Unit 42 researchers have been tracking Subaat, an attacker, since 2017. Recently Subaat drew our attention due to renewed targeted attack activity. Part of monitoring Subaat included realizing the actor was possibly part of a larger crew of individuals responsible for carrying out targeted attacks against worldwide governmental organizations. Technical analysis of some of the attacks, as well as attribution links to Pakistani actors, has already been described by 360 and Tuisec, who found interesting connections to a larger group of attackers that Unit 42 researchers have been tracking, which we are calling Gorgon Group.
2023-11-22 ⋅ Twitter (@embee_research) ⋅ Embee_research @online{embeeresearch:20231122:practical:1847814,
author = {Embee_research},
title = {{Practical Queries for Malware Infrastructure - Part 3 (Advanced Examples)}},
date = {2023-11-22},
organization = {Twitter (@embee_research)},
url = {https://embee-research.ghost.io/practical-queries-for-malware-infrastructure-part-3/},
language = {English},
urldate = {2023-11-22}
}
Practical Queries for Malware Infrastructure - Part 3 (Advanced Examples) BianLian Xtreme RAT NjRAT QakBot RedLine Stealer Remcos |
2023-11-21 ⋅ Medium infoSec Write-ups ⋅ JustAnother-Engineer @online{justanotherengineer:20231121:unmasking:68727c8,
author = {JustAnother-Engineer},
title = {{Unmasking NJRat: A Deep Dive into a Notorious Remote Access Trojan Part1}},
date = {2023-11-21},
organization = {Medium infoSec Write-ups},
url = {https://infosecwriteups.com/part1-static-code-analysis-of-the-rat-njrat-2f273408df43},
language = {English},
urldate = {2023-11-22}
}
Unmasking NJRat: A Deep Dive into a Notorious Remote Access Trojan Part1 NjRAT |
2023-10-27 ⋅ Twitter (@embee_research) ⋅ Embee_research @online{embeeresearch:20231027:remcos:af5fa30,
author = {Embee_research},
title = {{Remcos Downloader Analysis - Manual Deobfuscation of Visual Basic and Powershell}},
date = {2023-10-27},
organization = {Twitter (@embee_research)},
url = {https://embee-research.ghost.io/decoding-a-remcos-loader-script-visual-basic-deobfuscation/},
language = {English},
urldate = {2023-10-30}
}
Remcos Downloader Analysis - Manual Deobfuscation of Visual Basic and Powershell Remcos |
2023-10-12 ⋅ Cluster25 ⋅ Cluster25 Threat Intel Team @online{team:20231012:cve202338831:6b50b62,
author = {Cluster25 Threat Intel Team},
title = {{CVE-2023-38831 Exploited by Pro-Russia Hacking Groups in RU-UA Conflict Zone for Credential Harvesting Operations}},
date = {2023-10-12},
organization = {Cluster25},
url = {https://blog.cluster25.duskrise.com/2023/10/12/cve-2023-38831-russian-attack},
language = {English},
urldate = {2023-10-13}
}
CVE-2023-38831 Exploited by Pro-Russia Hacking Groups in RU-UA Conflict Zone for Credential Harvesting Operations Agent Tesla Crimson RAT Nanocore RAT SmokeLoader |
2023-10-12 ⋅ Spamhaus ⋅ Spamhaus Malware Labs @techreport{labs:20231012:spamhaus:cc0ff5c,
author = {Spamhaus Malware Labs},
title = {{Spamhaus Botnet Threat Update Q3 2023}},
date = {2023-10-12},
institution = {Spamhaus},
url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf},
language = {English},
urldate = {2023-10-17}
}
Spamhaus Botnet Threat Update Q3 2023 FluBot AsyncRAT Ave Maria Cobalt Strike DCRat Havoc IcedID ISFB Nanocore RAT NjRAT QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Stealc Tofsee Vidar |
2023-10-05 ⋅ Twitter (@embee_research) ⋅ Embee_research @online{embeeresearch:20231005:introduction:4edb3e1,
author = {Embee_research},
title = {{Introduction to DotNet Configuration Extraction - RevengeRAT}},
date = {2023-10-05},
organization = {Twitter (@embee_research)},
url = {https://embee-research.ghost.io/introduction-to-dotnet-configuration-extraction-revengerat/},
language = {English},
urldate = {2023-10-05}
}
Introduction to DotNet Configuration Extraction - RevengeRAT Revenge RAT |
2023-09-19 ⋅ Checkpoint ⋅ Alexey Bukhteyev, Arie Olshtein @online{bukhteyev:20230919:unveiling:1ebf179,
author = {Alexey Bukhteyev and Arie Olshtein},
title = {{Unveiling the Shadows: The Dark Alliance between GuLoader and Remcos}},
date = {2023-09-19},
organization = {Checkpoint},
url = {https://research.checkpoint.com/2023/unveiling-the-shadows-the-dark-alliance-between-guloader-and-remcos/},
language = {English},
urldate = {2023-09-20}
}
Unveiling the Shadows: The Dark Alliance between GuLoader and Remcos CloudEyE Remcos |
2023-09-08 ⋅ Gi7w0rm @online{gi7w0rm:20230908:uncovering:e0089d9,
author = {Gi7w0rm},
title = {{Uncovering DDGroup — A long-time threat actor}},
date = {2023-09-08},
url = {https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4},
language = {English},
urldate = {2023-09-08}
}
Uncovering DDGroup — A long-time threat actor AsyncRAT Ave Maria BitRAT DBatLoader NetWire RC Quasar RAT XWorm |
2023-07-12 ⋅ Fortinet ⋅ Cara Lin @online{lin:20230712:lokibot:f77d705,
author = {Cara Lin},
title = {{LokiBot Campaign Targets Microsoft Office Document Using Vulnerabilities and Macros}},
date = {2023-07-12},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/lokibot-targets-microsoft-office-document-using-vulnerabilities-and-macros},
language = {English},
urldate = {2023-07-19}
}
LokiBot Campaign Targets Microsoft Office Document Using Vulnerabilities and Macros Loki Password Stealer (PWS) |
2023-07-11 ⋅ Spamhaus ⋅ Spamhaus Malware Labs @techreport{labs:20230711:spamhaus:4e2885e,
author = {Spamhaus Malware Labs},
title = {{Spamhaus Botnet Threat Update Q2 2023}},
date = {2023-07-11},
institution = {Spamhaus},
url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf},
language = {English},
urldate = {2023-07-22}
}
Spamhaus Botnet Threat Update Q2 2023 Hydra AsyncRAT Aurora Stealer Ave Maria BumbleBee Cobalt Strike DCRat Havoc IcedID ISFB NjRAT QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee |
2023-07-08 ⋅ Gi7w0rm @online{gi7w0rm:20230708:cloudeye:1fba0b1,
author = {Gi7w0rm},
title = {{CloudEyE — From .lnk to Shellcode}},
date = {2023-07-08},
url = {https://gi7w0rm.medium.com/cloudeye-from-lnk-to-shellcode-4b5f1d6d877},
language = {English},
urldate = {2023-07-10}
}
CloudEyE — From .lnk to Shellcode CloudEyE Remcos |
2023-06-08 ⋅ Twitter (@embee_research) ⋅ Embee_research @online{embeeresearch:20230608:practical:61d0677,
author = {Embee_research},
title = {{Practical Queries for Identifying Malware Infrastructure: An informal page for storing Censys/Shodan queries}},
date = {2023-06-08},
organization = {Twitter (@embee_research)},
url = {https://embee-research.ghost.io/shodan-censys-queries/},
language = {English},
urldate = {2023-06-09}
}
Practical Queries for Identifying Malware Infrastructure: An informal page for storing Censys/Shodan queries Amadey AsyncRAT Cobalt Strike QakBot Quasar RAT Sliver solarmarker |
2023-05-16 ⋅ CyberRaiju ⋅ Jai Minton @online{minton:20230516:remcos:55b425b,
author = {Jai Minton},
title = {{Remcos RAT - Malware Analysis Lab}},
date = {2023-05-16},
organization = {CyberRaiju},
url = {https://www.jaiminton.com/reverse-engineering/remcos#},
language = {English},
urldate = {2023-05-21}
}
Remcos RAT - Malware Analysis Lab Remcos |
2023-05-15 ⋅ embeeresearch ⋅ Embee_research @online{embeeresearch:20230515:quasar:6a364a0,
author = {Embee_research},
title = {{Quasar Rat Analysis - Identification of 64 Quasar Servers Using Shodan and Censys}},
date = {2023-05-15},
organization = {embeeresearch},
url = {https://embee-research.ghost.io/hunting-quasar-rat-shodan},
language = {English},
urldate = {2023-05-16}
}
Quasar Rat Analysis - Identification of 64 Quasar Servers Using Shodan and Censys Quasar RAT |
2023-04-13 ⋅ Microsoft ⋅ Microsoft Threat Intelligence @online{intelligence:20230413:threat:a445e97,
author = {Microsoft Threat Intelligence},
title = {{Threat actors strive to cause Tax Day headaches}},
date = {2023-04-13},
organization = {Microsoft},
url = {https://www.microsoft.com/en-us/security/blog/2023/04/13/threat-actors-strive-to-cause-tax-day-headaches/},
language = {English},
urldate = {2023-04-18}
}
Threat actors strive to cause Tax Day headaches CloudEyE Remcos |
2023-04-13 ⋅ OALabs ⋅ Sergei Frankoff @online{frankoff:20230413:quasar:3ad6058,
author = {Sergei Frankoff},
title = {{Quasar Chaos: Open Source Ransomware Meets Open Source RAT}},
date = {2023-04-13},
organization = {OALabs},
url = {https://research.openanalysis.net/quasar/chaos/rat/ransomware/2023/04/13/quasar-chaos.html},
language = {English},
urldate = {2023-05-02}
}
Quasar Chaos: Open Source Ransomware Meets Open Source RAT Chaos Quasar RAT |
2023-04-12 ⋅ Spamhaus ⋅ Spamhaus Malware Labs @techreport{labs:20230412:spamhaus:aa309d1,
author = {Spamhaus Malware Labs},
title = {{Spamhaus Botnet Threat Update Q1 2023}},
date = {2023-04-12},
institution = {Spamhaus},
url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf},
language = {English},
urldate = {2023-04-18}
}
Spamhaus Botnet Threat Update Q1 2023 FluBot Amadey AsyncRAT Aurora Ave Maria BumbleBee Cobalt Strike DCRat Emotet IcedID ISFB NjRAT QakBot RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee Vidar |
2023-04-10 ⋅ Check Point ⋅ Check Point @online{point:20230410:march:144c1ad,
author = {Check Point},
title = {{March 2023’s Most Wanted Malware: New Emotet Campaign Bypasses Microsoft Blocks to Distribute Malicious OneNote Files}},
date = {2023-04-10},
organization = {Check Point},
url = {https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/},
language = {English},
urldate = {2023-04-12}
}
March 2023’s Most Wanted Malware: New Emotet Campaign Bypasses Microsoft Blocks to Distribute Malicious OneNote Files Agent Tesla CloudEyE Emotet Formbook Nanocore RAT NjRAT QakBot Remcos Tofsee |
