SYMBOLCOMMON_NAMEaka. SYNONYMS

TA505  (Back to overview)

aka: SectorJ04 Group, GRACEFUL SPIDER, GOLD TAHOE, Dudear, TEMP.Warlock, G0092, ATK103

TA505, the name given by Proofpoint, has been in the cybercrime business for at least four years. This is the group behind the infamous Dridex banking trojan and Locky ransomware, delivered through malicious email campaigns via Necurs botnet. Other malware associated with TA505 include Philadelphia and GlobeImposter ransomware families.


Associated Families
win.andromut win.flawedammyy win.flawedgrace win.get2 win.locky win.mirrorblast win.rms win.sdbbot win.servhelper win.tinymet win.trickbot win.clop

References
2022-06-23KasperskyNikita Nazarov, Vasily Davydov, Natalya Shornikova, Vladislav Burtsev, Danila Nasonov
@techreport{nazarov:20220623:hateful:bae0681, author = {Nikita Nazarov and Vasily Davydov and Natalya Shornikova and Vladislav Burtsev and Danila Nasonov}, title = {{The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs}}, date = {2022-06-23}, institution = {Kaspersky}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf}, language = {English}, urldate = {2022-06-27} } The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs
Conti Hive BlackByte BlackCat Clop LockBit Mespinoza Ragnarok
2022-06-23KasperskyNikita Nazarov, Vasily Davydov, Natalya Shornikova, Vladislav Burtsev, Danila Nasonov
@online{nazarov:20220623:hateful:9c6bf9a, author = {Nikita Nazarov and Vasily Davydov and Natalya Shornikova and Vladislav Burtsev and Danila Nasonov}, title = {{The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)}}, date = {2022-06-23}, organization = {Kaspersky}, url = {https://securelist.com/modern-ransomware-groups-ttps/106824/}, language = {English}, urldate = {2022-06-27} } The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)
BlackByte BlackCat Clop Conti Hive LockBit Mespinoza RagnarLocker
2022-06-02EclypsiumEclypsium
@online{eclypsium:20220602:conti:abb9754, author = {Eclypsium}, title = {{Conti Targets Critical Firmware}}, date = {2022-06-02}, organization = {Eclypsium}, url = {https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/}, language = {English}, urldate = {2022-06-04} } Conti Targets Critical Firmware
Conti HermeticWiper TrickBot WhisperGate
2022-05-24The Hacker NewsFlorian Goutin
@online{goutin:20220524:malware:e85b49b, author = {Florian Goutin}, title = {{Malware Analysis: Trickbot}}, date = {2022-05-24}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/05/malware-analysis-trickbot.html}, language = {English}, urldate = {2022-05-29} } Malware Analysis: Trickbot
Cobalt Strike Conti Ryuk TrickBot
2022-05-17Trend MicroTrend Micro Research
@online{research:20220517:ransomware:7b86339, author = {Trend Micro Research}, title = {{Ransomware Spotlight: RansomEXX}}, date = {2022-05-17}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx}, language = {English}, urldate = {2022-05-25} } Ransomware Spotlight: RansomEXX
LaZagne Cobalt Strike IcedID MimiKatz PyXie RansomEXX TrickBot
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker
2022-05-09Microsoft SecurityMicrosoft Threat Intelligence Center, Microsoft 365 Defender Threat Intelligence Team
@online{center:20220509:ransomwareasaservice:3dac44d, author = {Microsoft Threat Intelligence Center and Microsoft 365 Defender Threat Intelligence Team}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft Security}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/}, language = {English}, urldate = {2022-06-02} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
Griffon BazarBackdoor BlackCat BlackMatter Blister Gozi LockBit Pandora Rook SystemBC TrickBot
2022-05-05YouTube (Chris Greer)Chris Greer
@online{greer:20220505:malware:d2996ea, author = {Chris Greer}, title = {{MALWARE Analysis with Wireshark // TRICKBOT Infection}}, date = {2022-05-05}, organization = {YouTube (Chris Greer)}, url = {https://www.youtube.com/watch?v=Brx4cygfmg8}, language = {English}, urldate = {2022-05-05} } MALWARE Analysis with Wireshark // TRICKBOT Infection
TrickBot
2022-04-28SymantecKarthikeyan C Kasiviswanathan, Vishal Kamble
@online{kasiviswanathan:20220428:ransomware:95feafb, author = {Karthikeyan C Kasiviswanathan and Vishal Kamble}, title = {{Ransomware: How Attackers are Breaching Corporate Networks}}, date = {2022-04-28}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker}, language = {English}, urldate = {2022-05-04} } Ransomware: How Attackers are Breaching Corporate Networks
AvosLocker Conti Emotet Hive IcedID PhotoLoader QakBot TrickBot
2022-04-27Medium elis531989Eli Salem
@online{salem:20220427:chronicles:c55d826, author = {Eli Salem}, title = {{The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection}}, date = {2022-04-27}, organization = {Medium elis531989}, url = {https://elis531989.medium.com/the-chronicles-of-bumblebee-the-hook-the-bee-and-the-trickbot-connection-686379311056}, language = {English}, urldate = {2022-04-29} } The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection
BumbleBee TrickBot
2022-04-26Intel 471Intel 471
@online{471:20220426:conti:6bcff7d, author = {Intel 471}, title = {{Conti and Emotet: A constantly destructive duo}}, date = {2022-04-26}, organization = {Intel 471}, url = {https://intel471.com/blog/conti-emotet-ransomware-conti-leaks}, language = {English}, urldate = {2022-04-29} } Conti and Emotet: A constantly destructive duo
Cobalt Strike Conti Emotet IcedID QakBot TrickBot
2022-04-20CISACISA, NSA, FBI, Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), Government Communications Security Bureau, NCSC UK, National Crime Agency (NCA)
@techreport{cisa:20220420:aa22110a:4fde5d6, author = {CISA and NSA and FBI and Australian Cyber Security Centre (ACSC) and Canadian Centre for Cyber Security (CCCS) and Government Communications Security Bureau and NCSC UK and National Crime Agency (NCA)}, title = {{AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}}, date = {2022-04-20}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf}, language = {English}, urldate = {2022-04-25} } AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader
2022-04-20CISACISA
@online{cisa:20220420:alert:529e28c, author = {CISA}, title = {{Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}}, date = {2022-04-20}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-110a}, language = {English}, urldate = {2022-04-25} } Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader Killnet
2022-04-18RiskIQJennifer Grob
@online{grob:20220418:riskiq:d5109f2, author = {Jennifer Grob}, title = {{RiskIQ: Trickbot Rickroll}}, date = {2022-04-18}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/04ec92f4}, language = {English}, urldate = {2022-04-20} } RiskIQ: Trickbot Rickroll
TrickBot
2022-04-17BushidoToken BlogBushidoToken
@online{bushidotoken:20220417:lessons:d4d0595, author = {BushidoToken}, title = {{Lessons from the Conti Leaks}}, date = {2022-04-17}, organization = {BushidoToken Blog}, url = {https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html}, language = {English}, urldate = {2022-04-25} } Lessons from the Conti Leaks
BazarBackdoor Conti Emotet IcedID Ryuk TrickBot
2022-04-15Arctic WolfArctic Wolf
@online{wolf:20220415:karakurt:623f8e6, author = {Arctic Wolf}, title = {{The Karakurt Web: Threat Intel and Blockchain Analysis Reveals Extension of Conti Business Model}}, date = {2022-04-15}, organization = {Arctic Wolf}, url = {https://arcticwolf.com/resources/blog/karakurt-web}, language = {English}, urldate = {2022-05-04} } The Karakurt Web: Threat Intel and Blockchain Analysis Reveals Extension of Conti Business Model
Conti Diavol Ryuk TrickBot
2022-04-15Bleeping ComputerIonut Ilascu
@online{ilascu:20220415:karakurt:6fc6399, author = {Ionut Ilascu}, title = {{Karakurt revealed as data extortion arm of Conti cybercrime syndicate}}, date = {2022-04-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/}, language = {English}, urldate = {2022-05-04} } Karakurt revealed as data extortion arm of Conti cybercrime syndicate
Anchor BazarBackdoor Conti TrickBot
2022-04-08ReversingLabsPaul Roberts
@online{roberts:20220408:conversinglabs:270c740, author = {Paul Roberts}, title = {{ConversingLabs Ep. 2: Conti pivots as ransomware as a service struggles}}, date = {2022-04-08}, organization = {ReversingLabs}, url = {https://blog.reversinglabs.com/blog/conversinglabs-ep-2-conti-pivots-as-ransomware-as-a-service-struggles}, language = {English}, urldate = {2022-06-09} } ConversingLabs Ep. 2: Conti pivots as ransomware as a service struggles
Conti Emotet TrickBot
2022-04-05Intel 471Intel 471
@online{471:20220405:move:d589859, author = {Intel 471}, title = {{Move fast and commit crimes: Conti’s development teams mirror corporate tech}}, date = {2022-04-05}, organization = {Intel 471}, url = {https://intel471.com/blog/conti-leaks-ransomware-development}, language = {English}, urldate = {2022-04-07} } Move fast and commit crimes: Conti’s development teams mirror corporate tech
BazarBackdoor TrickBot
2022-03-31TrellixJohn Fokker, Jambul Tologonov
@online{fokker:20220331:conti:3bc2974, author = {John Fokker and Jambul Tologonov}, title = {{Conti Leaks: Examining the Panama Papers of Ransomware}}, date = {2022-03-31}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html}, language = {English}, urldate = {2022-04-07} } Conti Leaks: Examining the Panama Papers of Ransomware
LockBit Amadey Buer Conti IcedID LockBit Mailto Maze PhotoLoader Ryuk TrickBot
2022-03-23SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20220323:threat:84ad46c, author = {Counter Threat Unit ResearchTeam}, title = {{Threat Intelligence Executive Report Volume 2022, Number 2}}, date = {2022-03-23}, organization = {Secureworks}, url = {https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx}, language = {English}, urldate = {2022-03-25} } Threat Intelligence Executive Report Volume 2022, Number 2
Conti Emotet IcedID TrickBot
2022-03-23SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20220323:gold:0f3da90, author = {Counter Threat Unit ResearchTeam}, title = {{GOLD ULRICK Leaks Reveal Organizational Structure and Relationships}}, date = {2022-03-23}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships}, language = {English}, urldate = {2022-03-25} } GOLD ULRICK Leaks Reveal Organizational Structure and Relationships
Conti Emotet IcedID TrickBot
2022-03-21Threat PostLisa Vaas
@online{vaas:20220321:conti:0b203c8, author = {Lisa Vaas}, title = {{Conti Ransomware V. 3, Including Decryptor, Leaked}}, date = {2022-03-21}, organization = {Threat Post}, url = {https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/179006/}, language = {English}, urldate = {2022-03-22} } Conti Ransomware V. 3, Including Decryptor, Leaked
Cobalt Strike Conti TrickBot
2022-03-18AvastMartin Hron
@online{hron:20220318:mris:47b15bc, author = {Martin Hron}, title = {{Mēris and TrickBot standing on the shoulders of giants}}, date = {2022-03-18}, organization = {Avast}, url = {https://decoded.avast.io/martinhron/meris-and-trickbot-standing-on-the-shoulders-of-giants/}, language = {English}, urldate = {2022-03-23} } Mēris and TrickBot standing on the shoulders of giants
Glupteba Proxy Glupteba TrickBot
2022-03-16MicrosoftMicrosoft Defender for IoT Research Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220316:uncovering:aae61b5, author = {Microsoft Defender for IoT Research Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Uncovering Trickbot’s use of IoT devices in command-and-control infrastructure}}, date = {2022-03-16}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/03/16/uncovering-trickbots-use-of-iot-devices-in-command-and-control-infrastructure/}, language = {English}, urldate = {2022-03-17} } Uncovering Trickbot’s use of IoT devices in command-and-control infrastructure
TrickBot
2022-03-15RiskIQRiskIQ
@online{riskiq:20220315:riskiq:da0e578, author = {RiskIQ}, title = {{RiskIQ: Trickbot Abuse of Compromised MikroTik Routers for Command and Control}}, date = {2022-03-15}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/111d6005/description}, language = {English}, urldate = {2022-03-17} } RiskIQ: Trickbot Abuse of Compromised MikroTik Routers for Command and Control
TrickBot
2022-03-09BreachQuestMarco Figueroa, Napoleon Bing, Bernard Silvestrini
@online{figueroa:20220309:conti:d237b64, author = {Marco Figueroa and Napoleon Bing and Bernard Silvestrini}, title = {{The Conti Leaks | Insight into a Ransomware Unicorn}}, date = {2022-03-09}, organization = {BreachQuest}, url = {https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/}, language = {English}, urldate = {2022-03-14} } The Conti Leaks | Insight into a Ransomware Unicorn
Cobalt Strike MimiKatz TrickBot
2022-03-09Bleeping ComputerIonut Ilascu
@online{ilascu:20220309:cisa:63f18cd, author = {Ionut Ilascu}, title = {{CISA updates Conti ransomware alert with nearly 100 domain names}}, date = {2022-03-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/}, language = {English}, urldate = {2022-03-10} } CISA updates Conti ransomware alert with nearly 100 domain names
BazarBackdoor Cobalt Strike Conti TrickBot
2022-03-04ReutersRaphael Satter
@online{satter:20220304:details:66f903a, author = {Raphael Satter}, title = {{Details of another big ransomware group 'Trickbot' leak online, experts say}}, date = {2022-03-04}, organization = {Reuters}, url = {https://www.reuters.com/technology/details-another-big-ransomware-group-trickbot-leak-online-experts-say-2022-03-04/}, language = {English}, urldate = {2022-03-07} } Details of another big ransomware group 'Trickbot' leak online, experts say
TrickBot
2022-03-02KrebsOnSecurityBrian Krebs
@online{krebs:20220302:conti:03b0358, author = {Brian Krebs}, title = {{Conti Ransomware Group Diaries, Part II: The Office}}, date = {2022-03-02}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/}, language = {English}, urldate = {2022-03-07} } Conti Ransomware Group Diaries, Part II: The Office
Conti Emotet Ryuk TrickBot
2022-03-02CyberArkCyberArk Labs
@online{labs:20220302:conti:52c16db, author = {CyberArk Labs}, title = {{Conti Group Leaked!}}, date = {2022-03-02}, organization = {CyberArk}, url = {https://www.cyberark.com/resources/threat-research-blog/conti-group-leaked}, language = {English}, urldate = {2022-03-03} } Conti Group Leaked!
TeamTNT Conti TrickBot
2022-03-02ThreatpostLisa Vaas
@online{vaas:20220302:conti:ffc8271, author = {Lisa Vaas}, title = {{Conti Ransomware Decryptor, TrickBot Source Code Leaked}}, date = {2022-03-02}, organization = {Threatpost}, url = {https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/}, language = {English}, urldate = {2022-03-07} } Conti Ransomware Decryptor, TrickBot Source Code Leaked
Conti TrickBot
2022-03-01VX-Underground
@online{vxunderground:20220301:leaks:6e42f8b, author = {VX-Underground}, title = {{Leaks: Conti / Trickbot}}, date = {2022-03-01}, url = {https://share.vx-underground.org/Conti/}, language = {English}, urldate = {2022-03-07} } Leaks: Conti / Trickbot
Conti TrickBot
2022-02-25CyberScoopJoe Warminsky
@online{warminsky:20220225:trickbot:2d38470, author = {Joe Warminsky}, title = {{TrickBot malware suddenly got quiet, researchers say, but it's hardly the end for its operators}}, date = {2022-02-25}, organization = {CyberScoop}, url = {https://www.cyberscoop.com/trickbot-shutdown-conti-emotet/}, language = {English}, urldate = {2022-03-01} } TrickBot malware suddenly got quiet, researchers say, but it's hardly the end for its operators
BazarBackdoor Emotet TrickBot
2022-02-24The RecordCatalin Cimpanu
@online{cimpanu:20220224:trickbot:2f5ab4d, author = {Catalin Cimpanu}, title = {{TrickBot gang shuts down botnet after months of inactivity}}, date = {2022-02-24}, organization = {The Record}, url = {https://therecord.media/trickbot-gang-shuts-down-botnet-after-months-of-inactivity/}, language = {English}, urldate = {2022-03-01} } TrickBot gang shuts down botnet after months of inactivity
TrickBot
2022-02-24The Hacker NewsRavie Lakshmanan
@online{lakshmanan:20220224:trickbot:7e86d52, author = {Ravie Lakshmanan}, title = {{TrickBot Gang Likely Shifting Operations to Switch to New Malware}}, date = {2022-02-24}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html}, language = {English}, urldate = {2022-03-01} } TrickBot Gang Likely Shifting Operations to Switch to New Malware
BazarBackdoor Emotet QakBot TrickBot
2022-02-24The Hacker NewsRavie Lakshmanan
@online{lakshmanan:20220224:notorious:c5e1556, author = {Ravie Lakshmanan}, title = {{Notorious TrickBot Malware Gang Shuts Down its Botnet Infrastructure}}, date = {2022-02-24}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/02/notorious-trickbot-malware-gang-shuts.html}, language = {English}, urldate = {2022-03-04} } Notorious TrickBot Malware Gang Shuts Down its Botnet Infrastructure
BazarBackdoor Emotet TrickBot
2022-02-22Bankinfo SecurityMatthew J. Schwartz
@online{schwartz:20220222:cybercrime:ccc094e, author = {Matthew J. Schwartz}, title = {{Cybercrime Moves: Conti Ransomware Absorbs TrickBot Malware}}, date = {2022-02-22}, organization = {Bankinfo Security}, url = {https://www.bankinfosecurity.com/cybercrime-moves-conti-ransomware-absorbs-trickbot-malware-a-18573}, language = {English}, urldate = {2022-02-26} } Cybercrime Moves: Conti Ransomware Absorbs TrickBot Malware
Conti TrickBot
2022-02-22Trend MicroTrend Micro Research
@online{research:20220222:ransomware:677506b, author = {Trend Micro Research}, title = {{Ransomware Spotlight: Clop}}, date = {2022-02-22}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-clop}, language = {English}, urldate = {2022-02-26} } Ransomware Spotlight: Clop
Clop
2022-02-20Security AffairsPierluigi Paganini
@online{paganini:20220220:conti:a6d57b1, author = {Pierluigi Paganini}, title = {{The Conti ransomware group takes over TrickBot malware operation and plans to replace it with BazarBackdoor malware.}}, date = {2022-02-20}, organization = {Security Affairs}, url = {https://securityaffairs.co/wordpress/128190/cyber-crime/conti-ransomware-takes-over-trickbot.html}, language = {English}, urldate = {2022-02-26} } The Conti ransomware group takes over TrickBot malware operation and plans to replace it with BazarBackdoor malware.
