {Malwarology}, url = {https://www.malwarology.com/2022/04/qakbot-series-configuration-extraction/}, language = {English}, urldate = {2022-05-29} } Qakbot Series: Configuration Extraction
QakBot
2022-04-12 | AhnLab | ASEC Analysis Team
@online{team:20220412:systembc:7bdd20c, author = {ASEC Analysis Team}, title = {{SystemBC Being Used by Various Attackers}}, date = {2022-04-12}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/33600/}, language = {English}, urldate = {2022-04-15} } SystemBC Being Used by Various Attackers
Emotet SmokeLoader SystemBC
2022-04-12 | Tech Times | Joseph Henry
@online{henry:20220412:qbot:9dd8d54, author = {Joseph Henry}, title = {{Qbot Botnet Deploys Malware Payloads Through Malicious Windows Installers}}, date = {2022-04-12}, organization = {Tech Times}, url = {https://www.techtimes.com/articles/274190/20220412/qbot-botnet-deploys-malware-payloads-through-malicious-windows-installers.htm}, language = {English}, urldate = {2022-05-04} } Qbot Botnet Deploys Malware Payloads Through Malicious Windows Installers
QakBot
2022-04-12 | Check Point | Check Point Research
@online{research:20220412:march:2c56dc6, author = {Check Point Research}, title = {{March 2022’s Most Wanted Malware: Easter Phishing Scams Help Emotet Assert its Dominance}}, date = {2022-04-12}, organization = {Check Point}, url = {https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/}, language = {English}, urldate = {2022-04-20} } March 2022’s Most Wanted Malware: Easter Phishing Scams Help Emotet Assert its Dominance
Alien FluBot Agent Tesla Emotet
2022-04-11 | Bleeping Computer | Sergiu Gatlan
@online{gatlan:20220411:qbot:7f1ddc7, author = {Sergiu Gatlan}, title = {{Qbot malware switches to new Windows Installer infection vector}}, date = {2022-04-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/qbot-malware-switches-to-new-windows-installer-infection-vector/}, language = {English}, urldate = {2022-05-04} } Qbot malware switches to new Windows Installer infection vector
QakBot
2022-04-10 | Malwarology | Gaetano Pellegrino
@online{pellegrino:20220410:qakbot:d46c1cc, author = {Gaetano Pellegrino}, title = {{Qakbot Series: String Obfuscation}}, date = {2022-04-10}, organization = {Malwarology}, url = {https://www.malwarology.com/2022/04/qakbot-series-string-obfuscation/}, language = {English}, urldate = {2022-05-29} } Qakbot Series: String Obfuscation
QakBot
2022-04-08 | ReversingLabs | Paul Roberts
@online{roberts:20220408:conversinglabs:270c740, author = {Paul Roberts}, title = {{ConversingLabs Ep. 2: Conti pivots as ransomware as a service struggles}}, date = {2022-04-08}, organization = {ReversingLabs}, url = {https://blog.reversinglabs.com/blog/conversinglabs-ep-2-conti-pivots-as-ransomware-as-a-service-struggles}, language = {English}, urldate = {2022-06-09} } ConversingLabs Ep. 2: Conti pivots as ransomware as a service struggles
Conti Emotet TrickBot
2022-04-04 | The DFIR Report | @0xtornado, @yatinwad, @MettalicHack, @_pete_0
@online{0xtornado:20220404:stolen:3df91a7, author = {@0xtornado and @yatinwad and @MettalicHack and @_pete_0}, title = {{Stolen Images Campaign Ends in Conti Ransomware}}, date = {2022-04-04}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/}, language = {English}, urldate = {2022-04-04} } Stolen Images Campaign Ends in Conti Ransomware
Conti IcedID
2022-04-02 | Github (pl-v) | Player-V
@online{playerv:20220402:emotet:712f2ab, author = {Player-V}, title = {{Emotet Analysis Part 1: Unpacking}}, date = {2022-04-02}, organization = {Github (pl-v)}, url = {https://pl-v.github.io/plv/posts/Emotet-unpacking/}, language = {English}, urldate = {2022-04-08} } Emotet Analysis Part 1: Unpacking
Emotet
2022-03-31 | Trellix | John Fokker, Jambul Tologonov
@online{fokker:20220331:conti:3bc2974, author = {John Fokker and Jambul Tologonov}, title = {{Conti Leaks: Examining the Panama Papers of Ransomware}}, date = {2022-03-31}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html}, language = {English}, urldate = {2022-04-07} } Conti Leaks: Examining the Panama Papers of Ransomware
LockBit Amadey Buer Conti IcedID LockBit Mailto Maze PhotoLoader Ryuk TrickBot
2022-03-31 | nccgroup | Nikolaos Pantazopoulos, Alex Jessop, Simon Biggs, RIFT: Research and Intelligence Fusion Team
@online{pantazopoulos:20220331:continuation:b38514d, author = {Nikolaos Pantazopoulos and Alex Jessop and Simon Biggs and RIFT: Research and Intelligence Fusion Team}, title = {{Conti-nuation: methods and techniques observed in operations post the leaks}}, date = {2022-03-31}, organization = {nccgroup}, url = {https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/}, language = {English}, urldate = {2022-03-31} } Conti-nuation: methods and techniques observed in operations post the leaks
Cobalt Strike Conti QakBot
2022-03-30 | Prevailion | Prevailion
@online{prevailion:20220330:wizard:6eb38a7, author = {Prevailion}, title = {{Wizard Spider continues to confound}}, date = {2022-03-30}, organization = {Prevailion}, url = {https://blog.prevailion.com/wizard-spider-continues-to-confound-4298370f6903}, language = {English}, urldate = {2022-03-31} } Wizard Spider continues to confound
BazarBackdoor Cobalt Strike Emotet
2022-03-29 | vmware | Oleg Boyarchuk, Jason Zhang, Threat Analysis Unit
@online{boyarchuk:20220329:emotet:18b143b, author = {Oleg Boyarchuk and Jason Zhang and Threat Analysis Unit}, title = {{Emotet C2 Configuration Extraction and Analysis}}, date = {2022-03-29}, organization = {vmware}, url = {https://blogs.vmware.com/security/2022/03/emotet-c2-configuration-extraction-and-analysis.html}, language = {English}, urldate = {2022-04-04} } Emotet C2 Configuration Extraction and Analysis
Emotet
2022-03-29 | Threat Post | Elizabeth Montalbano
@online{montalbano:20220329:exchange:ff88f41, author = {Elizabeth Montalbano}, title = {{Exchange Servers Speared in IcedID Phishing Campaign}}, date = {2022-03-29}, organization = {Threat Post}, url = {https://threatpost.com/exchange-servers-speared-in-icedid-phishing-campaign/179137/}, language = {English}, urldate = {2022-03-31} } Exchange Servers Speared in IcedID Phishing Campaign
IcedID
2022-03-28 | Fortinet | James Slaughter, Val Saengphaibul, Fred Gutierrez
@online{slaughter:20220328:spoofed:0cd6f0e, author = {James Slaughter and Val Saengphaibul and Fred Gutierrez}, title = {{Spoofed Invoice Used to Drop IcedID}}, date = {2022-03-28}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/spoofed-invoice-drops-iced-id}, language = {English}, urldate = {2022-03-31} } Spoofed Invoice Used to Drop IcedID
IcedID
2022-03-28 | Bleeping Computer | Bill Toulas
@online{toulas:20220328:microsoft:5bc32d1, author = {Bill Toulas}, title = {{Microsoft Exchange targeted for IcedID reply-chain hijacking attacks}}, date = {2022-03-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/microsoft-exchange-targeted-for-icedid-reply-chain-hijacking-attacks/}, language = {English}, urldate = {2022-03-30} } Microsoft Exchange targeted for IcedID reply-chain hijacking attacks
IcedID
2022-03-28 | Cisco | María José Erquiaga, Onur Erdogan, Adela Jezkova
@online{erquiaga:20220328:emotet:d36774a, author = {María José Erquiaga and Onur Erdogan and Adela Jezkova}, title = {{Emotet is Back}}, date = {2022-03-28}, organization = {Cisco}, url = {https://blogs.cisco.com/security/emotet-is-back}, language = {English}, urldate = {2022-03-30} } Emotet is Back
Emotet
2022-03-28 | Intezer | Joakim Kennedy, Ryan Robinson
@online{kennedy:20220328:new:cede4da, author = {Joakim Kennedy and Ryan Robinson}, title = {{New Conversation Hijacking Campaign Delivering IcedID}}, date = {2022-03-28}, organization = {Intezer}, url = {https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/}, language = {English}, urldate = {2022-04-05} } New Conversation Hijacking Campaign Delivering IcedID
IcedID PhotoLoader
2022-03-25 | SANS ISC | Xavier Mertens
@online{mertens:20220325:xlsb:21fdeaf, author = {Xavier Mertens}, title = {{XLSB Files: Because Binary is Stealthier Than XML}}, date = {2022-03-25}, organization = {SANS ISC}, url = {https://isc.sans.edu/forums/diary/XLSB+Files+Because+Binary+is+Stealthier+Than+XML/28476/}, language = {English}, urldate = {2022-03-25} } XLSB Files: Because Binary is Stealthier Than XML
QakBot
2022-03-23 | Fortinet | Shunichi Imano, Val Saengphaibul
@online{imano:20220323:bad:06c3501, author = {Shunichi Imano and Val Saengphaibul}, title = {{Bad Actors Trying to Capitalize on Current Events via Shameless Email Scams}}, date = {2022-03-23}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/bad-actors-capitalize-current-events-email-scams}, language = {English}, urldate = {2022-03-25} } Bad Actors Trying to Capitalize on Current Events via Shameless Email Scams
Emotet
2022-03-23 | Secureworks | Counter Threat Unit ResearchTeam
@online{researchteam:20220323:gold:0f3da90, author = {Counter Threat Unit ResearchTeam}, title = {{GOLD ULRICK Leaks Reveal Organizational Structure and Relationships}}, date = {2022-03-23}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships}, language = {English}, urldate = {2022-03-25} } GOLD ULRICK Leaks Reveal Organizational Structure and Relationships
Conti Emotet IcedID TrickBot
2022-03-23 | NVISO Labs | Bart Parys
@online{parys:20220323:hunting:1610697, author = {Bart Parys}, title = {{Hunting Emotet campaigns with Kusto}}, date = {2022-03-23}, organization = {NVISO Labs}, url = {https://blog.nviso.eu/2022/03/23/hunting-emotet-campaigns-with-kusto/}, language = {English}, urldate = {2022-03-24} } Hunting Emotet campaigns with Kusto
Emotet
2022-03-23 | Secureworks | Counter Threat Unit ResearchTeam
@online{researchteam:20220323:threat:84ad46c, author = {Counter Threat Unit ResearchTeam}, title = {{Threat Intelligence Executive Report Volume 2022, Number 2}}, date = {2022-03-23}, organization = {Secureworks}, url = {https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx}, language = {English}, urldate = {2022-03-25} } Threat Intelligence Executive Report Volume 2022, Number 2
Conti Emotet IcedID TrickBot
2022-03-23 | Fortinet | Xiaopeng Zhang
@online{zhang:20220323:ms:946096e, author = {Xiaopeng Zhang}, title = {{MS Office Files Involved Again in Recent Emotet Trojan Campaign – Part II}}, date = {2022-03-23}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/ms-office-files-involved-again-in-recent-emotet-trojan-campaign-part-ii}, language = {English}, urldate = {2022-03-25} } MS Office Files Involved Again in Recent Emotet Trojan Campaign – Part II
Emotet
2022-03-21 | Info Security | Vinugayathri Chinnasamy
@online{chinnasamy:20220321:emotet:2d27f06, author = {Vinugayathri Chinnasamy}, title = {{Emotet Is Back and Is Deadlier Than Ever! A Rundown of the Emotet Malware}}, date = {2022-03-21}, organization = {Info Security}, url = {https://www.infosecurity-magazine.com/blogs/a-rundown-of-the-emotet-malware/}, language = {English}, urldate = {2022-03-22} } Emotet Is Back and Is Deadlier Than Ever! A Rundown of the Emotet Malware
Emotet
2022-03-21 | eSentire | eSentire Threat Response Unit (TRU)
@online{tru:20220321:conti:507fdf9, author = {eSentire Threat Response Unit (TRU)}, title = {{Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered}}, date = {2022-03-21}, organization = {eSentire}, url = {https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire}, language = {English}, urldate = {2022-05-23} } Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered
HelloKitty BazarBackdoor Cobalt Strike Conti FiveHands HelloKitty IcedID
2022-03-17 | Github (eln0ty) | Abdallah Elnoty
@online{elnoty:20220317:icedid:0b8ef27, author = {Abdallah Elnoty}, title = {{IcedID Analysis}}, date = {2022-03-17}, organization = {Github (eln0ty)}, url = {https://eln0ty.github.io/malware%20analysis/IcedID/}, language = {English}, urldate = {2022-03-22} } IcedID Analysis
IcedID
2022-03-17 | Trend Micro | Trend Micro Research
@techreport{research:20220317:navigating:5ad631e, author = {Trend Micro Research}, title = {{Navigating New Frontiers Trend Micro 2021 Annual Cybersecurity Report}}, date = {2022-03-17}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf}, language = {English}, urldate = {2022-03-22} } Navigating New Frontiers Trend Micro 2021 Annual Cybersecurity Report
