SYMBOLCOMMON_NAMEaka. SYNONYMS

TA505  (Back to overview)

aka: SectorJ04 Group, GRACEFUL SPIDER, GOLD TAHOE

TA505, the name given by Proofpoint, has been in the cybercrime business for at least four years. This is the group behind the infamous Dridex banking trojan and Locky ransomware, delivered through malicious email campaigns via Necurs botnet. Other malware associated with TA505 include Philadelphia and GlobeImposter ransomware families.


Associated Families
win.andromut win.servhelper win.flawedammyy win.trickbot win.tinymet win.flawedgrace win.rms win.locky win.clop win.sdbbot win.get2 win.dridex

References
2020-08-03The DFIR Report
@online{report:20200803:dridex:165cf39, author = {The DFIR Report}, title = {{Dridex – From Word to Domain Dominance}}, date = {2020-08-03}, url = {https://thedfirreport.com/2020/08/03/dridex-from-word-to-domain-dominance/}, language = {English}, urldate = {2020-08-05} } Dridex – From Word to Domain Dominance
Dridex
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos Ransomware PlugX Pony REvil Socelars STOP Ransomware Tinba TrickBot WannaCryptor
2020-07-22SentinelOneJason Reaves, Joshua Platt
@online{reaves:20200722:enter:71d9038, author = {Jason Reaves and Joshua Platt}, title = {{Enter the Maze: Demystifying an Affiliate Involved in Maze (SNOW)}}, date = {2020-07-22}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/}, language = {English}, urldate = {2020-07-23} } Enter the Maze: Demystifying an Affiliate Involved in Maze (SNOW)
ISFB Maze TrickBot Zloader
2020-07-20Bleeping ComputerLawrence Abrams
@online{abrams:20200720:emotettrickbot:a8e84d2, author = {Lawrence Abrams}, title = {{Emotet-TrickBot malware duo is back infecting Windows machines}}, date = {2020-07-20}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/emotet-trickbot-malware-duo-is-back-infecting-windows-machines/}, language = {English}, urldate = {2020-07-21} } Emotet-TrickBot malware duo is back infecting Windows machines
Emotet TrickBot
2020-07-17CERT-FRCERT-FR
@techreport{certfr:20200717:malware:5c58cdf, author = {CERT-FR}, title = {{The Malware Dridex: Origins and Uses}}, date = {2020-07-17}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf}, language = {English}, urldate = {2020-07-20} } The Malware Dridex: Origins and Uses
Andromeda CryptoLocker Cutwail DoppelPaymer Dridex Emotet FriedEx Gameover P2P Gandcrab ISFB Murofet Necurs Predator The Thief Zeus
2020-07-15Intel 471Intel 471
@online{471:20200715:flowspec:683a5a1, author = {Intel 471}, title = {{Flowspec – TA505’s bulletproof hoster of choice}}, date = {2020-07-15}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/07/15/flowspec-ta505s-bulletproof-hoster-of-choice/}, language = {English}, urldate = {2020-07-16} } Flowspec – TA505’s bulletproof hoster of choice
Get2
2020-07-13JoeSecurityJoe Security
@online{security:20200713:trickbots:a164ba5, author = {Joe Security}, title = {{TrickBot's new API-Hammering explained}}, date = {2020-07-13}, organization = {JoeSecurity}, url = {https://www.joesecurity.org/blog/498839998833561473}, language = {English}, urldate = {2020-07-15} } TrickBot's new API-Hammering explained
TrickBot
2020-07-11BleepingComputerLawrence Abrams
@online{abrams:20200711:trickbot:7e70ad3, author = {Lawrence Abrams}, title = {{TrickBot malware mistakenly warns victims that they are infected}}, date = {2020-07-11}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/trickbot-malware-mistakenly-warns-victims-that-they-are-infected/}, language = {English}, urldate = {2020-07-15} } TrickBot malware mistakenly warns victims that they are infected
TrickBot
2020-07-11Advanced IntelligenceVitali Kremez
@online{kremez:20200711:trickbot:602fd73, author = {Vitali Kremez}, title = {{TrickBot Group Launches Test Module Alerting on Fraud Activity}}, date = {2020-07-11}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/trickbot-group-launches-test-module-alerting-on-fraud-activity}, language = {English}, urldate = {2020-07-13} } TrickBot Group Launches Test Module Alerting on Fraud Activity
TrickBot
2020-07-09GdataG DATA Security Lab
@online{lab:20200709:servhelper:13899fd, author = {G DATA Security Lab}, title = {{ServHelper: Hidden Miners}}, date = {2020-07-09}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/2020/07/36122-hidden-miners}, language = {English}, urldate = {2020-07-16} } ServHelper: Hidden Miners
ServHelper
2020-07-07HornetsecurityHornetsecurity Security Lab
@online{lab:20200707:clop:12bb60d, author = {Hornetsecurity Security Lab}, title = {{Clop, Clop! It’s a TA505 HTML malspam analysis}}, date = {2020-07-07}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/clop-clop-ta505-html-malspam-analysis/}, language = {English}, urldate = {2020-07-30} } Clop, Clop! It’s a TA505 HTML malspam analysis
Clop Get2
2020-07-06NTTSecurity division of NTT Ltd.
@online{ltd:20200706:trickbot:9612912, author = {Security division of NTT Ltd.}, title = {{TrickBot variant “Anchor_DNS” communicating over DNS}}, date = {2020-07-06}, organization = {NTT}, url = {https://hello.global.ntt/en-us/insights/blog/trickbot-variant-communicating-over-dns}, language = {English}, urldate = {2020-07-30} } TrickBot variant “Anchor_DNS” communicating over DNS
Anchor_DNS TrickBot
2020-06-24MorphisecArnold Osipov
@online{osipov:20200624:obfuscated:74bfeed, author = {Arnold Osipov}, title = {{Obfuscated VBScript Drops Zloader, Ursnif, Qakbot, Dridex}}, date = {2020-06-24}, organization = {Morphisec}, url = {https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex}, language = {English}, urldate = {2020-06-25} } Obfuscated VBScript Drops Zloader, Ursnif, Qakbot, Dridex
Dridex ISFB QakBot Zloader
2020-06-22CERT-FRCERT-FR
@techreport{certfr:20200622:volution:fba1cfa, author = {CERT-FR}, title = {{Évolution De Lactivité du Groupe Cybercriminel TA505}}, date = {2020-06-22}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf}, language = {French}, urldate = {2020-06-24} } Évolution De Lactivité du Groupe Cybercriminel TA505
Amadey AndroMut Bart Clop Dridex FlawedGrace Gandcrab Get2 GlobeImposter Jaff Locky Marap Philadephia Ransom QuantLoader Scarab Ransomware SDBbot ServHelper Silence tRat TrickBot
2020-06-22BleepingComputerLawrence Abrams
@online{abrams:20200622:indiabulls:ce0fcdb, author = {Lawrence Abrams}, title = {{Indiabulls Group hit by CLOP Ransomware, gets 24h leak deadline}}, date = {2020-06-22}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/indiabulls-group-hit-by-clop-ransomware-gets-24h-leak-deadline/}, language = {English}, urldate = {2020-06-23} } Indiabulls Group hit by CLOP Ransomware, gets 24h leak deadline
Clop
2020-06-22Sentinel LABSJoshua Platt, Jason Reaves
@online{platt:20200622:inside:b381dd5, author = {Joshua Platt and Jason Reaves}, title = {{Inside a TrickBot Cobalt Strike Attack Server}}, date = {2020-06-22}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/}, language = {English}, urldate = {2020-06-23} } Inside a TrickBot Cobalt Strike Attack Server
Cobalt Strike TrickBot
2020-06-19ReaqtaReaqta
@online{reaqta:20200619:dridex:54f4dd5, author = {Reaqta}, title = {{Dridex: the secret in a PostMessage()}}, date = {2020-06-19}, organization = {Reaqta}, url = {https://reaqta.com/2020/06/dridex-the-secret-in-a-postmessage/}, language = {English}, urldate = {2020-06-22} } Dridex: the secret in a PostMessage()
Dridex
2020-06-17Twitter (@MsftSecIntel)Microsoft Security Intelligence
@online{intelligence:20200617:thread:b4b74d5, author = {Microsoft Security Intelligence}, title = {{A tweet thread on TA505 using CAPTCHA to avoid detection and infecting victims with FlawedGrace}}, date = {2020-06-17}, organization = {Twitter (@MsftSecIntel)}, url = {https://twitter.com/MsftSecIntel/status/1273359829390655488}, language = {English}, urldate = {2020-06-18} } A tweet thread on TA505 using CAPTCHA to avoid detection and infecting victims with FlawedGrace
FlawedGrace
2020-06-17Youtube (Red Canary)Erika Noerenberg, Matt Graeber, Adam Pennington, David Kaplan
@online{noerenberg:20200617:attck:934d73c, author = {Erika Noerenberg and Matt Graeber and Adam Pennington and David Kaplan}, title = {{ATT&CK® Deep Dive: Process Injection}}, date = {2020-06-17}, organization = {Youtube (Red Canary)}, url = {https://redcanary.com/resources/webinars/deep-dive-process-injection/}, language = {English}, urldate = {2020-06-19} } ATT&CK® Deep Dive: Process Injection
ISFB Ramnit TrickBot
2020-06-17Twitter (@VK_intel)Vitali Kremez, malwrhunterteam
@online{kremez:20200617:signed:f8eecc6, author = {Vitali Kremez and malwrhunterteam}, title = {{Tweet on signed Tinymet payload (V.02) used by TA505}}, date = {2020-06-17}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1273292957429510150}, language = {English}, urldate = {2020-06-18} } Tweet on signed Tinymet payload (V.02) used by TA505
TinyMet
2020-06-16TelekomThomas Barabosch
@online{barabosch:20200616:ta505:619f2c6, author = {Thomas Barabosch}, title = {{TA505 returns with a new bag of tricks}}, date = {2020-06-16}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104}, language = {English}, urldate = {2020-06-18} } TA505 returns with a new bag of tricks
Clop Get2 SDBbot TA505
2020-06-15FortinetVal Saengphaibul, Fred Gutierrez
@online{saengphaibul:20200615:global:5c4be18, author = {Val Saengphaibul and Fred Gutierrez}, title = {{Global Malicious Spam Campaign Using Black Lives Matter as a Lure}}, date = {2020-06-15}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/global-malicious-spam-campaign-using-black-lives-matter-as-a-lure}, language = {English}, urldate = {2020-06-16} } Global Malicious Spam Campaign Using Black Lives Matter as a Lure
TrickBot
2020-06-12HornetsecuritySecurity Lab
@online{lab:20200612:trickbot:2bf54ef, author = {Security Lab}, title = {{Trickbot Malspam Leveraging Black Lives Matter as Lure}}, date = {2020-06-12}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/trickbot-malspam-leveraging-black-lives-matter-as-lure/}, language = {English}, urldate = {2020-07-01} } Trickbot Malspam Leveraging Black Lives Matter as Lure
TrickBot
2020-06-11CofenseJason Meurer
@online{meurer:20200611:all:cc2e167, author = {Jason Meurer}, title = {{All You Need Is Text: Second Wave}}, date = {2020-06-11}, organization = {Cofense}, url = {https://cofenselabs.com/all-you-need-is-text-second-wave/}, language = {English}, urldate = {2020-06-12} } All You Need Is Text: Second Wave
TrickBot
2020-06-05VotiroVotiro’s Research Team