Conti TrickBot
2022-02-18Bleeping ComputerIonut Ilascu
@online{ilascu:20220218:conti:9a7f82b, author = {Ionut Ilascu}, title = {{Conti ransomware gang takes over TrickBot malware operation}}, date = {2022-02-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/conti-ransomware-gang-takes-over-trickbot-malware-operation/}, language = {English}, urldate = {2022-02-19} } Conti ransomware gang takes over TrickBot malware operation
Conti TrickBot
2022-02-16Advanced IntelligenceYelisey Boguslavskiy
@online{boguslavskiy:20220216:trickbot:a431e84, author = {Yelisey Boguslavskiy}, title = {{The TrickBot Saga’s Finale Has Aired: Spinoff is Already in the Works}}, date = {2022-02-16}, organization = {Advanced Intelligence}, url = {https://www.advintel.io/post/the-trickbot-saga-s-finale-has-aired-but-a-spinoff-is-already-in-the-works}, language = {English}, urldate = {2022-02-19} } The TrickBot Saga’s Finale Has Aired: Spinoff is Already in the Works
TrickBot
2022-02-16Threat PostTara Seals
@online{seals:20220216:trickbot:a1c11b3, author = {Tara Seals}, title = {{TrickBot Ravages Customers of Amazon, PayPal and Other Top Brands}}, date = {2022-02-16}, organization = {Threat Post}, url = {https://threatpost.com/trickbot-amazon-paypal-top-brands/178483/}, language = {English}, urldate = {2022-02-17} } TrickBot Ravages Customers of Amazon, PayPal and Other Top Brands
TrickBot
2022-02-16Check Point ResearchAliaksandr Trafimchuk, Raman Ladutska
@online{trafimchuk:20220216:modern:a6f60a5, author = {Aliaksandr Trafimchuk and Raman Ladutska}, title = {{A Modern Ninja: Evasive Trickbot Attacks Customers of 60 High-Profile Companies}}, date = {2022-02-16}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2022/a-modern-ninja-evasive-trickbot-attacks-customers-of-60-high-profile-companies/}, language = {English}, urldate = {2022-02-18} } A Modern Ninja: Evasive Trickbot Attacks Customers of 60 High-Profile Companies
TrickBot
2022-02-08Intel 471Intel 471
@online{471:20220208:privateloader:5e226cd, author = {Intel 471}, title = {{PrivateLoader: The first step in many malware schemes}}, date = {2022-02-08}, organization = {Intel 471}, url = {https://intel471.com/blog/privateloader-malware}, language = {English}, urldate = {2022-05-09} } PrivateLoader: The first step in many malware schemes
Dridex Kronos LockBit Nanocore RAT NjRAT PrivateLoader Quasar RAT RedLine Stealer Remcos SmokeLoader STOP Tofsee TrickBot Vidar
2022-02-02IBMKevin Henson
@online{henson:20220202:trickbot:fd4964d, author = {Kevin Henson}, title = {{TrickBot Gang Uses Template-Based Metaprogramming in Bazar Malware}}, date = {2022-02-02}, organization = {IBM}, url = {https://securityintelligence.com/posts/trickbot-gang-template-based-metaprogramming-bazar-malware/}, language = {English}, urldate = {2022-02-04} } TrickBot Gang Uses Template-Based Metaprogramming in Bazar Malware
BazarBackdoor TrickBot
2022-02-01WiredMatt Burgess
@online{burgess:20220201:inside:bb20f12, author = {Matt Burgess}, title = {{Inside Trickbot, Russia’s Notorious Ransomware Gang}}, date = {2022-02-01}, organization = {Wired}, url = {https://www.wired.com/story/trickbot-malware-group-internal-messages/}, language = {English}, urldate = {2022-02-02} } Inside Trickbot, Russia’s Notorious Ransomware Gang
TrickBot
2022-02-01WiredMatt Burgess
@online{burgess:20220201:inside:0e154c3, author = {Matt Burgess}, title = {{Inside Trickbot, Russia’s Notorious Ransomware Gang}}, date = {2022-02-01}, organization = {Wired}, url = {https://www.wired.co.uk/article/trickbot-malware-group-internal-messages}, language = {English}, urldate = {2022-02-09} } Inside Trickbot, Russia’s Notorious Ransomware Gang
TrickBot
2022-01-24Kryptos LogicKryptos Logic Vantage Team
@online{team:20220124:deep:bb877d2, author = {Kryptos Logic Vantage Team}, title = {{Deep Dive into Trickbot's Web Injection}}, date = {2022-01-24}, organization = {Kryptos Logic}, url = {https://www.kryptoslogic.com/blog/2022/01/deep-dive-into-trickbots-web-injection/}, language = {English}, urldate = {2022-01-25} } Deep Dive into Trickbot's Web Injection
TrickBot
2022-01-24IBMMichael Gal, Segev Fogel, Itzik Chimino, Limor Kessem, Charlotte Hammond
@online{gal:20220124:trickbot:8a030b3, author = {Michael Gal and Segev Fogel and Itzik Chimino and Limor Kessem and Charlotte Hammond}, title = {{TrickBot Bolsters Layered Defenses to Prevent Injection Research}}, date = {2022-01-24}, organization = {IBM}, url = {https://securityintelligence.com/posts/trickbot-bolsters-layered-defenses-prevent-injection/}, language = {English}, urldate = {2022-01-25} } TrickBot Bolsters Layered Defenses to Prevent Injection Research
TrickBot
2022-01-19FBIFBI
@techreport{fbi:20220119:cu000161mw:19f7d2b, author = {FBI}, title = {{CU-000161-MW: Indicators of Compromise Associated with Diavol Ransomware}}, date = {2022-01-19}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2022/220120.pdf}, language = {English}, urldate = {2022-01-24} } CU-000161-MW: Indicators of Compromise Associated with Diavol Ransomware
Diavol TrickBot
2022-01-18Recorded FutureInsikt Group®
@techreport{group:20220118:2021:9cff6fc, author = {Insikt Group®}, title = {{2021 Adversary Infrastructure Report}}, date = {2022-01-18}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf}, language = {English}, urldate = {2022-01-24} } 2021 Adversary Infrastructure Report
BazarBackdoor Cobalt Strike Dridex IcedID QakBot TrickBot
2021-12-08Check Point ResearchRaman Ladutska, Aliaksandr Trafimchuk, David Driker, Yali Magiel
@online{ladutska:20211208:when:16ee92b, author = {Raman Ladutska and Aliaksandr Trafimchuk and David Driker and Yali Magiel}, title = {{When old friends meet again: why Emotet chose Trickbot for rebirth}}, date = {2021-12-08}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2021/when-old-friends-meet-again-why-emotet-chose-trickbot-for-rebirth/}, language = {English}, urldate = {2022-02-18} } When old friends meet again: why Emotet chose Trickbot for rebirth
Emotet TrickBot
2021-12-03GoSecureGoSecure Titan Labs
@online{labs:20211203:trickbot:9dd4feb, author = {GoSecure Titan Labs}, title = {{TrickBot Leverages Zoom Work from Home Interview Malspam, Heaven’s Gate and… Spamhaus?}}, date = {2021-12-03}, organization = {GoSecure}, url = {https://www.gosecure.net/blog/2021/12/03/trickbot-leverages-zoom-work-from-home-interview-malspam-heavens-gate-and-spamhaus/}, language = {English}, urldate = {2022-02-26} } TrickBot Leverages Zoom Work from Home Interview Malspam, Heaven’s Gate and… Spamhaus?
TrickBot
2021-12-01NCC GroupNikolaos Pantazopoulos, Michael Sandee
@online{pantazopoulos:20211201:tracking:b67c8f7, author = {Nikolaos Pantazopoulos and Michael Sandee}, title = {{Tracking a P2P network related to TA505}}, date = {2021-12-01}, organization = {NCC Group}, url = {https://research.nccgroup.com/2021/12/01/tracking-a-p2p-network-related-with-ta505/}, language = {English}, urldate = {2021-12-01} } Tracking a P2P network related to TA505
FlawedGrace Necurs
2021-11-16Trend MicroTrend Micro
@online{micro:20211116:global:5b996d3, author = {Trend Micro}, title = {{Global Operations Lead to Arrests of Alleged Members of GandCrab/REvil and Cl0p Cartels}}, date = {2021-11-16}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html}, language = {English}, urldate = {2021-11-18} } Global Operations Lead to Arrests of Alleged Members of GandCrab/REvil and Cl0p Cartels
REvil Clop Gandcrab REvil
2021-11-16MalwarebytesMalwarebytes Threat Intelligence Team
@online{team:20211116:trickbot:b624694, author = {Malwarebytes Threat Intelligence Team}, title = {{TrickBot helps Emotet come back from the dead}}, date = {2021-11-16}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-intelligence/2021/11/trickbot-helps-emotet-come-back-from-the-dead/}, language = {English}, urldate = {2021-11-17} } TrickBot helps Emotet come back from the dead
Emotet TrickBot
2021-11-12Recorded FutureInsikt Group®
@techreport{group:20211112:business:6d6cffa, author = {Insikt Group®}, title = {{The Business of Fraud: Botnet Malware Dissemination}}, date = {2021-11-12}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf}, language = {English}, urldate = {2021-11-17} } The Business of Fraud: Botnet Malware Dissemination
Mozi Dridex IcedID QakBot TrickBot
2021-11-04Security Service of UkraineSecurity Service of Ukraine
@techreport{ukraine:20211104:gamaredon:7be7543, author = {Security Service of Ukraine}, title = {{Gamaredon / Armageddon Group: FSB RF Cyber attacks against Ukraine}}, date = {2021-11-04}, institution = {Security Service of Ukraine}, url = {https://ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf}, language = {English}, urldate = {2022-03-01} } Gamaredon / Armageddon Group: FSB RF Cyber attacks against Ukraine
EvilGnome Pteranodon RMS
2021-10-29Національна поліція УкраїниНаціональна поліція України
@online{:20211029:cyberpolice:fc43b20, author = {Національна поліція України}, title = {{Cyberpolice exposes transnational criminal group in causing $ 120 million in damage to foreign companies}}, date = {2021-10-29}, organization = {Національна поліція України}, url = {https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/}, language = {Ukrainian}, urldate = {2021-11-02} } Cyberpolice exposes transnational criminal group in causing $ 120 million in damage to foreign companies
Cobalt Strike Dharma LockerGoga MegaCortex TrickBot
2021-10-29EuropolEuropol
@online{europol:20211029:12:5c0fd59, author = {Europol}, title = {{12 targeted for involvement in ransomware attacks against critical infrastructure}}, date = {2021-10-29}, organization = {Europol}, url = {https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure}, language = {English}, urldate = {2021-11-02} } 12 targeted for involvement in ransomware attacks against critical infrastructure
Cobalt Strike Dharma LockerGoga MegaCortex TrickBot
2021-10-28Department of JusticeDepartment of Justice
@online{justice:20211028:indictment:24d4225, author = {Department of Justice}, title = {{Indictment: Russian National (Vladimir Dunaev) Extradited to United States to Face Charges for Alleged Role in Cybercriminal Organization}}, date = {2021-10-28}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/press-release/file/1445241/download}, language = {English}, urldate = {2021-11-03} } Indictment: Russian National (Vladimir Dunaev) Extradited to United States to Face Charges for Alleged Role in Cybercriminal Organization
TrickBot
2021-10-28Department of JusticeDepartment of Justice
@online{justice:20211028:russian:52deb25, author = {Department of Justice}, title = {{Russian National (Vladimir Dunaev) Extradited to United States to Face Charges for Alleged Role in Cybercriminal Organization}}, date = {2021-10-28}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/russian-national-extradited-united-states-face-charges-alleged-role-cybercriminal}, language = {English}, urldate = {2021-11-02} } Russian National (Vladimir Dunaev) Extradited to United States to Face Charges for Alleged Role in Cybercriminal Organization
TrickBot
2021-10-27VinCSSm4n0w4r, Tran Trung Kien
@online{m4n0w4r:20211027:re025:52c8a55, author = {m4n0w4r and Tran Trung Kien}, title = {{[RE025] TrickBot ... many tricks}}, date = {2021-10-27}, organization = {VinCSS}, url = {https://blog.vincss.net/2021/10/re025-trickbot-many-tricks.html}, language = {English}, urldate = {2021-11-02} } [RE025] TrickBot ... many tricks
TrickBot
2021-10-21CrowdStrikeAlex Clinton, Tasha Robinson
@online{clinton:20211021:stopping:3c26152, author = {Alex Clinton and Tasha Robinson}, title = {{Stopping GRACEFUL SPIDER: Falcon Complete’s Fast Response to Recent SolarWinds Serv-U Exploit Campaign}}, date = {2021-10-21}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/}, language = {English}, urldate = {2021-11-02} } Stopping GRACEFUL SPIDER: Falcon Complete’s Fast Response to Recent SolarWinds Serv-U Exploit Campaign
Cobalt Strike FlawedGrace TinyMet
2021-10-19ProofpointZydeca Cass, Axel F, Crista Giering, Matthew Mesa, Georgi Mladenov, Brandon Murphy
@online{cass:20211019:whatta:4d969e1, author = {Zydeca Cass and Axel F and Crista Giering and Matthew Mesa and Georgi Mladenov and Brandon Murphy}, title = {{Whatta TA: TA505 Ramps Up Activity, Delivers New FlawedGrace Variant}}, date = {2021-10-19}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/whatta-ta-ta505-ramps-activity-delivers-new-flawedgrace-variant}, language = {English}, urldate = {2021-10-24} } Whatta TA: TA505 Ramps Up Activity, Delivers New FlawedGrace Variant
FlawedGrace MirrorBlast
2021-10-19KasperskyOleg Kupreev
@online{kupreev:20211019:trickbot:f7cfc04, author = {Oleg Kupreev}, title = {{Trickbot module descriptions}}, date = {2021-10-19}, organization = {Kaspersky}, url = {https://securelist.com/trickbot-module-descriptions/104603/}, language = {English}, urldate = {2021-10-24} } Trickbot module descriptions
TrickBot
2021-10-14MorphisecArnold Osipov
@online{osipov:20211014:explosive:d6c6eb7, author = {Arnold Osipov}, title = {{Explosive New MirrorBlast Campaign Targets Financial Companies}}, date = {2021-10-14}, organization = {Morphisec}, url = {https://blog.morphisec.com/explosive-new-mirrorblast-campaign-targets-financial-companies}, language = {English}, urldate = {2021-10-24} } Explosive New MirrorBlast Campaign Targets Financial Companies
MirrorBlast
2021-10-13IBMOle Villadsen, Charlotte Hammond
@online{villadsen:20211013:trickbot:e0d4233, author = {Ole Villadsen and Charlotte Hammond}, title = {{Trickbot Rising — Gang Doubles Down on Infection Efforts to Amass Network Footholds}}, date = {2021-10-13}, organization = {IBM}, url = {https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/}, language = {English}, urldate = {2021-10-25} } Trickbot Rising — Gang Doubles Down on Infection Efforts to Amass Network Footholds
BazarBackdoor TrickBot
2021-10-08ZscalerTarun Dewan, Lenart Brave
@online{dewan:20211008:new:b97c20c, author = {Tarun Dewan and Lenart Brave}, title = {{New Trickbot and BazarLoader campaigns use multiple delivery vectorsi}}, date = {2021-10-08}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/new-trickbot-and-bazarloader-campaigns-use-multiple-delivery-vectors}, language = {English}, urldate = {2021-10-14} } New Trickbot and BazarLoader campaigns use multiple delivery vectorsi
BazarBackdoor TrickBot
2021-10-07MandiantMandiant Research Team
@online{team:20211007:fin12:505a3a8, author = {Mandiant Research Team}, title = {{FIN12 Group Profile: FIN12 Priotizes Speed to Deploy Ransomware Aginst High-Value Targets}}, date = {2021-10-07}, organization = {Mandiant}, url = {https://www.mandiant.com/media/12596/download}, language = {English}, urldate = {2021-11-27} } FIN12 Group Profile: FIN12 Priotizes Speed to Deploy Ransomware Aginst High-Value Targets
Cobalt Strike Empire Downloader TrickBot
2021-10-05FRSecureOscar Minks
@online{minks:20211005:rebol:53830a0, author = {Oscar Minks}, title = {{The REBOL Yell: A New Novel REBOL Exploit}}, date = {2021-10-05}, organization = {FRSecure}, url = {https://frsecure.com/blog/the-rebol-yell-new-rebol-exploit/}, language = {English}, urldate = {2021-10-14} } The REBOL Yell: A New Novel REBOL Exploit
MirrorBlast
2021-10-05Trend MicroFyodor Yarochkin, Janus Agcaoili, Byron Gelera, Nikko Tamana
@online{yarochkin:20211005:ransomware:e5f5375, author = {Fyodor Yarochkin and Janus Agcaoili and Byron Gelera and Nikko Tamana}, title = {{Ransomware as a Service: Enabler of Widespread Attacks}}, date = {2021-10-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks}, language = {English}, urldate = {2021-10-20} } Ransomware as a Service: Enabler of Widespread Attacks
Cerber Conti DarkSide Gandcrab Locky Nefilim REvil Ryuk
2021-10-04CiscoTiago Pereira
@online{pereira:20211004:threat:9f493e1, author = {Tiago Pereira}, title = {{Threat hunting in large datasets by clustering security events}}, date = {2021-10-04}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html}, language = {English}, urldate = {2021-10-20} } Threat hunting in large datasets by clustering security events
BazarBackdoor TrickBot
2021-10HPHP Wolf Security
@techreport{security:202110:threat:49f8fc2, author = {HP Wolf Security}, title = {{Threat Insights Report Q3 - 2021}}, date = {2021-10}, institution = {HP}, url = {https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf}, language = {English}, urldate = {2021-10-25} } Threat Insights Report Q3 - 2021
STRRAT CloudEyE NetWire RC Remcos TrickBot Vjw0rm
2021-09-24ProofpointProofpoint
@online{proofpoint:20210924:daily:403b8bd, author = {Proofpoint}, title = {{Daily Ruleset Update Summary 2021/09/24}}, date = {2021-09-24}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/daily-ruleset-update-summary-20210924}, language = {English}, urldate = {2021-10-05} } Daily Ruleset Update Summary 2021/09/24
MirrorBlast
2021-09-19HPPatrick Schläpfer
@online{schlpfer:20210919:mirrorblast:a81e63c, author = {Patrick Schläpfer}, title = {{MirrorBlast and TA505: Examining Similarities in Tactics, Techniques and Procedures}}, date = {2021-09-19}, organization = {HP}, url = {https://threatresearch.ext.hp.com/mirrorblast-and-ta505-examining-similarities-in-tactics-techniques-and-procedures/}, language = {English}, urldate = {2021-10-24} } MirrorBlast and TA505: Examining Similarities in Tactics, Techniques and Procedures
MirrorBlast
2021-09-14CrowdStrikeCrowdStrike Intelligence Team
@online{team:20210914:big:b345561, author = {CrowdStrike Intelligence Team}, title = {{Big Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack}}, date = {2021-09-14}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/}, language = {English}, urldate = {2021-09-19} } Big Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack
BlackMatter DarkSide REvil Avaddon BlackMatter Clop Conti CryptoLocker DarkSide DoppelPaymer Hades REvil
2021-09-06Bleeping ComputerLawrence Abrams
@online{abrams:20210906:trickbot:652a467, author = {Lawrence Abrams}, title = {{TrickBot gang developer arrested when trying to leave Korea}}, date = {2021-09-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trickbot-gang-developer-arrested-when-trying-to-leave-korea/}, language = {English}, urldate = {2021-09-10} } TrickBot gang developer arrested when trying to leave Korea
Diavol TrickBot
2021-09-03Trend MicroMohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2021-08-15SymantecThreat Hunter Team
@techreport{team:20210815:ransomware:f799696, author = {Threat Hunter Team}, title = {{The Ransomware Threat}}, date = {2021-08-15}, institution = {Symantec}, url = {https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf}, language = {English}, urldate = {2021-12-15} } The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker
2021-08-12Cisco TalosVanja Svajcer
@online{svajcer:20210812:signed:728ea8f, author = {Vanja Svajcer}, title = {{Signed MSI files, Raccoon and Amadey are used for installing ServHelper RAT}}, date = {2021-08-12}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html}, language = {English}, urldate = {2021-08-20} } Signed MSI files, Raccoon and Amadey are used for installing ServHelper RAT
Amadey Raccoon ServHelper
2021-08-01The DFIR ReportThe DFIR Report
@online{report:20210801:bazarcall:bb6829b, author = {The DFIR Report}, title = {{BazarCall to Conti Ransomware via Trickbot and Cobalt Strike}}, date = {2021-08-01}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/}, language = {English}, urldate = {2021-08-02} } BazarCall to Conti Ransomware via Trickbot and Cobalt Strike
BazarBackdoor Cobalt Strike Conti TrickBot
2021-07-21splunkSplunk Threat Research Team
@online{team:20210721:detecting:ceb179f, author = {Splunk Threat Research Team}, title = {{Detecting Trickbot with Splunk}}, date = {2021-07-21}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/detecting-trickbots.html}, language = {English}, urldate = {2021-07-22} } Detecting Trickbot with Splunk
TrickBot
2021-07-12BitdefenderRadu Tudorica, Bogdan Botezatu
@techreport{tudorica:20210712:fresh:d1d9d75, author = {Radu Tudorica and Bogdan Botezatu}, title = {{A Fresh Look at Trickbot’s Ever-Improving VNC Module}}, date = {2021-07-12}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/399/Bitdefender-PR-Whitepaper-Trickbot-creat5515-en-EN.pdf}, language = {English}, urldate = {2021-07-19} } A Fresh Look at Trickbot’s Ever-Improving VNC Module
TrickBot
2021-07-06Medium walmartglobaltechJason Reaves, Joshua Platt
@online{reaves:20210706:ta505:35e0dbc, author = {Jason Reaves and Joshua Platt}, title = {{TA505 adds GoLang crypter for delivering miners and ServHelper}}, date = {2021-07-06}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/ta505-adds-golang-crypter-for-delivering-miners-and-servhelper-af70b26a6e56}, language = {English}, urldate = {2021-07-11} } TA505 adds GoLang crypter for delivering miners and ServHelper
ServHelper
2021-07-02The RecordCatalin Cimpanu
@online{cimpanu:20210702:trickbot:7d2b9f7, author = {Catalin Cimpanu}, title = {{TrickBot: New attacks see the botnet deploy new banking module, new ransomware}}, date = {2021-07-02}, organization = {The Record}, url = {https://therecord.media/trickbot-new-attacks-see-the-botnet-deploy-new-banking-module-new-ransomware/}, language = {English}, urldate = {2021-07-05} } TrickBot: New attacks see the botnet deploy new banking module, new ransomware