REvil BazarBackdoor Buer IcedID QakBot REvil
2022-03-16 | SANS ISC | Brad Duncan
@online{duncan:20220316:qakbot:7fe703f, author = {Brad Duncan}, title = {{Qakbot infection with Cobalt Strike and VNC activity}}, date = {2022-03-16}, organization = {SANS ISC}, url = {https://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448/}, language = {English}, urldate = {2022-03-17} } Qakbot infection with Cobalt Strike and VNC activity
Cobalt Strike QakBot
2022-03-16 | Symantec | Symantec Threat Hunter Team
@techreport{team:20220316:ransomware:1c2a72a, author = {Symantec Threat Hunter Team}, title = {{The Ransomware Threat Landscape: What to Expect in 2022}}, date = {2022-03-16}, institution = {Symantec}, url = {https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf}, language = {English}, urldate = {2022-03-22} } The Ransomware Threat Landscape: What to Expect in 2022
AvosLocker BlackCat BlackMatter Conti DarkSide DoppelPaymer Emotet Hive Karma Mespinoza Nemty Squirrelwaffle VegaLocker WastedLocker Yanluowang Zeppelin
2022-03-16 | Dragos | Josh Hanrahan
@online{hanrahan:20220316:suspected:325fc01, author = {Josh Hanrahan}, title = {{Suspected Conti Ransomware Activity in the Auto Manufacturing Sector}}, date = {2022-03-16}, organization = {Dragos}, url = {https://www.dragos.com/blog/industry-news/suspected-conti-ransomware-activity-in-the-auto-manufacturing-sector/}, language = {English}, urldate = {2022-03-17} } Suspected Conti Ransomware Activity in the Auto Manufacturing Sector
Conti Emotet
2022-03-16 | InfoSec Handlers Diary Blog | Brad Duncan
@online{duncan:20220316:qakbot:ff11e1e, author = {Brad Duncan}, title = {{Qakbot infection with Cobalt Strike and VNC activity}}, date = {2022-03-16}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/28448}, language = {English}, urldate = {2022-03-17} } Qakbot infection with Cobalt Strike and VNC activity
Cobalt Strike QakBot
2022-03-09 | nikpx | xors
@online{xors:20220309:bokbot:925e438, author = {xors}, title = {{BokBot Technical Analysis}}, date = {2022-03-09}, organization = {nikpx}, url = {https://nikpx.github.io/malware/analysis/2022/03/09/BokBot}, language = {English}, urldate = {2022-03-10} } BokBot Technical Analysis
IcedID
2022-03-08 | Lumen | Black Lotus Labs
@online{labs:20220308:what:c99735b, author = {Black Lotus Labs}, title = {{What Global Network Visibility Reveals about the Resurgence of One of the World’s Most Notorious Botnets}}, date = {2022-03-08}, organization = {Lumen}, url = {https://blog.lumen.com/emotet-redux/}, language = {English}, urldate = {2022-03-10} } What Global Network Visibility Reveals about the Resurgence of One of the World’s Most Notorious Botnets
Emotet
2022-03-07 | Fortinet | Xiaopeng Zhang
@online{zhang:20220307:ms:b388372, author = {Xiaopeng Zhang}, title = {{MS Office Files Involved Again in Recent Emotet Trojan Campaign – Part I}}, date = {2022-03-07}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one}, language = {English}, urldate = {2022-03-08} } MS Office Files Involved Again in Recent Emotet Trojan Campaign – Part I
Emotet
2022-03-03 | Trend Micro | Trend Micro Research
@online{research:20220303:cyberattacks:d961eb0, author = {Trend Micro Research}, title = {{Cyberattacks are Prominent in the Russia-Ukraine Conflict}}, date = {2022-03-03}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html}, language = {English}, urldate = {2022-03-04} } Cyberattacks are Prominent in the Russia-Ukraine Conflict
BazarBackdoor Cobalt Strike Conti Emotet WhisperGate
2022-03-02 | KrebsOnSecurity | Brian Krebs
@online{krebs:20220302:conti:03b0358, author = {Brian Krebs}, title = {{Conti Ransomware Group Diaries, Part II: The Office}}, date = {2022-03-02}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/}, language = {English}, urldate = {2022-03-07} } Conti Ransomware Group Diaries, Part II: The Office
Conti Emotet Ryuk TrickBot
2022-03-01 | Twitter (@ContiLeaks) | ContiLeaks
@online{contileaks:20220301:emotet:b68be9c, author = {ContiLeaks}, title = {{Tweet on Emotet final server scheme}}, date = {2022-03-01}, organization = {Twitter (@ContiLeaks)}, url = {https://twitter.com/ContiLeaks/status/1498614197202079745}, language = {English}, urldate = {2022-03-02} } Tweet on Emotet final server scheme
Emotet
2022-02-26 | LinkedIn (Zayed AlJaberi) | Zayed AlJaberi
@online{aljaberi:20220226:hunting:270b30c, author = {Zayed AlJaberi}, title = {{Hunting Recent QakBot Malware}}, date = {2022-02-26}, organization = {LinkedIn (Zayed AlJaberi)}, url = {https://www.linkedin.com/posts/zayedaljaberi_hunting-recent-qakbot-malware-activity-6903498764984606720-2Gl4}, language = {English}, urldate = {2022-03-01} } Hunting Recent QakBot Malware
QakBot
2022-02-26 | Mandiant | Mandiant
@online{mandiant:20220226:trending:a445d4a, author = {Mandiant}, title = {{TRENDING EVIL Q1 2022}}, date = {2022-02-26}, organization = {Mandiant}, url = {https://experience.mandiant.com/trending-evil/p/1}, language = {English}, urldate = {2022-03-14} } TRENDING EVIL Q1 2022
KEYPLUG FAKEUPDATES GootLoader BazarBackdoor QakBot
2022-02-25 | CyberScoop | Joe Warminsky
@online{warminsky:20220225:trickbot:2d38470, author = {Joe Warminsky}, title = {{TrickBot malware suddenly got quiet, researchers say, but it's hardly the end for its operators}}, date = {2022-02-25}, organization = {CyberScoop}, url = {https://www.cyberscoop.com/trickbot-shutdown-conti-emotet/}, language = {English}, urldate = {2022-03-01} } TrickBot malware suddenly got quiet, researchers say, but it's hardly the end for its operators
BazarBackdoor Emotet TrickBot
2022-02-24 | The Hacker News | Ravie Lakshmanan
@online{lakshmanan:20220224:notorious:c5e1556, author = {Ravie Lakshmanan}, title = {{Notorious TrickBot Malware Gang Shuts Down its Botnet Infrastructure}}, date = {2022-02-24}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/02/notorious-trickbot-malware-gang-shuts.html}, language = {English}, urldate = {2022-03-04} } Notorious TrickBot Malware Gang Shuts Down its Botnet Infrastructure
BazarBackdoor Emotet TrickBot
2022-02-24 | Cynet | Max Malyutin
@online{malyutin:20220224:new:014251e, author = {Max Malyutin}, title = {{New Wave of Emotet – When Project X Turns Into Y}}, date = {2022-02-24}, organization = {Cynet}, url = {https://www.cynet.com/attack-techniques-hands-on/new-wave-of-emotet-when-project-x-turns-into-y/}, language = {English}, urldate = {2022-05-04} } New Wave of Emotet – When Project X Turns Into Y
Cobalt Strike Emotet
2022-02-24 | The Hacker News | Ravie Lakshmanan
@online{lakshmanan:20220224:trickbot:7e86d52, author = {Ravie Lakshmanan}, title = {{TrickBot Gang Likely Shifting Operations to Switch to New Malware}}, date = {2022-02-24}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html}, language = {English}, urldate = {2022-03-01} } TrickBot Gang Likely Shifting Operations to Switch to New Malware
BazarBackdoor Emotet QakBot TrickBot
2022-02-23 | cyber.wtf blog | Luca Ebach
@online{ebach:20220223:what:0a4496e, author = {Luca Ebach}, title = {{What the Pack(er)?}}, date = {2022-02-23}, organization = {cyber.wtf blog}, url = {https://cyber.wtf/2022/03/23/what-the-packer/}, language = {English}, urldate = {2022-03-25} } What the Pack(er)?
Cobalt Strike Emotet
2022-02-22 | eSentire | eSentire Threat Response Unit (TRU)
@online{tru:20220222:icedid:67f870d, author = {eSentire Threat Response Unit (TRU)}, title = {{IcedID to Cobalt Strike In Under 20 Minutes}}, date = {2022-02-22}, organization = {eSentire}, url = {https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes}, language = {English}, urldate = {2022-05-23} } IcedID to Cobalt Strike In Under 20 Minutes
Cobalt Strike IcedID PhotoLoader
2022-02-21 | The DFIR Report
@online{report:20220221:qbot:8b10b52, author = {The DFIR Report}, title = {{Qbot and Zerologon Lead To Full Domain Compromise}}, date = {2022-02-21}, url = {https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/}, language = {English}, urldate = {2022-02-26} } Qbot and Zerologon Lead To Full Domain Compromise
Cobalt Strike QakBot
2022-02-16 | Threat Post | Elizabeth Montalbano
@online{montalbano:20220216:emotet:a1297ac, author = {Elizabeth Montalbano}, title = {{Emotet Now Spreading Through Malicious Excel Files}}, date = {2022-02-16}, organization = {Threat Post}, url = {https://threatpost.com/emotet-spreading-malicious-excel-files/178444/}, language = {English}, urldate = {2022-02-18} } Emotet Now Spreading Through Malicious Excel Files
Emotet
2022-02-16 | SOC Prime | Alla Yurchenko
@online{yurchenko:20220216:qbot:db07ba5, author = {Alla Yurchenko}, title = {{QBot Malware Detection: Old Dog New Tricks}}, date = {2022-02-16}, organization = {SOC Prime}, url = {https://socprime.com/blog/qbot-malware-detection-old-dog-new-tricks/}, language = {English}, urldate = {2022-02-17} } QBot Malware Detection: Old Dog New Tricks
QakBot
2022-02-16 | Security Onion | Doug Burks
@online{burks:20220216:quick:e515983, author = {Doug Burks}, title = {{Quick Malware Analysis: Emotet Epoch 5 and Cobalt Strike pcap from 2022-02-08}}, date = {2022-02-16}, organization = {Security Onion}, url = {https://blog.securityonion.net/2022/02/quick-malware-analysis-emotet-epoch-5.html}, language = {English}, urldate = {2022-02-17} } Quick Malware Analysis: Emotet Epoch 5 and Cobalt Strike pcap from 2022-02-08
Cobalt Strike Emotet
2022-02-15 | eSentire | eSentire Threat Response Unit (TRU)
@online{tru:20220215:increase:a4de9ce, author = {eSentire Threat Response Unit (TRU)}, title = {{Increase in Emotet Activity and Cobalt Strike Deployment}}, date = {2022-02-15}, organization = {eSentire}, url = {https://www.esentire.com/blog/increase-in-emotet-activity-and-cobalt-strike-deployment}, language = {English}, urldate = {2022-05-23} } Increase in Emotet Activity and Cobalt Strike Deployment
Cobalt Strike Emotet
2022-02-15 | Palo Alto Networks Unit 42 | Saqib Khanzada, Tyler Halfpop, Micah Yates, Brad Duncan
@online{khanzada:20220215:new:822e8f9, author = {Saqib Khanzada and Tyler Halfpop and Micah Yates and Brad Duncan}, title = {{New Emotet Infection Method}}, date = {2022-02-15}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/new-emotet-infection-method/}, language = {English}, urldate = {2022-02-17} } New Emotet Infection Method
Emotet
2022-02-13 | NetbyteSEC | Taqi, Rosamira, Fareed
@online{taqi:20220213:technical:50aa099, author = {Taqi and Rosamira and Fareed}, title = {{Technical Malware Analysis: The Return of Emotet}}, date = {2022-02-13}, organization = {NetbyteSEC}, url = {https://notes.netbytesec.com/2022/02/technical-malware-analysis-return-of.html}, language = {English}, urldate = {2022-02-14} } Technical Malware Analysis: The Return of Emotet
Emotet
2022-02-10 | Cybereason | Cybereason Global SOC Team
@online{team:20220210:threat:320574f, author = {Cybereason Global SOC Team}, title = {{Threat Analysis Report: All Paths Lead to Cobalt Strike - IcedID, Emotet and QBot}}, date = {2022-02-10}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot}, language = {English}, urldate = {2022-02-10} } Threat Analysis Report: All Paths Lead to Cobalt Strike - IcedID, Emotet and QBot
Cobalt Strike Emotet IcedID QakBot
2022-02-08 | BleepingComputer | Bill Toulas
@online{toulas:20220208:qbot:a40ed5c, author = {Bill Toulas}, title = {{Qbot needs only 30 minutes to steal your credentials, emails}}, date = {2022-02-08}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/qbot-needs-only-30-minutes-to-steal-your-credentials-emails/}, language = {English}, urldate = {2022-02-09} } Qbot needs only 30 minutes to steal your credentials, emails
QakBot
2022-02-07 | The DFIR Report | The DFIR Report
@online{report:20220207:qbot:35410a9, author = {The DFIR Report}, title = {{Qbot Likes to Move It, Move It}}, date = {2022-02-07}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/}, language = {English}, urldate = {2022-02-09} } Qbot Likes to Move It, Move It
QakBot
2022-02-07 | vmware | Jason Zhang, Threat Analysis Unit
