aka: SectorJ04, SectorJ04 Group, GRACEFUL SPIDER, GOLD TAHOE, Dudear, G0092, ATK103, Hive0065, CHIMBORAZO
TA505, the name given by Proofpoint, has been in the cybercrime business for at least four years. This is the group behind the infamous Dridex banking trojan and Locky ransomware, delivered through malicious email campaigns via the Necurs botnet. Other malware families associated with TA505 include the Philadelphia and GlobeImposter ransomware families.
2023-09-07 ⋅ Department of Justice ⋅ Office of Public Affairs @online{affairs:20230907:multiple:8952f60,
author = {Office of Public Affairs},
title = {{Multiple Foreign Nationals Charged in Connection with Trickbot Malware and Conti Ransomware Conspiracies}},
date = {2023-09-07},
organization = {Department of Justice},
url = {https://www.justice.gov/opa/pr/multiple-foreign-nationals-charged-connection-trickbot-malware-and-conti-ransomware},
language = {English},
urldate = {2023-09-08}
}
Multiple Foreign Nationals Charged in Connection with Trickbot Malware and Conti Ransomware Conspiracies Conti Conti TrickBot |
2023-08-30 ⋅ Nisos ⋅ Vincas Čižiūnas @online{iinas:20230830:trickbot:31efb65,
author = {Vincas Čižiūnas},
title = {{Trickbot in Light of Trickleaks Data}},
date = {2023-08-30},
organization = {Nisos},
url = {https://www.nisos.com/research/trickbot-trickleaks-data-analysis/},
language = {English},
urldate = {2023-09-01}
}
Trickbot in Light of Trickleaks Data TrickBot |
2023-07-26 ⋅ Talos ⋅ Nicole Hoffman @online{hoffman:20230726:incident:4731c33,
author = {Nicole Hoffman},
title = {{Incident Response trends Q2 2023: Data theft extortion rises, while healthcare is still most-targeted vertical}},
date = {2023-07-26},
organization = {Talos},
url = {https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/},
language = {English},
urldate = {2023-08-03}
}
Incident Response trends Q2 2023: Data theft extortion rises, while healthcare is still most-targeted vertical BianLian Clop LockBit Royal Ransom LockBit 8Base BianLian Clop LockBit Money Message Royal Ransom |
2023-07-13 ⋅ malware.love ⋅ Robert Giczewski @online{giczewski:20230713:truebot:784a076,
author = {Robert Giczewski},
title = {{TrueBot Analysis Part IV - Config Extraction}},
date = {2023-07-13},
organization = {malware.love},
url = {https://malware.love/malware_analysis/reverse_engineering/config_extraction/2023/07/13/truebot-config-extractor.html},
language = {English},
urldate = {2023-10-09}
}
TrueBot Analysis Part IV - Config Extraction Silence |
2023-07-06 ⋅ CISA ⋅ CISA @online{cisa:20230706:increased:7ff9690,
author = {CISA},
title = {{Increased Truebot Activity Infects U.S. and Canada Based Networks}},
date = {2023-07-06},
organization = {CISA},
url = {https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-187a},
language = {English},
urldate = {2023-07-08}
}
Increased Truebot Activity Infects U.S. and Canada Based Networks Silence |
2023-06-27 ⋅ SecurityIntelligence ⋅ Charlotte Hammond, Ole Villadsen @online{hammond:20230627:trickbotconti:5e1f20d,
author = {Charlotte Hammond and Ole Villadsen},
title = {{The Trickbot/Conti Crypters: Where Are They Now?}},
date = {2023-06-27},
organization = {SecurityIntelligence},
url = {https://securityintelligence.com/posts/trickbot-conti-crypters-where-are-they-now/},
language = {English},
urldate = {2023-07-31}
}
The Trickbot/Conti Crypters: Where Are They Now? Black Basta Conti Mount Locker PhotoLoader Royal Ransom SystemBC TrickBot |
2023-06-23 ⋅ Fourcore ⋅ Jones Martin @online{martin:20230623:clop:ed4b8f0,
author = {Jones Martin},
title = {{Clop Ransomware: History, Timeline, And Adversary Simulation}},
date = {2023-06-23},
organization = {Fourcore},
url = {https://fourcore.io/blogs/clop-ransomware-history-adversary-simulation},
language = {English},
urldate = {2023-07-28}
}
Clop Ransomware: History, Timeline, And Adversary Simulation Clop |
2023-06-12 ⋅ The DFIR Report ⋅ Maxime Thiebaut @online{thiebaut:20230612:truly:18a251d,
author = {Maxime Thiebaut},
title = {{A Truly Graceful Wipe Out}},
date = {2023-06-12},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/},
language = {English},
urldate = {2023-06-12}
}
A Truly Graceful Wipe Out FlawedGrace Silence |
2023-06-01 ⋅ vmware ⋅ Fae Carlisle @online{carlisle:20230601:carbon:a215566,
author = {Fae Carlisle},
title = {{Carbon Black’s TrueBot Detection}},
date = {2023-06-01},
organization = {vmware},
url = {https://blogs.vmware.com/security/2023/06/carbon-blacks-truebot-detection.html},
language = {English},
urldate = {2023-07-13}
}
Carbon Black’s TrueBot Detection Silence |
2023-05-23 ⋅ loginsoft ⋅ Saharsh Agrawal @online{agrawal:20230523:taming:7a77f19,
author = {Saharsh Agrawal},
title = {{Taming the Storm: Understanding and Mitigating the Consequences of CVE-2023-27350}},
date = {2023-05-23},
organization = {loginsoft},
url = {https://research.loginsoft.com/threat-research/taming-the-storm-understanding-and-mitigating-the-consequences-of-cve-2023-27350/},
language = {English},
urldate = {2023-05-30}
}
Taming the Storm: Understanding and Mitigating the Consequences of CVE-2023-27350 Clop LockBit Silence |
2023-03-31 ⋅ malware.love ⋅ Robert Giczewski @online{giczewski:20230331:truebot:ec9e860,
author = {Robert Giczewski},
title = {{TrueBot Analysis Part III - Capabilities}},
date = {2023-03-31},
organization = {malware.love},
url = {https://malware.love/malware_analysis/reverse_engineering/2023/03/31/analyzing-truebot-capabilities.html},
language = {English},
urldate = {2023-04-03}
}
TrueBot Analysis Part III - Capabilities Silence |
2023-03-30 ⋅ IBM ⋅ John Dwyer, Fred Chidsey, Joseph Lozowski @online{dwyer:20230330:xforce:75bb496,
author = {John Dwyer and Fred Chidsey and Joseph Lozowski},
title = {{X-Force Prevents Zero Day from Going Anywhere}},
date = {2023-03-30},
organization = {IBM},
url = {https://securityintelligence.com/posts/x-force-prevents-zero-day-from-going-anywhere},
language = {English},
urldate = {2023-04-06}
}
X-Force Prevents Zero Day from Going Anywhere Silence |
2023-02-27 ⋅ PRODAFT Threat Intelligence ⋅ PRODAFT @techreport{prodaft:20230227:rig:72076aa,
author = {PRODAFT},
title = {{RIG Exploit Kit: In-Depth Analysis}},
date = {2023-02-27},
institution = {PRODAFT Threat Intelligence},
url = {https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf},
language = {English},
urldate = {2023-05-08}
}
RIG Exploit Kit: In-Depth Analysis Dridex IcedID ISFB PureCrypter Raccoon RecordBreaker RedLine Stealer Royal Ransom Silence SmokeLoader Zloader |
2023-02-18 ⋅ malware.love ⋅ Robert Giczewski @online{giczewski:20230218:truebot:f49edbb,
author = {Robert Giczewski},
title = {{TrueBot Analysis Part II - Static unpacker}},
date = {2023-02-18},
organization = {malware.love},
url = {https://malware.love/malware_analysis/reverse_engineering/2023/02/18/analyzing-truebot-static-unpacking.html},
language = {English},
urldate = {2023-02-21}
}
TrueBot Analysis Part II - Static unpacker Silence |
2023-02-12 ⋅ malware.love ⋅ Robert Giczewski @online{giczewski:20230212:truebot:80ae897,
author = {Robert Giczewski},
title = {{TrueBot Analysis Part I - A short glimpse into packed TrueBot samples}},
date = {2023-02-12},
organization = {malware.love},
url = {https://malware.love/malware_analysis/reverse_engineering/2023/02/12/analyzing-truebot-packer.html},
language = {English},
urldate = {2023-02-21}
}
TrueBot Analysis Part I - A short glimpse into packed TrueBot samples Silence |
2023-02-09 ⋅ U.S. Department of the Treasury ⋅ U.S. Department of the Treasury @online{treasury:20230209:united:fd9a5aa,
author = {U.S. Department of the Treasury},
title = {{United States and United Kingdom Sanction Members of Russia-Based Trickbot Cybercrime Gang}},
date = {2023-02-09},
organization = {U.S. Department of the Treasury},
url = {https://home.treasury.gov/news/press-releases/jy1256},
language = {English},
urldate = {2023-02-13}
}
United States and United Kingdom Sanction Members of Russia-Based Trickbot Cybercrime Gang TrickBot |
2023-02-08 ⋅ Huntress Labs ⋅ Joe Slowik, Matt Anderson @online{slowik:20230208:investigating:4b8fbaf,
author = {Joe Slowik and Matt Anderson},
title = {{Investigating Intrusions From Intriguing Exploits}},
date = {2023-02-08},
organization = {Huntress Labs},
url = {https://www.huntress.com/blog/investigating-intrusions-from-intriguing-exploits},
language = {English},
urldate = {2023-04-06}
}
Investigating Intrusions From Intriguing Exploits Silence |
2023-01-30 ⋅ Checkpoint ⋅ Arie Olshtein @online{olshtein:20230130:following:e442fcc,
author = {Arie Olshtein},
title = {{Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware}},
date = {2023-01-30},
organization = {Checkpoint},
url = {https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/},
language = {English},
urldate = {2023-01-31}
}
Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware Agent Tesla Azorult Buer Cerber Cobalt Strike Emotet Formbook HawkEye Keylogger Loki Password Stealer (PWS) Maze NetWire RC Remcos REvil TrickBot |
2022-12-27 ⋅ Palo Alto Networks Unit 42 ⋅ Esmid Idrizovic, Bob Jung, Daniel Raygoza, Sean Hughes @online{idrizovic:20221227:navigating:4cd52c5,
author = {Esmid Idrizovic and Bob Jung and Daniel Raygoza and Sean Hughes},
title = {{Navigating the Vast Ocean of Sandbox Evasions}},
date = {2022-12-27},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/sandbox-evasion-memory-detection/},
language = {English},
urldate = {2022-12-29}
}
Navigating the Vast Ocean of Sandbox Evasions TrickBot Zebrocy |
2022-12-08 ⋅ Cisco Talos ⋅ Tiago Pereira @online{pereira:20221208:breaking:7f00030,
author = {Tiago Pereira},
title = {{Breaking the silence - Recent Truebot activity}},
date = {2022-12-08},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/},
language = {English},
urldate = {2022-12-12}
}
Breaking the silence - Recent Truebot activity Clop Cobalt Strike FlawedGrace Raspberry Robin Silence Teleport |
2022-12-06 ⋅ EuRepoC ⋅ Kerstin Zettl-Schabath, Lena Rottinger, Camille Borrett @techreport{zettlschabath:20221206:contiwizard:9c3a9ba,
author = {Kerstin Zettl-Schabath and Lena Rottinger and Camille Borrett},
title = {{Conti/Wizard Spider}},
date = {2022-12-06},
institution = {EuRepoC},
url = {https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Conti_Wizard_Spider_dc2a733e18.pdf},
language = {English},
urldate = {2023-10-16}
}
Conti/Wizard Spider BazarBackdoor Cobalt Strike Conti Emotet IcedID Ryuk TrickBot WIZARD SPIDER |
2022-11-11 ⋅ Codesec ⋅ Hugo Caron @online{caron:20221111:gracewire:7b6e68f,
author = {Hugo Caron},
title = {{GraceWire / FlawedGrace malware adventure}},
date = {2022-11-11},
organization = {Codesec},
url = {https://web.archive.org/web/20221115161556/https://blog.codsec.com/posts/malware/gracewire_adventure/},
language = {English},
urldate = {2023-07-16}
}
GraceWire / FlawedGrace malware adventure FlawedGrace |
2022-10-31 ⋅ Palo Alto Networks: Unit42 ⋅ Or Chechik @online{chechik:20221031:banking:c421ac8,
author = {Or Chechik},
title = {{Banking Trojan Techniques: How Financially Motivated Malware Became Infrastructure}},
date = {2022-10-31},
organization = {Palo Alto Networks: Unit42},
url = {https://unit42.paloaltonetworks.com/banking-trojan-techniques/},
language = {English},
urldate = {2022-10-31}
}
Banking Trojan Techniques: How Financially Motivated Malware Became Infrastructure Dridex Kronos TrickBot Zeus |
2022-10-27 ⋅ Microsoft ⋅ Microsoft Threat Intelligence @online{intelligence:20221027:raspberry:44ac615,
author = {Microsoft Threat Intelligence},
title = {{Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity}},
date = {2022-10-27},
organization = {Microsoft},
url = {http://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/},
language = {English},
urldate = {2023-11-17}
}
Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity FAKEUPDATES BumbleBee Clop Fauppod Raspberry Robin Roshtyak Silence |
2022-10-27 ⋅ Bleeping Computer ⋅ Sergiu Gatlan @online{gatlan:20221027:microsoft:e274158,
author = {Sergiu Gatlan},
title = {{Microsoft links Raspberry Robin worm to Clop ransomware attacks}},
date = {2022-10-27},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/microsoft-links-raspberry-robin-worm-to-clop-ransomware-attacks/},
language = {English},
urldate = {2022-11-11}
}
Microsoft links Raspberry Robin worm to Clop ransomware attacks Clop Raspberry Robin |
2022-10-13 ⋅ Spamhaus ⋅ Spamhaus Malware Labs @techreport{labs:20221013:spamhaus:43e3190,
author = {Spamhaus Malware Labs},
title = {{Spamhaus Botnet Threat Update Q3 2022}},
date = {2022-10-13},
institution = {Spamhaus},
url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf},
language = {English},
urldate = {2022-12-29}
}
Spamhaus Botnet Threat Update Q3 2022 FluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars Tofsee Vjw0rm |
2022-09-13 ⋅ AdvIntel ⋅ Advanced Intelligence @online{intelligence:20220913:advintels:ea02331,
author = {Advanced Intelligence},
title = {{AdvIntel's State of Emotet aka "SpmTools" Displays Over Million Compromised Machines Through 2022}},
date = {2022-09-13},
organization = {AdvIntel},
url = {https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022},
language = {English},
urldate = {2022-09-19}
}
AdvIntel's State of Emotet aka "SpmTools" Displays Over Million Compromised Machines Through 2022 Conti Cobalt Strike Emotet Ryuk TrickBot |
2022-09-06 ⋅ PRODAFT ⋅ PRODAFT @techreport{prodaft:20220906:ta505:ed4c7e9,
author = {PRODAFT},
title = {{TA505 Group’s TeslaGun In-Depth Analysis}},
date = {2022-09-06},
institution = {PRODAFT},
url = {https://www.prodaft.com/m/reports/TeslaGun_TLPWHITE.pdf},
language = {English},
urldate = {2022-12-20}
}
TA505 Group’s TeslaGun In-Depth Analysis Clop ServHelper |
2022-09-05 ⋅ PRODAFT ⋅ PRODAFT @techreport{prodaft:20220905:ta505:2925f26,
author = {PRODAFT},
title = {{TA505 Group’s TeslaGun In-Depth Analysis}},
date = {2022-09-05},
institution = {PRODAFT},
url = {https://prodaft.com/m/reports/TeslaGun_TLPWHITE.pdf},
language = {English},
urldate = {2022-09-10}
}
TA505 Group’s TeslaGun In-Depth Analysis ServHelper |
2022-09-01 ⋅ IBM ⋅ Kevin Henson, Emmy Ebanks @online{henson:20220901:raspberry:b5b5946,
author = {Kevin Henson and Emmy Ebanks},
title = {{Raspberry Robin and Dridex: Two Birds of a Feather}},
date = {2022-09-01},
organization = {IBM},
url = {https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/},
language = {English},
urldate = {2022-09-06}
}
Raspberry Robin and Dridex: Two Birds of a Feather Dridex Raspberry Robin |
2022-08-24 ⋅ Github (rad9800) ⋅ Rad Kawar @techreport{kawar:20220824:malware:2eeaafb,
author = {Rad Kawar},
title = {{Malware Madness: EXCEPTION edition}},
date = {2022-08-24},
institution = {Github (rad9800)},
url = {https://github.com/rad9800/talks/blob/main/MALWARE_MADNESS.pdf},
language = {English},
urldate = {2022-08-28}
}
Malware Madness: EXCEPTION edition Dridex |
2022-08-18 ⋅ IBM ⋅ Charlotte Hammond, Ole Villadsen @online{hammond:20220818:from:501e8ac,
author = {Charlotte Hammond and Ole Villadsen},
title = {{From Ramnit To Bumblebee (via NeverQuest): Similarities and Code Overlap Shed Light On Relationships Between Malware Developers}},
date = {2022-08-18},
organization = {IBM},
url = {https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest},
language = {English},
urldate = {2022-08-28}
}
From Ramnit To Bumblebee (via NeverQuest): Similarities and Code Overlap Shed Light On Relationships Between Malware Developers BumbleBee Karius Ramnit TrickBot Vawtrak |
2022-08-15 ⋅ SentinelOne ⋅ Vikram Navali @online{navali:20220815:detecting:5abdd3d,
author = {Vikram Navali},
title = {{Detecting a Rogue Domain Controller – DCShadow Attack}},
date = {2022-08-15},
organization = {SentinelOne},
url = {https://www.sentinelone.com/blog/detecting-a-rogue-domain-controller-dcshadow-attack/},
language = {English},
urldate = {2022-08-18}
}
Detecting a Rogue Domain Controller – DCShadow Attack MimiKatz TrickBot |
2022-07-26 ⋅ Mandiant ⋅ Thibault van Geluwe de Berlaere, Jay Christiansen, Daniel Kapellmann Zafra, Ken Proska, Keith Lunden @online{berlaere:20220726:mandiant:c1c4498,
author = {Thibault van Geluwe de Berlaere and Jay Christiansen and Daniel Kapellmann Zafra and Ken Proska and Keith Lunden},
title = {{Mandiant Red Team Emulates FIN11 Tactics To Control Operational Technology Servers}},
date = {2022-07-26},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics},
language = {English},
urldate = {2023-01-19}
}
Mandiant Red Team Emulates FIN11 Tactics To Control Operational Technology Servers Clop Industroyer MimiKatz Triton |
2022-07-09 ⋅ Artik Blue ⋅ Artik Blue @online{blue:20220709:malware:be9282b,
author = {Artik Blue},
title = {{Malware analysis with IDA/Radare2 - Basic Unpacking (Dridex first stage)}},
date = {2022-07-09},
organization = {Artik Blue},
url = {https://artik.blue/malware3},
language = {English},
urldate = {2022-07-15}
}
Malware analysis with IDA/Radare2 - Basic Unpacking (Dridex first stage) Dridex |
2022-06-23 ⋅ Kaspersky ⋅ Nikita Nazarov, Vasily Davydov, Natalya Shornikova, Vladislav Burtsev, Danila Nasonov @techreport{nazarov:20220623:hateful:bae0681,
author = {Nikita Nazarov and Vasily Davydov and Natalya Shornikova and Vladislav Burtsev and Danila Nasonov},
title = {{The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs}},
date = {2022-06-23},
institution = {Kaspersky},
url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf},
language = {English},
urldate = {2022-06-27}
}
The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs Conti Hive BlackByte BlackCat Clop LockBit Mespinoza Ragnarok |
2022-06-23 ⋅ Kaspersky ⋅ Nikita Nazarov, Vasily Davydov, Natalya Shornikova, Vladislav Burtsev, Danila Nasonov @online{nazarov:20220623:hateful:9c6bf9a,
author = {Nikita Nazarov and Vasily Davydov and Natalya Shornikova and Vladislav Burtsev and Danila Nasonov},
title = {{The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)}},
date = {2022-06-23},
organization = {Kaspersky},
url = {https://securelist.com/modern-ransomware-groups-ttps/106824/},
language = {English},
urldate = {2022-06-27}
}
The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form) BlackByte BlackCat Clop Conti Hive LockBit Mespinoza RagnarLocker |
2022-06-15 ⋅ AttackIQ ⋅ Jackson Wells, AttackIQ Adversary Research Team @online{wells:20220615:attack:aa9fcfb,
author = {Jackson Wells and AttackIQ Adversary Research Team},
title = {{Attack Graph Emulating the Conti Ransomware Team’s Behaviors}},
date = {2022-06-15},
organization = {AttackIQ},
url = {https://attackiq.com/2022/06/15/attack-graph-emulating-the-conti-ransomware-teams-behaviors/},
language = {English},
urldate = {2022-07-01}
}
Attack Graph Emulating the Conti Ransomware Team’s Behaviors BazarBackdoor Conti TrickBot |
2022-06-13 ⋅ Jorge Testa ⋅ Jorge Testa @online{testa:20220613:killing:36e9385,
author = {Jorge Testa},
title = {{Killing The Bear - Evil Corp}},
date = {2022-06-13},
organization = {Jorge Testa},
url = {https://killingthebear.jorgetesta.tech/actors/evil-corp},
language = {English},
urldate = {2022-07-01}
}
Killing The Bear - Evil Corp FAKEUPDATES Babuk Blister DoppelPaymer Dridex Entropy FriedEx Hades Macaw Phoenix Locker WastedLoader WastedLocker |
2022-06-02 ⋅ Eclypsium ⋅ Eclypsium @online{eclypsium:20220602:conti:abb9754,
author = {Eclypsium},
title = {{Conti Targets Critical Firmware}},
date = {2022-06-02},
organization = {Eclypsium},
url = {https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/},
language = {English},
urldate = {2022-06-04}
}
Conti Targets Critical Firmware Conti HermeticWiper TrickBot WhisperGate |
2022-06-02 ⋅ Mandiant ⋅ Mandiant Intelligence @online{intelligence:20220602:to:e15831c,
author = {Mandiant Intelligence},