@online{team:20200605:anatomy:3047f6e, author = {Votiro’s Research Team}, title = {{Anatomy of a Well-Crafted UPS, FedEx, and DHL Phishing Email During COVID-19}}, date = {2020-06-05}, organization = {Votiro}, url = {https://votiro.com/blog/anatomy-of-a-well-crafted-ups-fedex-and-dhl-phishing-email-during-covid-19/}, language = {English}, urldate = {2020-06-10} } Anatomy of a Well-Crafted UPS, FedEx, and DHL Phishing Email During COVID-19
Dridex
2020-06-02Lastline LabsJames Haughom, Stefano Ortolani
@online{haughom:20200602:evolution:3286d87, author = {James Haughom and Stefano Ortolani}, title = {{Evolution of Excel 4.0 Macro Weaponization}}, date = {2020-06-02}, organization = {Lastline Labs}, url = {https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/}, language = {English}, urldate = {2020-06-03} } Evolution of Excel 4.0 Macro Weaponization
Agent Tesla DanaBot ISFB TrickBot Zloader
2020-05-28Palo Alto Networks Unit 42Brad Duncan
@online{duncan:20200528:goodbye:87a0245, author = {Brad Duncan}, title = {{Goodbye Mworm, Hello Nworm: TrickBot Updates Propagation Module}}, date = {2020-05-28}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/}, language = {English}, urldate = {2020-05-29} } Goodbye Mworm, Hello Nworm: TrickBot Updates Propagation Module
TrickBot
2020-05-27GAIS-CERTGAIS-CERT
@techreport{gaiscert:20200527:dridex:90bd3bd, author = {GAIS-CERT}, title = {{Dridex Banking Trojan Technical Analysis Report}}, date = {2020-05-27}, institution = {GAIS-CERT}, url = {https://gaissecurity.com/uploads/csirt/EN-Dridex-banking-trojan.pdf}, language = {English}, urldate = {2020-06-24} } Dridex Banking Trojan Technical Analysis Report
Dridex
2020-05-25CERT-FRCERT-FR
@online{certfr:20200525:indicateurs:642332f, author = {CERT-FR}, title = {{INDICATEURS DE COMPROMISSION DU CERT-FR - Objet: Le code malveillant Dridex}}, date = {2020-05-25}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/ioc/CERTFR-2020-IOC-003/}, language = {French}, urldate = {2020-06-03} } INDICATEURS DE COMPROMISSION DU CERT-FR - Objet: Le code malveillant Dridex
Dridex
2020-05-25CERT-FRCERT-FR
@techreport{certfr:20200525:le:ac94f72, author = {CERT-FR}, title = {{Le Code Malveillant Dridex: Origines et Usages}}, date = {2020-05-25}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-005.pdf}, language = {French}, urldate = {2020-05-26} } Le Code Malveillant Dridex: Origines et Usages
Dridex
2020-05-21Intel 471Intel 471
@online{471:20200521:brief:048d164, author = {Intel 471}, title = {{A brief history of TA505}}, date = {2020-05-21}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/}, language = {English}, urldate = {2020-05-23} } A brief history of TA505
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot
2020-05-20PTSecurityPT ESC Threat Intelligence
@online{intelligence:20200520:operation:7f6282e, author = {PT ESC Threat Intelligence}, title = {{Operation TA505: how we analyzed new tools from the creators of the Dridex trojan, Locky ransomware, and Neutrino botnet}}, date = {2020-05-20}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505/}, language = {English}, urldate = {2020-06-05} } Operation TA505: how we analyzed new tools from the creators of the Dridex trojan, Locky ransomware, and Neutrino botnet
FlawedAmmyy
2020-05-19AlienLabsOfer Caspi
@online{caspi:20200519:trickbot:50c2a51, author = {Ofer Caspi}, title = {{TrickBot BazarLoader In-Depth}}, date = {2020-05-19}, organization = {AlienLabs}, url = {https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth}, language = {English}, urldate = {2020-05-20} } TrickBot BazarLoader In-Depth
Anchor BazarBackdoor TrickBot
2020-05-18ThreatpostTara Seals
@online{seals:20200518:ransomware:265e1f4, author = {Tara Seals}, title = {{Ransomware Gang Arrested for Spreading Locky to Hospitals}}, date = {2020-05-18}, organization = {Threatpost}, url = {https://threatpost.com/ransomware-gang-arrested-locky-hospitals/155842/}, language = {English}, urldate = {2020-07-06} } Ransomware Gang Arrested for Spreading Locky to Hospitals
Locky
2020-05-14SentinelOneJason Reaves
@online{reaves:20200514:deep:1ee83b6, author = {Jason Reaves}, title = {{Deep Dive Into TrickBot Executor Module “mexec”: Reversing the Dropper Variant}}, date = {2020-05-14}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-reversing-the-dropper-variant/}, language = {English}, urldate = {2020-05-18} } Deep Dive Into TrickBot Executor Module “mexec”: Reversing the Dropper Variant
TrickBot
2020-04-14Intel 471Intel 471
@online{471:20200414:understanding:ca95961, author = {Intel 471}, title = {{Understanding the relationship between Emotet, Ryuk and TrickBot}}, date = {2020-04-14}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/}, language = {English}, urldate = {2020-04-26} } Understanding the relationship between Emotet, Ryuk and TrickBot
Emotet Ryuk TrickBot
2020-04-09ZscalerAtinderpal Singh, Abhay Yadav
@online{singh:20200409:trickbot:9db52c2, author = {Atinderpal Singh and Abhay Yadav}, title = {{TrickBot Emerges with a Few New Tricks}}, date = {2020-04-09}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/trickbot-emerges-few-new-tricks}, language = {English}, urldate = {2020-07-01} } TrickBot Emerges with a Few New Tricks
TrickBot
2020-04-09Github (Tera0017)Tera0017
@online{tera0017:20200409:sdbbot:a6c333e, author = {Tera0017}, title = {{SDBbot Unpacker}}, date = {2020-04-09}, organization = {Github (Tera0017)}, url = {https://github.com/Tera0017/SDBbot-Unpacker}, language = {English}, urldate = {2020-04-13} } SDBbot Unpacker
SDBbot
2020-04-08SentinelOneJason Reaves
@online{reaves:20200408:deep:87b83bb, author = {Jason Reaves}, title = {{Deep Dive Into TrickBot Executor Module “mexec”: Hidden “Anchor” Bot Nexus Operations}}, date = {2020-04-08}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/}, language = {English}, urldate = {2020-04-13} } Deep Dive Into TrickBot Executor Module “mexec”: Hidden “Anchor” Bot Nexus Operations
Anchor TrickBot
2020-04-07SecurityIntelligenceOle Villadsen
@online{villadsen:20200407:itg08:b0b782d, author = {Ole Villadsen}, title = {{ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework}}, date = {2020-04-07}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/}, language = {English}, urldate = {2020-04-13} } ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework
More_eggs Anchor TrickBot
2020-03-31FireEyeVan Ta, Aaron Stephens
@online{ta:20200331:its:632dfca, author = {Van Ta and Aaron Stephens}, title = {{It’s Your Money and They Want It Now - The Cycle of Adversary Pursuit}}, date = {2020-03-31}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html}, language = {English}, urldate = {2020-04-06} } It’s Your Money and They Want It Now - The Cycle of Adversary Pursuit
Ryuk TrickBot
2020-03-31Cisco TalosChris Neal
@online{neal:20200331:trickbot:dcf5314, author = {Chris Neal}, title = {{Trickbot: A primer}}, date = {2020-03-31}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/03/trickbot-primer.html}, language = {English}, urldate = {2020-04-01} } Trickbot: A primer
TrickBot
2020-03-30IntezerMichael Kajiloti
@online{kajiloti:20200330:fantastic:c01db60, author = {Michael Kajiloti}, title = {{Fantastic payloads and where we find them}}, date = {2020-03-30}, organization = {Intezer}, url = {https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them}, language = {English}, urldate = {2020-04-07} } Fantastic payloads and where we find them
Dridex Emotet ISFB TrickBot
2020-03-26TelekomThomas Barabosch
@online{barabosch:20200326:ta505s:24d9805, author = {Thomas Barabosch}, title = {{TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer}}, date = {2020-03-26}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672}, language = {English}, urldate = {2020-03-27} } TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer
Amadey Azorult Clop FlawedGrace Get2 SDBbot Silence TinyMet TA505
2020-03-25Wilbur SecurityJW
@online{jw:20200325:trickbot:17b0dc3, author = {JW}, title = {{Trickbot to Ryuk in Two Hours}}, date = {2020-03-25}, organization = {Wilbur Security}, url = {https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/}, language = {English}, urldate = {2020-03-26} } Trickbot to Ryuk in Two Hours
Cobalt Strike Ryuk TrickBot
2020-03-24Bleeping ComputerLawrence Abrams
@online{abrams:20200324:three:fb92d03, author = {Lawrence Abrams}, title = {{Three More Ransomware Families Create Sites to Leak Stolen Data}}, date = {2020-03-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/}, language = {English}, urldate = {2020-03-26} } Three More Ransomware Families Create Sites to Leak Stolen Data
Clop DoppelPaymer Maze Nefilim Ransomware Nemty REvil
2020-03-18BitdefenderLiviu Arsene, Radu Tudorica, Alexandru Maximciuc, Cristina Vatamanu
@techreport{arsene:20200318:new:2d895da, author = {Liviu Arsene and Radu Tudorica and Alexandru Maximciuc and Cristina Vatamanu}, title = {{New TrickBot Module Bruteforces RDP Connections, Targets Select Telecommunication Services in US and Hong Kong}}, date = {2020-03-18}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/316/Bitdefender-Whitepaper-TrickBot-en-EN-interactive.pdf}, language = {English}, urldate = {2020-03-19} } New TrickBot Module Bruteforces RDP Connections, Targets Select Telecommunication Services in US and Hong Kong
TrickBot
2020-03-18ProofpointAxel F, Sam Scholten
@online{f:20200318:coronavirus:8fe12a3, author = {Axel F and Sam Scholten}, title = {{Coronavirus Threat Landscape Update}}, date = {2020-03-18}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update}, language = {English}, urldate = {2020-03-26} } Coronavirus Threat Landscape Update
Agent Tesla Get2 ISFB Remcos
2020-03-09FortinetXiaopeng Zhang
@online{zhang:20200309:new:ff60491, author = {Xiaopeng Zhang}, title = {{New Variant of TrickBot Being Spread by Word Document}}, date = {2020-03-09}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/new-variant-of-trickbot-being-spread-by-word-document.html}, language = {English}, urldate = {2020-04-26} } New Variant of TrickBot Being Spread by Word Document
TrickBot
2020-03-05MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200305:humanoperated:d90a28e, author = {Microsoft Threat Protection Intelligence Team}, title = {{Human-operated ransomware attacks: A preventable disaster}}, date = {2020-03-05}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/}, language = {English}, urldate = {2020-03-06} } Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-03-04Bleeping ComputerLawrence Abrams
@online{abrams:20200304:ryuk:31f2ce0, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Attacked Epiq Global Via TrickBot Infection}}, date = {2020-03-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/}, language = {English}, urldate = {2020-03-09} } Ryuk Ransomware Attacked Epiq Global Via TrickBot Infection