TrickBot
2021-07-01Kryptos LogicKryptos Logic Vantage Team
@online{team:20210701:trickbot:1df5ec3, author = {Kryptos Logic Vantage Team}, title = {{TrickBot and Zeus}}, date = {2021-07-01}, organization = {Kryptos Logic}, url = {https://www.kryptoslogic.com/blog/2021/07/trickbot-and-zeus/}, language = {English}, urldate = {2021-07-11} } TrickBot and Zeus
TrickBot Zeus
2021-06-30Advanced IntelligenceYelisey Boguslavskiy, Brandon Rudisel, AdvIntel Security & Development Team
@online{boguslavskiy:20210630:ransomwarecve:deae6a7, author = {Yelisey Boguslavskiy and Brandon Rudisel and AdvIntel Security & Development Team}, title = {{Ransomware-&-CVE: Industry Insights Into Exclusive High-Value Target Adversarial Datasets}}, date = {2021-06-30}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities}, language = {English}, urldate = {2021-07-01} } Ransomware-&-CVE: Industry Insights Into Exclusive High-Value Target Adversarial Datasets
BlackKingdom Ransomware Clop dearcry Hades REvil
2021-06-25KrCertKayoung Kim, Dongwook Kim, Taewoo Lee, Seulgi Lee
@techreport{kim:20210625:attack:d4ae440, author = {Kayoung Kim and Dongwook Kim and Taewoo Lee and Seulgi Lee}, title = {{Attack patterns in AD environment}}, date = {2021-06-25}, institution = {KrCert}, url = {https://www.boho.or.kr/filedownload.do?attach_file_seq=2808&attach_file_id=EpF2808.pdf}, language = {English}, urldate = {2021-06-29} } Attack patterns in AD environment
Clop
2021-06-24BinanceBinance
@online{binance:20210624:binance:afde1e5, author = {Binance}, title = {{Binance Helps Take Down Cybercriminal Ring Laundering $500M in Ransomware Attacks}}, date = {2021-06-24}, organization = {Binance}, url = {https://www.binance.com/en/blog/421499824684902240/Binance-Helps-Take-Down-Cybercriminal-Ring-Laundering-%24500M-in-Ransomware-Attacks}, language = {English}, urldate = {2021-06-29} } Binance Helps Take Down Cybercriminal Ring Laundering $500M in Ransomware Attacks
Clop
2021-06-16Youtube (Національна поліція України)Національна поліція України
@online{:20210616:clop:28caf8c, author = {Національна поліція України}, title = {{Кіберполіція викрила хакерське угруповання у розповсюдженні вірусу-шифрувальника (Clop operators)}}, date = {2021-06-16}, organization = {Youtube (Національна поліція України)}, url = {https://www.youtube.com/watch?v=PqGaZgepNTE}, language = {Ukrainian}, urldate = {2021-06-21} } Кіберполіція викрила хакерське угруповання у розповсюдженні вірусу-шифрувальника (Clop operators)
Clop
2021-06-16ProofpointSelena Larson, Daniel Blackford, Garrett M. Graff
@online{larson:20210616:first:2e436a0, author = {Selena Larson and Daniel Blackford and Garrett M. Graff}, title = {{The First Step: Initial Access Leads to Ransomware}}, date = {2021-06-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware}, language = {English}, urldate = {2021-06-21} } The First Step: Initial Access Leads to Ransomware
BazarBackdoor Egregor IcedID Maze QakBot REvil Ryuk TrickBot WastedLocker
2021-06-16The RecordCatalin Cimpanu
@online{cimpanu:20210616:ukrainian:141533c, author = {Catalin Cimpanu}, title = {{Ukrainian police arrest Clop ransomware members, seize server infrastructure}}, date = {2021-06-16}, organization = {The Record}, url = {https://therecord.media/ukrainian-police-arrest-clop-ransomware-members-seize-server-infrastructure/}, language = {English}, urldate = {2021-06-21} } Ukrainian police arrest Clop ransomware members, seize server infrastructure
Clop
2021-06-16KrebsOnSecurityBrian Krebs
@online{krebs:20210616:ukrainian:e0e117f, author = {Brian Krebs}, title = {{Ukrainian Police Nab Six Tied to CLOP Ransomware}}, date = {2021-06-16}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2021/06/ukrainian-police-nab-six-tied-to-clop-ransomware/}, language = {English}, urldate = {2021-06-21} } Ukrainian Police Nab Six Tied to CLOP Ransomware
Clop
2021-06-16Національної поліції УкраїниНаціональна поліція України
@online{:20210616:cyberpolice:f455d86, author = {Національна поліція України}, title = {{Cyberpolice exposes hacker group in spreading encryption virus and causing half a billion dollars in damage to foreign companies}}, date = {2021-06-16}, organization = {Національної поліції України}, url = {https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/}, language = {Ukrainian}, urldate = {2021-06-21} } Cyberpolice exposes hacker group in spreading encryption virus and causing half a billion dollars in damage to foreign companies
Clop Cobalt Strike FlawedAmmyy
2021-06-15Trend MicroJanus Agcaoili, Miguel Ang, Earle Earnshaw, Byron Gelera, Nikko Tamana
@online{agcaoili:20210615:ransomware:41013af, author = {Janus Agcaoili and Miguel Ang and Earle Earnshaw and Byron Gelera and Nikko Tamana}, title = {{Ransomware Double Extortion and Beyond: REvil, Clop, and Conti}}, date = {2021-06-15}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti}, language = {English}, urldate = {2021-06-21} } Ransomware Double Extortion and Beyond: REvil, Clop, and Conti
Clop Conti REvil
2021-06-07Medium walmartglobaltechJoshua Platt, Jason Reaves
@online{platt:20210607:inside:6c363a7, author = {Joshua Platt and Jason Reaves}, title = {{Inside the SystemBC Malware-As-A-Service}}, date = {2021-06-07}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6}, language = {English}, urldate = {2021-06-08} } Inside the SystemBC Malware-As-A-Service
Ryuk SystemBC TrickBot
2021-06-04The RecordCatalin Cimpanu
@online{cimpanu:20210604:us:20a6d26, author = {Catalin Cimpanu}, title = {{US arrests Latvian woman who worked on Trickbot malware source code}}, date = {2021-06-04}, organization = {The Record}, url = {https://therecord.media/us-arrests-latvian-woman-who-worked-on-trickbot-malware-source-code/}, language = {English}, urldate = {2021-06-16} } US arrests Latvian woman who worked on Trickbot malware source code
TrickBot
2021-06-04Department of JusticeOffice of Public Affairs
@online{affairs:20210604:latvian:4403f09, author = {Office of Public Affairs}, title = {{Latvian National Charged for Alleged Role in Transnational Cybercrime Organization}}, date = {2021-06-04}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/latvian-national-charged-alleged-role-transnational-cybercrime-organization}, language = {English}, urldate = {2021-06-16} } Latvian National Charged for Alleged Role in Transnational Cybercrime Organization
TrickBot
2021-05-19Intel 471Intel 471
@online{471:20210519:look:5ba9516, author = {Intel 471}, title = {{Look how many cybercriminals love Cobalt Strike}}, date = {2021-05-19}, organization = {Intel 471}, url = {https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor}, language = {English}, urldate = {2021-05-19} } Look how many cybercriminals love Cobalt Strike
BazarBackdoor Cobalt Strike Hancitor QakBot SmokeLoader SystemBC TrickBot
2021-05-13AWAKEKieran Evans
@online{evans:20210513:catching:eaa13e2, author = {Kieran Evans}, title = {{Catching the White Stork in Flight}}, date = {2021-05-13}, organization = {AWAKE}, url = {https://awakesecurity.com/blog/catching-the-white-stork-in-flight/}, language = {English}, urldate = {2021-09-19} } Catching the White Stork in Flight
Cobalt Strike MimiKatz RMS
2021-05-11Mal-Eatsmal_eats
@online{maleats:20210511:campo:0305ab9, author = {mal_eats}, title = {{Campo, a New Attack Campaign Targeting Japan}}, date = {2021-05-11}, organization = {Mal-Eats}, url = {https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/}, language = {English}, urldate = {2021-06-01} } Campo, a New Attack Campaign Targeting Japan
AnchorDNS BazarBackdoor campoloader Cobalt Strike Phobos Snifula TrickBot Zloader
2021-05-11CrowdStrikeThe Falcon Complete Team
@online{team:20210511:response:7e4cf2d, author = {The Falcon Complete Team}, title = {{Response When Minutes Matter: Rising Up Against Ransomware}}, date = {2021-05-11}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-big-game-hunting-ransomware-attack/}, language = {English}, urldate = {2021-05-13} } Response When Minutes Matter: Rising Up Against Ransomware
TinyMet
2021-05-10DarkTracerDarkTracer
@online{darktracer:20210510:intelligence:b9d1c3f, author = {DarkTracer}, title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}}, date = {2021-05-10}, organization = {DarkTracer}, url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3}, language = {English}, urldate = {2021-05-13} } Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-10Mal-Eatsmal_eats
@online{maleats:20210510:overview:50ff3b3, author = {mal_eats}, title = {{Overview of Campo, a new attack campaign targeting Japan}}, date = {2021-05-10}, organization = {Mal-Eats}, url = {https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/}, language = {English}, urldate = {2021-05-13} } Overview of Campo, a new attack campaign targeting Japan
AnchorDNS BazarBackdoor Cobalt Strike ISFB Phobos TrickBot Zloader
2021-05-05RiskIQKelsey Clapp
@online{clapp:20210505:viruses:aab7c1a, author = {Kelsey Clapp}, title = {{Viruses to Violations - TrickBot's Shift in Tactics During the Pandemic}}, date = {2021-05-05}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/298c9fc9}, language = {English}, urldate = {2021-05-26} } Viruses to Violations - TrickBot's Shift in Tactics During the Pandemic
TrickBot
2021-05-03splunkSplunk Threat Research Team
@online{team:20210503:clop:1d24527, author = {Splunk Threat Research Team}, title = {{Clop Ransomware Detection: Threat Research Release, April 2021}}, date = {2021-05-03}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/clop-ransomware-detection-threat-research-release-april-2021.html}, language = {English}, urldate = {2021-05-07} } Clop Ransomware Detection: Threat Research Release, April 2021
Clop
2021-05-02The DFIR ReportThe DFIR Report
@online{report:20210502:trickbot:242b786, author = {The DFIR Report}, title = {{Trickbot Brief: Creds and Beacons}}, date = {2021-05-02}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/}, language = {English}, urldate = {2021-05-04} } Trickbot Brief: Creds and Beacons
Cobalt Strike TrickBot
2021-04-26CoveWareCoveWare
@online{coveware:20210426:ransomware:12586d5, author = {CoveWare}, title = {{Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound}}, date = {2021-04-26}, organization = {CoveWare}, url = {https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound}, language = {English}, urldate = {2021-05-13} } Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound
Avaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt
2021-04-25Vulnerability.ch BlogCorsin Camichel
@online{camichel:20210425:ransomware:1a1ee7f, author = {Corsin Camichel}, title = {{Ransomware and Data Leak Site Publication Time Analysis}}, date = {2021-04-25}, organization = {Vulnerability.ch Blog}, url = {https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/}, language = {English}, urldate = {2021-04-29} } Ransomware and Data Leak Site Publication Time Analysis
Avaddon Babuk Clop Conti DarkSide DoppelPaymer Mespinoza Nefilim REvil
2021-04-15ProofpointSelena Larson
@online{larson:20210415:threat:cdfef32, author = {Selena Larson}, title = {{Threat Actors Pair Tax-Themed Lures With COVID-19, Healthcare Themes}}, date = {2021-04-15}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/security-briefs/threat-actors-pair-tax-themed-lures-covid-19-healthcare-themes}, language = {English}, urldate = {2021-08-23} } Threat Actors Pair Tax-Themed Lures With COVID-19, Healthcare Themes
Dridex TrickBot
2021-04-14ViceLorenzo Franceschi-Bicchierai
@online{franceschibicchierai:20210414:meet:0a23d2a, author = {Lorenzo Franceschi-Bicchierai}, title = {{Meet The Ransomware Gang Behind One of the Biggest Supply Chain Hacks Ever}}, date = {2021-04-14}, organization = {Vice}, url = {https://www.vice.com/en/article/wx5eyx/meet-the-ransomware-gang-behind-one-of-the-biggest-supply-chain-hacks-ever}, language = {English}, urldate = {2021-04-14} } Meet The Ransomware Gang Behind One of the Biggest Supply Chain Hacks Ever
Clop
2021-04-13splunkSplunk Threat Research Team
@online{team:20210413:detecting:83655d0, author = {Splunk Threat Research Team}, title = {{Detecting Clop Ransomware}}, date = {2021-04-13}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/detecting-clop-ransomware.html}, language = {English}, urldate = {2021-04-14} } Detecting Clop Ransomware
Clop
2021-04-13Palo Alto Networks Unit 42Doel Santos
@online{santos:20210413:threat:7154f80, author = {Doel Santos}, title = {{Threat Assessment: Clop Ransomware}}, date = {2021-04-13}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/clop-ransomware/}, language = {English}, urldate = {2021-04-14} } Threat Assessment: Clop Ransomware
Clop
2021-04-06Intel 471Intel 471
@online{471:20210406:ettersilent:b591f59, author = {Intel 471}, title = {{EtterSilent: the underground’s new favorite maldoc builder}}, date = {2021-04-06}, organization = {Intel 471}, url = {https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/}, language = {English}, urldate = {2021-04-06} } EtterSilent: the underground’s new favorite maldoc builder
BazarBackdoor ISFB QakBot TrickBot
2021-04-05Medium walmartglobaltechJason Reaves, Joshua Platt
@online{reaves:20210405:trickbot:a6b0592, author = {Jason Reaves and Joshua Platt}, title = {{TrickBot Crews New CobaltStrike Loader}}, date = {2021-04-05}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c}, language = {English}, urldate = {2021-04-06} } TrickBot Crews New CobaltStrike Loader
Cobalt Strike TrickBot
2021-03-31KasperskyKaspersky
@online{kaspersky:20210331:financial:3371aa0, author = {Kaspersky}, title = {{Financial Cyberthreats in 2020}}, date = {2021-03-31}, organization = {Kaspersky}, url = {https://securelist.com/financial-cyberthreats-in-2020/101638/}, language = {English}, urldate = {2021-04-06} } Financial Cyberthreats in 2020
BetaBot DanaBot Emotet Gozi Ramnit RTM SpyEye TrickBot Zeus
2021-03-31Red CanaryRed Canary
@techreport{canary:20210331:2021:cd81f2d, author = {Red Canary}, title = {{2021 Threat Detection Report}}, date = {2021-03-31}, institution = {Red Canary}, url = {https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf}, language = {English}, urldate = {2021-04-06} } 2021 Threat Detection Report
Shlayer Andromeda Cobalt Strike Dridex Emotet IcedID MimiKatz QakBot TrickBot
2021-03-26Bleeping ComputerLawrence Abrams
@online{abrams:20210326:ransomware:bc58d85, author = {Lawrence Abrams}, title = {{Ransomware gang urges victims’ customers to demand a ransom payment}}, date = {2021-03-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-gang-urges-victims-customers-to-demand-a-ransom-payment/}, language = {English}, urldate = {2021-03-31} } Ransomware gang urges victims’ customers to demand a ransom payment
Clop
2021-03-21BlackberryBlackberry Research
@techreport{research:20210321:2021:a393473, author = {Blackberry Research}, title = {{2021 Threat Report}}, date = {2021-03-21}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf}, language = {English}, urldate = {2021-03-25} } 2021 Threat Report
Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot
2021-03-17CISAUS-CERT
@online{uscert:20210317:alert:5d25361, author = {US-CERT}, title = {{Alert (AA21-076A): TrickBot Malware}}, date = {2021-03-17}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/alerts/aa21-076a}, language = {English}, urldate = {2021-03-19} } Alert (AA21-076A): TrickBot Malware
TrickBot
2021-03-11FlashpointFlashpoint
@online{flashpoint:20210311:cl0p:666bd6f, author = {Flashpoint}, title = {{CL0P and REvil Escalate Their Ransomware Tactics}}, date = {2021-03-11}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/cl0p-and-revil-escalate-their-ransomware-tactics/}, language = {English}, urldate = {2021-03-12} } CL0P and REvil Escalate Their Ransomware Tactics
Clop REvil
2021-03-02Möbius Strip Reverse EngineeringRolf Rolles
@online{rolles:20210302:exhaustivelyanalyzed:ea1e91f, author = {Rolf Rolles}, title = {{An Exhaustively-Analyzed IDB for FlawedGrace}}, date = {2021-03-02}, organization = {Möbius Strip Reverse Engineering}, url = {https://www.msreverseengineering.com/blog/2021/3/2/an-exhaustively-analyzed-idb-for-flawedgrace}, language = {English}, urldate = {2021-03-04} } An Exhaustively-Analyzed IDB for FlawedGrace
FlawedGrace
2021-03Group-IBOleg Skulkin, Roman Rezvukhin, Semyon Rogachev
@techreport{skulkin:202103:ransomware:992ca10, author = {Oleg Skulkin and Roman Rezvukhin and Semyon Rogachev}, title = {{Ransomware Uncovered 2020/2021}}, date = {2021-03}, institution = {Group-IB}, url = {https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf}, language = {English}, urldate = {2021-06-16} } Ransomware Uncovered 2020/2021
RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2021-02-25ANSSICERT-FR
@techreport{certfr:20210225:ryuk:7895e12, author = {CERT-FR}, title = {{Ryuk Ransomware}}, date = {2021-02-25}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf}, language = {English}, urldate = {2021-03-02} } Ryuk Ransomware
BazarBackdoor Buer Conti Emotet Ryuk TrickBot
2021-02-24IBMIBM SECURITY X-FORCE
@online{xforce:20210224:xforce:ac9a90e, author = {IBM SECURITY X-FORCE}, title = {{X-Force Threat Intelligence Index 2021}}, date = {2021-02-24}, organization = {IBM}, url = {https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89}, language = {English}, urldate = {2021-03-02} } X-Force Threat Intelligence Index 2021
Emotet QakBot Ramnit REvil TrickBot
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-22FireEyeAndrew Moore, Genevieve Stark, Isif Ibrahima, Van Ta, Kimberly Goody
@online{moore:20210222:cyber:a641e26, author = {Andrew Moore and Genevieve Stark and Isif Ibrahima and Van Ta and Kimberly Goody}, title = {{Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion}}, date = {2021-02-22}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html}, language = {English}, urldate = {2021-02-25} } Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion
DEWMODE Clop
2021-02-15Medium s2wlabSojun Ryu
@online{ryu:20210215:operation:b0712b0, author = {Sojun Ryu}, title = {{Operation SyncTrek}}, date = {2021-02-15}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/operation-synctrek-e5013df8d167}, language = {English}, urldate = {2021-09-02} } Operation SyncTrek
AbaddonPOS Azorult Clop DoppelDridex DoppelPaymer Dridex PwndLocker
2021-02-08ESET ResearchESET Research
@techreport{research:20210208:threat:fc2b885, author = {ESET Research}, title = {{THREAT REPORT Q4 2020}}, date = {2021-02-08}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2021/02/ESET_Threat_Report_Q42020.pdf}, language = {English}, urldate = {2021-02-09} } THREAT REPORT Q4 2020
TrickBot
2021-02-02CRONUPGermán Fernández
@online{fernndez:20210202:de:6ff4f3a, author = {Germán Fernández}, title = {{De ataque con Malware a incidente de Ransomware}}, date = {2021-02-02}, organization = {CRONUP}, url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware}, language = {Spanish}, urldate = {2021-03-02} } De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2021-02-01MicrosoftMicrosoft 365 Defender Threat Intelligence Team
@online{team:20210201:what:2e12897, author = {Microsoft 365 Defender Threat Intelligence Team}, title = {{What tracking an attacker email infrastructure tells us about persistent cybercriminal operations}}, date = {2021-02-01}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/}, language = {English}, urldate = {2021-02-02} } What tracking an attacker email infrastructure tells us about persistent cybercriminal operations
Dridex Emotet Makop Ransomware SmokeLoader TrickBot
2021-02-01Kryptos LogicKryptos Logic Vantage Team
@online{team:20210201:trickbot:8ae2189, author = {Kryptos Logic Vantage Team}, title = {{Trickbot masrv Module}}, date = {2021-02-01}, organization = {Kryptos Logic}, url = {https://www.kryptoslogic.com/blog/2021/02/trickbot-masrv-module/}, language = {English}, urldate = {2021-02-02} } Trickbot masrv Module
TrickBot
2021-01-28Youtube (Virus Bulletin)Benoît Ancel
@online{ancel:20210128:bagsu:7de60de, author = {Benoît Ancel}, title = {{The Bagsu banker case}}, date = {2021-01-28}, organization = {Youtube (Virus Bulletin)}, url = {https://www.youtube.com/watch?v=EyDiIAt__dI}, language = {English}, urldate = {2021-02-01} } The Bagsu banker case
Azorult DreamBot Emotet Pony TrickBot ZeusAction
2021-01-26IBMNir Shwarts
@online{shwarts:20210126:trickbots:a200e92, author = {Nir Shwarts}, title = {{TrickBot’s Survival Instinct Prevails — What’s Different About the TrickBoot Version?}}, date = {2021-01-26}, organization = {IBM}, url = {https://securityintelligence.com/posts/trickbot-survival-instinct-trickboot-version/}, language = {English}, urldate = {2021-01-27} } TrickBot’s Survival Instinct Prevails — What’s Different About the TrickBoot Version?
TrickBot
2021-01-20Medium walmartglobaltechJason Reaves, Joshua Platt
@online{reaves:20210120:anchor:b1e153f, author = {Jason Reaves and Joshua Platt}, title = {{Anchor and Lazarus together again?}}, date = {2021-01-20}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/anchor-and-lazarus-together-again-24744e516607}, language = {English}, urldate = {2021-01-21} } Anchor and Lazarus together again?