@online{zhang:20220207:emotet:e89deeb, author = {Jason Zhang and Threat Analysis Unit}, title = {{Emotet Is Not Dead (Yet) – Part 2}}, date = {2022-02-07}, organization = {vmware}, url = {https://blogs.vmware.com/networkvirtualization/2022/02/emotet-is-not-dead-yet-part-2.html/}, language = {English}, urldate = {2022-02-10} } Emotet Is Not Dead (Yet) – Part 2
Emotet
2022-02-02 | VMRay | VMRay Labs Team, Mateusz Lukaszewski
@online{team:20220202:malware:0eef3c2, author = {VMRay Labs Team and Mateusz Lukaszewski}, title = {{Malware Analysis Spotlight: Emotet’s Use of Cryptography}}, date = {2022-02-02}, organization = {VMRay}, url = {https://www.vmray.com/cyber-security-blog/malware-analysis-spotlight-emotets-use-of-cryptography/}, language = {English}, urldate = {2022-02-09} } Malware Analysis Spotlight: Emotet’s Use of Cryptography
Emotet
2022-01-27 | Threat Lab Indonesia | Threat Lab Indonesia
@online{indonesia:20220127:malware:8bcfff1, author = {Threat Lab Indonesia}, title = {{Malware Analysis Emotet Infection}}, date = {2022-01-27}, organization = {Threat Lab Indonesia}, url = {https://blog.threatlab.info/malware-analysis-emotet-infection/}, language = {Indonesian}, urldate = {2022-02-02} } Malware Analysis Emotet Infection
Emotet
2022-01-25 | SANS ISC | Brad Duncan
@online{duncan:20220125:emotet:9c62525, author = {Brad Duncan}, title = {{Emotet Stops Using 0.0.0.0 in Spambot Traffic}}, date = {2022-01-25}, organization = {SANS ISC}, url = {https://isc.sans.edu/forums/diary/Emotet+Stops+Using+0000+in+Spambot+Traffic/28270/}, language = {English}, urldate = {2022-02-01} } Emotet Stops Using 0.0.0.0 in Spambot Traffic
Emotet
2022-01-23 | kienmanowar Blog | m4n0w4r, Tran Trung Kien
@online{m4n0w4r:20220123:quicknote:852995b, author = {m4n0w4r and Tran Trung Kien}, title = {{[QuickNote] Emotet epoch4 & epoch5 tactics}}, date = {2022-01-23}, organization = {kienmanowar Blog}, url = {https://kienmanowar.wordpress.com/2022/01/23/quicknote-emotet-epoch4-epoch5-tactics/}, language = {English}, urldate = {2022-01-25} } [QuickNote] Emotet epoch4 & epoch5 tactics
Emotet
2022-01-22 | Atomic Matryoshka | z3r0day_504
@online{z3r0day504:20220122:malware:1ec08ef, author = {z3r0day_504}, title = {{Malware Headliners: Emotet}}, date = {2022-01-22}, organization = {Atomic Matryoshka}, url = {https://www.atomicmatryoshka.com/post/malware-headliners-emotet}, language = {English}, urldate = {2022-02-01} } Malware Headliners: Emotet
Emotet
2022-01-21 | Trend Micro | Ian Kenefick
@online{kenefick:20220121:emotet:daddaf1, author = {Ian Kenefick}, title = {{Emotet Spam Abuses Unconventional IP Address Formats to Spread Malware}}, date = {2022-01-21}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/a/emotet-spam-abuses-unconventional-ip-address-formats-spread-malware.html}, language = {English}, urldate = {2022-01-25} } Emotet Spam Abuses Unconventional IP Address Formats to Spread Malware
Emotet
2022-01-21 | vmware | Jason Zhang, Threat Analysis Unit
@online{zhang:20220121:emotet:bdb4508, author = {Jason Zhang and Threat Analysis Unit}, title = {{Emotet Is Not Dead (Yet)}}, date = {2022-01-21}, organization = {vmware}, url = {https://blogs.vmware.com/networkvirtualization/2022/01/emotet-is-not-dead-yet.html/}, language = {English}, urldate = {2022-02-10} } Emotet Is Not Dead (Yet)
Emotet
2022-01-19 | InfoSec Handlers Diary Blog | Brad Duncan
@online{duncan:20220119:0000:cdac125, author = {Brad Duncan}, title = {{0.0.0.0 in Emotet Spambot Traffic}}, date = {2022-01-19}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/28254}, language = {English}, urldate = {2022-01-24} } 0.0.0.0 in Emotet Spambot Traffic
Emotet
2022-01-19 | Blackberry | The BlackBerry Research & Intelligence Team
@online{team:20220119:kraken:5b52d17, author = {The BlackBerry Research & Intelligence Team}, title = {{Kraken the Code on Prometheus}}, date = {2022-01-19}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus}, language = {English}, urldate = {2022-05-25} } Kraken the Code on Prometheus
Prometheus Backdoor BlackMatter Cerber Cobalt Strike DCRat Ficker Stealer QakBot REvil Ryuk
2022-01-19 | Gdata | Karsten Hahn
@online{hahn:20220119:malware:293c00c, author = {Karsten Hahn}, title = {{Malware vaccines can prevent pandemics, yet are rarely used}}, date = {2022-01-19}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/2022/01/malware-vaccines}, language = {English}, urldate = {2023-03-24} } Malware vaccines can prevent pandemics, yet are rarely used
Emotet STOP
2022-01-18 | Recorded Future | Insikt Group®
@techreport{group:20220118:2021:9cff6fc, author = {Insikt Group®}, title = {{2021 Adversary Infrastructure Report}}, date = {2022-01-18}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf}, language = {English}, urldate = {2022-01-24} } 2021 Adversary Infrastructure Report
BazarBackdoor Cobalt Strike Dridex IcedID QakBot TrickBot
2022-01-17 | forensicitguy | Tony Lambert
@online{lambert:20220117:emotets:85bf9d4, author = {Tony Lambert}, title = {{Emotet's Excel 4.0 Macros Dropping DLLs}}, date = {2022-01-17}, organization = {forensicitguy}, url = {https://forensicitguy.github.io/emotet-excel4-macro-analysis/}, language = {English}, urldate = {2022-01-25} } Emotet's Excel 4.0 Macros Dropping DLLs
Emotet
2022-01-15 | Atomic Matryoshka | z3r0day_504
@online{z3r0day504:20220115:malware:ce94f8c, author = {z3r0day_504}, title = {{Malware Headliners: Qakbot}}, date = {2022-01-15}, organization = {Atomic Matryoshka}, url = {https://www.atomicmatryoshka.com/post/malware-headliners-qakbot}, language = {English}, urldate = {2022-02-01} } Malware Headliners: Qakbot
QakBot
2022-01-14 | RiskIQ | Jordan Herman
@online{herman:20220114:riskiq:f4f5b68, author = {Jordan Herman}, title = {{RiskIQ: Unique SSL Certificates and JARM Hash Connected to Emotet and Dridex C2 Servers}}, date = {2022-01-14}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/2cd1c003}, language = {English}, urldate = {2022-01-18} } RiskIQ: Unique SSL Certificates and JARM Hash Connected to Emotet and Dridex C2 Servers
Dridex Emotet
2022-01-13 | Trustwave | Lloyd Macrohon, Rodel Mendrez
@online{macrohon:20220113:decrypting:274747e, author = {Lloyd Macrohon and Rodel Mendrez}, title = {{Decrypting Qakbot’s Encrypted Registry Keys}}, date = {2022-01-13}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/decrypting-qakbots-encrypted-registry-keys/}, language = {English}, urldate = {2022-01-25} } Decrypting Qakbot’s Encrypted Registry Keys
QakBot
2022-01-11 | Cybereason | Omri Refaeli, Chen Erlich, Ofir Ozer, Niv Yona, Daichi Shimabukuro
@online{refaeli:20220111:threat:fd22089, author = {Omri Refaeli and Chen Erlich and Ofir Ozer and Niv Yona and Daichi Shimabukuro}, title = {{Threat Analysis Report: DatopLoader Exploits ProxyShell to Deliver QBOT and Cobalt Strike}}, date = {2022-01-11}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike}, language = {English}, urldate = {2022-01-18} } Threat Analysis Report: DatopLoader Exploits ProxyShell to Deliver QBOT and Cobalt Strike
Cobalt Strike QakBot Squirrelwaffle
2022-01-11 | Medium walmartglobaltech | Jason Reaves, Joshua Platt
@online{reaves:20220111:signed:0f32583, author = {Jason Reaves and Joshua Platt}, title = {{Signed DLL campaigns as a service}}, date = {2022-01-11}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489}, language = {English}, urldate = {2023-01-31} } Signed DLL campaigns as a service
BATLOADER Cobalt Strike ISFB Zloader
2022-01-07 | muha2xmad | Muhammad Hasan Ali
@online{ali:20220107:unpacking:e59d104, author = {Muhammad Hasan Ali}, title = {{Unpacking Emotet malware part 02}}, date = {2022-01-07}, organization = {muha2xmad}, url = {https://muha2xmad.github.io/unpacking/emotet-part-2/}, language = {English}, urldate = {2022-02-14} } Unpacking Emotet malware part 02
Emotet
2022-01-06 | muha2xmad | Muhammad Hasan Ali
@online{ali:20220106:unpacking:57cdd55, author = {Muhammad Hasan Ali}, title = {{Unpacking Emotet malware part 01}}, date = {2022-01-06}, organization = {muha2xmad}, url = {https://muha2xmad.github.io/unpacking/emotet-part-1/}, language = {English}, urldate = {2022-02-14} } Unpacking Emotet malware part 01
Emotet
2022-01-01 | forensicitguy | Tony Lambert
@online{lambert:20220101:analyzing:1512a76, author = {Tony Lambert}, title = {{Analyzing an IcedID Loader Document}}, date = {2022-01-01}, organization = {forensicitguy}, url = {https://forensicitguy.github.io/analyzing-icedid-document/}, language = {English}, urldate = {2022-01-25} } Analyzing an IcedID Loader Document
IcedID
2021-12-22 | Cloudsek | Anandeshwar Unnikrishnan
@online{unnikrishnan:20211222:emotet:29082b3, author = {Anandeshwar Unnikrishnan}, title = {{Emotet 2.0: Everything you need to know about the new Variant of the Banking Trojan}}, date = {2021-12-22}, organization = {Cloudsek}, url = {https://web.archive.org/web/20211223100528/https://cloudsek.com/emotet-2-0-everything-you-need-to-know-about-the-new-variant-of-thbanking-trojan/}, language = {English}, urldate = {2022-05-25} } Emotet 2.0: Everything you need to know about the new Variant of the Banking Trojan
Emotet
2021-12-17 | Trend Micro | Abraham Camba, Jonna Santos, Gilbert Sison, Jay Yaneza
@online{camba:20211217:staging:0ec37d9, author = {Abraham Camba and Jonna Santos and Gilbert Sison and Jay Yaneza}, title = {{Staging a Quack: Reverse Analyzing a Fileless QAKBOT Stager}}, date = {2021-12-17}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/l/staging-a-quack-reverse-analyzing-fileless-qakbot-stager.html}, language = {English}, urldate = {2021-12-31} } Staging a Quack: Reverse Analyzing a Fileless QAKBOT Stager
QakBot
2021-12-16 | Red Canary | The Red Canary Team
@online{team:20211216:intelligence:f7bad55, author = {The Red Canary Team}, title = {{Intelligence Insights: December 2021}}, date = {2021-12-16}, organization = {Red Canary}, url = {https://redcanary.com/blog/intelligence-insights-december-2021}, language = {English}, urldate = {2021-12-31} } Intelligence Insights: December 2021
Cobalt Strike QakBot Squirrelwaffle
2021-12-16 | InfoSec Handlers Diary Blog | Brad Duncan
@online{duncan:20211216:how:6fd0b06, author = {Brad Duncan}, title = {{How the "Contact Forms" campaign tricks people}}, date = {2021-12-16}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/forums/diary/How+the+Contact+Forms+campaign+tricks+people/28142/}, language = {English}, urldate = {2021-12-31} } How the "Contact Forms" campaign tricks people
IcedID
2021-12-13 | Zscaler | Dennis Schwarz, Avinash Kumar
@online{schwarz:20211213:return:94bdbce, author = {Dennis Schwarz and Avinash Kumar}, title = {{Return of Emotet: Malware Analysis}}, date = {2021-12-13}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/return-emotet-malware-analysis}, language = {English}, urldate = {2021-12-20} } Return of Emotet: Malware Analysis
Emotet
2021-12-11 | YouTube (AGDC Services) | AGDC Services
@online{services:20211211:how:358bd74, author = {AGDC Services}, title = {{How To Extract & Decrypt Qbot Configs Across Variants}}, date = {2021-12-11}, organization = {YouTube (AGDC Services)}, url = {https://www.youtube.com/watch?v=M22c1JgpG-U}, language = {English}, urldate = {2021-12-20} } How To Extract & Decrypt Qbot Configs Across Variants
QakBot
2021-12-09 | Microsoft | Microsoft 365 Defender Threat Intelligence Team
@online{team:20211209:closer:bace4ec, author = {Microsoft 365 Defender Threat Intelligence Team}, title = {{A closer look at Qakbot’s latest building blocks (and how to knock them down)}}, date = {2021-12-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/}, language = {English}, urldate = {2021-12-13} } A closer look at Qakbot’s latest building blocks (and how to knock them down)
QakBot
2021-12-09 | HP | Patrick Schläpfer
@online{schlpfer:20211209:emotets:aa090a7, author = {Patrick Schläpfer}, title = {{Emotet’s Return: What’s Different?}}, date = {2021-12-09}, organization = {HP}, url = {https://threatresearch.ext.hp.com/emotets-return-whats-different/}, language = {English}, urldate = {2022-01-18} } Emotet’s Return: What’s Different?
