aka: Twisted Kitten, Cobalt Gypsy, Crambus, Helix Kitten, APT 34, APT34, IRN2, ATK40, G0049, Evasive Serpens
OilRig is an Iranian threat group operating primarily in the Middle East by targeting organizations in this region that are in a variety of different industries; however, this group has occasionally targeted organizations outside of the Middle East as well. It also appears OilRig carries out supply chain attacks, where the threat group leverages the trust relationship between organizations to attack their primary targets.
OilRig is an active and organized threat group, which is evident based on their systematic targeting of specific organizations that appear to be carefully chosen for strategic purposes. Attacks attributed to this group primarily rely on social engineering to exploit the human rather than software vulnerabilities; however, on occasion this group has used recently patched vulnerabilities in the delivery phase of their attacks. The lack of software vulnerability exploitation does not necessarily suggest a lack of sophistication, as OilRig has shown maturity in other aspects of their operations. Such maturities involve:
-Organized evasion testing used the during development of their tools.
-Use of custom DNS Tunneling protocols for command and control (C2) and data exfiltration.
-Custom web-shells and backdoors used to persistently access servers.
OilRig relies on stolen account credentials for lateral movement. After OilRig gains access to a system, they use credential dumping tools, such as Mimikatz, to steal credentials to accounts logged into the compromised system. The group uses these credentials to access and to move laterally to other systems on the network. After obtaining credentials from a system, operators in this group prefer to use tools other than their backdoors to access the compromised systems, such as remote desktop and putty. OilRig also uses phishing sites to harvest credentials to individuals at targeted organizations to gain access to internet accessible resources, such as Outlook Web Access.
Since at least 2014, an Iranian threat group tracked by FireEye as APT34 has conducted reconnaissance aligned with the strategic interests of Iran. The group conducts operations primarily in the Middle East, targeting financial, government, energy, chemical, telecommunications and other industries. Repeated targeting of Middle Eastern financial, energy and government organizations leads FireEye to assess that those sectors are a primary concern of APT34. The use of infrastructure tied to Iranian operations, timing and alignment with the national interests of Iran also lead FireEye to assess that APT34 acts on behalf of the Iranian government.
2023-08-30 ⋅ NSFOCUS ⋅ NSFOCUS
@online{nsfocus:20230830:apt34:0be5a70,
author = {NSFOCUS},
title = {{APT34 Unleashes New Wave of Phishing Attack with Variant of SideTwist Trojan}},
date = {2023-08-30},
organization = {NSFOCUS},
url = {https://nsfocusglobal.com/apt34-unleashes-new-wave-of-phishing-attack-with-variant-of-sidetwist-trojan/},
language = {English},
urldate = {2023-09-07}
}
APT34 Unleashes New Wave of Phishing Attack with Variant of SideTwist Trojan
SideTwist |
2023-07-31 ⋅ Cleafy ⋅ Francesco Iubatti
@online{iubatti:20230731:spynote:6507c5a,
author = {Francesco Iubatti},
title = {{SpyNote continues to attack financial institutions}},
date = {2023-07-31},
organization = {Cleafy},
url = {https://www.cleafy.com/cleafy-labs/spynote-continues-to-attack-financial-institutions},
language = {English},
urldate = {2023-07-31}
}
SpyNote continues to attack financial institutions
SpyNote |
2023-05-10 ⋅ K7 Security ⋅ Baran S
@online{s:20230510:spynote:6170e66,
author = {Baran S},
title = {{spynote}},
date = {2023-05-10},
organization = {K7 Security},
url = {https://labs.k7computing.com/index.php/spynote-targets-irctc-users/},
language = {English},
urldate = {2023-05-21}
}
spynote
SpyNote |
2023-02-02 ⋅ Trend Micro ⋅ Mohamed Fahmy, Sherif Magdy, Mahmoud Zohdy
@online{fahmy:20230202:new:7d997ea,
author = {Mohamed Fahmy and Sherif Magdy and Mahmoud Zohdy},
title = {{New APT34 Malware Targets The Middle East}},
date = {2023-02-02},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/23/b/new-apt34-malware-targets-the-middle-east.html},
language = {English},
urldate = {2023-02-03}
}
New APT34 Malware Targets The Middle East
Karkoff RedCap Saitama Backdoor |
2023-01-05 ⋅ ThreatFabric ⋅ ThreatFabric
@online{threatfabric:20230105:spynote:a1e8256,
author = {ThreatFabric},
title = {{SpyNote: Spyware with RAT capabilities targeting Financial Institutions}},
date = {2023-01-05},
organization = {ThreatFabric},
url = {https://www.threatfabric.com/blogs/spynote-rat-targeting-financial-institutions},
language = {English},
urldate = {2023-06-05}
}
SpyNote: Spyware with RAT capabilities targeting Financial Institutions
SpyMax SpyNote |
2023-01-05 ⋅ Bleeping Computer ⋅ Bill Toulas
@online{toulas:20230105:spynote:54f5a05,
author = {Bill Toulas},
title = {{SpyNote Android malware infections surge after source code leak}},
date = {2023-01-05},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/spynote-android-malware-infections-surge-after-source-code-leak/},
language = {English},
urldate = {2023-01-06}
}
SpyNote Android malware infections surge after source code leak
SpyNote |
2023-01-04 ⋅ K7 Security ⋅ Saikumaravel
@online{saikumaravel:20230104:pupy:f6eacce,
author = {Saikumaravel},
title = {{Pupy RAT hiding under WerFault’s cover}},
date = {2023-01-04},
organization = {K7 Security},
url = {https://labs.k7computing.com/index.php/pupy-rat-hiding-under-werfaults-cover/},
language = {English},
urldate = {2023-01-05}
}
Pupy RAT hiding under WerFault’s cover
pupy |
2022-12-06 ⋅ 360 Threat Intelligence Center ⋅ 360 Beacon Lab
@online{lab:20221206:analysis:d045827,
author = {360 Beacon Lab},
title = {{Analysis of suspected APT-C-56 (Transparent Tribe) attacks against terrorism}},
date = {2022-12-06},
organization = {360 Threat Intelligence Center},
url = {https://mp.weixin.qq.com/s/J_A12SOX0k5TOYFAegBv_w},
language = {Chinese},
urldate = {2022-12-24}
}
Analysis of suspected APT-C-56 (Transparent Tribe) attacks against terrorism
AhMyth Meterpreter SpyNote AsyncRAT |
2022-09-26 ⋅ CrowdStrike ⋅ Ioan Iacob, Iulian Madalin Ionita
@online{iacob:20220926:anatomy:248e6ff,
author = {Ioan Iacob and Iulian Madalin Ionita},
title = {{The Anatomy of Wiper Malware, Part 3: Input/Output Controls}},
date = {2022-09-26},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/},
language = {English},
urldate = {2022-09-29}
}
The Anatomy of Wiper Malware, Part 3: Input/Output Controls
CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper Meteor Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare |
2022-09-08 ⋅ Microsoft ⋅ Microsoft Security Threat Intelligence
@online{intelligence:20220908:microsoft:66fa6e4,
author = {Microsoft Security Threat Intelligence},
title = {{Microsoft investigates Iranian attacks against the Albanian government}},
date = {2022-09-08},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government},