2023-03-30 ⋅ loginsoft ⋅ Saharsh Agrawal @online{agrawal:20230330:from:7b46ae0,
author = {Saharsh Agrawal},
title = {{From Innocence to Malice: The OneNote Malware Campaign Uncovered}},
date = {2023-03-30},
organization = {loginsoft},
url = {https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/},
language = {English},
urldate = {2023-04-14}
}
From Innocence to Malice: The OneNote Malware Campaign Uncovered Agent Tesla AsyncRAT DOUBLEBACK Emotet Formbook IcedID NetWire RC QakBot Quasar RAT RedLine Stealer XWorm |
2023-03-27 ⋅ Zscaler ⋅ Meghraj Nandanwar, Satyam Singh @online{nandanwar:20230327:dbatloader:a8f205c,
author = {Meghraj Nandanwar and Satyam Singh},
title = {{DBatLoader: Actively Distributing Malwares Targeting European Businesses}},
date = {2023-03-27},
organization = {Zscaler},
url = {https://www.zscaler.com/blogs/security-research/dbatloader-actively-distributing-malwares-targeting-european-businesses},
language = {English},
urldate = {2023-03-29}
}
DBatLoader: Actively Distributing Malwares Targeting European Businesses DBatLoader Remcos |
2023-03-16 ⋅ Trend Micro ⋅ Cedric Pernet, Jaromír Hořejší, Loseway Lu @online{pernet:20230316:ipfs:6f479ce,
author = {Cedric Pernet and Jaromír Hořejší and Loseway Lu},
title = {{IPFS: A New Data Frontier or a New Cybercriminal Hideout?}},
date = {2023-03-16},
organization = {Trend Micro},
url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout},
language = {English},
urldate = {2023-03-20}
}
IPFS: A New Data Frontier or a New Cybercriminal Hideout? Agent Tesla Formbook RedLine Stealer Remcos |
2023-02-24 ⋅ Zscaler ⋅ Niraj Shivtarkar, Avinash Kumar @online{shivtarkar:20230224:snip3:8bab444,
author = {Niraj Shivtarkar and Avinash Kumar},
title = {{Snip3 Crypter Reveals New TTPs Over Time}},
date = {2023-02-24},
organization = {Zscaler},
url = {https://www.zscaler.com/blogs/security-research/snip3-crypter-reveals-new-ttps-over-time},
language = {English},
urldate = {2023-03-13}
}
Snip3 Crypter Reveals New TTPs Over Time DCRat Quasar RAT |
2023-01-30 ⋅ Checkpoint ⋅ Arie Olshtein @online{olshtein:20230130:following:e442fcc,
author = {Arie Olshtein},
title = {{Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware}},
date = {2023-01-30},
organization = {Checkpoint},
url = {https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/},
language = {English},
urldate = {2023-01-31}
}
Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware Agent Tesla Azorult Buer Cerber Cobalt Strike Emotet Formbook HawkEye Keylogger Loki Password Stealer (PWS) Maze NetWire RC Remcos REvil TrickBot |
2023-01-24 ⋅ Trellix ⋅ Daksh Kapur, Tomer Shloman, Robert Venal, John Fokker @online{kapur:20230124:cyberattacks:0a05372,
author = {Daksh Kapur and Tomer Shloman and Robert Venal and John Fokker},
title = {{Cyberattacks Targeting Ukraine Increase 20-fold at End of 2022 Fueled by Russia-linked Gamaredon Activity}},
date = {2023-01-24},
organization = {Trellix},
url = {https://www.trellix.com/en-us/about/newsroom/stories/research/cyberattacks-targeting-ukraine-increase.html},
language = {English},
urldate = {2023-01-25}
}
Cyberattacks Targeting Ukraine Increase 20-fold at End of 2022 Fueled by Russia-linked Gamaredon Activity Andromeda Formbook Houdini Remcos |
2023-01-17 ⋅ Trend Micro ⋅ Peter Girnus, Aliakbar Zahravi @online{girnus:20230117:earth:f1cba60,
author = {Peter Girnus and Aliakbar Zahravi},
title = {{Earth Bogle: Campaigns Target the Middle East with Geopolitical Lures}},
date = {2023-01-17},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/23/a/earth-bogle-campaigns-target-middle-east-with-geopolitical-lures.html},
language = {English},
urldate = {2023-01-19}
}
Earth Bogle: Campaigns Target the Middle East with Geopolitical Lures NjRAT |
2023-01-05 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20230105:bluebottle:031223f,
author = {Threat Hunter Team},
title = {{Bluebottle: Campaign Hits Banks in French-speaking Countries in Africa}},
date = {2023-01-05},
organization = {Symantec},
url = {http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa},
language = {English},
urldate = {2023-11-17}
}
Bluebottle: Campaign Hits Banks in French-speaking Countries in Africa CloudEyE Cobalt Strike MimiKatz NetWire RC POORTRY Quasar RAT |
2022-12-24 ⋅ di.sclosu.re ⋅ di.sclosu.re @online{disclosure:20221224:njrat:0b45969,
author = {di.sclosu.re},
title = {{njRAT malware spreading through Discord CDN and Facebook Ads}},
date = {2022-12-24},
organization = {di.sclosu.re},
url = {https://di.sclosu.re/en/njrat-malware-spreading-through-discord-cdn-and-facebook-ads/},
language = {English},
urldate = {2023-01-10}
}
njRAT malware spreading through Discord CDN and Facebook Ads NjRAT |
2022-11-21 ⋅ Malwarebytes ⋅ Malwarebytes @techreport{malwarebytes:20221121:20221121:f4c6d35,
author = {Malwarebytes},
title = {{2022-11-21 Threat Intel Report}},
date = {2022-11-21},
institution = {Malwarebytes},
url = {https://www.malwarebytes.com/blog/threat-intelligence/2022/20221121-threat-intel-report-final.pdf},
language = {English},
urldate = {2022-11-25}
}
2022-11-21 Threat Intel Report 404 Keylogger Agent Tesla Formbook Hive Remcos |
2022-10-13 ⋅ Spamhaus ⋅ Spamhaus Malware Labs @techreport{labs:20221013:spamhaus:43e3190,
author = {Spamhaus Malware Labs},
title = {{Spamhaus Botnet Threat Update Q3 2022}},
date = {2022-10-13},
institution = {Spamhaus},
url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf},
language = {English},
urldate = {2022-12-29}
}
Spamhaus Botnet Threat Update Q3 2022 FluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars Tofsee Vjw0rm |
2022-09-22 ⋅ Morphisec ⋅ Morphisec Labs @online{labs:20220922:watch:0f6c6c3,
author = {Morphisec Labs},
title = {{Watch Out For The New NFT-001}},
date = {2022-09-22},
organization = {Morphisec},
url = {https://blog.morphisec.com/nft-malware-new-evasion-abilities},
language = {English},
urldate = {2022-11-21}
}
Watch Out For The New NFT-001 Eternity Stealer Remcos |
2022-09-13 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20220913:new:2ff2e98,
author = {Threat Hunter Team},
title = {{New Wave of Espionage Activity Targets Asian Governments}},
date = {2022-09-13},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments},
language = {English},
urldate = {2022-09-20}
}
New Wave of Espionage Activity Targets Asian Governments MimiKatz PlugX Quasar RAT ShadowPad Trochilus RAT |
2022-08-30 ⋅ Medium the_abjuri5t ⋅ John F @online{f:20220830:nanocore:86aa443,
author = {John F},
title = {{NanoCore RAT Hunting Guide}},
date = {2022-08-30},
organization = {Medium the_abjuri5t},
url = {https://medium.com/@the_abjuri5t/nanocore-rat-hunting-guide-cb185473c1e0},
language = {English},
urldate = {2022-08-30}
}
NanoCore RAT Hunting Guide Nanocore RAT |
2022-08-29 ⋅ Soc Investigation ⋅ BalaGanesh @online{balaganesh:20220829:remcos:6f6dbe5,
author = {BalaGanesh},
title = {{Remcos RAT New TTPS - Detection & Response}},
date = {2022-08-29},
organization = {Soc Investigation},
url = {https://www.socinvestigation.com/remcos-rat-new-ttps-detection-response/},
language = {English},
urldate = {2022-09-06}
}
Remcos RAT New TTPS - Detection & Response Remcos |
2022-08-25 ⋅ splunk ⋅ Splunk Threat Research Team @online{team:20220825:applocker:7ed5b33,
author = {Splunk Threat Research Team},
title = {{AppLocker Rules as Defense Evasion: Complete Analysis}},
date = {2022-08-25},
organization = {splunk},
url = {https://www.splunk.com/en_us/blog/security/-applocker-rules-as-defense-evasion-complete-analysis.html},
language = {English},
urldate = {2022-08-30}
}
AppLocker Rules as Defense Evasion: Complete Analysis Azorult |
2022-08-21 ⋅ Perception Point ⋅ Igal Lytzki @online{lytzki:20220821:behind:e6e884e,
author = {Igal Lytzki},
title = {{Behind the Attack: Remcos RAT}},
date = {2022-08-21},
organization = {Perception Point},
url = {https://perception-point.io/behind-the-attack-remcos-rat/},
language = {English},
urldate = {2022-09-22}
}
Behind the Attack: Remcos RAT Remcos |
2022-08-18 ⋅ Proofpoint ⋅ Joe Wise, Selena Larson, Proofpoint Threat Research Team @online{wise:20220818:reservations:c2f9faf,
author = {Joe Wise and Selena Larson and Proofpoint Threat Research Team},
title = {{Reservations Requested: TA558 Targets Hospitality and Travel}},
date = {2022-08-18},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel},
language = {English},
urldate = {2022-08-18}
}
Reservations Requested: TA558 Targets Hospitality and Travel AsyncRAT Loda NjRAT Ozone RAT Revenge RAT Vjw0rm |
2022-08-18 ⋅ Sophos ⋅ Sean Gallagher @online{gallagher:20220818:cookie:74bd0f5,
author = {Sean Gallagher},
title = {{Cookie stealing: the new perimeter bypass}},
date = {2022-08-18},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass},
language = {English},
urldate = {2022-08-22}
}
Cookie stealing: the new perimeter bypass Cobalt Strike Meterpreter MimiKatz Phoenix Keylogger Quasar RAT |
2022-08-17 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam @online{researchteam:20220817:darktortilla:9a00612,
author = {Counter Threat Unit ResearchTeam},
title = {{DarkTortilla Malware Analysis}},
date = {2022-08-17},
organization = {Secureworks},
url = {https://www.secureworks.com/research/darktortilla-malware-analysis},
language = {English},
urldate = {2023-01-05}
}
DarkTortilla Malware Analysis Agent Tesla AsyncRAT Cobalt Strike DarkTortilla Nanocore RAT RedLine Stealer |
2022-08-17 ⋅ 360 ⋅ 360 Threat Intelligence Center @online{center:20220817:kasablanka:2a28570,
author = {360 Threat Intelligence Center},
title = {{Kasablanka organizes attacks against political groups and non-profit organizations in the Middle East}},
date = {2022-08-17},
organization = {360},