title = {{To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions}},
date = {2022-06-02},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions},
language = {English},
urldate = {2022-06-04}
}
To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions FAKEUPDATES Blister Cobalt Strike DoppelPaymer Dridex FriedEx Hades LockBit Macaw MimiKatz Phoenix Locker WastedLocker |
2022-05-28 ⋅ Bleeping Computer ⋅ Sergiu Gatlan @online{gatlan:20220528:clop:bb8abda,
author = {Sergiu Gatlan},
title = {{Clop ransomware gang is back, hits 21 victims in a single month}},
date = {2022-05-28},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/clop-ransomware-gang-is-back-hits-21-victims-in-a-single-month/},
language = {English},
urldate = {2022-07-13}
}
Clop ransomware gang is back, hits 21 victims in a single month Clop |
2022-05-24 ⋅ Deep instinct ⋅ Bar Block @online{block:20220524:blame:9f45829,
author = {Bar Block},
title = {{Blame the Messenger: 4 Types of Dropper Malware in Microsoft Office & How to Detect Them}},
date = {2022-05-24},
organization = {Deep instinct},
url = {https://www.deepinstinct.com/blog/types-of-dropper-malware-in-microsoft-office},
language = {English},
urldate = {2022-05-29}
}
Blame the Messenger: 4 Types of Dropper Malware in Microsoft Office & How to Detect Them Dridex Emotet |
2022-05-24 ⋅ The Hacker News ⋅ Florian Goutin @online{goutin:20220524:malware:e85b49b,
author = {Florian Goutin},
title = {{Malware Analysis: Trickbot}},
date = {2022-05-24},
organization = {The Hacker News},
url = {https://thehackernews.com/2022/05/malware-analysis-trickbot.html},
language = {English},
urldate = {2022-05-29}
}
Malware Analysis: Trickbot Cobalt Strike Conti Ryuk TrickBot |
2022-05-19 ⋅ Palo Alto Networks Unit 42 ⋅ Saqib Khanzada @online{khanzada:20220519:weaponization:969a179,
author = {Saqib Khanzada},
title = {{Weaponization of Excel Add-Ins Part 2: Dridex Infection Chain Case Studies}},
date = {2022-05-19},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/excel-add-ins-dridex-infection-chain},
language = {English},
urldate = {2022-05-23}
}
Weaponization of Excel Add-Ins Part 2: Dridex Infection Chain Case Studies Dridex |
2022-05-17 ⋅ Trend Micro ⋅ Trend Micro Research @online{research:20220517:ransomware:7b86339,
author = {Trend Micro Research},
title = {{Ransomware Spotlight: RansomEXX}},
date = {2022-05-17},
organization = {Trend Micro},
url = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx},
language = {English},
urldate = {2022-05-25}
}
Ransomware Spotlight: RansomEXX LaZagne Cobalt Strike IcedID MimiKatz PyXie RansomEXX TrickBot |
2022-05-10 ⋅ RiskIQ ⋅ RiskIQ @online{riskiq:20220510:riskiq:0de1fcf,
author = {RiskIQ},
title = {{RiskIQ: Identifying Dridex C2 via SSL Certificate Patterns}},
date = {2022-05-10},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/e4fb7245},
language = {English},
urldate = {2022-05-17}
}
RiskIQ: Identifying Dridex C2 via SSL Certificate Patterns Dridex |
2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC) @online{team:20220509:ransomwareasaservice:13ec472,
author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)},
title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}},
date = {2022-05-09},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself},
language = {English},
urldate = {2022-05-17}
}
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT |
2022-05-09 ⋅ Microsoft Security ⋅ Microsoft Threat Intelligence Center, Microsoft 365 Defender Threat Intelligence Team @online{center:20220509:ransomwareasaservice:3dac44d,
author = {Microsoft Threat Intelligence Center and Microsoft 365 Defender Threat Intelligence Team},
title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}},
date = {2022-05-09},
organization = {Microsoft Security},
url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/},
language = {English},
urldate = {2022-06-02}
}
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself Griffon BazarBackdoor BlackCat BlackMatter Blister Gozi LockBit Pandora Rook SystemBC TrickBot |
2022-05-05 ⋅ YouTube (Chris Greer) ⋅ Chris Greer @online{greer:20220505:malware:d2996ea,
author = {Chris Greer},
title = {{MALWARE Analysis with Wireshark // TRICKBOT Infection}},
date = {2022-05-05},
organization = {YouTube (Chris Greer)},
url = {https://www.youtube.com/watch?v=Brx4cygfmg8},
language = {English},
urldate = {2022-05-05}
}
MALWARE Analysis with Wireshark // TRICKBOT Infection TrickBot |
2022-04-28 ⋅ Symantec ⋅ Karthikeyan C Kasiviswanathan, Vishal Kamble @online{kasiviswanathan:20220428:ransomware:95feafb,
author = {Karthikeyan C Kasiviswanathan and Vishal Kamble},
title = {{Ransomware: How Attackers are Breaching Corporate Networks}},
date = {2022-04-28},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker},
language = {English},
urldate = {2022-05-04}
}
Ransomware: How Attackers are Breaching Corporate Networks AvosLocker Conti Emotet Hive IcedID PhotoLoader QakBot TrickBot |
2022-04-27 ⋅ Medium elis531989 ⋅ Eli Salem @online{salem:20220427:chronicles:c55d826,
author = {Eli Salem},
title = {{The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection}},
date = {2022-04-27},
organization = {Medium elis531989},
url = {https://elis531989.medium.com/the-chronicles-of-bumblebee-the-hook-the-bee-and-the-trickbot-connection-686379311056},
language = {English},
urldate = {2022-04-29}
}
The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection BumbleBee TrickBot |
2022-04-27 ⋅ ANSSI ⋅ ANSSI @techreport{anssi:20220427:le:5d47343,
author = {ANSSI},
title = {{LE GROUPE CYBERCRIMINEL FIN7}},
date = {2022-04-27},
institution = {ANSSI},
url = {https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf},
language = {French},
urldate = {2022-05-05}
}
LE GROUPE CYBERCRIMINEL FIN7 Bateleur BELLHOP Griffon SQLRat POWERSOURCE Andromeda BABYMETAL BlackCat BlackMatter BOOSTWRITE Carbanak Cobalt Strike DNSMessenger Dridex DRIFTPIN Gameover P2P MimiKatz Murofet Qadars Ranbyus SocksBot |
2022-04-26 ⋅ Intel 471 ⋅ Intel 471 @online{471:20220426:conti:6bcff7d,
author = {Intel 471},
title = {{Conti and Emotet: A constantly destructive duo}},
date = {2022-04-26},
organization = {Intel 471},
url = {https://intel471.com/blog/conti-emotet-ransomware-conti-leaks},
language = {English},
urldate = {2022-04-29}
}
Conti and Emotet: A constantly destructive duo Cobalt Strike Conti Emotet IcedID QakBot TrickBot |
2022-04-20 ⋅ CISA ⋅ CISA, NSA, FBI, Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), Government Communications Security Bureau, NCSC UK, National Crime Agency (NCA) @techreport{cisa:20220420:aa22110a:4fde5d6,
author = {CISA and NSA and FBI and Australian Cyber Security Centre (ACSC) and Canadian Centre for Cyber Security (CCCS) and Government Communications Security Bureau and NCSC UK and National Crime Agency (NCA)},
title = {{AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}},
date = {2022-04-20},
institution = {CISA},
url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf},
language = {English},
urldate = {2022-04-25}
}
AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader |
2022-04-20 ⋅ CISA ⋅ CISA @online{cisa:20220420:alert:529e28c,
author = {CISA},
title = {{Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}},
date = {2022-04-20},
organization = {CISA},
url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-110a},
language = {English},
urldate = {2022-04-25}
}
Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader Killnet |
2022-04-18 ⋅ RiskIQ ⋅ Jennifer Grob @online{grob:20220418:riskiq:d5109f2,
author = {Jennifer Grob},
title = {{RiskIQ: Trickbot Rickroll}},
date = {2022-04-18},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/04ec92f4},
language = {English},
urldate = {2022-04-20}
}
RiskIQ: Trickbot Rickroll TrickBot |
2022-04-17 ⋅ BushidoToken Blog ⋅ BushidoToken @online{bushidotoken:20220417:lessons:d4d0595,
author = {BushidoToken},
title = {{Lessons from the Conti Leaks}},
date = {2022-04-17},
organization = {BushidoToken Blog},
url = {https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html},
language = {English},
urldate = {2022-04-25}
}
Lessons from the Conti Leaks BazarBackdoor Conti Emotet IcedID Ryuk TrickBot |
2022-04-15 ⋅ Bleeping Computer ⋅ Ionut Ilascu @online{ilascu:20220415:karakurt:6fc6399,
author = {Ionut Ilascu},
title = {{Karakurt revealed as data extortion arm of Conti cybercrime syndicate}},
date = {2022-04-15},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/},
language = {English},
urldate = {2022-05-04}
}
Karakurt revealed as data extortion arm of Conti cybercrime syndicate Anchor BazarBackdoor Conti TrickBot |
2022-04-15 ⋅ Arctic Wolf ⋅ Arctic Wolf @online{wolf:20220415:karakurt:623f8e6,
author = {Arctic Wolf},
title = {{The Karakurt Web: Threat Intel and Blockchain Analysis Reveals Extension of Conti Business Model}},
date = {2022-04-15},
organization = {Arctic Wolf},
url = {https://arcticwolf.com/resources/blog/karakurt-web},
language = {English},
urldate = {2022-05-04}
}
The Karakurt Web: Threat Intel and Blockchain Analysis Reveals Extension of Conti Business Model Conti Diavol Ryuk TrickBot |
2022-04-08 ⋅ ReversingLabs ⋅ Paul Roberts @online{roberts:20220408:conversinglabs:270c740,
author = {Paul Roberts},
title = {{ConversingLabs Ep. 2: Conti pivots as ransomware as a service struggles}},
date = {2022-04-08},
organization = {ReversingLabs},
url = {https://blog.reversinglabs.com/blog/conversinglabs-ep-2-conti-pivots-as-ransomware-as-a-service-struggles},
language = {English},
urldate = {2022-06-09}
}
ConversingLabs Ep. 2: Conti pivots as ransomware as a service struggles Conti Emotet TrickBot |
2022-04-05 ⋅ Intel 471 ⋅ Intel 471 @online{471:20220405:move:d589859,
author = {Intel 471},
title = {{Move fast and commit crimes: Conti’s development teams mirror corporate tech}},
date = {2022-04-05},
organization = {Intel 471},
url = {https://intel471.com/blog/conti-leaks-ransomware-development},
language = {English},
urldate = {2022-04-07}
}
Move fast and commit crimes: Conti’s development teams mirror corporate tech BazarBackdoor TrickBot |
2022-03-31 ⋅ Trellix ⋅ John Fokker, Jambul Tologonov @online{fokker:20220331:conti:3bc2974,
author = {John Fokker and Jambul Tologonov},
title = {{Conti Leaks: Examining the Panama Papers of Ransomware}},
date = {2022-03-31},
organization = {Trellix},
url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html},
language = {English},
urldate = {2022-04-07}
}
Conti Leaks: Examining the Panama Papers of Ransomware LockBit Amadey Buer Conti IcedID LockBit Mailto Maze PhotoLoader Ryuk TrickBot |
2022-03-23 ⋅ Secureworks ⋅ Counter Threat Unit Research Team @online{researchteam:20220323:gold:0f3da90,
author = {Counter Threat Unit Research Team},
title = {{GOLD ULRICK Leaks Reveal Organizational Structure and Relationships}},
date = {2022-03-23},
organization = {Secureworks},
url = {https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships},
language = {English},
urldate = {2022-03-25}
}
GOLD ULRICK Leaks Reveal Organizational Structure and Relationships Conti Emotet IcedID TrickBot |
2022-03-23 ⋅ Secureworks ⋅ Counter Threat Unit Research Team @online{researchteam:20220323:threat:84ad46c,
author = {Counter Threat Unit Research Team},
title = {{Threat Intelligence Executive Report Volume 2022, Number 2}},
date = {2022-03-23},
organization = {Secureworks},
url = {https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx},
language = {English},
urldate = {2022-03-25}
}
Threat Intelligence Executive Report Volume 2022, Number 2 Conti Emotet IcedID TrickBot |
2022-03-21 ⋅ Threat Post ⋅ Lisa Vaas @online{vaas:20220321:conti:0b203c8,
author = {Lisa Vaas},
title = {{Conti Ransomware V. 3, Including Decryptor, Leaked}},
date = {2022-03-21},
organization = {Threat Post},
url = {https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/179006/},
language = {English},
urldate = {2022-03-22}
}
Conti Ransomware V. 3, Including Decryptor, Leaked Cobalt Strike Conti TrickBot |
2022-03-18 ⋅ Avast ⋅ Martin Hron @online{hron:20220318:mris:47b15bc,
author = {Martin Hron},
title = {{Mēris and TrickBot standing on the shoulders of giants}},
date = {2022-03-18},
organization = {Avast},
url = {https://decoded.avast.io/martinhron/meris-and-trickbot-standing-on-the-shoulders-of-giants/},
language = {English},
urldate = {2022-03-23}
}
Mēris and TrickBot standing on the shoulders of giants Glupteba Proxy Glupteba TrickBot |
2022-03-16 ⋅ Microsoft ⋅ Microsoft Defender for IoT Research Team, Microsoft Threat Intelligence Center (MSTIC) @online{team:20220316:uncovering:aae61b5,
author = {Microsoft Defender for IoT Research Team and Microsoft Threat Intelligence Center (MSTIC)},
title = {{Uncovering Trickbot’s use of IoT devices in command-and-control infrastructure}},
date = {2022-03-16},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2022/03/16/uncovering-trickbots-use-of-iot-devices-in-command-and-control-infrastructure/},
language = {English},
urldate = {2022-03-17}
}
Uncovering Trickbot’s use of IoT devices in command-and-control infrastructure TrickBot |
2022-03-15 ⋅ RiskIQ ⋅ RiskIQ @online{riskiq:20220315:riskiq:da0e578,
author = {RiskIQ},
title = {{RiskIQ: Trickbot Abuse of Compromised MikroTik Routers for Command and Control}},
date = {2022-03-15},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/111d6005/description},
language = {English},
urldate = {2022-03-17}
}
RiskIQ: Trickbot Abuse of Compromised MikroTik Routers for Command and Control TrickBot |
2022-03-13 ⋅ Malcat ⋅ malcat team @online{team:20220313:cutting:f4878c8,
author = {malcat team},
title = {{Cutting corners against a Dridex downloader}},
date = {2022-03-13},
organization = {Malcat},
url = {https://malcat.fr/blog/cutting-corners-against-a-dridex-downloader/},
language = {English},
urldate = {2022-03-14}
}
Cutting corners against a Dridex downloader Dridex |
2022-03-09 ⋅ BreachQuest ⋅ Marco Figueroa, Napoleon Bing, Bernard Silvestrini @online{figueroa:20220309:conti:d237b64,
author = {Marco Figueroa and Napoleon Bing and Bernard Silvestrini},
title = {{The Conti Leaks | Insight into a Ransomware Unicorn}},
date = {2022-03-09},
organization = {BreachQuest},
url = {https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/},
language = {English},
urldate = {2022-03-14}
}
The Conti Leaks | Insight into a Ransomware Unicorn Cobalt Strike MimiKatz TrickBot |
2022-03-09 ⋅ Bleeping Computer ⋅ Ionut Ilascu @online{ilascu:20220309:cisa:63f18cd,
author = {Ionut Ilascu},
title = {{CISA updates Conti ransomware alert with nearly 100 domain names}},
date = {2022-03-09},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/},
language = {English},
urldate = {2022-03-10}
}
CISA updates Conti ransomware alert with nearly 100 domain names BazarBackdoor Cobalt Strike Conti TrickBot |
2022-03-04 ⋅ Reuters ⋅ Raphael Satter @online{satter:20220304:details:66f903a,
author = {Raphael Satter},
title = {{Details of another big ransomware group 'Trickbot' leak online, experts say}},
date = {2022-03-04},
organization = {Reuters},
url = {https://www.reuters.com/technology/details-another-big-ransomware-group-trickbot-leak-online-experts-say-2022-03-04/},
language = {English},
urldate = {2022-03-07}
}
Details of another big ransomware group 'Trickbot' leak online, experts say TrickBot |
2022-03-04 ⋅ Thales ⋅ Thales @online{thales:20220304:atk103:1d916bb,
author = {Thales},
title = {{ATK103}},
date = {2022-03-04},
organization = {Thales},
url = {https://cyberthreat.thalesgroup.com/attackers/ATK103},
language = {English},
urldate = {2022-10-06}
}
ATK103 TA505 |
2022-03-02 ⋅ KrebsOnSecurity ⋅ Brian Krebs @online{krebs:20220302:conti:03b0358,
author = {Brian Krebs},
title = {{Conti Ransomware Group Diaries, Part II: The Office}},
date = {2022-03-02},
organization = {KrebsOnSecurity},
url = {https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/},
language = {English},
urldate = {2022-03-07}
}
Conti Ransomware Group Diaries, Part II: The Office Conti Emotet Ryuk TrickBot |
2022-03-02 ⋅ Threatpost ⋅ Lisa Vaas @online{vaas:20220302:conti:ffc8271,
author = {Lisa Vaas},
title = {{Conti Ransomware Decryptor, TrickBot Source Code Leaked}},
date = {2022-03-02},
organization = {Threatpost},
url = {https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/},
language = {English},
urldate = {2022-03-07}
}
Conti Ransomware Decryptor, TrickBot Source Code Leaked Conti TrickBot |
2022-03-02 ⋅ CyberArk ⋅ CyberArk Labs @online{labs:20220302:conti:52c16db,
author = {CyberArk Labs},
title = {{Conti Group Leaked!}},
date = {2022-03-02},
organization = {CyberArk},
url = {https://www.cyberark.com/resources/threat-research-blog/conti-group-leaked},
language = {English},
urldate = {2022-03-03}
}
Conti Group Leaked! TeamTNT Conti TrickBot |
2022-03-01 ⋅ VX-Underground @online{vxunderground:20220301:leaks:6e42f8b,
author = {VX-Underground},
title = {{Leaks: Conti / Trickbot}},
date = {2022-03-01},
url = {https://share.vx-underground.org/Conti/},
language = {English},
urldate = {2022-03-07}
}
Leaks: Conti / Trickbot Conti TrickBot |
2022-03 ⋅ VirusTotal ⋅ VirusTotal @techreport{virustotal:202203:virustotals:c6af9c1,
author = {VirusTotal},
title = {{VirusTotal's 2021 Malware Trends Report}},
date = {2022-03},
institution = {VirusTotal},
url = {https://assets.virustotal.com/reports/2021trends.pdf},
language = {English},
urldate = {2022-04-13}
}
VirusTotal's 2021 Malware Trends Report Anubis AsyncRAT BlackMatter Cobalt Strike DanaBot Dridex Khonsari MimiKatz Mirai Nanocore RAT Orcus RAT |
2022-02-25 ⋅ CyberScoop ⋅ Joe Warminsky @online{warminsky:20220225:trickbot:2d38470,
author = {Joe Warminsky},
title = {{TrickBot malware suddenly got quiet, researchers say, but it's hardly the end for its operators}},
date = {2022-02-25},
organization = {CyberScoop},
url = {https://www.cyberscoop.com/trickbot-shutdown-conti-emotet/},
language = {English},
urldate = {2022-03-01}
}
TrickBot malware suddenly got quiet, researchers say, but it's hardly the end for its operators BazarBackdoor Emotet TrickBot |
2022-02-24 ⋅ The Record ⋅ Catalin Cimpanu @online{cimpanu:20220224:trickbot:2f5ab4d,
author = {Catalin Cimpanu},
title = {{TrickBot gang shuts down botnet after months of inactivity}},
date = {2022-02-24},
organization = {The Record},
url = {https://therecord.media/trickbot-gang-shuts-down-botnet-after-months-of-inactivity/},
language = {English},
urldate = {2022-03-01}
}
TrickBot gang shuts down botnet after months of inactivity TrickBot |
2022-02-24 ⋅ The Hacker News ⋅ Ravie Lakshmanan @online{lakshmanan:20220224:notorious:c5e1556,
author = {Ravie Lakshmanan},
title = {{Notorious TrickBot Malware Gang Shuts Down its Botnet Infrastructure}},
date = {2022-02-24},
organization = {The Hacker News},
url = {https://thehackernews.com/2022/02/notorious-trickbot-malware-gang-shuts.html},
language = {English},
urldate = {2022-03-04}
}
Notorious TrickBot Malware Gang Shuts Down its Botnet Infrastructure BazarBackdoor Emotet TrickBot |
2022-02-24 ⋅ The Hacker News ⋅ Ravie Lakshmanan @online{lakshmanan:20220224:trickbot:7e86d52,
author = {Ravie Lakshmanan},
title = {{TrickBot Gang Likely Shifting Operations to Switch to New Malware}},
date = {2022-02-24},
organization = {The Hacker News},
url = {https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html},
language = {English},
urldate = {2022-03-01}
}
TrickBot Gang Likely Shifting Operations to Switch to New Malware BazarBackdoor Emotet QakBot TrickBot |
2022-02-23 ⋅ SophosLabs Uncut ⋅ Andrew Brandt @online{brandt:20220223:dridex:c1d4784,
author = {Andrew Brandt},
title = {{Dridex bots deliver Entropy ransomware in recent attacks}},
date = {2022-02-23},
organization = {SophosLabs Uncut},