Ryuk TrickBot
2020-03-04SentinelOneJason Reaves
@online{reaves:20200304:breaking:8262e7e, author = {Jason Reaves}, title = {{Breaking TA505’s Crypter with an SMT Solver}}, date = {2020-03-04}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/}, language = {English}, urldate = {2020-03-04} } Breaking TA505’s Crypter with an SMT Solver
Clop CryptoMix MINEBIDGE
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare
2020-02-28Financial Security InstituteFinancial Security Institute
@online{institute:20200228:profiling:ebaa39b, author = {Financial Security Institute}, title = {{Profiling of TA505 Threat Group That Continues to Attack the Financial Sector}}, date = {2020-02-28}, organization = {Financial Security Institute}, url = {https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do}, language = {English}, urldate = {2020-02-28} } Profiling of TA505 Threat Group That Continues to Attack the Financial Sector
Amadey Clop FlawedAmmyy Rapid Ransom SDBbot TinyMet
2020-02-28MorphisecMichael Gorelik
@online{gorelik:20200228:trickbot:678683b, author = {Michael Gorelik}, title = {{Trickbot Delivery Method Gets a New Upgrade Focusing on Windows 10}}, date = {2020-02-28}, organization = {Morphisec}, url = {https://blog.morphisec.com/trickbot-delivery-method-gets-a-new-upgrade-focusing-on-windows}, language = {English}, urldate = {2020-03-03} } Trickbot Delivery Method Gets a New Upgrade Focusing on Windows 10
TrickBot
2020-02-26SentinelOneJason Reaves
@online{reaves:20200226:revealing:2c3fc63, author = {Jason Reaves}, title = {{Revealing the Trick | A Deep Dive into TrickLoader Obfuscation}}, date = {2020-02-26}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/revealing-the-trick-a-deep-dive-into-trickloader-obfuscation/}, language = {English}, urldate = {2020-02-27} } Revealing the Trick | A Deep Dive into TrickLoader Obfuscation
TrickBot
2020-02-20ZDNetCatalin Cimpanu
@online{cimpanu:20200220:croatias:ac07fa3, author = {Catalin Cimpanu}, title = {{Croatia's largest petrol station chain impacted by cyber-attack}}, date = {2020-02-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/croatias-largest-petrol-station-chain-impacted-by-cyber-attack/}, language = {English}, urldate = {2020-02-26} } Croatia's largest petrol station chain impacted by cyber-attack
Clop
2020-02-19FireEyeFireEye
@online{fireeye:20200219:mtrends:193613a, author = {FireEye}, title = {{M-Trends 2020}}, date = {2020-02-19}, organization = {FireEye}, url = {https://content.fireeye.com/m-trends/rpt-m-trends-2020}, language = {English}, urldate = {2020-02-20} } M-Trends 2020
Cobalt Strike Grateful POS LockerGoga QakBot TrickBot
2020-02-18Sophos LabsLuca Nagy
@online{nagy:20200218:nearly:8ff363f, author = {Luca Nagy}, title = {{Nearly a quarter of malware now communicates using TLS}}, date = {2020-02-18}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/}, language = {English}, urldate = {2020-02-27} } Nearly a quarter of malware now communicates using TLS
Dridex IcedID TrickBot
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020-02-10viXraJason Reaves
@techreport{reaves:20200210:case:3f668be, author = {Jason Reaves}, title = {{A Case Study into solving Crypters/Packers in Malware Obfuscation using an SMT approach}}, date = {2020-02-10}, institution = {viXra}, url = {https://vixra.org/pdf/2002.0183v1.pdf}, language = {English}, urldate = {2020-02-27} } A Case Study into solving Crypters/Packers in Malware Obfuscation using an SMT approach
Locky
2020-02-10MalwarebytesAdam Kujawa, Wendy Zamora, Jérôme Segura, Thomas Reed, Nathan Collier, Jovi Umawing, Chris Boyd, Pieter Arntz, David Ruiz
@techreport{kujawa:20200210:2020:3fdaf12, author = {Adam Kujawa and Wendy Zamora and Jérôme Segura and Thomas Reed and Nathan Collier and Jovi Umawing and Chris Boyd and Pieter Arntz and David Ruiz}, title = {{2020 State of Malware Report}}, date = {2020-02-10}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf}, language = {English}, urldate = {2020-02-13} } 2020 State of Malware Report
magecart Emotet QakBot REvil Ryuk TrickBot WannaCryptor
2020-02-07Bleeping ComputerSergiu Gatlan
@online{gatlan:20200207:ta505:7a8e5a2, author = {Sergiu Gatlan}, title = {{TA505 Hackers Behind Maastricht University Ransomware Attack}}, date = {2020-02-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ta505-hackers-behind-maastricht-university-ransomware-attack/}, language = {English}, urldate = {2020-02-13} } TA505 Hackers Behind Maastricht University Ransomware Attack
Clop
2020-01-31Virus BulletinMichal Poslušný, Peter Kálnai
@online{poslun:20200131:rich:c25f156, author = {Michal Poslušný and Peter Kálnai}, title = {{Rich Headers: leveraging this mysterious artifact of the PE format}}, date = {2020-01-31}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/}, language = {English}, urldate = {2020-02-03} } Rich Headers: leveraging this mysterious artifact of the PE format
Dridex Exaramel Industroyer Neutrino RCS Sathurbot
2020-01-30MorphisecArnold Osipov
@online{osipov:20200130:trickbot:da5c80d, author = {Arnold Osipov}, title = {{Trickbot Trojan Leveraging a New Windows 10 UAC Bypass}}, date = {2020-01-30}, organization = {Morphisec}, url = {https://blog.morphisec.com/trickbot-uses-a-new-windows-10-uac-bypass}, language = {English}, urldate = {2020-02-03} } Trickbot Trojan Leveraging a New Windows 10 UAC Bypass
TrickBot
2020-01-30Bleeping ComputerLawrence Abrams
@online{abrams:20200130:trickbot:22db786, author = {Lawrence Abrams}, title = {{TrickBot Uses a New Windows 10 UAC Bypass to Launch Quietly}}, date = {2020-01-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly/}, language = {English}, urldate = {2020-02-03} } TrickBot Uses a New Windows 10 UAC Bypass to Launch Quietly
TrickBot
2020-01-29ANSSIANSSI
@techreport{anssi:20200129:tat:3d59e6e, author = {ANSSI}, title = {{État de la menace rançongiciel}}, date = {2020-01-29}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf}, language = {English}, urldate = {2020-02-03} } État de la menace rançongiciel
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam
2020-01-29Bleeping ComputerLawrence Abrams
@online{abrams:20200129:malware:920dc7e, author = {Lawrence Abrams}, title = {{Malware Tries to Trump Security Software With POTUS Impeachment}}, date = {2020-01-29}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/malware-tries-to-trump-security-software-with-potus-impeachment/}, language = {English}, urldate = {2020-02-03} } Malware Tries to Trump Security Software With POTUS Impeachment
TrickBot
2020-01-27T-SystemsT-Systems
@techreport{tsystems:20200127:vorlufiger:39dc989, author = {T-Systems}, title = {{Vorläufiger forensischer Abschlussbericht zur Untersuchung des Incidents beim Berliner Kammergericht}}, date = {2020-01-27}, institution = {T-Systems}, url = {https://www.berlin.de/sen/justva/presse/pressemitteilungen/2020/pm-11-2020-t-systems-forensik_bericht_public_v1.pdf}, language = {German}, urldate = {2020-01-28} } Vorläufiger forensischer Abschlussbericht zur Untersuchung des Incidents beim Berliner Kammergericht
Emotet TrickBot
2020-01-23Bleeping ComputerLawrence Abrams
@online{abrams:20200123:trickbot:5ca7827, author = {Lawrence Abrams}, title = {{TrickBot Now Steals Windows Active Directory Credentials}}, date = {2020-01-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trickbot-now-steals-windows-active-directory-credentials/}, language = {English}, urldate = {2020-01-27} } TrickBot Now Steals Windows Active Directory Credentials
TrickBot
2020-01-17Ken Sajo, Yasuhiro Takeda, Yusuke Niwa
@techreport{sajo:20200117:battle:2b146f5, author = {Ken Sajo and Yasuhiro Takeda and Yusuke Niwa}, title = {{Battle Against Ursnif Malspam Campaign targeting Japan}}, date = {2020-01-17}, institution = {}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf}, language = {English}, urldate = {2020-01-17} } Battle Against Ursnif Malspam Campaign targeting Japan
Cutwail ISFB TrickBot UrlZone
2020-01-16Bleeping ComputerLawrence Abrams
@online{abrams:20200116:trickbot:ed6fdb3, author = {Lawrence Abrams}, title = {{TrickBot Now Uses a Windows 10 UAC Bypass to Evade Detection}}, date = {2020-01-16}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trickbot-now-uses-a-windows-10-uac-bypass-to-evade-detection/}, language = {English}, urldate = {2020-01-20} } TrickBot Now Uses a Windows 10 UAC Bypass to Evade Detection
TrickBot
2020-01-13Github (Tera0017)Tera0017
@online{tera0017:20200113:tafof:d939bc6, author = {Tera0017}, title = {{TAFOF Unpacker}}, date = {2020-01-13}, organization = {Github (Tera0017)}, url = {https://github.com/Tera0017/TAFOF-Unpacker}, language = {English}, urldate = {2020-03-30} } TAFOF Unpacker
Clop Get2 Silence
2020-01-10CSISCSIS
@techreport{csis:20200110:threat:7454f36, author = {CSIS}, title = {{Threat Matrix H1 2019}}, date = {2020-01-10}, institution = {CSIS}, url = {https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf}, language = {English}, urldate = {2020-01-22} } Threat Matrix H1 2019
Gustuff magecart Emotet Gandcrab Ramnit TrickBot
2020-01-09SentinelOneVitali Kremez, Joshua Platt, Jason Reaves
@online{kremez:20200109:toptier:4f8de90, author = {Vitali Kremez and Joshua Platt and Jason Reaves}, title = {{Top-Tier Russian Organized Cybercrime Group Unveils Fileless Stealthy “PowerTrick” Backdoor for High-Value Targets}}, date = {2020-01-09}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/}, language = {English}, urldate = {2020-01-13} } Top-Tier Russian Organized Cybercrime Group Unveils Fileless Stealthy “PowerTrick” Backdoor for High-Value Targets
TrickBot WIZARD SPIDER
2020-01-07Github (albertzsigovits)Albert Zsigovits
@online{zsigovits:20200107:clop:3e7202e, author = {Albert Zsigovits}, title = {{Clop ransomware Notes}}, date = {2020-01-07}, organization = {Github (albertzsigovits)}, url = {https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Clop.md}, language = {English}, urldate = {2020-02-01} } Clop ransomware Notes
Clop
2020-01-07Github (albertzsigovits)Albert Zsigovits
@online{zsigovits:20200107:clop:07d2a90, author = {Albert Zsigovits}, title = {{Clop ransomware Notes}}, date = {2020-01-07}, organization = {Github (albertzsigovits)}, url = {https://github.com/albertzsigovits/malware-notes/blob/master/Clop.md}, language = {English}, urldate = {2020-01-09} } Clop ransomware Notes
Clop
2020SecureworksSecureWorks
@online{secureworks:2020:gold:0d8c853, author = {SecureWorks}, title = {{GOLD DRAKE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-drake}, language = {English}, urldate = {2020-05-23} } GOLD DRAKE