url = {https://mp.weixin.qq.com/s/mstwBMkS0G3Et4GOji2mwA},
language = {Chinese},
urldate = {2022-08-19}
}
Kasablanka organizes attacks against political groups and non-profit organizations in the Middle East SpyNote Loda Nanocore RAT NjRAT |
2022-08-08 ⋅ Medium CSIS Techblog ⋅ Benoît Ancel @online{ancel:20220808:inside:67ef9a0,
author = {Benoît Ancel},
title = {{An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure}},
date = {2022-08-08},
organization = {Medium CSIS Techblog},
url = {https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145},
language = {English},
urldate = {2022-08-28}
}
An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader |
2022-08-05 ⋅ 0xIvan ⋅ Twitter (@viljoenivan) @online{viljoenivan:20220805:lokibot:bb5fd5d,
author = {Twitter (@viljoenivan)},
title = {{LokiBot Analysis}},
date = {2022-08-05},
organization = {0xIvan},
url = {https://ivanvza.github.io/posts/lokibot_analysis},
language = {English},
urldate = {2022-08-17}
}
LokiBot Analysis Loki Password Stealer (PWS) |
2022-08-04 ⋅ ConnectWise ⋅ Stu Gonzalez @online{gonzalez:20220804:formbook:f3addb8,
author = {Stu Gonzalez},
title = {{Formbook and Remcos Backdoor RAT by ConnectWise CRU}},
date = {2022-08-04},
organization = {ConnectWise},
url = {https://www.connectwise.com/resources/formbook-remcos-rat},
language = {English},
urldate = {2022-08-08}
}
Formbook and Remcos Backdoor RAT by ConnectWise CRU Formbook Remcos |
2022-08-02 ⋅ Recorded Future ⋅ Insikt Group @techreport{group:20220802:initial:5caddb5,
author = {Insikt Group},
title = {{Initial Access Brokers Are Key to Rise in Ransomware Attacks}},
date = {2022-08-02},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf},
language = {English},
urldate = {2022-08-05}
}
Initial Access Brokers Are Key to Rise in Ransomware Attacks Azorult BlackMatter Conti Mars Stealer Raccoon RedLine Stealer Taurus Stealer Vidar |
2022-07-29 ⋅ Qualys ⋅ Viren Chaudhari @online{chaudhari:20220729:new:3f06f5c,
author = {Viren Chaudhari},
title = {{New Qualys Research Report: Evolution of Quasar RAT}},
date = {2022-07-29},
organization = {Qualys},
url = {https://blog.qualys.com/vulnerabilities-threat-research/2022/07/29/new-qualys-research-report-evolution-of-quasar-rat},
language = {English},
urldate = {2022-08-04}
}
New Qualys Research Report: Evolution of Quasar RAT Quasar RAT |
2022-07-27 ⋅ Qualys ⋅ Viren Chaudhari @techreport{chaudhari:20220727:stealthy:9b66a95,
author = {Viren Chaudhari},
title = {{Stealthy Quasar Evolving to Lead the RAT Race}},
date = {2022-07-27},
institution = {Qualys},
url = {https://www.qualys.com/docs/whitepapers/qualys-wp-stealthy-quasar-evolving-to-lead-the-rat-race-v220727.pdf},
language = {English},
urldate = {2022-08-04}
}
Stealthy Quasar Evolving to Lead the RAT Race Quasar RAT |
2022-07-20 ⋅ Sophos ⋅ Colin Cowie, Gabor Szappanos @online{cowie:20220720:ooda:6c453ab,
author = {Colin Cowie and Gabor Szappanos},
title = {{OODA: X-Ops Takes On Burgeoning SQL Server Attacks}},
date = {2022-07-20},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2022/07/20/ooda-x-ops-takes-on-burgeoning-sql-server-attacks/},
language = {English},
urldate = {2023-05-30}
}
OODA: X-Ops Takes On Burgeoning SQL Server Attacks Maoloa Remcos TargetCompany |
2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42 @online{42:20220718:pasty:1cb785a,
author = {Unit 42},
title = {{Pasty Gemini}},
date = {2022-07-18},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/atoms/pastygemini/},
language = {English},
urldate = {2022-07-29}
}
Pasty Gemini The Gorgon Group |
2022-07-13 ⋅ Weixin ⋅ Antiy CERT @online{cert:20220713:confucius:307a7f4,
author = {Antiy CERT},
title = {{Confucius: The Angler Hidden Under CloudFlare}},
date = {2022-07-13},
organization = {Weixin},
url = {https://mp.weixin.qq.com/s/n6XQAGtNEXfPZXp1mlwDTQ},
language = {English},
urldate = {2022-07-14}
}
Confucius: The Angler Hidden Under CloudFlare Quasar RAT |
2022-07-13 ⋅ KELA ⋅ KELA Cyber Intelligence Center @online{center:20220713:next:b2e43e4,
author = {KELA Cyber Intelligence Center},
title = {{The Next Generation of Info Stealers}},
date = {2022-07-13},
organization = {KELA},
url = {https://ke-la.com/information-stealers-a-new-landscape/},
language = {English},
urldate = {2022-07-18}
}
The Next Generation of Info Stealers Arkei Stealer Azorult BlackGuard Eternity Stealer Ginzo Stealer Mars Stealer MetaStealer Raccoon RedLine Stealer Vidar |
2022-06-30 ⋅ Cyber Geeks (CyberMasterV) ⋅ Vlad Pasca @online{pasca:20220630:how:78e5c24,
author = {Vlad Pasca},
title = {{How to Expose a Potential Cybercriminal due to Misconfigurations}},
date = {2022-06-30},
organization = {Cyber Geeks (CyberMasterV)},
url = {https://cybergeeks.tech/how-to-expose-a-potential-cybercriminal-due-to-misconfigurations/},
language = {English},
urldate = {2022-07-05}
}
How to Expose a Potential Cybercriminal due to Misconfigurations Loki Password Stealer (PWS) |
2022-06-30 ⋅ CYBER GEEKS All Things Infosec ⋅ CyberMasterV @online{cybermasterv:20220630:how:035d973,
author = {CyberMasterV},
title = {{How to Expose a Potential Cybercriminal due to Misconfigurations}},
date = {2022-06-30},
organization = {CYBER GEEKS All Things Infosec},
url = {https://cybergeeks.tech/how-to-expose-a-potential-cybercriminal-due-to-misconfigurations},
language = {English},
urldate = {2022-08-31}
}
How to Expose a Potential Cybercriminal due to Misconfigurations Loki Password Stealer (PWS) |
2022-06-23 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam @online{researchteam:20220623:bronze:8bccd74,
author = {Counter Threat Unit ResearchTeam},
title = {{BRONZE STARLIGHT Ransomware Operations Use HUI Loader}},
date = {2022-06-23},
organization = {Secureworks},
url = {https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader},
language = {English},
urldate = {2022-09-20}
}
BRONZE STARLIGHT Ransomware Operations Use HUI Loader ATOMSILO Cobalt Strike HUI Loader LockFile NightSky Pandora PlugX Quasar RAT Rook SodaMaster |
2022-06-02 ⋅ FortiGuard Labs ⋅ Fred Gutierrez, Shunichi Imano, James Slaughter, Gergely Revay @online{gutierrez:20220602:threat:6713237,
author = {Fred Gutierrez and Shunichi Imano and James Slaughter and Gergely Revay},
title = {{Threat Actors Prey on Eager Travelers}},
date = {2022-06-02},
organization = {FortiGuard Labs},
url = {https://www.fortinet.com/blog/threat-research/threat-actors-prey-on-eager-travelers},
language = {English},
urldate = {2022-06-15}
}
Threat Actors Prey on Eager Travelers AsyncRAT NetWire RC Quasar RAT |
2022-05-19 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team @online{team:20220519:net:ecf311c,
author = {The BlackBerry Research & Intelligence Team},
title = {{.NET Stubs: Sowing the Seeds of Discord (PureCrypter)}},
date = {2022-05-19},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord},
language = {English},
urldate = {2022-06-09}
}
.NET Stubs: Sowing the Seeds of Discord (PureCrypter) Aberebot AbstractEmu AdoBot 404 Keylogger Agent Tesla Amadey AsyncRAT Ave Maria BitRAT BluStealer Formbook LimeRAT Loki Password Stealer (PWS) Nanocore RAT Orcus RAT Quasar RAT Raccoon RedLine Stealer WhisperGate |
2022-05-19 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team @online{team:20220519:net:64662b5,
author = {The BlackBerry Research & Intelligence Team},
title = {{.NET Stubs: Sowing the Seeds of Discord}},
date = {2022-05-19},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord?},
language = {English},
urldate = {2022-05-23}
}
.NET Stubs: Sowing the Seeds of Discord Agent Tesla Quasar RAT WhisperGate |
2022-05-16 ⋅ JPCERT/CC ⋅ Shusei Tomonaga @online{tomonaga:20220516:analysis:b1c8089,
author = {Shusei Tomonaga},
title = {{Analysis of HUI Loader}},
date = {2022-05-16},
organization = {JPCERT/CC},
url = {https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html},
language = {English},
urldate = {2022-05-17}
}
Analysis of HUI Loader HUI Loader PlugX Poison Ivy Quasar RAT |
2022-05-12 ⋅ Morphisec ⋅ Hido Cohen @online{cohen:20220512:new:6e12278,
author = {Hido Cohen},
title = {{New SYK Crypter Distributed Via Discord}},
date = {2022-05-12},
organization = {Morphisec},
url = {https://blog.morphisec.com/syk-crypter-discord},
language = {English},
urldate = {2022-06-09}
}
New SYK Crypter Distributed Via Discord AsyncRAT Ave Maria Nanocore RAT NjRAT Quasar RAT RedLine Stealer |
2022-05-10 ⋅ Checkpoint ⋅ Checkpoint @online{checkpoint:20220510:infostealer:33aee4a,
author = {Checkpoint},
title = {{Info-stealer Campaign targets German Car Dealerships and Manufacturers}},
date = {2022-05-10},
organization = {Checkpoint},
url = {https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/},
language = {English},
urldate = {2022-05-13}
}
Info-stealer Campaign targets German Car Dealerships and Manufacturers Azorult BitRAT Raccoon |
2022-05-09 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team @online{team:20220509:dirty:76f87f1,
author = {The BlackBerry Research & Intelligence Team},
title = {{Dirty Deeds Done Dirt Cheap: Russian RAT Offers Backdoor Bargains}},
date = {2022-05-09},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains},
language = {English},
urldate = {2022-05-17}
}
Dirty Deeds Done Dirt Cheap: Russian RAT Offers Backdoor Bargains DCRat NjRAT |
2022-05-05 ⋅ Github (muha2xmad) ⋅ Muhammad Hasan Ali @online{ali:20220505:analysis:3ec712d,
author = {Muhammad Hasan Ali},
title = {{Analysis of MS Word to drop Remcos RAT | VBA extraction and analysis | IoCs}},
date = {2022-05-05},
organization = {Github (muha2xmad)},
url = {https://muha2xmad.github.io/mal-document/remcosdoc/},
language = {English},
urldate = {2022-05-08}
}
Analysis of MS Word to drop Remcos RAT | VBA extraction and analysis | IoCs Remcos |