language = {English},
urldate = {2022-09-13}
}
Microsoft investigates Iranian attacks against the Albanian government
ZeroCleare |
2022-08-17 ⋅ 360 ⋅ 360 Threat Intelligence Center
@online{center:20220817:kasablanka:2a28570,
author = {360 Threat Intelligence Center},
title = {{Kasablanka organizes attacks against political groups and non-profit organizations in the Middle East}},
date = {2022-08-17},
organization = {360},
url = {https://mp.weixin.qq.com/s/mstwBMkS0G3Et4GOji2mwA},
language = {Chinese},
urldate = {2022-08-19}
}
Kasablanka organizes attacks against political groups and non-profit organizations in the Middle East
SpyNote Loda Nanocore RAT NjRAT |
2022-08-12 ⋅ CrowdStrike ⋅ Ioan Iacob, Iulian Madalin Ionita
@online{iacob:20220812:anatomy:b13ce32,
author = {Ioan Iacob and Iulian Madalin Ionita},
title = {{The Anatomy of Wiper Malware, Part 1: Common Techniques}},
date = {2022-08-12},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/},
language = {English},
urldate = {2023-01-19}
}
The Anatomy of Wiper Malware, Part 1: Common Techniques
Apostle CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper IsraBye KillDisk Meteor Olympic Destroyer Ordinypt Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare |
2022-08-10 ⋅ K7 Security ⋅ Baran S
@online{s:20220810:spynote:277e9ab,
author = {Baran S},
title = {{spynote}},
date = {2022-08-10},
organization = {K7 Security},
url = {https://labs.k7computing.com/index.php/spynote-an-android-snooper/},
language = {English},
urldate = {2022-08-17}
}
spynote
SpyNote |
2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
@online{42:20220718:evasive:ccfb062,
author = {Unit 42},
title = {{Evasive Serpens}},
date = {2022-07-18},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/atoms/evasive-serpens/},
language = {English},
urldate = {2022-07-29}
}
Evasive Serpens
TwoFace ISMAgent ISMDoor OopsIE RDAT OilRig |
2022-06-24 ⋅ XJunior ⋅ Mohamed Ashraf
@online{ashraf:20220624:apt34:92c90d5,
author = {Mohamed Ashraf},
title = {{APT34 - Saitama Agent}},
date = {2022-06-24},
organization = {XJunior},
url = {https://x-junior.github.io/malware%20analysis/2022/06/24/Apt34.html},
language = {English},
urldate = {2022-07-01}
}
APT34 - Saitama Agent
Saitama Backdoor |
2022-06-20 ⋅ Infinitum IT ⋅ infinitum IT
@online{it:20220620:charming:b356ff2,
author = {infinitum IT},
title = {{Charming Kitten (APT35)}},
date = {2022-06-20},
organization = {Infinitum IT},
url = {https://www.infinitumit.com.tr/apt-35/},
language = {Turkish},
urldate = {2022-06-22}
}
Charming Kitten (APT35)
LaZagne DownPaper MimiKatz pupy |
2022-06-15 ⋅ Volexity ⋅ Steven Adair, Thomas Lancaster, Volexity Threat Research
@online{adair:20220615:driftingcloud:58322a8,
author = {Steven Adair and Thomas Lancaster and Volexity Threat Research},
title = {{DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach}},
date = {2022-06-15},
organization = {Volexity},
url = {https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/},
language = {English},
urldate = {2022-06-17}
}
DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach
pupy Sliver |
2022-06-13 ⋅ SANS ISC ⋅ Renato Marinho
@online{marinho:20220613:translating:633e46a,
author = {Renato Marinho},
title = {{Translating Saitama's DNS tunneling messages}},
date = {2022-06-13},
organization = {SANS ISC},
url = {https://isc.sans.edu/diary/Translating+Saitama%27s+DNS+tunneling+messages/28738},
language = {English},
urldate = {2022-06-16}
}
Translating Saitama's DNS tunneling messages
Saitama Backdoor |
2022-05-23 ⋅ Trend Micro ⋅ Daniel Lunghi, Jaromír Hořejší
@techreport{lunghi:20220523:operation:e3c402b,
author = {Daniel Lunghi and Jaromír Hořejší},
title = {{Operation Earth Berberoka}},
date = {2022-05-23},
institution = {Trend Micro},
url = {https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf},
language = {English},
urldate = {2022-07-25}
}
Operation Earth Berberoka
reptile oRAT Ghost RAT PlugX pupy Earth Berberoka |
2022-05-11 ⋅ Fortinet ⋅ Fred Gutierrez
@online{gutierrez:20220511:please:f67f45c,
author = {Fred Gutierrez},
title = {{Please Confirm You Received Our APT}},
date = {2022-05-11},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/please-confirm-you-received-our-apt},
language = {English},
urldate = {2022-05-17}
}
Please Confirm You Received Our APT
Saitama Backdoor |
2022-05-10 ⋅ Malwarebytes Labs ⋅ Threat Intelligence Team
@online{team:20220510:apt34:b733b84,
author = {Threat Intelligence Team},
title = {{APT34 targets Jordan Government using new Saitama backdoor}},
date = {2022-05-10},
organization = {Malwarebytes Labs},
url = {https://blog.malwarebytes.com/threat-intelligence/2022/05/apt34-targets-jordan-government-using-new-saitama-backdoor/},
language = {English},
urldate = {2022-05-13}
}
APT34 targets Jordan Government using new Saitama backdoor
Saitama Backdoor |
2022-04-28 ⋅ Fortinet ⋅ Gergely Revay
@online{revay:20220428:overview:0ac963f,
author = {Gergely Revay},
title = {{An Overview of the Increasing Wiper Malware Threat}},
date = {2022-04-28},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat},
language = {English},
urldate = {2022-04-29}
}
An Overview of the Increasing Wiper Malware Threat
AcidRain CaddyWiper DistTrack DoubleZero EternalPetya HermeticWiper IsaacWiper Olympic Destroyer Ordinypt WhisperGate ZeroCleare |
2022-04-27 ⋅ Trendmicro ⋅ Trendmicro
@online{trendmicro:20220427:iocs:b6d7ab5,
author = {Trendmicro},
title = {{IOCs for Earth Berberoka - Linux}},
date = {2022-04-27},
organization = {Trendmicro},
url = {https://documents.trendmicro.com/assets/txt/earth-berberoka-linux-iocs-2.txt},
language = {English},
urldate = {2022-07-25}
}
IOCs for Earth Berberoka - Linux
Rekoobe pupy Earth Berberoka |
2022-03-30 ⋅ Recorded Future ⋅ Insikt Group
@techreport{group:20220330:social:e36c4e5,
author = {Insikt Group},
title = {{Social Engineering Remains Key Tradecraft for Iranian APTs}},
date = {2022-03-30},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0330.pdf},
language = {English},
urldate = {2022-04-05}
}
Social Engineering Remains Key Tradecraft for Iranian APTs
Liderc pupy |
2021-12-14 ⋅ Recorded Future ⋅ Insikt Group®
@online{group:20211214:full:5bf0cac,
author = {Insikt Group®},
title = {{Full Spectrum Detections for 5 Popular Web Shells: Alfa, SharPyShell, Krypton, ASPXSpy, and TWOFACE}},
date = {2021-12-14},
organization = {Recorded Future},
url = {https://www.recordedfuture.com/full-spectrum-detections-five-popular-web-shells/},
language = {English},
urldate = {2022-01-24}
}
Full Spectrum Detections for 5 Popular Web Shells: Alfa, SharPyShell, Krypton, ASPXSpy, and TWOFACE
TwoFace |
2021-09-21 ⋅ civilsphereproject ⋅ civilsphereproject
@online{civilsphereproject:20210921:capturing:60e5728,
author = {civilsphereproject},
title = {{Capturing and Detecting AndroidTester Remote Access Trojan with the Emergency VPN}},
date = {2021-09-21},
organization = {civilsphereproject},
url = {https://www.civilsphereproject.org/blog/2021/9/21/capturing-and-detecting-androidtester-remote-access-trojan-with-the-emergency-vpn},
language = {English},
urldate = {2021-09-22}
}