Dridex Empire Downloader FriedEx Koadic MimiKatz
2020SecureworksSecureWorks
@online{secureworks:2020:gold:97e5784, author = {SecureWorks}, title = {{GOLD NIAGARA}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-niagara}, language = {English}, urldate = {2020-05-23} } GOLD NIAGARA
Bateleur Griffon Carbanak Cobalt Strike DRIFTPIN TinyMet Anunak
2020SecureworksSecureWorks
@online{secureworks:2020:gold:b12ae49, author = {SecureWorks}, title = {{GOLD HERON}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-heron}, language = {English}, urldate = {2020-05-23} } GOLD HERON
DoppelPaymer Dridex Empire Downloader
2020SecureworksSecureWorks
@online{secureworks:2020:gold:d8faa3e, author = {SecureWorks}, title = {{GOLD ULRICK}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-ulrick}, language = {English}, urldate = {2020-05-23} } GOLD ULRICK
Empire Downloader Ryuk TrickBot WIZARD SPIDER
2020SecureworksSecureWorks
@online{secureworks:2020:gold:f38f910, author = {SecureWorks}, title = {{GOLD TAHOE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-tahoe}, language = {English}, urldate = {2020-05-23} } GOLD TAHOE
Clop FlawedAmmyy FlawedGrace Get2 SDBbot ServHelper TA505
2020SecureworksSecureWorks
@online{secureworks:2020:gold:65fcc96, author = {SecureWorks}, title = {{GOLD SWATHMORE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-swathmore}, language = {English}, urldate = {2020-05-23} } GOLD SWATHMORE
GlobeImposter Gozi IcedID TrickBot Lunar Spider
2020SecureworksSecureWorks
@online{secureworks:2020:gold:21c4d39, author = {SecureWorks}, title = {{GOLD BLACKBURN}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-blackburn}, language = {English}, urldate = {2020-05-23} } GOLD BLACKBURN
Dyre TrickBot
2019-12-20Binary DefenseJames Quinn
@online{quinn:20191220:updated:2408ee7, author = {James Quinn}, title = {{An Updated ServHelper Tunnel Variant}}, date = {2019-12-20}, organization = {Binary Defense}, url = {https://www.binarydefense.com/an-updated-servhelper-tunnel-variant/}, language = {English}, urldate = {2020-01-13} } An Updated ServHelper Tunnel Variant
ServHelper
2019-12-17BluelivAdrián Ruiz, Jose Miguel Esparza, Blueliv Labs Team
@online{ruiz:20191217:ta505:1c1204e, author = {Adrián Ruiz and Jose Miguel Esparza and Blueliv Labs Team}, title = {{TA505 evolves ServHelper, uses Predator The Thief and Team Viewer Hijacking}}, date = {2019-12-17}, organization = {Blueliv}, url = {https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/servhelper-evolution-and-new-ta505-campaigns/}, language = {English}, urldate = {2020-01-09} } TA505 evolves ServHelper, uses Predator The Thief and Team Viewer Hijacking
ServHelper TA505
2019-12-12FireEyeChi-en Shen, Oleg Bondarenko
@online{shen:20191212:cyber:e01baca, author = {Chi-en Shen and Oleg Bondarenko}, title = {{Cyber Threat Landscape in Japan – Revealing Threat in the Shadow}}, date = {2019-12-12}, organization = {FireEye}, url = {https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko}, language = {English}, urldate = {2020-04-16} } Cyber Threat Landscape in Japan – Revealing Threat in the Shadow
Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech
2019-12-09Palo Alto Networks Unit 42Bryan Lee, Brittany Ash, Mike Harbison
@online{lee:20191209:trickbot:48d9da3, author = {Bryan Lee and Brittany Ash and Mike Harbison}, title = {{TrickBot Campaign Uses Fake Payroll Emails to Conduct Phishing Attacks}}, date = {2019-12-09}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/trickbot-campaign-uses-fake-payroll-emails-to-conduct-phishing-attacks/}, language = {English}, urldate = {2020-01-22} } TrickBot Campaign Uses Fake Payroll Emails to Conduct Phishing Attacks
TrickBot
2019-11-24Jacob Pimental
@online{pimental:20191124:ta505:fb32d29, author = {Jacob Pimental}, title = {{TA505 Get2 Analysis}}, date = {2019-11-24}, url = {https://www.goggleheadedhacker.com/blog/post/13}, language = {English}, urldate = {2019-12-17} } TA505 Get2 Analysis
Get2
2019-11-22CERT-FRCERT-FR
@online{certfr:20191122:rapport:c457ee8, author = {CERT-FR}, title = {{RAPPORT MENACES ET INCIDENTS DU CERT-FR}}, date = {2019-11-22}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/cti/CERTFR-2019-CTI-009/}, language = {French}, urldate = {2020-01-07} } RAPPORT MENACES ET INCIDENTS DU CERT-FR
Clop
2019-11-22Palo Alto Networks Unit 42Brad Duncan
@online{duncan:20191122:trickbot:e14933b, author = {Brad Duncan}, title = {{Trickbot Updates Password Grabber Module}}, date = {2019-11-22}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/trickbot-updates-password-grabber-module/}, language = {English}, urldate = {2020-01-22} } Trickbot Updates Password Grabber Module
TrickBot
2019-11-19ACTURédaction Normandie
@online{normandie:20191119:une:d09ec98, author = {Rédaction Normandie}, title = {{Une rançon après la cyberattaque au CHU de Rouen ? Ce que réclament les pirates}}, date = {2019-11-19}, organization = {ACTU}, url = {https://actu.fr/normandie/rouen_76540/une-rancon-apres-cyberattaque-chu-rouen-ce-reclament-pirates_29475649.html}, language = {French}, urldate = {2019-12-05} } Une rançon après la cyberattaque au CHU de Rouen ? Ce que réclament les pirates
Clop
2019-11-13CrowdStrikeJen Ayers, Jason Rivera
@techreport{ayers:20191113:through:70cc3b3, author = {Jen Ayers and Jason Rivera}, title = {{Through the Eyes of the Adversary}}, date = {2019-11-13}, institution = {CrowdStrike}, url = {https://na.eventscloud.com/file_uploads/6568237bca6dc156e5c5557c5989e97c_CrowdStrikeFal.Con2019_ThroughEyesOfAdversary_J.Ayers.pdf}, language = {English}, urldate = {2020-03-22} } Through the Eyes of the Adversary
TrickBot CLOCKWORD SPIDER
2019-11-08Palo Alto Networks Unit 42Brad Duncan
@online{duncan:20191108:wireshark:f37b983, author = {Brad Duncan}, title = {{Wireshark Tutorial: Examining Trickbot Infections}}, date = {2019-11-08}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-trickbot-infections/}, language = {English}, urldate = {2020-01-06} } Wireshark Tutorial: Examining Trickbot Infections
TrickBot
2019-11-06Heise SecurityThomas Hungenberg
@online{hungenberg:20191106:emotet:1605954, author = {Thomas Hungenberg}, title = {{Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail}}, date = {2019-11-06}, organization = {Heise Security}, url = {https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html}, language = {German}, urldate = {2020-01-06} } Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail
Emotet Ryuk TrickBot
2019-10-29SneakyMonkey BlogSneakyMonkey
@online{sneakymonkey:20191029:trickbot:bd7249c, author = {SneakyMonkey}, title = {{TRICKBOT - Analysis Part II}}, date = {2019-10-29}, organization = {SneakyMonkey Blog}, url = {https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/}, language = {English}, urldate = {2019-12-17} } TRICKBOT - Analysis Part II
TrickBot
2019-10-24Sentinel LABSVitali Kremez
@online{kremez:20191024:how:e6d838d, author = {Vitali Kremez}, title = {{How TrickBot Malware Hooking Engine Targets Windows 10 Browsers}}, date = {2019-10-24}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/how-trickbot-hooking-engine-targets-windows-10-browsers/}, language = {English}, urldate = {2020-07-03} } How TrickBot Malware Hooking Engine Targets Windows 10 Browsers
TrickBot
2019-10-16ProofpointProofpoint
@online{proofpoint:20191016:ta505:9bca8d0, author = {Proofpoint}, title = {{TA505 Timeline}}, date = {2019-10-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/sites/default/files/ta505_timeline_final4_0.png}, language = {English}, urldate = {2020-01-08} } TA505 Timeline
TA505
2019-10-16ProofpointDennis Schwarz, Kafeine, Matthew Mesa, Axel F, Proofpoint Threat Insight Team
@online{schwarz:20191016:ta505:9d7155a, author = {Dennis Schwarz and Kafeine and Matthew Mesa and Axel F and Proofpoint Threat Insight Team}, title = {{TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader}}, date = {2019-10-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader}, language = {English}, urldate = {2020-01-10} } TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader
Get2 SDBbot TA505
2019-10-10AhnLabASEC
@techreport{asec:20191010:asec:6452cd4, author = {ASEC}, title = {{ASEC Report Vol. 96}}, date = {2019-10-10}, institution = {AhnLab}, url = {https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.96_ENG.pdf}, language = {English}, urldate = {2020-01-13} } ASEC Report Vol. 96
SDBbot
2019-10-10Github (StrangerealIntel)StrangerealIntel
@online{strangerealintel:20191010:analysis:45d6c09, author = {StrangerealIntel}, title = {{Analysis of the new TA505 campaign}}, date = {2019-10-10}, organization = {Github (StrangerealIntel)}, url = {https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/cybercriminal%20groups/TA505/04-10-2019/Malware%20Analysis%2004-10-2019.md}, language = {English}, urldate = {2020-01-13} } Analysis of the new TA505 campaign
Get2
2019-09-25GovCERT.chGovCERT.ch
@online{govcertch:20190925:trickbot:8346dd7, author = {GovCERT.ch}, title = {{Trickbot - An analysis of data collected from the botnet}}, date = {2019-09-25}, organization = {GovCERT.ch}, url = {https://www.govcert.ch/blog/37/trickbot-an-analysis-of-data-collected-from-the-botnet}, language = {English}, urldate = {2020-01-08} } Trickbot - An analysis of data collected from the botnet
TrickBot
2019-09-09McAfeeThomas Roccia, Marc Rivero López, Chintan Shah
@online{roccia:20190909:evolution:baf3b6c, author = {Thomas Roccia and Marc Rivero López and Chintan Shah}, title = {{Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study}}, date = {2019-09-09}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/}, language = {English}, urldate = {2020-01-10} } Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study
Cutwail Dridex Dyre Kovter Locky Phorpiex Simda
2019-08-29ThreatReconThreatRecon Team
@online{team:20190829:sectorj04:ce6cc4b, author = {ThreatRecon Team}, title = {{SectorJ04 Group’s Increased Activity in 2019}}, date = {2019-08-29}, organization = {ThreatRecon}, url = {https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/}, language = {English}, urldate = {2019-10-13} } SectorJ04 Group’s Increased Activity in 2019
FlawedAmmyy ServHelper TA505
2019-08-27Trend MicroHara Hiroaki, Jaromír Hořejší, Loseway Lu
@online{hiroaki:20190827:ta505:9bcbff1, author = {Hara Hiroaki and Jaromír Hořejší and Loseway Lu}, title = {{TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy}}, date = {2019-08-27}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/}, language = {English}, urldate = {2019-11-27} } TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy
FlawedAmmyy ServHelper
2019-08-27SecureworksCTU Research Team
@online{team:20190827:trickbot:fa5f95b, author = {CTU Research Team}, title = {{TrickBot Modifications Target U.S. Mobile Users}}, date = {2019-08-27}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/trickbot-modifications-target-us-mobile-users}, language = {English}, urldate = {2020-01-09} } TrickBot Modifications Target U.S. Mobile Users
TrickBot
2019-08-26InQuestJosiah Smith
@online{smith:20190826:memory:c4cea9b, author = {Josiah Smith}, title = {{Memory Analysis of TrickBot}}, date = {2019-08-26}, organization = {InQuest}, url = {https://inquest.net/blog/2019/08/26/TrickBot-Memory-Analysis}, language = {English}, urldate = {2020-01-10} } Memory Analysis of TrickBot
TrickBot
2019-08-20Github (SherifEldeeb)Sherif Eldeeb
@online{eldeeb:20190820:source:66124bb, author = {Sherif Eldeeb}, title = {{Source code: TinyMet}}, date = {2019-08-20}, organization = {Github (SherifEldeeb)}, url = {https://github.com/SherifEldeeb/TinyMet}, language = {English}, urldate = {2020-02-13} } Source code: TinyMet
TinyMet
2019-08-13AdalogicsDavid Korczynski
@online{korczynski:20190813:state:a4ad074, author = {David Korczynski}, title = {{The state of advanced code injections}}, date = {2019-08-13}, organization = {Adalogics}, url = {https://adalogics.com/blog/the-state-of-advanced-code-injections}, language = {English}, urldate = {2020-01-13} } The state of advanced code injections
Dridex Emotet Tinba
2019-08-05Trend MicroNoel Anthony Llimos, Michael Jhon Ofiaza
@online{llimos:20190805:latest:62ba94b, author = {Noel Anthony Llimos and Michael Jhon Ofiaza}, title = {{Latest Trickbot Campaign Delivered via Highly Obfuscated JS File}}, date = {2019-08-05}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/}, language = {English}, urldate = {2020-01-23} } Latest Trickbot Campaign Delivered via Highly Obfuscated JS File
ostap TrickBot
2019-08-01McAfeeAlexandre Mundo, Marc Rivero López
@online{mundo:20190801:clop:fa3429f, author = {Alexandre Mundo and Marc Rivero López}, title = {{Clop Ransomware}}, date = {2019-08-01}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/clop-ransomware/}, language = {English}, urldate = {2020-01-06} } Clop Ransomware
Clop
2019-07-30Dissecting MalwareMarius Genheimer
@online{genheimer:20190730:picking:cea78ea, author = {Marius Genheimer}, title = {{Picking Locky}}, date = {2019-07-30}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/picking-locky.html}, language = {English}, urldate = {2020-03-27} } Picking Locky
Locky
2019-07-12CrowdStrikeBrett Stone-Gross, Sergei Frankoff, Bex Hartley
@online{stonegross:20190712:bitpaymer:113a037, author = {Brett Stone-Gross and Sergei Frankoff and Bex Hartley}, title = {{BitPaymer Source Code Fork: Meet DoppelPaymer Ransomware and Dridex 2.0}}, date = {2019-07-12}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/}, language = {English}, urldate = {2020-04-25} } BitPaymer Source Code Fork: Meet DoppelPaymer Ransomware and Dridex 2.0
DoppelPaymer Dridex FriedEx
2019-07-11NTT SecurityNTT Security
@online{security:20190711:targeted:a48e692, author = {NTT Security}, title = {{Targeted TrickBot activity drops 'PowerBrace' backdoor}}, date = {2019-07-11}, organization = {NTT Security}, url = {https://technical.nttsecurity.com/post/102fnog/targeted-trickbot-activity-drops-powerbrace-backdoor}, language = {English}, urldate = {2019-12-18} } Targeted TrickBot activity drops 'PowerBrace' backdoor
PowerBrace TrickBot
2019-07-04Trend MicroTrend Micro
@techreport{micro:20190704:latest:dd6099a, author = {Trend Micro}, title = {{Latest Spam Campaigns from TA505 Now Using New Malware Tools Gelup and FlowerPippi}}, date = {2019-07-04}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/Tech-Brief-Latest-Spam-Campaigns-from-TA505-Now-Using-New-Malware-Tools-Gelup-and-FlowerPippi.pdf}, language = {English}, urldate = {2020-01-13} } Latest Spam Campaigns from TA505 Now Using New Malware Tools Gelup and FlowerPippi
AndroMut
2019-07-02ProofpointMatthew Mesa, Dennis Schwarz, Proofpoint Threat Insight Team
@online{mesa:20190702:ta505:7f99961, author = {Matthew Mesa and Dennis Schwarz and Proofpoint Threat Insight Team}, title = {{TA505 begins summer campaigns with a new pet malware downloader, AndroMut, in the UAE, South Korea, Singapore, and the United States}}, date = {2019-07-02}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south}, language = {English}, urldate = {2019-11-26} } TA505 begins summer campaigns with a new pet malware downloader, AndroMut, in the UAE, South Korea, Singapore, and the United States
AndroMut FlawedAmmyy
2019-06-04SlideShareVitali Kremez
@online{kremez:20190604:inside:d633c6f, author = {Vitali Kremez}, title = {{Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vitali Kremez}}, date = {2019-06-04}, organization = {SlideShare}, url = {https://www.slideshare.net/proidea_conferences/inside-cybercrime-groups-harvesting-active-directory-for-fun-and-profit-vitali-kremez}, language = {English}, urldate = {2020-01-13} } Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vitali Kremez
TrickBot
2019-05-31Youtube (0verfl0w_)0verfl0w_
@online{0verfl0w:20190531:defeating:eb0994e, author = {0verfl0w_}, title = {{Defeating Commercial and Custom Packers like a Pro - VMProtect, ASPack, PECompact, and more}}, date = {2019-05-31}, organization = {Youtube (0verfl0w_)}, url = {https://www.youtube.com/watch?v=N4f2e8Mygag}, language = {English}, urldate = {2020-01-08} } Defeating Commercial and Custom Packers like a Pro - VMProtect, ASPack, PECompact, and more
FlawedAmmyy Ramnit
2019-05-29YoroiZLAB-Yoroi
@online{zlabyoroi:20190529:ta505:07b59dd, author = {ZLAB-Yoroi}, title = {{TA505 is Expanding its Operations}}, date = {2019-05-29}, organization = {Yoroi}, url = {https://blog.yoroi.company/research/ta505-is-expanding-its-operations/}, language = {English}, urldate = {2020-01-13} } TA505 is Expanding its Operations
RMS
2019-05-28MITREMITRE
@online{mitre:20190528:flawedammyy:c4f6363, author = {MITRE}, title = {{FlawedAmmyy}}, date = {2019-05-28}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0381/}, language = {English}, urldate = {2020-01-13} } FlawedAmmyy
FlawedAmmyy
2019-05-22sneakymonk3y (Mark)
@online{mark:20190522:trickbot:277256b, author = {sneakymonk3y (Mark)}, title = {{TRICKBOT - Analysis}}, date = {2019-05-22}, url = {https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/}, language = {English}, urldate = {2020-01-06} } TRICKBOT - Analysis
TrickBot
2019-05-16YoroiLuigi Martire, Davide Testa, Antonio Pirozzi, Luca Mella
@online{martire:20190516:stealthy:930aa98, author = {Luigi Martire and Davide Testa and Antonio Pirozzi and Luca Mella}, title = {{The Stealthy Email Stealer in the TA505 Arsenal}}, date = {2019-05-16}, organization = {Yoroi}, url = {https://blog.yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/}, language = {English}, urldate = {2019-10-14} } The Stealthy Email Stealer in the TA505 Arsenal
TA505
2019-05-14GovCERT.chGovCERT.ch
@online{govcertch:20190514:rise:8fd8ef4, author = {GovCERT.ch}, title = {{The Rise of Dridex and the Role of ESPs}}, date = {2019-05-14}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/28/the-rise-of-dridex-and-the-role-of-esps}, language = {English}, urldate = {2020-01-09} } The Rise of Dridex and the Role of ESPs
Dridex
2019-05-09GovCERT.chGovCERT.ch
@online{govcertch:20190509:severe:2767782, author = {GovCERT.ch}, title = {{Severe Ransomware Attacks Against Swiss SMEs}}, date = {2019-05-09}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes}, language = {English}, urldate = {2019-07-11} } Severe Ransomware Attacks Against Swiss SMEs
Emotet LockerGoga Ryuk TrickBot
2019-05-02CERT.PLMichał Praszmo
@online{praszmo:20190502:detricking:43a7dc1, author = {Michał Praszmo}, title = {{Detricking TrickBot Loader}}, date = {2019-05-02}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/detricking-trickbot-loader/}, language = {English}, urldate = {2020-01-08} } Detricking TrickBot Loader
TrickBot
2019-04-25CybereasonCybereason Nocturnus
@online{nocturnus:20190425:threat:63e7d51, author = {Cybereason Nocturnus}, title = {{Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware}}, date = {2019-04-25}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware}, language = {English}, urldate = {2020-01-08} } Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware
ServHelper TA505
2019-04-22SANSMike Downey
@online{downey:20190422:unpacking:2cb6558, author = {Mike Downey}, title = {{Unpacking & Decrypting FlawedAmmyy}}, date = {2019-04-22}, organization = {SANS}, url = {https://www.sans.org/reading-room/whitepapers/reverseengineeringmalware/unpacking-decrypting-flawedammyy-38930}, language = {English}, urldate = {2020-01-09} } Unpacking & Decrypting FlawedAmmyy
FlawedAmmyy
2019-04-05Medium vishal_thakurVishal Thakur
@online{thakur:20190405:trickbot:d1c4891, author = {Vishal Thakur}, title = {{Trickbot — a concise treatise}}, date = {2019-04-05}, organization = {Medium vishal_thakur}, url = {https://medium.com/@vishal_29486/trickbot-a-concise-treatise-d7e4cc97f737}, language = {English}, urldate = {2020-01-13} } Trickbot — a concise treatise
TrickBot
2019-04-02DeepInstinctShaul Vilkomir-Preisman
@online{vilkomirpreisman:20190402:new:4dbdc56, author = {Shaul Vilkomir-Preisman}, title = {{New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload}}, date = {2019-04-02}, organization = {DeepInstinct}, url = {https://www.deepinstinct.com/2019/04/02/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload/}, language = {English}, urldate = {2019-07-11} } New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload
ServHelper
2019-04-02CybereasonNoa Pinkas, Lior Rochberger, Matan Zatz
@online{pinkas:20190402:triple:10a3e37, author = {Noa Pinkas and Lior Rochberger and Matan Zatz}, title = {{Triple Threat: Emotet Deploys Trickbot to Steal Data & Spread Ryuk}}, date = {2019-04-02}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware}, language = {English}, urldate = {2020-01-09} } Triple Threat: Emotet Deploys Trickbot to Steal Data & Spread Ryuk
Ryuk TrickBot
2019-03-20FlashpointJoshua Platt, Jason Reaves
@online{platt:20190320:fin7:bac265f, author = {Joshua Platt and Jason Reaves}, title = {{FIN7 Revisited: Inside Astra Panel and SQLRat Malware}}, date = {2019-03-20}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/fin7-revisited:-inside-astra-panel-and-sqlrat-malware/}, language = {English}, urldate = {2019-12-18} } FIN7 Revisited: Inside Astra Panel and SQLRat Malware