2022-04-27 ⋅ Trend Micro ⋅ Daniel Lunghi, Jaromír Hořejší @online{lunghi:20220427:new:9068f6e,
author = {Daniel Lunghi and Jaromír Hořejší},
title = {{New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware}},
date = {2022-04-27},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html},
language = {English},
urldate = {2023-04-18}
}
New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware HelloBot AsyncRAT Ghost RAT HelloBot PlugX Quasar RAT Earth Berberoka |
2022-04-27 ⋅ Trendmicro ⋅ Trendmicro @online{trendmicro:20220427:iocs:18f7e31,
author = {Trendmicro},
title = {{IOCs for Earth Berberoka - Windows}},
date = {2022-04-27},
organization = {Trendmicro},
url = {https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt},
language = {English},
urldate = {2022-07-25}
}
IOCs for Earth Berberoka - Windows AsyncRAT Cobalt Strike PlugX Quasar RAT Earth Berberoka |
2022-04-27 ⋅ Trendmicro ⋅ Daniel Lunghi, Jaromír Hořejší @techreport{lunghi:20220427:operation:bdba881,
author = {Daniel Lunghi and Jaromír Hořejší},
title = {{Operation Gambling Puppet}},
date = {2022-04-27},
institution = {Trendmicro},
url = {https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf},
language = {English},
urldate = {2022-07-25}
}
Operation Gambling Puppet reptile oRAT AsyncRAT Cobalt Strike DCRat Ghost RAT PlugX Quasar RAT Trochilus RAT Earth Berberoka |
2022-04-26 ⋅ Trend Micro ⋅ Ryan Flores, Stephen Hilt, Lord Alfred Remorin @online{flores:20220426:how:28d9476,
author = {Ryan Flores and Stephen Hilt and Lord Alfred Remorin},
title = {{How Cybercriminals Abuse Cloud Tunneling Services}},
date = {2022-04-26},
organization = {Trend Micro},
url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services},
language = {English},
urldate = {2022-05-03}
}
How Cybercriminals Abuse Cloud Tunneling Services AsyncRAT Cobalt Strike DarkComet Meterpreter Nanocore RAT |
2022-04-17 ⋅ Malcat ⋅ malcat team @online{team:20220417:reversing:4e53a3a,
author = {malcat team},
title = {{Reversing a NSIS dropper using quick and dirty shellcode emulation}},
date = {2022-04-17},
organization = {Malcat},
url = {https://malcat.fr/blog/reversing-a-nsis-dropper-using-quick-and-dirty-shellcode-emulation/},
language = {English},
urldate = {2022-04-29}
}
Reversing a NSIS dropper using quick and dirty shellcode emulation Loki Password Stealer (PWS) |
2022-04-15 ⋅ Center for Internet Security ⋅ CIS @online{cis:20220415:top:62c8245,
author = {CIS},
title = {{Top 10 Malware March 2022}},
date = {2022-04-15},
organization = {Center for Internet Security},
url = {https://www.cisecurity.org/insights/blog/top-10-malware-march-2022},
language = {English},
urldate = {2023-02-17}
}
Top 10 Malware March 2022 Mirai Shlayer Agent Tesla Ghost RAT Nanocore RAT SectopRAT solarmarker Zeus |
2022-04-12 ⋅ HP ⋅ Patrick Schläpfer @online{schlpfer:20220412:malware:5032799,
author = {Patrick Schläpfer},
title = {{Malware Campaigns Targeting African Banking Sector}},
date = {2022-04-12},
organization = {HP},
url = {https://threatresearch.ext.hp.com/malware-campaigns-targeting-african-banking-sector/},
language = {English},
urldate = {2022-04-15}
}
Malware Campaigns Targeting African Banking Sector CloudEyE Remcos |
2022-04-07 ⋅ Perception Point ⋅ Igal Lytzki @online{lytzki:20220407:revenge:9f4c4e4,
author = {Igal Lytzki},
title = {{Revenge RAT Malware is back: From Microsoft Excel macros to Remote Access Trojan}},
date = {2022-04-07},
organization = {Perception Point},
url = {https://perception-point.io/revenge-rat-back-from-microsoft-excel-macros/},
language = {English},
urldate = {2022-06-09}
}
Revenge RAT Malware is back: From Microsoft Excel macros to Remote Access Trojan Revenge RAT |
2022-04-06 ⋅ Fortinet ⋅ Xiaopeng Zhang @online{zhang:20220406:latest:a7dbcb3,
author = {Xiaopeng Zhang},
title = {{The Latest Remcos RAT Driven By Phishing Campaign}},
date = {2022-04-06},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing},
language = {English},
urldate = {2022-08-05}
}
The Latest Remcos RAT Driven By Phishing Campaign Remcos |
2022-03-30 ⋅ Morphisec ⋅ Hido Cohen @online{cohen:20220330:new:b2abe2b,
author = {Hido Cohen},
title = {{New Wave Of Remcos RAT Phishing Campaign}},
date = {2022-03-30},
organization = {Morphisec},
url = {https://blog.morphisec.com/remcos-trojan-analyzing-attack-chain},
language = {English},
urldate = {2022-03-31}
}
New Wave Of Remcos RAT Phishing Campaign Remcos |
2022-03-27 ⋅ Medium M3H51N ⋅ M3H51N @online{m3h51n:20220327:malware:b1e1deb,
author = {M3H51N},
title = {{Malware Analysis — NanoCore Rat}},
date = {2022-03-27},
organization = {Medium M3H51N},
url = {https://medium.com/@M3HS1N/malware-analysis-nanocore-rat-6cae8c6df918},
language = {English},
urldate = {2022-04-04}
}
Malware Analysis — NanoCore Rat Nanocore RAT |
2022-03-25 ⋅ Trustwave ⋅ Trustwave SpiderLabs @online{spiderlabs:20220325:cyber:6401810,
author = {Trustwave SpiderLabs},
title = {{Cyber Attackers Leverage Russia-Ukraine Conflict in Multiple Spam Campaigns}},
date = {2022-03-25},
organization = {Trustwave},
url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cyber-attackers-leverage-russia-ukraine-conflict-in-multiple-spam-campaigns},
language = {English},
urldate = {2022-08-17}
}
Cyber Attackers Leverage Russia-Ukraine Conflict in Multiple Spam Campaigns Remcos |
2022-03-24 ⋅ Lab52 ⋅ freyit @online{freyit:20220324:another:4578bc2,
author = {freyit},
title = {{Another cyber espionage campaign in the Russia-Ukrainian ongoing cyber attacks}},
date = {2022-03-24},
organization = {Lab52},
url = {https://lab52.io/blog/another-cyber-espionage-campaign-in-the-russia-ukrainian-ongoing-cyber-attacks/},
language = {English},
urldate = {2022-03-25}
}
Another cyber espionage campaign in the Russia-Ukrainian ongoing cyber attacks Quasar RAT |
2022-03-23 ⋅ EcuCert ⋅ EcuCert @techreport{ecucert:20220323:aptc36:7f5e46b,
author = {EcuCert},
title = {{APT-C-36 Advanced Persistent Threat Campaign Could be present in Ecuador}},
date = {2022-03-23},
institution = {EcuCert},
url = {https://www.ecucert.gob.ec/wp-content/uploads/2022/03/alerta-APTs-2022-03-23.pdf},
language = {Spanish},
urldate = {2023-12-04}
}
APT-C-36 Advanced Persistent Threat Campaign Could be present in Ecuador NjRAT |
2022-03-09 ⋅ Lab52 ⋅ Lab52 @online{lab52:20220309:very:b667537,
author = {Lab52},
title = {{Very very lazy Lazyscripter’s scripts: double compromise in a single obfuscation}},
date = {2022-03-09},
organization = {Lab52},
url = {https://lab52.io/blog/very-very-lazy-lazyscripters-scripts-double-compromise-in-a-single-obfuscation/},
language = {English},
urldate = {2022-03-10}
}
Very very lazy Lazyscripter’s scripts: double compromise in a single obfuscation NjRAT |
2022-03-07 ⋅ ASEC ⋅ ASEC @online{asec:20220307:distribution:d298aca,
author = {ASEC},
title = {{Distribution of Remcos RAT Disguised as Tax Invoice}},
date = {2022-03-07},
organization = {ASEC},
url = {https://asec.ahnlab.com/en/32376/},
language = {English},
urldate = {2022-03-07}
}
Distribution of Remcos RAT Disguised as Tax Invoice Remcos |
2022-03-07 ⋅ LAC WATCH ⋅ Cyber Emergency Center @online{center:20220307:i:aadcf34,
author = {Cyber Emergency Center},
title = {{I CAN'T HEAR YOU NOW! INTERNAL BEHAVIOR OF INFORMATION-STEALING MALWARE AND JSOC DETECTION TRENDS}},
date = {2022-03-07},
organization = {LAC WATCH},
url = {https://www.lac.co.jp/lacwatch/report/20220307_002893.html},
language = {Japanese},
urldate = {2022-04-05}
}
I CAN'T HEAR YOU NOW! INTERNAL BEHAVIOR OF INFORMATION-STEALING MALWARE AND JSOC DETECTION TRENDS Xloader Agent Tesla Formbook Loki Password Stealer (PWS) |
2022-03-05 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20220305:malware:5ab8b53,
author = {Lawrence Abrams},
title = {{Malware now using NVIDIA's stolen code signing certificates}},
date = {2022-03-05},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/malware-now-using-nvidias-stolen-code-signing-certificates/},
language = {English},
urldate = {2022-03-10}
}
Malware now using NVIDIA's stolen code signing certificates Quasar RAT |
2022-03-04 ⋅ Bleeping Computer ⋅ Bill Toulas @online{toulas:20220304:russiaukraine:60c3069,
author = {Bill Toulas},
title = {{Russia-Ukraine war exploited as lure for malware distribution}},
date = {2022-03-04},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/russia-ukraine-war-exploited-as-lure-for-malware-distribution/},
language = {English},
urldate = {2022-03-04}
}
Russia-Ukraine war exploited as lure for malware distribution Agent Tesla Remcos |
2022-03-04 ⋅ Bitdefender ⋅ Alina Bizga @online{bizga:20220304:bitdefender:44d1f32,
author = {Alina Bizga},
title = {{Bitdefender Labs Sees Increased Malicious and Scam Activity Exploiting the War in Ukraine}},
date = {2022-03-04},
organization = {Bitdefender},
url = {https://www.bitdefender.com/blog/hotforsecurity/bitdefender-labs-sees-increased-malicious-and-scam-activity-exploiting-the-war-in-ukraine},
language = {English},
urldate = {2022-03-04}
}
Bitdefender Labs Sees Increased Malicious and Scam Activity Exploiting the War in Ukraine Agent Tesla Remcos |
2022-03 ⋅ VirusTotal ⋅ VirusTotal @techreport{virustotal:202203:virustotals:c6af9c1,
author = {VirusTotal},
title = {{VirusTotal's 2021 Malware Trends Report}},
date = {2022-03},
institution = {VirusTotal},
url = {https://assets.virustotal.com/reports/2021trends.pdf},
language = {English},
urldate = {2022-04-13}
}
VirusTotal's 2021 Malware Trends Report Anubis AsyncRAT BlackMatter Cobalt Strike DanaBot Dridex Khonsari MimiKatz Mirai Nanocore RAT Orcus RAT |
2022-02-28 ⋅ ASEC ⋅ ASEC @online{asec:20220228:remcos:d53c470,
author = {ASEC},
title = {{Remcos RAT malware disseminated by pretending to be tax invoices}},