Emotet
2021-12-08 | Check Point Research | Raman Ladutska, Aliaksandr Trafimchuk, David Driker, Yali Magiel
@online{ladutska:20211208:when:16ee92b, author = {Raman Ladutska and Aliaksandr Trafimchuk and David Driker and Yali Magiel}, title = {{When old friends meet again: why Emotet chose Trickbot for rebirth}}, date = {2021-12-08}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2021/when-old-friends-meet-again-why-emotet-chose-trickbot-for-rebirth/}, language = {English}, urldate = {2022-02-18} } When old friends meet again: why Emotet chose Trickbot for rebirth
Emotet TrickBot
2021-12-07 | Bleeping Computer | Lawrence Abrams
@online{abrams:20211207:emotet:f33c999, author = {Lawrence Abrams}, title = {{Emotet now drops Cobalt Strike, fast forwards ransomware attacks}}, date = {2021-12-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/emotet-now-drops-cobalt-strike-fast-forwards-ransomware-attacks/}, language = {English}, urldate = {2021-12-08} } Emotet now drops Cobalt Strike, fast forwards ransomware attacks
Cobalt Strike Emotet
2021-12-03 | SANS ISC InfoSec Forums | Brad Duncan
@online{duncan:20211203:ta551:f71be57, author = {Brad Duncan}, title = {{TA551 (Shathak) pushes IcedID (Bokbot)}}, date = {2021-12-03}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/TA551+Shathak+pushes+IcedID+Bokbot/28092/}, language = {English}, urldate = {2021-12-06} } TA551 (Shathak) pushes IcedID (Bokbot)
IcedID
2021-11-30 | Deep instinct | Ron Ben Yizhak
@online{yizhak:20211130:reemergence:3f232d5, author = {Ron Ben Yizhak}, title = {{The Re-Emergence of Emotet}}, date = {2021-11-30}, organization = {Deep instinct}, url = {https://www.deepinstinct.com/blog/the-re-emergence-of-emotet}, language = {English}, urldate = {2022-07-18} } The Re-Emergence of Emotet
Emotet
2021-11-25 | DSIH | Charles Blanc-Rolin
@online{blancrolin:20211125:emotet:b02b32b, author = {Charles Blanc-Rolin}, title = {{Emotet de retour, POC Exchange, 0-day Windows : à quelle sauce les attaquants prévoient de nous manger cette semaine?}}, date = {2021-11-25}, organization = {DSIH}, url = {https://www.dsih.fr/article/4483/emotet-de-retour-poc-exchange-0-day-windows-a-quelle-sauce-les-attaquants-prevoient-de-nous-manger-cette-semaine.html}, language = {French}, urldate = {2021-12-06} } Emotet de retour, POC Exchange, 0-day Windows : à quelle sauce les attaquants prévoient de nous manger cette semaine?
Emotet
2021-11-23 | Anomali | Anomali Threat Research
@online{research:20211123:mummy:8cffd4e, author = {Anomali Threat Research}, title = {{Mummy Spider’s Emotet Malware is Back After a Year Hiatus; Wizard Spider’s TrickBot Observed in Its Return}}, date = {2021-11-23}, organization = {Anomali}, url = {https://www.anomali.com/blog/mummy-spiders-emotet-malware-is-back-after-a-year-hiatus-wizard-spiders-trickbot-observed-in-its-return}, language = {English}, urldate = {2021-11-26} } Mummy Spider’s Emotet Malware is Back After a Year Hiatus; Wizard Spider’s TrickBot Observed in Its Return
Emotet
2021-11-21 | Twitter (@tylabs) | Tyler McLellan, Twitter (@ffforward)
@online{mclellan:20211121:twitter:018d4b1, author = {Tyler McLellan and Twitter (@ffforward)}, title = {{Twitter Thread about UNC1500 phishing using QAKBOT}}, date = {2021-11-21}, organization = {Twitter (@tylabs)}, url = {https://twitter.com/tylabs/status/1462195377277476871}, language = {English}, urldate = {2021-11-29} } Twitter Thread about UNC1500 phishing using QAKBOT
QakBot
2021-11-20 | Twitter (@eduardfir) | Eduardo Mattos
@online{mattos:20211120:velociraptor:bc6d897, author = {Eduardo Mattos}, title = {{Tweet on Velociraptor artifact analysis for Emotet}}, date = {2021-11-20}, organization = {Twitter (@eduardfir)}, url = {https://twitter.com/eduardfir/status/1461856030292422659}, language = {English}, urldate = {2021-11-25} } Tweet on Velociraptor artifact analysis for Emotet
Emotet
2021-11-20 | Youtube (HEXORCIST) | Nicolas Brulez
@online{brulez:20211120:unpacking:b26d2fb, author = {Nicolas Brulez}, title = {{Unpacking Emotet and Reversing Obfuscated Word Document}}, date = {2021-11-20}, organization = {Youtube (HEXORCIST)}, url = {https://www.youtube.com/watch?v=AkZ5TYBqcU4}, language = {English}, urldate = {2021-12-20} } Unpacking Emotet and Reversing Obfuscated Word Document
Emotet
2021-11-20 | Advanced Intelligence | Yelisey Boguslavskiy, Vitali Kremez
@online{boguslavskiy:20211120:corporate:a8b0a1c, author = {Yelisey Boguslavskiy and Vitali Kremez}, title = {{Corporate Loader "Emotet": History of "X" Project Return for Ransomware}}, date = {2021-11-20}, organization = {Advanced Intelligence}, url = {https://www.advintel.io/post/corporate-loader-emotet-history-of-x-project-return-for-ransomware}, language = {English}, urldate = {2021-11-25} } Corporate Loader "Emotet": History of "X" Project Return for Ransomware
Emotet
2021-11-19 | CRONUP | Germán Fernández
@online{fernndez:20211119:la:2cbc6a0, author = {Germán Fernández}, title = {{La Botnet de EMOTET reinicia ataques en Chile y LATAM}}, date = {2021-11-19}, organization = {CRONUP}, url = {https://www.cronup.com/la-botnet-de-emotet-reinicia-ataques-en-chile-y-latinoamerica/}, language = {Spanish}, urldate = {2021-11-25} } La Botnet de EMOTET reinicia ataques en Chile y LATAM
Emotet
2021-11-19 | Trend Micro | Mohamed Fahmy, Sherif Magdy, Abdelrhman Sharshar
@online{fahmy:20211119:squirrelwaffle:1e8fa78, author = {Mohamed Fahmy and Sherif Magdy and Abdelrhman Sharshar}, title = {{Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains}}, date = {2021-11-19}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html}, language = {English}, urldate = {2021-11-25} } Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains
Cobalt Strike QakBot Squirrelwaffle
2021-11-19 | LAC WATCH | LAC WATCH
@online{watch:20211119:malware:c504e6f, author = {LAC WATCH}, title = {{Malware Emotet resumes its activities for the first time in 10 months, and Japan is also the target of the attack}}, date = {2021-11-19}, organization = {LAC WATCH}, url = {https://www.lac.co.jp/lacwatch/alert/20211119_002801.html}, language = {English}, urldate = {2021-11-25} } Malware Emotet resumes its activities for the first time in 10 months, and Japan is also the target of the attack
Emotet
2021-11-18 | Netskope | Gustavo Palazolo, Ghanashyam Satpathy
@online{palazolo:20211118:netskope:39d2098, author = {Gustavo Palazolo and Ghanashyam Satpathy}, title = {{Netskope Threat Coverage: The Return of Emotet}}, date = {2021-11-18}, organization = {Netskope}, url = {https://www.netskope.com/blog/netskope-threat-coverage-the-return-of-emotet}, language = {English}, urldate = {2021-11-25} } Netskope Threat Coverage: The Return of Emotet
Emotet
2021-11-18 | eSentire | eSentire
@online{esentire:20211118:emotet:ded09a3, author = {eSentire}, title = {{Emotet Activity Identified}}, date = {2021-11-18}, organization = {eSentire}, url = {https://www.esentire.com/security-advisories/emotet-activity-identified}, language = {English}, urldate = {2021-11-19} } Emotet Activity Identified
Emotet
2021-11-18 | Red Canary | The Red Canary Team
@online{team:20211118:intelligence:7b00cb9, author = {The Red Canary Team}, title = {{Intelligence Insights: November 2021}}, date = {2021-11-18}, organization = {Red Canary}, url = {https://redcanary.com/blog/intelligence-insights-november-2021/}, language = {English}, urldate = {2021-11-19} } Intelligence Insights: November 2021
Andromeda Conti LockBit QakBot Squirrelwaffle
2021-11-17 | Twitter (@Unit42_Intel) | Unit 42
@online{42:20211117:matanbuchus:9e3556c, author = {Unit 42}, title = {{Tweet on Matanbuchus Loader used to deliver Qakbot (tag obama128b) and follow-up CobaltStrike}}, date = {2021-11-17}, organization = {Twitter (@Unit42_Intel)}, url = {https://twitter.com/Unit42_Intel/status/1461004489234829320}, language = {English}, urldate = {2021-11-25} } Tweet on Matanbuchus Loader used to deliver Qakbot (tag obama128b) and follow-up CobaltStrike
Cobalt Strike QakBot
2021-11-16 | Twitter (@kienbigmummy) | m4n0w4r
@online{m4n0w4r:20211116:short:97d45fa, author = {m4n0w4r}, title = {{Tweet on short analysis of QakBot}}, date = {2021-11-16}, organization = {Twitter (@kienbigmummy)}, url = {https://twitter.com/kienbigmummy/status/1460537501676802051}, language = {English}, urldate = {2021-11-19} } Tweet on short analysis of QakBot
QakBot
2021-11-16 | Malwarebytes | Malwarebytes Threat Intelligence Team
@online{team:20211116:trickbot:b624694, author = {Malwarebytes Threat Intelligence Team}, title = {{TrickBot helps Emotet come back from the dead}}, date = {2021-11-16}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-intelligence/2021/11/trickbot-helps-emotet-come-back-from-the-dead/}, language = {English}, urldate = {2021-11-17} } TrickBot helps Emotet come back from the dead
Emotet TrickBot
2021-11-16 | Zscaler | Deepen Desai
@online{desai:20211116:return:936dad6, author = {Deepen Desai}, title = {{Return of Emotet malware}}, date = {2021-11-16}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/return-emotet-malware}, language = {English}, urldate = {2021-11-19} } Return of Emotet malware
Emotet
2021-11-16 | Hornetsecurity | Security Lab
@online{lab:20211116:comeback:7f2b540, author = {Security Lab}, title = {{Comeback of Emotet}}, date = {2021-11-16}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/threat-research/comeback-emotet/}, language = {English}, urldate = {2021-11-25} } Comeback of Emotet
Emotet
2021-11-16 | IronNet | IronNet Threat Research, Morgan Demboski, Joey Fitzpatrick, Peter Rydzynski
@online{research:20211116:how:d7fdaf8, author = {IronNet Threat Research and Morgan Demboski and Joey Fitzpatrick and Peter Rydzynski}, title = {{How IronNet's Behavioral Analytics Detect REvil and Conti Ransomware}}, date = {2021-11-16}, organization = {IronNet}, url = {https://www.ironnet.com/blog/ransomware-graphic-blog}, language = {English}, urldate = {2021-11-25} } How IronNet's Behavioral Analytics Detect REvil and Conti Ransomware
Cobalt Strike Conti IcedID REvil
2021-11-16 | InfoSec Handlers Diary Blog | Brad Duncan
@online{duncan:20211116:emotet:3545954, author = {Brad Duncan}, title = {{Emotet Returns}}, date = {2021-11-16}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/28044}, language = {English}, urldate = {2021-11-17} } Emotet Returns
Emotet
2021-11-15 | Bleeping Computer | Lawrence Abrams
@online{abrams:20211115:emotet:8de6d81, author = {Lawrence Abrams}, title = {{Emotet malware is back and rebuilding its botnet via TrickBot}}, date = {2021-11-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/emotet-malware-is-back-and-rebuilding-its-botnet-via-trickbot/}, language = {English}, urldate = {2021-11-17} } Emotet malware is back and rebuilding its botnet via TrickBot
Emotet
2021-11-15 | cyber.wtf blog | Luca Ebach
@online{ebach:20211115:guess:81c7df8, author = {Luca Ebach}, title = {{Guess who’s back}}, date = {2021-11-15}, organization = {cyber.wtf blog}, url = {https://cyber.wtf/2021/11/15/guess-whos-back/}, language = {English}, urldate = {2021-11-17} } Guess who’s back
Emotet
2021-11-15 | TRUESEC | Fabio Viggiani