DNSRat TinyMet
2019-03-05Bleeping ComputerLawrence Abrams
@online{abrams:20190305:cryptomix:33e7eac, author = {Lawrence Abrams}, title = {{CryptoMix Clop Ransomware Says It's Targeting Networks, Not Computers}}, date = {2019-03-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/cryptomix-clop-ransomware-says-its-targeting-networks-not-computers/}, language = {English}, urldate = {2020-01-13} } CryptoMix Clop Ransomware Says It's Targeting Networks, Not Computers
Clop
2019-03-05PepperMalware BlogPepper Potts
@online{potts:20190305:quick:773aabc, author = {Pepper Potts}, title = {{Quick Analysis of a Trickbot Sample with NSA's Ghidra SRE Framework}}, date = {2019-03-05}, organization = {PepperMalware Blog}, url = {http://www.peppermalware.com/2019/03/quick-analysis-of-trickbot-sample-with.html}, language = {English}, urldate = {2019-12-19} } Quick Analysis of a Trickbot Sample with NSA's Ghidra SRE Framework
TrickBot
2019-02-15CrowdStrikeBrendon Feeley, Bex Hartley
@online{feeley:20190215:sinful:729f693, author = {Brendon Feeley and Bex Hartley}, title = {{“Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web}}, date = {2019-02-15}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/}, language = {English}, urldate = {2019-12-20} } “Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web
Dyre IcedID TrickBot Vawtrak Lunar Spider WIZARD SPIDER
2019-02-12Trend MicroTrend Micro
@online{micro:20190212:trickbot:73576ba, author = {Trend Micro}, title = {{Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire}}, date = {2019-02-12}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/}, language = {English}, urldate = {2020-01-12} } Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire
TrickBot
2019-02-02Medium SebdravenSébastien Larinier
@online{larinier:20190202:unpacking:894335d, author = {Sébastien Larinier}, title = {{Unpacking Clop}}, date = {2019-02-02}, organization = {Medium Sebdraven}, url = {https://medium.com/@Sebdraven/unpacking-clop-416b83718e0f}, language = {English}, urldate = {2020-01-06} } Unpacking Clop
Clop
2019-01-24奇安信威胁情报中心事件追踪
@online{:20190124:excel:2dd401c, author = {事件追踪}, title = {{Excel 4.0 Macro Utilized by TA505 to Target Financial Institutions Recently}}, date = {2019-01-24}, organization = {奇安信威胁情报中心}, url = {https://ti.360.net/blog/articles/excel-4.0-macro-utilized-by-ta505-to-target-financial-institutions-recently-en/}, language = {English}, urldate = {2019-12-02} } Excel 4.0 Macro Utilized by TA505 to Target Financial Institutions Recently
ServHelper
2019-01-14Möbius Strip Reverse EngineeringRolf Rolles
@online{rolles:20190114:quick:42a2552, author = {Rolf Rolles}, title = {{A Quick Solution to an Ugly Reverse Engineering Problem}}, date = {2019-01-14}, organization = {Möbius Strip Reverse Engineering}, url = {https://www.msreverseengineering.com/blog/2019/1/14/a-quick-solution-to-an-ugly-reverse-engineering-problem}, language = {English}, urldate = {2020-01-13} } A Quick Solution to an Ugly Reverse Engineering Problem
FlawedGrace
2019-01-11FireEyeKimberly Goody, Jeremy Kennelly, Jaideep Natu, Christopher Glyer
@online{goody:20190111:nasty:3c872d4, author = {Kimberly Goody and Jeremy Kennelly and Jaideep Natu and Christopher Glyer}, title = {{A Nasty Trick: From Credential Theft Malware to Business Disruption}}, date = {2019-01-11}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html}, language = {English}, urldate = {2019-12-20} } A Nasty Trick: From Credential Theft Malware to Business Disruption
Ryuk TrickBot GRIM SPIDER WIZARD SPIDER
2019-01-11ThreatpostTara Seals
@online{seals:20190111:ta505:48e9745, author = {Tara Seals}, title = {{TA505 Crime Gang Debuts Brand-New ServHelper Backdoor}}, date = {2019-01-11}, organization = {Threatpost}, url = {https://threatpost.com/ta505-servhelper-malware/140792/}, language = {English}, urldate = {2020-01-08} } TA505 Crime Gang Debuts Brand-New ServHelper Backdoor
TA505
2019-01-10Bleeping ComputerIonut Ilascu
@online{ilascu:20190110:ta505:12f4881, author = {Ionut Ilascu}, title = {{TA505 Group Adopts New ServHelper Backdoor and FlawedGrace RAT}}, date = {2019-01-10}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ta505-group-adopts-new-servhelper-backdoor-and-flawedgrace-rat/}, language = {English}, urldate = {2019-12-20} } TA505 Group Adopts New ServHelper Backdoor and FlawedGrace RAT
TA505
2019-01-09ProofpointDennis Schwarz, Proofpoint Staff
@online{schwarz:20190109:servhelper:e20586c, author = {Dennis Schwarz and Proofpoint Staff}, title = {{ServHelper and FlawedGrace - New malware introduced by TA505}}, date = {2019-01-09}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505}, language = {English}, urldate = {2019-12-20} } ServHelper and FlawedGrace - New malware introduced by TA505
FlawedGrace ServHelper
2019CyberIntCyberInt
@techreport{cyberint:2019:legit:9925ea3, author = {CyberInt}, title = {{Legit Remote Admin Tools Turn into Threat Actors' Tools}}, date = {2019}, institution = {CyberInt}, url = {https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf}, language = {English}, urldate = {2019-12-19} } Legit Remote Admin Tools Turn into Threat Actors' Tools
RMS ServHelper TA505
2018-12-18Trend MicroTrendmicro
@online{trendmicro:20181218:ursnif:cc5ce31, author = {Trendmicro}, title = {{URSNIF, EMOTET, DRIDEX and BitPaymer Gangs Linked by a Similar Loader}}, date = {2018-12-18}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/}, language = {English}, urldate = {2020-01-07} } URSNIF, EMOTET, DRIDEX and BitPaymer Gangs Linked by a Similar Loader
Dridex Emotet FriedEx ISFB
2018-12-12SecureDataWicus Ross
@online{ross:20181212:trickbot:7a0e2a6, author = {Wicus Ross}, title = {{The TrickBot and MikroTik connection}}, date = {2018-12-12}, organization = {SecureData}, url = {https://www.infosecurity-magazine.com/blogs/trickbot-mikrotik-connection/}, language = {English}, urldate = {2020-05-18} } The TrickBot and MikroTik connection
TrickBot
2018-12-05VIPREVIPRE Labs
@online{labs:20181205:trickbots:b45d588, author = {VIPRE Labs}, title = {{Trickbot’s Tricks}}, date = {2018-12-05}, organization = {VIPRE}, url = {https://labs.vipre.com/trickbots-tricks/}, language = {English}, urldate = {2020-01-09} } Trickbot’s Tricks
TrickBot
2018-11-12Malwarebyteshasherezade
@online{hasherezade:20181112:whats:e44d5f3, author = {hasherezade}, title = {{What’s new in TrickBot? Deobfuscating elements}}, date = {2018-11-12}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/malware-threat-analysis/2018/11/whats-new-trickbot-deobfuscating-elements/}, language = {English}, urldate = {2019-12-20} } What’s new in TrickBot? Deobfuscating elements
TrickBot
2018-11-08FortinetXiaopeng Zhang
@online{zhang:20181108:deep:fca360c, author = {Xiaopeng Zhang}, title = {{Deep Analysis of TrickBot New Module pwgrab}}, date = {2018-11-08}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/deep-analysis-of-trickbot-new-module-pwgrab.html}, language = {English}, urldate = {2019-11-17} } Deep Analysis of TrickBot New Module pwgrab
TrickBot
2018-11-01Trend MicroNoel Anthony Llimos, Carl Maverick Pascual
@online{llimos:20181101:trickbot:7d0ea94, author = {Noel Anthony Llimos and Carl Maverick Pascual}, title = {{Trickbot Shows Off New Trick: Password Grabber Module}}, date = {2018-11-01}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module}, language = {English}, urldate = {2020-01-06} } Trickbot Shows Off New Trick: Password Grabber Module
TrickBot
2018-08-14CyberbitHod Gavriel
@online{gavriel:20180814:latest:7df6364, author = {Hod Gavriel}, title = {{Latest Trickbot Variant has New Tricks Up Its Sleeve}}, date = {2018-08-14}, organization = {Cyberbit}, url = {https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/}, language = {English}, urldate = {2019-11-26} } Latest Trickbot Variant has New Tricks Up Its Sleeve
TrickBot
2018-07-19ProofpointProofpoint Staff
@online{staff:20180719:ta505:3c29d5a, author = {Proofpoint Staff}, title = {{TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT}}, date = {2018-07-19}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat}, language = {English}, urldate = {2019-12-20} } TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT
FlawedAmmyy
2018-07-03Talos IntelligenceBen Baker, Holger Unterbrink
@online{baker:20180703:smoking:067be1f, author = {Ben Baker and Holger Unterbrink}, title = {{Smoking Guns - Smoke Loader learned new tricks}}, date = {2018-07-03}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html}, language = {English}, urldate = {2019-10-14} } Smoking Guns - Smoke Loader learned new tricks
SmokeLoader TrickBot
2018-06-28Secrary BlogLasha Khasaia
@online{khasaia:20180628:brief:d854824, author = {Lasha Khasaia}, title = {{A Brief Overview of the AMMYY RAT Downloader}}, date = {2018-06-28}, organization = {Secrary Blog}, url = {https://secrary.com/ReversingMalware/AMMY_RAT_Downloader/}, language = {English}, urldate = {2020-01-13} } A Brief Overview of the AMMYY RAT Downloader
FlawedAmmyy
2018-06-20OALabs
@online{oalabs:20180620:unpacking:e4d59a4, author = {OALabs}, title = {{Unpacking and Extracting TrickBot Malware Configuration With x64dbg and Python}}, date = {2018-06-20}, url = {https://www.youtube.com/watch?v=EdchPEHnohw}, language = {English}, urldate = {2019-12-24} } Unpacking and Extracting TrickBot Malware Configuration With x64dbg and Python
TrickBot
2018-06-13Github (JR0driguezB)Jorge Rodriguez
@online{rodriguez:20180613:trickbot:e004ae8, author = {Jorge Rodriguez}, title = {{TrickBot config files}}, date = {2018-06-13}, organization = {Github (JR0driguezB)}, url = {https://github.com/JR0driguezB/malware_configs/tree/master/TrickBot}, language = {English}, urldate = {2019-07-11} } TrickBot config files
TrickBot
2018-04-16Random REsysopfb
@online{sysopfb:20180416:trickbot:5305f46, author = {sysopfb}, title = {{TrickBot & UACME}}, date = {2018-04-16}, organization = {Random RE}, url = {https://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html}, language = {English}, urldate = {2020-01-09} } TrickBot & UACME
TrickBot
2018-04-03Vitali Kremez BlogVitali Kremez
@online{kremez:20180403:lets:b45dd50, author = {Vitali Kremez}, title = {{Let's Learn: Trickbot Implements Network Collector Module Leveraging CMD, WMI & LDAP}}, date = {2018-04-03}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2018/04/lets-learn-trickbot-implements-network.html}, language = {English}, urldate = {2019-07-27} } Let's Learn: Trickbot Implements Network Collector Module Leveraging CMD, WMI & LDAP
TrickBot
2018-03-31Youtube (hasherezade)hasherezade