date = {2022-02-28},
organization = {ASEC},
url = {https://asec.ahnlab.com/ko/32101/},
language = {Korean},
urldate = {2022-03-07}
}
Remcos RAT malware disseminated by pretending to be tax invoices Remcos |
2022-02-22 ⋅ CyCraft Technology Corp @online{corp:20220222:china:76aa7e8,
author = {CyCraft Technology Corp},
title = {{China Implicated in Prolonged Supply Chain Attack Targeting Taiwan Financial Sector}},
date = {2022-02-22},
url = {https://medium.com/cycraft/china-implicated-in-prolonged-supply-chain-attack-targeting-taiwan-financial-sector-264b6a1c3525},
language = {English},
urldate = {2022-02-26}
}
China Implicated in Prolonged Supply Chain Attack Targeting Taiwan Financial Sector Quasar RAT |
2022-02-21 ⋅ CyCraft ⋅ CyCraft AI @online{ai:20220221:indepth:73e8778,
author = {CyCraft AI},
title = {{An in-depth analysis of the Operation Cache Panda organized supply chain attack on Taiwan's financial industry}},
date = {2022-02-21},
organization = {CyCraft},
url = {https://medium.com/cycraft/supply-chain-attack-targeting-taiwan-financial-sector-bae2f0962934},
language = {Chinese},
urldate = {2022-02-26}
}
An in-depth analysis of the Operation Cache Panda organized supply chain attack on Taiwan's financial industry Quasar RAT |
2022-02-21 ⋅ The Record ⋅ Catalin Cimpanu @online{cimpanu:20220221:chinese:fe29003,
author = {Catalin Cimpanu},
title = {{Chinese hackers linked to months-long attack on Taiwanese financial sector}},
date = {2022-02-21},
organization = {The Record},
url = {https://therecord.media/chinese-hackers-linked-to-months-long-attack-on-taiwanese-financial-sector/},
language = {English},
urldate = {2022-02-26}
}
Chinese hackers linked to months-long attack on Taiwanese financial sector Quasar RAT |
2022-02-18 ⋅ SANS ISC ⋅ Xavier Mertens @online{mertens:20220218:remcos:c302a64,
author = {Xavier Mertens},
title = {{Remcos RAT Delivered Through Double Compressed Archive}},
date = {2022-02-18},
organization = {SANS ISC},
url = {https://isc.sans.edu/forums/diary/Remcos+RAT+Delivered+Through+Double+Compressed+Archive/28354/},
language = {English},
urldate = {2022-02-18}
}
Remcos RAT Delivered Through Double Compressed Archive Remcos |
2022-02-14 ⋅ Morphisec ⋅ Hido Cohen, Arnold Osipov @techreport{cohen:20220214:journey:6c209dc,
author = {Hido Cohen and Arnold Osipov},
title = {{Journey of a Crypto Scammer - NFT-001}},
date = {2022-02-14},
institution = {Morphisec},
url = {https://blog.morphisec.com/hubfs/Journey%20of%20a%20Crypto%20Scammer%20-%20NFT-001%20%7C%20Morphisec%20%7C%20Threat%20Report.pdf},
language = {English},
urldate = {2022-02-19}
}
Journey of a Crypto Scammer - NFT-001 AsyncRAT BitRAT Remcos |
2022-02-11 ⋅ Cisco Talos ⋅ Talos @online{talos:20220211:threat:fcad762,
author = {Talos},
title = {{Threat Roundup for February 4 to February 11}},
date = {2022-02-11},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html},
language = {English},
urldate = {2022-02-14}
}
Threat Roundup for February 4 to February 11 DarkComet Ghost RAT Loki Password Stealer (PWS) Tinba Tofsee Zeus |
2022-02-11 ⋅ blog.rootshell.be ⋅ Xavier Mertens @online{mertens:20220211:sans:7273063,
author = {Xavier Mertens},
title = {{[SANS ISC] CinaRAT Delivered Through HTML ID Attributes}},
date = {2022-02-11},
organization = {blog.rootshell.be},
url = {https://blog.rootshell.be/2022/02/11/sans-isc-cinarat-delivered-through-html-id-attributes/},
language = {English},
urldate = {2022-02-14}
}
[SANS ISC] CinaRAT Delivered Through HTML ID Attributes Quasar RAT |
2022-02-08 ⋅ ASEC ⋅ ASEC @online{asec:20220208:distribution:1e72a12,
author = {ASEC},
title = {{Distribution of Kimsuky Group’s xRAT (Quasar RAT) Confirmed}},
date = {2022-02-08},
organization = {ASEC},
url = {https://asec.ahnlab.com/en/31089/},
language = {English},
urldate = {2022-02-10}
}
Distribution of Kimsuky Group’s xRAT (Quasar RAT) Confirmed GoldDragon Quasar RAT |
2022-02-08 ⋅ Intel 471 ⋅ Intel 471 @online{471:20220208:privateloader:5e226cd,
author = {Intel 471},
title = {{PrivateLoader: The first step in many malware schemes}},
date = {2022-02-08},
organization = {Intel 471},
url = {https://intel471.com/blog/privateloader-malware},
language = {English},
urldate = {2022-05-09}
}
PrivateLoader: The first step in many malware schemes Dridex Kronos LockBit Nanocore RAT NjRAT PrivateLoader Quasar RAT RedLine Stealer Remcos SmokeLoader STOP Tofsee TrickBot Vidar |
2022-02-08 ⋅ Itay Migdal @online{migdal:20220208:remcos:e52c6ec,
author = {Itay Migdal},
title = {{Remcos Analysis}},
date = {2022-02-08},
url = {https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Remcos/Remcos.md},
language = {English},
urldate = {2022-02-09}
}
Remcos Analysis Remcos |
2022-02-08 ⋅ Itay Migdal @online{migdal:20220208:revengerat:c55bec4,
author = {Itay Migdal},
title = {{RevengeRAT Analysis}},
date = {2022-02-08},
url = {https://github.com/itaymigdal/malware-analysis-writeups/blob/main/RevengeRAT/RevengeRAT.md},
language = {English},
urldate = {2022-02-09}
}
RevengeRAT Analysis Revenge RAT |
2022-02-07 ⋅ RiskIQ ⋅ RiskIQ @online{riskiq:20220207:riskiq:43b167b,
author = {RiskIQ},
title = {{RiskIQ: Malicious Infrastructure Connected to Particular Windows Host Certificates}},
date = {2022-02-07},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/ade260c6},
language = {English},
urldate = {2022-02-09}
}
RiskIQ: Malicious Infrastructure Connected to Particular Windows Host Certificates AsyncRAT BitRAT Nanocore RAT |
2022-02-03 ⋅ forensicitguy ⋅ Tony Lambert @online{lambert:20220203:njrat:88ea206,
author = {Tony Lambert},
title = {{njRAT Installed from a MSI}},
date = {2022-02-03},
organization = {forensicitguy},
url = {https://forensicitguy.github.io/njrat-installed-from-msi/},
language = {English},
urldate = {2022-02-04}
}
njRAT Installed from a MSI NjRAT |
2022-01-28 ⋅ Atomic Matryoshka ⋅ z3r0day_504 @online{z3r0day504:20220128:malware:3628b1b,
author = {z3r0day_504},
title = {{Malware Headliners: LokiBot}},
date = {2022-01-28},
organization = {Atomic Matryoshka},
url = {https://www.atomicmatryoshka.com/post/malware-headliners-lokibot},
language = {English},
urldate = {2022-02-01}
}
Malware Headliners: LokiBot Loki Password Stealer (PWS) |
2022-01-28 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU) @online{tru:20220128:remcos:b6e5f46,
author = {eSentire Threat Response Unit (TRU)},
title = {{Remcos RAT}},
date = {2022-01-28},
organization = {eSentire},
url = {https://www.esentire.com/blog/remcos-rat},
language = {English},
urldate = {2022-05-23}
}
Remcos RAT Remcos |
2022-01-13 ⋅ muha2xmad ⋅ Muhammad Hasan Ali @online{ali:20220113:unpacking:09ab5c5,
author = {Muhammad Hasan Ali},
title = {{Unpacking Remcos malware}},
date = {2022-01-13},
organization = {muha2xmad},
url = {https://muha2xmad.github.io/unpacking/remcos/},
language = {English},
urldate = {2022-01-25}
}
Unpacking Remcos malware Remcos |
2022-01-12 ⋅ Cisco ⋅ Chetan Raghuprasad, Vanja Svajcer @online{raghuprasad:20220112:nanocore:938e93c,
author = {Chetan Raghuprasad and Vanja Svajcer},
title = {{Nanocore, Netwire and AsyncRAT spreading campaign uses public cloud infrastructure}},
date = {2022-01-12},
organization = {Cisco},
url = {https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html},
language = {English},
urldate = {2022-01-18}
}
Nanocore, Netwire and AsyncRAT spreading campaign uses public cloud infrastructure AsyncRAT Nanocore RAT NetWire RC |
2022-01-12 ⋅ Cyber And Ramen blog ⋅ Mike R @online{r:20220112:analysis:2f570a4,
author = {Mike R},
title = {{Analysis of njRAT PowerPoint Macros}},
date = {2022-01-12},
organization = {Cyber And Ramen blog},
url = {https://cyberandramen.net/2022/01/12/analysis-of-njrat-powerpoint-macros/},
language = {English},
urldate = {2022-04-05}
}
Analysis of njRAT PowerPoint Macros NjRAT |
2022-01-10 ⋅ splunk ⋅ Splunk Threat Research Team @online{team:20220110:detecting:a46a6e5,
author = {Splunk Threat Research Team},
title = {{Detecting Malware Script Loaders using Remcos: Threat Research Release December 2021}},
date = {2022-01-10},
organization = {splunk},
url = {https://www.splunk.com/en_us/blog/security/detecting-malware-script-loaders-using-remcos-threat-research-release-december-2021.html},
language = {English},
urldate = {2022-01-25}
}
Detecting Malware Script Loaders using Remcos: Threat Research Release December 2021 Remcos |
2022-01-08 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20220108:trojanized:00522d1,
author = {Lawrence Abrams},
title = {{Trojanized dnSpy app drops malware cocktail on researchers, devs}},
date = {2022-01-08},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/trojanized-dnspy-app-drops-malware-cocktail-on-researchers-devs/},
language = {English},
urldate = {2022-01-18}
}
Trojanized dnSpy app drops malware cocktail on researchers, devs Quasar RAT |
2022-01-02 ⋅ Medium amgedwageh ⋅ Amged Wageh @online{wageh:20220102:automating:90d5701,
author = {Amged Wageh},
title = {{Automating The Analysis Of An AutoIT Script That Wraps A Remcos RAT}},
date = {2022-01-02},
organization = {Medium amgedwageh},
url = {https://medium.com/@amgedwageh/analysis-of-an-autoit-script-that-wraps-a-remcos-rat-6b5b66075b87},
language = {English},
urldate = {2022-01-25}
}
Automating The Analysis Of An AutoIT Script That Wraps A Remcos RAT Remcos |
2021-12-14 ⋅ Trend Micro ⋅ Nick Dai, Ted Lee, Vickie Su @online{dai:20211214:collecting:3d6dd34,
author = {Nick Dai and Ted Lee and Vickie Su},
title = {{Collecting In the Dark: Tropic Trooper Targets Transportation and Government}},
date = {2021-12-14},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html},
language = {English},
urldate = {2022-03-30}
}