@online{viggiani:20211115:proxyshell:bf17c6d, author = {Fabio Viggiani}, title = {{ProxyShell, QBot, and Conti Ransomware Combined in a Series of Cyberattacks}}, date = {2021-11-15}, organization = {TRUESEC}, url = {https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks}, language = {English}, urldate = {2021-11-17} } ProxyShell, QBot, and Conti Ransomware Combined in a Series of Cyberattacks
Cobalt Strike Conti QakBot
2021-11-13 | Trend Micro | Ian Kenefick, Vladimir Kropotov
@online{kenefick:20211113:qakbot:3138b93, author = {Ian Kenefick and Vladimir Kropotov}, title = {{QAKBOT Loader Returns With New Techniques and Tools}}, date = {2021-11-13}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/k/qakbot-loader-returns-with-new-techniques-and-tools.html}, language = {English}, urldate = {2021-11-17} } QAKBOT Loader Returns With New Techniques and Tools
QakBot
2021-11-13 | YouTube (AGDC Services) | AGDC Services
@online{services:20211113:automate:487e01f, author = {AGDC Services}, title = {{Automate Qbot Malware String Decryption With Ghidra Script}}, date = {2021-11-13}, organization = {YouTube (AGDC Services)}, url = {https://www.youtube.com/watch?v=4I0LF8Vm7SI}, language = {English}, urldate = {2021-11-19} } Automate Qbot Malware String Decryption With Ghidra Script
QakBot
2021-11-12 | Recorded Future | Insikt Group®
@techreport{group:20211112:business:6d6cffa, author = {Insikt Group®}, title = {{The Business of Fraud: Botnet Malware Dissemination}}, date = {2021-11-12}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf}, language = {English}, urldate = {2021-11-17} } The Business of Fraud: Botnet Malware Dissemination
Mozi Dridex IcedID QakBot TrickBot
2021-11-12 | Trend Micro | Ian Kenefick, Vladimir Kropotov
@techreport{kenefick:20211112:prelude:781d4d7, author = {Ian Kenefick and Vladimir Kropotov}, title = {{The Prelude to Ransomware: A Look into Current QAKBOT Capabilities and Global Activities}}, date = {2021-11-12}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/pdf/Technical-Brief---The-Prelude-to-Ransomware-A-Look-into-Current-QAKBOT-Capabilities-and-Activity.pdf}, language = {English}, urldate = {2021-11-17} } The Prelude to Ransomware: A Look into Current QAKBOT Capabilities and Global Activities
QakBot
2021-11-11 | Cynet | Max Malyutin
@online{malyutin:20211111:duck:897cc6f, author = {Max Malyutin}, title = {{A Duck Nightmare Quakbot Strikes with QuakNightmare Exploitation}}, date = {2021-11-11}, organization = {Cynet}, url = {https://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation/}, language = {English}, urldate = {2021-11-25} } A Duck Nightmare Quakbot Strikes with QuakNightmare Exploitation
Cobalt Strike QakBot
2021-11-11 | vmware | Jason Zhang, Stefano Ortolani, Giovanni Vigna, Threat Analysis Unit
@online{zhang:20211111:research:b254ed6, author = {Jason Zhang and Stefano Ortolani and Giovanni Vigna and Threat Analysis Unit}, title = {{Research Recap: How To Automate Malware Campaign Detection With Telemetry Peak Analyzer}}, date = {2021-11-11}, organization = {vmware}, url = {https://blogs.vmware.com/security/2021/11/telemetry-peak-analyzer-an-automatic-malware-campaign-detector.html}, language = {English}, urldate = {2022-03-22} } Research Recap: How To Automate Malware Campaign Detection With Telemetry Peak Analyzer
Phorpiex QakBot
2021-11-10 | CIRCL | CIRCL
@online{circl:20211110:tr64:37ab4d8, author = {CIRCL}, title = {{TR-64 - Exploited Exchange Servers - Mails with links to malware from known/valid senders}}, date = {2021-11-10}, organization = {CIRCL}, url = {https://www.circl.lu/pub/tr-64/}, language = {English}, urldate = {2021-11-25} } TR-64 - Exploited Exchange Servers - Mails with links to malware from known/valid senders
QakBot
2021-11-09 | MinervaLabs | Minerva Labs
@online{labs:20211109:new:411a8fd, author = {Minerva Labs}, title = {{A New DatopLoader Delivers QakBot Trojan}}, date = {2021-11-09}, organization = {MinervaLabs}, url = {https://blog.minerva-labs.com/a-new-datoploader-delivers-qakbot-trojan}, language = {English}, urldate = {2021-11-17} } A New DatopLoader Delivers QakBot Trojan
QakBot Squirrelwaffle
2021-11-04 | splunk | Splunk Threat Research Team
@online{team:20211104:detecting:d8aba5b, author = {Splunk Threat Research Team}, title = {{Detecting IcedID... Could It Be A Trickbot Copycat?}}, date = {2021-11-04}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/detecting-icedid-could-it-be-a-trickbot-copycat.html}, language = {English}, urldate = {2021-11-08} } Detecting IcedID... Could It Be A Trickbot Copycat?
IcedID
2021-11-03 | Twitter (@Corvid_Cyber) | CORVID
@online{corvid:20211103:unique:3709f32, author = {CORVID}, title = {{Tweet on a unique Qbot debugger dropped by an actor after compromise}}, date = {2021-11-03}, organization = {Twitter (@Corvid_Cyber)}, url = {https://twitter.com/Corvid_Cyber/status/1455844008081641472}, language = {English}, urldate = {2021-11-08} } Tweet on a unique Qbot debugger dropped by an actor after compromise
QakBot
2021-11-03 | Team Cymru | tcblogposts
@online{tcblogposts:20211103:webinject:f4d41bb, author = {tcblogposts}, title = {{Webinject Panel Administration: A Vantage Point into Multiple Threat Actor Campaigns - A Case Study on the Value of Threat Reconnaisance}}, date = {2021-11-03}, organization = {Team Cymru}, url = {https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/}, language = {English}, urldate = {2021-11-08} } Webinject Panel Administration: A Vantage Point into Multiple Threat Actor Campaigns - A Case Study on the Value of Threat Reconnaisance
DoppelDridex IcedID QakBot Zloader
2021-10-26 | ANSSI
@techreport{anssi:20211026:identification:9444ac3, author = {ANSSI}, title = {{Identification of a new cyber criminal group: Lockean}}, date = {2021-10-26}, institution = {}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf}, language = {English}, urldate = {2022-01-25} } Identification of a new cyber criminal group: Lockean
Cobalt Strike DoppelPaymer Egregor Maze PwndLocker QakBot REvil
2021-10-26 | Cisco Talos | Edmund Brumaghin, Mariano Graziano, Nick Mavis
@online{brumaghin:20211026:squirrelwaffle:88c5943, author = {Edmund Brumaghin and Mariano Graziano and Nick Mavis}, title = {{SQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike}}, date = {2021-10-26}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html}, language = {English}, urldate = {2021-11-02} } SQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike
Cobalt Strike QakBot Squirrelwaffle
2021-10-25 | Cleafy | Cleafy
@online{cleafy:20211025:digital:48fbdf8, author = {Cleafy}, title = {{Digital banking fraud: how the Gozi malware works}}, date = {2021-10-25}, organization = {Cleafy}, url = {https://www.cleafy.com/cleafy-labs/digital-banking-fraud-how-the-gozi-malware-work}, language = {English}, urldate = {2021-11-02} } Digital banking fraud: how the Gozi malware works
ISFB
2021-10-18 | The DFIR Report | The DFIR Report
@online{report:20211018:icedid:0b574b0, author = {The DFIR Report}, title = {{IcedID to XingLocker Ransomware in 24 hours}}, date = {2021-10-18}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/}, language = {English}, urldate = {2021-10-22} } IcedID to XingLocker Ransomware in 24 hours
Cobalt Strike IcedID Mount Locker
2021-10-15 | Trend Micro | Fernando Mercês
@online{mercs:20211015:ransomware:c944933, author = {Fernando Mercês}, title = {{Ransomware Operators Found Using New "Franchise" Business Model}}, date = {2021-10-15}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/j/ransomware-operators-found-using-new-franchise-business-model.html}, language = {English}, urldate = {2021-10-24} } Ransomware Operators Found Using New "Franchise" Business Model
Glupteba IcedID Mount Locker
2021-10-07 | Netskope | Gustavo Palazolo, Ghanashyam Satpathy
@online{palazolo:20211007:squirrelwaffle:3506816, author = {Gustavo Palazolo and Ghanashyam Satpathy}, title = {{SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot}}, date = {2021-10-07}, organization = {Netskope}, url = {https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot}, language = {English}, urldate = {2021-10-11} } SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot
Cobalt Strike QakBot Squirrelwaffle
2021-09-29 | Proofpoint | Selena Larson, Proofpoint Staff
@online{larson:20210929:ta544:ab2f0d3, author = {Selena Larson and Proofpoint Staff}, title = {{TA544 Targets Italian Organizations with Ursnif Malware}}, date = {2021-09-29}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/security-briefs/ta544-targets-italian-organizations-ursnif-malware}, language = {English}, urldate = {2021-10-11} } TA544 Targets Italian Organizations with Ursnif Malware
ISFB
2021-09-03 | IBM | Camille Singleton, Andrew Gorecki, John Dwyer
@online{singleton:20210903:dissecting:4d56786, author = {Camille Singleton and Andrew Gorecki and John Dwyer}, title = {{Dissecting Sodinokibi Ransomware Attacks: Bringing Incident Response and Intelligence Together in the Fight}}, date = {2021-09-03}, organization = {IBM}, url = {https://securityintelligence.com/posts/sodinokibi-ransomware-incident-response-intelligence-together/}, language = {English}, urldate = {2021-09-09} } Dissecting Sodinokibi Ransomware Attacks: Bringing Incident Response and Intelligence Together in the Fight
Valak QakBot REvil
2021-09-03 | Trend Micro | Mohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2021-09-02 | Kaspersky | Anton Kuzmenko, Oleg Kupreev, Haim Zigel
@online{kuzmenko:20210902:qakbot:219d23c, author = {Anton Kuzmenko and Oleg Kupreev and Haim Zigel}, title = {{QakBot Technical Analysis}}, date = {2021-09-02}, organization = {Kaspersky}, url = {https://securelist.com/qakbot-technical-analysis/103931/}, language = {English}, urldate = {2021-09-06} } QakBot Technical Analysis
QakBot
2021-08-15 | Symantec | Threat Hunter Team
@techreport{team:20210815:ransomware:f799696, author = {Threat Hunter Team}, title = {{The Ransomware Threat}}, date = {2021-08-15}, institution = {Symantec}, url = {https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf}, language = {English}, urldate = {2021-12-15} } The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker
2021-08-05 | Group-IB | Viktor Okorokov, Nikita Rostovcev
@online{okorokov:20210805:prometheus:38ab6a6, author = {Viktor Okorokov and Nikita Rostovcev}, title = {{Prometheus TDS The key to success for Campo Loader, Hancitor, IcedID, and QBot}}, date = {2021-08-05}, organization = {Group-IB}, url = {https://blog.group-ib.com/prometheus-tds}, language = {English}, urldate = {2021-08-06} } Prometheus TDS The key to success for Campo Loader, Hancitor, IcedID, and QBot
Prometheus Backdoor Buer campoloader Hancitor IcedID QakBot
2021-08-05 | The Record | Catalin Cimpanu
@online{cimpanu:20210805:meet:bce8310, author = {Catalin Cimpanu}, title = {{Meet Prometheus, the secret TDS behind some of today’s malware campaigns}}, date = {2021-08-05}, organization = {The Record}, url = {https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/}, language = {English}, urldate = {2021-08-06} } Meet Prometheus, the secret TDS behind some of today’s malware campaigns
Buer campoloader IcedID QakBot
2021-07-30 | HP | Patrick Schläpfer
@online{schlpfer:20210730:detecting:2291323, author = {Patrick Schläpfer}, title = {{Detecting TA551 domains}}, date = {2021-07-30}, organization = {HP}, url = {https://threatresearch.ext.hp.com/detecting-ta551-domains/}, language = {English}, urldate = {2021-08-02} } Detecting TA551 domains