Capturing and Detecting AndroidTester Remote Access Trojan with the Emergency VPN
SpyNote |
2021-06-16 ⋅ Venustech ⋅ ADLab
@online{adlab:20210616:apt34:4697e7c,
author = {ADLab},
title = {{APT34 organization latest in-depth analysis report on attack activities}},
date = {2021-06-16},
organization = {Venustech},
url = {https://mp.weixin.qq.com/s/o_EVjBVN2sQ1q7cl4rUXoQ},
language = {Chinese},
urldate = {2021-06-21}
}
APT34 organization latest in-depth analysis report on attack activities
Karkoff |
2021-04-21 ⋅ Facebook ⋅ Mike Dvilyanski, David Agranovich
@online{dvilyanski:20210421:taking:23e0fb2,
author = {Mike Dvilyanski and David Agranovich},
title = {{Taking Action Against Hackers in Palestine}},
date = {2021-04-21},
organization = {Facebook},
url = {https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/},
language = {English},
urldate = {2021-04-28}
}
Taking Action Against Hackers in Palestine
SpyNote Houdini NjRAT |
2021-04-08 ⋅ Checkpoint ⋅ Check Point Research
@online{research:20210408:irans:127f349,
author = {Check Point Research},
title = {{Iran’s APT34 Returns with an Updated Arsenal}},
date = {2021-04-08},
organization = {Checkpoint},
url = {https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/},
language = {English},
urldate = {2021-04-09}
}
Iran’s APT34 Returns with an Updated Arsenal
DNSpionage SideTwist TONEDEAF |
2021-02-28 ⋅ PWC UK ⋅ PWC UK
@techreport{uk:20210228:cyber:bd780cd,
author = {PWC UK},
title = {{Cyber Threats 2020: A Year in Retrospect}},
date = {2021-02-28},
institution = {PWC UK},
url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf},
language = {English},
urldate = {2021-03-04}
}
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team |
2021-02-18 ⋅ PTSecurity ⋅ PTSecurity
@online{ptsecurity:20210218:httpswwwptsecuritycomwwenanalyticsantisandboxtechniques:d616c1f,
author = {PTSecurity},
title = {{https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/}},
date = {2021-02-18},
organization = {PTSecurity},
url = {https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/},
language = {English},
urldate = {2021-02-25}
}
https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/
Poet RAT Gravity RAT Ketrican Okrum OopsIE Remcos RogueRobinNET RokRAT SmokeLoader |
2020-12-10 ⋅ Intel 471 ⋅ Intel 471
@online{471:20201210:no:9fd2ae1,
author = {Intel 471},
title = {{No pandas, just people: The current state of China’s cybercrime underground}},
date = {2020-12-10},
organization = {Intel 471},
url = {https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/},
language = {English},
urldate = {2020-12-10}
}
No pandas, just people: The current state of China’s cybercrime underground
Anubis SpyNote AsyncRAT Cobalt Strike Ghost RAT NjRAT |
2020-12-01 ⋅ Qianxin ⋅ Qi Anxin Threat Intelligence Center
@online{center:20201201:blade:1b3519c,
author = {Qi Anxin Threat Intelligence Center},
title = {{Blade Eagle Group - Targeted attack group activities circling the Middle East and West Asia's cyberspace revealed}},
date = {2020-12-01},
organization = {Qianxin},
url = {https://ti.qianxin.com/blog/articles/Blade-hawk-The-activities-of-targeted-the-Middle-East-and-West-Asia-are-exposed/},
language = {English},
urldate = {2022-04-15}
}
Blade Eagle Group - Targeted attack group activities circling the Middle East and West Asia's cyberspace revealed
SpyNote BladeHawk |
2020-11-27 ⋅ PTSecurity ⋅ Denis Goydenko, Alexey Vishnyakov
@online{goydenko:20201127:investigation:7d12cee,
author = {Denis Goydenko and Alexey Vishnyakov},
title = {{Investigation with a twist: an accidental APT attack and averted data destruction}},
date = {2020-11-27},
organization = {PTSecurity},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/},
language = {English},
urldate = {2020-12-01}
}
Investigation with a twist: an accidental APT attack and averted data destruction
TwoFace CHINACHOPPER HyperBro MegaCortex MimiKatz |
2020-09-25 ⋅ Emanuele De Lucia
@online{lucia:20200925:vs:5b8c949,
author = {Emanuele De Lucia},
title = {{APT vs Internet Service Providers}},
date = {2020-09-25},
url = {https://drive.google.com/file/d/1oA4YSwXLxEF-EXJcrM76Bc4_7ZfBGYE4/view},
language = {English},
urldate = {2020-10-02}
}
APT vs Internet Service Providers
TwoFace RGDoor |
2020-09-15 ⋅ CrowdStrike ⋅ CrowdStrike Overwatch Team
@techreport{team:20200915:nowhere:284220e,
author = {CrowdStrike Overwatch Team},
title = {{Nowhere to Hide - 2020 Threat Hunting Report}},
date = {2020-09-15},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020OverWatchNowheretoHide.pdf},
language = {English},
urldate = {2020-09-21}
}
Nowhere to Hide - 2020 Threat Hunting Report
NedDnLoader RDAT TRACER KITTEN |
2020-07-22 ⋅ Threatpost ⋅ Tara Seals
@online{seals:20200722:oilrig:a81ae8d,
author = {Tara Seals},
title = {{OilRig APT Drills into Malware Innovation with Unique Backdoor}},
date = {2020-07-22},
organization = {Threatpost},
url = {https://threatpost.com/oilrig-apt-unique-backdoor/157646/},
language = {English},
urldate = {2020-07-23}
}
OilRig APT Drills into Malware Innovation with Unique Backdoor
OilRig |
2020-07-22 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone
@online{falcone:20200722:oilrig:4c26a7f,
author = {Robert Falcone},
title = {{OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory}},
date = {2020-07-22},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/},
language = {English},
urldate = {2020-07-23}
}
OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory
RDAT OilRig |
2020-07-15 ⋅ Relativity ⋅ Bartlomiej Czyż
@online{czy:20200715:indepth:9a7c4dd,
author = {Bartlomiej Czyż},
title = {{An in-depth analysis of SpyNote remote access trojan}},
date = {2020-07-15},
organization = {Relativity},
url = {https://bulldogjob.pl/articles/1200-an-in-depth-analysis-of-spynote-remote-access-trojan},
language = {English},
urldate = {2020-11-06}
}
An in-depth analysis of SpyNote remote access trojan
SpyNote |
2020-07-13 ⋅ FireEye ⋅ Andrew Thompson, Aaron Stephens
@online{thompson:20200713:scandalous:15d59a2,
author = {Andrew Thompson and Aaron Stephens},
title = {{SCANdalous! (External Detection Using Network Scan Data and Automation)}},
date = {2020-07-13},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2020/07/scandalous-external-detection-using-network-scan-data-and-automation.html},
language = {English},
urldate = {2020-07-15}
}
SCANdalous! (External Detection Using Network Scan Data and Automation)
POWERTON QUADAGENT PoshC2 |
2020-06-18 ⋅ Australian Cyber Security Centre ⋅ Australian Cyber Security Centre (ACSC)
@techreport{acsc:20200618:advisory:ed0f53c,
author = {Australian Cyber Security Centre (ACSC)},
title = {{Advisory 2020-008: Copy-Paste Compromises –tactics, techniques and procedures used to target multiple Australian networks}},
date = {2020-06-18},
institution = {Australian Cyber Security Centre},
url = {https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf},
language = {English},
urldate = {2020-06-19}
}
Advisory 2020-008: Copy-Paste Compromises –tactics, techniques and procedures used to target multiple Australian networks
TwoFace Cobalt Strike Empire Downloader |