url = {https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/},
language = {English},
urldate = {2022-03-01}
}
Dridex bots deliver Entropy ransomware in recent attacks Cobalt Strike Dridex Entropy |
2022-02-23 ⋅ Sentinel LABS ⋅ Antonio Pirozzi, Antonis Terefos, Idan Weizman @online{pirozzi:20220223:sanctions:aae1c98,
author = {Antonio Pirozzi and Antonis Terefos and Idan Weizman},
title = {{Sanctions Be Damned | From Dridex to Macaw, The Evolution of Evil Corp}},
date = {2022-02-23},
organization = {Sentinel LABS},
url = {https://www.sentinelone.com/labs/sanctions-be-damned-from-dridex-to-macaw-the-evolution-of-evil-corp/},
language = {English},
urldate = {2022-02-26}
}
Sanctions Be Damned | From Dridex to Macaw, The Evolution of Evil Corp Dridex WastedLocker |
2022-02-22 ⋅ Bankinfo Security ⋅ Matthew J. Schwartz @online{schwartz:20220222:cybercrime:ccc094e,
author = {Matthew J. Schwartz},
title = {{Cybercrime Moves: Conti Ransomware Absorbs TrickBot Malware}},
date = {2022-02-22},
organization = {Bankinfo Security},
url = {https://www.bankinfosecurity.com/cybercrime-moves-conti-ransomware-absorbs-trickbot-malware-a-18573},
language = {English},
urldate = {2022-02-26}
}
Cybercrime Moves: Conti Ransomware Absorbs TrickBot Malware Conti TrickBot |
2022-02-22 ⋅ Trend Micro ⋅ Trend Micro Research @online{research:20220222:ransomware:677506b,
author = {Trend Micro Research},
title = {{Ransomware Spotlight: Clop}},
date = {2022-02-22},
organization = {Trend Micro},
url = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-clop},
language = {English},
urldate = {2022-02-26}
}
Ransomware Spotlight: Clop Clop |
2022-02-20 ⋅ Security Affairs ⋅ Pierluigi Paganini @online{paganini:20220220:conti:a6d57b1,
author = {Pierluigi Paganini},
title = {{The Conti ransomware group takes over TrickBot malware operation and plans to replace it with BazarBackdoor malware.}},
date = {2022-02-20},
organization = {Security Affairs},
url = {https://securityaffairs.co/wordpress/128190/cyber-crime/conti-ransomware-takes-over-trickbot.html},
language = {English},
urldate = {2022-02-26}
}
The Conti ransomware group takes over TrickBot malware operation and plans to replace it with BazarBackdoor malware. Conti TrickBot |
2022-02-18 ⋅ Bleeping Computer ⋅ Ionut Ilascu @online{ilascu:20220218:conti:9a7f82b,
author = {Ionut Ilascu},
title = {{Conti ransomware gang takes over TrickBot malware operation}},
date = {2022-02-18},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/conti-ransomware-gang-takes-over-trickbot-malware-operation/},
language = {English},
urldate = {2022-02-19}
}
Conti ransomware gang takes over TrickBot malware operation Conti TrickBot |
2022-02-16 ⋅ Check Point Research ⋅ Aliaksandr Trafimchuk, Raman Ladutska @online{trafimchuk:20220216:modern:a6f60a5,
author = {Aliaksandr Trafimchuk and Raman Ladutska},
title = {{A Modern Ninja: Evasive Trickbot Attacks Customers of 60 High-Profile Companies}},
date = {2022-02-16},
organization = {Check Point Research},
url = {https://research.checkpoint.com/2022/a-modern-ninja-evasive-trickbot-attacks-customers-of-60-high-profile-companies/},
language = {English},
urldate = {2022-02-18}
}
A Modern Ninja: Evasive Trickbot Attacks Customers of 60 High-Profile Companies TrickBot |
2022-02-16 ⋅ Threat Post ⋅ Tara Seals @online{seals:20220216:trickbot:a1c11b3,
author = {Tara Seals},
title = {{TrickBot Ravages Customers of Amazon, PayPal and Other Top Brands}},
date = {2022-02-16},
organization = {Threat Post},
url = {https://threatpost.com/trickbot-amazon-paypal-top-brands/178483/},
language = {English},
urldate = {2022-02-17}
}
TrickBot Ravages Customers of Amazon, PayPal and Other Top Brands TrickBot |
2022-02-16 ⋅ Advanced Intelligence ⋅ Yelisey Boguslavskiy @online{boguslavskiy:20220216:trickbot:a431e84,
author = {Yelisey Boguslavskiy},
title = {{The TrickBot Saga’s Finale Has Aired: Spinoff is Already in the Works}},
date = {2022-02-16},
organization = {Advanced Intelligence},
url = {https://www.advintel.io/post/the-trickbot-saga-s-finale-has-aired-but-a-spinoff-is-already-in-the-works},
language = {English},
urldate = {2022-02-19}
}
The TrickBot Saga’s Finale Has Aired: Spinoff is Already in the Works TrickBot |
2022-02-08 ⋅ Intel 471 ⋅ Intel 471 @online{471:20220208:privateloader:5e226cd,
author = {Intel 471},
title = {{PrivateLoader: The first step in many malware schemes}},
date = {2022-02-08},
organization = {Intel 471},
url = {https://intel471.com/blog/privateloader-malware},
language = {English},
urldate = {2022-05-09}
}
PrivateLoader: The first step in many malware schemes Dridex Kronos LockBit Nanocore RAT NjRAT PrivateLoader Quasar RAT RedLine Stealer Remcos SmokeLoader STOP Tofsee TrickBot Vidar |
2022-02-02 ⋅ IBM ⋅ Kevin Henson @online{henson:20220202:trickbot:fd4964d,
author = {Kevin Henson},
title = {{TrickBot Gang Uses Template-Based Metaprogramming in Bazar Malware}},
date = {2022-02-02},
organization = {IBM},
url = {https://securityintelligence.com/posts/trickbot-gang-template-based-metaprogramming-bazar-malware/},
language = {English},
urldate = {2022-02-04}
}
TrickBot Gang Uses Template-Based Metaprogramming in Bazar Malware BazarBackdoor TrickBot |
2022-02-01 ⋅ Wired ⋅ Matt Burgess @online{burgess:20220201:inside:bb20f12,
author = {Matt Burgess},
title = {{Inside Trickbot, Russia’s Notorious Ransomware Gang}},
date = {2022-02-01},
organization = {Wired},
url = {https://www.wired.com/story/trickbot-malware-group-internal-messages/},
language = {English},
urldate = {2022-02-02}
}
Inside Trickbot, Russia’s Notorious Ransomware Gang TrickBot |
2022-02 ⋅ Sentinel LABS ⋅ Antonio Pirozzi, Antonis Terefos, Idan Weizman @techreport{pirozzi:202202:sanctions:2213742,
author = {Antonio Pirozzi and Antonis Terefos and Idan Weizman},
title = {{Sanctions be Damned | From Dridex To Macaw, The Evolution of Evil Corp}},
date = {2022-02},
institution = {Sentinel LABS},
url = {https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf},
language = {English},
urldate = {2022-05-17}
}
Sanctions be Damned | From Dridex To Macaw, The Evolution of Evil Corp Dridex FriedEx Hades Phoenix Locker WastedLocker |
2022-02-01 ⋅ Wired ⋅ Matt Burgess @online{burgess:20220201:inside:0e154c3,
author = {Matt Burgess},
title = {{Inside Trickbot, Russia’s Notorious Ransomware Gang}},
date = {2022-02-01},
organization = {Wired},
url = {https://www.wired.co.uk/article/trickbot-malware-group-internal-messages},
language = {English},
urldate = {2022-02-09}
}
Inside Trickbot, Russia’s Notorious Ransomware Gang TrickBot |
2022-01-24 ⋅ IBM ⋅ Michael Gal, Segev Fogel, Itzik Chimino, Limor Kessem, Charlotte Hammond @online{gal:20220124:trickbot:8a030b3,
author = {Michael Gal and Segev Fogel and Itzik Chimino and Limor Kessem and Charlotte Hammond},
title = {{TrickBot Bolsters Layered Defenses to Prevent Injection Research}},
date = {2022-01-24},
organization = {IBM},
url = {https://securityintelligence.com/posts/trickbot-bolsters-layered-defenses-prevent-injection/},
language = {English},
urldate = {2022-01-25}
}
TrickBot Bolsters Layered Defenses to Prevent Injection Research TrickBot |
2022-01-24 ⋅ Kryptos Logic ⋅ Kryptos Logic Vantage Team @online{team:20220124:deep:bb877d2,
author = {Kryptos Logic Vantage Team},
title = {{Deep Dive into Trickbot's Web Injection}},
date = {2022-01-24},
organization = {Kryptos Logic},
url = {https://www.kryptoslogic.com/blog/2022/01/deep-dive-into-trickbots-web-injection/},
language = {English},
urldate = {2022-01-25}
}
Deep Dive into Trickbot's Web Injection TrickBot |
2022-01-19 ⋅ FBI ⋅ FBI @techreport{fbi:20220119:cu000161mw:19f7d2b,
author = {FBI},
title = {{CU-000161-MW: Indicators of Compromise Associated with Diavol Ransomware}},
date = {2022-01-19},
institution = {FBI},
url = {https://www.ic3.gov/Media/News/2022/220120.pdf},
language = {English},
urldate = {2022-01-24}
}
CU-000161-MW: Indicators of Compromise Associated with Diavol Ransomware Diavol TrickBot |
2022-01-18 ⋅ Recorded Future ⋅ Insikt Group® @techreport{group:20220118:2021:9cff6fc,
author = {Insikt Group®},
title = {{2021 Adversary Infrastructure Report}},
date = {2022-01-18},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf},
language = {English},
urldate = {2022-01-24}
}
2021 Adversary Infrastructure Report BazarBackdoor Cobalt Strike Dridex IcedID QakBot TrickBot |
2022-01-14 ⋅ RiskIQ ⋅ Jordan Herman @online{herman:20220114:riskiq:f4f5b68,
author = {Jordan Herman},
title = {{RiskIQ: Unique SSL Certificates and JARM Hash Connected to Emotet and Dridex C2 Servers}},
date = {2022-01-14},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/2cd1c003},
language = {English},
urldate = {2022-01-18}
}
RiskIQ: Unique SSL Certificates and JARM Hash Connected to Emotet and Dridex C2 Servers Dridex Emotet |
2022-01-11 ⋅ muha2xmad ⋅ Muhammad Hasan Ali @online{ali:20220111:unpacking:2fe091c,
author = {Muhammad Hasan Ali},
title = {{Unpacking Dridex malware}},
date = {2022-01-11},
organization = {muha2xmad},
url = {https://muha2xmad.github.io/unpacking/dridex/},
language = {English},
urldate = {2022-01-25}
}
Unpacking Dridex malware Dridex |
2022-01-09 ⋅ Atomic Matryoshka ⋅ z3r0day_504 @online{z3r0day504:20220109:malware:81e38aa,
author = {z3r0day_504},
title = {{Malware Headliners: Dridex}},
date = {2022-01-09},
organization = {Atomic Matryoshka},
url = {https://www.atomicmatryoshka.com/post/malware-headliners-dridex},
language = {English},
urldate = {2022-02-01}
}
Malware Headliners: Dridex Dridex |
2021-12-23 ⋅ Symantec ⋅ Siddhesh Chandrayan @online{chandrayan:20211223:log4j:58ea562,
author = {Siddhesh Chandrayan},
title = {{Log4j Vulnerabilities: Attack Insights}},
date = {2021-12-23},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks},
language = {English},
urldate = {2022-01-25}
}
Log4j Vulnerabilities: Attack Insights Tsunami Conti Dridex Khonsari Orcus RAT TellYouThePass |
2021-12-20 ⋅ InQuest ⋅ Nick Chalard @online{chalard:20211220:dont:0aad3db,
author = {Nick Chalard},
title = {{(Don't) Bring Dridex Home for the Holidays}},
date = {2021-12-20},
organization = {InQuest},
url = {https://inquest.net/blog/2021/12/20/dont-bring-dridex-home-holidays},
language = {English},
urldate = {2021-12-22}
}
(Don't) Bring Dridex Home for the Holidays DoppelDridex Dridex |
2021-12-08 ⋅ Check Point Research ⋅ Raman Ladutska, Aliaksandr Trafimchuk, David Driker, Yali Magiel @online{ladutska:20211208:when:16ee92b,
author = {Raman Ladutska and Aliaksandr Trafimchuk and David Driker and Yali Magiel},
title = {{When old friends meet again: why Emotet chose Trickbot for rebirth}},
date = {2021-12-08},
organization = {Check Point Research},
url = {https://research.checkpoint.com/2021/when-old-friends-meet-again-why-emotet-chose-trickbot-for-rebirth/},
language = {English},
urldate = {2022-02-18}
}
When old friends meet again: why Emotet chose Trickbot for rebirth Emotet TrickBot |
2021-12-03 ⋅ GoSecure ⋅ GoSecure Titan Labs @online{labs:20211203:trickbot:9dd4feb,
author = {GoSecure Titan Labs},
title = {{TrickBot Leverages Zoom Work from Home Interview Malspam, Heaven’s Gate and… Spamhaus?}},
date = {2021-12-03},
organization = {GoSecure},
url = {https://www.gosecure.net/blog/2021/12/03/trickbot-leverages-zoom-work-from-home-interview-malspam-heavens-gate-and-spamhaus/},
language = {English},
urldate = {2022-02-26}
}
TrickBot Leverages Zoom Work from Home Interview Malspam, Heaven’s Gate and… Spamhaus? TrickBot |
2021-12-01 ⋅ NCC Group ⋅ Nikolaos Pantazopoulos, Michael Sandee @online{pantazopoulos:20211201:tracking:b67c8f7,
author = {Nikolaos Pantazopoulos and Michael Sandee},
title = {{Tracking a P2P network related to TA505}},
date = {2021-12-01},
organization = {NCC Group},
url = {https://research.nccgroup.com/2021/12/01/tracking-a-p2p-network-related-with-ta505/},
language = {English},
urldate = {2021-12-01}
}
Tracking a P2P network related to TA505 FlawedGrace Necurs |
2021-11-21 ⋅ Cyber-Anubis ⋅ Nidal Fikri @online{fikri:20211121:dridex:b9218fa,
author = {Nidal Fikri},
title = {{Dridex Trojan | Defeating Anti-Analysis | Strings Decryption | C&C Extraction}},
date = {2021-11-21},
organization = {Cyber-Anubis},
url = {https://cyber-anubis.github.io/malware%20analysis/dridex/},
language = {English},
urldate = {2021-12-01}
}
Dridex Trojan | Defeating Anti-Analysis | Strings Decryption | C&C Extraction DoppelDridex Dridex |
2021-11-16 ⋅ Yoroi ⋅ Luigi Martire, Carmelo Ragusa, Luca Mella @online{martire:20211116:office:2dba65a,
author = {Luigi Martire and Carmelo Ragusa and Luca Mella},
title = {{Office Documents: May the XLL technique change the threat Landscape in 2022?}},
date = {2021-11-16},
organization = {Yoroi},
url = {https://yoroi.company/research/office-documents-may-the-xll-technique-change-the-threat-landscape-in-2022/},
language = {English},
urldate = {2021-11-17}
}
Office Documents: May the XLL technique change the threat Landscape in 2022? Agent Tesla Dridex Formbook |
2021-11-16 ⋅ Malwarebytes ⋅ Malwarebytes Threat Intelligence Team @online{team:20211116:trickbot:b624694,
author = {Malwarebytes Threat Intelligence Team},
title = {{TrickBot helps Emotet come back from the dead}},
date = {2021-11-16},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-intelligence/2021/11/trickbot-helps-emotet-come-back-from-the-dead/},
language = {English},
urldate = {2021-11-17}
}
TrickBot helps Emotet come back from the dead Emotet TrickBot |
2021-11-16 ⋅ Trend Micro ⋅ Trend Micro @online{micro:20211116:global:5b996d3,
author = {Trend Micro},
title = {{Global Operations Lead to Arrests of Alleged Members of GandCrab/REvil and Cl0p Cartels}},
date = {2021-11-16},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html},
language = {English},
urldate = {2021-11-18}
}
Global Operations Lead to Arrests of Alleged Members of GandCrab/REvil and Cl0p Cartels REvil Clop Gandcrab REvil |
2021-11-12 ⋅ Recorded Future ⋅ Insikt Group® @techreport{group:20211112:business:6d6cffa,
author = {Insikt Group®},
title = {{The Business of Fraud: Botnet Malware Dissemination}},
date = {2021-11-12},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf},
language = {English},
urldate = {2021-11-17}
}
The Business of Fraud: Botnet Malware Dissemination Mozi Dridex IcedID QakBot TrickBot |
2021-11-04 ⋅ Security Service of Ukraine ⋅ Security Service of Ukraine @techreport{ukraine:20211104:gamaredon:7be7543,
author = {Security Service of Ukraine},
title = {{Gamaredon / Armageddon Group: FSB RF Cyber attacks against Ukraine}},
date = {2021-11-04},
institution = {Security Service of Ukraine},
url = {https://ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf},
language = {English},
urldate = {2022-03-01}
}
Gamaredon / Armageddon Group: FSB RF Cyber attacks against Ukraine EvilGnome Pteranodon RMS |
2021-10-29 ⋅ Національна поліція України ⋅ Національна поліція України @online{:20211029:cyberpolice:fc43b20,
author = {Національна поліція України},
title = {{Cyberpolice exposes transnational criminal group in causing $ 120 million in damage to foreign companies}},
date = {2021-10-29},
organization = {Національна поліція України},
url = {https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/},
language = {Ukrainian},
urldate = {2021-11-02}
}
Cyberpolice exposes transnational criminal group in causing $ 120 million in damage to foreign companies Cobalt Strike Dharma LockerGoga MegaCortex TrickBot |
2021-10-29 ⋅ Europol ⋅ Europol @online{europol:20211029:12:5c0fd59,
author = {Europol},
title = {{12 targeted for involvement in ransomware attacks against critical infrastructure}},
date = {2021-10-29},
organization = {Europol},
url = {https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure},
language = {English},
urldate = {2021-11-02}
}
12 targeted for involvement in ransomware attacks against critical infrastructure Cobalt Strike Dharma LockerGoga MegaCortex TrickBot |
2021-10-28 ⋅ Department of Justice ⋅ Department of Justice @online{justice:20211028:russian:52deb25,
author = {Department of Justice},
title = {{Russian National (Vladimir Dunaev) Extradited to United States to Face Charges for Alleged Role in Cybercriminal Organization}},
date = {2021-10-28},
organization = {Department of Justice},
url = {https://www.justice.gov/opa/pr/russian-national-extradited-united-states-face-charges-alleged-role-cybercriminal},
language = {English},
urldate = {2021-11-02}
}
Russian National (Vladimir Dunaev) Extradited to United States to Face Charges for Alleged Role in Cybercriminal Organization TrickBot |
2021-10-28 ⋅ Department of Justice ⋅ Department of Justice @online{justice:20211028:indictment:24d4225,
author = {Department of Justice},
title = {{Indictment: Russian National (Vladimir Dunaev) Extradited to United States to Face Charges for Alleged Role in Cybercriminal Organization}},
date = {2021-10-28},
organization = {Department of Justice},
url = {https://www.justice.gov/opa/press-release/file/1445241/download},
language = {English},
urldate = {2021-11-03}
}
Indictment: Russian National (Vladimir Dunaev) Extradited to United States to Face Charges for Alleged Role in Cybercriminal Organization TrickBot |
2021-10-27 ⋅ VinCSS ⋅ m4n0w4r, Tran Trung Kien @online{m4n0w4r:20211027:re025:52c8a55,
author = {m4n0w4r and Tran Trung Kien},
title = {{[RE025] TrickBot ... many tricks}},
date = {2021-10-27},
organization = {VinCSS},
url = {https://blog.vincss.net/2021/10/re025-trickbot-many-tricks.html},
language = {English},
urldate = {2021-11-02}
}
[RE025] TrickBot ... many tricks TrickBot |
2021-10-21 ⋅ CrowdStrike ⋅ Alex Clinton, Tasha Robinson @online{clinton:20211021:stopping:3c26152,
author = {Alex Clinton and Tasha Robinson},
title = {{Stopping GRACEFUL SPIDER: Falcon Complete’s Fast Response to Recent SolarWinds Serv-U Exploit Campaign}},
date = {2021-10-21},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/},
language = {English},
urldate = {2021-11-02}
}
Stopping GRACEFUL SPIDER: Falcon Complete’s Fast Response to Recent SolarWinds Serv-U Exploit Campaign Cobalt Strike FlawedGrace TinyMet |
2021-10-19 ⋅ Proofpoint ⋅ Zydeca Cass, Axel F, Crista Giering, Matthew Mesa, Georgi Mladenov, Brandon Murphy @online{cass:20211019:whatta:4d969e1,
author = {Zydeca Cass and Axel F and Crista Giering and Matthew Mesa and Georgi Mladenov and Brandon Murphy},
title = {{Whatta TA: TA505 Ramps Up Activity, Delivers New FlawedGrace Variant}},
date = {2021-10-19},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/blog/threat-insight/whatta-ta-ta505-ramps-activity-delivers-new-flawedgrace-variant},
language = {English},
urldate = {2021-10-24}
}
Whatta TA: TA505 Ramps Up Activity, Delivers New FlawedGrace Variant FlawedGrace MirrorBlast |
2021-10-19 ⋅ Kaspersky ⋅ Oleg Kupreev @online{kupreev:20211019:trickbot:f7cfc04,
author = {Oleg Kupreev},
title = {{Trickbot module descriptions}},
date = {2021-10-19},
organization = {Kaspersky},
url = {https://securelist.com/trickbot-module-descriptions/104603/},
language = {English},
urldate = {2021-10-24}
}
Trickbot module descriptions TrickBot |
2021-10-14 ⋅ Morphisec ⋅ Arnold Osipov @online{osipov:20211014:explosive:d6c6eb7,
author = {Arnold Osipov},
title = {{Explosive New MirrorBlast Campaign Targets Financial Companies}},
date = {2021-10-14},
organization = {Morphisec},
url = {https://blog.morphisec.com/explosive-new-mirrorblast-campaign-targets-financial-companies},
language = {English},
urldate = {2021-10-24}
}
Explosive New MirrorBlast Campaign Targets Financial Companies MirrorBlast |
2021-10-13 ⋅ IBM ⋅ Ole Villadsen, Charlotte Hammond @online{villadsen:20211013:trickbot:e0d4233,
author = {Ole Villadsen and Charlotte Hammond},
title = {{Trickbot Rising — Gang Doubles Down on Infection Efforts to Amass Network Footholds}},