@online{hasherezade:20180331:deobfuscating:39c1be0, author = {hasherezade}, title = {{Deobfuscating TrickBot's strings with libPeConv}}, date = {2018-03-31}, organization = {Youtube (hasherezade)}, url = {https://www.youtube.com/watch?v=KMcSAlS9zGE}, language = {English}, urldate = {2020-01-13} } Deobfuscating TrickBot's strings with libPeConv
TrickBot
2018-03-27Trend MicroTrendmicro
@online{trendmicro:20180327:evolving:faa2e54, author = {Trendmicro}, title = {{Evolving Trickbot Adds Detection Evasion and Screen-Locking Features}}, date = {2018-03-27}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/evolving-trickbot-adds-detection-evasion-and-screen-locking-features}, language = {English}, urldate = {2020-01-07} } Evolving Trickbot Adds Detection Evasion and Screen-Locking Features
TrickBot
2018-03-21WebrootJason Davison
@online{davison:20180321:trickbot:1f0576e, author = {Jason Davison}, title = {{TrickBot Banking Trojan Adapts with New Module}}, date = {2018-03-21}, organization = {Webroot}, url = {https://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/}, language = {English}, urldate = {2020-01-13} } TrickBot Banking Trojan Adapts with New Module
TrickBot
2018-03-20StormshieldMehdi Talbi
@online{talbi:20180320:deobfuscating:7ac7605, author = {Mehdi Talbi}, title = {{De-obfuscating Jump Chains with Binary Ninja}}, date = {2018-03-20}, organization = {Stormshield}, url = {https://thisissecurity.stormshield.com/2018/03/20/de-obfuscating-jump-chains-with-binary-ninja/}, language = {English}, urldate = {2020-03-16} } De-obfuscating Jump Chains with Binary Ninja
Locky
2018-03-07ProofpointProofpoint Staff
@online{staff:20180307:leaked:5e33f64, author = {Proofpoint Staff}, title = {{Leaked Ammyy Admin Source Code Turned into Malware}}, date = {2018-03-07}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat}, language = {English}, urldate = {2019-12-20} } Leaked Ammyy Admin Source Code Turned into Malware
FlawedAmmyy QuantLoader
2018-02-15SecurityIntelligenceOphir Harpaz, Magal Baz, Limor Kessem
@online{harpaz:20180215:trickbots:2cf1b53, author = {Ophir Harpaz and Magal Baz and Limor Kessem}, title = {{TrickBot’s Cryptocurrency Hunger: Tricking the Bitcoin Out of Wallets}}, date = {2018-02-15}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/trickbots-cryptocurrency-hunger-tricking-the-bitcoin-out-of-wallets/}, language = {English}, urldate = {2020-01-06} } TrickBot’s Cryptocurrency Hunger: Tricking the Bitcoin Out of Wallets
TrickBot
2018-02-01Malware Traffic AnalysisBrad Duncan
@online{duncan:20180201:quick:320f855, author = {Brad Duncan}, title = {{Quick Test Drive of Trickbot (It now has a Monero Module)}}, date = {2018-02-01}, organization = {Malware Traffic Analysis}, url = {http://www.malware-traffic-analysis.net/2018/02/01/}, language = {English}, urldate = {2019-07-09} } Quick Test Drive of Trickbot (It now has a Monero Module)
TrickBot
2018-01-26ESET ResearchMichal Poslušný
@online{poslun:20180126:friedex:3c3f46b, author = {Michal Poslušný}, title = {{FriedEx: BitPaymer ransomware the work of Dridex authors}}, date = {2018-01-26}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/}, language = {English}, urldate = {2019-11-14} } FriedEx: BitPaymer ransomware the work of Dridex authors
Dridex FriedEx
2017-12-30Youtube (hasherezade)hasherezade
@online{hasherezade:20171230:unpacking:5477bb2, author = {hasherezade}, title = {{Unpacking TrickBot with PE-sieve}}, date = {2017-12-30}, organization = {Youtube (hasherezade)}, url = {https://www.youtube.com/watch?v=lTywPmZEU1A}, language = {English}, urldate = {2020-01-06} } Unpacking TrickBot with PE-sieve
TrickBot
2017-12-19Vitali Kremez BlogVitali Kremez
@online{kremez:20171219:lets:030e09a, author = {Vitali Kremez}, title = {{Let's Learn: Introducing New Trickbot LDAP "DomainGrabber" Module}}, date = {2017-12-19}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html}, language = {English}, urldate = {2019-11-23} } Let's Learn: Introducing New Trickbot LDAP "DomainGrabber" Module
TrickBot
2017-11-22FlashpointVitali Kremez
@online{kremez:20171122:trickbot:faea11e, author = {Vitali Kremez}, title = {{Trickbot Gang Evolves, Incorporates Account Checking Into Hybrid Attack Model}}, date = {2017-11-22}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/trickbot-account-checking-hybrid-attack-model/}, language = {English}, urldate = {2019-12-10} } Trickbot Gang Evolves, Incorporates Account Checking Into Hybrid Attack Model
TrickBot
2017-11-21Vitali Kremez
@online{kremez:20171121:lets:5fb17b0, author = {Vitali Kremez}, title = {{Let's Learn: Trickbot Socks5 Backconnect Module In Detail}}, date = {2017-11-21}, url = {http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html}, language = {English}, urldate = {2019-11-22} } Let's Learn: Trickbot Socks5 Backconnect Module In Detail
TrickBot
2017-11-07ThreatVectorCylance Threat Research Team
@online{team:20171107:locky:a38e9b5, author = {Cylance Threat Research Team}, title = {{Locky Ransomware}}, date = {2017-11-07}, organization = {ThreatVector}, url = {https://www.cylance.com/en_us/blog/threat-spotlight-locky-ransomware.html}, language = {English}, urldate = {2020-01-07} } Locky Ransomware
Locky
2017-10-06BluelivBlueliv
@online{blueliv:20171006:trickbot:a2a9ac8, author = {Blueliv}, title = {{TrickBot banking trojan using EFLAGS as an anti-hook technique}}, date = {2017-10-06}, organization = {Blueliv}, url = {https://www.blueliv.com/research/trickbot-banking-trojan-using-eflags-as-an-anti-hook-technique/}, language = {English}, urldate = {2020-01-08} } TrickBot banking trojan using EFLAGS as an anti-hook technique
TrickBot
2017-09-27ProofpointProofpoint Staff
@online{staff:20170927:threat:272e6ac, author = {Proofpoint Staff}, title = {{Threat Actor Profile: TA505, From Dridex to GlobeImposter}}, date = {2017-09-27}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter}, language = {English}, urldate = {2019-12-20} } Threat Actor Profile: TA505, From Dridex to GlobeImposter
TA505
2017-09-21MalwarebytesJérôme Segura
@online{segura:20170921:fake:5f5963f, author = {Jérôme Segura}, title = {{Fake IRS notice delivers customized spying tool}}, date = {2017-09-21}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/09/cve-2017-0199-used-to-deliver-modified-rms-agent-rat/}, language = {English}, urldate = {2019-12-20} } Fake IRS notice delivers customized spying tool
RMS
2017-08-16Bleeping ComputerLawrence Abrams
@online{abrams:20170816:locky:7445bd0, author = {Lawrence Abrams}, title = {{Locky Ransomware switches to the Lukitus extension for Encrypted Files}}, date = {2017-08-16}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-the-lukitus-extension-for-encrypted-files/}, language = {English}, urldate = {2019-12-20} } Locky Ransomware switches to the Lukitus extension for Encrypted Files
Locky
2017-08-10botfrei BlogTom Berchem
@online{berchem:20170810:weltweite:5df6bfa, author = {Tom Berchem}, title = {{Weltweite Spamwelle verbreitet teuflische Variante des Locky}}, date = {2017-08-10}, organization = {botfrei Blog}, url = {https://blog.botfrei.de/2017/08/weltweite-spamwelle-verbreitet-teufliche-variante-des-locky/}, language = {German}, urldate = {2019-12-10} } Weltweite Spamwelle verbreitet teuflische Variante des Locky
Locky
2017-08-01Panda SecurityPanda Security
@techreport{security:20170801:malware:e92cd36, author = {Panda Security}, title = {{Malware Report: Dridex Version 4}}, date = {2017-08-01}, institution = {Panda Security}, url = {https://www.pandasecurity.com/mediacenter/src/uploads/2017/10/Informe_Dridex_Revisado_FINAL_EN-2.pdf}, language = {English}, urldate = {2020-04-14} } Malware Report: Dridex Version 4
Dridex
2017-08-01MalwarebytesMalwarebytes Labs
@online{labs:20170801:trickbot:222d8bc, author = {Malwarebytes Labs}, title = {{TrickBot comes up with new tricks: attacking Outlook and browsing data}}, date = {2017-08-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/}, language = {English}, urldate = {2019-12-20} } TrickBot comes up with new tricks: attacking Outlook and browsing data
TrickBot
2017-07-27FlashpointFlashpoint
@online{flashpoint:20170727:new:bb5c883, author = {Flashpoint}, title = {{New Version of “Trickbot” Adds Worm Propagation Module}}, date = {2017-07-27}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/}, language = {English}, urldate = {2020-01-13} } New Version of “Trickbot” Adds Worm Propagation Module
TrickBot
2017-07-25Github (viql)Johannes Bader
@online{bader:20170725:dridex:44f64d8, author = {Johannes Bader}, title = {{Dridex Loot}}, date = {2017-07-25}, organization = {Github (viql)}, url = {https://viql.github.io/dridex/}, language = {English}, urldate = {2020-01-07} } Dridex Loot
Dridex
2017-07-18ElasticAshkan Hosseini
@online{hosseini:20170718:ten:af036b3, author = {Ashkan Hosseini}, title = {{Ten process injection techniques: A technical survey of common and trending process injection techniques}}, date = {2017-07-18}, organization = {Elastic}, url = {https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process}, language = {English}, urldate = {2020-07-15} } Ten process injection techniques: A technical survey of common and trending process injection techniques
Cryakl CyberGate Dridex FinFisher RAT Locky
2017-07Ring Zero LabsRing Zero Labs
@online{labs:201707:trickbot:e738eaf, author = {Ring Zero Labs}, title = {{TrickBot Banking Trojan - DOC00039217.doc}}, date = {2017-07}, organization = {Ring Zero Labs}, url = {https://www.ringzerolabs.com/2017/07/trickbot-banking-trojan-doc00039217doc.html}, language = {English}, urldate = {2020-01-10} } TrickBot Banking Trojan - DOC00039217.doc
TrickBot
2017-06-22Bleeping ComputerCatalin Cimpanu
@online{cimpanu:20170622:locky:4a088f0, author = {Catalin Cimpanu}, title = {{Locky Ransomware Returns, but Targets Only Windows XP & Vista}}, date = {2017-06-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/locky-ransomware-returns-but-targets-only-windows-xp-and-vista/}, language = {English}, urldate = {2019-12-20} } Locky Ransomware Returns, but Targets Only Windows XP & Vista
Locky
2017-06-21CiscoAlex Chiu, Warren Mercer, Jaeson Schultz, Sean Baird, Matthew Molyett
@online{chiu:20170621:player:b44064a, author = {Alex Chiu and Warren Mercer and Jaeson Schultz and Sean Baird and Matthew Molyett}, title = {{Player 1 Limps Back Into the Ring - Hello again, Locky!}}, date = {2017-06-21}, organization = {Cisco}, url = {http://blog.talosintelligence.com/2017/06/necurs-locky-campaign.html}, language = {English}, urldate = {2019-12-17} } Player 1 Limps Back Into the Ring - Hello again, Locky!