2020-05-19 ⋅ Symantec ⋅ Critical Attack Discovery and Intelligence Team
@online{team:20200519:sophisticated:023b1bd,
author = {Critical Attack Discovery and Intelligence Team},
title = {{Sophisticated Espionage Group Turns Attention to Telecom Providers in South Asia}},
date = {2020-05-19},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia},
language = {English},
urldate = {2020-05-20}
}
Sophisticated Espionage Group Turns Attention to Telecom Providers in South Asia
ISMAgent ISMDoor |
2020-03-31 ⋅ Volexity ⋅ Volexity Threat Research
@online{research:20200331:storm:b491e72,
author = {Volexity Threat Research},
title = {{Storm Cloud Unleashed: Tibetan Focus of Highly Targeted Fake Flash Campaign}},
date = {2020-03-31},
organization = {Volexity},
url = {https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/},
language = {English},
urldate = {2020-04-07}
}
Storm Cloud Unleashed: Tibetan Focus of Highly Targeted Fake Flash Campaign
SpyNote Stitch Godlike12 |
2020-03-12 ⋅ Recorded Future ⋅ Insikt Group
@techreport{group:20200312:swallowing:2ec2856,
author = {Insikt Group},
title = {{Swallowing the Snake’s Tail: Tracking Turla Infrastructure}},
date = {2020-03-12},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0312.pdf},
language = {English},
urldate = {2023-01-19}
}
Swallowing the Snake’s Tail: Tracking Turla Infrastructure
TwoFace Mosquito |
2020-03-03 ⋅ PWC UK ⋅ PWC UK
@techreport{uk:20200303:cyber:1f1eef0,
author = {PWC UK},
title = {{Cyber Threats 2019:A Year in Retrospect}},
date = {2020-03-03},
institution = {PWC UK},
url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf},
language = {English},
urldate = {2020-03-03}
}
Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle |
2020-03-02 ⋅ Yoroi ⋅ ZLAB-Yoroi
@online{zlabyoroi:20200302:karkoff:a43fe0f,
author = {ZLAB-Yoroi},
title = {{Karkoff 2020: a new APT34 espionage operation involves Lebanon Government}},
date = {2020-03-02},
organization = {Yoroi},
url = {https://blog.yoroi.company/research/karkoff-2020-a-new-apt34-espionage-operation-involves-lebanon-government/},
language = {English},
urldate = {2020-03-03}
}
Karkoff 2020: a new APT34 espionage operation involves Lebanon Government
Karkoff |
2020-03-02 ⋅ Telsy ⋅ Telsy
@online{telsy:20200302:apt34:ded8bcd,
author = {Telsy},
title = {{APT34 (aka OilRig, aka Helix Kitten) attacks Lebanon government entities with MailDropper implants}},
date = {2020-03-02},
organization = {Telsy},
url = {https://blog.telsy.com/apt34-aka-oilrig-attacks-lebanon-government-entities-with-maildropper-implant/},
language = {English},
urldate = {2020-03-03}
}
APT34 (aka OilRig, aka Helix Kitten) attacks Lebanon government entities with MailDropper implants
Karkoff |
2020-02-13 ⋅ Qianxin ⋅ Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333,
author = {Qi Anxin Threat Intelligence Center},
title = {{APT Report 2019}},
date = {2020-02-13},
institution = {Qianxin},
url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf},
language = {English},
urldate = {2020-02-27}
}
APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy |
2020-01-30 ⋅ Intezer ⋅ Paul Litvak, Michael Kajiloti
@online{litvak:20200130:new:e013fd0,
author = {Paul Litvak and Michael Kajiloti},
title = {{New Iranian Campaign Tailored to US Companies Utilizes an Updated Toolset}},
date = {2020-01-30},
organization = {Intezer},
url = {https://intezer.com/blog-new-iranian-campaign-tailored-to-us-companies-uses-updated-toolset/},
language = {English},
urldate = {2020-02-03}
}
New Iranian Campaign Tailored to US Companies Utilizes an Updated Toolset
TONEDEAF VALUEVAULT |
2020-01-23 ⋅ Recorded Future ⋅ Insikt Group
@techreport{group:20200123:european:c3ca9e3,
author = {Insikt Group},
title = {{European Energy Sector Organization Targeted by PupyRAT Malware in Late 2019}},
date = {2020-01-23},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf},
language = {English},
urldate = {2020-01-27}
}
European Energy Sector Organization Targeted by PupyRAT Malware in Late 2019
pupy pupy pupy |
2020-01-17 ⋅ FireEye ⋅ FireEye
@online{fireeye:20200117:state:c000016,
author = {FireEye},
title = {{State of the Hack: Spotlight Iran - from Cain & Abel to full SANDSPY}},
date = {2020-01-17},
organization = {FireEye},
url = {https://youtu.be/pBDu8EGWRC4?t=2492},
language = {English},
urldate = {2020-09-18}
}
State of the Hack: Spotlight Iran - from Cain & Abel to full SANDSPY
QUADAGENT Fox Kitten |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:iron:de2007f,
author = {SecureWorks},
title = {{IRON HUNTER}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/iron-hunter},
language = {English},
urldate = {2020-05-23}
}
IRON HUNTER
Agent.BTZ Cobra Carbon System LightNeuron Mosquito Nautilus Neuron Skipper Uroburos Turla |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:cobalt:4d136fa,
author = {SecureWorks},
title = {{COBALT EDGEWATER}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/cobalt-edgewater},
language = {English},
urldate = {2020-05-23}
}
COBALT EDGEWATER
DNSpionage Karkoff DNSpionage |
2020-01 ⋅ FireEye ⋅ Tom Hall, Mitchell Clarke, Mandiant
@techreport{hall:202001:mandiant:25e38ef,
author = {Tom Hall and Mitchell Clarke and Mandiant},
title = {{Mandiant IR Grab Bag of Attacker Activity}},
date = {2020-01},
institution = {FireEye},
url = {https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf},
language = {English},
urldate = {2021-04-16}
}
Mandiant IR Grab Bag of Attacker Activity
TwoFace CHINACHOPPER HyperBro HyperSSL |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:cobalt:ce31320,
author = {SecureWorks},
title = {{COBALT GYPSY}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/cobalt-gypsy},
language = {English},
urldate = {2020-05-23}
}
COBALT GYPSY
TwoFace MacDownloader BONDUPDATER pupy Helminth jason RGDoor TinyZbot OilRig |
2019-12-09 ⋅ IBM Security ⋅ IBM IRIS
@online{iris:20191209:new:cc73a24,
author = {IBM IRIS},
title = {{New Destructive Wiper “ZeroCleare” Targets Energy Sector in the Middle East}},
date = {2019-12-09},
organization = {IBM Security},
url = {https://www.ibm.com/downloads/cas/OAJ4VZNJ},
language = {English},
urldate = {2020-01-09}
}
New Destructive Wiper “ZeroCleare” Targets Energy Sector in the Middle East
ZeroCleare |
2019-11-20 ⋅ ClearSky ⋅ ClearSky Cyber Security
@online{security:20191120:muddywater:5c4adfd,
author = {ClearSky Cyber Security},
title = {{MuddyWater Uses New Attack Methods in a Recent Attack Wave}},
date = {2019-11-20},
organization = {ClearSky},
url = {https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca},
language = {English},
urldate = {2019-12-16}
}
MuddyWater Uses New Attack Methods in a Recent Attack Wave
QUADAGENT RogueRobin |
2019-11-19 ⋅ FireEye ⋅ Kelli Vanderlee, Nalani Fraser
@techreport{vanderlee:20191119:achievement:6be19eb,
author = {Kelli Vanderlee and Nalani Fraser},
title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}},
date = {2019-11-19},
institution = {FireEye},
url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf},
language = {English},
urldate = {2021-03-02}
}
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell |
2019-11-09 ⋅ NSFOCUS ⋅ Mina Hao
@online{hao:20191109:apt34:550c673,
author = {Mina Hao},
title = {{APT34 Event Analysis Report}},
date = {2019-11-09},
organization = {NSFOCUS},
url = {https://nsfocusglobal.com/apt34-event-analysis-report/},
language = {English},
urldate = {2020-03-09}
}
APT34 Event Analysis Report
BONDUPDATER DNSpionage |
2019-10-21 ⋅ NCSC UK ⋅ NCSC UK
@online{uk:20191021:advisory:8f9f0e8,
author = {NCSC UK},
title = {{Advisory: Turla group exploits Iranian APT to expand coverage of victims}},
date = {2019-10-21},
organization = {NCSC UK},
url = {https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims},
language = {English},
urldate = {2020-01-06}
}
Advisory: Turla group exploits Iranian APT to expand coverage of victims
Nautilus Neuron |
2019-09-18 ⋅ IronNet ⋅ Jonathan Lepore
@online{lepore:20190918:chirp:44c11e9,
author = {Jonathan Lepore},
title = {{Chirp of the PoisonFrog}},
date = {2019-09-18},
organization = {IronNet},
url = {https://ironnet.com/blog/chirp-of-the-poisonfrog/},
language = {English},
urldate = {2020-01-09}
}
Chirp of the PoisonFrog
BONDUPDATER |
2019-08-22 ⋅ Cyware ⋅ Cyware
@online{cyware:20190822:apt34:3439fde,
author = {Cyware},
title = {{APT34: The Helix Kitten Cybercriminal Group Loves to Meow Middle Eastern and International Organizations}},
date = {2019-08-22},
organization = {Cyware},
url = {https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae},
language = {English},
urldate = {2021-06-29}
}
APT34: The Helix Kitten Cybercriminal Group Loves to Meow Middle Eastern and International Organizations
TwoFace BONDUPDATER POWRUNER QUADAGENT Helminth ISMAgent Karkoff LONGWATCH OopsIE PICKPOCKET RGDoor VALUEVAULT |
2019-08-22 ⋅ Github (n1nj4sec) ⋅ n1nj4sec
@online{n1nj4sec:20190822:pupy:a822ccd,
author = {n1nj4sec},
title = {{Pupy RAT}},
date = {2019-08-22},
organization = {Github (n1nj4sec)},
url = {https://github.com/n1nj4sec/pupy},
language = {English},
urldate = {2020-01-07}
}
Pupy RAT
pupy pupy pupy |
2019-07-18 ⋅ FireEye ⋅ Matt Bromiley, Noah Klapprodt, Nick Schroeder, Jessica Rocchio
@online{bromiley:20190718:hard:7a6144e,
author = {Matt Bromiley and Noah Klapprodt and Nick Schroeder and Jessica Rocchio},
title = {{Hard Pass: Declining APT34’s Invite to Join Their Professional Network}},
date = {2019-07-18},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html},
language = {English},
urldate = {2019-12-20}
}
Hard Pass: Declining APT34’s Invite to Join Their Professional Network
LONGWATCH PICKPOCKET TONEDEAF VALUEVAULT |
2019-07-08 ⋅ SANS ⋅ Josh M. Bryant, Robert Falcone
@techreport{bryant:20190708:hunting:7ce53d5,
author = {Josh M. Bryant and Robert Falcone},
title = {{Hunting Webshells: Tracking TwoFace}},
date = {2019-07-08},
institution = {SANS},
url = {https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1536345486.pdf},
language = {English},
urldate = {2020-01-09}
}
Hunting Webshells: Tracking TwoFace
TwoFace |
2019-06-06 ⋅ Marco Ramilli
@online{ramilli:20190606:apt34:e2dbe80,
author = {Marco Ramilli},
title = {{APT34: Jason project}},
date = {2019-06-06},
url = {https://marcoramilli.com/2019/06/06/apt34-jason-project/},
language = {English},
urldate = {2020-01-07}
}
APT34: Jason project
jason |
2019-06-03 ⋅ Twitter (@P3pperP0tts) ⋅ Pepper Potts
@online{potts:20190603:apt34:d5442c2,
author = {Pepper Potts},
title = {{Tweet on APT34}},
date = {2019-06-03},
organization = {Twitter (@P3pperP0tts)},
url = {https://twitter.com/P3pperP0tts/status/1135503765287657472},
language = {English},
urldate = {2020-01-13}
}
Tweet on APT34
jason |
2019-05-02 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli
@online{ramilli:20190502:apt34:06f5d53,
author = {Marco Ramilli},
title = {{APT34: Glimpse project}},
date = {2019-05-02},
organization = {Marco Ramilli's Blog},
url = {https://marcoramilli.com/2019/05/02/apt34-glimpse-project/},
language = {English},
urldate = {2020-01-13}
}
APT34: Glimpse project
BONDUPDATER |
2019-04-30 ⋅ ClearSky ⋅ ClearSky Cyber Security
@online{security:20190430:raw:327940f,
author = {ClearSky Cyber Security},
title = {{Raw Threat Intelligence 2019-04-30: Oilrig data dump link analysis}},
date = {2019-04-30},
organization = {ClearSky},
url = {https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr},
language = {English},
urldate = {2019-10-23}
}
Raw Threat Intelligence 2019-04-30: Oilrig data dump link analysis
SpyNote OopsIE |
2019-04-30 ⋅ Palo Alto Networks Unit 42 ⋅ Bryan Lee, Robert Falcone
@online{lee:20190430:behind:01b3010,
author = {Bryan Lee and Robert Falcone},
title = {{Behind the Scenes with OilRig}},
date = {2019-04-30},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/behind-the-scenes-with-oilrig/},
language = {English},
urldate = {2020-01-06}
}
Behind the Scenes with OilRig
BONDUPDATER |
2019-04-23 ⋅ Talos ⋅ Warren Mercer, Paul Rascagnères
@online{mercer:20190423:dnspionage:509e055,
author = {Warren Mercer and Paul Rascagnères},
title = {{DNSpionage brings out the Karkoff}},
date = {2019-04-23},
organization = {Talos},
url = {https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html},
language = {English},
urldate = {2019-12-20}
}
DNSpionage brings out the Karkoff
DNSpionage Karkoff DNSpionage |
2019-04-19 ⋅ Medium ⋅ x0rz
@online{x0rz:20190419:hacking:682f038,
author = {x0rz},
title = {{Hacking (Back) and Influence Operations}},
date = {2019-04-19},
organization = {Medium},
url = {https://blog.0day.rocks/hacking-back-and-influence-operations-85cd52c1e933},
language = {English},
urldate = {2020-01-13}
}
Hacking (Back) and Influence Operations
BONDUPDATER |
2019-04-16 ⋅ Robert Falcone
@online{falcone:20190416:dns:fed953e,
author = {Robert Falcone},
title = {{DNS Tunneling in the Wild: Overview of OilRig’s DNS Tunneling}},
date = {2019-04-16},
url = {https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/},
language = {English},
urldate = {2019-12-03}
}
DNS Tunneling in the Wild: Overview of OilRig’s DNS Tunneling
BONDUPDATER QUADAGENT Alma Communicator Helminth ISMAgent |
2019-03-27 ⋅ Symantec ⋅ Critical Attack Discovery and Intelligence Team
@online{team:20190327:elfin:d90a330,
author = {Critical Attack Discovery and Intelligence Team},
title = {{Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.}},
date = {2019-03-27},
organization = {Symantec},
url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage},
language = {English},
urldate = {2020-04-21}
}
Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
DarkComet MimiKatz Nanocore RAT NetWire RC pupy Quasar RAT Remcos StoneDrill TURNEDUP APT33 |
2019-03-27 ⋅ Symantec ⋅ Security Response Attack Investigation Team
@online{team:20190327:elfin:836cc39,
author = {Security Response Attack Investigation Team},
title = {{Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.}},
date = {2019-03-27},
organization = {Symantec},
url = {https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage},
language = {English},
urldate = {2020-01-06}
}
Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
DarkComet Nanocore RAT pupy Quasar RAT Remcos TURNEDUP APT33 |