Collecting In the Dark: Tropic Trooper Targets Transportation and Government ChiserClient Ghost RAT Lilith Quasar RAT xPack |
2021-12-13 ⋅ RiskIQ ⋅ Jordan Herman @online{herman:20211213:riskiq:82a7631,
author = {Jordan Herman},
title = {{RiskIQ: Connections between Nanocore, Netwire, and AsyncRAT and Vjw0rm dynamic DNS C2 infrastructure}},
date = {2021-12-13},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/24759ad2},
language = {English},
urldate = {2022-01-18}
}
RiskIQ: Connections between Nanocore, Netwire, and AsyncRAT and Vjw0rm dynamic DNS C2 infrastructure AsyncRAT Nanocore RAT NetWire RC Vjw0rm |
2021-12-02 ⋅ Cisco ⋅ Tiago Pereira @online{pereira:20211202:magnat:15dcabb,
author = {Tiago Pereira},
title = {{Magnat campaigns use malvertising to deliver information stealer, backdoor and malicious Chrome extension}},
date = {2021-12-02},
organization = {Cisco},
url = {https://blog.talosintelligence.com/2021/12/magnat-campaigns-use-malvertising-to.html},
language = {English},
urldate = {2021-12-07}
}
Magnat campaigns use malvertising to deliver information stealer, backdoor and malicious Chrome extension Azorult RedLine Stealer |
2021-11-30 ⋅ CYBER GEEKS All Things Infosec ⋅ CyberMasterV @online{cybermasterv:20211130:just:d5f53c9,
author = {CyberMasterV},
title = {{Just another analysis of the njRAT malware – A step-by-step approach}},
date = {2021-11-30},
organization = {CYBER GEEKS All Things Infosec},
url = {https://cybergeeks.tech/just-another-analysis-of-the-njrat-malware-a-step-by-step-approach/},
language = {English},
urldate = {2021-12-06}
}
Just another analysis of the njRAT malware – A step-by-step approach NjRAT |
2021-11-29 ⋅ Trend Micro ⋅ Jaromír Hořejší @online{hoej:20211129:campaign:6e23cf5,
author = {Jaromír Hořejší},
title = {{Campaign Abusing Legitimate Remote Administrator Tools Uses Fake Cryptocurrency Websites}},
date = {2021-11-29},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html},
language = {English},
urldate = {2021-12-07}
}
Campaign Abusing Legitimate Remote Administrator Tools Uses Fake Cryptocurrency Websites AsyncRAT Azorult Nanocore RAT NjRAT RedLine Stealer Remcos |
2021-11-23 ⋅ HP ⋅ Patrick Schläpfer @online{schlpfer:20211123:ratdispenser:4677686,
author = {Patrick Schläpfer},
title = {{RATDispenser: Stealthy JavaScript Loader Dispensing RATs into the Wild}},
date = {2021-11-23},
organization = {HP},
url = {https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/},
language = {English},
urldate = {2021-11-29}
}
RATDispenser: Stealthy JavaScript Loader Dispensing RATs into the Wild AdWind Ratty STRRAT CloudEyE Formbook Houdini Panda Stealer Remcos |
2021-11-23 ⋅ Morphisec ⋅ Hido Cohen, Arnold Osipov @online{cohen:20211123:babadeda:ae0d0ac,
author = {Hido Cohen and Arnold Osipov},
title = {{Babadeda Crypter targeting crypto, NFT, and DeFi communities}},
date = {2021-11-23},
organization = {Morphisec},
url = {https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities},
language = {English},
urldate = {2021-12-22}
}
Babadeda Crypter targeting crypto, NFT, and DeFi communities Babadeda BitRAT LockBit Remcos |
2021-11-17 ⋅ Infoblox ⋅ Gaetano Pellegrino @techreport{pellegrino:20211117:deep:404458b,
author = {Gaetano Pellegrino},
title = {{Deep Analysis of a Recent Lokibot Attack}},
date = {2021-11-17},
institution = {Infoblox},
url = {https://www.infoblox.com/wp-content/uploads/infoblox-whitepaper-deep-analysis-of-a-recent-lokibot-attack.pdf},
language = {English},
urldate = {2022-01-03}
}
Deep Analysis of a Recent Lokibot Attack Loki Password Stealer (PWS) |
2021-11-11 ⋅ splunk ⋅ Splunk Threat Research Team @online{team:20211111:fin7:cd0d233,
author = {Splunk Threat Research Team},
title = {{FIN7 Tools Resurface in the Field – Splinter or Copycat?}},
date = {2021-11-11},
organization = {splunk},
url = {https://www.splunk.com/en_us/blog/security/fin7-tools-resurface-in-the-field-splinter-or-copycat.html},
language = {English},
urldate = {2021-11-12}
}
FIN7 Tools Resurface in the Field – Splinter or Copycat? JSSLoader Remcos |
2021-11-11 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team @online{team:20211111:html:410a27f,
author = {Microsoft 365 Defender Threat Intelligence Team},
title = {{HTML smuggling surges: Highly evasive loader technique increasingly used in banking malware, targeted attacks}},
date = {2021-11-11},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/},
language = {English},
urldate = {2021-11-12}
}
HTML smuggling surges: Highly evasive loader technique increasingly used in banking malware, targeted attacks AsyncRAT Mekotio NjRAT |
2021-10-27 ⋅ Proofpoint ⋅ Selena Larson, Joe Wise @online{larson:20211027:new:0d80a57,
author = {Selena Larson and Joe Wise},
title = {{New Threat Actor Spoofs Philippine Government, COVID-19 Health Data in Widespread RAT Campaigns}},
date = {2021-10-27},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-spoofs-philippine-government-covid-19-health-data-widespread},
language = {English},
urldate = {2021-11-03}
}
New Threat Actor Spoofs Philippine Government, COVID-19 Health Data in Widespread RAT Campaigns Nanocore RAT Remcos |
2021-10-26 ⋅ Kaspersky ⋅ Kaspersky Lab ICS CERT @techreport{cert:20211026:attacks:6f30d0f,
author = {Kaspersky Lab ICS CERT},
title = {{APT attacks on industrial organizations in H1 2021}},
date = {2021-10-26},
institution = {Kaspersky},
url = {https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf},
language = {English},
urldate = {2021-11-08}
}
APT attacks on industrial organizations in H1 2021 8.t Dropper AllaKore AsyncRAT GoldMax LimeRAT NjRAT NoxPlayer Raindrop ReverseRAT ShadowPad Zebrocy |
2021-10-19 ⋅ Cisco Talos ⋅ Asheer Malhotra @online{malhotra:20211019:malicious:6889662,
author = {Asheer Malhotra},
title = {{Malicious campaign uses a barrage of commodity RATs to target Afghanistan and India}},
date = {2021-10-19},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html},
language = {English},
urldate = {2021-11-02}
}
Malicious campaign uses a barrage of commodity RATs to target Afghanistan and India DCRat Quasar RAT |
2021-10-15 ⋅ ESET Research ⋅ ESET Research @online{research:20211015:malicious:04da9c1,
author = {ESET Research},
title = {{Tweet on a malicious campaign targeting governmental and education entities in Colombia using multiple stages to drop AsyncRAT or njRAT Keylogger on their victims}},
date = {2021-10-15},
organization = {ESET Research},
url = {https://twitter.com/ESETresearch/status/1449132020613922828},
language = {English},
urldate = {2021-11-08}
}
Tweet on a malicious campaign targeting governmental and education entities in Colombia using multiple stages to drop AsyncRAT or njRAT Keylogger on their victims AsyncRAT NjRAT |
2021-10-06 ⋅ ESET Research ⋅ Martina López @online{lpez:20211006:to:8e09f8a,
author = {Martina López},
title = {{To the moon and hack: Fake SafeMoon app drops malware to spy on you}},
date = {2021-10-06},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2021/10/06/moon-hack-fake-safemoon-cryptocurrency-app-drops-malware-spy/},
language = {English},
urldate = {2021-10-11}
}
To the moon and hack: Fake SafeMoon app drops malware to spy on you Remcos |
2021-10-06 ⋅ zimperium ⋅ Jordan Herman @online{herman:20211006:malware:7f7f055,
author = {Jordan Herman},
title = {{Malware Distribution with Mana Tools}},
date = {2021-10-06},
organization = {zimperium},
url = {https://community.riskiq.com/article/56e28880},
language = {English},
urldate = {2021-10-11}
}
Malware Distribution with Mana Tools Agent Tesla Azorult |
2021-10 ⋅ HP ⋅ HP Wolf Security @techreport{security:202110:threat:49f8fc2,
author = {HP Wolf Security},
title = {{Threat Insights Report Q3 - 2021}},
date = {2021-10},
institution = {HP},
url = {https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf},
language = {English},
urldate = {2021-10-25}
}
Threat Insights Report Q3 - 2021 STRRAT CloudEyE NetWire RC Remcos TrickBot Vjw0rm |
2021-09-20 ⋅ Trend Micro ⋅ Aliakbar Zahravi, William Gamazo Sanchez @online{zahravi:20210920:water:63df486,
author = {Aliakbar Zahravi and William Gamazo Sanchez},
title = {{Water Basilisk Uses New HCrypt Variant to Flood Victims with RAT Payloads}},
date = {2021-09-20},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html},
language = {English},
urldate = {2021-09-22}
}
Water Basilisk Uses New HCrypt Variant to Flood Victims with RAT Payloads Ave Maria BitRAT LimeRAT Nanocore RAT NjRAT Quasar RAT |
2021-09-16 ⋅ Cisco ⋅ Tiago Pereira, Vitor Ventura @online{pereira:20210916:operation:133992d,
author = {Tiago Pereira and Vitor Ventura},
title = {{Operation Layover: How we tracked an attack on the aviation industry to five years of compromise}},
date = {2021-09-16},
organization = {Cisco},
url = {https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html},
language = {English},
urldate = {2021-09-19}
}
Operation Layover: How we tracked an attack on the aviation industry to five years of compromise AsyncRAT Houdini NjRAT |
2021-09-15 ⋅ Telsy ⋅ Telsy @online{telsy:20210915:remcos:83c0670,
author = {Telsy},
title = {{REMCOS and Agent Tesla loaded into memory with Rezer0 loader}},
date = {2021-09-15},
organization = {Telsy},
url = {https://www.telsy.com/download/4832/},
language = {English},
urldate = {2021-09-23}
}
REMCOS and Agent Tesla loaded into memory with Rezer0 loader Agent Tesla Remcos |
2021-09-13 ⋅ Trend Micro ⋅ Jaromír Hořejší, Daniel Lunghi @online{hoej:20210913:aptc36:d6456f8,
author = {Jaromír Hořejší and Daniel Lunghi},
title = {{APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs (IOCs)}},
date = {2021-09-13},
organization = {Trend Micro},
url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt},