Valak Dridex IcedID ISFB QakBot
2021-07-26 | vmware | Quentin Fois, Pavankumar Chaudhari
@online{fois:20210726:hunting:ff1181b, author = {Quentin Fois and Pavankumar Chaudhari}, title = {{Hunting IcedID and unpacking automation with Qiling}}, date = {2021-07-26}, organization = {vmware}, url = {https://blogs.vmware.com/security/2021/07/hunting-icedid-and-unpacking-automation-with-qiling.html}, language = {English}, urldate = {2021-07-27} } Hunting IcedID and unpacking automation with Qiling
IcedID
2021-07-24 | 0ffset Blog | Daniel Bunce
@online{bunce:20210724:quack:ddda5cd, author = {Daniel Bunce}, title = {{Quack Quack: Analysing Qakbot’s Browser Hooking Module – Part 1}}, date = {2021-07-24}, organization = {0ffset Blog}, url = {https://www.0ffset.net/reverse-engineering/malware-analysis/qakbot-browser-hooking-p1/}, language = {English}, urldate = {2021-08-02} } Quack Quack: Analysing Qakbot’s Browser Hooking Module – Part 1
QakBot
2021-07-23 | Github (Lastline-Inc) | Quentin Fois, Pavankumar Chaudhari
@online{fois:20210723:yara:e9a8a22, author = {Quentin Fois and Pavankumar Chaudhari}, title = {{YARA rules, IOCs and Scripts for extracting IcedID C2s}}, date = {2021-07-23}, organization = {Github (Lastline-Inc)}, url = {https://github.com/Lastline-Inc/iocs-tools/tree/main/2021-07-IcedID-Part-2}, language = {English}, urldate = {2021-07-27} } YARA rules, IOCs and Scripts for extracting IcedID C2s
IcedID
2021-07-19 | The DFIR Report | The DFIR Report
@online{report:20210719:icedid:0365384, author = {The DFIR Report}, title = {{IcedID and Cobalt Strike vs Antivirus}}, date = {2021-07-19}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/}, language = {English}, urldate = {2021-07-20} } IcedID and Cobalt Strike vs Antivirus
Cobalt Strike IcedID
2021-07-14 | Cerium Networks | Blumira
@online{blumira:20210714:threat:614d084, author = {Blumira}, title = {{Threat of the Month: IcedID Malware}}, date = {2021-07-14}, organization = {Cerium Networks}, url = {https://ceriumnetworks.com/threat-of-the-month-icedid-malware/}, language = {English}, urldate = {2021-07-20} } Threat of the Month: IcedID Malware
IcedID
2021-07-12 | The Record | Catalin Cimpanu
@online{cimpanu:20210712:over:c88e351, author = {Catalin Cimpanu}, title = {{Over 780,000 email accounts compromised by Emotet have been secured}}, date = {2021-07-12}, organization = {The Record}, url = {https://therecord.media/over-780000-email-accounts-compromised-by-emotet-have-been-secured/}, language = {English}, urldate = {2021-07-20} } Over 780,000 email accounts compromised by Emotet have been secured
Emotet
2021-07-08 | vmware | Quentin Fois, Pavankumar Chaudhari
@online{fois:20210708:icedid:47da76d, author = {Quentin Fois and Pavankumar Chaudhari}, title = {{IcedID: Analysis and Detection}}, date = {2021-07-08}, organization = {vmware}, url = {https://blogs.vmware.com/security/2021/07/icedid-analysis-and-detection.html}, language = {English}, urldate = {2021-07-20} } IcedID: Analysis and Detection
IcedID
2021-06-30 | Cynet | Max Malyutin
@online{malyutin:20210630:shelob:1c93f5d, author = {Max Malyutin}, title = {{Shelob Moonlight – Spinning a Larger Web From IcedID to CONTI, a Trojan and Ransomware collaboration}}, date = {2021-06-30}, organization = {Cynet}, url = {https://www.cynet.com/attack-techniques-hands-on/shelob-moonlight-spinning-a-larger-web/}, language = {English}, urldate = {2021-07-20} } Shelob Moonlight – Spinning a Larger Web From IcedID to CONTI, a Trojan and Ransomware collaboration
Conti IcedID
2021-06-30 | The Record | Catalin Cimpanu
@online{cimpanu:20210630:gozi:8760ba7, author = {Catalin Cimpanu}, title = {{Gozi malware gang member arrested in Colombia}}, date = {2021-06-30}, organization = {The Record}, url = {https://therecord.media/gozi-malware-gang-member-arrested-in-colombia/}, language = {English}, urldate = {2021-07-02} } Gozi malware gang member arrested in Colombia
Gozi ISFB
2021-06-24 | Kaspersky | Anton Kuzmenko
@online{kuzmenko:20210624:malicious:83a5c83, author = {Anton Kuzmenko}, title = {{Malicious spam campaigns delivering banking Trojans}}, date = {2021-06-24}, organization = {Kaspersky}, url = {https://securelist.com/malicious-spam-campaigns-delivering-banking-trojans/102917}, language = {English}, urldate = {2021-06-25} } Malicious spam campaigns delivering banking Trojans
IcedID QakBot
2021-06-24 | SentinelOne | Marco Figueroa
@online{figueroa:20210624:evasive:7f0d507, author = {Marco Figueroa}, title = {{Evasive Maneuvers | Massive IcedID Campaign Aims For Stealth with Benign Macros}}, date = {2021-06-24}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/evasive-maneuvers-massive-icedid-campaign-aims-for-stealth-with-benign-macros/}, language = {English}, urldate = {2021-06-29} } Evasive Maneuvers | Massive IcedID Campaign Aims For Stealth with Benign Macros
IcedID
2021-06-23 | IBM | Itzik Chimino
@online{chimino:20210623:ursnif:700b0a7, author = {Itzik Chimino}, title = {{Ursnif Leverages Cerberus to Automate Fraudulent Bank Transfers in Italy}}, date = {2021-06-23}, organization = {IBM}, url = {https://securityintelligence.com/posts/ursnif-cerberus-android-malware-bank-transfers-italy/}, language = {English}, urldate = {2021-06-24} } Ursnif Leverages Cerberus to Automate Fraudulent Bank Transfers in Italy
ISFB
2021-06-20 | The DFIR Report | The DFIR Report
@online{report:20210620:from:aadb7e8, author = {The DFIR Report}, title = {{From Word to Lateral Movement in 1 Hour}}, date = {2021-06-20}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/}, language = {English}, urldate = {2021-06-22} } From Word to Lateral Movement in 1 Hour
Cobalt Strike IcedID
2021-06-16 | S2 Grupo | CSIRT-CV (the ICT Security Center of the Valencian Community)
@online{community:20210616:emotet:7e0fafe, author = {CSIRT-CV (the ICT Security Center of the Valencian Community)}, title = {{Emotet campaign analysis}}, date = {2021-06-16}, organization = {S2 Grupo}, url = {https://www.securityartwork.es/2021/06/16/analisis-campana-emotet/}, language = {Spanish}, urldate = {2021-06-21} } Emotet campaign analysis
Emotet QakBot
2021-06-16 | Proofpoint | Selena Larson, Daniel Blackford, Garrett M. Graff
@online{larson:20210616:first:2e436a0, author = {Selena Larson and Daniel Blackford and Garrett M. Graff}, title = {{The First Step: Initial Access Leads to Ransomware}}, date = {2021-06-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware}, language = {English}, urldate = {2021-06-21} } The First Step: Initial Access Leads to Ransomware
BazarBackdoor Egregor IcedID Maze QakBot REvil Ryuk TrickBot WastedLocker
2021-06-16 | Twitter (@ChouchWard) | ch0uch ward
@online{ward:20210616:qbot:1adaa08, author = {ch0uch ward}, title = {{Tweet on Qbot operators left their web server's access.log file unsecured}}, date = {2021-06-16}, organization = {Twitter (@ChouchWard)}, url = {https://twitter.com/ChouchWard/status/1405168040254316547}, language = {English}, urldate = {2021-06-21} } Tweet on Qbot operators left their web server's access.log file unsecured
QakBot
2021-06-15 | Perception Point | Shai Golderman
@online{golderman:20210615:insights:d3fc7b6, author = {Shai Golderman}, title = {{Insights Into an Excel 4.0 Macro Attack using Qakbot Malware}}, date = {2021-06-15}, organization = {Perception Point}, url = {https://perception-point.io/insights-into-an-excel-4-0-macro-attack-using-qakbot-malware}, language = {English}, urldate = {2021-06-21} } Insights Into an Excel 4.0 Macro Attack using Qakbot Malware
QakBot
2021-06-10 | ZEIT Online | Von Kai Biermann, Astrid Geisler, Herwig G. Höller, Karsten Polke-Majewski, Zachary Kamel
@online{biermann:20210610:trail:42969a8, author = {Von Kai Biermann and Astrid Geisler and Herwig G. Höller and Karsten Polke-Majewski and Zachary Kamel}, title = {{On the Trail of the Internet Extortionists}}, date = {2021-06-10}, organization = {ZEIT Online}, url = {https://www.zeit.de/digital/2021-06/cybercrime-extortion-internet-spyware-ransomware-police-prosecution-hackers}, language = {English}, urldate = {2021-07-02} } On the Trail of the Internet Extortionists
Emotet Mailto
2021-06-10 | ZAYOTEM | İlker Verimoğlu, Emre Doğan, Kaan Binen, Abdulkadir Binan, Emrah Sarıdağ
@online{verimolu:20210610:qakbot:4896852, author = {İlker Verimoğlu and Emre Doğan and Kaan Binen and Abdulkadir Binan and Emrah Sarıdağ}, title = {{QakBot Technical Analysis Report}}, date = {2021-06-10}, organization = {ZAYOTEM}, url = {https://drive.google.com/file/d/1mO2Zb-Q94t39DvdASd4KNTPBD8JdkyC3/view}, language = {English}, urldate = {2021-06-16} } QakBot Technical Analysis Report
QakBot
2021-06-10 | Tagesschau | Hakan Tanriverdi, Maximilian Zierer
@online{tanriverdi:20210610:schadsoftware:834b3fd, author = {Hakan Tanriverdi and Maximilian Zierer}, title = {{Schadsoftware Emotet: BKA befragt Schlüsselfigur}}, date = {2021-06-10}, organization = {Tagesschau}, url = {https://www.tagesschau.de/investigativ/br-recherche/emotet-schadsoftware-103.html}, language = {English}, urldate = {2021-07-02} } Schadsoftware Emotet: BKA befragt Schlüsselfigur
Emotet
2021-06-08 | Advanced Intelligence | Vitali Kremez, Yelisey Boguslavskiy
@online{kremez:20210608:from:62f4d20, author = {Vitali Kremez and Yelisey Boguslavskiy}, title = {{From QBot...with REvil Ransomware: Initial Attack Exposure of JBS}}, date = {2021-06-08}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/from-qbot-with-revil-ransomware-initial-attack-exposure-of-jbs}, language = {English}, urldate = {2021-06-09} } From QBot...with REvil Ransomware: Initial Attack Exposure of JBS
QakBot REvil
2021-06-02 | Bleeping Computer | Lawrence Abrams
@online{abrams:20210602:fujifilm:eced96f, author = {Lawrence Abrams}, title = {{FUJIFILM shuts down network after suspected ransomware attack}}, date = {2021-06-02}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fujifilm-shuts-down-network-after-suspected-ransomware-attack/}, language = {English}, urldate = {2021-06-09} } FUJIFILM shuts down network after suspected ransomware attack
QakBot
2021-05-29 | Youtube (AhmedS Kasmani) | AhmedS Kasmani
@online{kasmani:20210529:analysis:96b0902, author = {AhmedS Kasmani}, title = {{Analysis of ICEID Malware Installer DLL}}, date = {2021-05-29}, organization = {Youtube (AhmedS Kasmani)}, url = {https://www.youtube.com/watch?v=wMXD4Sv1Alw}, language = {English}, urldate = {2021-06-04} } Analysis of ICEID Malware Installer DLL
IcedID
2021-05-26 | DeepInstinct | Ron Ben Yizhak
@online{yizhak:20210526:deep:c123a19, author = {Ron Ben Yizhak}, title = {{A Deep Dive into Packing Software CryptOne}}, date = {2021-05-26}, organization = {DeepInstinct}, url = {https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/}, language = {English}, urldate = {2021-06-22} } A Deep Dive into Packing Software CryptOne
Cobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader
2021-05-26 | Check Point | Alex Ilgayev
@online{ilgayev:20210526:melting:40f5caf, author = {Alex Ilgayev}, title = {{Melting Ice – Tracking IcedID Servers with a few simple steps}}, date = {2021-05-26}, organization = {Check Point}, url = {https://research.checkpoint.com/2021/melting-ice-tracking-icedid-servers-with-a-few-simple-steps/}, language = {English}, urldate = {2021-06-09} } Melting Ice – Tracking IcedID Servers with a few simple steps