Anchor TrickBot
2021-01-19Medium elis531989Eli Salem
@online{salem:20210119:funtastic:42f9250, author = {Eli Salem}, title = {{Funtastic Packers And Where To Find Them}}, date = {2021-01-19}, organization = {Medium elis531989}, url = {https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7}, language = {English}, urldate = {2021-01-21} } Funtastic Packers And Where To Find Them
Get2 IcedID QakBot
2021-01-19Palo Alto Networks Unit 42Brad Duncan
@online{duncan:20210119:wireshark:be0c831, author = {Brad Duncan}, title = {{Wireshark Tutorial: Examining Emotet Infection Traffic}}, date = {2021-01-19}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/}, language = {English}, urldate = {2021-01-21} } Wireshark Tutorial: Examining Emotet Infection Traffic
Emotet GootKit IcedID QakBot TrickBot
2021-01-11The DFIR ReportThe DFIR Report
@online{report:20210111:trickbot:d1011f9, author = {The DFIR Report}, title = {{Trickbot Still Alive and Well}}, date = {2021-01-11}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/}, language = {English}, urldate = {2021-01-11} } Trickbot Still Alive and Well
Cobalt Strike TrickBot
2021-01-09Marco Ramilli's BlogMarco Ramilli
@online{ramilli:20210109:command:d720b27, author = {Marco Ramilli}, title = {{Command and Control Traffic Patterns}}, date = {2021-01-09}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/}, language = {English}, urldate = {2021-05-17} } Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot
2021-01-06DomainToolsJoe Slowik
@online{slowik:20210106:holiday:6ef0c9d, author = {Joe Slowik}, title = {{Holiday Bazar: Tracking a TrickBot-Related Ransomware Incident}}, date = {2021-01-06}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/tracking-a-trickbot-related-ransomware-incident}, language = {English}, urldate = {2021-01-10} } Holiday Bazar: Tracking a TrickBot-Related Ransomware Incident
BazarBackdoor TrickBot
2021-01-05AhnLabAhnLab ASEC Analysis Team
@online{team:20210105:threat:6541fd7, author = {AhnLab ASEC Analysis Team}, title = {{[Threat Analysis] CLOP Ransomware that Attacked Korean Distribution Giant}}, date = {2021-01-05}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/19542/}, language = {English}, urldate = {2021-06-16} } [Threat Analysis] CLOP Ransomware that Attacked Korean Distribution Giant
Clop
2021-01-04SentinelOneMarco Figueroa
@online{figueroa:20210104:building:37407a6, author = {Marco Figueroa}, title = {{Building a Custom Malware Analysis Lab Environment}}, date = {2021-01-04}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/building-a-custom-malware-analysis-lab-environment/}, language = {English}, urldate = {2021-01-13} } Building a Custom Malware Analysis Lab Environment
TrickBot
2021SecureworksSecureWorks
@online{secureworks:2021:threat:4e7c443, author = {SecureWorks}, title = {{Threat Profile: GOLD BLACKBURN}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-blackburn}, language = {English}, urldate = {2021-05-28} } Threat Profile: GOLD BLACKBURN
Buer Dyre TrickBot WIZARD SPIDER
2020-12-21KEYSIGHT TECHNOLOGIESEdsel Valle
@online{valle:20201221:trickbot:425da88, author = {Edsel Valle}, title = {{TrickBot: A Closer Look}}, date = {2020-12-21}, organization = {KEYSIGHT TECHNOLOGIES}, url = {https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2020/12/21/trickbot_a_closerl-TpQ0.html}, language = {English}, urldate = {2021-01-01} } TrickBot: A Closer Look
TrickBot
2020-12-18Intel 471Intel 471
@online{471:20201218:ta505s:8fb97af, author = {Intel 471}, title = {{TA505’s modified loader means new attack campaign could be coming}}, date = {2020-12-18}, organization = {Intel 471}, url = {https://intel471.com/blog/ta505-get2-loader-malware-december-2020/}, language = {English}, urldate = {2020-12-19} } TA505’s modified loader means new attack campaign could be coming
Get2
2020-12-15Twitter (@darb0ng)Minhee Lee
@online{lee:20201215:symrise:e60ff65, author = {Minhee Lee}, title = {{Tweet on Symrise group hit by Clop Ransomware}}, date = {2020-12-15}, organization = {Twitter (@darb0ng)}, url = {https://twitter.com/darb0ng/status/1338692764121251840}, language = {English}, urldate = {2020-12-15} } Tweet on Symrise group hit by Clop Ransomware
Clop
2020-12-14BluelivAlberto Marín, Carlos Rubio, Blueliv Labs Team
@online{marn:20201214:using:e81621e, author = {Alberto Marín and Carlos Rubio and Blueliv Labs Team}, title = {{Using Qiling Framework to Unpack TA505 packed samples}}, date = {2020-12-14}, organization = {Blueliv}, url = {https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/}, language = {English}, urldate = {2020-12-15} } Using Qiling Framework to Unpack TA505 packed samples
AndroMut Azorult Silence TinyMet
2020-12-10CybereasonJoakim Kandefelt
@online{kandefelt:20201210:cybereason:0267d5e, author = {Joakim Kandefelt}, title = {{Cybereason vs. Ryuk Ransomware}}, date = {2020-12-10}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware}, language = {English}, urldate = {2020-12-14} } Cybereason vs. Ryuk Ransomware
BazarBackdoor Ryuk TrickBot
2020-12-10CyberIntCyberInt
@online{cyberint:20201210:ryuk:e74b8f6, author = {CyberInt}, title = {{Ryuk Crypto-Ransomware}}, date = {2020-12-10}, organization = {CyberInt}, url = {https://blog.cyberint.com/ryuk-crypto-ransomware}, language = {English}, urldate = {2020-12-14} } Ryuk Crypto-Ransomware
Ryuk TrickBot
2020-12-03Bleeping ComputerLawrence Abrams
@online{abrams:20201203:ransomware:186759f, author = {Lawrence Abrams}, title = {{Ransomware gang says they stole 2 million credit cards from E-Land}}, date = {2020-12-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-gang-says-they-stole-2-million-credit-cards-from-e-land/}, language = {English}, urldate = {2020-12-08} } Ransomware gang says they stole 2 million credit cards from E-Land
Clop
2020-12-03EclypsiumEclypsium
@online{eclypsium:20201203:trickbot:7b5b0eb, author = {Eclypsium}, title = {{TrickBot Now Offers ‘TrickBoot’: Persist, Brick, Profit}}, date = {2020-12-03}, organization = {Eclypsium}, url = {https://eclypsium.com/2020/12/03/trickbot-now-offers-trickboot-persist-brick-profit/}, language = {English}, urldate = {2020-12-03} } TrickBot Now Offers ‘TrickBoot’: Persist, Brick, Profit
TrickBot
2020-12-02AhnLabAhnLab ASEC Analysis Team
@techreport{team:20201202:clop:2df3556, author = {AhnLab ASEC Analysis Team}, title = {{CLOP Ransomware Report}}, date = {2020-12-02}, institution = {AhnLab}, url = {https://asec.ahnlab.com/wp-content/uploads/2021/01/Analysis_ReportCLOP_Ransomware.pdf}, language = {Korean}, urldate = {2021-07-02} } CLOP Ransomware Report
Clop
2020-11-23BitdefenderLiviu Arsene, Radu Tudorica
@online{arsene:20201123:trickbot:bcf3c42, author = {Liviu Arsene and Radu Tudorica}, title = {{TrickBot is Dead. Long Live TrickBot!}}, date = {2020-11-23}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/11/trickbot-is-dead-long-live-trickbot/}, language = {English}, urldate = {2020-11-25} } TrickBot is Dead. Long Live TrickBot!
TrickBot
2020-11-23S2W LAB Inc.TALON
@online{talon:20201123:s2w:97212ec, author = {TALON}, title = {{[S2W LAB] Analysis of Clop Ransomware suspiciously related to the Recent Incident}}, date = {2020-11-23}, organization = {S2W LAB Inc.}, url = {https://www.notion.so/S2W-LAB-Analysis-of-Clop-Ransomware-suspiciously-related-to-the-Recent-Incident-English-088056baf01242409a6e9f844f0c5f2e}, language = {English}, urldate = {2020-12-03} } [S2W LAB] Analysis of Clop Ransomware suspiciously related to the Recent Incident
Clop
2020-11-22malware.loveRobert Giczewski
@online{giczewski:20201122:trickbot:06baa84, author = {Robert Giczewski}, title = {{Trickbot tricks again [UPDATE]}}, date = {2020-11-22}, organization = {malware.love}, url = {https://malware.love/trickbot/malware_analysis/reverse_engineering/2020/11/22/trickbot-fake-ips-part2.html}, language = {English}, urldate = {2020-11-23} } Trickbot tricks again [UPDATE]
TrickBot
2020-11-20ZDNetCatalin Cimpanu
@online{cimpanu:20201120:malware:0b8ff59, author = {Catalin Cimpanu}, title = {{The malware that usually installs ransomware and you need to remove right away}}, date = {2020-11-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/}, language = {English}, urldate = {2020-11-23} } The malware that usually installs ransomware and you need to remove right away
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader
2020-11-20Bleeping ComputerLawrence Abrams
@online{abrams:20201120:lightbot:473b7c3, author = {Lawrence Abrams}, title = {{LightBot: TrickBot’s new reconnaissance malware for high-value targets}}, date = {2020-11-20}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/lightbot-trickbot-s-new-reconnaissance-malware-for-high-value-targets/}, language = {English}, urldate = {2020-11-23} } LightBot: TrickBot’s new reconnaissance malware for high-value targets
LightBot TrickBot
2020-11-18SophosSophos
@techreport{sophos:20201118:sophos:8fd201e, author = {Sophos}, title = {{SOPHOS 2021 THREAT REPORT Navigating cybersecurity in an uncertain world}}, date = {2020-11-18}, institution = {Sophos}, url = {https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf}, language = {English}, urldate = {2020-11-19} } SOPHOS 2021 THREAT REPORT Navigating cybersecurity in an uncertain world
Agent Tesla Dridex TrickBot Zloader
2020-11-17malware.loveRobert Giczewski
@online{giczewski:20201117:trickbot:1bbf92a, author = {Robert Giczewski}, title = {{Trickbot tricks again}}, date = {2020-11-17}, organization = {malware.love}, url = {https://malware.love/trickbot/malware_analysis/reverse_engineering/2020/11/17/trickbots-latest-trick.html}, language = {English}, urldate = {2020-11-19} } Trickbot tricks again
TrickBot
2020-11-17Salesforce EngineeringJohn Althouse
@online{althouse:20201117:easily:172bd6d, author = {John Althouse}, title = {{Easily Identify Malicious Servers on the Internet with JARM}}, date = {2020-11-17}, organization = {Salesforce Engineering}, url = {https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a}, language = {English}, urldate = {2020-12-03} } Easily Identify Malicious Servers on the Internet with JARM
Cobalt Strike TrickBot
2020-11-17Twitter (@VK_intel)Vitali Kremez
@online{kremez:20201117:new:2098c0a, author = {Vitali Kremez}, title = {{Tweet on a new fileless TrickBot loading method using code from MemoryModule}}, date = {2020-11-17}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1328578336021483522}, language = {English}, urldate = {2020-12-14} } Tweet on a new fileless TrickBot loading method using code from MemoryModule
TrickBot
2020-11-16Fox-ITAntonis Terefos, Anne Postma, Tera0017
@online{terefos:20201116:ta505:8449383, author = {Antonis Terefos and Anne Postma and Tera0017}, title = {{TA505: A Brief History Of Their Time}}, date = {2020-11-16}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/}, language = {English}, urldate = {2020-11-23} } TA505: A Brief History Of Their Time
Clop Get2 SDBbot TA505
2020-11-16Intel 471Intel 471
@online{471:20201116:ransomwareasaservice:11a5a8b, author = {Intel 471}, title = {{Ransomware-as-a-service: The pandemic within a pandemic}}, date = {2020-11-16}, organization = {Intel 471}, url = {https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/}, language = {English}, urldate = {2020-11-17} } Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX
2020-11-12Australian Cyber Security CentreAustralian Cyber Security Centre (ACSC)
@online{acsc:20201112:biotech:edf0f4a, author = {Australian Cyber Security Centre (ACSC)}, title = {{Biotech research firm Miltenyi Biotec hit by ransomware, data leaked}}, date = {2020-11-12}, organization = {Australian Cyber Security Centre}, url = {https://www.cyber.gov.au/acsc/view-all-content/alerts/sdbbot-targeting-health-sector}, language = {English}, urldate = {2020-11-18} } Biotech research firm Miltenyi Biotec hit by ransomware, data leaked
SDBbot
2020-11-12Hurricane LabsDusty Miller
@online{miller:20201112:splunking:26a0bd8, author = {Dusty Miller}, title = {{Splunking with Sysmon Part 4: Detecting Trickbot}}, date = {2020-11-12}, organization = {Hurricane Labs}, url = {https://hurricanelabs.com/splunk-tutorials/splunking-with-sysmon-part-4-detecting-trickbot/}, language = {English}, urldate = {2021-01-18} } Splunking with Sysmon Part 4: Detecting Trickbot
TrickBot
2020-11-10Intel 471Intel 471
@online{471:20201110:trickbot:5db76db, author = {Intel 471}, title = {{Trickbot down, but is it out?}}, date = {2020-11-10}, organization = {Intel 471}, url = {https://public.intel471.com/blog/trickbot-update-november-2020-bazar-loader-microsoft/}, language = {English}, urldate = {2020-11-11} } Trickbot down, but is it out?
BazarBackdoor TrickBot
2020-11-05Kaspersky LabsKaspersky Lab ICS CERT, Vyacheslav Kopeytsev
@techreport{cert:20201105:attackson:62f1e26, author = {Kaspersky Lab ICS CERT and Vyacheslav Kopeytsev}, title = {{Attackson industrial enterprises using RMS and TeamViewer: new data}}, date = {2020-11-05}, institution = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/media/Kaspersky-Attacks-on-industrial-enterprises-using-RMS-and-TeamViewer-EN.pdf}, language = {English}, urldate = {2020-11-06} } Attackson industrial enterprises using RMS and TeamViewer: new data
RMS
2020-11-04VMRayGiovanni Vigna
@online{vigna:20201104:trick:a59a333, author = {Giovanni Vigna}, title = {{Trick or Threat: Ryuk ransomware targets the health care industry}}, date = {2020-11-04}, organization = {VMRay}, url = {https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/}, language = {English}, urldate = {2020-11-06} } Trick or Threat: Ryuk ransomware targets the health care industry
BazarBackdoor Cobalt Strike Ryuk TrickBot
2020-10-29Palo Alto Networks Unit 42Brittany Barbehenn, Doel Santos, Brad Duncan
@online{barbehenn:20201029:threat:de33a6d, author = {Brittany Barbehenn and Doel Santos and Brad Duncan}, title = {{Threat Assessment: Ryuk Ransomware and Trickbot Targeting U.S. Healthcare and Public Health Sector}}, date = {2020-10-29}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/ryuk-ransomware/}, language = {English}, urldate = {2020-11-02} } Threat Assessment: Ryuk Ransomware and Trickbot Targeting U.S. Healthcare and Public Health Sector
Anchor BazarBackdoor Ryuk TrickBot
2020-10-29Red CanaryThe Red Canary Team
@online{team:20201029:bazar:1846b93, author = {The Red Canary Team}, title = {{A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak}}, date = {2020-10-29}, organization = {Red Canary}, url = {https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/}, language = {English}, urldate = {2020-11-02} } A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak
Cobalt Strike Ryuk TrickBot
2020-10-29Twitter (@anthomsec)Andrew Thompson
@online{thompson:20201029:unc1878:26c88d4, author = {Andrew Thompson}, title = {{Tweet on UNC1878 activity}}, date = {2020-10-29}, organization = {Twitter (@anthomsec)}, url = {https://twitter.com/anthomsec/status/1321865315513520128}, language = {English}, urldate = {2020-11-04} } Tweet on UNC1878 activity
BazarBackdoor Ryuk TrickBot UNC1878
2020-10-26Arbor NetworksSuweera De Souza
@online{souza:20201026:dropping:8ac1e1d, author = {Suweera De Souza}, title = {{Dropping the Anchor}}, date = {2020-10-26}, organization = {Arbor Networks}, url = {https://www.netscout.com/blog/asert/dropping-anchor}, language = {English}, urldate = {2020-10-29} } Dropping the Anchor
AnchorDNS Anchor TrickBot
2020-10-23HornetsecurityHornetsecurity Security Lab
@online{lab:20201023:leakwareransomwarehybrid:ae1de8e, author = {Hornetsecurity Security Lab}, title = {{Leakware-Ransomware-Hybrid Attacks}}, date = {2020-10-23}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/}, language = {English}, urldate = {2020-12-08} } Leakware-Ransomware-Hybrid Attacks
Avaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet SunCrypt
2020-10-20Intel 471Intel 471
@online{471:20201020:global:570e26f, author = {Intel 471}, title = {{Global Trickbot disruption operation shows promise}}, date = {2020-10-20}, organization = {Intel 471}, url = {https://public.intel471.com/blog/global-trickbot-disruption-operation-shows-promise/}, language = {English}, urldate = {2020-10-21} } Global Trickbot disruption operation shows promise
TrickBot
2020-10-20MicrosoftTom Burt
@online{burt:20201020:update:12549c2, author = {Tom Burt}, title = {{An update on disruption of Trickbot}}, date = {2020-10-20}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2020/10/20/trickbot-ransomware-disruption-update/}, language = {English}, urldate = {2020-10-23} } An update on disruption of Trickbot
TrickBot
2020-10-20Bundesamt für Sicherheit in der InformationstechnikBSI
@online{bsi:20201020:die:0683ad4, author = {BSI}, title = {{Die Lage der IT-Sicherheit in Deutschland 2020}}, date = {2020-10-20}, organization = {Bundesamt für Sicherheit in der Informationstechnik}, url = {https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2}, language = {German}, urldate = {2020-10-21} } Die Lage der IT-Sicherheit in Deutschland 2020
Clop Emotet REvil Ryuk TrickBot
2020-10-16DuoDennis Fisher
@online{fisher:20201016:trickbot:be18c46, author = {Dennis Fisher}, title = {{Trickbot Up to Its Old Tricks}}, date = {2020-10-16}, organization = {Duo}, url = {https://duo.com/decipher/trickbot-up-to-its-old-tricks}, language = {English}, urldate = {2020-10-23} } Trickbot Up to Its Old Tricks
TrickBot
2020-10-16CrowdStrikeThe Crowdstrike Intel Team
@online{team:20201016:wizard:12b648a, author = {The Crowdstrike Intel Team}, title = {{WIZARD SPIDER Update: Resilient, Reactive and Resolute}}, date = {2020-10-16}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/wizard-spider-adversary-update/}, language = {English}, urldate = {2020-10-21} } WIZARD SPIDER Update: Resilient, Reactive and Resolute
BazarBackdoor Conti Ryuk TrickBot
2020-10-15Intel 471Intel 471
@online{471:20201015:that:2d4b495, author = {Intel 471}, title = {{That was quick: Trickbot is back after disruption attempts}}, date = {2020-10-15}, organization = {Intel 471}, url = {https://public.intel471.com/blog/trickbot-online-emotet-microsoft-cyber-command-disruption-attempts/}, language = {English}, urldate = {2020-10-15} } That was quick: Trickbot is back after disruption attempts
TrickBot
2020-10-15Department of JusticeDepartment of Justice
@online{justice:20201015:officials:b340951, author = {Department of Justice}, title = {{Officials Announce International Operation Targeting Transnational Criminal Organization QQAAZZ that Provided Money Laundering Services to High-Level Cybercriminals}}, date = {2020-10-15}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization}, language = {English}, urldate = {2020-10-23} } Officials Announce International Operation Targeting Transnational Criminal Organization QQAAZZ that Provided Money Laundering Services to High-Level Cybercriminals
Dridex ISFB TrickBot
2020-10-12SymantecThreat Hunter Team
@online{team:20201012:trickbot:5c1e5bf, author = {Threat Hunter Team}, title = {{Trickbot: U.S. Court Order Hits Botnet’s Infrastructure}}, date = {2020-10-12}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/trickbot-botnet-ransomware-disruption}, language = {English}, urldate = {2020-10-12} } Trickbot: U.S. Court Order Hits Botnet’s Infrastructure
Ryuk TrickBot
2020-10-12LumenBlack Lotus Labs
@online{labs:20201012:look:7b422f7, author = {Black Lotus Labs}, title = {{A Look Inside The TrickBot Botnet}}, date = {2020-10-12}, organization = {Lumen}, url = {https://blog.lumen.com/a-look-inside-the-trickbot-botnet/}, language = {English}, urldate = {2020-10-12} } A Look Inside The TrickBot Botnet
TrickBot
2020-10-12US District Court for the Eastern District of Virginia
@techreport{virginia:20201012:trickbot:f3af852, author = {US District Court for the Eastern District of Virginia}, title = {{TRICKBOT complaint}}, date = {2020-10-12}, institution = {}, url = {https://noticeofpleadings.com/trickbot/files/Complaint%20and%20Summons/2020-10-06%20Trickbot%201%20Complaint%20with%20exs.pdf}, language = {English}, urldate = {2020-10-13} } TRICKBOT complaint
TrickBot
2020-10-12MicrosoftMicrosoft 365 Defender Threat Intelligence Team
@online{team:20201012:trickbot:e4f086f, author = {Microsoft 365 Defender Threat Intelligence Team}, title = {{Trickbot disrupted}}, date = {2020-10-12}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/10/12/trickbot-disrupted/}, language = {English}, urldate = {2020-10-12} } Trickbot disrupted
TrickBot
2020-10-12ESET ResearchJean-Ian Boutin
@online{boutin:20201012:eset:a7eeb51, author = {Jean-Ian Boutin}, title = {{ESET takes part in global operation to disrupt Trickbot}}, date = {2020-10-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/10/12/eset-takes-part-global-operation-disrupt-trickbot/}, language = {English}, urldate = {2020-10-12} } ESET takes part in global operation to disrupt Trickbot
TrickBot
2020-10-12MicrosoftTom Burt
@online{burt:20201012:new:045c1c3, author = {Tom Burt}, title = {{New action to combat ransomware ahead of U.S. elections}}, date = {2020-10-12}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/}, language = {English}, urldate = {2020-10-12} } New action to combat ransomware ahead of U.S. elections
Ryuk TrickBot
2020-10-10The Washington PostEllen Nakashima
@online{nakashima:20201010:cyber:9f29985, author = {Ellen Nakashima}, title = {{Cyber Command has sought to disrupt the world’s largest botnet, hoping to reduce its potential impact on the election}}, date = {2020-10-10}, organization = {The Washington Post}, url = {https://www.washingtonpost.com/national-security/cyber-command-trickbot-disrupt/2020/10/09/19587aae-0a32-11eb-a166-dc429b380d10_story.html}, language = {English}, urldate = {2020-10-12} } Cyber Command has sought to disrupt the world’s largest botnet, hoping to reduce its potential impact on the election
TrickBot
2020-10-08ZDNetCatalin Cimpanu
@online{cimpanu:20201008:german:7b88550, author = {Catalin Cimpanu}, title = {{German tech giant Software AG down after ransomware attack}}, date = {2020-10-08}, organization = {ZDNet}, url = {https://www.zdnet.com/article/german-tech-giant-software-ag-down-after-ransomware-attack/}, language = {English}, urldate = {2020-10-12} } German tech giant Software AG down after ransomware attack
Clop
2020-10-08BromiumAlex Holland
@online{holland:20201008:droppers:b8a580e, author = {Alex Holland}, title = {{Droppers, Downloaders and TrickBot: Detecting a Stealthy COVID-19-themed Campaign using Toolmarks}}, date = {2020-10-08}, organization = {Bromium}, url = {https://threatresearch.ext.hp.com/detecting-a-stealthy-trickbot-campaign/}, language = {English}, urldate = {2020-10-29} } Droppers, Downloaders and TrickBot: Detecting a Stealthy COVID-19-themed Campaign using Toolmarks
TrickBot
2020-10-06TelekomThomas Barabosch
@online{barabosch:20201006:eager:54da318, author = {Thomas Barabosch}, title = {{Eager Beaver: A Short Overview of the Restless Threat Actor TA505}}, date = {2020-10-06}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546}, language = {English}, urldate = {2020-10-08} } Eager Beaver: A Short Overview of the Restless Threat Actor TA505
Clop Get2 SDBbot TA505
2020-10-03AviraAvira Protection Labs
@online{labs:20201003:ta505:b03fbee, author = {Avira Protection Labs}, title = {{TA505 targets the Americas in a new campaign}}, date = {2020-10-03}, organization = {Avira}, url = {https://insights.oem.avira.com/ta505-apt-group-targets-americas/}, language = {English}, urldate = {2020-10-05} } TA505 targets the Americas in a new campaign
ServHelper
2020-10-02KrebsOnSecurityBrian Krebs
@online{krebs:20201002:attacks:a6dc6e3, author = {Brian Krebs}, title = {{Attacks Aimed at Disrupting the Trickbot Botnet}}, date = {2020-10-02}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2020/10/attacks-aimed-at-disrupting-the-trickbot-botnet/}, language = {English}, urldate = {2020-10-05} } Attacks Aimed at Disrupting the Trickbot Botnet
TrickBot
2020-10-02Health Sector Cybersecurity Coordination Center (HC3)Health Sector Cybersecurity Coordination Center (HC3)
@techreport{hc3:20201002:report:0ca373f, author = {Health Sector Cybersecurity Coordination Center (HC3)}, title = {{Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns}}, date = {2020-10-02}, institution = {Health Sector Cybersecurity Coordination Center (HC3)}, url = {https://www.hhs.gov/sites/default/files/bazarloader.pdf}, language = {English}, urldate = {2020-11-02} } Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns
BazarBackdoor Cobalt Strike Ryuk TrickBot
2020-09-30CERT-XLMPaul Jung
@techreport{jung:20200930:another:5edbad3, author = {Paul Jung}, title = {{Another Threat Actor day...}}, date = {2020-09-30}, institution = {CERT-XLM}, url = {https://vblocalhost.com/uploads/VB2020-Jung.pdf}, language = {English}, urldate = {2020-12-08} } Another Threat Actor day...