language = {English},
urldate = {2021-09-14}
}
APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs (IOCs) AsyncRAT Ave Maria BitRAT Imminent Monitor RAT LimeRAT NjRAT Remcos |
2021-09-13 ⋅ Trend Micro ⋅ Jaromír Hořejší, Daniel Lunghi @online{hoej:20210913:aptc36:9b97238,
author = {Jaromír Hořejší and Daniel Lunghi},
title = {{APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs}},
date = {2021-09-13},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html},
language = {English},
urldate = {2021-09-14}
}
APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs AsyncRAT Ave Maria BitRAT Imminent Monitor RAT LimeRAT NjRAT Remcos |
2021-09-08 ⋅ RiskIQ ⋅ Jennifer Grob @online{grob:20210908:bulletproof:902e9f2,
author = {Jennifer Grob},
title = {{Bulletproof Hosting Services: Investigating Flowspec}},
date = {2021-09-08},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/2a36a7d2/description},
language = {English},
urldate = {2021-09-10}
}
Bulletproof Hosting Services: Investigating Flowspec Azorult Glupteba |
2021-09-06 ⋅ cocomelonc ⋅ cocomelonc @online{cocomelonc:20210906:av:215e5aa,
author = {cocomelonc},
title = {{AV engines evasion for C++ simple malware: part 2}},
date = {2021-09-06},
organization = {cocomelonc},
url = {https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html},
language = {English},
urldate = {2023-07-24}
}
AV engines evasion for C++ simple malware: part 2 Agent Tesla Amadey Anchor AnchorMTea Carbanak Carberp Cardinal RAT Felixroot Konni Loki Password Stealer (PWS) Maze |
2021-09-04 ⋅ cocomelonc ⋅ cocomelonc @online{cocomelonc:20210904:av:06b27c5,
author = {cocomelonc},
title = {{AV engines evasion for C++ simple malware: part 1}},
date = {2021-09-04},
organization = {cocomelonc},
url = {https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html},
language = {English},
urldate = {2022-11-28}
}
AV engines evasion for C++ simple malware: part 1 4h_rat Azorult BADCALL BadNews BazarBackdoor Cardinal RAT |
2021-09-03 ⋅ Trend Micro ⋅ Mohamad Mokbel @techreport{mokbel:20210903:state:df86499,
author = {Mohamad Mokbel},
title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}},
date = {2021-09-03},
institution = {Trend Micro},
url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf},
language = {English},
urldate = {2021-09-19}
}
The State of SSL/TLS Certificate Usage in Malware C&C Communications AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader |
2021-08-25 ⋅ Trend Micro ⋅ William Gamazo Sanchez, Bin Lin @online{sanchez:20210825:new:f09ef7d,
author = {William Gamazo Sanchez and Bin Lin},
title = {{New Campaign Sees LokiBot Delivered Via Multiple Methods}},
date = {2021-08-25},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/h/new-campaign-sees-lokibot-delivered-via-multiple-methods.html},
language = {English},
urldate = {2021-08-31}
}
New Campaign Sees LokiBot Delivered Via Multiple Methods Loki Password Stealer (PWS) |
2021-08-23 ⋅ YouTube ( DuMp-GuY TrIcKsTeR) ⋅ Jiří Vinopal @online{vinopal:20210823:2:0b5dba8,
author = {Jiří Vinopal},
title = {{[2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part2] - INetSim + BurpSuite}},
date = {2021-08-23},
organization = {YouTube ( DuMp-GuY TrIcKsTeR)},
url = {https://www.youtube.com/watch?v=N0wAh26wShE},
language = {English},
urldate = {2021-08-25}
}
[2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part2] - INetSim + BurpSuite CloudEyE Loki Password Stealer (PWS) |
2021-08-19 ⋅ Talos ⋅ Asheer Malhotra, Vitor Ventura, Vanja Svajcer @online{malhotra:20210819:malicious:e04d4c9,
author = {Asheer Malhotra and Vitor Ventura and Vanja Svajcer},
title = {{Malicious Campaign Targets Latin America: The seller, The operator and a curious link}},
date = {2021-08-19},
organization = {Talos},
url = {https://blog.talosintelligence.com/2021/08/rat-campaign-targets-latin-america.html},
language = {English},
urldate = {2021-08-30}
}
Malicious Campaign Targets Latin America: The seller, The operator and a curious link AsyncRAT NjRAT |
2021-08-18 ⋅ AhnLab ⋅ ASEC Analysis Team @online{team:20210818:infostealer:1a3e7df,
author = {ASEC Analysis Team},
title = {{Infostealer Malware Azorult Being Distributed Through Spam Mails}},
date = {2021-08-18},
organization = {AhnLab},
url = {https://asec.ahnlab.com/en/26517/},
language = {English},
urldate = {2022-04-15}
}
Infostealer Malware Azorult Being Distributed Through Spam Mails Azorult |
2021-08-16 ⋅ Malcat ⋅ malcat team @online{team:20210816:statically:665b400,
author = {malcat team},
title = {{Statically unpacking a simple .NET dropper}},
date = {2021-08-16},
organization = {Malcat},
url = {https://malcat.fr/blog/statically-unpacking-a-simple-net-dropper/},
language = {English},
urldate = {2022-01-05}
}
Statically unpacking a simple .NET dropper Loki Password Stealer (PWS) |
2021-08-04 ⋅ ASEC ⋅ ASEC @online{asec:20210804:sw:fd538d1,
author = {ASEC},
title = {{S/W Download Camouflage, Spreading Various Kinds of Malware}},
date = {2021-08-04},
organization = {ASEC},
url = {https://asec.ahnlab.com/ko/25837/},
language = {Korean},
urldate = {2022-03-07}
}
S/W Download Camouflage, Spreading Various Kinds of Malware Raccoon RedLine Stealer Remcos Vidar |
2021-07-30 ⋅ Menlo Security ⋅ MENLO Security @online{security:20210730:isomorph:83956a0,
author = {MENLO Security},
title = {{ISOMorph Infection: In-Depth Analysis of a New HTML Smuggling Campaign}},
date = {2021-07-30},
organization = {Menlo Security},
url = {https://www.menlosecurity.com/blog/isomorph-infection-in-depth-analysis-of-a-new-html-smuggling-campaign/},
language = {English},
urldate = {2021-08-02}
}
ISOMorph Infection: In-Depth Analysis of a New HTML Smuggling Campaign AsyncRAT NjRAT |
2021-07-27 ⋅ Blackberry ⋅ BlackBerry Research & Intelligence Team @techreport{team:20210727:old:3060d53,
author = {BlackBerry Research & Intelligence Team},
title = {{Old Dogs New Tricks: Attackers Adopt Exotic Programming Languages}},
date = {2021-07-27},
institution = {Blackberry},
url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf},
language = {English},
urldate = {2021-07-27}
}
Old Dogs New Tricks: Attackers Adopt Exotic Programming Languages elf.wellmess ElectroRAT BazarNimrod Buer Cobalt Strike Remcos Snake TeleBot WellMess Zebrocy |
2021-07-19 ⋅ Malwarebytes ⋅ Erika Noerenberg @online{noerenberg:20210719:remcos:fdf8bd6,
author = {Erika Noerenberg},
title = {{Remcos RAT delivered via Visual Basic}},
date = {2021-07-19},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-analysis/2021/07/remcos-rat-delivered-via-visual-basic/},
language = {English},
urldate = {2021-07-26}
}
Remcos RAT delivered via Visual Basic Remcos |
2021-07-12 ⋅ Cipher Tech Solutions ⋅ Melissa Frydrych, Claire Zaboeva, Dan Dash @online{frydrych:20210712:roboski:a3c66bf,
author = {Melissa Frydrych and Claire Zaboeva and Dan Dash},
title = {{RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation}},
date = {2021-07-12},
organization = {Cipher Tech Solutions},
url = {https://www.ciphertechsolutions.com/roboski-global-recovery-automation/},
language = {English},
urldate = {2021-07-20}
}
RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation 404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos |
2021-07-12 ⋅ IBM ⋅ Melissa Frydrych, Claire Zaboeva, Dan Dash @online{frydrych:20210712:roboski:1f66418,
author = {Melissa Frydrych and Claire Zaboeva and Dan Dash},
title = {{RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation}},
date = {2021-07-12},
organization = {IBM},
url = {https://securityintelligence.com/posts/roboski-global-recovery-automation/},
language = {English},
urldate = {2021-07-20}
}
RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation 404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos |
2021-07-09 ⋅ Seqrite ⋅ Chaitanya Haritash, Nihar Deshpande, Shayak Tarafdar @techreport{haritash:20210709:seqrite:8d36786,
author = {Chaitanya Haritash and Nihar Deshpande and Shayak Tarafdar},
title = {{Seqrite uncovers second wave of Operation SideCopy targeting Indian critical infrastructure PSUs}},
date = {2021-07-09},
institution = {Seqrite},
url = {https://www.seqrite.com/documents/en/white-papers/Whitepaper-OperationSideCopy.pdf},
language = {English},
urldate = {2021-07-20}
}
Seqrite uncovers second wave of Operation SideCopy targeting Indian critical infrastructure PSUs NjRAT ReverseRAT |
2021-07-07 ⋅ Talos Intelligence ⋅ Asheer Malhotra, Justin Thattil @online{malhotra:20210707:insidecopy:eca169d,
author = {Asheer Malhotra and Justin Thattil},
title = {{InSideCopy: How this APT continues to evolve its arsenal}},
date = {2021-07-07},
organization = {Talos Intelligence},
url = {https://blog.talosintelligence.com/2021/07/sidecopy.html},
language = {English},
urldate = {2021-07-08}
}
InSideCopy: How this APT continues to evolve its arsenal AllaKore NjRAT SideCopy |
2021-07-07 ⋅ YouTube ( DuMp-GuY TrIcKsTeR) ⋅ Jiří Vinopal @online{vinopal:20210707:2:85ce7e9,
author = {Jiří Vinopal},
title = {{[2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part1] - Own implementation in Python}},
date = {2021-07-07},
organization = {YouTube ( DuMp-GuY TrIcKsTeR)},
url = {https://www.youtube.com/watch?v=-FxyzuRv6Wg},
language = {English},
urldate = {2021-07-20}
}
[2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part1] - Own implementation in Python CloudEyE Loki Password Stealer (PWS) |
2021-07-07 ⋅ Talos ⋅ Asheer Malhotra, Justin Thattil @online{malhotra:20210707:insidecopy:ac5b778,
author = {Asheer Malhotra and Justin Thattil},
title = {{InSideCopy: How this APT continues to evolve its arsenal (Network IOCs)}},
date = {2021-07-07},
organization = {Talos},
url = {https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479},