2019-02-13 ⋅ Youtube (SANS Digital Forensics & Incident Response) ⋅ Josh Bryant, Robert Falcone
@online{bryant:20190213:hunting:8c671bf,
author = {Josh Bryant and Robert Falcone},
title = {{Hunting Webshells: Tracking TwoFace - SANS Threat Hunting Summit 2018}},
date = {2019-02-13},
organization = {Youtube (SANS Digital Forensics & Incident Response)},
url = {https://www.youtube.com/watch?v=GjquFKa4afU},
language = {English},
urldate = {2020-01-13}
}
Hunting Webshells: Tracking TwoFace - SANS Threat Hunting Summit 2018
TwoFace |
2019 ⋅ Council on Foreign Relations ⋅ Cyber Operations Tracker
@online{tracker:2019:oilrig:c3cfb7a,
author = {Cyber Operations Tracker},
title = {{OilRig}},
date = {2019},
organization = {Council on Foreign Relations},
url = {https://www.cfr.org/interactive/cyber-operations/oilrig},
language = {English},
urldate = {2019-12-20}
}
OilRig
OilRig |
2019 ⋅ MITRE ⋅ MITRE ATT&CK
@online{attck:2019:oilrig:40b5deb,
author = {MITRE ATT&CK},
title = {{Group description: OilRig}},
date = {2019},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0049/},
language = {English},
urldate = {2019-12-20}
}
Group description: OilRig
OilRig |
2019 ⋅ Council on Foreign Relations ⋅ Cyber Operations Tracker
@online{tracker:2019:34:2da0658,
author = {Cyber Operations Tracker},
title = {{APT 34}},
date = {2019},
organization = {Council on Foreign Relations},
url = {https://www.cfr.org/interactive/cyber-operations/apt-34},
language = {English},
urldate = {2019-12-20}
}
APT 34
OilRig |
2018-12-21 ⋅ FireEye ⋅ Geoff Ackerman, Rick Cole, Andrew Thompson, Alex Orleans, Nick Carr
@online{ackerman:20181221:overruled:74ac7b4,
author = {Geoff Ackerman and Rick Cole and Andrew Thompson and Alex Orleans and Nick Carr},
title = {{OVERRULED: Containing a Potentially Destructive Adversary}},
date = {2018-12-21},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html},
language = {English},
urldate = {2019-12-20}
}
OVERRULED: Containing a Potentially Destructive Adversary
POWERTON PoshC2 pupy |
2018-12-19 ⋅ Thomas Roccia, Jessica Saavedra-Morales, Christiaan Beek
@online{roccia:20181219:shamoon:a69d9d2,
author = {Thomas Roccia and Jessica Saavedra-Morales and Christiaan Beek},
title = {{Shamoon Attackers Employ New Tool Kit to Wipe Infected Systems}},
date = {2018-12-19},
url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems/},
language = {English},
urldate = {2019-11-08}
}
Shamoon Attackers Employ New Tool Kit to Wipe Infected Systems
OilRig |
2018-12-17 ⋅ Twitter (@MJDutch) ⋅ Justin
@online{justin:20181217:apt39:6e13cad,
author = {Justin},
title = {{Tweet on APT39}},
date = {2018-12-17},
organization = {Twitter (@MJDutch)},
url = {https://twitter.com/MJDutch/status/1074820959784321026?s=19},
language = {English},
urldate = {2020-01-08}
}
Tweet on APT39
OilRig |
2018-12-14 ⋅ Symantec ⋅ Critical Attack Discovery and Intelligence Team
@online{team:20181214:shamoon:1f24fa5,
author = {Critical Attack Discovery and Intelligence Team},
title = {{Shamoon: Destructive Threat Re-Emerges with New Sting in its Tail}},
date = {2018-12-14},
organization = {Symantec},
url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail},
language = {English},
urldate = {2020-04-21}
}
Shamoon: Destructive Threat Re-Emerges with New Sting in its Tail
DistTrack Filerase StoneDrill OilRig |
2018-12-14 ⋅ Symantec ⋅ Security Response Attack Investigation Team
@online{team:20181214:shamoon:5c1ab4d,
author = {Security Response Attack Investigation Team},
title = {{Shamoon: Destructive Threat Re-Emerges with New Sting in its Tail}},
date = {2018-12-14},
organization = {Symantec},
url = {https://www.symantec.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail},
language = {English},
urldate = {2020-01-13}
}
Shamoon: Destructive Threat Re-Emerges with New Sting in its Tail
OilRig |
2018-11-27 ⋅ CrowdStrike ⋅ Adam Meyers
@online{meyers:20181127:meet:d6b13f0,
author = {Adam Meyers},
title = {{Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN}},
date = {2018-11-27},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/},
language = {English},
urldate = {2019-12-20}
}
Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN
OilRig |
2018-11-16 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone, Kyle Wilhoit
@online{falcone:20181116:analyzing:037fccb,
author = {Robert Falcone and Kyle Wilhoit},
title = {{Analyzing OilRig’s Ops Tempo from Testing to Weaponization to Delivery}},
date = {2018-11-16},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/unit42-analyzing-oilrigs-ops-tempo-testing-weaponization-delivery/},
language = {English},
urldate = {2020-01-09}
}
Analyzing OilRig’s Ops Tempo from Testing to Weaponization to Delivery
OilRig |
2018-09-14 ⋅ NetScout ⋅ ASERT Team
@online{team:20180914:tunneling:c41e0f2,
author = {ASERT Team},
title = {{Tunneling Under the Sands}},
date = {2018-09-14},
organization = {NetScout},
url = {https://www.netscout.com/blog/asert/tunneling-under-sands},
language = {English},
urldate = {2020-01-13}
}
Tunneling Under the Sands
BONDUPDATER |
2018-09-12 ⋅ Palo Alto Networks Unit 42 ⋅ Kyle Wilhoit, Robert Falcone
@online{wilhoit:20180912:oilrig:5c64e44,
author = {Kyle Wilhoit and Robert Falcone},
title = {{OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government}},
date = {2018-09-12},
organization = {Palo Alto Networks Unit 42},
url = {https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/},
language = {English},
urldate = {2019-12-20}
}
OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government
BONDUPDATER |
2018-09-12 ⋅ Palo Alto Networks Unit 42 ⋅ Kyle Wilhoit, Robert Falcone
@online{wilhoit:20180912:oilrig:5892017,
author = {Kyle Wilhoit and Robert Falcone},
title = {{OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government}},
date = {2018-09-12},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/},
language = {English},
urldate = {2020-01-13}
}
OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government
OilRig |
2018-08-03 ⋅ Github (Unit42) ⋅ Unit42
@online{unit42:20180803:oilrig:ecb9dec,
author = {Unit42},
title = {{OilRig Playbook}},
date = {2018-08-03},
organization = {Github (Unit42)},
url = {https://raw.githubusercontent.com/pan-unit42/playbook_viewer/master/playbook_json/oilrig.json},
language = {English},
urldate = {2020-01-08}
}
OilRig Playbook
OilRig |
2018-07-25 ⋅ Palo Alto Networks Unit 42 ⋅ Bryan Lee, Robert Falcone
@online{lee:20180725:oilrig:d332c68,
author = {Bryan Lee and Robert Falcone},
title = {{OilRig Targets Technology Service Provider and Government Agency with QUADAGENT}},
date = {2018-07-25},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/},
language = {English},
urldate = {2019-11-29}
}
OilRig Targets Technology Service Provider and Government Agency with QUADAGENT
OilRig |
2018-07-07 ⋅ Youtube (SteelCon) ⋅ Dan Caban, Muks Hirani
@online{caban:20180707:youve:b02f5ff,
author = {Dan Caban and Muks Hirani},
title = {{You’ve Got Mail!}},
date = {2018-07-07},
organization = {Youtube (SteelCon)},
url = {https://www.youtube.com/watch?time_continue=1333&v=1CGAmjAV8nI},
language = {English},
urldate = {2020-01-08}
}
You’ve Got Mail!