date = {2021-10-13},
organization = {IBM},
url = {https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/},
language = {English},
urldate = {2021-10-25}
}
Trickbot Rising — Gang Doubles Down on Infection Efforts to Amass Network Footholds BazarBackdoor TrickBot |
2021-10-08 ⋅ Zscaler ⋅ Tarun Dewan, Lenart Brave @online{dewan:20211008:new:b97c20c,
author = {Tarun Dewan and Lenart Brave},
title = {{New Trickbot and BazarLoader campaigns use multiple delivery vectors}},
date = {2021-10-08},
organization = {Zscaler},
url = {https://www.zscaler.com/blogs/security-research/new-trickbot-and-bazarloader-campaigns-use-multiple-delivery-vectors},
language = {English},
urldate = {2021-10-14}
}
New Trickbot and BazarLoader campaigns use multiple delivery vectors BazarBackdoor TrickBot |
2021-10-07 ⋅ Mandiant ⋅ Mandiant Research Team @online{team:20211007:fin12:505a3a8,
author = {Mandiant Research Team},
title = {{FIN12 Group Profile: FIN12 Prioritizes Speed to Deploy Ransomware Against High-Value Targets}},
date = {2021-10-07},
organization = {Mandiant},
url = {https://www.mandiant.com/media/12596/download},
language = {English},
urldate = {2021-11-27}
}
FIN12 Group Profile: FIN12 Prioritizes Speed to Deploy Ransomware Against High-Value Targets Cobalt Strike Empire Downloader TrickBot |
2021-10-05 ⋅ Trend Micro ⋅ Fyodor Yarochkin, Janus Agcaoili, Byron Gelera, Nikko Tamana @online{yarochkin:20211005:ransomware:e5f5375,
author = {Fyodor Yarochkin and Janus Agcaoili and Byron Gelera and Nikko Tamana},
title = {{Ransomware as a Service: Enabler of Widespread Attacks}},
date = {2021-10-05},
organization = {Trend Micro},
url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks},
language = {English},
urldate = {2021-10-20}
}
Ransomware as a Service: Enabler of Widespread Attacks Cerber Conti DarkSide Gandcrab Locky Nefilim REvil Ryuk |
2021-10-05 ⋅ FRSecure ⋅ Oscar Minks @online{minks:20211005:rebol:53830a0,
author = {Oscar Minks},
title = {{The REBOL Yell: A New Novel REBOL Exploit}},
date = {2021-10-05},
organization = {FRSecure},
url = {https://frsecure.com/blog/the-rebol-yell-new-rebol-exploit/},
language = {English},
urldate = {2021-10-14}
}
The REBOL Yell: A New Novel REBOL Exploit MirrorBlast |
2021-10-04 ⋅ Cisco ⋅ Tiago Pereira @online{pereira:20211004:threat:9f493e1,
author = {Tiago Pereira},
title = {{Threat hunting in large datasets by clustering security events}},
date = {2021-10-04},
organization = {Cisco},
url = {https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html},
language = {English},
urldate = {2021-10-20}
}
Threat hunting in large datasets by clustering security events BazarBackdoor TrickBot |
2021-10 ⋅ HP ⋅ HP Wolf Security @techreport{security:202110:threat:49f8fc2,
author = {HP Wolf Security},
title = {{Threat Insights Report Q3 - 2021}},
date = {2021-10},
institution = {HP},
url = {https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf},
language = {English},
urldate = {2021-10-25}
}
Threat Insights Report Q3 - 2021 STRRAT CloudEyE NetWire RC Remcos TrickBot Vjw0rm |
2021-09-24 ⋅ Proofpoint ⋅ Proofpoint @online{proofpoint:20210924:daily:403b8bd,
author = {Proofpoint},
title = {{Daily Ruleset Update Summary 2021/09/24}},
date = {2021-09-24},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/daily-ruleset-update-summary-20210924},
language = {English},
urldate = {2021-10-05}
}
Daily Ruleset Update Summary 2021/09/24 MirrorBlast |
2021-09-19 ⋅ HP ⋅ Patrick Schläpfer @online{schlpfer:20210919:mirrorblast:a81e63c,
author = {Patrick Schläpfer},
title = {{MirrorBlast and TA505: Examining Similarities in Tactics, Techniques and Procedures}},
date = {2021-09-19},
organization = {HP},
url = {https://threatresearch.ext.hp.com/mirrorblast-and-ta505-examining-similarities-in-tactics-techniques-and-procedures/},
language = {English},
urldate = {2021-10-24}
}
MirrorBlast and TA505: Examining Similarities in Tactics, Techniques and Procedures MirrorBlast |
2021-09-15 ⋅ Palo Alto Networks Unit 42 ⋅ Anna Chung, Swetha Balla @online{chung:20210915:phishing:15f054e,
author = {Anna Chung and Swetha Balla},
title = {{Phishing Eager Travelers}},
date = {2021-09-15},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/travel-themed-phishing/},
language = {English},
urldate = {2021-09-19}
}
Phishing Eager Travelers Dridex |
2021-09-14 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team @online{team:20210914:big:b345561,
author = {CrowdStrike Intelligence Team},
title = {{Big Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack}},
date = {2021-09-14},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/},
language = {English},
urldate = {2021-09-19}
}
Big Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack BlackMatter DarkSide REvil Avaddon BlackMatter Clop Conti CryptoLocker DarkSide DoppelPaymer Hades REvil |
2021-09-06 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20210906:trickbot:652a467,
author = {Lawrence Abrams},
title = {{TrickBot gang developer arrested when trying to leave Korea}},
date = {2021-09-06},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/trickbot-gang-developer-arrested-when-trying-to-leave-korea/},
language = {English},
urldate = {2021-09-10}
}
TrickBot gang developer arrested when trying to leave Korea Diavol TrickBot |
2021-09-03 ⋅ Trend Micro ⋅ Mohamad Mokbel @techreport{mokbel:20210903:state:df86499,
author = {Mohamad Mokbel},
title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}},
date = {2021-09-03},
institution = {Trend Micro},
url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf},
language = {English},
urldate = {2021-09-19}
}
The State of SSL/TLS Certificate Usage in Malware C&C Communications AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader |
2021-08-19 ⋅ Blackberry ⋅ BlackBerry Research & Intelligence Team @online{team:20210819:blackberry:2eec433,
author = {BlackBerry Research & Intelligence Team},
title = {{BlackBerry Prevents: Threat Actor Group TA575 and Dridex Malware}},
date = {2021-08-19},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2021/08/blackberry-prevents-threat-actor-group-ta575-and-dridex-malware},
language = {English},
urldate = {2021-08-23}
}
BlackBerry Prevents: Threat Actor Group TA575 and Dridex Malware Cobalt Strike Dridex |
2021-08-15 ⋅ Symantec ⋅ Threat Hunter Team @techreport{team:20210815:ransomware:f799696,
author = {Threat Hunter Team},
title = {{The Ransomware Threat}},
date = {2021-08-15},
institution = {Symantec},
url = {https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf},
language = {English},
urldate = {2021-12-15}
}
The Ransomware Threat Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker |
2021-08-12 ⋅ Cisco Talos ⋅ Vanja Svajcer @online{svajcer:20210812:signed:728ea8f,
author = {Vanja Svajcer},
title = {{Signed MSI files, Raccoon and Amadey are used for installing ServHelper RAT}},
date = {2021-08-12},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html},
language = {English},
urldate = {2021-08-20}
}
Signed MSI files, Raccoon and Amadey are used for installing ServHelper RAT Amadey Raccoon ServHelper |
2021-08-01 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20210801:bazarcall:bb6829b,
author = {The DFIR Report},
title = {{BazarCall to Conti Ransomware via Trickbot and Cobalt Strike}},
date = {2021-08-01},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/},
language = {English},
urldate = {2021-08-02}
}
BazarCall to Conti Ransomware via Trickbot and Cobalt Strike BazarBackdoor Cobalt Strike Conti TrickBot |
2021-07-30 ⋅ HP ⋅ Patrick Schläpfer @online{schlpfer:20210730:detecting:2291323,
author = {Patrick Schläpfer},
title = {{Detecting TA551 domains}},
date = {2021-07-30},
organization = {HP},
url = {https://threatresearch.ext.hp.com/detecting-ta551-domains/},
language = {English},
urldate = {2021-08-02}
}
Detecting TA551 domains Valak Dridex IcedID ISFB QakBot |
2021-07-21 ⋅ splunk ⋅ Splunk Threat Research Team @online{team:20210721:detecting:ceb179f,
author = {Splunk Threat Research Team},
title = {{Detecting Trickbot with Splunk}},
date = {2021-07-21},
organization = {splunk},
url = {https://www.splunk.com/en_us/blog/security/detecting-trickbots.html},
language = {English},
urldate = {2021-07-22}
}
Detecting Trickbot with Splunk TrickBot |
2021-07-12 ⋅ Bitdefender ⋅ Radu Tudorica, Bogdan Botezatu @techreport{tudorica:20210712:fresh:d1d9d75,
author = {Radu Tudorica and Bogdan Botezatu},
title = {{A Fresh Look at Trickbot’s Ever-Improving VNC Module}},
date = {2021-07-12},
institution = {Bitdefender},
url = {https://www.bitdefender.com/files/News/CaseStudies/study/399/Bitdefender-PR-Whitepaper-Trickbot-creat5515-en-EN.pdf},
language = {English},
urldate = {2021-07-19}
}
A Fresh Look at Trickbot’s Ever-Improving VNC Module TrickBot |
2021-07-06 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt @online{reaves:20210706:ta505:35e0dbc,
author = {Jason Reaves and Joshua Platt},
title = {{TA505 adds GoLang crypter for delivering miners and ServHelper}},
date = {2021-07-06},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/ta505-adds-golang-crypter-for-delivering-miners-and-servhelper-af70b26a6e56},
language = {English},
urldate = {2021-07-11}
}
TA505 adds GoLang crypter for delivering miners and ServHelper ServHelper |
2021-07-02 ⋅ MalwareBookReports ⋅ muzi @online{muzi:20210702:skip:09c3cd8,
author = {muzi},
title = {{Skip the Middleman: Dridex Document to Cobalt Strike}},
date = {2021-07-02},
organization = {MalwareBookReports},
url = {https://malwarebookreports.com/cryptone-cobalt-strike/},
language = {English},
urldate = {2021-07-06}
}
Skip the Middleman: Dridex Document to Cobalt Strike Cobalt Strike Dridex |
2021-07-02 ⋅ The Record ⋅ Catalin Cimpanu @online{cimpanu:20210702:trickbot:7d2b9f7,
author = {Catalin Cimpanu},
title = {{TrickBot: New attacks see the botnet deploy new banking module, new ransomware}},
date = {2021-07-02},
organization = {The Record},
url = {https://therecord.media/trickbot-new-attacks-see-the-botnet-deploy-new-banking-module-new-ransomware/},
language = {English},
urldate = {2021-07-05}
}
TrickBot: New attacks see the botnet deploy new banking module, new ransomware TrickBot |
2021-07-01 ⋅ Kryptos Logic ⋅ Kryptos Logic Vantage Team @online{team:20210701:trickbot:1df5ec3,
author = {Kryptos Logic Vantage Team},
title = {{TrickBot and Zeus}},
date = {2021-07-01},
organization = {Kryptos Logic},
url = {https://www.kryptoslogic.com/blog/2021/07/trickbot-and-zeus/},
language = {English},
urldate = {2021-07-11}
}
TrickBot and Zeus TrickBot Zeus |
2021-06-30 ⋅ Advanced Intelligence ⋅ Yelisey Boguslavskiy, Brandon Rudisel, AdvIntel Security & Development Team @online{boguslavskiy:20210630:ransomwarecve:deae6a7,
author = {Yelisey Boguslavskiy and Brandon Rudisel and AdvIntel Security & Development Team},
title = {{Ransomware-&-CVE: Industry Insights Into Exclusive High-Value Target Adversarial Datasets}},
date = {2021-06-30},
organization = {Advanced Intelligence},
url = {https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities},
language = {English},
urldate = {2021-07-01}
}
Ransomware-&-CVE: Industry Insights Into Exclusive High-Value Target Adversarial Datasets BlackKingdom Ransomware Clop dearcry Hades REvil |
2021-06-25 ⋅ KrCert ⋅ Kayoung Kim, Dongwook Kim, Taewoo Lee, Seulgi Lee @techreport{kim:20210625:attack:d4ae440,
author = {Kayoung Kim and Dongwook Kim and Taewoo Lee and Seulgi Lee},
title = {{Attack patterns in AD environment}},
date = {2021-06-25},
institution = {KrCert},
url = {https://www.boho.or.kr/filedownload.do?attach_file_seq=2808&attach_file_id=EpF2808.pdf},
language = {English},
urldate = {2021-06-29}
}
Attack patterns in AD environment Clop |
2021-06-24 ⋅ Binance ⋅ Binance @online{binance:20210624:binance:afde1e5,
author = {Binance},
title = {{Binance Helps Take Down Cybercriminal Ring Laundering $500M in Ransomware Attacks}},
date = {2021-06-24},
organization = {Binance},
url = {https://www.binance.com/en/blog/421499824684902240/Binance-Helps-Take-Down-Cybercriminal-Ring-Laundering-%24500M-in-Ransomware-Attacks},
language = {English},
urldate = {2021-06-29}
}
Binance Helps Take Down Cybercriminal Ring Laundering $500M in Ransomware Attacks Clop |
2021-06-22 ⋅ Twitter (@Cryptolaemus1) ⋅ Cryptolaemus, Kirk Sayre, dao ming si @online{cryptolaemus:20210622:ta575:895ac37,
author = {Cryptolaemus and Kirk Sayre and dao ming si},
title = {{Tweet on TA575, a Dridex affiliate delivering cobaltstrike (packed with Cryptone) directly via the macro docs}},
date = {2021-06-22},
organization = {Twitter (@Cryptolaemus1)},
url = {https://twitter.com/Cryptolaemus1/status/1407135648528711680},
language = {English},
urldate = {2021-06-22}
}
Tweet on TA575, a Dridex affiliate delivering cobaltstrike (packed with Cryptone) directly via the macro docs Cobalt Strike Dridex |
2021-06-16 ⋅ Youtube (Національна поліція України) ⋅ Національна поліція України @online{:20210616:clop:28caf8c,
author = {Національна поліція України},
title = {{Cyberpolice exposes hacker group spreading ransomware virus (Clop operators)}},
date = {2021-06-16},
organization = {Youtube (Національна поліція України)},
url = {https://www.youtube.com/watch?v=PqGaZgepNTE},
language = {Ukrainian},
urldate = {2021-06-21}
}
Cyberpolice exposes hacker group spreading ransomware virus (Clop operators) Clop |
2021-06-16 ⋅ KrebsOnSecurity ⋅ Brian Krebs @online{krebs:20210616:ukrainian:e0e117f,
author = {Brian Krebs},
title = {{Ukrainian Police Nab Six Tied to CLOP Ransomware}},
date = {2021-06-16},
organization = {KrebsOnSecurity},
url = {https://krebsonsecurity.com/2021/06/ukrainian-police-nab-six-tied-to-clop-ransomware/},
language = {English},
urldate = {2021-06-21}
}
Ukrainian Police Nab Six Tied to CLOP Ransomware Clop |
2021-06-16 ⋅ The Record ⋅ Catalin Cimpanu @online{cimpanu:20210616:ukrainian:141533c,
author = {Catalin Cimpanu},
title = {{Ukrainian police arrest Clop ransomware members, seize server infrastructure}},
date = {2021-06-16},
organization = {The Record},
url = {https://therecord.media/ukrainian-police-arrest-clop-ransomware-members-seize-server-infrastructure/},
language = {English},
urldate = {2021-06-21}
}
Ukrainian police arrest Clop ransomware members, seize server infrastructure Clop |
2021-06-16 ⋅ Proofpoint ⋅ Selena Larson, Daniel Blackford, Garrett M. Graff @online{larson:20210616:first:2e436a0,
author = {Selena Larson and Daniel Blackford and Garrett M. Graff},
title = {{The First Step: Initial Access Leads to Ransomware}},
date = {2021-06-16},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware},
language = {English},
urldate = {2021-06-21}
}
The First Step: Initial Access Leads to Ransomware BazarBackdoor Egregor IcedID Maze QakBot REvil Ryuk TrickBot WastedLocker |
2021-06-16 ⋅ Національної поліції України ⋅ Національна поліція України @online{:20210616:cyberpolice:f455d86,
author = {Національна поліція України},
title = {{Cyberpolice exposes hacker group in spreading encryption virus and causing half a billion dollars in damage to foreign companies}},
date = {2021-06-16},
organization = {Національної поліції України},
url = {https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/},
language = {Ukrainian},
urldate = {2021-06-21}
}
Cyberpolice exposes hacker group in spreading encryption virus and causing half a billion dollars in damage to foreign companies Clop Cobalt Strike FlawedAmmyy |
2021-06-15 ⋅ Trend Micro ⋅ Janus Agcaoili, Miguel Ang, Earle Earnshaw, Byron Gelera, Nikko Tamana @online{agcaoili:20210615:ransomware:41013af,
author = {Janus Agcaoili and Miguel Ang and Earle Earnshaw and Byron Gelera and Nikko Tamana},
title = {{Ransomware Double Extortion and Beyond: REvil, Clop, and Conti}},
date = {2021-06-15},
organization = {Trend Micro},
url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti},
language = {English},
urldate = {2021-06-21}
}
Ransomware Double Extortion and Beyond: REvil, Clop, and Conti Clop Conti REvil |
2021-06-08 ⋅ Intel 471 ⋅ Intel 471 @online{471:20210608:blurry:5b278e5,
author = {Intel 471},
title = {{The blurry boundaries between nation-state actors and the cybercrime underground}},
date = {2021-06-08},
organization = {Intel 471},
url = {https://www.intel471.com/blog/cybercrime-russia-china-iran-nation-state},
language = {English},
urldate = {2021-06-16}
}
The blurry boundaries between nation-state actors and the cybercrime underground Dridex Gameover P2P |
2021-06-07 ⋅ Medium walmartglobaltech ⋅ Joshua Platt, Jason Reaves @online{platt:20210607:inside:6c363a7,
author = {Joshua Platt and Jason Reaves},
title = {{Inside the SystemBC Malware-As-A-Service}},
date = {2021-06-07},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6},
language = {English},
urldate = {2021-06-08}
}
Inside the SystemBC Malware-As-A-Service Ryuk SystemBC TrickBot |
2021-06-04 ⋅ The Record ⋅ Catalin Cimpanu @online{cimpanu:20210604:us:20a6d26,
author = {Catalin Cimpanu},
title = {{US arrests Latvian woman who worked on Trickbot malware source code}},
date = {2021-06-04},
organization = {The Record},
url = {https://therecord.media/us-arrests-latvian-woman-who-worked-on-trickbot-malware-source-code/},
language = {English},
urldate = {2021-06-16}
}
US arrests Latvian woman who worked on Trickbot malware source code TrickBot |
2021-06-04 ⋅ Department of Justice ⋅ Office of Public Affairs @online{affairs:20210604:latvian:4403f09,
author = {Office of Public Affairs},
title = {{Latvian National Charged for Alleged Role in Transnational Cybercrime Organization}},
date = {2021-06-04},
organization = {Department of Justice},
url = {https://www.justice.gov/opa/pr/latvian-national-charged-alleged-role-transnational-cybercrime-organization},
language = {English},
urldate = {2021-06-16}
}
Latvian National Charged for Alleged Role in Transnational Cybercrime Organization TrickBot |
2021-06-03 ⋅ YouTube (FIRST) ⋅ Felipe Domingues, Gustavo Palazolo @online{domingues:20210603:breaking:69967e5,
author = {Felipe Domingues and Gustavo Palazolo},
title = {{Breaking Dridex Malware}},
date = {2021-06-03},
organization = {YouTube (FIRST)},
url = {https://www.youtube.com/watch?v=1VB15_HgUkg},
language = {English},
urldate = {2021-06-16}
}
Breaking Dridex Malware Dridex |
2021-05-26 ⋅ DeepInstinct ⋅ Ron Ben Yizhak @online{yizhak:20210526:deep:c123a19,
author = {Ron Ben Yizhak},
title = {{A Deep Dive into Packing Software CryptOne}},
date = {2021-05-26},
organization = {DeepInstinct},
url = {https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/},
language = {English},
urldate = {2021-06-22}
}
A Deep Dive into Packing Software CryptOne Cobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader |
2021-05-19 ⋅ Intel 471 ⋅ Intel 471 @online{471:20210519:look:5ba9516,
author = {Intel 471},
title = {{Look how many cybercriminals love Cobalt Strike}},
date = {2021-05-19},
organization = {Intel 471},
url = {https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor},
language = {English},
urldate = {2021-05-19}
}
Look how many cybercriminals love Cobalt Strike BazarBackdoor Cobalt Strike Hancitor QakBot SmokeLoader SystemBC TrickBot |
2021-05-13 ⋅ AWAKE ⋅ Kieran Evans @online{evans:20210513:catching:eaa13e2,
author = {Kieran Evans},
title = {{Catching the White Stork in Flight}},
date = {2021-05-13},
organization = {AWAKE},
url = {https://awakesecurity.com/blog/catching-the-white-stork-in-flight/},
language = {English},
urldate = {2021-09-19}
}
Catching the White Stork in Flight Cobalt Strike MimiKatz RMS |
2021-05-11 ⋅ Mal-Eats ⋅ mal_eats @online{maleats:20210511:campo:0305ab9,
author = {mal_eats},
title = {{Campo, a New Attack Campaign Targeting Japan}},
date = {2021-05-11},
organization = {Mal-Eats},