IcedID
2021-05-19 | Team Cymru | Josh Hopkins, Andy Kraus, Nick Byers
@online{hopkins:20210519:tracking:45749be, author = {Josh Hopkins and Andy Kraus and Nick Byers}, title = {{Tracking BokBot Infrastructure Mapping a Vast and Currently Active BokBot Network}}, date = {2021-05-19}, organization = {Team Cymru}, url = {https://team-cymru.com/blog/2021/05/19/tracking-bokbot-infrastructure/}, language = {English}, urldate = {2021-05-26} } Tracking BokBot Infrastructure Mapping a Vast and Currently Active BokBot Network
IcedID
2021-05-19 | Intel 471 | Intel 471
@online{471:20210519:look:5ba9516, author = {Intel 471}, title = {{Look how many cybercriminals love Cobalt Strike}}, date = {2021-05-19}, organization = {Intel 471}, url = {https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor}, language = {English}, urldate = {2021-05-19} } Look how many cybercriminals love Cobalt Strike
BazarBackdoor Cobalt Strike Hancitor QakBot SmokeLoader SystemBC TrickBot
2021-05-18 | RECON INFOSEC | Andrew Cook
@online{cook:20210518:encounter:c4ef6d9, author = {Andrew Cook}, title = {{An Encounter With TA551/Shathak}}, date = {2021-05-18}, organization = {RECON INFOSEC}, url = {https://blog.reconinfosec.com/an-encounter-with-ta551-shathak}, language = {English}, urldate = {2021-05-25} } An Encounter With TA551/Shathak
IcedID
2021-05-17 | Github (telekom-security) | Deutsche Telekom Security GmbH
@online{gmbh:20210517:icedidanalysis:e985983, author = {Deutsche Telekom Security GmbH}, title = {{icedid_analysis}}, date = {2021-05-17}, organization = {Github (telekom-security)}, url = {https://github.com/telekom-security/icedid_analysis}, language = {English}, urldate = {2021-05-17} } icedid_analysis
IcedID
2021-05-17 | Telekom | Thomas Barabosch
@online{barabosch:20210517:lets:04a8b63, author = {Thomas Barabosch}, title = {{Let’s set ice on fire: Hunting and detecting IcedID infections}}, date = {2021-05-17}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240}, language = {English}, urldate = {2021-05-17} } Let’s set ice on fire: Hunting and detecting IcedID infections
IcedID
2021-05-12 | The DFIR Report
@online{report:20210512:conti:598c5f2, author = {The DFIR Report}, title = {{Conti Ransomware}}, date = {2021-05-12}, url = {https://thedfirreport.com/2021/05/12/conti-ransomware/}, language = {English}, urldate = {2021-05-13} } Conti Ransomware
Cobalt Strike Conti IcedID
2021-05-10 | Wirtschaftswoche | Thomas Kuhn
@online{kuhn:20210510:how:5f1953b, author = {Thomas Kuhn}, title = {{How one of the largest hacker networks in the world was paralyzed}}, date = {2021-05-10}, organization = {Wirtschaftswoche}, url = {https://www.wiwo.de/my/technologie/digitale-welt/emotet-netzwerk-wie-eines-der-groessten-hacker-netzwerke-der-welt-lahmgelegt-wurde/27164048.html}, language = {German}, urldate = {2021-05-13} } How one of the largest hacker networks in the world was paralyzed
Emotet
2021-05-10 | MALWATION | malwation
@online{malwation:20210510:icedid:0637539, author = {malwation}, title = {{IcedID Malware Technical Analysis Report}}, date = {2021-05-10}, organization = {MALWATION}, url = {https://malwation.com/icedid-malware-technical-analysis-report/}, language = {English}, urldate = {2021-07-02} } IcedID Malware Technical Analysis Report
IcedID
2021-05-10 | Mal-Eats | mal_eats
@online{maleats:20210510:overview:50ff3b3, author = {mal_eats}, title = {{Overview of Campo, a new attack campaign targeting Japan}}, date = {2021-05-10}, organization = {Mal-Eats}, url = {https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/}, language = {English}, urldate = {2021-05-13} } Overview of Campo, a new attack campaign targeting Japan
AnchorDNS BazarBackdoor Cobalt Strike ISFB Phobos TrickBot Zloader
2021-05-04 | NCC Group | fumik0, NCC RIFT
@online{fumik0:20210504:rm3:cd994e6, author = {fumik0 and NCC RIFT}, title = {{RM3 – Curiosities of the wildest banking malware}}, date = {2021-05-04}, organization = {NCC Group}, url = {https://research.nccgroup.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/}, language = {English}, urldate = {2021-05-19} } RM3 – Curiosities of the wildest banking malware
ISFB RM3
2021-05-04 | Seguranca Informatica | Pedro Tavares
@online{tavares:20210504:taste:b6a3380, author = {Pedro Tavares}, title = {{A taste of the latest release of QakBot}}, date = {2021-05-04}, organization = {Seguranca Informatica}, url = {https://seguranca-informatica.pt/a-taste-of-the-latest-release-of-qakbot}, language = {English}, urldate = {2021-05-07} } A taste of the latest release of QakBot
QakBot
2021-05-04 | Fox-IT | fumik0, the RIFT Team, Fox IT
@online{fumik0:20210504:rm3:41d6969, author = {fumik0 and the RIFT Team and Fox IT}, title = {{RM3 – Curiosities of the wildest banking malware}}, date = {2021-05-04}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/}, language = {English}, urldate = {2021-05-04} } RM3 – Curiosities of the wildest banking malware
ISFB
2021-04-30 | MADRID Labs | Odin Bernstein
@online{bernstein:20210430:qbot:104bad4, author = {Odin Bernstein}, title = {{Qbot: Analyzing PHP Proxy Scripts from Compromised Web Server}}, date = {2021-04-30}, organization = {MADRID Labs}, url = {https://madlabs.dsu.edu/madrid/blog/2021/04/30/qbot-analyzing-php-proxy-scripts-from-compromised-web-server/}, language = {English}, urldate = {2021-05-08} } Qbot: Analyzing PHP Proxy Scripts from Compromised Web Server
QakBot
2021-04-28 | IBM | David Bisson
@online{bisson:20210428:qbot:dcbcd50, author = {David Bisson}, title = {{QBot Malware Spotted Using Windows Defender Antivirus Lure}}, date = {2021-04-28}, organization = {IBM}, url = {https://securityintelligence.com/news/qbot-malware-using-windows-defender-antivirus-lure/}, language = {English}, urldate = {2021-05-03} } QBot Malware Spotted Using Windows Defender Antivirus Lure
QakBot
2021-04-28 | Reversing Labs | Karlo Zanki
@online{zanki:20210428:spotting:61ba0f6, author = {Karlo Zanki}, title = {{Spotting malicious Excel4 macros}}, date = {2021-04-28}, organization = {Reversing Labs}, url = {https://blog.reversinglabs.com/blog/spotting-malicious-excel4-macros}, language = {English}, urldate = {2021-05-03} } Spotting malicious Excel4 macros
QakBot
2021-04-22 | Github (@cecio) | @red5heep
@online{red5heep:20210422:emotet:44c2798, author = {@red5heep}, title = {{EMOTET: a State-Machine reversing exercise}}, date = {2021-04-22}, organization = {Github (@cecio)}, url = {https://github.com/cecio/EMOTET-2020-Reversing}, language = {English}, urldate = {2021-11-12} } EMOTET: a State-Machine reversing exercise
Emotet
2021-04-22 | Spamhaus | Spamhaus Malware Labs
@techreport{labs:20210422:spamhaus:4a32a4d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q1 2021}}, date = {2021-04-22}, institution = {Spamhaus}, url = {https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf}, language = {English}, urldate = {2021-04-28} } Spamhaus Botnet Threat Update Q1 2021
Emotet Ficker Stealer Raccoon
2021-04-19 | Netresec | Erik Hjelmvik
@online{hjelmvik:20210419:analysing:c6bff49, author = {Erik Hjelmvik}, title = {{Analysing a malware PCAP with IcedID and Cobalt Strike traffic}}, date = {2021-04-19}, organization = {Netresec}, url = {https://netresec.com/?b=214d7ff}, language = {English}, urldate = {2021-04-20} } Analysing a malware PCAP with IcedID and Cobalt Strike traffic
Cobalt Strike IcedID
2021-04-19 | Twitter (@_alex_il_) | Alex Ilgayev
@online{ilgayev:20210419:qakbots:b3b929c, author = {Alex Ilgayev}, title = {{Tweet on QakBot's additional decryption mechanism}}, date = {2021-04-19}, organization = {Twitter (@_alex_il_)}, url = {https://twitter.com/_alex_il_/status/1384094623270727685}, language = {English}, urldate = {2021-04-20} } Tweet on QakBot's additional decryption mechanism
QakBot
2021-04-17 | YouTube (Worcester DEFCON Group) | Joel Snape, Nettitude
@online{snape:20210417:inside:2c3ae5c, author = {Joel Snape and Nettitude}, title = {{Inside IcedID: Anatomy Of An Infostealer}}, date = {2021-04-17}, organization = {YouTube (Worcester DEFCON Group)}, url = {https://www.youtube.com/watch?v=YEqLIR6hfOM}, language = {English}, urldate = {2021-04-20} } Inside IcedID: Anatomy Of An Infostealer
IcedID
2021-04-15 | AT&T | Dax Morrow, Ofer Caspi
@online{morrow:20210415:rise:73d9a21, author = {Dax Morrow and Ofer Caspi}, title = {{The rise of QakBot}}, date = {2021-04-15}, organization = {AT&T}, url = {https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot}, language = {English}, urldate = {2021-04-16} } The rise of QakBot
QakBot
2021-04-13 | Silent Push | Martijn Grooten
@online{grooten:20210413:malicious:094869a, author = {Martijn Grooten}, title = {{Malicious infrastructure as a service}}, date = {2021-04-13}, organization = {Silent Push}, url = {https://www.silentpush.com/blog/malicious-infrastructure-as-a-service}, language = {English}, urldate = {2022-06-09} } Malicious infrastructure as a service
IcedID PhotoLoader QakBot
2021-04-12 | Trend Micro | Raphael Centeno, Don Ovid Ladores, Lala Manly, Junestherry Salvador, Frankylnn Uy
@online{centeno:20210412:spike:d67dcb0, author = {Raphael Centeno and Don Ovid Ladores and Lala Manly and Junestherry Salvador and Frankylnn Uy}, title = {{A Spike in BazarCall and IcedID Activity Detected in March}}, date = {2021-04-12}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/d/a-spike-in-bazarcall-and-icedid-activity.html}, language = {English}, urldate = {2021-04-14} } A Spike in BazarCall and IcedID Activity Detected in March
BazarBackdoor IcedID
2021-04-12 | Twitter (@elisalem9) | Eli Salem
@online{salem:20210412:tweets:7b7280e, author = {Eli Salem}, title = {{Tweets on QakBot}}, date = {2021-04-12}, organization = {Twitter (@elisalem9)}, url = {https://twitter.com/elisalem9/status/1381859965875462144}, language = {English}, urldate = {2021-04-14} } Tweets on QakBot
QakBot
2021-04-12 | PTSecurity | PTSecurity
@online{ptsecurity:20210412:paas:1d06836, author = {PTSecurity}, title = {{PaaS, or how hackers evade antivirus software}}, date = {2021-04-12}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/}, language = {English}, urldate = {2021-04-12} } PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader
2021-04-114rchibld4rchibld
@online{4rchibld:20210411:icedid:4135c21, author = {4rchibld}, title = {{IcedID on my neck I’m the coolest}}, date = {2021-04-11}, organization = {4rchibld}, url = {https://4rchib4ld.github.io/blog/IcedIDOnMyNeckImTheCoolest/}, language = {English}, urldate = {2021-05-11} } IcedID on my neck I’m the coolest
IcedID
2021-04-10Youtube (AhmedS Kasmani)AhmedS Kasmani
@online{kasmani:20210410:malware:e2000de, author = {AhmedS Kasmani}, title = {{Malware Analysis: IcedID Banking Trojan JavaScript Dropper}}, date = {2021-04-10}, organization = {Youtube (AhmedS Kasmani)}, url = {https://www.youtube.com/watch?v=oZ4bwnjcXWg}, language = {English}, urldate = {2021-04-12} } Malware Analysis: IcedID Banking Trojan JavaScript Dropper
IcedID
2021-04-09aaqeel01Ali Aqeel
@online{aqeel:20210409:icedid:a6e3243, author = {Ali Aqeel}, title = {{IcedID Analysis}}, date = {2021-04-09}, organization = {aaqeel01}, url = {https://aaqeel01.wordpress.com/2021/04/09/icedid-analysis/}, language = {English}, urldate = {2021-04-12} } IcedID Analysis