SDBbot
2020-09-29MicrosoftMicrosoft
@techreport{microsoft:20200929:microsoft:6e5d7b0, author = {Microsoft}, title = {{Microsoft Digital Defense Report}}, date = {2020-09-29}, institution = {Microsoft}, url = {https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf}, language = {English}, urldate = {2020-10-05} } Microsoft Digital Defense Report
Emotet IcedID Mailto Maze QakBot REvil RobinHood TrickBot
2020-09-29PWC UKAndy Auld
@online{auld:20200929:whats:2782a62, author = {Andy Auld}, title = {{What's behind the increase in ransomware attacks this year?}}, date = {2020-09-29}, organization = {PWC UK}, url = {https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html}, language = {English}, urldate = {2021-05-25} } What's behind the increase in ransomware attacks this year?
DarkSide Avaddon Clop Conti DoppelPaymer Dridex Emotet FriedEx Mailto PwndLocker QakBot REvil Ryuk SMAUG SunCrypt TrickBot WastedLocker
2020-09-22OSINT FansGabor Szathmari
@online{szathmari:20200922:what:60d1e26, author = {Gabor Szathmari}, title = {{What Service NSW has to do with Russia?}}, date = {2020-09-22}, organization = {OSINT Fans}, url = {https://osint.fans/service-nsw-russia-association}, language = {English}, urldate = {2020-09-23} } What Service NSW has to do with Russia?
TrickBot
2020-09-16Intel 471Intel 471
@online{471:20200916:partners:c65839f, author = {Intel 471}, title = {{Partners in crime: North Koreans and elite Russian-speaking cybercriminals}}, date = {2020-09-16}, organization = {Intel 471}, url = {https://public.intel471.com/blog/partners-in-crime-north-koreans-and-elite-russian-speaking-cybercriminals/}, language = {English}, urldate = {2020-09-23} } Partners in crime: North Koreans and elite Russian-speaking cybercriminals
TrickBot
2020-08-31cyber.wtf blogLuca Ebach
@online{ebach:20200831:trickbot:c975ec5, author = {Luca Ebach}, title = {{Trickbot rdpscanDll – Transforming Candidate Credentials for Brute-Forcing RDP Servers}}, date = {2020-08-31}, organization = {cyber.wtf blog}, url = {https://cyber.wtf/2020/08/31/trickbot-rdpscandll-password-transof/}, language = {English}, urldate = {2020-08-31} } Trickbot rdpscanDll – Transforming Candidate Credentials for Brute-Forcing RDP Servers
TrickBot
2020-08-25KELAVictoria Kivilevich
@online{kivilevich:20200825:how:5db6a82, author = {Victoria Kivilevich}, title = {{How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing}}, date = {2020-08-25}, organization = {KELA}, url = {https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/}, language = {English}, urldate = {2021-05-07} } How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing
Avaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil Sekhmet
2020-08-20sensecycyberthreatinsider
@online{cyberthreatinsider:20200820:global:34ee2ea, author = {cyberthreatinsider}, title = {{Global Ransomware Attacks in 2020: The Top 4 Vulnerabilities}}, date = {2020-08-20}, organization = {sensecy}, url = {https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/}, language = {English}, urldate = {2020-11-04} } Global Ransomware Attacks in 2020: The Top 4 Vulnerabilities
Clop Maze REvil Ryuk
2020-08-20CERT-FRCERT-FR
@techreport{certfr:20200820:development:d518522, author = {CERT-FR}, title = {{Development of the Activity of the TA505 Cybercriminal Group}}, date = {2020-08-20}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf}, language = {English}, urldate = {2020-08-28} } Development of the Activity of the TA505 Cybercriminal Group
AndroMut Bart Clop Dridex FlawedAmmyy FlawedGrace Get2 Locky Marap QuantLoader SDBbot ServHelper tRat TrickBot
2020-08-09F5 LabsRemi Cohen, Debbie Walkowski
@online{cohen:20200809:banking:8718999, author = {Remi Cohen and Debbie Walkowski}, title = {{Banking Trojans: A Reference Guide to the Malware Family Tree}}, date = {2020-08-09}, organization = {F5 Labs}, url = {https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree}, language = {English}, urldate = {2021-06-29} } Banking Trojans: A Reference Guide to the Malware Family Tree
BackSwap Carberp Citadel DanaBot Dridex Dyre Emotet Gozi Kronos PandaBanker Ramnit Shylock SpyEye Tinba TrickBot Vawtrak Zeus
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-07-22SentinelOneJason Reaves, Joshua Platt
@online{reaves:20200722:enter:71d9038, author = {Jason Reaves and Joshua Platt}, title = {{Enter the Maze: Demystifying an Affiliate Involved in Maze (SNOW)}}, date = {2020-07-22}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/}, language = {English}, urldate = {2020-07-23} } Enter the Maze: Demystifying an Affiliate Involved in Maze (SNOW)
ISFB Maze TrickBot Zloader
2020-07-20Bleeping ComputerLawrence Abrams
@online{abrams:20200720:emotettrickbot:a8e84d2, author = {Lawrence Abrams}, title = {{Emotet-TrickBot malware duo is back infecting Windows machines}}, date = {2020-07-20}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/emotet-trickbot-malware-duo-is-back-infecting-windows-machines/}, language = {English}, urldate = {2020-07-21} } Emotet-TrickBot malware duo is back infecting Windows machines
Emotet TrickBot
2020-07-15Intel 471Intel 471
@online{471:20200715:flowspec:683a5a1, author = {Intel 471}, title = {{Flowspec – TA505’s bulletproof hoster of choice}}, date = {2020-07-15}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/07/15/flowspec-ta505s-bulletproof-hoster-of-choice/}, language = {English}, urldate = {2020-07-16} } Flowspec – TA505’s bulletproof hoster of choice
Get2
2020-07-13JoeSecurityJoe Security
@online{security:20200713:trickbots:a164ba5, author = {Joe Security}, title = {{TrickBot's new API-Hammering explained}}, date = {2020-07-13}, organization = {JoeSecurity}, url = {https://www.joesecurity.org/blog/498839998833561473}, language = {English}, urldate = {2020-07-15} } TrickBot's new API-Hammering explained
TrickBot
2020-07-11BleepingComputerLawrence Abrams
@online{abrams:20200711:trickbot:7e70ad3, author = {Lawrence Abrams}, title = {{TrickBot malware mistakenly warns victims that they are infected}}, date = {2020-07-11}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/trickbot-malware-mistakenly-warns-victims-that-they-are-infected/}, language = {English}, urldate = {2020-07-15} } TrickBot malware mistakenly warns victims that they are infected
TrickBot
2020-07-11Advanced IntelligenceVitali Kremez
@online{kremez:20200711:trickbot:602fd73, author = {Vitali Kremez}, title = {{TrickBot Group Launches Test Module Alerting on Fraud Activity}}, date = {2020-07-11}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/trickbot-group-launches-test-module-alerting-on-fraud-activity}, language = {English}, urldate = {2020-07-13} } TrickBot Group Launches Test Module Alerting on Fraud Activity
TrickBot
2020-07-09GdataG DATA Security Lab
@online{lab:20200709:servhelper:13899fd, author = {G DATA Security Lab}, title = {{ServHelper: Hidden Miners}}, date = {2020-07-09}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/2020/07/36122-hidden-miners}, language = {English}, urldate = {2020-07-16} } ServHelper: Hidden Miners
ServHelper
2020-07-07HornetsecurityHornetsecurity Security Lab
@online{lab:20200707:clop:12bb60d, author = {Hornetsecurity Security Lab}, title = {{Clop, Clop! It’s a TA505 HTML malspam analysis}}, date = {2020-07-07}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/clop-clop-ta505-html-malspam-analysis/}, language = {English}, urldate = {2020-07-30} } Clop, Clop! It’s a TA505 HTML malspam analysis
Clop Get2
2020-07-06NTTSecurity division of NTT Ltd.
@online{ltd:20200706:trickbot:9612912, author = {Security division of NTT Ltd.}, title = {{TrickBot variant “Anchor_DNS” communicating over DNS}}, date = {2020-07-06}, organization = {NTT}, url = {https://hello.global.ntt/en-us/insights/blog/trickbot-variant-communicating-over-dns}, language = {English}, urldate = {2020-07-30} } TrickBot variant “Anchor_DNS” communicating over DNS
AnchorDNS TrickBot
2020-06-22BleepingComputerLawrence Abrams
@online{abrams:20200622:indiabulls:ce0fcdb, author = {Lawrence Abrams}, title = {{Indiabulls Group hit by CLOP Ransomware, gets 24h leak deadline}}, date = {2020-06-22}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/indiabulls-group-hit-by-clop-ransomware-gets-24h-leak-deadline/}, language = {English}, urldate = {2020-06-23} } Indiabulls Group hit by CLOP Ransomware, gets 24h leak deadline
Clop
2020-06-22Sentinel LABSJoshua Platt, Jason Reaves
@online{platt:20200622:inside:b381dd5, author = {Joshua Platt and Jason Reaves}, title = {{Inside a TrickBot Cobalt Strike Attack Server}}, date = {2020-06-22}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/}, language = {English}, urldate = {2020-06-23} } Inside a TrickBot Cobalt Strike Attack Server
Cobalt Strike TrickBot
2020-06-22CERT-FRCERT-FR
@techreport{certfr:20200622:volution:fba1cfa, author = {CERT-FR}, title = {{Évolution De Lactivité du Groupe Cybercriminel TA505}}, date = {2020-06-22}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf}, language = {French}, urldate = {2020-06-24} } Évolution De Lactivité du Groupe Cybercriminel TA505
Amadey AndroMut Bart Clop Dridex FlawedGrace Gandcrab Get2 GlobeImposter Jaff Locky Marap Philadephia Ransom QuantLoader Scarab Ransomware SDBbot ServHelper Silence tRat TrickBot
2020-06-17Twitter (@VK_intel)Vitali Kremez, malwrhunterteam
@online{kremez:20200617:signed:f8eecc6, author = {Vitali Kremez and malwrhunterteam}, title = {{Tweet on signed Tinymet payload (V.02) used by TA505}}, date = {2020-06-17}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1273292957429510150}, language = {English}, urldate = {2020-06-18} } Tweet on signed Tinymet payload (V.02) used by TA505
TinyMet
2020-06-17Youtube (Red Canary)Erika Noerenberg, Matt Graeber, Adam Pennington, David Kaplan
@online{noerenberg:20200617:attck:934d73c, author = {Erika Noerenberg and Matt Graeber and Adam Pennington and David Kaplan}, title = {{ATT&CK® Deep Dive: Process Injection}}, date = {2020-06-17}, organization = {Youtube (Red Canary)}, url = {https://redcanary.com/resources/webinars/deep-dive-process-injection/}, language = {English}, urldate = {2020-06-19} } ATT&CK® Deep Dive: Process Injection
ISFB Ramnit TrickBot
2020-06-17Twitter (@MsftSecIntel)Microsoft Security Intelligence
@online{intelligence:20200617:thread:b4b74d5, author = {Microsoft Security Intelligence}, title = {{A tweet thread on TA505 using CAPTCHA to avoid detection and infecting victims with FlawedGrace}}, date = {2020-06-17}, organization = {Twitter (@MsftSecIntel)}, url = {https://twitter.com/MsftSecIntel/status/1273359829390655488}, language = {English}, urldate = {2020-06-18} } A tweet thread on TA505 using CAPTCHA to avoid detection and infecting victims with FlawedGrace
FlawedGrace
2020-06-16TelekomThomas Barabosch
@online{barabosch:20200616:ta505:619f2c6, author = {Thomas Barabosch}, title = {{TA505 returns with a new bag of tricks}}, date = {2020-06-16}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104}, language = {English}, urldate = {2020-06-18} } TA505 returns with a new bag of tricks
Clop Get2 SDBbot TA505
2020-06-15FortinetVal Saengphaibul, Fred Gutierrez
@online{saengphaibul:20200615:global:5c4be18, author = {Val Saengphaibul and Fred Gutierrez}, title = {{Global Malicious Spam Campaign Using Black Lives Matter as a Lure}}, date = {2020-06-15}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/global-malicious-spam-campaign-using-black-lives-matter-as-a-lure}, language = {English}, urldate = {2020-06-16} } Global Malicious Spam Campaign Using Black Lives Matter as a Lure
TrickBot
2020-06-12HornetsecuritySecurity Lab
@online{lab:20200612:trickbot:2bf54ef, author = {Security Lab}, title = {{Trickbot Malspam Leveraging Black Lives Matter as Lure}}, date = {2020-06-12}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/trickbot-malspam-leveraging-black-lives-matter-as-lure/}, language = {English}, urldate = {2020-07-01} } Trickbot Malspam Leveraging Black Lives Matter as Lure
TrickBot
2020-06-11CofenseJason Meurer
@online{meurer:20200611:all:cc2e167, author = {Jason Meurer}, title = {{All You Need Is Text: Second Wave}}, date = {2020-06-11}, organization = {Cofense}, url = {https://cofenselabs.com/all-you-need-is-text-second-wave/}, language = {English}, urldate = {2020-06-12} } All You Need Is Text: Second Wave
TrickBot
2020-06-02Lastline LabsJames Haughom, Stefano Ortolani
@online{haughom:20200602:evolution:3286d87, author = {James Haughom and Stefano Ortolani}, title = {{Evolution of Excel 4.0 Macro Weaponization}}, date = {2020-06-02}, organization = {Lastline Labs}, url = {https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/}, language = {English}, urldate = {2020-06-03} } Evolution of Excel 4.0 Macro Weaponization
Agent Tesla DanaBot ISFB TrickBot Zloader
2020-05-28Palo Alto Networks Unit 42Brad Duncan
@online{duncan:20200528:goodbye:87a0245, author = {Brad Duncan}, title = {{Goodbye Mworm, Hello Nworm: TrickBot Updates Propagation Module}}, date = {2020-05-28}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/}, language = {English}, urldate = {2020-05-29} } Goodbye Mworm, Hello Nworm: TrickBot Updates Propagation Module
TrickBot
2020-05-24Positive TechnologiesPT ESC Threat Intelligence
@online{intelligence:20200524:operation:2ce432b, author = {PT ESC Threat Intelligence}, title = {{Operation TA505: network infrastructure. Part 3.}}, date = {2020-05-24}, organization = {Positive Technologies}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/}, language = {English}, urldate = {2020-11-23} } Operation TA505: network infrastructure. Part 3.
AndroMut Buhtrap SmokeLoader
2020-05-22Positive TechnologiesPT ESC Threat Intelligence
@online{intelligence:20200522:operation:6e4f978, author = {PT ESC Threat Intelligence}, title = {{Operation TA505: investigating the ServHelper backdoor with NetSupport RAT. Part 2.}}, date = {2020-05-22}, organization = {Positive Technologies}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part2/}, language = {English}, urldate = {2020-11-23} } Operation TA505: investigating the ServHelper backdoor with NetSupport RAT. Part 2.
NetSupportManager RAT ServHelper
2020-05-21Intel 471Intel 471
@online{471:20200521:brief:048d164, author = {Intel 471}, title = {{A brief history of TA505}}, date = {2020-05-21}, organization = {Intel 471}, url = {https://intel471.com/blog/a-brief-history-of-ta505}, language = {English}, urldate = {2022-02-14} } A brief history of TA505
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot
2020-05-20PTSecurityPT ESC Threat Intelligence
@online{intelligence:20200520:operation:7f6282e, author = {PT ESC Threat Intelligence}, title = {{Operation TA505: how we analyzed new tools from the creators of the Dridex trojan, Locky ransomware, and Neutrino botnet}}, date = {2020-05-20}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505/}, language = {English}, urldate = {2020-06-05} } Operation TA505: how we analyzed new tools from the creators of the Dridex trojan, Locky ransomware, and Neutrino botnet
FlawedAmmyy
2020-05-19AlienLabsOfer Caspi
@online{caspi:20200519:trickbot:50c2a51, author = {Ofer Caspi}, title = {{TrickBot BazarLoader In-Depth}}, date = {2020-05-19}, organization = {AlienLabs}, url = {https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth}, language = {English}, urldate = {2020-05-20} } TrickBot BazarLoader In-Depth
Anchor BazarBackdoor TrickBot
2020-05-18ThreatpostTara Seals
@online{seals:20200518:ransomware:265e1f4, author = {Tara Seals}, title = {{Ransomware Gang Arrested for Spreading Locky to Hospitals}}, date = {2020-05-18}, organization = {Threatpost}, url = {https://threatpost.com/ransomware-gang-arrested-locky-hospitals/155842/}, language = {English}, urldate = {2020-07-06} } Ransomware Gang Arrested for Spreading Locky to Hospitals
Locky
2020-05-14SentinelOneJason Reaves
@online{reaves:20200514:deep:1ee83b6, author = {Jason Reaves}, title = {{Deep Dive Into TrickBot Executor Module “mexec”: Reversing the Dropper Variant}}, date = {2020-05-14}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-reversing-the-dropper-variant/}, language = {English}, urldate = {2020-05-18} } Deep Dive Into TrickBot Executor Module “mexec”: Reversing the Dropper Variant
TrickBot
2020-04-14IntrinsecJean Bichet
@online{bichet:20200414:deobfuscating:d7320ab, author = {Jean Bichet}, title = {{Deobfuscating and hunting for OSTAP, Trickbot’s dropper and best friend}}, date = {2020-04-14}, organization = {Intrinsec}, url = {https://www.intrinsec.com/deobfuscating-hunting-ostap/}, language = {English}, urldate = {2021-01-11} } Deobfuscating and hunting for OSTAP, Trickbot’s dropper and best friend
ostap TrickBot
2020-04-14Intel 471Intel 471
@online{471:20200414:understanding:ca95961, author = {Intel 471}, title = {{Understanding the relationship between Emotet, Ryuk and TrickBot}}, date = {2020-04-14}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/}, language = {English}, urldate = {2020-04-26} } Understanding the relationship between Emotet, Ryuk and TrickBot
Emotet Ryuk TrickBot
2020-04-09Github (Tera0017)Tera0017
@online{tera0017:20200409:sdbbot:a6c333e, author = {Tera0017}, title = {{SDBbot Unpacker}}, date = {2020-04-09}, organization = {Github (Tera0017)}, url = {https://github.com/Tera0017/SDBbot-Unpacker}, language = {English}, urldate = {2020-04-13} } SDBbot Unpacker
SDBbot
2020-04-09ZscalerAtinderpal Singh, Abhay Yadav
@online{singh:20200409:trickbot:9db52c2, author = {Atinderpal Singh and Abhay Yadav}, title = {{TrickBot Emerges with a Few New Tricks}}, date = {2020-04-09}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/trickbot-emerges-few-new-tricks}, language = {English}, urldate = {2020-07-01} } TrickBot Emerges with a Few New Tricks
TrickBot
2020-04-08SentinelOneJason Reaves
@online{reaves:20200408:deep:87b83bb, author = {Jason Reaves}, title = {{Deep Dive Into TrickBot Executor Module “mexec”: Hidden “Anchor” Bot Nexus Operations}}, date = {2020-04-08}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/}, language = {English}, urldate = {2020-04-13} } Deep Dive Into TrickBot Executor Module “mexec”: Hidden “Anchor” Bot Nexus Operations
Anchor TrickBot
2020-04-08SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20200408:how:192d583, author = {Counter Threat Unit ResearchTeam}, title = {{How Cyber Adversaries are Adapting to Exploit the Global Pandemic}}, date = {2020-04-08}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/how-cyber-adversaries-are-adapting-to-exploit-the-global-pandemic}, language = {English}, urldate = {2021-05-28} } How Cyber Adversaries are Adapting to Exploit the Global Pandemic
GOLD SOUTHFIELD TA2101 TA505 WIZARD SPIDER
2020-04-07SecurityIntelligenceOle Villadsen
@online{villadsen:20200407:itg08:b0b782d, author = {Ole Villadsen}, title = {{ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework}}, date = {2020-04-07}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/}, language = {English}, urldate = {2020-04-13} } ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework
More_eggs Anchor TrickBot
2020-04-01CiscoShyam Sundar Ramaswami, Andrea Kaiser
@online{ramaswami:20200401:navigating:965952a, author = {Shyam Sundar Ramaswami and Andrea Kaiser}, title = {{Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors}}, date = {2020-04-01}, organization = {Cisco}, url = {https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors}, language = {English}, urldate = {2020-08-19} } Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors
Azorult CloudEyE Formbook KPOT Stealer Metamorfo Nanocore RAT NetWire RC TrickBot
2020-03-31Cisco TalosChris Neal
@online{neal:20200331:trickbot:dcf5314, author = {Chris Neal}, title = {{Trickbot: A primer}}, date = {2020-03-31}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/03/trickbot-primer.html}, language = {English}, urldate = {2020-04-01} } Trickbot: A primer
TrickBot
2020-03-31FireEyeVan Ta, Aaron Stephens
@online{ta:20200331:its:632dfca, author = {Van Ta and Aaron Stephens}, title = {{It’s Your Money and They Want It Now - The Cycle of Adversary Pursuit}}, date = {2020-03-31}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html}, language = {English}, urldate = {2020-04-06} } It’s Your Money and They Want It Now - The Cycle of Adversary Pursuit
Ryuk TrickBot UNC1878
2020-03-30IntezerMichael Kajiloti
@online{kajiloti:20200330:fantastic:c01db60, author = {Michael Kajiloti}, title = {{Fantastic payloads and where we find them}}, date = {2020-03-30}, organization = {Intezer}, url = {https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them}, language = {English}, urldate = {2020-04-07} } Fantastic payloads and where we find them
Dridex Emotet ISFB TrickBot
2020-03-26TelekomThomas Barabosch
@online{barabosch:20200326:ta505s:24d9805, author = {Thomas Barabosch}, title = {{TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer}}, date = {2020-03-26}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672}, language = {English}, urldate = {2020-03-27} } TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer
Amadey Azorult Clop FlawedGrace Get2 SDBbot Silence TinyMet TA505
2020-03-25Wilbur SecurityJW
@online{jw:20200325:trickbot:17b0dc3, author = {JW}, title = {{Trickbot to Ryuk in Two Hours}}, date = {2020-03-25}, organization = {Wilbur Security}, url = {https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/}, language = {English}, urldate = {2020-03-26} } Trickbot to Ryuk in Two Hours
Cobalt Strike Ryuk TrickBot
2020-03-24Bleeping ComputerLawrence Abrams
@online{abrams:20200324:three:fb92d03, author = {Lawrence Abrams}, title = {{Three More Ransomware Families Create Sites to Leak Stolen Data}}, date = {2020-03-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/}, language = {English}, urldate = {2020-03-26} } Three More Ransomware Families Create Sites to Leak Stolen Data
Clop DoppelPaymer Maze Nefilim Nemty REvil
2020-03-18BitdefenderLiviu Arsene, Radu Tudorica, Alexandru Maximciuc, Cristina Vatamanu
@techreport{arsene:20200318:new:2d895da, author = {Liviu Arsene and Radu Tudorica and Alexandru Maximciuc and Cristina Vatamanu}, title = {{New TrickBot Module Bruteforces RDP Connections, Targets Select Telecommunication Services in US and Hong Kong}}, date = {2020-03-18}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/316/Bitdefender-Whitepaper-TrickBot-en-EN-interactive.pdf}, language = {English}, urldate = {2020-03-19} } New TrickBot Module Bruteforces RDP Connections, Targets Select Telecommunication Services in US and Hong Kong
TrickBot
2020-03-18ProofpointAxel F, Sam Scholten
@online{f:20200318:coronavirus:8fe12a3, author = {Axel F and Sam Scholten}, title = {{Coronavirus Threat Landscape Update}}, date = {2020-03-18}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update}, language = {English}, urldate = {2020-03-26} } Coronavirus Threat Landscape Update
Agent Tesla Get2 ISFB Remcos
2020-03-09FortinetXiaopeng Zhang
@online{zhang:20200309:new:ff60491, author = {Xiaopeng Zhang}, title = {{New Variant of TrickBot Being Spread by Word Document}}, date = {2020-03-09}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/new-variant-of-trickbot-being-spread-by-word-document.html}, language = {English}, urldate = {2020-04-26} } New Variant of TrickBot Being Spread by Word Document
TrickBot
2020-03-05MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200305:humanoperated:d90a28e, author = {Microsoft Threat Protection Intelligence Team}, title = {{Human-operated ransomware attacks: A preventable disaster}}, date = {2020-03-05}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/}, language = {English}, urldate = {2020-03-06} } Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER Pirate Panda SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-03-04Bleeping ComputerLawrence Abrams
@online{abrams:20200304:ryuk:31f2ce0, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Attacked Epiq Global Via TrickBot Infection}}, date = {2020-03-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/}, language = {English}, urldate = {2020-03-09} } Ryuk Ransomware Attacked Epiq Global Via TrickBot Infection
Ryuk TrickBot
2020-03-04SentinelOneJason Reaves
@online{reaves:20200304:breaking:8262e7e, author = {Jason Reaves}, title = {{Breaking TA505’s Crypter with an SMT Solver}}, date = {2020-03-04}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/}, language = {English}, urldate = {2020-03-04} } Breaking TA505’s Crypter with an SMT Solver
Clop CryptoMix MINEBRIDGE
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2020-02-28MorphisecMichael Gorelik
@online{gorelik:20200228:trickbot:678683b, author = {Michael Gorelik}, title = {{Trickbot Delivery Method Gets a New Upgrade Focusing on Windows 10}}, date = {2020-02-28}, organization = {Morphisec}, url = {https://blog.morphisec.com/trickbot-delivery-method-gets-a-new-upgrade-focusing-on-windows}, language = {English}, urldate = {2020-03-03} } Trickbot Delivery Method Gets a New Upgrade Focusing on Windows 10
TrickBot
2020-02-28Financial Security InstituteFinancial Security Institute
@online{institute:20200228:profiling:ebaa39b, author = {Financial Security Institute}, title = {{Profiling of TA505 Threat Group That Continues to Attack the Financial Sector}}, date = {2020-02-28}, organization = {Financial Security Institute}, url = {https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do}, language = {English}, urldate = {2020-02-28} } Profiling of TA505 Threat Group That Continues to Attack the Financial Sector
Amadey Clop FlawedAmmyy Rapid Ransom SDBbot TinyMet
2020-02-26SentinelOneJason Reaves
@online{reaves:20200226:revealing:2c3fc63, author = {Jason Reaves}, title = {{Revealing the Trick | A Deep Dive into TrickLoader Obfuscation}}, date = {2020-02-26}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/revealing-the-trick-a-deep-dive-into-trickloader-obfuscation/}, language = {English}, urldate = {2020-02-27} } Revealing the Trick | A Deep Dive into TrickLoader Obfuscation
TrickBot
2020-02-20ZDNetCatalin Cimpanu
@online{cimpanu:20200220:croatias:ac07fa3, author = {Catalin Cimpanu}, title = {{Croatia's largest petrol station chain impacted by cyber-attack}}, date = {2020-02-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/croatias-largest-petrol-station-chain-impacted-by-cyber-attack/}, language = {English}, urldate = {2020-02-26} } Croatia's largest petrol station chain impacted by cyber-attack
Clop
2020-02-19FireEyeFireEye
@online{fireeye:20200219:mtrends:193613a, author = {FireEye}, title = {{M-Trends 2020}}, date = {2020-02-19}, organization = {FireEye}, url = {https://content.fireeye.com/m-trends/rpt-m-trends-2020}, language = {English}, urldate = {2020-02-20} } M-Trends 2020
Cobalt Strike Grateful POS LockerGoga QakBot TrickBot
2020-02-18Sophos LabsLuca Nagy
@online{nagy:20200218:nearly:8ff363f, author = {Luca Nagy}, title = {{Nearly a quarter of malware now communicates using TLS}}, date = {2020-02-18}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/}, language = {English}, urldate = {2020-02-27} } Nearly a quarter of malware now communicates using TLS
Dridex IcedID TrickBot
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020-02-10viXraJason Reaves
@techreport{reaves:20200210:case:3f668be, author = {Jason Reaves}, title = {{A Case Study into solving Crypters/Packers in Malware Obfuscation using an SMT approach}}, date = {2020-02-10}, institution = {viXra}, url = {https://vixra.org/pdf/2002.0183v1.pdf}, language = {English}, urldate = {2020-02-27} } A Case Study into solving Crypters/Packers in Malware Obfuscation using an SMT approach
Locky
2020-02-10MalwarebytesAdam Kujawa, Wendy Zamora, Jérôme Segura, Thomas Reed, Nathan Collier, Jovi Umawing, Chris Boyd, Pieter Arntz, David Ruiz
@techreport{kujawa:20200210:2020:3fdaf12, author = {Adam Kujawa and Wendy Zamora and Jérôme Segura and Thomas Reed and Nathan Collier and Jovi Umawing and Chris Boyd and Pieter Arntz and David Ruiz}, title = {{2020 State of Malware Report}}, date = {2020-02-10}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf}, language = {English}, urldate = {2020-02-13} } 2020 State of Malware Report
magecart Emotet QakBot REvil Ryuk TrickBot WannaCryptor
2020-02-07Bleeping ComputerSergiu Gatlan
@online{gatlan:20200207:ta505:7a8e5a2, author = {Sergiu Gatlan}, title = {{TA505 Hackers Behind Maastricht University Ransomware Attack}}, date = {2020-02-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ta505-hackers-behind-maastricht-university-ransomware-attack/}, language = {English}, urldate = {2020-02-13} } TA505 Hackers Behind Maastricht University Ransomware Attack
Clop
2020-01-30MorphisecArnold Osipov
@online{osipov:20200130:trickbot:da5c80d, author = {Arnold Osipov}, title = {{Trickbot Trojan Leveraging a New Windows 10 UAC Bypass}}, date = {2020-01-30}, organization = {Morphisec}, url = {https://blog.morphisec.com/trickbot-uses-a-new-windows-10-uac-bypass}, language = {English}, urldate = {2020-02-03} } Trickbot Trojan Leveraging a New Windows 10 UAC Bypass
TrickBot
2020-01-30Bleeping ComputerLawrence Abrams
@online{abrams:20200130:trickbot:22db786, author = {Lawrence Abrams}, title = {{TrickBot Uses a New Windows 10 UAC Bypass to Launch Quietly}}, date = {2020-01-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly/}, language = {English}, urldate = {2020-02-03} } TrickBot Uses a New Windows 10 UAC Bypass to Launch Quietly
TrickBot
2020-01-29ANSSIANSSI
@techreport{anssi:20200129:tat:3d59e6e, author = {ANSSI}, title = {{État de la menace rançongiciel}}, date = {2020-01-29}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf}, language = {English}, urldate = {2020-02-03} } État de la menace rançongiciel
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam
2020-01-29Bleeping ComputerLawrence Abrams
@online{abrams:20200129:malware:920dc7e, author = {Lawrence Abrams}, title = {{Malware Tries to Trump Security Software With POTUS Impeachment}}, date = {2020-01-29}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/malware-tries-to-trump-security-software-with-potus-impeachment/}, language = {English}, urldate = {2020-02-03} } Malware Tries to Trump Security Software With POTUS Impeachment
TrickBot
2020-01-27T-SystemsT-Systems
@techreport{tsystems:20200127:vorlufiger:39dc989, author = {T-Systems}, title = {{Vorläufiger forensischer Abschlussbericht zur Untersuchung des Incidents beim Berliner Kammergericht}}, date = {2020-01-27}, institution = {T-Systems}, url = {https://www.berlin.de/sen/justva/presse/pressemitteilungen/2020/pm-11-2020-t-systems-forensik_bericht_public_v1.pdf}, language = {German}, urldate = {2020-01-28} } Vorläufiger forensischer Abschlussbericht zur Untersuchung des Incidents beim Berliner Kammergericht
Emotet TrickBot
2020-01-23Bleeping ComputerLawrence Abrams
@online{abrams:20200123:trickbot:5ca7827, author = {Lawrence Abrams}, title = {{TrickBot Now Steals Windows Active Directory Credentials}}, date = {2020-01-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trickbot-now-steals-windows-active-directory-credentials/}, language = {English}, urldate = {2020-01-27} } TrickBot Now Steals Windows Active Directory Credentials
TrickBot
2020-01-17Ken Sajo, Yasuhiro Takeda, Yusuke Niwa
@techreport{sajo:20200117:battle:2b146f5, author = {Ken Sajo and Yasuhiro Takeda and Yusuke Niwa}, title = {{Battle Against Ursnif Malspam Campaign targeting Japan}}, date = {2020-01-17}, institution = {}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf}, language = {English}, urldate = {2020-01-17} } Battle Against Ursnif Malspam Campaign targeting Japan
Cutwail ISFB TrickBot UrlZone
2020-01-16Bleeping ComputerLawrence Abrams
@online{abrams:20200116:trickbot:ed6fdb3, author = {Lawrence Abrams}, title = {{TrickBot Now Uses a Windows 10 UAC Bypass to Evade Detection}}, date = {2020-01-16}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trickbot-now-uses-a-windows-10-uac-bypass-to-evade-detection/}, language = {English}, urldate = {2020-01-20} } TrickBot Now Uses a Windows 10 UAC Bypass to Evade Detection
TrickBot
2020-01-14TelekomThomas Barabosch
@online{barabosch:20200114:inside:2187ad3, author = {Thomas Barabosch}, title = {{Inside of CL0P’s ransomware operation}}, date = {2020-01-14}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824}, language = {English}, urldate = {2021-01-14} } Inside of CL0P’s ransomware operation
Clop Get2 SDBbot
2020-01-13Github (Tera0017)Tera0017
@online{tera0017:20200113:tafof:d939bc6, author = {Tera0017}, title = {{TAFOF Unpacker}}, date = {2020-01-13}, organization = {Github (Tera0017)}, url = {https://github.com/Tera0017/TAFOF-Unpacker}, language = {English}, urldate = {2020-03-30} } TAFOF Unpacker
Clop Get2 Silence
2020-01-10CSISCSIS
@techreport{csis:20200110:threat:7454f36, author = {CSIS}, title = {{Threat Matrix H1 2019}}, date = {2020-01-10}, institution = {CSIS}, url = {https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf}, language = {English}, urldate = {2020-01-22} } Threat Matrix H1 2019
Gustuff magecart Emotet Gandcrab Ramnit TrickBot
2020-01-09SentinelOneVitali Kremez, Joshua Platt, Jason Reaves
@online{kremez:20200109:toptier:4f8de90, author = {Vitali Kremez and Joshua Platt and Jason Reaves}, title = {{Top-Tier Russian Organized Cybercrime Group Unveils Fileless Stealthy “PowerTrick” Backdoor for High-Value Targets}}, date = {2020-01-09}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/}, language = {English}, urldate = {2020-01-13} } Top-Tier Russian Organized Cybercrime Group Unveils Fileless Stealthy “PowerTrick” Backdoor for High-Value Targets
TrickBot WIZARD SPIDER
2020-01-09SonicWallSonicWall
@online{sonicwall:20200109:servhelper:3e6a00c, author = {SonicWall}, title = {{ServHelper 2.0: Enriched with bot capabilities and allow remote desktop access}}, date = {2020-01-09}, organization = {SonicWall}, url = {https://securitynews.sonicwall.com/xmlpost/servhelper-2-0-enriched-with-bot-capabilities-and-allow-remote-desktop-access/}, language = {English}, urldate = {2020-09-18} } ServHelper 2.0: Enriched with bot capabilities and allow remote desktop access
ServHelper
2020-01-07Github (albertzsigovits)Albert Zsigovits
@online{zsigovits:20200107:clop:07d2a90, author = {Albert Zsigovits}, title = {{Clop ransomware Notes}}, date = {2020-01-07}, organization = {Github (albertzsigovits)}, url = {https://github.com/albertzsigovits/malware-notes/blob/master/Clop.md}, language = {English}, urldate = {2020-01-09} } Clop ransomware Notes
Clop
2020-01-07Github (albertzsigovits)Albert Zsigovits
@online{zsigovits:20200107:clop:3e7202e, author = {Albert Zsigovits}, title = {{Clop ransomware Notes}}, date = {2020-01-07}, organization = {Github (albertzsigovits)}, url = {https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Clop.md}, language = {English}, urldate = {2020-02-01} } Clop ransomware Notes
Clop
2020SecureworksSecureWorks
@online{secureworks:2020:gold:d8faa3e, author = {SecureWorks}, title = {{GOLD ULRICK}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-ulrick}, language = {English}, urldate = {2020-05-23} } GOLD ULRICK
Empire Downloader Ryuk TrickBot WIZARD SPIDER
2020SecureworksSecureWorks
@online{secureworks:2020:gold:21c4d39, author = {SecureWorks}, title = {{GOLD BLACKBURN}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-blackburn}, language = {English}, urldate = {2020-05-23} } GOLD BLACKBURN
Dyre TrickBot
2020SecureworksSecureWorks
@online{secureworks:2020:gold:97e5784, author = {SecureWorks}, title = {{GOLD NIAGARA}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-niagara}, language = {English}, urldate = {2020-05-23} } GOLD NIAGARA
Bateleur Griffon Carbanak Cobalt Strike DRIFTPIN TinyMet FIN7
2020SecureworksSecureWorks
@online{secureworks:2020:gold:f38f910, author = {SecureWorks}, title = {{GOLD TAHOE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-tahoe}, language = {English}, urldate = {2020-05-23} } GOLD TAHOE
Clop FlawedAmmyy FlawedGrace Get2 SDBbot ServHelper TA505
2020SecureworksSecureWorks
@online{secureworks:2020:gold:65fcc96, author = {SecureWorks}, title = {{GOLD SWATHMORE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-swathmore}, language = {English}, urldate = {2020-05-23} } GOLD SWATHMORE
GlobeImposter Gozi IcedID TrickBot LUNAR SPIDER
2019-12-20Binary DefenseJames Quinn
@online{quinn:20191220:updated:2408ee7, author = {James Quinn}, title = {{An Updated ServHelper Tunnel Variant}}, date = {2019-12-20}, organization = {Binary Defense}, url = {https://www.binarydefense.com/an-updated-servhelper-tunnel-variant/}, language = {English}, urldate = {2020-01-13} } An Updated ServHelper Tunnel Variant
ServHelper
2019-12-17BluelivAdrián Ruiz, Jose Miguel Esparza, Blueliv Labs Team
@online{ruiz:20191217:ta505:1c1204e, author = {Adrián Ruiz and Jose Miguel Esparza and Blueliv Labs Team}, title = {{TA505 evolves ServHelper, uses Predator The Thief and Team Viewer Hijacking}}, date = {2019-12-17}, organization = {Blueliv}, url = {https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/servhelper-evolution-and-new-ta505-campaigns/}, language = {English}, urldate = {2020-01-09} } TA505 evolves ServHelper, uses Predator The Thief and Team Viewer Hijacking
ServHelper TA505
2019-12-12FireEyeChi-en Shen, Oleg Bondarenko
@online{shen:20191212:cyber:e01baca, author = {Chi-en Shen and Oleg Bondarenko}, title = {{Cyber Threat Landscape in Japan – Revealing Threat in the Shadow}}, date = {2019-12-12}, organization = {FireEye}, url = {https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko}, language = {English}, urldate = {2020-04-16} } Cyber Threat Landscape in Japan – Revealing Threat in the Shadow
Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech
2019-12-09Palo Alto Networks Unit 42Bryan Lee, Brittany Ash, Mike Harbison
@online{lee:20191209:trickbot:48d9da3, author = {Bryan Lee and Brittany Ash and Mike Harbison}, title = {{TrickBot Campaign Uses Fake Payroll Emails to Conduct Phishing Attacks}}, date = {2019-12-09}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/trickbot-campaign-uses-fake-payroll-emails-to-conduct-phishing-attacks/}, language = {English}, urldate = {2020-01-22} } TrickBot Campaign Uses Fake Payroll Emails to Conduct Phishing Attacks
TrickBot
2019-11-24Jacob Pimental
@online{pimental:20191124:ta505:fb32d29, author = {Jacob Pimental}, title = {{TA505 Get2 Analysis}}, date = {2019-11-24}, url = {https://www.goggleheadedhacker.com/blog/post/13}, language = {English}, urldate = {2019-12-17} } TA505 Get2 Analysis
Get2
2019-11-22Palo Alto Networks Unit 42Brad Duncan
@online{duncan:20191122:trickbot:e14933b, author = {Brad Duncan}, title = {{Trickbot Updates Password Grabber Module}}, date = {2019-11-22}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/trickbot-updates-password-grabber-module/}, language = {English}, urldate = {2020-01-22} } Trickbot Updates Password Grabber Module
TrickBot
2019-11-22CERT-FRCERT-FR
@online{certfr:20191122:rapport:c457ee8, author = {CERT-FR}, title = {{RAPPORT MENACES ET INCIDENTS DU CERT-FR}}, date = {2019-11-22}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/cti/CERTFR-2019-CTI-009/}, language = {French}, urldate = {2020-01-07} } RAPPORT MENACES ET INCIDENTS DU CERT-FR
Clop
2019-11-19ACTURédaction Normandie
@online{normandie:20191119:une:d09ec98, author = {Rédaction Normandie}, title = {{Une rançon après la cyberattaque au CHU de Rouen ? Ce que réclament les pirates}}, date = {2019-11-19}, organization = {ACTU}, url = {https://actu.fr/normandie/rouen_76540/une-rancon-apres-cyberattaque-chu-rouen-ce-reclament-pirates_29475649.html}, language = {French}, urldate = {2019-12-05} } Une rançon après la cyberattaque au CHU de Rouen ? Ce que réclament les pirates
Clop
2019-11-13CrowdStrikeJen Ayers, Jason Rivera
@techreport{ayers:20191113:through:70cc3b3, author = {Jen Ayers and Jason Rivera}, title = {{Through the Eyes of the Adversary}}, date = {2019-11-13}, institution = {CrowdStrike}, url = {https://na.eventscloud.com/file_uploads/6568237bca6dc156e5c5557c5989e97c_CrowdStrikeFal.Con2019_ThroughEyesOfAdversary_J.Ayers.pdf}, language = {English}, urldate = {2020-03-22} } Through the Eyes of the Adversary
TrickBot CLOCKWORK SPIDER
2019-11-08Palo Alto Networks Unit 42Brad Duncan
@online{duncan:20191108:wireshark:f37b983, author = {Brad Duncan}, title = {{Wireshark Tutorial: Examining Trickbot Infections}}, date = {2019-11-08}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-trickbot-infections/}, language = {English}, urldate = {2020-01-06} } Wireshark Tutorial: Examining Trickbot Infections
TrickBot
2019-11-06Heise SecurityThomas Hungenberg
@online{hungenberg:20191106:emotet:1605954, author = {Thomas Hungenberg}, title = {{Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail}}, date = {2019-11-06}, organization = {Heise Security}, url = {https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html}, language = {German}, urldate = {2020-01-06} } Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail
Emotet Ryuk TrickBot
2019-10-29SneakyMonkey BlogSneakyMonkey
@online{sneakymonkey:20191029:trickbot:bd7249c, author = {SneakyMonkey}, title = {{TRICKBOT - Analysis Part II}}, date = {2019-10-29}, organization = {SneakyMonkey Blog}, url = {https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/}, language = {English}, urldate = {2019-12-17} } TRICKBOT - Analysis Part II
TrickBot
2019-10-24Sentinel LABSVitali Kremez
@online{kremez:20191024:how:e6d838d, author = {Vitali Kremez}, title = {{How TrickBot Malware Hooking Engine Targets Windows 10 Browsers}}, date = {2019-10-24}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/how-trickbot-hooking-engine-targets-windows-10-browsers/}, language = {English}, urldate = {2020-07-03} } How TrickBot Malware Hooking Engine Targets Windows 10 Browsers
TrickBot
2019-10-16ProofpointDennis Schwarz, Kafeine, Matthew Mesa, Axel F, Proofpoint Threat Insight Team