TwoFace |
2018-04-20 ⋅ Booz Allen Hamilton ⋅ Jay Novak, Matthew Pennington
@online{novak:20180420:researchers:6764b0e,
author = {Jay Novak and Matthew Pennington},
title = {{Researchers Discover New variants of APT34 Malware}},
date = {2018-04-20},
organization = {Booz Allen Hamilton},
url = {https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2},
language = {English},
urldate = {2020-01-06}
}
Researchers Discover New variants of APT34 Malware
BONDUPDATER POWRUNER |
2018-03-25 ⋅ Vitali Kremez Blog ⋅ Vitali Kremez
@online{kremez:20180325:lets:070366d,
author = {Vitali Kremez},
title = {{Let's Learn: Internals of Iranian-Based Threat Group "Chafer" Malware: Autoit and PowerShell Persistence}},
date = {2018-03-25},
organization = {Vitali Kremez Blog},
url = {https://www.vkremez.com/2018/03/investigating-iranian-threat-group.html},
language = {English},
urldate = {2019-10-13}
}
Let's Learn: Internals of Iranian-Based Threat Group "Chafer" Malware: Autoit and PowerShell Persistence
OilRig |
2018-03 ⋅ Nyotron ⋅ NYOTRON ATTACK RESPONSE CENTER
@techreport{center:201803:oilrig:b3c95ff,
author = {NYOTRON ATTACK RESPONSE CENTER},
title = {{OilRig is Back with Next-Generation Tools and Techniques}},
date = {2018-03},
institution = {Nyotron},
url = {https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf},
language = {English},
urldate = {2019-10-13}
}
OilRig is Back with Next-Generation Tools and Techniques
GoogleDrive RAT |
2018-02-23 ⋅ Palo Alto Networks Unit 42 ⋅ Bryan Lee, Robert Falcone
@online{lee:20180223:oopsie:f09d30f,
author = {Bryan Lee and Robert Falcone},
title = {{OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan}},
date = {2018-02-23},
organization = {Palo Alto Networks Unit 42},
url = {https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/},
language = {English},
urldate = {2019-12-20}
}
OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan
OopsIE |
2018-02-23 ⋅ Palo Alto Networks Unit 42 ⋅ Bryan Lee, Robert Falcone
@online{lee:20180223:oopsie:3a5deb8,
author = {Bryan Lee and Robert Falcone},
title = {{OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan}},
date = {2018-02-23},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/},
language = {English},
urldate = {2020-01-13}
}
OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan
OilRig |
2018-01-25 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone
@online{falcone:20180125:oilrig:80920f0,
author = {Robert Falcone},
title = {{OilRig uses RGDoor IIS Backdoor on Targets in the Middle East}},
date = {2018-01-25},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/},
language = {English},
urldate = {2020-01-08}
}
OilRig uses RGDoor IIS Backdoor on Targets in the Middle East
OilRig |
2018-01-17 ⋅ NCSC UK ⋅ NCSC UK
@online{uk:20180117:turla:7563012,
author = {NCSC UK},
title = {{Turla group malware}},
date = {2018-01-17},
organization = {NCSC UK},
url = {https://www.ncsc.gov.uk/alerts/turla-group-malware},
language = {English},
urldate = {2020-01-06}
}
Turla group malware
Nautilus Neuron |
2018 ⋅ FireEye ⋅ FireEye
@techreport{fireeye:2018:mtrends2018:f07ca60,
author = {FireEye},
title = {{M-TRENDS2018}},
date = {2018},
institution = {FireEye},
url = {https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf},
language = {English},
urldate = {2020-01-08}
}
M-TRENDS2018
APT35 OilRig |
2017-12-15 ⋅ Palo Alto Networks Unit 42 ⋅ Ryan Olson
@online{olson:20171215:introducing:5d2ce88,
author = {Ryan Olson},
title = {{Introducing the Adversary Playbook: First up, OilRig}},
date = {2017-12-15},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/unit42-introducing-the-adversary-playbook-first-up-oilrig/},
language = {English},
urldate = {2020-01-08}
}
Introducing the Adversary Playbook: First up, OilRig
OilRig |
2017-12-11 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone
@online{falcone:20171211:oilrig:8d7f26f,
author = {Robert Falcone},
title = {{OilRig Performs Tests on the TwoFace Webshell}},
date = {2017-12-11},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/unit42-oilrig-performs-tests-twoface-webshell/},
language = {English},
urldate = {2020-01-10}
}
OilRig Performs Tests on the TwoFace Webshell
TwoFace |
2017-12-07 ⋅ FireEye ⋅ Vincent Cannon, Nalani Fraser, Yogesh Londhe, Manish Sardiwal, Nick Richard, Jacqueline O’Leary
@online{cannon:20171207:new:035f809,
author = {Vincent Cannon and Nalani Fraser and Yogesh Londhe and Manish Sardiwal and Nick Richard and Jacqueline O’Leary},
title = {{New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit}},
date = {2017-12-07},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html},
language = {English},
urldate = {2019-12-20}
}
New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit
OilRig |
2017-11-08 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone
@online{falcone:20171108:oilrig:a8a3089,
author = {Robert Falcone},
title = {{OilRig Deploys “ALMA Communicator” – DNS Tunneling Trojan}},
date = {2017-11-08},
organization = {Palo Alto Networks Unit 42},
url = {https://researchcenter.paloaltonetworks.com/2017/11/unit42-oilrig-deploys-alma-communicator-dns-tunneling-trojan/},
language = {English},
urldate = {2019-12-20}
}
OilRig Deploys “ALMA Communicator” – DNS Tunneling Trojan
Alma Communicator |
2017-10-09 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone, Bryan Lee
@online{falcone:20171009:oilrig:71ea256,
author = {Robert Falcone and Bryan Lee},
title = {{OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan}},
date = {2017-10-09},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/},
language = {English},
urldate = {2019-10-14}
}
OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan
OilRig |
2017-09-26 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone, Bryan Lee
@online{falcone:20170926:striking:45926d9,
author = {Robert Falcone and Bryan Lee},
title = {{Striking Oil: A Closer Look at Adversary Infrastructure}},
date = {2017-09-26},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/unit42-striking-oil-closer-look-adversary-infrastructure/},
language = {English},
urldate = {2020-01-08}
}
Striking Oil: A Closer Look at Adversary Infrastructure
OilRig |
2017-08-28 ⋅ ClearSky ⋅ ClearSky Research Team
@online{team:20170828:recent:fab1e53,
author = {ClearSky Research Team},
title = {{Recent ISMAgent Samples and Infrastructure by Iranian Threat Group GreenBug}},
date = {2017-08-28},
organization = {ClearSky},
url = {http://www.clearskysec.com/ismagent/},
language = {English},
urldate = {2019-12-19}
}
Recent ISMAgent Samples and Infrastructure by Iranian Threat Group GreenBug
ISMAgent |
2017-07-31 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone, Bryan Lee
@online{falcone:20170731:twoface:8fe5f2d,
author = {Robert Falcone and Bryan Lee},
title = {{TwoFace Webshell: Persistent Access Point for Lateral Movement}},
date = {2017-07-31},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/unit42-twoface-webshell-persistent-access-point-lateral-movement/},
language = {English},
urldate = {2020-01-07}
}
TwoFace Webshell: Persistent Access Point for Lateral Movement
TwoFace OilRig |
2017-07-12 ⋅ Wired ⋅ Lily Hay Newman
@online{newman:20170712:iranian:5dd7386,
author = {Lily Hay Newman},
title = {{Iranian Hackers Have Been Infiltrating Critical Infrastructure Companies}},
date = {2017-07-12},
organization = {Wired},
url = {https://www.wired.com/story/apt-34-iranian-hackers-critical-infrastructure-companies/},
language = {English},
urldate = {2020-01-08}
}
Iranian Hackers Have Been Infiltrating Critical Infrastructure Companies
OilRig |
2017-04-27 ⋅ Morphisec ⋅ Michael Gorelik
@online{gorelik:20170427:iranian:4ab7f08,
author = {Michael Gorelik},
title = {{Iranian Fileless Attack Infiltrates Israeli Organizations}},
date = {2017-04-27},
organization = {Morphisec},
url = {https://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability},
language = {English},
urldate = {2020-07-30}
}
Iranian Fileless Attack Infiltrates Israeli Organizations
Helminth OilRig |
2017-04-27 ⋅ Morphisec ⋅ Michael Gorelik
@online{gorelik:20170427:iranian:827f6f3,
author = {Michael Gorelik},
title = {{Iranian Fileless Attack Infiltrates Israeli Organizations}},
date = {2017-04-27},
organization = {Morphisec},
url = {http://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability},
language = {English},
urldate = {2019-12-04}
}
Iranian Fileless Attack Infiltrates Israeli Organizations
OilRig |
2017-04-27 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone
@online{falcone:20170427:oilrig:fd3e813,
author = {Robert Falcone},