url = {https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/},
language = {English},
urldate = {2021-06-01}
}
Campo, a New Attack Campaign Targeting Japan AnchorDNS BazarBackdoor campoloader Cobalt Strike Phobos Snifula TrickBot Zloader |
2021-05-11 ⋅ CrowdStrike ⋅ The Falcon Complete Team @online{team:20210511:response:7e4cf2d,
author = {The Falcon Complete Team},
title = {{Response When Minutes Matter: Rising Up Against Ransomware}},
date = {2021-05-11},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-big-game-hunting-ransomware-attack/},
language = {English},
urldate = {2021-05-13}
}
Response When Minutes Matter: Rising Up Against Ransomware TinyMet |
2021-05-10 ⋅ DarkTracer ⋅ DarkTracer @online{darktracer:20210510:intelligence:b9d1c3f,
author = {DarkTracer},
title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}},
date = {2021-05-10},
organization = {DarkTracer},
url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3},
language = {English},
urldate = {2021-05-13}
}
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX |
2021-05-10 ⋅ Mal-Eats ⋅ mal_eats @online{maleats:20210510:overview:50ff3b3,
author = {mal_eats},
title = {{Overview of Campo, a new attack campaign targeting Japan}},
date = {2021-05-10},
organization = {Mal-Eats},
url = {https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/},
language = {English},
urldate = {2021-05-13}
}
Overview of Campo, a new attack campaign targeting Japan AnchorDNS BazarBackdoor Cobalt Strike ISFB Phobos TrickBot Zloader |
2021-05-05 ⋅ RiskIQ ⋅ Kelsey Clapp @online{clapp:20210505:viruses:aab7c1a,
author = {Kelsey Clapp},
title = {{Viruses to Violations - TrickBot's Shift in Tactics During the Pandemic}},
date = {2021-05-05},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/298c9fc9},
language = {English},
urldate = {2021-05-26}
}
Viruses to Violations - TrickBot's Shift in Tactics During the Pandemic TrickBot |
2021-05-03 ⋅ splunk ⋅ Splunk Threat Research Team @online{team:20210503:clop:1d24527,
author = {Splunk Threat Research Team},
title = {{Clop Ransomware Detection: Threat Research Release, April 2021}},
date = {2021-05-03},
organization = {splunk},
url = {https://www.splunk.com/en_us/blog/security/clop-ransomware-detection-threat-research-release-april-2021.html},
language = {English},
urldate = {2021-05-07}
}
Clop Ransomware Detection: Threat Research Release, April 2021 Clop |
2021-05-02 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20210502:trickbot:242b786,
author = {The DFIR Report},
title = {{Trickbot Brief: Creds and Beacons}},
date = {2021-05-02},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/},
language = {English},
urldate = {2021-05-04}
}
Trickbot Brief: Creds and Beacons Cobalt Strike TrickBot |
2021-04-26 ⋅ CoveWare ⋅ CoveWare @online{coveware:20210426:ransomware:12586d5,
author = {CoveWare},
title = {{Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound}},
date = {2021-04-26},
organization = {CoveWare},
url = {https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound},
language = {English},
urldate = {2021-05-13}
}
Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound Avaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt |
2021-04-25 ⋅ Vulnerability.ch Blog ⋅ Corsin Camichel @online{camichel:20210425:ransomware:1a1ee7f,
author = {Corsin Camichel},
title = {{Ransomware and Data Leak Site Publication Time Analysis}},
date = {2021-04-25},
organization = {Vulnerability.ch Blog},
url = {https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/},
language = {English},
urldate = {2021-04-29}
}
Ransomware and Data Leak Site Publication Time Analysis Avaddon Babuk Clop Conti DarkSide DoppelPaymer Mespinoza Nefilim REvil |
2021-04-21 ⋅ SophosLabs Uncut ⋅ Sean Gallagher, Suriya Natarajan, Anand Aijan, Michael Wood, Sivagnanam Gn, Markel Picado, Andrew Brandt @online{gallagher:20210421:nearly:53964a7,
author = {Sean Gallagher and Suriya Natarajan and Anand Aijan and Michael Wood and Sivagnanam Gn and Markel Picado and Andrew Brandt},
title = {{Nearly half of malware now use TLS to conceal communications}},
date = {2021-04-21},
organization = {SophosLabs Uncut},
url = {https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/},
language = {English},
urldate = {2021-04-28}
}
Nearly half of malware now use TLS to conceal communications Agent Tesla Cobalt Strike Dridex SystemBC |
2021-04-15 ⋅ Proofpoint ⋅ Selena Larson @online{larson:20210415:threat:cdfef32,
author = {Selena Larson},
title = {{Threat Actors Pair Tax-Themed Lures With COVID-19, Healthcare Themes}},
date = {2021-04-15},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/blog/security-briefs/threat-actors-pair-tax-themed-lures-covid-19-healthcare-themes},
language = {English},
urldate = {2021-08-23}
}
Threat Actors Pair Tax-Themed Lures With COVID-19, Healthcare Themes Dridex TrickBot |
2021-04-15 ⋅ Twitter (@felixw3000) ⋅ Felix @online{felix:20210415:dridexs:a39e123,
author = {Felix},
title = {{Tweet on Dridex's evasion technique}},
date = {2021-04-15},
organization = {Twitter (@felixw3000)},
url = {https://twitter.com/felixw3000/status/1382614469713530883?s=20},
language = {English},
urldate = {2021-05-25}
}
Tweet on Dridex's evasion technique Dridex |
2021-04-14 ⋅ Vice ⋅ Lorenzo Franceschi-Bicchierai @online{franceschibicchierai:20210414:meet:0a23d2a,
author = {Lorenzo Franceschi-Bicchierai},
title = {{Meet The Ransomware Gang Behind One of the Biggest Supply Chain Hacks Ever}},
date = {2021-04-14},
organization = {Vice},
url = {https://www.vice.com/en/article/wx5eyx/meet-the-ransomware-gang-behind-one-of-the-biggest-supply-chain-hacks-ever},
language = {English},
urldate = {2021-04-14}
}
Meet The Ransomware Gang Behind One of the Biggest Supply Chain Hacks Ever Clop |
2021-04-13 ⋅ Palo Alto Networks Unit 42 ⋅ Doel Santos @online{santos:20210413:threat:7154f80,
author = {Doel Santos},
title = {{Threat Assessment: Clop Ransomware}},
date = {2021-04-13},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/clop-ransomware/},
language = {English},
urldate = {2021-04-14}
}
Threat Assessment: Clop Ransomware Clop |
2021-04-13 ⋅ splunk ⋅ Splunk Threat Research Team @online{team:20210413:detecting:83655d0,
author = {Splunk Threat Research Team},
title = {{Detecting Clop Ransomware}},
date = {2021-04-13},
organization = {splunk},
url = {https://www.splunk.com/en_us/blog/security/detecting-clop-ransomware.html},
language = {English},
urldate = {2021-04-14}
}
Detecting Clop Ransomware Clop |
2021-04-12 ⋅ PTSecurity ⋅ PTSecurity @online{ptsecurity:20210412:paas:1d06836,
author = {PTSecurity},
title = {{PaaS, or how hackers evade antivirus software}},
date = {2021-04-12},
organization = {PTSecurity},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/},
language = {English},
urldate = {2021-04-12}
}
PaaS, or how hackers evade antivirus software Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader |
2021-04-06 ⋅ Intel 471 ⋅ Intel 471 @online{471:20210406:ettersilent:b591f59,
author = {Intel 471},
title = {{EtterSilent: the underground’s new favorite maldoc builder}},
date = {2021-04-06},
organization = {Intel 471},
url = {https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/},
language = {English},
urldate = {2021-04-06}
}
EtterSilent: the underground’s new favorite maldoc builder BazarBackdoor ISFB QakBot TrickBot |
2021-04-06 ⋅ Lexfo ⋅ Lexfo @online{lexfo:20210406:dridex:a3b6f4f,
author = {Lexfo},
title = {{Dridex Loader Analysis}},
date = {2021-04-06},
organization = {Lexfo},
url = {https://blog.lexfo.fr/dridex-malware.html},
language = {English},
urldate = {2021-04-09}
}
Dridex Loader Analysis Dridex |
2021-04-05 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt @online{reaves:20210405:trickbot:a6b0592,
author = {Jason Reaves and Joshua Platt},
title = {{TrickBot Crews New CobaltStrike Loader}},
date = {2021-04-05},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c},
language = {English},
urldate = {2021-04-06}
}
TrickBot Crews New CobaltStrike Loader Cobalt Strike TrickBot |
2021-03-31 ⋅ Kaspersky ⋅ Kaspersky @online{kaspersky:20210331:financial:3371aa0,
author = {Kaspersky},
title = {{Financial Cyberthreats in 2020}},
date = {2021-03-31},
organization = {Kaspersky},
url = {https://securelist.com/financial-cyberthreats-in-2020/101638/},
language = {English},
urldate = {2021-04-06}
}
Financial Cyberthreats in 2020 BetaBot DanaBot Emotet Gozi Ramnit RTM SpyEye TrickBot Zeus |
2021-03-31 ⋅ Red Canary ⋅ Red Canary @techreport{canary:20210331:2021:cd81f2d,
author = {Red Canary},
title = {{2021 Threat Detection Report}},
date = {2021-03-31},
institution = {Red Canary},
url = {https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf},
language = {English},
urldate = {2021-04-06}
}
2021 Threat Detection Report Shlayer Andromeda Cobalt Strike Dridex Emotet IcedID MimiKatz QakBot TrickBot |
2021-03-29 ⋅ VMWare Carbon Black ⋅ Jason Zhang, Oleg Boyarchuk, Giovanni Vigna @online{zhang:20210329:dridex:7692f65,
author = {Jason Zhang and Oleg Boyarchuk and Giovanni Vigna},
title = {{Dridex Reloaded: Analysis of a New Dridex Campaign}},
date = {2021-03-29},
organization = {VMWare Carbon Black},
url = {https://blogs.vmware.com/networkvirtualization/2021/03/analysis-of-a-new-dridex-campaign.html/},
language = {English},
urldate = {2021-04-09}
}
Dridex Reloaded: Analysis of a New Dridex Campaign Dridex |
2021-03-26 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20210326:ransomware:bc58d85,
author = {Lawrence Abrams},
title = {{Ransomware gang urges victims’ customers to demand a ransom payment}},
date = {2021-03-26},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/ransomware-gang-urges-victims-customers-to-demand-a-ransom-payment/},
language = {English},
urldate = {2021-03-31}
}
Ransomware gang urges victims’ customers to demand a ransom payment Clop |
2021-03-21 ⋅ Blackberry ⋅ Blackberry Research @techreport{research:20210321:2021:a393473,
author = {Blackberry Research},
title = {{2021 Threat Report}},
date = {2021-03-21},
institution = {Blackberry},
url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf},
language = {English},
urldate = {2021-03-25}
}
2021 Threat Report Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot |
2021-03-18 ⋅ PRODAFT Threat Intelligence ⋅ PRODAFT @techreport{prodaft:20210318:silverfish:f203208,
author = {PRODAFT},
title = {{SilverFish Group Threat Actor Report}},
date = {2021-03-18},
institution = {PRODAFT Threat Intelligence},
url = {https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf},
language = {English},
urldate = {2021-04-06}
}
SilverFish Group Threat Actor Report Cobalt Strike Dridex Koadic |
2021-03-17 ⋅ HP ⋅ HP Bromium @techreport{bromium:20210317:threat:3aed551,
author = {HP Bromium},
title = {{Threat Insights Report Q4-2020}},
date = {2021-03-17},
institution = {HP},
url = {https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf},
language = {English},
urldate = {2021-03-19}
}
Threat Insights Report Q4-2020 Agent Tesla BitRAT ComodoSec Dridex Emotet Ficker Stealer Formbook Zloader |
2021-03-17 ⋅ CISA ⋅ US-CERT @online{uscert:20210317:alert:5d25361,
author = {US-CERT},
title = {{Alert (AA21-076A): TrickBot Malware}},
date = {2021-03-17},
organization = {CISA},
url = {https://us-cert.cisa.gov/ncas/alerts/aa21-076a},
language = {English},
urldate = {2021-03-19}
}
Alert (AA21-076A): TrickBot Malware TrickBot |
2021-03-11 ⋅ Flashpoint ⋅ Flashpoint @online{flashpoint:20210311:cl0p:666bd6f,
author = {Flashpoint},
title = {{CL0P and REvil Escalate Their Ransomware Tactics}},
date = {2021-03-11},
organization = {Flashpoint},
url = {https://www.flashpoint-intel.com/blog/cl0p-and-revil-escalate-their-ransomware-tactics/},
language = {English},
urldate = {2021-03-12}
}
CL0P and REvil Escalate Their Ransomware Tactics Clop REvil |
2021-03-11 ⋅ IBM ⋅ Dave McMillen, Limor Kessem @online{mcmillen:20210311:dridex:1140b01,
author = {Dave McMillen and Limor Kessem},
title = {{Dridex Campaign Propelled by Cutwail Botnet and Poisonous PowerShell Scripts}},
date = {2021-03-11},
organization = {IBM},
url = {https://securityintelligence.com/dridex-campaign-propelled-by-cutwail-botnet-and-powershell/},
language = {English},
urldate = {2021-03-12}
}
Dridex Campaign Propelled by Cutwail Botnet and Poisonous PowerShell Scripts Cutwail Dridex |
2021-03-02 ⋅ Möbius Strip Reverse Engineering ⋅ Rolf Rolles @online{rolles:20210302:exhaustivelyanalyzed:ea1e91f,
author = {Rolf Rolles},
title = {{An Exhaustively-Analyzed IDB for FlawedGrace}},
date = {2021-03-02},
organization = {Möbius Strip Reverse Engineering},
url = {https://www.msreverseengineering.com/blog/2021/3/2/an-exhaustively-analyzed-idb-for-flawedgrace},
language = {English},
urldate = {2021-03-04}
}
An Exhaustively-Analyzed IDB for FlawedGrace FlawedGrace |
2021-03 ⋅ Group-IB ⋅ Oleg Skulkin, Roman Rezvukhin, Semyon Rogachev @techreport{skulkin:202103:ransomware:992ca10,
author = {Oleg Skulkin and Roman Rezvukhin and Semyon Rogachev},
title = {{Ransomware Uncovered 2020/2021}},
date = {2021-03},
institution = {Group-IB},
url = {https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf},
language = {English},
urldate = {2021-06-16}
}
Ransomware Uncovered 2020/2021 RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader |
2021-02-28 ⋅ PWC UK ⋅ PWC UK @techreport{uk:20210228:cyber:bd780cd,
author = {PWC UK},
title = {{Cyber Threats 2020: A Year in Retrospect}},
date = {2021-02-28},
institution = {PWC UK},
url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf},
language = {English},
urldate = {2021-03-04}
}
Cyber Threats 2020: A Year in Retrospect elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team |
2021-02-25 ⋅ ANSSI ⋅ CERT-FR @techreport{certfr:20210225:ryuk:7895e12,
author = {CERT-FR},
title = {{Ryuk Ransomware}},
date = {2021-02-25},
institution = {ANSSI},
url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf},
language = {English},
urldate = {2021-03-02}
}
Ryuk Ransomware BazarBackdoor Buer Conti Emotet Ryuk TrickBot |
2021-02-24 ⋅ IBM ⋅ IBM SECURITY X-FORCE @online{xforce:20210224:xforce:ac9a90e,
author = {IBM SECURITY X-FORCE},
title = {{X-Force Threat Intelligence Index 2021}},
date = {2021-02-24},
organization = {IBM},
url = {https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89},
language = {English},
urldate = {2021-03-02}
}
X-Force Threat Intelligence Index 2021 Emotet QakBot Ramnit REvil TrickBot |
2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike @techreport{crowdstrike:20210223:2021:bf5bc4f,
author = {CrowdStrike},
title = {{2021 Global Threat Report}},
date = {2021-02-23},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf},
language = {English},
urldate = {2021-02-25}
}
2021 Global Threat Report RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER |
2021-02-22 ⋅ FireEye ⋅ Andrew Moore, Genevieve Stark, Isif Ibrahima, Van Ta, Kimberly Goody @online{moore:20210222:cyber:a641e26,
author = {Andrew Moore and Genevieve Stark and Isif Ibrahima and Van Ta and Kimberly Goody},
title = {{Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion}},
date = {2021-02-22},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html},
language = {English},
urldate = {2021-02-25}
}
Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion DEWMODE Clop |
2021-02-15 ⋅ Medium s2wlab ⋅ Sojun Ryu @online{ryu:20210215:operation:b0712b0,
author = {Sojun Ryu},
title = {{Operation SyncTrek}},
date = {2021-02-15},
organization = {Medium s2wlab},
url = {https://medium.com/s2wlab/operation-synctrek-e5013df8d167},
language = {English},
urldate = {2021-09-02}
}
Operation SyncTrek AbaddonPOS Azorult Clop DoppelDridex DoppelPaymer Dridex PwndLocker |
2021-02-08 ⋅ ESET Research ⋅ ESET Research @techreport{research:20210208:threat:fc2b885,
author = {ESET Research},
title = {{THREAT REPORT Q4 2020}},
date = {2021-02-08},
institution = {ESET Research},
url = {https://www.welivesecurity.com/wp-content/uploads/2021/02/ESET_Threat_Report_Q42020.pdf},
language = {English},
urldate = {2021-02-09}
}
THREAT REPORT Q4 2020 TrickBot |
2021-02-07 ⋅ Technical Blog of Ali Aqeel ⋅ Ali Aqeel @online{aqeel:20210207:dridex:871b7d0,
author = {Ali Aqeel},
title = {{Dridex Malware Analysis}},
date = {2021-02-07},
organization = {Technical Blog of Ali Aqeel},
url = {https://aaqeel01.wordpress.com/2021/02/07/dridex-malware-analysis/},
language = {English},
urldate = {2021-02-09}
}
Dridex Malware Analysis Dridex |
2021-02-02 ⋅ Twitter (@TheDFIRReport) ⋅ The DFIR Report @online{report:20210202:recent:5272ed0,
author = {The DFIR Report},
title = {{Tweet on recent dridex post infection activity}},
date = {2021-02-02},
organization = {Twitter (@TheDFIRReport)},
url = {https://twitter.com/TheDFIRReport/status/1356729371931860992},
language = {English},
urldate = {2021-02-04}
}
Tweet on recent dridex post infection activity Cobalt Strike Dridex |
2021-02-02 ⋅ CRONUP ⋅ Germán Fernández @online{fernndez:20210202:de:6ff4f3a,
author = {Germán Fernández},
title = {{De ataque con Malware a incidente de Ransomware}},
date = {2021-02-02},
organization = {CRONUP},
url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware},
language = {Spanish},
urldate = {2021-03-02}
}
De ataque con Malware a incidente de Ransomware Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader |
2021-02-01 ⋅ Kryptos Logic ⋅ Kryptos Logic Vantage Team @online{team:20210201:trickbot:8ae2189,
author = {Kryptos Logic Vantage Team},
title = {{Trickbot masrv Module}},
date = {2021-02-01},
organization = {Kryptos Logic},
url = {https://www.kryptoslogic.com/blog/2021/02/trickbot-masrv-module/},
language = {English},
urldate = {2021-02-02}
}
Trickbot masrv Module TrickBot |
2021-02-01 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team @online{team:20210201:what:2e12897,
author = {Microsoft 365 Defender Threat Intelligence Team},
title = {{What tracking an attacker email infrastructure tells us about persistent cybercriminal operations}},
date = {2021-02-01},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/},
language = {English},
urldate = {2021-02-02}
}
What tracking an attacker email infrastructure tells us about persistent cybercriminal operations Dridex Emotet Makop Ransomware SmokeLoader TrickBot |
2021-01-28 ⋅ Youtube (Virus Bulletin) ⋅ Benoît Ancel @online{ancel:20210128:bagsu:7de60de,
author = {Benoît Ancel},
title = {{The Bagsu banker case}},
date = {2021-01-28},
organization = {Youtube (Virus Bulletin)},
url = {https://www.youtube.com/watch?v=EyDiIAt__dI},
language = {English},
urldate = {2021-02-01}
}
The Bagsu banker case Azorult DreamBot Emotet Pony TrickBot ZeusAction |
2021-01-26 ⋅ IBM ⋅ Nir Shwarts @online{shwarts:20210126:trickbots:a200e92,
author = {Nir Shwarts},
title = {{TrickBot’s Survival Instinct Prevails — What’s Different About the TrickBoot Version?}},
date = {2021-01-26},
organization = {IBM},
url = {https://securityintelligence.com/posts/trickbot-survival-instinct-trickboot-version/},
language = {English},
urldate = {2021-01-27}
}
TrickBot’s Survival Instinct Prevails — What’s Different About the TrickBoot Version? TrickBot |
2021-01-20 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt @online{reaves:20210120:anchor:b1e153f,
author = {Jason Reaves and Joshua Platt},
title = {{Anchor and Lazarus together again?}},
date = {2021-01-20},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/anchor-and-lazarus-together-again-24744e516607},
language = {English},
urldate = {2021-01-21}
}
Anchor and Lazarus together again? Anchor TrickBot |
2021-01-19 ⋅ HP ⋅ Patrick Schläpfer @online{schlpfer:20210119:dridex:a8b3da4,
author = {Patrick Schläpfer},
title = {{Dridex Malicious Document Analysis: Automating the Extraction of Payload URLs}},