@online{schwarz:20191016:ta505:9d7155a, author = {Dennis Schwarz and Kafeine and Matthew Mesa and Axel F and Proofpoint Threat Insight Team}, title = {{TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader}}, date = {2019-10-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader}, language = {English}, urldate = {2020-01-10} } TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader
Get2 SDBbot TA505
2019-10-16ProofpointProofpoint
@online{proofpoint:20191016:ta505:9bca8d0, author = {Proofpoint}, title = {{TA505 Timeline}}, date = {2019-10-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/sites/default/files/ta505_timeline_final4_0.png}, language = {English}, urldate = {2020-01-08} } TA505 Timeline
TA505
2019-10-10Github (StrangerealIntel)StrangerealIntel
@online{strangerealintel:20191010:analysis:45d6c09, author = {StrangerealIntel}, title = {{Analysis of the new TA505 campaign}}, date = {2019-10-10}, organization = {Github (StrangerealIntel)}, url = {https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/cybercriminal%20groups/TA505/04-10-2019/Malware%20Analysis%2004-10-2019.md}, language = {English}, urldate = {2020-01-13} } Analysis of the new TA505 campaign
Get2
2019-10-10AhnLabASEC Analysis Team
@techreport{team:20191010:asec:6452cd4, author = {ASEC Analysis Team}, title = {{ASEC Report Vol. 96: Analysis Report on Operation Red Salt, Analysis on the Malicious SDB File Found in Ammyy Hacking Tool}}, date = {2019-10-10}, institution = {AhnLab}, url = {https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.96_ENG.pdf}, language = {English}, urldate = {2022-04-15} } ASEC Report Vol. 96: Analysis Report on Operation Red Salt, Analysis on the Malicious SDB File Found in Ammyy Hacking Tool
SDBbot
2019-09-25GovCERT.chGovCERT.ch
@online{govcertch:20190925:trickbot:8346dd7, author = {GovCERT.ch}, title = {{Trickbot - An analysis of data collected from the botnet}}, date = {2019-09-25}, organization = {GovCERT.ch}, url = {https://www.govcert.ch/blog/37/trickbot-an-analysis-of-data-collected-from-the-botnet}, language = {English}, urldate = {2020-01-08} } Trickbot - An analysis of data collected from the botnet
TrickBot
2019-09-09McAfeeThomas Roccia, Marc Rivero López, Chintan Shah
@online{roccia:20190909:evolution:baf3b6c, author = {Thomas Roccia and Marc Rivero López and Chintan Shah}, title = {{Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study}}, date = {2019-09-09}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/}, language = {English}, urldate = {2020-08-30} } Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study
Cutwail Dridex Dyre Kovter Locky Phorpiex Simda
2019-08-29ThreatReconThreatRecon Team
@online{team:20190829:sectorj04:ce6cc4b, author = {ThreatRecon Team}, title = {{SectorJ04 Group’s Increased Activity in 2019}}, date = {2019-08-29}, organization = {ThreatRecon}, url = {https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/}, language = {English}, urldate = {2019-10-13} } SectorJ04 Group’s Increased Activity in 2019
FlawedAmmyy ServHelper TA505
2019-08-27SecureworksCTU Research Team
@online{team:20190827:trickbot:fa5f95b, author = {CTU Research Team}, title = {{TrickBot Modifications Target U.S. Mobile Users}}, date = {2019-08-27}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/trickbot-modifications-target-us-mobile-users}, language = {English}, urldate = {2020-01-09} } TrickBot Modifications Target U.S. Mobile Users
TrickBot WIZARD SPIDER
2019-08-27Trend MicroHara Hiroaki, Jaromír Hořejší, Loseway Lu
@online{hiroaki:20190827:ta505:9bcbff1, author = {Hara Hiroaki and Jaromír Hořejší and Loseway Lu}, title = {{TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy}}, date = {2019-08-27}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/}, language = {English}, urldate = {2019-11-27} } TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy
FlawedAmmyy ServHelper
2019-08-26InQuestJosiah Smith
@online{smith:20190826:memory:c4cea9b, author = {Josiah Smith}, title = {{Memory Analysis of TrickBot}}, date = {2019-08-26}, organization = {InQuest}, url = {https://inquest.net/blog/2019/08/26/TrickBot-Memory-Analysis}, language = {English}, urldate = {2020-01-10} } Memory Analysis of TrickBot
TrickBot
2019-08-20Github (SherifEldeeb)Sherif Eldeeb
@online{eldeeb:20190820:source:66124bb, author = {Sherif Eldeeb}, title = {{Source code: TinyMet}}, date = {2019-08-20}, organization = {Github (SherifEldeeb)}, url = {https://github.com/SherifEldeeb/TinyMet}, language = {English}, urldate = {2020-02-13} } Source code: TinyMet
TinyMet
2019-08-05Trend MicroNoel Anthony Llimos, Michael Jhon Ofiaza
@online{llimos:20190805:latest:62ba94b, author = {Noel Anthony Llimos and Michael Jhon Ofiaza}, title = {{Latest Trickbot Campaign Delivered via Highly Obfuscated JS File}}, date = {2019-08-05}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/}, language = {English}, urldate = {2020-01-23} } Latest Trickbot Campaign Delivered via Highly Obfuscated JS File
ostap TrickBot
2019-08-01McAfeeAlexandre Mundo, Marc Rivero López
@online{mundo:20190801:clop:fa3429f, author = {Alexandre Mundo and Marc Rivero López}, title = {{Clop Ransomware}}, date = {2019-08-01}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/clop-ransomware/}, language = {English}, urldate = {2020-01-06} } Clop Ransomware
Clop
2019-07-30Dissecting MalwareMarius Genheimer
@online{genheimer:20190730:picking:cea78ea, author = {Marius Genheimer}, title = {{Picking Locky}}, date = {2019-07-30}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/picking-locky.html}, language = {English}, urldate = {2020-03-27} } Picking Locky
Locky
2019-07-12DeepInstinctShaul Vilkomir-Preisman
@online{vilkomirpreisman:20190712:trickbooster:107fdd5, author = {Shaul Vilkomir-Preisman}, title = {{TrickBooster – TrickBot’s Email-Based Infection Module}}, date = {2019-07-12}, organization = {DeepInstinct}, url = {https://www.deepinstinct.com/2019/07/12/trickbooster-trickbots-email-based-infection-module/}, language = {English}, urldate = {2021-07-08} } TrickBooster – TrickBot’s Email-Based Infection Module
TrickBot
2019-07-11NTT SecurityNTT Security
@online{security:20190711:targeted:a48e692, author = {NTT Security}, title = {{Targeted TrickBot activity drops 'PowerBrace' backdoor}}, date = {2019-07-11}, organization = {NTT Security}, url = {https://technical.nttsecurity.com/post/102fnog/targeted-trickbot-activity-drops-powerbrace-backdoor}, language = {English}, urldate = {2019-12-18} } Targeted TrickBot activity drops 'PowerBrace' backdoor
PowerBrace TrickBot
2019-07-04Trend MicroTrend Micro
@techreport{micro:20190704:latest:dd6099a, author = {Trend Micro}, title = {{Latest Spam Campaigns from TA505 Now Using New Malware Tools Gelup and FlowerPippi}}, date = {2019-07-04}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/Tech-Brief-Latest-Spam-Campaigns-from-TA505-Now-Using-New-Malware-Tools-Gelup-and-FlowerPippi.pdf}, language = {English}, urldate = {2020-01-13} } Latest Spam Campaigns from TA505 Now Using New Malware Tools Gelup and FlowerPippi
AndroMut
2019-07-02ProofpointMatthew Mesa, Dennis Schwarz, Proofpoint Threat Insight Team
@online{mesa:20190702:ta505:7f99961, author = {Matthew Mesa and Dennis Schwarz and Proofpoint Threat Insight Team}, title = {{TA505 begins summer campaigns with a new pet malware downloader, AndroMut, in the UAE, South Korea, Singapore, and the United States}}, date = {2019-07-02}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south}, language = {English}, urldate = {2019-11-26} } TA505 begins summer campaigns with a new pet malware downloader, AndroMut, in the UAE, South Korea, Singapore, and the United States
AndroMut FlawedAmmyy
2019-06-04SlideShareVitali Kremez
@online{kremez:20190604:inside:d633c6f, author = {Vitali Kremez}, title = {{Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vitali Kremez}}, date = {2019-06-04}, organization = {SlideShare}, url = {https://www.slideshare.net/proidea_conferences/inside-cybercrime-groups-harvesting-active-directory-for-fun-and-profit-vitali-kremez}, language = {English}, urldate = {2020-01-13} } Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vitali Kremez
TrickBot
2019-05-31Youtube (0verfl0w_)0verfl0w_
@online{0verfl0w:20190531:defeating:eb0994e, author = {0verfl0w_}, title = {{Defeating Commercial and Custom Packers like a Pro - VMProtect, ASPack, PECompact, and more}}, date = {2019-05-31}, organization = {Youtube (0verfl0w_)}, url = {https://www.youtube.com/watch?v=N4f2e8Mygag}, language = {English}, urldate = {2020-01-08} } Defeating Commercial and Custom Packers like a Pro - VMProtect, ASPack, PECompact, and more
FlawedAmmyy Ramnit
2019-05-29YoroiDavide Testa, Antonio Farina, Luca Mella
@online{testa:20190529:ta505:07b59dd, author = {Davide Testa and Antonio Farina and Luca Mella}, title = {{TA505 is Expanding its Operations}}, date = {2019-05-29}, organization = {Yoroi}, url = {https://blog.yoroi.company/research/ta505-is-expanding-its-operations/}, language = {English}, urldate = {2021-06-16} } TA505 is Expanding its Operations
RMS
2019-05-28MITREMITRE
@online{mitre:20190528:flawedammyy:c4f6363, author = {MITRE}, title = {{FlawedAmmyy}}, date = {2019-05-28}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0381/}, language = {English}, urldate = {2020-01-13} } FlawedAmmyy
FlawedAmmyy
2019-05-22sneakymonk3y (Mark)
@online{mark:20190522:trickbot:277256b, author = {sneakymonk3y (Mark)}, title = {{TRICKBOT - Analysis}}, date = {2019-05-22}, url = {https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/}, language = {English}, urldate = {2020-01-06} } TRICKBOT - Analysis
TrickBot
2019-05-16YoroiLuigi Martire, Davide Testa, Antonio Pirozzi, Luca Mella
@online{martire:20190516:stealthy:930aa98, author = {Luigi Martire and Davide Testa and Antonio Pirozzi and Luca Mella}, title = {{The Stealthy Email Stealer in the TA505 Arsenal}}, date = {2019-05-16}, organization = {Yoroi}, url = {https://blog.yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/}, language = {English}, urldate = {2019-10-14} } The Stealthy Email Stealer in the TA505 Arsenal
TA505
2019-05-09GovCERT.chGovCERT.ch
@online{govcertch:20190509:severe:2767782, author = {GovCERT.ch}, title = {{Severe Ransomware Attacks Against Swiss SMEs}}, date = {2019-05-09}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes}, language = {English}, urldate = {2019-07-11} } Severe Ransomware Attacks Against Swiss SMEs
Emotet LockerGoga Ryuk TrickBot
2019-05-02CERT.PLMichał Praszmo
@online{praszmo:20190502:detricking:43a7dc1, author = {Michał Praszmo}, title = {{Detricking TrickBot Loader}}, date = {2019-05-02}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/detricking-trickbot-loader/}, language = {English}, urldate = {2020-01-08} } Detricking TrickBot Loader
TrickBot
2019-04-25CybereasonCybereason Nocturnus
@online{nocturnus:20190425:threat:63e7d51, author = {Cybereason Nocturnus}, title = {{Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware}}, date = {2019-04-25}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware}, language = {English}, urldate = {2020-01-08} } Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware
ServHelper TA505
2019-04-22SANSMike Downey
@online{downey:20190422:unpacking:2cb6558, author = {Mike Downey}, title = {{Unpacking & Decrypting FlawedAmmyy}}, date = {2019-04-22}, organization = {SANS}, url = {https://www.sans.org/reading-room/whitepapers/reverseengineeringmalware/unpacking-decrypting-flawedammyy-38930}, language = {English}, urldate = {2020-01-09} } Unpacking & Decrypting FlawedAmmyy
FlawedAmmyy
2019-04-05Medium vishal_thakurVishal Thakur
@online{thakur:20190405:trickbot:d1c4891, author = {Vishal Thakur}, title = {{Trickbot — a concise treatise}}, date = {2019-04-05}, organization = {Medium vishal_thakur}, url = {https://medium.com/@vishal_29486/trickbot-a-concise-treatise-d7e4cc97f737}, language = {English}, urldate = {2020-01-13} } Trickbot — a concise treatise
TrickBot
2019-04-02CybereasonNoa Pinkas, Lior Rochberger, Matan Zatz
@online{pinkas:20190402:triple:10a3e37, author = {Noa Pinkas and Lior Rochberger and Matan Zatz}, title = {{Triple Threat: Emotet Deploys Trickbot to Steal Data & Spread Ryuk}}, date = {2019-04-02}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware}, language = {English}, urldate = {2020-01-09} } Triple Threat: Emotet Deploys Trickbot to Steal Data & Spread Ryuk
Ryuk TrickBot
2019-04-02DeepInstinctShaul Vilkomir-Preisman
@online{vilkomirpreisman:20190402:new:4dbdc56, author = {Shaul Vilkomir-Preisman}, title = {{New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload}}, date = {2019-04-02}, organization = {DeepInstinct}, url = {https://www.deepinstinct.com/2019/04/02/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload/}, language = {English}, urldate = {2019-07-11} } New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload
ServHelper
2019-03-28Carbon BlackCB TAU Threat Intelligence
@online{intelligence:20190328:cryptomix:622c0b3, author = {CB TAU Threat Intelligence}, title = {{CryptoMix Clop Ransomware Disables Startup Repair, Removes & Edits Shadow Volume Copies}}, date = {2019-03-28}, organization = {Carbon Black}, url = {https://www.carbonblack.com/blog/cb-tau-threat-intelligence-notification-cryptomix-clop-ransomware-disables-startup-repair-removes-edits-shadow-volume-copies/}, language = {English}, urldate = {2021-07-02} } CryptoMix Clop Ransomware Disables Startup Repair, Removes & Edits Shadow Volume Copies
Clop
2019-03-20FlashpointJoshua Platt, Jason Reaves
@online{platt:20190320:fin7:bac265f, author = {Joshua Platt and Jason Reaves}, title = {{FIN7 Revisited: Inside Astra Panel and SQLRat Malware}}, date = {2019-03-20}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/fin7-revisited:-inside-astra-panel-and-sqlrat-malware/}, language = {English}, urldate = {2019-12-18} } FIN7 Revisited: Inside Astra Panel and SQLRat Malware
DNSRat TinyMet
2019-03-05PepperMalware BlogPepper Potts
@online{potts:20190305:quick:773aabc, author = {Pepper Potts}, title = {{Quick Analysis of a Trickbot Sample with NSA's Ghidra SRE Framework}}, date = {2019-03-05}, organization = {PepperMalware Blog}, url = {http://www.peppermalware.com/2019/03/quick-analysis-of-trickbot-sample-with.html}, language = {English}, urldate = {2019-12-19} } Quick Analysis of a Trickbot Sample with NSA's Ghidra SRE Framework
TrickBot
2019-03-05Bleeping ComputerLawrence Abrams
@online{abrams:20190305:cryptomix:33e7eac, author = {Lawrence Abrams}, title = {{CryptoMix Clop Ransomware Says It's Targeting Networks, Not Computers}}, date = {2019-03-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/cryptomix-clop-ransomware-says-its-targeting-networks-not-computers/}, language = {English}, urldate = {2020-01-13} } CryptoMix Clop Ransomware Says It's Targeting Networks, Not Computers
Clop
2019-02-15CrowdStrikeBrendon Feeley, Bex Hartley
@online{feeley:20190215:sinful:729f693, author = {Brendon Feeley and Bex Hartley}, title = {{“Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web}}, date = {2019-02-15}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/}, language = {English}, urldate = {2019-12-20} } “Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web
Dyre IcedID TrickBot Vawtrak LUNAR SPIDER WIZARD SPIDER
2019-02-12Trend MicroTrend Micro
@online{micro:20190212:trickbot:73576ba, author = {Trend Micro}, title = {{Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire}}, date = {2019-02-12}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/}, language = {English}, urldate = {2020-01-12} } Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire
TrickBot
2019-02-02Medium SebdravenSébastien Larinier
@online{larinier:20190202:unpacking:894335d, author = {Sébastien Larinier}, title = {{Unpacking Clop}}, date = {2019-02-02}, organization = {Medium Sebdraven}, url = {https://medium.com/@Sebdraven/unpacking-clop-416b83718e0f}, language = {English}, urldate = {2020-01-06} } Unpacking Clop
Clop
2019-01-24奇安信威胁情报中心事件追踪
@online{:20190124:excel:2dd401c, author = {事件追踪}, title = {{Excel 4.0 Macro Utilized by TA505 to Target Financial Institutions Recently}}, date = {2019-01-24}, organization = {奇安信威胁情报中心}, url = {https://ti.360.net/blog/articles/excel-4.0-macro-utilized-by-ta505-to-target-financial-institutions-recently-en/}, language = {English}, urldate = {2019-12-02} } Excel 4.0 Macro Utilized by TA505 to Target Financial Institutions Recently
ServHelper
2019-01-14Möbius Strip Reverse EngineeringRolf Rolles
@online{rolles:20190114:quick:42a2552, author = {Rolf Rolles}, title = {{A Quick Solution to an Ugly Reverse Engineering Problem}}, date = {2019-01-14}, organization = {Möbius Strip Reverse Engineering}, url = {https://www.msreverseengineering.com/blog/2019/1/14/a-quick-solution-to-an-ugly-reverse-engineering-problem}, language = {English}, urldate = {2020-01-13} } A Quick Solution to an Ugly Reverse Engineering Problem
FlawedGrace
2019-01-11FireEyeKimberly Goody, Jeremy Kennelly, Jaideep Natu, Christopher Glyer
@online{goody:20190111:nasty:3c872d4, author = {Kimberly Goody and Jeremy Kennelly and Jaideep Natu and Christopher Glyer}, title = {{A Nasty Trick: From Credential Theft Malware to Business Disruption}}, date = {2019-01-11}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html}, language = {English}, urldate = {2019-12-20} } A Nasty Trick: From Credential Theft Malware to Business Disruption
Ryuk TrickBot GRIM SPIDER WIZARD SPIDER
2019-01-11ThreatpostTara Seals
@online{seals:20190111:ta505:48e9745, author = {Tara Seals}, title = {{TA505 Crime Gang Debuts Brand-New ServHelper Backdoor}}, date = {2019-01-11}, organization = {Threatpost}, url = {https://threatpost.com/ta505-servhelper-malware/140792/}, language = {English}, urldate = {2020-01-08} } TA505 Crime Gang Debuts Brand-New ServHelper Backdoor
TA505
2019-01-10Bleeping ComputerIonut Ilascu
@online{ilascu:20190110:ta505:12f4881, author = {Ionut Ilascu}, title = {{TA505 Group Adopts New ServHelper Backdoor and FlawedGrace RAT}}, date = {2019-01-10}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ta505-group-adopts-new-servhelper-backdoor-and-flawedgrace-rat/}, language = {English}, urldate = {2019-12-20} } TA505 Group Adopts New ServHelper Backdoor and FlawedGrace RAT
TA505
2019-01-09ProofpointDennis Schwarz, Proofpoint Staff
@online{schwarz:20190109:servhelper:e20586c, author = {Dennis Schwarz and Proofpoint Staff}, title = {{ServHelper and FlawedGrace - New malware introduced by TA505}}, date = {2019-01-09}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505}, language = {English}, urldate = {2019-12-20} } ServHelper and FlawedGrace - New malware introduced by TA505
FlawedGrace ServHelper
2019CyberIntCyberInt
@techreport{cyberint:2019:legit:9925ea3, author = {CyberInt}, title = {{Legit Remote Admin Tools Turn into Threat Actors' Tools}}, date = {2019}, institution = {CyberInt}, url = {https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf}, language = {English}, urldate = {2019-12-19} } Legit Remote Admin Tools Turn into Threat Actors' Tools
RMS ServHelper TA505
2018-12-12SecureDataWicus Ross
@online{ross:20181212:trickbot:7a0e2a6, author = {Wicus Ross}, title = {{The TrickBot and MikroTik connection}}, date = {2018-12-12}, organization = {SecureData}, url = {https://www.infosecurity-magazine.com/blogs/trickbot-mikrotik-connection/}, language = {English}, urldate = {2020-05-18} } The TrickBot and MikroTik connection
TrickBot
2018-12-05VIPREVIPRE Labs
@online{labs:20181205:trickbots:b45d588, author = {VIPRE Labs}, title = {{Trickbot’s Tricks}}, date = {2018-12-05}, organization = {VIPRE}, url = {https://labs.vipre.com/trickbots-tricks/}, language = {English}, urldate = {2020-01-09} } Trickbot’s Tricks
TrickBot
2018-11-12Malwarebyteshasherezade
@online{hasherezade:20181112:whats:e44d5f3, author = {hasherezade}, title = {{What’s new in TrickBot? Deobfuscating elements}}, date = {2018-11-12}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/malware-threat-analysis/2018/11/whats-new-trickbot-deobfuscating-elements/}, language = {English}, urldate = {2019-12-20} } What’s new in TrickBot? Deobfuscating elements
TrickBot
2018-11-08FortinetXiaopeng Zhang
@online{zhang:20181108:deep:fca360c, author = {Xiaopeng Zhang}, title = {{Deep Analysis of TrickBot New Module pwgrab}}, date = {2018-11-08}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/deep-analysis-of-trickbot-new-module-pwgrab.html}, language = {English}, urldate = {2019-11-17} } Deep Analysis of TrickBot New Module pwgrab
TrickBot
2018-11-01Trend MicroNoel Anthony Llimos, Carl Maverick Pascual
@online{llimos:20181101:trickbot:7d0ea94, author = {Noel Anthony Llimos and Carl Maverick Pascual}, title = {{Trickbot Shows Off New Trick: Password Grabber Module}}, date = {2018-11-01}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module}, language = {English}, urldate = {2020-01-06} } Trickbot Shows Off New Trick: Password Grabber Module
TrickBot
2018-10-01Macnica NetworksMacnica Networks