IcedID
2021-04-09MicrosoftEmily Hacker, Justin Carroll, Microsoft 365 Defender Threat Intelligence Team
@online{hacker:20210409:investigating:2b6f30a, author = {Emily Hacker and Justin Carroll and Microsoft 365 Defender Threat Intelligence Team}, title = {{Investigating a unique “form” of email delivery for IcedID malware}}, date = {2021-04-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/04/09/investigating-a-unique-form-of-email-delivery-for-icedid-malware/}, language = {English}, urldate = {2021-04-12} } Investigating a unique “form” of email delivery for IcedID malware
IcedID
2021-04-09Palo Alto Networks Unit 42Yanhui Jia, Chris Navarrete
@online{jia:20210409:emotet:c376dd2, author = {Yanhui Jia and Chris Navarrete}, title = {{Emotet Command and Control Case Study}}, date = {2021-04-09}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/emotet-command-and-control/}, language = {English}, urldate = {2021-04-12} } Emotet Command and Control Case Study
Emotet
2021-04-07UptycsAshwin Vamshi, Abhijit Mohanta
@online{vamshi:20210407:icedid:bbda303, author = {Ashwin Vamshi and Abhijit Mohanta}, title = {{IcedID campaign spotted being spiced with Excel 4 Macros}}, date = {2021-04-07}, organization = {Uptycs}, url = {https://www.uptycs.com/blog/icedid-campaign-spotted-being-spiced-with-excel-4-macros}, language = {English}, urldate = {2021-04-09} } IcedID campaign spotted being spiced with Excel 4 Macros
IcedID
2021-04-07MinervaMinerva Labs
@online{labs:20210407:icedid:d178d16, author = {Minerva Labs}, title = {{IcedID - A New Threat In Office Attachments}}, date = {2021-04-07}, organization = {Minerva}, url = {https://blog.minerva-labs.com/icedid-maas}, language = {English}, urldate = {2021-04-09} } IcedID - A New Threat In Office Attachments
IcedID
2021-04-06Intel 471Intel 471
@online{471:20210406:ettersilent:b591f59, author = {Intel 471}, title = {{EtterSilent: the underground’s new favorite maldoc builder}}, date = {2021-04-06}, organization = {Intel 471}, url = {https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/}, language = {English}, urldate = {2021-04-06} } EtterSilent: the underground’s new favorite maldoc builder
BazarBackdoor ISFB QakBot TrickBot
2021-04-01Reversing LabsRobert Simmons
@online{simmons:20210401:code:885c081, author = {Robert Simmons}, title = {{Code Reuse Across Packers and DLL Loaders}}, date = {2021-04-01}, organization = {Reversing Labs}, url = {https://blog.reversinglabs.com/blog/code-reuse-across-packers-and-dll-loaders}, language = {English}, urldate = {2021-04-09} } Code Reuse Across Packers and DLL Loaders
IcedID SystemBC
2021-03-31Silent PushMartijn Grooten
@online{grooten:20210331:icedid:42c6051, author = {Martijn Grooten}, title = {{IcedID Command and Control Infrastructure}}, date = {2021-03-31}, organization = {Silent Push}, url = {https://www.silentpush.com/blog/icedid-command-and-control-infrastructure}, language = {English}, urldate = {2022-06-09} } IcedID Command and Control Infrastructure
IcedID PhotoLoader
2021-03-31KasperskyKaspersky
@online{kaspersky:20210331:financial:3371aa0, author = {Kaspersky}, title = {{Financial Cyberthreats in 2020}}, date = {2021-03-31}, organization = {Kaspersky}, url = {https://securelist.com/financial-cyberthreats-in-2020/101638/}, language = {English}, urldate = {2021-04-06} } Financial Cyberthreats in 2020
BetaBot DanaBot Emotet Gozi Ramnit RTM SpyEye TrickBot Zeus
2021-03-31Red CanaryRed Canary
@techreport{canary:20210331:2021:cd81f2d, author = {Red Canary}, title = {{2021 Threat Detection Report}}, date = {2021-03-31}, institution = {Red Canary}, url = {https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf}, language = {English}, urldate = {2021-04-06} } 2021 Threat Detection Report
Shlayer Andromeda Cobalt Strike Dridex Emotet IcedID MimiKatz QakBot TrickBot
2021-03-29The DFIR ReportThe DFIR Report
@online{report:20210329:sodinokibi:4c63e20, author = {The DFIR Report}, title = {{Sodinokibi (aka REvil) Ransomware}}, date = {2021-03-29}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/}, language = {English}, urldate = {2021-03-30} } Sodinokibi (aka REvil) Ransomware
Cobalt Strike IcedID REvil
2021-03-26Trend MicroTrend Micro
@online{micro:20210326:alleged:ce2115c, author = {Trend Micro}, title = {{Alleged Members of Egregor Ransomware Cartel Arrested}}, date = {2021-03-26}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/c/egregor-ransomware-cartel-members-arrested.html}, language = {English}, urldate = {2021-04-28} } Alleged Members of Egregor Ransomware Cartel Arrested
Egregor QakBot
2021-03-21BlackberryBlackberry Research
@techreport{research:20210321:2021:a393473, author = {Blackberry Research}, title = {{2021 Threat Report}}, date = {2021-03-21}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf}, language = {English}, urldate = {2021-03-25} } 2021 Threat Report
Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot
2021-03-19MITREMITRE ATT&CK
@online{attck:20210319:ta551:48627e5, author = {MITRE ATT&CK}, title = {{TA551}}, date = {2021-03-19}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0127/}, language = {English}, urldate = {2022-07-13} } TA551
GOLD CABIN
2021-03-18VinCSSTran Trung Kien
@online{kien:20210318:re021:00caf5b, author = {Tran Trung Kien}, title = {{[RE021] Qakbot analysis – Dangerous malware has been around for more than a decade}}, date = {2021-03-18}, organization = {VinCSS}, url = {https://blog.vincss.net/2021/03/re021-qakbot-dangerous-malware-has-been-around-for-more-than-a-decade.html}, language = {English}, urldate = {2021-03-19} } [RE021] Qakbot analysis – Dangerous malware has been around for more than a decade
QakBot
2021-03-17HPHP Bromium
@techreport{bromium:20210317:threat:3aed551, author = {HP Bromium}, title = {{Threat Insights Report Q4-2020}}, date = {2021-03-17}, institution = {HP}, url = {https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf}, language = {English}, urldate = {2021-03-19} } Threat Insights Report Q4-2020
Agent Tesla BitRAT ComodoSec Dridex Emotet Ficker Stealer Formbook Zloader
2021-03-12Binary DefenseJames Quinn
@online{quinn:20210312:icedid:3e6db43, author = {James Quinn}, title = {{IcedID GZIPLOADER Analysis}}, date = {2021-03-12}, organization = {Binary Defense}, url = {https://www.binarydefense.com/icedid-gziploader-analysis/}, language = {English}, urldate = {2021-03-16} } IcedID GZIPLOADER Analysis
IcedID
2021-03-08Palo Alto Networks Unit 42Chris Navarrete, Yanhui Jia, Matthew Tennis, Durgesh Sangvikar, Rongbo Shao
@online{navarrete:20210308:attack:6238643, author = {Chris Navarrete and Yanhui Jia and Matthew Tennis and Durgesh Sangvikar and Rongbo Shao}, title = {{Attack Chain Overview: Emotet in December 2020 and January 2021}}, date = {2021-03-08}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/attack-chain-overview-emotet-in-december-2020-and-january-2021/}, language = {English}, urldate = {2021-03-11} } Attack Chain Overview: Emotet in December 2020 and January 2021
Emotet
2021-03-04F5Dor Nizar, Roy Moshailov
@online{nizar:20210304:icedid:bfcc689, author = {Dor Nizar and Roy Moshailov}, title = {{IcedID Banking Trojan Uses COVID-19 Pandemic to Lure New Victims}}, date = {2021-03-04}, organization = {F5}, url = {https://www.f5.com/labs/articles/threat-intelligence/icedid-banking-trojan-uses-covid-19-pandemic-to-lure-new-victims}, language = {English}, urldate = {2021-03-06} } IcedID Banking Trojan Uses COVID-19 Pandemic to Lure New Victims
IcedID
2021-03Group-IBOleg Skulkin, Roman Rezvukhin, Semyon Rogachev
@techreport{skulkin:202103:ransomware:992ca10, author = {Oleg Skulkin and Roman Rezvukhin and Semyon Rogachev}, title = {{Ransomware Uncovered 2020/2021}}, date = {2021-03}, institution = {Group-IB}, url = {https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf}, language = {English}, urldate = {2021-06-16} } Ransomware Uncovered 2020/2021
RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Tonto Team
2021-02-28NetbyteSEC
@online{netbytesec:20210228:deobfuscating:a975d4c, author = {NetbyteSEC}, title = {{Deobfuscating Emotet Macro Document and Powershell Command}}, date = {2021-02-28}, url = {https://notes.netbytesec.com/2021/02/deobfuscating-emotet-macro-and.html}, language = {English}, urldate = {2022-02-14} } Deobfuscating Emotet Macro Document and Powershell Command
Emotet
2021-02-26CrowdStrikeEric Loui, Sergei Frankoff
@online{loui:20210226:hypervisor:8dadf9c, author = {Eric Loui and Sergei Frankoff}, title = {{Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact}}, date = {2021-02-26}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout}, language = {English}, urldate = {2021-05-26} } Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
DarkSide RansomEXX Griffon Carbanak Cobalt Strike DarkSide IcedID MimiKatz PyXie RansomEXX REvil
2021-02-25ANSSICERT-FR
@techreport{certfr:20210225:ryuk:7895e12, author = {CERT-FR}, title = {{Ryuk Ransomware}}, date = {2021-02-25}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf}, language = {English}, urldate = {2021-03-02} } Ryuk Ransomware
BazarBackdoor Buer Conti Emotet Ryuk TrickBot
2021-02-25FireEyeBryce Abdo, Brendan McKeague, Van Ta
@online{abdo:20210225:so:88f3400, author = {Bryce Abdo and Brendan McKeague and Van Ta}, title = {{So Unchill: Melting UNC2198 ICEDID to Ransomware Operations}}, date = {2021-02-25}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html}, language = {English}, urldate = {2021-03-02} } So Unchill: Melting UNC2198 ICEDID to Ransomware Operations
MOUSEISLAND Cobalt Strike Egregor IcedID Maze SystemBC
2021-02-25JPCERT/CCKen Sajo
@online{sajo:20210225:emotet:f78fb4e, author = {Ken Sajo}, title = {{Emotet Disruption and Outreach to Affected Users}}, date = {2021-02-25}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2021/02/emotet-notice.html}, language = {English}, urldate = {2021-02-25} } Emotet Disruption and Outreach to Affected Users
Emotet
2021-02-24IBMIBM SECURITY X-FORCE
@online{xforce:20210224:xforce:ac9a90e, author = {IBM SECURITY X-FORCE}, title = {{X-Force Threat Intelligence Index 2021}}, date = {2021-02-24}, organization = {IBM}, url = {https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89}, language = {English}, urldate = {2021-03-02} } X-Force Threat Intelligence Index 2021
Emotet QakBot Ramnit REvil TrickBot
2021-02-24AllsafeShota Nakajima, Hara Hiroaki
@techreport{nakajima:20210224:malware:0f5ff88, author = {Shota Nakajima and Hara Hiroaki}, title = {{Malware Analysis at Scale - Defeating Emotet by Ghidra}}, date = {2021-02-24}, institution = {Allsafe}, url = {https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_workshop_malware-analysis_jp.pdf}, language = {English}, urldate = {2021-02-26} } Malware Analysis at Scale - Defeating Emotet by Ghidra
Emotet
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-17Politie NLPolitie NL
@online{nl:20210217:politie:a27a279, author = {Politie NL}, title = {{Politie bestrijdt cybercrime via Nederlandse infrastructuur}}, date = {2021-02-17}, organization = {Politie NL}, url = {https://www.politie.nl/nieuws/2021/februari/17/politie-bestrijdt-cybercrime-via-nederlandse-infrastructuur.html},