date = {2021-01-19},
organization = {HP},
url = {https://threatresearch.ext.hp.com/dridex-malicious-document-analysis-automating-the-extraction-of-payload-urls/},
language = {English},
urldate = {2021-01-21}
}
Dridex Malicious Document Analysis: Automating the Extraction of Payload URLs Dridex |
2021-01-19 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan @online{duncan:20210119:wireshark:be0c831,
author = {Brad Duncan},
title = {{Wireshark Tutorial: Examining Emotet Infection Traffic}},
date = {2021-01-19},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/},
language = {English},
urldate = {2021-01-21}
}
Wireshark Tutorial: Examining Emotet Infection Traffic Emotet GootKit IcedID QakBot TrickBot |
2021-01-19 ⋅ Medium elis531989 ⋅ Eli Salem @online{salem:20210119:funtastic:42f9250,
author = {Eli Salem},
title = {{Funtastic Packers And Where To Find Them}},
date = {2021-01-19},
organization = {Medium elis531989},
url = {https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7},
language = {English},
urldate = {2021-01-21}
}
Funtastic Packers And Where To Find Them Get2 IcedID QakBot |
2021-01-11 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20210111:trickbot:d1011f9,
author = {The DFIR Report},
title = {{Trickbot Still Alive and Well}},
date = {2021-01-11},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/},
language = {English},
urldate = {2021-01-11}
}
Trickbot Still Alive and Well Cobalt Strike TrickBot |
2021-01-09 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli @online{ramilli:20210109:command:d720b27,
author = {Marco Ramilli},
title = {{Command and Control Traffic Patterns}},
date = {2021-01-09},
organization = {Marco Ramilli's Blog},
url = {https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/},
language = {English},
urldate = {2021-05-17}
}
Command and Control Traffic Patterns ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot |
2021-01-06 ⋅ DomainTools ⋅ Joe Slowik @online{slowik:20210106:holiday:6ef0c9d,
author = {Joe Slowik},
title = {{Holiday Bazar: Tracking a TrickBot-Related Ransomware Incident}},
date = {2021-01-06},
organization = {DomainTools},
url = {https://www.domaintools.com/resources/blog/tracking-a-trickbot-related-ransomware-incident},
language = {English},
urldate = {2021-01-10}
}
Holiday Bazar: Tracking a TrickBot-Related Ransomware Incident BazarBackdoor TrickBot |
2021-01-05 ⋅ AhnLab ⋅ AhnLab ASEC Analysis Team @online{team:20210105:threat:6541fd7,
author = {AhnLab ASEC Analysis Team},
title = {{[Threat Analysis] CLOP Ransomware that Attacked Korean Distribution Giant}},
date = {2021-01-05},
organization = {AhnLab},
url = {https://asec.ahnlab.com/en/19542/},
language = {English},
urldate = {2021-06-16}
}
[Threat Analysis] CLOP Ransomware that Attacked Korean Distribution Giant Clop |
2021-01-04 ⋅ SentinelOne ⋅ Marco Figueroa @online{figueroa:20210104:building:37407a6,
author = {Marco Figueroa},
title = {{Building a Custom Malware Analysis Lab Environment}},
date = {2021-01-04},
organization = {SentinelOne},
url = {https://labs.sentinelone.com/building-a-custom-malware-analysis-lab-environment/},
language = {English},
urldate = {2021-01-13}
}
Building a Custom Malware Analysis Lab Environment TrickBot |
2021-01-04 ⋅ Check Point ⋅ Check Point Research @online{research:20210104:dridex:2741eba,
author = {Check Point Research},
title = {{DRIDEX Stopping Serial Killer: Catching the Next Strike}},
date = {2021-01-04},
organization = {Check Point},
url = {https://research.checkpoint.com/2021/stopping-serial-killer-catching-the-next-strike/},
language = {English},
urldate = {2021-01-05}
}
DRIDEX Stopping Serial Killer: Catching the Next Strike Dridex |
2021 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2021:threat:4e7c443,
author = {SecureWorks},
title = {{Threat Profile: GOLD BLACKBURN}},
date = {2021},
organization = {Secureworks},
url = {http://www.secureworks.com/research/threat-profiles/gold-blackburn},
language = {English},
urldate = {2021-05-28}
}
Threat Profile: GOLD BLACKBURN Buer Dyre TrickBot WIZARD SPIDER |
2021 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2021:threat:98f1049,
author = {SecureWorks},
title = {{Threat Profile: GOLD HERON}},
date = {2021},
organization = {Secureworks},
url = {http://www.secureworks.com/research/threat-profiles/gold-heron},
language = {English},
urldate = {2021-05-31}
}
Threat Profile: GOLD HERON DoppelPaymer Dridex Empire Downloader DOPPEL SPIDER |
2021 ⋅ SecureWorks @online{secureworks:2021:threat:dbd7ed7,
author = {SecureWorks},
title = {{Threat Profile: GOLD DRAKE}},
date = {2021},
url = {http://www.secureworks.com/research/threat-profiles/gold-drake},
language = {English},
urldate = {2021-05-28}
}
Threat Profile: GOLD DRAKE Cobalt Strike Dridex FriedEx Koadic MimiKatz WastedLocker Evil Corp |
2020-12-21 ⋅ KEYSIGHT TECHNOLOGIES ⋅ Edsel Valle @online{valle:20201221:trickbot:425da88,
author = {Edsel Valle},
title = {{TrickBot: A Closer Look}},
date = {2020-12-21},
organization = {KEYSIGHT TECHNOLOGIES},
url = {https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2020/12/21/trickbot_a_closerl-TpQ0.html},
language = {English},
urldate = {2021-01-01}
}
TrickBot: A Closer Look TrickBot |
2020-12-18 ⋅ Intel 471 ⋅ Intel 471 @online{471:20201218:ta505s:8fb97af,
author = {Intel 471},
title = {{TA505’s modified loader means new attack campaign could be coming}},
date = {2020-12-18},
organization = {Intel 471},
url = {https://intel471.com/blog/ta505-get2-loader-malware-december-2020/},
language = {English},
urldate = {2020-12-19}
}
TA505’s modified loader means new attack campaign could be coming Get2 |
2020-12-15 ⋅ Twitter (@darb0ng) ⋅ Minhee Lee @online{lee:20201215:symrise:e60ff65,
author = {Minhee Lee},
title = {{Tweet on Symrise group hit by Clop Ransomware}},
date = {2020-12-15},
organization = {Twitter (@darb0ng)},
url = {https://twitter.com/darb0ng/status/1338692764121251840},
language = {English},
urldate = {2020-12-15}
}
Tweet on Symrise group hit by Clop Ransomware Clop |
2020-12-14 ⋅ Blueliv ⋅ Alberto Marín, Carlos Rubio, Blueliv Labs Team @online{marn:20201214:using:e81621e,
author = {Alberto Marín and Carlos Rubio and Blueliv Labs Team},
title = {{Using Qiling Framework to Unpack TA505 packed samples}},
date = {2020-12-14},
organization = {Blueliv},
url = {https://outpost24.com/blog/using-qiling-framework-to-unpack-ta505-packed-samples/},
language = {English},
urldate = {2023-08-03}
}
Using Qiling Framework to Unpack TA505 packed samples AndroMut Azorult Silence TinyMet |
2020-12-10 ⋅ US-CERT ⋅ US-CERT, FBI, MS-ISAC @online{uscert:20201210:alert:a5ec77e,
author = {US-CERT and FBI and MS-ISAC},
title = {{Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data}},
date = {2020-12-10},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/alerts/aa20-345a},
language = {English},
urldate = {2020-12-11}
}
Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim REvil Ryuk Zeus |
2020-12-10 ⋅ Cybereason ⋅ Joakim Kandefelt @online{kandefelt:20201210:cybereason:0267d5e,
author = {Joakim Kandefelt},
title = {{Cybereason vs. Ryuk Ransomware}},
date = {2020-12-10},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware},
language = {English},
urldate = {2020-12-14}
}
Cybereason vs. Ryuk Ransomware BazarBackdoor Ryuk TrickBot |
2020-12-10 ⋅ CyberInt ⋅ CyberInt @online{cyberint:20201210:ryuk:e74b8f6,
author = {CyberInt},
title = {{Ryuk Crypto-Ransomware}},
date = {2020-12-10},
organization = {CyberInt},
url = {https://blog.cyberint.com/ryuk-crypto-ransomware},
language = {English},
urldate = {2020-12-14}
}
Ryuk Crypto-Ransomware Ryuk TrickBot |
2020-12-03 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20201203:ransomware:186759f,
author = {Lawrence Abrams},
title = {{Ransomware gang says they stole 2 million credit cards from E-Land}},
date = {2020-12-03},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/ransomware-gang-says-they-stole-2-million-credit-cards-from-e-land/},
language = {English},
urldate = {2020-12-08}
}
Ransomware gang says they stole 2 million credit cards from E-Land Clop |
2020-12-03 ⋅ Eclypsium ⋅ Eclypsium @online{eclypsium:20201203:trickbot:7b5b0eb,
author = {Eclypsium},
title = {{TrickBot Now Offers ‘TrickBoot’: Persist, Brick, Profit}},
date = {2020-12-03},
organization = {Eclypsium},
url = {https://eclypsium.com/2020/12/03/trickbot-now-offers-trickboot-persist-brick-profit/},
language = {English},
urldate = {2020-12-03}
}
TrickBot Now Offers ‘TrickBoot’: Persist, Brick, Profit TrickBot |
2020-12-02 ⋅ AhnLab ⋅ AhnLab ASEC Analysis Team @techreport{team:20201202:clop:2df3556,
author = {AhnLab ASEC Analysis Team},
title = {{CLOP Ransomware Report}},
date = {2020-12-02},
institution = {AhnLab},
url = {https://asec.ahnlab.com/wp-content/uploads/2021/01/Analysis_ReportCLOP_Ransomware.pdf},
language = {Korean},
urldate = {2021-07-02}
}
CLOP Ransomware Report Clop |
2020-11-23 ⋅ S2W LAB Inc. ⋅ TALON @online{talon:20201123:s2w:97212ec,
author = {TALON},
title = {{[S2W LAB] Analysis of Clop Ransomware suspiciously related to the Recent Incident}},
date = {2020-11-23},
organization = {S2W LAB Inc.},
url = {https://www.notion.so/S2W-LAB-Analysis-of-Clop-Ransomware-suspiciously-related-to-the-Recent-Incident-English-088056baf01242409a6e9f844f0c5f2e},
language = {English},
urldate = {2020-12-03}
}
[S2W LAB] Analysis of Clop Ransomware suspiciously related to the Recent Incident Clop |
2020-11-23 ⋅ Bitdefender ⋅ Liviu Arsene, Radu Tudorica @online{arsene:20201123:trickbot:bcf3c42,
author = {Liviu Arsene and Radu Tudorica},
title = {{TrickBot is Dead. Long Live TrickBot!}},
date = {2020-11-23},
organization = {Bitdefender},
url = {https://labs.bitdefender.com/2020/11/trickbot-is-dead-long-live-trickbot/},
language = {English},
urldate = {2020-11-25}
}
TrickBot is Dead. Long Live TrickBot! TrickBot |
2020-11-22 ⋅ malware.love ⋅ Robert Giczewski @online{giczewski:20201122:trickbot:06baa84,
author = {Robert Giczewski},
title = {{Trickbot tricks again [UPDATE]}},
date = {2020-11-22},
organization = {malware.love},
url = {https://malware.love/trickbot/malware_analysis/reverse_engineering/2020/11/22/trickbot-fake-ips-part2.html},
language = {English},
urldate = {2020-11-23}
}
Trickbot tricks again [UPDATE] TrickBot |
2020-11-20 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20201120:lightbot:473b7c3,
author = {Lawrence Abrams},
title = {{LightBot: TrickBot’s new reconnaissance malware for high-value targets}},
date = {2020-11-20},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/lightbot-trickbot-s-new-reconnaissance-malware-for-high-value-targets/},
language = {English},
urldate = {2020-11-23}
}
LightBot: TrickBot’s new reconnaissance malware for high-value targets LightBot TrickBot |
2020-11-20 ⋅ ZDNet ⋅ Catalin Cimpanu @online{cimpanu:20201120:malware:0b8ff59,
author = {Catalin Cimpanu},
title = {{The malware that usually installs ransomware and you need to remove right away}},
date = {2020-11-20},
organization = {ZDNet},
url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/},
language = {English},
urldate = {2020-11-23}
}
The malware that usually installs ransomware and you need to remove right away Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader |
2020-11-18 ⋅ Sophos ⋅ Sophos @techreport{sophos:20201118:sophos:8fd201e,
author = {Sophos},
title = {{SOPHOS 2021 THREAT REPORT Navigating cybersecurity in an uncertain world}},
date = {2020-11-18},
institution = {Sophos},
url = {https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf},
language = {English},
urldate = {2020-11-19}
}
SOPHOS 2021 THREAT REPORT Navigating cybersecurity in an uncertain world Agent Tesla Dridex TrickBot Zloader |
2020-11-17 ⋅ Twitter (@VK_intel) ⋅ Vitali Kremez @online{kremez:20201117:new:2098c0a,
author = {Vitali Kremez},
title = {{Tweet on a new fileless TrickBot loading method using code from MemoryModule}},
date = {2020-11-17},
organization = {Twitter (@VK_intel)},
url = {https://twitter.com/VK_Intel/status/1328578336021483522},
language = {English},
urldate = {2020-12-14}
}
Tweet on a new fileless TrickBot loading method using code from MemoryModule TrickBot |
2020-11-17 ⋅ malware.love ⋅ Robert Giczewski @online{giczewski:20201117:trickbot:1bbf92a,
author = {Robert Giczewski},
title = {{Trickbot tricks again}},
date = {2020-11-17},
organization = {malware.love},
url = {https://malware.love/trickbot/malware_analysis/reverse_engineering/2020/11/17/trickbots-latest-trick.html},
language = {English},
urldate = {2020-11-19}
}
Trickbot tricks again TrickBot |
2020-11-17 ⋅ Salesforce Engineering ⋅ John Althouse @online{althouse:20201117:easily:172bd6d,
author = {John Althouse},
title = {{Easily Identify Malicious Servers on the Internet with JARM}},
date = {2020-11-17},
organization = {Salesforce Engineering},
url = {https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a},
language = {English},
urldate = {2020-12-03}
}
Easily Identify Malicious Servers on the Internet with JARM Cobalt Strike TrickBot |
2020-11-16 ⋅ Fox-IT ⋅ Antonis Terefos, Anne Postma, Tera0017 @online{terefos:20201116:ta505:8449383,
author = {Antonis Terefos and Anne Postma and Tera0017},
title = {{TA505: A Brief History Of Their Time}},
date = {2020-11-16},
organization = {Fox-IT},
url = {https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/},
language = {English},
urldate = {2020-11-23}
}
TA505: A Brief History Of Their Time Clop Get2 SDBbot TA505 |
2020-11-16 ⋅ Intel 471 ⋅ Intel 471 @online{471:20201116:ransomwareasaservice:11a5a8b,
author = {Intel 471},
title = {{Ransomware-as-a-service: The pandemic within a pandemic}},
date = {2020-11-16},
organization = {Intel 471},
url = {https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/},
language = {English},
urldate = {2020-11-17}
}
Ransomware-as-a-service: The pandemic within a pandemic Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX |
2020-11-12 ⋅ Hurricane Labs ⋅ Dusty Miller @online{miller:20201112:splunking:26a0bd8,
author = {Dusty Miller},
title = {{Splunking with Sysmon Part 4: Detecting Trickbot}},
date = {2020-11-12},
organization = {Hurricane Labs},
url = {https://hurricanelabs.com/splunk-tutorials/splunking-with-sysmon-part-4-detecting-trickbot/},
language = {English},
urldate = {2021-01-18}
}
Splunking with Sysmon Part 4: Detecting Trickbot TrickBot |
2020-11-12 ⋅ Australian Cyber Security Centre ⋅ Australian Cyber Security Centre (ACSC) @online{acsc:20201112:biotech:edf0f4a,
author = {Australian Cyber Security Centre (ACSC)},
title = {{Biotech research firm Miltenyi Biotec hit by ransomware, data leaked}},
date = {2020-11-12},
organization = {Australian Cyber Security Centre},
url = {https://www.cyber.gov.au/acsc/view-all-content/alerts/sdbbot-targeting-health-sector},
language = {English},
urldate = {2020-11-18}
}
Biotech research firm Miltenyi Biotec hit by ransomware, data leaked SDBbot |
2020-11-10 ⋅ Intel 471 ⋅ Intel 471 @online{471:20201110:trickbot:5db76db,
author = {Intel 471},
title = {{Trickbot down, but is it out?}},
date = {2020-11-10},
organization = {Intel 471},
url = {https://public.intel471.com/blog/trickbot-update-november-2020-bazar-loader-microsoft/},
language = {English},
urldate = {2020-11-11}
}
Trickbot down, but is it out? BazarBackdoor TrickBot |
2020-11-05 ⋅ Kaspersky Labs ⋅ Kaspersky Lab ICS CERT, Vyacheslav Kopeytsev @techreport{cert:20201105:attackson:62f1e26,
author = {Kaspersky Lab ICS CERT and Vyacheslav Kopeytsev},
title = {{Attacks on industrial enterprises using RMS and TeamViewer: new data}},
date = {2020-11-05},
institution = {Kaspersky Labs},
url = {https://ics-cert.kaspersky.com/media/Kaspersky-Attacks-on-industrial-enterprises-using-RMS-and-TeamViewer-EN.pdf},
language = {English},
urldate = {2020-11-06}
}
Attacks on industrial enterprises using RMS and TeamViewer: new data RMS |
2020-11-04 ⋅ VMRay ⋅ Giovanni Vigna @online{vigna:20201104:trick:a59a333,
author = {Giovanni Vigna},
title = {{Trick or Threat: Ryuk ransomware targets the health care industry}},
date = {2020-11-04},
organization = {VMRay},
url = {https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/},
language = {English},
urldate = {2020-11-06}
}
Trick or Threat: Ryuk ransomware targets the health care industry BazarBackdoor Cobalt Strike Ryuk TrickBot |
2020-10-29 ⋅ Red Canary ⋅ The Red Canary Team @online{team:20201029:bazar:1846b93,
author = {The Red Canary Team},
title = {{A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak}},
date = {2020-10-29},
organization = {Red Canary},
url = {https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/},
language = {English},
urldate = {2020-11-02}
}
A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak Cobalt Strike Ryuk TrickBot |
2020-10-29 ⋅ Palo Alto Networks Unit 42 ⋅ Brittany Barbehenn, Doel Santos, Brad Duncan @online{barbehenn:20201029:threat:de33a6d,
author = {Brittany Barbehenn and Doel Santos and Brad Duncan},
title = {{Threat Assessment: Ryuk Ransomware and Trickbot Targeting U.S. Healthcare and Public Health Sector}},
date = {2020-10-29},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/ryuk-ransomware/},
language = {English},
urldate = {2020-11-02}
}
Threat Assessment: Ryuk Ransomware and Trickbot Targeting U.S. Healthcare and Public Health Sector Anchor BazarBackdoor Ryuk TrickBot |
2020-10-29 ⋅ CERT-FR ⋅ CERT-FR @techreport{certfr:20201029:le:d296223,
author = {CERT-FR},
title = {{LE MALWARE-AS-A-SERVICE EMOTET}},
date = {2020-10-29},
institution = {CERT-FR},
url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf},
language = {English},
urldate = {2020-11-04}
}
LE MALWARE-AS-A-SERVICE EMOTET Dridex Emotet ISFB QakBot |
2020-10-29 ⋅ Twitter (@anthomsec) ⋅ Andrew Thompson @online{thompson:20201029:unc1878:26c88d4,
author = {Andrew Thompson},
title = {{Tweet on UNC1878 activity}},
date = {2020-10-29},
organization = {Twitter (@anthomsec)},
url = {https://twitter.com/anthomsec/status/1321865315513520128},
language = {English},
urldate = {2020-11-04}
}
Tweet on UNC1878 activity BazarBackdoor Ryuk TrickBot UNC1878 |
2020-10-26 ⋅ Arbor Networks ⋅ Suweera De Souza @online{souza:20201026:dropping:8ac1e1d,
author = {Suweera De Souza},
title = {{Dropping the Anchor}},
date = {2020-10-26},
organization = {Arbor Networks},
url = {https://www.netscout.com/blog/asert/dropping-anchor},
language = {English},
urldate = {2020-10-29}
}
Dropping the Anchor AnchorDNS Anchor TrickBot |
2020-10-23 ⋅ Hornetsecurity ⋅ Hornetsecurity Security Lab @online{lab:20201023:leakwareransomwarehybrid:ae1de8e,
author = {Hornetsecurity Security Lab},
title = {{Leakware-Ransomware-Hybrid Attacks}},
date = {2020-10-23},
organization = {Hornetsecurity},
url = {https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/},
language = {English},
urldate = {2020-12-08}
}
Leakware-Ransomware-Hybrid Attacks Avaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet SunCrypt |
2020-10-20 ⋅ Microsoft ⋅ Tom Burt @online{burt:20201020:update:12549c2,
author = {Tom Burt},
title = {{An update on disruption of Trickbot}},
date = {2020-10-20},
organization = {Microsoft},
url = {https://blogs.microsoft.com/on-the-issues/2020/10/20/trickbot-ransomware-disruption-update/},
language = {English},
urldate = {2020-10-23}
}
An update on disruption of Trickbot TrickBot |
2020-10-20 ⋅ Bundesamt für Sicherheit in der Informationstechnik ⋅ BSI @online{bsi:20201020:die:0683ad4,
author = {BSI},
title = {{Die Lage der IT-Sicherheit in Deutschland 2020}},
date = {2020-10-20},
organization = {Bundesamt für Sicherheit in der Informationstechnik},
url = {https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2},
language = {German},
urldate = {2020-10-21}
}
Die Lage der IT-Sicherheit in Deutschland 2020 Clop Emotet REvil Ryuk TrickBot |