@techreport{networks:20181001:trends:17b1db5, author = {Macnica Networks}, title = {{Trends in cyber espionage (targeted attacks) targeting Japan | First half of 2018}}, date = {2018-10-01}, institution = {Macnica Networks}, url = {https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf}, language = {Japanese}, urldate = {2021-03-02} } Trends in cyber espionage (targeted attacks) targeting Japan | First half of 2018
Anel Cobalt Strike Datper FlawedAmmyy Quasar RAT RedLeaves taidoor Winnti xxmm
2018-08-14CyberbitHod Gavriel
@online{gavriel:20180814:latest:7df6364, author = {Hod Gavriel}, title = {{Latest Trickbot Variant has New Tricks Up Its Sleeve}}, date = {2018-08-14}, organization = {Cyberbit}, url = {https://www.cyberbit.com/latest-trickbot-variant-has-new-tricks-up-its-sleeve/}, language = {English}, urldate = {2020-08-21} } Latest Trickbot Variant has New Tricks Up Its Sleeve
TrickBot
2018-07-26IEEE Symposium on Security and Privacy (SP)Danny Yuxing Huang, Maxwell Matthaios Aliapoulios, Vector Guo Li, Luca Invernizzi, Kylie McRoberts, Elie Bursztein, Jonathan Levin, Kirill Levchenko, Alex C. Snoeren, Damon McCoy
@techreport{huang:20180726:tracking:b51d0ee, author = {Danny Yuxing Huang and Maxwell Matthaios Aliapoulios and Vector Guo Li and Luca Invernizzi and Kylie McRoberts and Elie Bursztein and Jonathan Levin and Kirill Levchenko and Alex C. Snoeren and Damon McCoy}, title = {{Tracking Ransomware End-to-end}}, date = {2018-07-26}, institution = {IEEE Symposium on Security and Privacy (SP)}, url = {https://storage.googleapis.com/pub-tools-public-publication-data/pdf/ce44cbda9fdc061050c1d2a5dec0270874a9dc85.pdf}, language = {English}, urldate = {2021-04-16} } Tracking Ransomware End-to-end
Cerber Locky WannaCryptor
2018-07-19ProofpointProofpoint Staff
@online{staff:20180719:ta505:3c29d5a, author = {Proofpoint Staff}, title = {{TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT}}, date = {2018-07-19}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat}, language = {English}, urldate = {2019-12-20} } TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT
FlawedAmmyy
2018-07-03Talos IntelligenceBen Baker, Holger Unterbrink
@online{baker:20180703:smoking:067be1f, author = {Ben Baker and Holger Unterbrink}, title = {{Smoking Guns - Smoke Loader learned new tricks}}, date = {2018-07-03}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html}, language = {English}, urldate = {2019-10-14} } Smoking Guns - Smoke Loader learned new tricks
SmokeLoader TrickBot
2018-06-28Secrary BlogLasha Khasaia
@online{khasaia:20180628:brief:d854824, author = {Lasha Khasaia}, title = {{A Brief Overview of the AMMYY RAT Downloader}}, date = {2018-06-28}, organization = {Secrary Blog}, url = {https://secrary.com/ReversingMalware/AMMY_RAT_Downloader/}, language = {English}, urldate = {2020-01-13} } A Brief Overview of the AMMYY RAT Downloader
FlawedAmmyy
2018-06-20OALabs
@online{oalabs:20180620:unpacking:e4d59a4, author = {OALabs}, title = {{Unpacking and Extracting TrickBot Malware Configuration With x64dbg and Python}}, date = {2018-06-20}, url = {https://www.youtube.com/watch?v=EdchPEHnohw}, language = {English}, urldate = {2019-12-24} } Unpacking and Extracting TrickBot Malware Configuration With x64dbg and Python
TrickBot
2018-06-13Github (JR0driguezB)Jorge Rodriguez
@online{rodriguez:20180613:trickbot:e004ae8, author = {Jorge Rodriguez}, title = {{TrickBot config files}}, date = {2018-06-13}, organization = {Github (JR0driguezB)}, url = {https://github.com/JR0driguezB/malware_configs/tree/master/TrickBot}, language = {English}, urldate = {2019-07-11} } TrickBot config files
TrickBot
2018-04-16Random REsysopfb
@online{sysopfb:20180416:trickbot:5305f46, author = {sysopfb}, title = {{TrickBot & UACME}}, date = {2018-04-16}, organization = {Random RE}, url = {https://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html}, language = {English}, urldate = {2020-01-09} } TrickBot & UACME
TrickBot
2018-04-03Vitali Kremez BlogVitali Kremez
@online{kremez:20180403:lets:b45dd50, author = {Vitali Kremez}, title = {{Let's Learn: Trickbot Implements Network Collector Module Leveraging CMD, WMI & LDAP}}, date = {2018-04-03}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2018/04/lets-learn-trickbot-implements-network.html}, language = {English}, urldate = {2019-07-27} } Let's Learn: Trickbot Implements Network Collector Module Leveraging CMD, WMI & LDAP
TrickBot
2018-03-31Youtube (hasherezade)hasherezade
@online{hasherezade:20180331:deobfuscating:39c1be0, author = {hasherezade}, title = {{Deobfuscating TrickBot's strings with libPeConv}}, date = {2018-03-31}, organization = {Youtube (hasherezade)}, url = {https://www.youtube.com/watch?v=KMcSAlS9zGE}, language = {English}, urldate = {2020-01-13} } Deobfuscating TrickBot's strings with libPeConv
TrickBot
2018-03-27Trend MicroTrendmicro
@online{trendmicro:20180327:evolving:faa2e54, author = {Trendmicro}, title = {{Evolving Trickbot Adds Detection Evasion and Screen-Locking Features}}, date = {2018-03-27}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/evolving-trickbot-adds-detection-evasion-and-screen-locking-features}, language = {English}, urldate = {2020-01-07} } Evolving Trickbot Adds Detection Evasion and Screen-Locking Features
TrickBot
2018-03-21WebrootJason Davison
@online{davison:20180321:trickbot:1f0576e, author = {Jason Davison}, title = {{TrickBot Banking Trojan Adapts with New Module}}, date = {2018-03-21}, organization = {Webroot}, url = {https://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/}, language = {English}, urldate = {2020-01-13} } TrickBot Banking Trojan Adapts with New Module
TrickBot
2018-03-20StormshieldMehdi Talbi
@online{talbi:20180320:deobfuscating:7ac7605, author = {Mehdi Talbi}, title = {{De-obfuscating Jump Chains with Binary Ninja}}, date = {2018-03-20}, organization = {Stormshield}, url = {https://thisissecurity.stormshield.com/2018/03/20/de-obfuscating-jump-chains-with-binary-ninja/}, language = {English}, urldate = {2020-03-16} } De-obfuscating Jump Chains with Binary Ninja
Locky
2018-03-07ProofpointProofpoint Staff
@online{staff:20180307:leaked:5e33f64, author = {Proofpoint Staff}, title = {{Leaked Ammyy Admin Source Code Turned into Malware}}, date = {2018-03-07}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat}, language = {English}, urldate = {2019-12-20} } Leaked Ammyy Admin Source Code Turned into Malware
FlawedAmmyy QuantLoader
2018-02-15SecurityIntelligenceOphir Harpaz, Magal Baz, Limor Kessem
@online{harpaz:20180215:trickbots:2cf1b53, author = {Ophir Harpaz and Magal Baz and Limor Kessem}, title = {{TrickBot’s Cryptocurrency Hunger: Tricking the Bitcoin Out of Wallets}}, date = {2018-02-15}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/trickbots-cryptocurrency-hunger-tricking-the-bitcoin-out-of-wallets/}, language = {English}, urldate = {2020-01-06} } TrickBot’s Cryptocurrency Hunger: Tricking the Bitcoin Out of Wallets
TrickBot
2018-02-01Malware Traffic AnalysisBrad Duncan
@online{duncan:20180201:quick:320f855, author = {Brad Duncan}, title = {{Quick Test Drive of Trickbot (It now has a Monero Module)}}, date = {2018-02-01}, organization = {Malware Traffic Analysis}, url = {http://www.malware-traffic-analysis.net/2018/02/01/}, language = {English}, urldate = {2019-07-09} } Quick Test Drive of Trickbot (It now has a Monero Module)
TrickBot
2017-12-30Youtube (hasherezade)hasherezade
@online{hasherezade:20171230:unpacking:5477bb2, author = {hasherezade}, title = {{Unpacking TrickBot with PE-sieve}}, date = {2017-12-30}, organization = {Youtube (hasherezade)}, url = {https://www.youtube.com/watch?v=lTywPmZEU1A}, language = {English}, urldate = {2020-01-06} } Unpacking TrickBot with PE-sieve
TrickBot
2017-12-19Vitali Kremez BlogVitali Kremez
@online{kremez:20171219:lets:030e09a, author = {Vitali Kremez}, title = {{Let's Learn: Introducing New Trickbot LDAP "DomainGrabber" Module}}, date = {2017-12-19}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html}, language = {English}, urldate = {2019-11-23} } Let's Learn: Introducing New Trickbot LDAP "DomainGrabber" Module
TrickBot
2017-11-22FlashpointVitali Kremez
@online{kremez:20171122:trickbot:faea11e, author = {Vitali Kremez}, title = {{Trickbot Gang Evolves, Incorporates Account Checking Into Hybrid Attack Model}}, date = {2017-11-22}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/trickbot-account-checking-hybrid-attack-model/}, language = {English}, urldate = {2019-12-10} } Trickbot Gang Evolves, Incorporates Account Checking Into Hybrid Attack Model
TrickBot
2017-11-21Vitali Kremez
@online{kremez:20171121:lets:5fb17b0, author = {Vitali Kremez}, title = {{Let's Learn: Trickbot Socks5 Backconnect Module In Detail}}, date = {2017-11-21}, url = {http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html}, language = {English}, urldate = {2019-11-22} } Let's Learn: Trickbot Socks5 Backconnect Module In Detail
TrickBot
2017-11-07ThreatVectorCylance Threat Research Team
@online{team:20171107:locky:a38e9b5, author = {Cylance Threat Research Team}, title = {{Locky Ransomware}}, date = {2017-11-07}, organization = {ThreatVector}, url = {https://www.cylance.com/en_us/blog/threat-spotlight-locky-ransomware.html}, language = {English}, urldate = {2020-01-07} } Locky Ransomware
Locky
2017-10-06BluelivBlueliv
@online{blueliv:20171006:trickbot:a2a9ac8, author = {Blueliv}, title = {{TrickBot banking trojan using EFLAGS as an anti-hook technique}}, date = {2017-10-06}, organization = {Blueliv}, url = {https://www.blueliv.com/research/trickbot-banking-trojan-using-eflags-as-an-anti-hook-technique/}, language = {English}, urldate = {2020-01-08} } TrickBot banking trojan using EFLAGS as an anti-hook technique
TrickBot
2017-09-27ProofpointProofpoint Staff
@online{staff:20170927:threat:272e6ac, author = {Proofpoint Staff}, title = {{Threat Actor Profile: TA505, From Dridex to GlobeImposter}}, date = {2017-09-27}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter}, language = {English}, urldate = {2019-12-20} } Threat Actor Profile: TA505, From Dridex to GlobeImposter
TA505
2017-09-21MalwarebytesJérôme Segura
@online{segura:20170921:fake:5f5963f, author = {Jérôme Segura}, title = {{Fake IRS notice delivers customized spying tool}}, date = {2017-09-21}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/09/cve-2017-0199-used-to-deliver-modified-rms-agent-rat/}, language = {English}, urldate = {2019-12-20} } Fake IRS notice delivers customized spying tool
RMS
2017-08-20MyOnlineSecurityMyOnlineSecurity
@online{myonlinesecurity:20170820:return:cf54ed9, author = {MyOnlineSecurity}, title = {{return of fake UPS cannot deliver malspam with an updated nemucod ransomware and Kovter payload}}, date = {2017-08-20}, organization = {MyOnlineSecurity}, url = {http://web.archive.org/web/20181007211751/https://myonlinesecurity.co.uk/return-of-fake-ups-cannot-deliver-malspam-with-an-updated-nemucod-ransomware-and-kovter-payload/}, language = {English}, urldate = {2020-11-26} } return of fake UPS cannot deliver malspam with an updated nemucod ransomware and Kovter payload
Cold$eal Locky
2017-08-16Bleeping ComputerLawrence Abrams
@online{abrams:20170816:locky:7445bd0, author = {Lawrence Abrams}, title = {{Locky Ransomware switches to the Lukitus extension for Encrypted Files}}, date = {2017-08-16}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-the-lukitus-extension-for-encrypted-files/}, language = {English}, urldate = {2019-12-20} } Locky Ransomware switches to the Lukitus extension for Encrypted Files
Locky
2017-08-10botfrei BlogTom Berchem
@online{berchem:20170810:weltweite:5df6bfa, author = {Tom Berchem}, title = {{Weltweite Spamwelle verbreitet teuflische Variante des Locky}}, date = {2017-08-10}, organization = {botfrei Blog}, url = {https://blog.botfrei.de/2017/08/weltweite-spamwelle-verbreitet-teufliche-variante-des-locky/}, language = {German}, urldate = {2019-12-10} } Weltweite Spamwelle verbreitet teuflische Variante des Locky
Locky
2017-08-01MalwarebytesMalwarebytes Labs
@online{labs:20170801:trickbot:222d8bc, author = {Malwarebytes Labs}, title = {{TrickBot comes up with new tricks: attacking Outlook and browsing data}}, date = {2017-08-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/}, language = {English}, urldate = {2019-12-20} } TrickBot comes up with new tricks: attacking Outlook and browsing data
TrickBot
2017-07-27FlashpointFlashpoint
@online{flashpoint:20170727:new:bb5c883, author = {Flashpoint}, title = {{New Version of “Trickbot” Adds Worm Propagation Module}}, date = {2017-07-27}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/}, language = {English}, urldate = {2020-01-13} } New Version of “Trickbot” Adds Worm Propagation Module
TrickBot
2017-07-18ElasticAshkan Hosseini
@online{hosseini:20170718:ten:af036b3, author = {Ashkan Hosseini}, title = {{Ten process injection techniques: A technical survey of common and trending process injection techniques}}, date = {2017-07-18}, organization = {Elastic}, url = {https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process}, language = {English}, urldate = {2020-07-15} } Ten process injection techniques: A technical survey of common and trending process injection techniques
Cryakl CyberGate Dridex FinFisher RAT Locky
2017-07Ring Zero LabsRing Zero Labs
@online{labs:201707:trickbot:e738eaf, author = {Ring Zero Labs}, title = {{TrickBot Banking Trojan - DOC00039217.doc}}, date = {2017-07}, organization = {Ring Zero Labs}, url = {https://www.ringzerolabs.com/2017/07/trickbot-banking-trojan-doc00039217doc.html}, language = {English}, urldate = {2020-01-10} } TrickBot Banking Trojan - DOC00039217.doc
TrickBot
2017-06-22Bleeping ComputerCatalin Cimpanu
@online{cimpanu:20170622:locky:4a088f0, author = {Catalin Cimpanu}, title = {{Locky Ransomware Returns, but Targets Only Windows XP & Vista}}, date = {2017-06-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/locky-ransomware-returns-but-targets-only-windows-xp-and-vista/}, language = {English}, urldate = {2019-12-20} } Locky Ransomware Returns, but Targets Only Windows XP & Vista
Locky
2017-06-21CiscoAlex Chiu, Warren Mercer, Jaeson Schultz, Sean Baird, Matthew Molyett
@online{chiu:20170621:player:b44064a, author = {Alex Chiu and Warren Mercer and Jaeson Schultz and Sean Baird and Matthew Molyett}, title = {{Player 1 Limps Back Into the Ring - Hello again, Locky!}}, date = {2017-06-21}, organization = {Cisco}, url = {http://blog.talosintelligence.com/2017/06/necurs-locky-campaign.html}, language = {English}, urldate = {2019-12-17} } Player 1 Limps Back Into the Ring - Hello again, Locky!
Locky
2017-06-15F5Sara Boddy, Jesse Smith, Doron Voolf
@online{boddy:20170615:trickbot:6eb1db4, author = {Sara Boddy and Jesse Smith and Doron Voolf}, title = {{Trickbot Expands Global Targets Beyond Banks and Payment Processors to CRMs}}, date = {2017-06-15}, organization = {F5}, url = {https://f5.com/labs/articles/threat-intelligence/malware/trickbot-expands-global-targets-beyond-banks-and-payment-processors-to-crms}, language = {English}, urldate = {2019-12-24} } Trickbot Expands Global Targets Beyond Banks and Payment Processors to CRMs
TrickBot
2017-06-12Security Art WorkMarc Salinas, JoséMiguel Holguín
@techreport{salinas:20170612:evolucin:9930231, author = {Marc Salinas and JoséMiguel Holguín}, title = {{Evolución de Trickbot}}, date = {2017-06-12}, institution = {Security Art Work}, url = {https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf}, language = {Spanish}, urldate = {2020-01-10} } Evolución de Trickbot
TrickBot
2017-05-26PWCBart Parys
@online{parys:20170526:trickbots:c1b84e1, author = {Bart Parys}, title = {{TrickBot’s bag of tricks}}, date = {2017-05-26}, organization = {PWC}, url = {http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html}, language = {English}, urldate = {2020-06-18} } TrickBot’s bag of tricks
TrickBot
2017-05-15SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20170515:evolution:d0e74ea, author = {Counter Threat Unit ResearchTeam}, title = {{Evolution of the GOLD EVERGREEN Threat Group}}, date = {2017-05-15}, organization = {Secureworks}, url = {https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group}, language = {English}, urldate = {2021-05-28} } Evolution of the GOLD EVERGREEN Threat Group
CryptoLocker Dridex Dyre Gameover P2P Murofet TrickBot Zeus GOLD EVERGREEN
2017-03-01FraudWatch InternationalFraudWatch International
@online{international:20170301:how:fb75ef9, author = {FraudWatch International}, title = {{How Does the Trickbot Malware Work?}}, date = {2017-03-01}, organization = {FraudWatch International}, url = {https://blog.fraudwatchinternational.com/malware/trickbot-malware-works}, language = {English}, urldate = {2020-01-08} } How Does the Trickbot Malware Work?
TrickBot
2017-01-31MalwarebytesMalwarebytes Labs
@online{labs:20170131:locky:92db484, author = {Malwarebytes Labs}, title = {{Locky Bart ransomware and backend server analysis}}, date = {2017-01-31}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/}, language = {English}, urldate = {2019-12-20} } Locky Bart ransomware and backend server analysis
Locky
2016-12-07BotconfJoshua Adams
@techreport{adams:20161207:trickbot:fc3427c, author = {Joshua Adams}, title = {{The TrickBot Evolution}}, date = {2016-12-07}, institution = {Botconf}, url = {https://www.botconf.eu/wp-content/uploads/2016/11/2016-LT09-TrickBot-Adams.pdf}, language = {English}, urldate = {2020-01-09} } The TrickBot Evolution
TrickBot
2016-12-06FortinetXiaopeng Zhang
@online{zhang:20161206:deep:1f1521f, author = {Xiaopeng Zhang}, title = {{Deep Analysis of the Online Banking Botnet TrickBot}}, date = {2016-12-06}, organization = {Fortinet}, url = {http://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot}, language = {English}, urldate = {2020-01-08} } Deep Analysis of the Online Banking Botnet TrickBot
TrickBot
2016-11-09Lior Keshet
@online{keshet:20161109:tricks:c3ab510, author = {Lior Keshet}, title = {{Tricks of the Trade: A Deeper Look Into TrickBot’s Machinations}}, date = {2016-11-09}, url = {https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/}, language = {English}, urldate = {2019-10-17} } Tricks of the Trade: A Deeper Look Into TrickBot’s Machinations
TrickBot
2016-11-07F5 LabsJulia Karpin, Shaul Vilkomir-Preisman, Anna Dorfman
@online{karpin:20161107:little:598f939, author = {Julia Karpin and Shaul Vilkomir-Preisman and Anna Dorfman}, title = {{Little Trickbot Growing Up: New Campaign}}, date = {2016-11-07}, organization = {F5 Labs}, url = {https://f5.com/labs/articles/threat-intelligence/malware/little-trickbot-growing-up-new-campaign-24412}, language = {English}, urldate = {2020-01-06} } Little Trickbot Growing Up: New Campaign
TrickBot
2016-10-25NetScoutASERT Team
@online{team:20161025:trickbot:dd465d9, author = {ASERT Team}, title = {{TrickBot Banker Insights}}, date = {2016-10-25}, organization = {NetScout}, url = {https://www.arbornetworks.com/blog/asert/trickbot-banker-insights/}, language = {English}, urldate = {2019-07-11} } TrickBot Banker Insights
TrickBot
2016-10-24MalwarebytesMalwarebytes Labs
@online{labs:20161024:introducing:e59ac27, author = {Malwarebytes Labs}, title = {{Introducing TrickBot, Dyreza’s successor}}, date = {2016-10-24}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/}, language = {English}, urldate = {2019-12-20} } Introducing TrickBot, Dyreza’s successor
TrickBot
2016-10-15Fidelis CybersecurityThreat Research Team
@online{team:20161015:trickbot:cc9f48f, author = {Threat Research Team}, title = {{TrickBot: We Missed you, Dyre}}, date = {2016-10-15}, organization = {Fidelis Cybersecurity}, url = {https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre}, language = {English}, urldate = {2019-11-28} } TrickBot: We Missed you, Dyre
TrickBot
2016-10-11SymantecSymantec Security Response
@online{response:20161011:odinaff:bdd6f10, author = {Symantec Security Response}, title = {{Odinaff: New Trojan used in high level financial attacks}}, date = {2016-10-11}, organization = {Symantec}, url = {https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks}, language = {English}, urldate = {2020-04-21} } Odinaff: New Trojan used in high level financial attacks
Batel FlawedAmmyy Odinaff RMS FIN7
2016-07-07Pierluigi Paganini
@online{paganini:20160707:new:7c765a2, author = {Pierluigi Paganini}, title = {{New threat dubbed Zepto Ransomware is spreading out with a new email spam campaign. It is a variant of the recent Locky Ransomware.}}, date = {2016-07-07}, url = {http://securityaffairs.co/wordpress/49094/malware/zepto-ransomware.html}, language = {English}, urldate = {2019-11-22} } New threat dubbed Zepto Ransomware is spreading out with a new email spam campaign. It is a variant of the recent Locky Ransomware.
Locky
2016-03-01Malwarebyteshasherezade
@online{hasherezade:20160301:look:fe35696, author = {hasherezade}, title = {{Look Into Locky Ransomware}}, date = {2016-03-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/}, language = {English}, urldate = {2019-12-20} } Look Into Locky Ransomware
Locky

Credits: MISP Project