title = {{OilRig Actors Provide a Glimpse into Development and Testing Efforts}},
date = {2017-04-27},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/},
language = {English},
urldate = {2020-01-07}
}
OilRig Actors Provide a Glimpse into Development and Testing Efforts
OilRig |
2017-04-24 ⋅ CERT-IL ⋅ CERT-IL
@techreport{certil:20170424:wave:d0c610f,
author = {CERT-IL},
title = {{Wave attacks against government agencies, academia and business entities in Israel}},
date = {2017-04-24},
institution = {CERT-IL},
url = {https://www.gov.il/BlobFolder/reports/attack_il/he/CERT-IL-ALERT-W-120.pdf},
language = {Hebrew},
urldate = {2020-05-18}
}
Wave attacks against government agencies, academia and business entities in Israel
OilRig |
2017-02-16 ⋅ SecurityAffairs ⋅ Pierluigi Paganini
@online{paganini:20170216:iranian:917f46c,
author = {Pierluigi Paganini},
title = {{Iranian hackers behind the Magic Hound campaign linked to Shamoon}},
date = {2017-02-16},
organization = {SecurityAffairs},
url = {https://securityaffairs.co/wordpress/56348/intelligence/magic-hound-campaign.html},
language = {English},
urldate = {2022-07-29}
}
Iranian hackers behind the Magic Hound campaign linked to Shamoon
pupy APT35 |
2017-02-15 ⋅ Palo Alto Networks Unit 42 ⋅ Bryan Lee, Robert Falcone
@online{lee:20170215:magic:e0b1b72,
author = {Bryan Lee and Robert Falcone},
title = {{Magic Hound Campaign Attacks Saudi Targets}},
date = {2017-02-15},
organization = {Palo Alto Networks Unit 42},
url = {https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/},
language = {English},
urldate = {2019-09-22}
}
Magic Hound Campaign Attacks Saudi Targets
Leash MPKBot pupy Rocket Kitten |
2017-02-15 ⋅ Secureworks ⋅ SecureWorks' Counter Threat Unit Research Team
@online{team:20170215:iranian:004ec5a,
author = {SecureWorks' Counter Threat Unit Research Team},
title = {{Iranian PupyRAT Bites Middle Eastern Organizations}},
date = {2017-02-15},
organization = {Secureworks},
url = {https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations},
language = {English},
urldate = {2019-10-23}
}
Iranian PupyRAT Bites Middle Eastern Organizations
pupy Cleaver |
2017-02-15 ⋅ Forbes ⋅ Thomas Brewster
@online{brewster:20170215:inside:8b5faed,
author = {Thomas Brewster},
title = {{Inside OilRig -- Tracking Iran's Busiest Hacker Crew On Its Global Rampage}},
date = {2017-02-15},
organization = {Forbes},
url = {https://www.forbes.com/sites/thomasbrewster/2017/02/15/oilrig-iran-hackers-cyberespionage-us-turkey-saudi-arabia/#56749aa2468a},
language = {English},
urldate = {2020-01-13}
}
Inside OilRig -- Tracking Iran's Busiest Hacker Crew On Its Global Rampage
OilRig |
2017-02-10 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
@online{tomonaga:20170210:malware:4f2c9aa,
author = {Shusei Tomonaga},
title = {{Malware that infects using PowerSploit}},
date = {2017-02-10},
organization = {JPCERT/CC},
url = {https://blog.cyber4sight.com/2017/02/malicious-powershell-script-analysis-indicates-shamoon-actors-used-pupy-rat/},
language = {Japanese},
urldate = {2020-01-08}
}
Malware that infects using PowerSploit
pupy |
2017-01-05 ⋅ ClearSky ⋅ ClearSky Research Team
@online{team:20170105:iranian:da7cfef,
author = {ClearSky Research Team},
title = {{Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford}},
date = {2017-01-05},
organization = {ClearSky},
url = {http://www.clearskysec.com/oilrig/},
language = {English},
urldate = {2020-01-13}
}
Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford
OilRig |
2017-01-05 ⋅ ClearSky ⋅ ClearSky Research Team
@online{team:20170105:iranian:8a44c55,
author = {ClearSky Research Team},
title = {{Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford}},
date = {2017-01-05},
organization = {ClearSky},
url = {https://www.clearskysec.com/oilrig/},
language = {English},
urldate = {2019-12-03}
}
Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford
OilRig |
2016-11-30 ⋅ Symantec ⋅ A L Johnson
@online{johnson:20161130:shamoon:50feb7c,
author = {A L Johnson},
title = {{Shamoon: Back from the dead and destructive as ever}},
date = {2016-11-30},
organization = {Symantec},
url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ad6f8259-2bb4-4f7f-b8e1-710b35a4cbed&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments},
language = {English},
urldate = {2020-04-21}
}
Shamoon: Back from the dead and destructive as ever
DistTrack OilRig |
2016-11-30 ⋅ Symantec ⋅ Symantec Security Response
@online{response:20161130:shamoon:23a43b0,
author = {Symantec Security Response},
title = {{Shamoon: Back from the dead and destructive as ever}},
date = {2016-11-30},
organization = {Symantec},
url = {https://www.symantec.com/connect/blogs/shamoon-back-dead-and-destructive-ever},
language = {English},
urldate = {2020-01-13}
}
Shamoon: Back from the dead and destructive as ever
OilRig |
2016-10-04 ⋅ Palo Alto Networks Unit 42 ⋅ Josh Grunzweig, Robert Falcone
@online{grunzweig:20161004:oilrig:72c4b0e,
author = {Josh Grunzweig and Robert Falcone},
title = {{OilRig Malware Campaign Updates Toolset and Expands Targets}},
date = {2016-10-04},
organization = {Palo Alto Networks Unit 42},
url = {http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/},
language = {English},
urldate = {2019-12-20}
}
OilRig Malware Campaign Updates Toolset and Expands Targets
Helminth |
2016-10-04 ⋅ Palo Alto Networks Unit 42 ⋅ Josh Grunzweig, Robert Falcone
@online{grunzweig:20161004:oilrig:2e3b9e0,
author = {Josh Grunzweig and Robert Falcone},
title = {{OilRig Malware Campaign Updates Toolset and Expands Targets}},
date = {2016-10-04},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/},
language = {English},
urldate = {2019-10-22}
}
OilRig Malware Campaign Updates Toolset and Expands Targets
OilRig |
2016-05-26 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone, Bryan Lee
@online{falcone:20160526:oilrig:89b6b4d,
author = {Robert Falcone and Bryan Lee},
title = {{The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor}},
date = {2016-05-26},
organization = {Palo Alto Networks Unit 42},
url = {https://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/},
language = {English},
urldate = {2019-12-20}
}
The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor
Helminth |
2016-05-26 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone, Bryan Lee
@online{falcone:20160526:oilrig:99f488f,
author = {Robert Falcone and Bryan Lee},
title = {{The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor}},
date = {2016-05-26},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/},
language = {English},
urldate = {2020-01-13}
}
The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor
OilRig |
2016-05-22 ⋅ FireEye ⋅ Sudeep Singh, Yin Hong Chang
@online{singh:20160522:targeted:5baf70d,
author = {Sudeep Singh and Yin Hong Chang},
title = {{Targeted Attacks against Banks in the Middle East}},
date = {2016-05-22},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html},
language = {English},
urldate = {2019-12-20}
}
Targeted Attacks against Banks in the Middle East
Helminth OilRig |
2016 ⋅ Palo Alto Networks Unit 42 ⋅ paloalto Networks: Unit42
@online{unit42:2016:unit:38f5c2e,
author = {paloalto Networks: Unit42},
title = {{Unit 42 Playbook Viewer}},
date = {2016},
organization = {Palo Alto Networks Unit 42},
url = {https://pan-unit42.github.io/playbook_viewer/},
language = {English},
urldate = {2020-04-06}
}
Unit 42 Playbook Viewer
OilRig |
2015-09-17 ⋅ F-Secure ⋅ F-Secure Global
@online{global:20150917:dukes:5dc47f5,
author = {F-Secure Global},
title = {{The Dukes: 7 Years Of Russian Cyber-Espionage}},
date = {2015-09-17},
organization = {F-Secure},
url = {https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/},
language = {English},
urldate = {2020-01-09}
}
The Dukes: 7 Years Of Russian Cyber-Espionage
TwoFace BONDUPDATER DNSpionage |
2012-08-16 ⋅ Symantec ⋅ Symantec Security Response
@online{response:20120816:shamoon:8f8fe97,
author = {Symantec Security Response},
title = {{The Shamoon Attacks}},
date = {2012-08-16},
organization = {Symantec},
url = {https://web.archive.org/web/20120818235442/https://www.symantec.com/connect/blogs/shamoon-attacks},
language = {English},
urldate = {2020-04-21}
}
The Shamoon Attacks
DistTrack OilRig |
2012-08-16 ⋅ Symantec ⋅ Symantec Security Response
@online{response:20120816:shamoon:7eedf8f,
author = {Symantec Security Response},
title = {{The Shamoon Attacks}},
date = {2012-08-16},
organization = {Symantec},
url = {https://www.symantec.com/connect/blogs/shamoon-attacks},
language = {English},
urldate = {2020-01-13}
}
The Shamoon Attacks
OilRig |