2020-10-20 ⋅ Intel 471 ⋅ Intel 471 @online{471:20201020:global:570e26f,
author = {Intel 471},
title = {{Global Trickbot disruption operation shows promise}},
date = {2020-10-20},
organization = {Intel 471},
url = {https://public.intel471.com/blog/global-trickbot-disruption-operation-shows-promise/},
language = {English},
urldate = {2020-10-21}
}
Global Trickbot disruption operation shows promise TrickBot |
2020-10-16 ⋅ CrowdStrike ⋅ The Crowdstrike Intel Team @online{team:20201016:wizard:12b648a,
author = {The Crowdstrike Intel Team},
title = {{WIZARD SPIDER Update: Resilient, Reactive and Resolute}},
date = {2020-10-16},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/wizard-spider-adversary-update/},
language = {English},
urldate = {2020-10-21}
}
WIZARD SPIDER Update: Resilient, Reactive and Resolute BazarBackdoor Conti Ryuk TrickBot |
2020-10-16 ⋅ Duo ⋅ Dennis Fisher @online{fisher:20201016:trickbot:be18c46,
author = {Dennis Fisher},
title = {{Trickbot Up to Its Old Tricks}},
date = {2020-10-16},
organization = {Duo},
url = {https://duo.com/decipher/trickbot-up-to-its-old-tricks},
language = {English},
urldate = {2020-10-23}
}
Trickbot Up to Its Old Tricks TrickBot |
2020-10-15 ⋅ Department of Justice ⋅ Department of Justice @online{justice:20201015:officials:b340951,
author = {Department of Justice},
title = {{Officials Announce International Operation Targeting Transnational Criminal Organization QQAAZZ that Provided Money Laundering Services to High-Level Cybercriminals}},
date = {2020-10-15},
organization = {Department of Justice},
url = {https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization},
language = {English},
urldate = {2020-10-23}
}
Officials Announce International Operation Targeting Transnational Criminal Organization QQAAZZ that Provided Money Laundering Services to High-Level Cybercriminals Dridex ISFB TrickBot |
2020-10-15 ⋅ Intel 471 ⋅ Intel 471 @online{471:20201015:that:2d4b495,
author = {Intel 471},
title = {{That was quick: Trickbot is back after disruption attempts}},
date = {2020-10-15},
organization = {Intel 471},
url = {https://public.intel471.com/blog/trickbot-online-emotet-microsoft-cyber-command-disruption-attempts/},
language = {English},
urldate = {2020-10-15}
}
That was quick: Trickbot is back after disruption attempts TrickBot |
2020-10-12 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team @online{team:20201012:trickbot:e4f086f,
author = {Microsoft 365 Defender Threat Intelligence Team},
title = {{Trickbot disrupted}},
date = {2020-10-12},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2020/10/12/trickbot-disrupted/},
language = {English},
urldate = {2020-10-12}
}
Trickbot disrupted TrickBot |
2020-10-12 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20201012:trickbot:5c1e5bf,
author = {Threat Hunter Team},
title = {{Trickbot: U.S. Court Order Hits Botnet’s Infrastructure}},
date = {2020-10-12},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/trickbot-botnet-ransomware-disruption},
language = {English},
urldate = {2020-10-12}
}
Trickbot: U.S. Court Order Hits Botnet’s Infrastructure Ryuk TrickBot |
2020-10-12 ⋅ ESET Research ⋅ Jean-Ian Boutin @online{boutin:20201012:eset:a7eeb51,
author = {Jean-Ian Boutin},
title = {{ESET takes part in global operation to disrupt Trickbot}},
date = {2020-10-12},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2020/10/12/eset-takes-part-global-operation-disrupt-trickbot/},
language = {English},
urldate = {2020-10-12}
}
ESET takes part in global operation to disrupt Trickbot TrickBot |
2020-10-12 ⋅ Lumen ⋅ Black Lotus Labs @online{labs:20201012:look:7b422f7,
author = {Black Lotus Labs},
title = {{A Look Inside The TrickBot Botnet}},
date = {2020-10-12},
organization = {Lumen},
url = {https://blog.lumen.com/a-look-inside-the-trickbot-botnet/},
language = {English},
urldate = {2020-10-12}
}
A Look Inside The TrickBot Botnet TrickBot |
2020-10-12 ⋅ Tenable ⋅ Satnam Narang @online{narang:20201012:cve20201472:ab699e9,
author = {Satnam Narang},
title = {{CVE-2020-1472: Advanced Persistent Threat Actors Use Zerologon Vulnerability In Exploit Chain with Unpatched Vulnerabilities}},
date = {2020-10-12},
organization = {Tenable},
url = {https://www.tenable.com/blog/cve-2020-1472-advanced-persistent-threat-actors-use-zerologon-vulnerability-in-exploit-chain},
language = {English},
urldate = {2023-02-17}
}
CVE-2020-1472: Advanced Persistent Threat Actors Use Zerologon Vulnerability In Exploit Chain with Unpatched Vulnerabilities TA505 |
2020-10-12 ⋅ Microsoft ⋅ Tom Burt @online{burt:20201012:new:045c1c3,
author = {Tom Burt},
title = {{New action to combat ransomware ahead of U.S. elections}},
date = {2020-10-12},
organization = {Microsoft},
url = {https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/},
language = {English},
urldate = {2020-10-12}
}
New action to combat ransomware ahead of U.S. elections Ryuk TrickBot |
2020-10-12 ⋅ US District Court for the Eastern District of Virginia @techreport{virginia:20201012:trickbot:f3af852,
author = {US District Court for the Eastern District of Virginia},
title = {{TRICKBOT complaint}},
date = {2020-10-12},
institution = {},
url = {https://noticeofpleadings.com/trickbot/files/Complaint%20and%20Summons/2020-10-06%20Trickbot%201%20Complaint%20with%20exs.pdf},
language = {English},
urldate = {2020-10-13}
}
TRICKBOT complaint TrickBot |
2020-10-10 ⋅ The Washington Post ⋅ Ellen Nakashima @online{nakashima:20201010:cyber:9f29985,
author = {Ellen Nakashima},
title = {{Cyber Command has sought to disrupt the world’s largest botnet, hoping to reduce its potential impact on the election}},
date = {2020-10-10},
organization = {The Washington Post},
url = {https://www.washingtonpost.com/national-security/cyber-command-trickbot-disrupt/2020/10/09/19587aae-0a32-11eb-a166-dc429b380d10_story.html},
language = {English},
urldate = {2020-10-12}
}
Cyber Command has sought to disrupt the world’s largest botnet, hoping to reduce its potential impact on the election TrickBot |
2020-10-08 ⋅ ZDNet ⋅ Catalin Cimpanu @online{cimpanu:20201008:german:7b88550,
author = {Catalin Cimpanu},
title = {{German tech giant Software AG down after ransomware attack}},
date = {2020-10-08},
organization = {ZDNet},
url = {https://www.zdnet.com/article/german-tech-giant-software-ag-down-after-ransomware-attack/},
language = {English},
urldate = {2020-10-12}
}
German tech giant Software AG down after ransomware attack Clop |
2020-10-08 ⋅ Bromium ⋅ Alex Holland @online{holland:20201008:droppers:b8a580e,
author = {Alex Holland},
title = {{Droppers, Downloaders and TrickBot: Detecting a Stealthy COVID-19-themed Campaign using Toolmarks}},
date = {2020-10-08},
organization = {Bromium},
url = {https://threatresearch.ext.hp.com/detecting-a-stealthy-trickbot-campaign/},
language = {English},
urldate = {2020-10-29}
}
Droppers, Downloaders and TrickBot: Detecting a Stealthy COVID-19-themed Campaign using Toolmarks TrickBot |
2020-10-06 ⋅ Telekom ⋅ Thomas Barabosch @online{barabosch:20201006:eager:54da318,
author = {Thomas Barabosch},
title = {{Eager Beaver: A Short Overview of the Restless Threat Actor TA505}},
date = {2020-10-06},
organization = {Telekom},
url = {https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546},
language = {English},
urldate = {2020-10-08}
}
Eager Beaver: A Short Overview of the Restless Threat Actor TA505 Clop Get2 SDBbot TA505 |
2020-10-03 ⋅ Avira ⋅ Avira Protection Labs @online{labs:20201003:ta505:b03fbee,
author = {Avira Protection Labs},
title = {{TA505 targets the Americas in a new campaign}},
date = {2020-10-03},
organization = {Avira},
url = {https://insights.oem.avira.com/ta505-apt-group-targets-americas/},
language = {English},
urldate = {2020-10-05}
}
TA505 targets the Americas in a new campaign ServHelper |
2020-10-03 ⋅ Wikipedia ⋅ Wikipedia @online{wikpedia:20201003:wikipedia:70dbf1e,
author = {Wikipedia},
title = {{Wikipedia Page: Maksim Yakubets}},
date = {2020-10-03},
organization = {Wikipedia},
url = {https://en.wikipedia.org/wiki/Maksim_Yakubets},
language = {English},
urldate = {2020-11-02}
}
Wikipedia Page: Maksim Yakubets Dridex Feodo Evil Corp |
2020-10-02 ⋅ Health Sector Cybersecurity Coordination Center (HC3) ⋅ Health Sector Cybersecurity Coordination Center (HC3) @techreport{hc3:20201002:report:0ca373f,
author = {Health Sector Cybersecurity Coordination Center (HC3)},
title = {{Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns}},
date = {2020-10-02},
institution = {Health Sector Cybersecurity Coordination Center (HC3)},
url = {https://www.hhs.gov/sites/default/files/bazarloader.pdf},
language = {English},
urldate = {2020-11-02}
}
Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns BazarBackdoor Cobalt Strike Ryuk TrickBot |
2020-10-02 ⋅ KrebsOnSecurity ⋅ Brian Krebs @online{krebs:20201002:attacks:a6dc6e3,
author = {Brian Krebs},
title = {{Attacks Aimed at Disrupting the Trickbot Botnet}},
date = {2020-10-02},
organization = {KrebsOnSecurity},
url = {https://krebsonsecurity.com/2020/10/attacks-aimed-at-disrupting-the-trickbot-botnet/},
language = {English},
urldate = {2020-10-05}
}
Attacks Aimed at Disrupting the Trickbot Botnet TrickBot |
2020-09-30 ⋅ CERT-XLM ⋅ Paul Jung @techreport{jung:20200930:another:5edbad3,
author = {Paul Jung},
title = {{Another Threat Actor day...}},
date = {2020-09-30},
institution = {CERT-XLM},
url = {https://vblocalhost.com/uploads/VB2020-Jung.pdf},
language = {English},
urldate = {2020-12-08}
}
Another Threat Actor day... SDBbot |
2020-09-29 ⋅ PWC UK ⋅ Andy Auld @online{auld:20200929:whats:2782a62,
author = {Andy Auld},
title = {{What's behind the increase in ransomware attacks this year?}},
date = {2020-09-29},
organization = {PWC UK},
url = {https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html},
language = {English},
urldate = {2021-05-25}
}
What's behind the increase in ransomware attacks this year? DarkSide Avaddon Clop Conti DoppelPaymer Dridex Emotet FriedEx Mailto PwndLocker QakBot REvil Ryuk SMAUG SunCrypt TrickBot WastedLocker |
2020-09-29 ⋅ Microsoft ⋅ Microsoft @techreport{microsoft:20200929:microsoft:6e5d7b0,
author = {Microsoft},
title = {{Microsoft Digital Defense Report}},
date = {2020-09-29},
institution = {Microsoft},
url = {https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf},
language = {English},
urldate = {2020-10-05}
}
Microsoft Digital Defense Report Emotet IcedID Mailto Maze QakBot REvil RobinHood TrickBot |
2020-09-22 ⋅ OSINT Fans ⋅ Gabor Szathmari @online{szathmari:20200922:what:60d1e26,
author = {Gabor Szathmari},
title = {{What Service NSW has to do with Russia?}},
date = {2020-09-22},
organization = {OSINT Fans},
url = {https://osint.fans/service-nsw-russia-association},
language = {English},
urldate = {2020-09-23}
}
What Service NSW has to do with Russia? TrickBot |
2020-09-18 ⋅ AppGate ⋅ Gustavo Palazolo, Felipe Duarte @online{palazolo:20200918:reverse:689e4cb,
author = {Gustavo Palazolo and Felipe Duarte},
title = {{Reverse Engineering Dridex and Automating IOC Extraction}},
date = {2020-09-18},
organization = {AppGate},
url = {https://www.appgate.com/blog/reverse-engineering-dridex-and-automating-ioc-extraction},
language = {English},
urldate = {2020-09-25}
}
Reverse Engineering Dridex and Automating IOC Extraction Dridex |
2020-09-16 ⋅ Intel 471 ⋅ Intel 471 @online{471:20200916:partners:c65839f,
author = {Intel 471},
title = {{Partners in crime: North Koreans and elite Russian-speaking cybercriminals}},
date = {2020-09-16},
organization = {Intel 471},
url = {https://public.intel471.com/blog/partners-in-crime-north-koreans-and-elite-russian-speaking-cybercriminals/},
language = {English},
urldate = {2020-09-23}
}
Partners in crime: North Koreans and elite Russian-speaking cybercriminals TrickBot |
2020-09-10 ⋅ SANS ISC InfoSec Forums ⋅ Brad Duncan @online{duncan:20200910:recent:f9e103f,
author = {Brad Duncan},
title = {{Recent Dridex activity}},
date = {2020-09-10},
organization = {SANS ISC InfoSec Forums},
url = {https://isc.sans.edu/forums/diary/Recent+Dridex+activity/26550/},
language = {English},
urldate = {2020-09-15}
}
Recent Dridex activity Dridex |
2020-09-07 ⋅ Github (pan-unit42) ⋅ Brad Duncan @online{duncan:20200907:collection:09ab7be,
author = {Brad Duncan},
title = {{Collection of recent Dridex IOCs}},
date = {2020-09-07},
organization = {Github (pan-unit42)},
url = {https://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt},
language = {English},
urldate = {2020-09-15}
}
Collection of recent Dridex IOCs Cutwail Dridex |
2020-08-31 ⋅ cyber.wtf blog ⋅ Luca Ebach @online{ebach:20200831:trickbot:c975ec5,
author = {Luca Ebach},
title = {{Trickbot rdpscanDll – Transforming Candidate Credentials for Brute-Forcing RDP Servers}},
date = {2020-08-31},
organization = {cyber.wtf blog},
url = {https://cyber.wtf/2020/08/31/trickbot-rdpscandll-password-transof/},
language = {English},
urldate = {2020-08-31}
}
Trickbot rdpscanDll – Transforming Candidate Credentials for Brute-Forcing RDP Servers TrickBot |
2020-08-25 ⋅ KELA ⋅ Victoria Kivilevich @online{kivilevich:20200825:how:5db6a82,
author = {Victoria Kivilevich},
title = {{How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing}},
date = {2020-08-25},
organization = {KELA},
url = {https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/},
language = {English},
urldate = {2021-05-07}
}
How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing Avaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil Sekhmet |
2020-08-21 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan @online{duncan:20200821:wireshark:d98d5ed,
author = {Brad Duncan},
title = {{Wireshark Tutorial: Decrypting HTTPS Traffic}},
date = {2020-08-21},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-https-traffic/},
language = {English},
urldate = {2020-08-25}
}
Wireshark Tutorial: Decrypting HTTPS Traffic Dridex |
2020-08-20 ⋅ CERT-FR ⋅ CERT-FR @techreport{certfr:20200820:development:d518522,
author = {CERT-FR},
title = {{Development of the Activity of the TA505 Cybercriminal Group}},
date = {2020-08-20},
institution = {CERT-FR},
url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf},
language = {English},
urldate = {2020-08-28}
}
Development of the Activity of the TA505 Cybercriminal Group AndroMut Bart Clop Dridex FlawedAmmyy FlawedGrace Get2 Locky Marap QuantLoader SDBbot ServHelper tRat TrickBot |
2020-08-20 ⋅ sensecy ⋅ cyberthreatinsider @online{cyberthreatinsider:20200820:global:34ee2ea,
author = {cyberthreatinsider},
title = {{Global Ransomware Attacks in 2020: The Top 4 Vulnerabilities}},
date = {2020-08-20},
organization = {sensecy},
url = {https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/},
language = {English},
urldate = {2020-11-04}
}
Global Ransomware Attacks in 2020: The Top 4 Vulnerabilities Clop Maze REvil Ryuk |
2020-08-09 ⋅ F5 Labs ⋅ Remi Cohen, Debbie Walkowski @online{cohen:20200809:banking:8718999,
author = {Remi Cohen and Debbie Walkowski},
title = {{Banking Trojans: A Reference Guide to the Malware Family Tree}},
date = {2020-08-09},
organization = {F5 Labs},
url = {https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree},
language = {English},
urldate = {2021-06-29}
}
Banking Trojans: A Reference Guide to the Malware Family Tree BackSwap Carberp Citadel DanaBot Dridex Dyre Emotet Gozi Kronos PandaBanker Ramnit Shylock SpyEye Tinba TrickBot Vawtrak Zeus |
2020-08-03 ⋅ The DFIR Report @online{report:20200803:dridex:165cf39,
author = {The DFIR Report},
title = {{Dridex – From Word to Domain Dominance}},
date = {2020-08-03},
url = {https://thedfirreport.com/2020/08/03/dridex-from-word-to-domain-dominance/},
language = {English},
urldate = {2020-08-05}
}
Dridex – From Word to Domain Dominance Dridex |
2020-07-29 ⋅ ESET Research ⋅ welivesecurity @techreport{welivesecurity:20200729:threat:496355c,
author = {welivesecurity},
title = {{THREAT REPORT Q2 2020}},
date = {2020-07-29},
institution = {ESET Research},
url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf},
language = {English},
urldate = {2020-07-30}
}
THREAT REPORT Q2 2020 DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor |
2020-07-22 ⋅ SentinelOne ⋅ Jason Reaves, Joshua Platt @online{reaves:20200722:enter:71d9038,
author = {Jason Reaves and Joshua Platt},
title = {{Enter the Maze: Demystifying an Affiliate Involved in Maze (SNOW)}},
date = {2020-07-22},
organization = {SentinelOne},
url = {https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/},
language = {English},
urldate = {2020-07-23}
}
Enter the Maze: Demystifying an Affiliate Involved in Maze (SNOW) ISFB Maze TrickBot Zloader |
2020-07-21 ⋅ YouTube (OPCDE with Matt Suiche) ⋅ Mohamad Mokbel @online{mokbel:20200721:vopcde:26d48d0,
author = {Mohamad Mokbel},
title = {{vOPCDE #9 - A Journey into Malware HTTP Communication Channels Spectacles (Mohamad Mokbel)}},
date = {2020-07-21},
organization = {YouTube (OPCDE with Matt Suiche)},
url = {https://www.youtube.com/watch?v=FttiysUZmDw},
language = {English},
urldate = {2021-10-24}
}
vOPCDE #9 - A Journey into Malware HTTP Communication Channels Spectacles (Mohamad Mokbel) Alureon Aytoke Cobra Carbon System CROSSWALK danbot ProtonBot Silence |
2020-07-20 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20200720:emotettrickbot:a8e84d2,
author = {Lawrence Abrams},
title = {{Emotet-TrickBot malware duo is back infecting Windows machines}},
date = {2020-07-20},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/emotet-trickbot-malware-duo-is-back-infecting-windows-machines/},
language = {English},
urldate = {2020-07-21}
}
Emotet-TrickBot malware duo is back infecting Windows machines Emotet TrickBot |
2020-07-17 ⋅ CERT-FR ⋅ CERT-FR @techreport{certfr:20200717:malware:5c58cdf,
author = {CERT-FR},
title = {{The Malware Dridex: Origins and Uses}},
date = {2020-07-17},
institution = {CERT-FR},
url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf},
language = {English},
urldate = {2020-07-20}
}
The Malware Dridex: Origins and Uses Andromeda CryptoLocker Cutwail DoppelPaymer Dridex Emotet FriedEx Gameover P2P Gandcrab ISFB Murofet Necurs Predator The Thief Zeus |
2020-07-15 ⋅ Intel 471 ⋅ Intel 471 @online{471:20200715:flowspec:683a5a1,
author = {Intel 471},
title = {{Flowspec – TA505’s bulletproof hoster of choice}},
date = {2020-07-15},
organization = {Intel 471},
url = {https://blog.intel471.com/2020/07/15/flowspec-ta505s-bulletproof-hoster-of-choice/},
language = {English},
urldate = {2020-07-16}
}
Flowspec – TA505’s bulletproof hoster of choice Get2 |
2020-07-15 ⋅ Mandiant ⋅ Nathan Brubaker, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Corey Hildebrandt @online{brubaker:20200715:financially:f217555,
author = {Nathan Brubaker and Daniel Kapellmann Zafra and Keith Lunden and Ken Proska and Corey Hildebrandt},
title = {{Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families}},
date = {2020-07-15},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot},
language = {English},
urldate = {2022-07-28}
}
Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families Clop DoppelPaymer LockerGoga Maze MegaCortex Nefilim Snake |
2020-07-13 ⋅ JoeSecurity ⋅ Joe Security @online{security:20200713:trickbots:a164ba5,
author = {Joe Security},
title = {{TrickBot's new API-Hammering explained}},
date = {2020-07-13},
organization = {JoeSecurity},
url = {https://www.joesecurity.org/blog/498839998833561473},
language = {English},
urldate = {2020-07-15}
}
TrickBot's new API-Hammering explained TrickBot |
2020-07-11 ⋅ BleepingComputer ⋅ Lawrence Abrams @online{abrams:20200711:trickbot:7e70ad3,
author = {Lawrence Abrams},
title = {{TrickBot malware mistakenly warns victims that they are infected}},