Locky
2017-06-15F5Sara Boddy, Jesse Smith, Doron Voolf
@online{boddy:20170615:trickbot:6eb1db4, author = {Sara Boddy and Jesse Smith and Doron Voolf}, title = {{Trickbot Expands Global Targets Beyond Banks and Payment Processors to CRMs}}, date = {2017-06-15}, organization = {F5}, url = {https://f5.com/labs/articles/threat-intelligence/malware/trickbot-expands-global-targets-beyond-banks-and-payment-processors-to-crms}, language = {English}, urldate = {2019-12-24} } Trickbot Expands Global Targets Beyond Banks and Payment Processors to CRMs
TrickBot
2017-06-12Security Art WorkMarc Salinas, JoséMiguel Holguín
@techreport{salinas:20170612:evolucin:9930231, author = {Marc Salinas and JoséMiguel Holguín}, title = {{Evolución de Trickbot}}, date = {2017-06-12}, institution = {Security Art Work}, url = {https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf}, language = {Spanish}, urldate = {2020-01-10} } Evolución de Trickbot
TrickBot
2017-05-26PWCBart Parys
@online{parys:20170526:trickbots:c1b84e1, author = {Bart Parys}, title = {{TrickBot’s bag of tricks}}, date = {2017-05-26}, organization = {PWC}, url = {http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html}, language = {English}, urldate = {2020-06-18} } TrickBot’s bag of tricks
TrickBot
2017-03-01FraudWatch InternationalFraudWatch International
@online{international:20170301:how:fb75ef9, author = {FraudWatch International}, title = {{How Does the Trickbot Malware Work?}}, date = {2017-03-01}, organization = {FraudWatch International}, url = {https://blog.fraudwatchinternational.com/malware/trickbot-malware-works}, language = {English}, urldate = {2020-01-08} } How Does the Trickbot Malware Work?
TrickBot
2017-02-28Security IntelligenceMagal Baz, Or Safran
@online{baz:20170228:dridexs:f72a5ec, author = {Magal Baz and Or Safran}, title = {{Dridex’s Cold War: Enter AtomBombing}}, date = {2017-02-28}, organization = {Security Intelligence}, url = {https://securityintelligence.com/dridexs-cold-war-enter-atombombing/}, language = {English}, urldate = {2019-12-16} } Dridex’s Cold War: Enter AtomBombing
Dridex
2017-01-31MalwarebytesMalwarebytes Labs
@online{labs:20170131:locky:92db484, author = {Malwarebytes Labs}, title = {{Locky Bart ransomware and backend server analysis}}, date = {2017-01-31}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/}, language = {English}, urldate = {2019-12-20} } Locky Bart ransomware and backend server analysis
Locky
2017-01-26FlashpointFlashpoint
@online{flashpoint:20170126:dridex:2ca4920, author = {Flashpoint}, title = {{Dridex Banking Trojan Returns, Leverages New UAC Bypass Method}}, date = {2017-01-26}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog-dridex-banking-trojan-returns/}, language = {English}, urldate = {2020-01-08} } Dridex Banking Trojan Returns, Leverages New UAC Bypass Method
Dridex
2016-12-07BotconfJoshua Adams
@techreport{adams:20161207:trickbot:fc3427c, author = {Joshua Adams}, title = {{The TrickBot Evolution}}, date = {2016-12-07}, institution = {Botconf}, url = {https://www.botconf.eu/wp-content/uploads/2016/11/2016-LT09-TrickBot-Adams.pdf}, language = {English}, urldate = {2020-01-09} } The TrickBot Evolution
TrickBot
2016-12-06FortinetXiaopeng Zhang
@online{zhang:20161206:deep:1f1521f, author = {Xiaopeng Zhang}, title = {{Deep Analysis of the Online Banking Botnet TrickBot}}, date = {2016-12-06}, organization = {Fortinet}, url = {http://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot}, language = {English}, urldate = {2020-01-08} } Deep Analysis of the Online Banking Botnet TrickBot
TrickBot
2016-11-09Lior Keshet
@online{keshet:20161109:tricks:c3ab510, author = {Lior Keshet}, title = {{Tricks of the Trade: A Deeper Look Into TrickBot’s Machinations}}, date = {2016-11-09}, url = {https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/}, language = {English}, urldate = {2019-10-17} } Tricks of the Trade: A Deeper Look Into TrickBot’s Machinations
TrickBot
2016-11-07F5 LabsJulia Karpin, Shaul Vilkomir-Preisman, Anna Dorfman
@online{karpin:20161107:little:598f939, author = {Julia Karpin and Shaul Vilkomir-Preisman and Anna Dorfman}, title = {{Little Trickbot Growing Up: New Campaign}}, date = {2016-11-07}, organization = {F5 Labs}, url = {https://f5.com/labs/articles/threat-intelligence/malware/little-trickbot-growing-up-new-campaign-24412}, language = {English}, urldate = {2020-01-06} } Little Trickbot Growing Up: New Campaign
TrickBot
2016-10-25NetScoutASERT Team
@online{team:20161025:trickbot:dd465d9, author = {ASERT Team}, title = {{TrickBot Banker Insights}}, date = {2016-10-25}, organization = {NetScout}, url = {https://www.arbornetworks.com/blog/asert/trickbot-banker-insights/}, language = {English}, urldate = {2019-07-11} } TrickBot Banker Insights
TrickBot
2016-10-24MalwarebytesMalwarebytes Labs
@online{labs:20161024:introducing:e59ac27, author = {Malwarebytes Labs}, title = {{Introducing TrickBot, Dyreza’s successor}}, date = {2016-10-24}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/}, language = {English}, urldate = {2019-12-20} } Introducing TrickBot, Dyreza’s successor
TrickBot
2016-10-15Fidelis CybersecurityThreat Research Team
@online{team:20161015:trickbot:cc9f48f, author = {Threat Research Team}, title = {{TrickBot: We Missed you, Dyre}}, date = {2016-10-15}, organization = {Fidelis Cybersecurity}, url = {https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre}, language = {English}, urldate = {2019-11-28} } TrickBot: We Missed you, Dyre
TrickBot
2016-10-11SymantecSymantec Security Response
@online{response:20161011:odinaff:bdd6f10, author = {Symantec Security Response}, title = {{Odinaff: New Trojan used in high level financial attacks}}, date = {2016-10-11}, organization = {Symantec}, url = {https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks}, language = {English}, urldate = {2020-04-21} } Odinaff: New Trojan used in high level financial attacks
Batel FlawedAmmyy Odinaff RMS Anunak
2016-07-07Pierluigi Paganini
@online{paganini:20160707:new:7c765a2, author = {Pierluigi Paganini}, title = {{New threat dubbed Zepto Ransomware is spreading out with a new email spam campaign. It is a variant of the recent Locky Ransomware.}}, date = {2016-07-07}, url = {http://securityaffairs.co/wordpress/49094/malware/zepto-ransomware.html}, language = {English}, urldate = {2019-11-22} } New threat dubbed Zepto Ransomware is spreading out with a new email spam campaign. It is a variant of the recent Locky Ransomware.
Locky
2016-03-01Malwarebyteshasherezade
@online{hasherezade:20160301:look:fe35696, author = {hasherezade}, title = {{Look Into Locky Ransomware}}, date = {2016-03-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/}, language = {English}, urldate = {2019-12-20} } Look Into Locky Ransomware
Locky
2016-02-16SymantecDick O'Brien
@techreport{obrien:20160216:dridex:7abdc31, author = {Dick O'Brien}, title = {{Dridex: Tidal waves of spam pushing dangerous financial Trojan}}, date = {2016-02-16}, institution = {Symantec}, url = {https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dridex-financial-trojan.pdf}, language = {English}, urldate = {2020-01-08} } Dridex: Tidal waves of spam pushing dangerous financial Trojan
Dridex
2015-11-10CERT.PLCERT.PL
@online{certpl:20151110:talking:d93cf24, author = {CERT.PL}, title = {{Talking to Dridex (part 0) – inside the dropper}}, date = {2015-11-10}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/talking-dridex-part-0-inside-the-dropper/}, language = {English}, urldate = {2020-01-06} } Talking to Dridex (part 0) – inside the dropper
Dridex
2015-10-26BluelivBlueliv
@techreport{blueliv:20151026:chasing:975ef1a, author = {Blueliv}, title = {{Chasing cybercrime: network insights of Dyre and Dridex Trojan bankers}}, date = {2015-10-26}, institution = {Blueliv}, url = {https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf}, language = {English}, urldate = {2020-01-13} } Chasing cybercrime: network insights of Dyre and Dridex Trojan bankers
Dridex Dyre
2015-10-15BitSightAnubisLabs
@techreport{anubislabs:20151015:dridex:4dafca8, author = {AnubisLabs}, title = {{Dridex: Chasing a botnet from the inside}}, date = {2015-10-15}, institution = {BitSight}, url = {https://cdn2.hubspot.net/hubfs/507516/ANB_MIR_Dridex_PRv7_final.pdf}, language = {English}, urldate = {2020-08-06} } Dridex: Chasing a botnet from the inside
Dridex
2015-10-13SecureworksBrett Stone-Gross
@online{stonegross:20151013:dridex:46d9a58, author = {Brett Stone-Gross}, title = {{Dridex (Bugat v5) Botnet Takeover Operation}}, date = {2015-10-13}, organization = {Secureworks}, url = {https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation}, language = {English}, urldate = {2020-01-08} } Dridex (Bugat v5) Botnet Takeover Operation
Dridex

Credits: MISP Project