date = {2020-07-11},
organization = {BleepingComputer},
url = {https://www.bleepingcomputer.com/news/security/trickbot-malware-mistakenly-warns-victims-that-they-are-infected/},
language = {English},
urldate = {2020-07-15}
}
TrickBot malware mistakenly warns victims that they are infected TrickBot |
2020-07-11 ⋅ Advanced Intelligence ⋅ Vitali Kremez @online{kremez:20200711:trickbot:602fd73,
author = {Vitali Kremez},
title = {{TrickBot Group Launches Test Module Alerting on Fraud Activity}},
date = {2020-07-11},
organization = {Advanced Intelligence},
url = {https://www.advanced-intel.com/post/trickbot-group-launches-test-module-alerting-on-fraud-activity},
language = {English},
urldate = {2020-07-13}
}
TrickBot Group Launches Test Module Alerting on Fraud Activity TrickBot |
2020-07-09 ⋅ Gdata ⋅ G DATA Security Lab @online{lab:20200709:servhelper:13899fd,
author = {G DATA Security Lab},
title = {{ServHelper: Hidden Miners}},
date = {2020-07-09},
organization = {Gdata},
url = {https://www.gdatasoftware.com/blog/2020/07/36122-hidden-miners},
language = {English},
urldate = {2020-07-16}
}
ServHelper: Hidden Miners ServHelper |
2020-07-07 ⋅ Hornetsecurity ⋅ Hornetsecurity Security Lab @online{lab:20200707:clop:12bb60d,
author = {Hornetsecurity Security Lab},
title = {{Clop, Clop! It’s a TA505 HTML malspam analysis}},
date = {2020-07-07},
organization = {Hornetsecurity},
url = {https://www.hornetsecurity.com/en/security-information/clop-clop-ta505-html-malspam-analysis/},
language = {English},
urldate = {2020-07-30}
}
Clop, Clop! It’s a TA505 HTML malspam analysis Clop Get2 |
2020-07-06 ⋅ NTT ⋅ Security division of NTT Ltd. @online{ltd:20200706:trickbot:9612912,
author = {Security division of NTT Ltd.},
title = {{TrickBot variant “Anchor_DNS” communicating over DNS}},
date = {2020-07-06},
organization = {NTT},
url = {https://hello.global.ntt/en-us/insights/blog/trickbot-variant-communicating-over-dns},
language = {English},
urldate = {2020-07-30}
}
TrickBot variant “Anchor_DNS” communicating over DNS AnchorDNS TrickBot |
2020-06-24 ⋅ Morphisec ⋅ Arnold Osipov @online{osipov:20200624:obfuscated:74bfeed,
author = {Arnold Osipov},
title = {{Obfuscated VBScript Drops Zloader, Ursnif, Qakbot, Dridex}},
date = {2020-06-24},
organization = {Morphisec},
url = {https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex},
language = {English},
urldate = {2020-06-25}
}
Obfuscated VBScript Drops Zloader, Ursnif, Qakbot, Dridex Dridex ISFB QakBot Zloader |
2020-06-22 ⋅ CERT-FR ⋅ CERT-FR @techreport{certfr:20200622:volution:fba1cfa,
author = {CERT-FR},
title = {{Évolution De Lactivité du Groupe Cybercriminel TA505}},
date = {2020-06-22},
institution = {CERT-FR},
url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf},
language = {French},
urldate = {2020-06-24}
}
Évolution De Lactivité du Groupe Cybercriminel TA505 Amadey AndroMut Bart Clop Dridex FlawedGrace Gandcrab Get2 GlobeImposter Jaff Locky Marap Philadephia Ransom QuantLoader Scarab Ransomware SDBbot ServHelper Silence tRat TrickBot |
2020-06-22 ⋅ Sentinel LABS ⋅ Joshua Platt, Jason Reaves @online{platt:20200622:inside:b381dd5,
author = {Joshua Platt and Jason Reaves},
title = {{Inside a TrickBot Cobalt Strike Attack Server}},
date = {2020-06-22},
organization = {Sentinel LABS},
url = {https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/},
language = {English},
urldate = {2020-06-23}
}
Inside a TrickBot Cobalt Strike Attack Server Cobalt Strike TrickBot |
2020-06-22 ⋅ BleepingComputer ⋅ Lawrence Abrams @online{abrams:20200622:indiabulls:ce0fcdb,
author = {Lawrence Abrams},
title = {{Indiabulls Group hit by CLOP Ransomware, gets 24h leak deadline}},
date = {2020-06-22},
organization = {BleepingComputer},
url = {https://www.bleepingcomputer.com/news/security/indiabulls-group-hit-by-clop-ransomware-gets-24h-leak-deadline/},
language = {English},
urldate = {2020-06-23}
}
Indiabulls Group hit by CLOP Ransomware, gets 24h leak deadline Clop |
2020-06-19 ⋅ Reaqta ⋅ Reaqta @online{reaqta:20200619:dridex:54f4dd5,
author = {Reaqta},
title = {{Dridex: the secret in a PostMessage()}},
date = {2020-06-19},
organization = {Reaqta},
url = {https://reaqta.com/2020/06/dridex-the-secret-in-a-postmessage/},
language = {English},
urldate = {2020-06-22}
}
Dridex: the secret in a PostMessage() Dridex |
2020-06-17 ⋅ Youtube (Red Canary) ⋅ Erika Noerenberg, Matt Graeber, Adam Pennington, David Kaplan @online{noerenberg:20200617:attck:934d73c,
author = {Erika Noerenberg and Matt Graeber and Adam Pennington and David Kaplan},
title = {{ATT&CK® Deep Dive: Process Injection}},
date = {2020-06-17},
organization = {Youtube (Red Canary)},
url = {https://redcanary.com/resources/webinars/deep-dive-process-injection/},
language = {English},
urldate = {2020-06-19}
}
ATT&CK® Deep Dive: Process Injection ISFB Ramnit TrickBot |
2020-06-17 ⋅ Twitter (@VK_intel) ⋅ Vitali Kremez, malwrhunterteam @online{kremez:20200617:signed:f8eecc6,
author = {Vitali Kremez and malwrhunterteam},
title = {{Tweet on signed Tinymet payload (V.02) used by TA505}},
date = {2020-06-17},
organization = {Twitter (@VK_intel)},
url = {https://twitter.com/VK_Intel/status/1273292957429510150},
language = {English},
urldate = {2020-06-18}
}
Tweet on signed Tinymet payload (V.02) used by TA505 TinyMet |
2020-06-17 ⋅ Twitter (@MsftSecIntel) ⋅ Microsoft Security Intelligence @online{intelligence:20200617:thread:b4b74d5,
author = {Microsoft Security Intelligence},
title = {{A tweet thread on TA505 using CAPTCHA to avoid detection and infecting victims with FlawedGrace}},
date = {2020-06-17},
organization = {Twitter (@MsftSecIntel)},
url = {https://twitter.com/MsftSecIntel/status/1273359829390655488},
language = {English},
urldate = {2020-06-18}
}
A tweet thread on TA505 using CAPTCHA to avoid detection and infecting victims with FlawedGrace FlawedGrace |
2020-06-16 ⋅ Telekom ⋅ Thomas Barabosch @online{barabosch:20200616:ta505:619f2c6,
author = {Thomas Barabosch},
title = {{TA505 returns with a new bag of tricks}},
date = {2020-06-16},
organization = {Telekom},
url = {https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104},
language = {English},
urldate = {2020-06-18}
}
TA505 returns with a new bag of tricks Clop Get2 SDBbot TA505 |
2020-06-15 ⋅ Fortinet ⋅ Val Saengphaibul, Fred Gutierrez @online{saengphaibul:20200615:global:5c4be18,
author = {Val Saengphaibul and Fred Gutierrez},
title = {{Global Malicious Spam Campaign Using Black Lives Matter as a Lure}},
date = {2020-06-15},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/global-malicious-spam-campaign-using-black-lives-matter-as-a-lure},
language = {English},
urldate = {2020-06-16}
}
Global Malicious Spam Campaign Using Black Lives Matter as a Lure TrickBot |
2020-06-12 ⋅ Hornetsecurity ⋅ Security Lab @online{lab:20200612:trickbot:2bf54ef,
author = {Security Lab},
title = {{Trickbot Malspam Leveraging Black Lives Matter as Lure}},
date = {2020-06-12},
organization = {Hornetsecurity},
url = {https://www.hornetsecurity.com/en/security-information/trickbot-malspam-leveraging-black-lives-matter-as-lure/},
language = {English},
urldate = {2020-07-01}
}
Trickbot Malspam Leveraging Black Lives Matter as Lure TrickBot |
2020-06-11 ⋅ Cofense ⋅ Jason Meurer @online{meurer:20200611:all:cc2e167,
author = {Jason Meurer},
title = {{All You Need Is Text: Second Wave}},
date = {2020-06-11},
organization = {Cofense},
url = {https://cofenselabs.com/all-you-need-is-text-second-wave/},
language = {English},
urldate = {2020-06-12}
}
All You Need Is Text: Second Wave TrickBot |
2020-06-05 ⋅ Votiro ⋅ Votiro’s Research Team @online{team:20200605:anatomy:3047f6e,
author = {Votiro’s Research Team},
title = {{Anatomy of a Well-Crafted UPS, FedEx, and DHL Phishing Email During COVID-19}},
date = {2020-06-05},
organization = {Votiro},
url = {https://votiro.com/blog/anatomy-of-a-well-crafted-ups-fedex-and-dhl-phishing-email-during-covid-19/},
language = {English},
urldate = {2020-06-10}
}
Anatomy of a Well-Crafted UPS, FedEx, and DHL Phishing Email During COVID-19 Dridex |
2020-06-02 ⋅ Lastline Labs ⋅ James Haughom, Stefano Ortolani @online{haughom:20200602:evolution:3286d87,
author = {James Haughom and Stefano Ortolani},
title = {{Evolution of Excel 4.0 Macro Weaponization}},
date = {2020-06-02},
organization = {Lastline Labs},
url = {https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/},
language = {English},
urldate = {2020-06-03}
}
Evolution of Excel 4.0 Macro Weaponization Agent Tesla DanaBot ISFB TrickBot Zloader |
2020-05-31 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt @online{reaves:20200531:wastedloader:c37b988,
author = {Jason Reaves and Joshua Platt},
title = {{WastedLoader or DridexLoader?}},
date = {2020-05-31},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/wastedloader-or-dridexloader-4f47c9b3ae77},
language = {English},
urldate = {2021-06-09}
}
WastedLoader or DridexLoader? Dridex WastedLocker |
2020-05-28 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan @online{duncan:20200528:goodbye:87a0245,
author = {Brad Duncan},
title = {{Goodbye Mworm, Hello Nworm: TrickBot Updates Propagation Module}},
date = {2020-05-28},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/},
language = {English},
urldate = {2020-05-29}
}
Goodbye Mworm, Hello Nworm: TrickBot Updates Propagation Module TrickBot |
2020-05-27 ⋅ GAIS-CERT ⋅ GAIS-CERT @techreport{gaiscert:20200527:dridex:90bd3bd,
author = {GAIS-CERT},
title = {{Dridex Banking Trojan Technical Analysis Report}},
date = {2020-05-27},
institution = {GAIS-CERT},
url = {https://gaissecurity.com/uploads/csirt/EN-Dridex-banking-trojan.pdf},
language = {English},
urldate = {2020-06-24}
}
Dridex Banking Trojan Technical Analysis Report Dridex |
2020-05-25 ⋅ CERT-FR ⋅ CERT-FR @online{certfr:20200525:indicateurs:642332f,
author = {CERT-FR},
title = {{INDICATEURS DE COMPROMISSION DU CERT-FR - Objet: Le code malveillant Dridex}},
date = {2020-05-25},
organization = {CERT-FR},
url = {https://www.cert.ssi.gouv.fr/ioc/CERTFR-2020-IOC-003/},
language = {French},
urldate = {2020-06-03}
}
INDICATEURS DE COMPROMISSION DU CERT-FR - Objet: Le code malveillant Dridex Dridex |
2020-05-25 ⋅ CERT-FR ⋅ CERT-FR @techreport{certfr:20200525:le:ac94f72,
author = {CERT-FR},
title = {{Le Code Malveillant Dridex: Origines et Usages}},
date = {2020-05-25},
institution = {CERT-FR},
url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-005.pdf},
language = {French},
urldate = {2020-05-26}
}
Le Code Malveillant Dridex: Origines et Usages Dridex |
2020-05-24 ⋅ Positive Technologies ⋅ PT ESC Threat Intelligence @online{intelligence:20200524:operation:2ce432b,
author = {PT ESC Threat Intelligence},
title = {{Operation TA505: network infrastructure. Part 3.}},
date = {2020-05-24},
organization = {Positive Technologies},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/},
language = {English},
urldate = {2020-11-23}
}
Operation TA505: network infrastructure. Part 3. AndroMut Buhtrap SmokeLoader |
2020-05-22 ⋅ Positive Technologies ⋅ PT ESC Threat Intelligence @online{intelligence:20200522:operation:6e4f978,
author = {PT ESC Threat Intelligence},
title = {{Operation TA505: investigating the ServHelper backdoor with NetSupport RAT. Part 2.}},
date = {2020-05-22},
organization = {Positive Technologies},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part2/},
language = {English},
urldate = {2020-11-23}
}
Operation TA505: investigating the ServHelper backdoor with NetSupport RAT. Part 2. NetSupportManager RAT ServHelper |
2020-05-21 ⋅ Intel 471 ⋅ Intel 471 @online{471:20200521:brief:048d164,
author = {Intel 471},
title = {{A brief history of TA505}},
date = {2020-05-21},
organization = {Intel 471},
url = {https://intel471.com/blog/a-brief-history-of-ta505},
language = {English},
urldate = {2022-02-14}
}
A brief history of TA505 AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot |
2020-05-20 ⋅ PTSecurity ⋅ PT ESC Threat Intelligence @online{intelligence:20200520:operation:7f6282e,
author = {PT ESC Threat Intelligence},
title = {{Operation TA505: how we analyzed new tools from the creators of the Dridex trojan, Locky ransomware, and Neutrino botnet}},
date = {2020-05-20},
organization = {PTSecurity},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505/},
language = {English},
urldate = {2020-06-05}
}
Operation TA505: how we analyzed new tools from the creators of the Dridex trojan, Locky ransomware, and Neutrino botnet FlawedAmmyy |
2020-05-19 ⋅ AlienLabs ⋅ Ofer Caspi @online{caspi:20200519:trickbot:50c2a51,
author = {Ofer Caspi},
title = {{TrickBot BazarLoader In-Depth}},
date = {2020-05-19},
organization = {AlienLabs},
url = {https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth},
language = {English},
urldate = {2020-05-20}
}
TrickBot BazarLoader In-Depth Anchor BazarBackdoor TrickBot |
2020-05-18 ⋅ Threatpost ⋅ Tara Seals @online{seals:20200518:ransomware:265e1f4,
author = {Tara Seals},
title = {{Ransomware Gang Arrested for Spreading Locky to Hospitals}},
date = {2020-05-18},
organization = {Threatpost},
url = {https://threatpost.com/ransomware-gang-arrested-locky-hospitals/155842/},
language = {English},
urldate = {2020-07-06}
}
Ransomware Gang Arrested for Spreading Locky to Hospitals Locky |
2020-05-14 ⋅ SentinelOne ⋅ Jason Reaves @online{reaves:20200514:deep:1ee83b6,
author = {Jason Reaves},
title = {{Deep Dive Into TrickBot Executor Module “mexec”: Reversing the Dropper Variant}},
date = {2020-05-14},
organization = {SentinelOne},
url = {https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-reversing-the-dropper-variant/},
language = {English},
urldate = {2020-05-18}
}
Deep Dive Into TrickBot Executor Module “mexec”: Reversing the Dropper Variant TrickBot |
2020-04-23 ⋅ CERT-FR ⋅ CERT-FR @techreport{certfr:20200423:le:4dbca96,
author = {CERT-FR},
title = {{LE GROUPE CYBERCRIMINEL SILENCE}},
date = {2020-04-23},
institution = {CERT-FR},
url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-004.pdf},
language = {French},
urldate = {2020-05-07}
}
LE GROUPE CYBERCRIMINEL SILENCE Silence |
2020-04-14 ⋅ Intrinsec ⋅ Jean Bichet @online{bichet:20200414:deobfuscating:d7320ab,
author = {Jean Bichet},
title = {{Deobfuscating and hunting for OSTAP, Trickbot’s dropper and best friend}},
date = {2020-04-14},
organization = {Intrinsec},
url = {https://www.intrinsec.com/deobfuscating-hunting-ostap/},
language = {English},
urldate = {2021-01-11}
}
Deobfuscating and hunting for OSTAP, Trickbot’s dropper and best friend ostap TrickBot |
2020-04-14 ⋅ Intel 471 ⋅ Intel 471 @online{471:20200414:understanding:ca95961,
author = {Intel 471},
title = {{Understanding the relationship between Emotet, Ryuk and TrickBot}},
date = {2020-04-14},
organization = {Intel 471},
url = {https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/},
language = {English},
urldate = {2020-04-26}
}
Understanding the relationship between Emotet, Ryuk and TrickBot Emotet Ryuk TrickBot |
2020-04-14 ⋅ SecurityIntelligence ⋅ Melissa Frydrych @online{frydrych:20200414:ta505:9b31f77,
author = {Melissa Frydrych},
title = {{TA505 Continues to Infect Networks With SDBbot RAT}},
date = {2020-04-14},
organization = {SecurityIntelligence},
url = {https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/},
language = {English},
urldate = {2023-02-17}
}
TA505 Continues to Infect Networks With SDBbot RAT SDBbot TinyMet TA505 |
2020-04-09 ⋅ Zscaler ⋅ Atinderpal Singh, Abhay Yadav @online{singh:20200409:trickbot:9db52c2,
author = {Atinderpal Singh and Abhay Yadav},
title = {{TrickBot Emerges with a Few New Tricks}},
date = {2020-04-09},
organization = {Zscaler},
url = {https://www.zscaler.com/blogs/research/trickbot-emerges-few-new-tricks},
language = {English},
urldate = {2020-07-01}
}
TrickBot Emerges with a Few New Tricks TrickBot |
2020-04-09 ⋅ Github (Tera0017) ⋅ Tera0017 @online{tera0017:20200409:sdbbot:a6c333e,
author = {Tera0017},
title = {{SDBbot Unpacker}},
date = {2020-04-09},
organization = {Github (Tera0017)},
url = {https://github.com/Tera0017/SDBbot-Unpacker},
language = {English},
urldate = {2020-04-13}
}
SDBbot Unpacker SDBbot |
2020-04-08 ⋅ SentinelOne ⋅ Jason Reaves @online{reaves:20200408:deep:87b83bb,
author = {Jason Reaves},
title = {{Deep Dive Into TrickBot Executor Module “mexec”: Hidden “Anchor” Bot Nexus Operations}},
date = {2020-04-08},
organization = {SentinelOne},
url = {https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/},
language = {English},
urldate = {2020-04-13}
}
Deep Dive Into TrickBot Executor Module “mexec”: Hidden “Anchor” Bot Nexus Operations Anchor TrickBot |
2020-04-08 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam @online{researchteam:20200408:how:192d583,
author = {Counter Threat Unit ResearchTeam},
title = {{How Cyber Adversaries are Adapting to Exploit the Global Pandemic}},
date = {2020-04-08},
organization = {Secureworks},
url = {https://www.secureworks.com/blog/how-cyber-adversaries-are-adapting-to-exploit-the-global-pandemic},
language = {English},
urldate = {2021-05-28}
}
How Cyber Adversaries are Adapting to Exploit the Global Pandemic GOLD SOUTHFIELD TA2101 TA505 WIZARD SPIDER |
2020-04-07 ⋅ SecurityIntelligence ⋅ Ole Villadsen @online{villadsen:20200407:itg08:b0b782d,
author = {Ole Villadsen},
title = {{ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework}},
date = {2020-04-07},
organization = {SecurityIntelligence},
url = {https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/},
language = {English},
urldate = {2020-04-13}
}
ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework More_eggs Anchor TrickBot |
2020-04-01 ⋅ Cisco ⋅ Shyam Sundar Ramaswami, Andrea Kaiser @online{ramaswami:20200401:navigating:965952a,
author = {Shyam Sundar Ramaswami and Andrea Kaiser},
title = {{Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors}},
date = {2020-04-01},
organization = {Cisco},
url = {https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors},
language = {English},
urldate = {2020-08-19}
}
Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors Azorult CloudEyE Formbook KPOT Stealer Metamorfo Nanocore RAT NetWire RC TrickBot |
2020-03-31 ⋅ Cisco Talos ⋅ Chris Neal @online{neal:20200331:trickbot:dcf5314,
author = {Chris Neal},
title = {{Trickbot: A primer}},
date = {2020-03-31},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2020/03/trickbot-primer.html},
language = {English},
urldate = {2020-04-01}
}
Trickbot: A primer TrickBot |
2020-03-31 ⋅ FireEye ⋅ Van Ta, Aaron Stephens @online{ta:20200331:its:632dfca,
author = {Van Ta and Aaron Stephens},
title = {{It’s Your Money and They Want It Now - The Cycle of Adversary Pursuit}},
date = {2020-03-31},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html},
language = {English},
urldate = {2020-04-06}
}
It’s Your Money and They Want It Now - The Cycle of Adversary Pursuit Ryuk TrickBot UNC1878 |
2020-03-30 ⋅ Intezer ⋅ Michael Kajiloti @online{kajiloti:20200330:fantastic:c01db60,
author = {Michael Kajiloti},
title = {{Fantastic payloads and where we find them}},
date = {2020-03-30},
organization = {Intezer},
url = {https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them},
language = {English},
urldate = {2020-04-07}
}
Fantastic payloads and where we find them Dridex Emotet ISFB TrickBot |
2020-03-26 ⋅ Telekom ⋅ Thomas Barabosch @online{barabosch:20200326:ta505s:24d9805,
author = {Thomas Barabosch},
title = {{TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer}},
date = {2020-03-26},
organization = {Telekom},
url = {https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672},
language = {English},
urldate = {2020-03-27}
}
TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer Amadey Azorult Clop |