language = {English},
urldate = {2021-07-09}
}
InSideCopy: How this APT continues to evolve its arsenal (Network IOCs) AllaKore Lilith NjRAT |
2021-07-07 ⋅ Talos ⋅ Asheer Malhotra, Justin Thattil @online{malhotra:20210707:insidecopy:e6b25bb,
author = {Asheer Malhotra and Justin Thattil},
title = {{InSideCopy: How this APT continues to evolve its arsenal (IOCs)}},
date = {2021-07-07},
organization = {Talos},
url = {https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/592/original/Hashes_IOCs_for_coverage.txt},
language = {English},
urldate = {2021-07-09}
}
InSideCopy: How this APT continues to evolve its arsenal (IOCs) AllaKore Lilith NjRAT |
2021-07-07 ⋅ Talos ⋅ Asheer Malhotra, Justin Thattil @techreport{malhotra:20210707:insidecopy:107d438,
author = {Asheer Malhotra and Justin Thattil},
title = {{InSideCopy: How this APT continues to evolve its arsenal}},
date = {2021-07-07},
institution = {Talos},
url = {https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf},
language = {English},
urldate = {2021-07-09}
}
InSideCopy: How this APT continues to evolve its arsenal AllaKore Lilith NjRAT |
2021-07-06 ⋅ YouTube ( DuMp-GuY TrIcKsTeR) ⋅ Jiří Vinopal @online{vinopal:20210706:1:be25f45,
author = {Jiří Vinopal},
title = {{[1] Lokibot analyzing - defeating GuLoader with Windbg (Kernel debugging) and Live C2}},
date = {2021-07-06},
organization = {YouTube ( DuMp-GuY TrIcKsTeR)},
url = {https://www.youtube.com/watch?v=K3Yxu_9OUxU},
language = {English},
urldate = {2021-07-20}
}
[1] Lokibot analyzing - defeating GuLoader with Windbg (Kernel debugging) and Live C2 CloudEyE Loki Password Stealer (PWS) |
2021-07-02 ⋅ Cisco ⋅ Asheer Malhotra, Justin Thattil @online{malhotra:20210702:insidecopy:c85188c,
author = {Asheer Malhotra and Justin Thattil},
title = {{InSideCopy: How this APT continues to evolve its arsenal}},
date = {2021-07-02},
organization = {Cisco},
url = {https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388},
language = {English},
urldate = {2022-01-25}
}
InSideCopy: How this APT continues to evolve its arsenal AllaKore CetaRAT Lilith NjRAT ReverseRAT |
2021-06-08 ⋅ ilbaroni @online{ilbaroni:20210608:lokibot:26e4005,
author = {ilbaroni},
title = {{LOKIBOT - A commodity malware}},
date = {2021-06-08},
url = {http://reversing.fun/posts/2021/06/08/lokibot.html},
language = {English},
urldate = {2022-01-05}
}
LOKIBOT - A commodity malware Loki Password Stealer (PWS) |
2021-05-27 ⋅ MinervaLabs ⋅ Tom Roter @online{roter:20210527:trapping:76b0b81,
author = {Tom Roter},
title = {{Trapping A Fat Quasar RAT}},
date = {2021-05-27},
organization = {MinervaLabs},
url = {https://blog.minerva-labs.com/trapping-quasar-rat},
language = {English},
urldate = {2021-06-01}
}
Trapping A Fat Quasar RAT Quasar RAT |
2021-05-20 ⋅ Github (microsoft) ⋅ Microsoft @online{microsoft:20210520:microsoft:41112d3,
author = {Microsoft},
title = {{Microsoft 365 Defender Hunting Queries for hunting multiple threat actors' TTPs and malwares}},
date = {2021-05-20},
organization = {Github (microsoft)},
url = {https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries},
language = {English},
urldate = {2021-05-25}
}
Microsoft 365 Defender Hunting Queries for hunting multiple threat actors' TTPs and malwares STRRAT OceanLotus BabyShark Elise Revenge RAT WastedLocker Zebrocy |
2021-05-14 ⋅ Morphisec ⋅ Arnold Osipov @online{osipov:20210514:ahk:2da8d24,
author = {Arnold Osipov},
title = {{AHK RAT Loader Used in Unique Delivery Campaigns}},
date = {2021-05-14},
organization = {Morphisec},
url = {https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns},
language = {English},
urldate = {2021-05-17}
}
AHK RAT Loader Used in Unique Delivery Campaigns AsyncRAT Houdini Revenge RAT |
2021-05-13 ⋅ Anomali ⋅ Tara Gould, Gage Mele @online{gould:20210513:threat:6115cfb,
author = {Tara Gould and Gage Mele},
title = {{Threat Actors Use MSBuild to Deliver RATs Filelessly}},
date = {2021-05-13},
organization = {Anomali},
url = {https://www.anomali.com/blog/threat-actors-use-msbuild-to-deliver-rats-filelessly},
language = {English},
urldate = {2021-05-17}
}
Threat Actors Use MSBuild to Deliver RATs Filelessly Remcos |
2021-05-07 ⋅ Morphisec ⋅ Nadav Lorber @online{lorber:20210507:revealing:add3b8a,
author = {Nadav Lorber},
title = {{Revealing the ‘Snip3’ Crypter, a Highly Evasive RAT Loader}},
date = {2021-05-07},
organization = {Morphisec},
url = {https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader},
language = {English},
urldate = {2021-05-13}
}
Revealing the ‘Snip3’ Crypter, a Highly Evasive RAT Loader Agent Tesla AsyncRAT NetWire RC Revenge RAT |
2021-05-05 ⋅ Zscaler ⋅ Aniruddha Dolas, Mohd Sadique, Manohar Ghule @online{dolas:20210505:catching:ace83fc,
author = {Aniruddha Dolas and Mohd Sadique and Manohar Ghule},
title = {{Catching RATs Over Custom Protocols Analysis of top non-HTTP/S threats}},
date = {2021-05-05},
organization = {Zscaler},
url = {https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols},
language = {English},
urldate = {2021-05-08}
}
Catching RATs Over Custom Protocols Analysis of top non-HTTP/S threats Agent Tesla AsyncRAT Crimson RAT CyberGate Ghost RAT Nanocore RAT NetWire RC NjRAT Quasar RAT Remcos |
2021-04-27 ⋅ Kaspersky ⋅ GReAT @online{great:20210427:trends:e1c92a3,
author = {GReAT},
title = {{APT trends report Q1 2021}},
date = {2021-04-27},
organization = {Kaspersky},
url = {https://securelist.com/apt-trends-report-q1-2021/101967/},
language = {English},
urldate = {2021-04-29}
}
APT trends report Q1 2021 PAS Artra Downloader BadNews Bozok DILLJUICE Kazuar Quasar RAT SodaMaster |
2021-04-21 ⋅ Facebook ⋅ Mike Dvilyanski, David Agranovich @online{dvilyanski:20210421:taking:23e0fb2,
author = {Mike Dvilyanski and David Agranovich},
title = {{Taking Action Against Hackers in Palestine}},
date = {2021-04-21},
organization = {Facebook},
url = {https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/},
language = {English},
urldate = {2021-04-28}
}
Taking Action Against Hackers in Palestine SpyNote Houdini NjRAT |
2021-04-21 ⋅ Talos ⋅ Vanja Svajcer @online{svajcer:20210421:year:4741c8e,
author = {Vanja Svajcer},
title = {{A year of Fajan evolution and Bloomberg themed campaigns}},
date = {2021-04-21},
organization = {Talos},
url = {https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html},
language = {English},
urldate = {2021-04-28}
}
A year of Fajan evolution and Bloomberg themed campaigns MASS Logger Nanocore RAT NetWire RC Revenge RAT XpertRAT |
2021-04-14 ⋅ Zscaler ⋅ Rohit Chaturvedi, Atinderpal Singh, Tarun Dewan @online{chaturvedi:20210414:look:02bf1e0,
author = {Rohit Chaturvedi and Atinderpal Singh and Tarun Dewan},
title = {{A look at HydroJiin campaign}},
date = {2021-04-14},
organization = {Zscaler},
url = {https://www.zscaler.com/blogs/security-research/look-hydrojiin-campaign},
language = {English},
urldate = {2021-04-16}
}
A look at HydroJiin campaign NetWire RC Quasar RAT |
2021-04-07 ⋅ F5 ⋅ Aditya K. Sood @techreport{sood:20210407:dissecting:43afa3d,
author = {Aditya K. Sood},
title = {{Dissecting the Design and Vulnerabilities in Azorult C&C Panels}},
date = {2021-04-07},
institution = {F5},
url = {https://www.virusbulletin.com/uploads/pdf/magazine/2021/202104-design-vulnerabilities-azorult-cc-panels.pdf},
language = {English},
urldate = {2021-04-19}
}
Dissecting the Design and Vulnerabilities in Azorult C&C Panels Azorult |
2021-04-06 ⋅ InfoSec Handlers Diary Blog ⋅ Jan Kopriva @online{kopriva:20210406:malspam:817a035,
author = {Jan Kopriva},
title = {{Malspam with Lokibot vs. Outlook and RFCs}},
date = {2021-04-06},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/27282},
language = {English},
urldate = {2021-04-06}
}
Malspam with Lokibot vs. Outlook and RFCs Loki Password Stealer (PWS) |
2021-03-22 ⋅ K7 Security ⋅ Mary Muthu Francisca @online{francisca:20210322:malspam:7d33257,
author = {Mary Muthu Francisca},
title = {{MalSpam Campaigns Download njRAT from Paste Sites}},
date = {2021-03-22},
organization = {K7 Security},
url = {https://labs.k7computing.com/?p=21904},
language = {English},
urldate = {2021-03-25}
}
MalSpam Campaigns Download njRAT from Paste Sites NjRAT |
2021-03-21 ⋅ Blackberry ⋅ Blackberry Research @techreport{research:20210321:2021:a393473,
author = {Blackberry Research},
title = {{2021 Threat Report}},
date = {2021-03-21},
institution = {Blackberry},
url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf},
language = {English},
urldate = {2021-03-25}
}
2021 Threat Report Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot |
2021-03-18 ⋅ Cybereason ⋅ Daniel Frank @online{frank:20210318:cybereason:22a301a,
author = {Daniel Frank},
title = {{Cybereason Exposes Campaign Targeting US Taxpayers with NetWire and Remcos Malware}},
date = {2021-03-18},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/cybereason-exposes-malware-targeting-us-taxpayers},
language = {English},
urldate = {2021-03-19}
}
Cybereason Exposes Campaign Targeting US Taxpayers with NetWire and Remcos Malware NetWire RC Remcos |
2021-03-16 ⋅ Morphisec ⋅ Nadav Lorber @online{lorber:20210316:tracking:2d8ef0b,
author = {Nadav Lorber},
title = {{Tracking HCrypt: An Active Crypter as a Service}},
date = {2021-03-16},
organization = {Morphisec},
url = {https://blog.morphisec.com/tracking-hcrypt-an-active-crypter-as-a-service},
language = {English},
urldate = {2021-05-13}
}
Tracking HCrypt: An Active Crypter as a Service AsyncRAT LimeRAT Remcos |
2021-03-12 ⋅ Reversing Labs ⋅ Robert Simmons @online{simmons:20210312:dotnet:0d3ffca,
author = {Robert Simmons},
title = {{DotNET Loaders}},
date = {2021-03-12},
organization = {Reversing Labs},
url = {https://blog.reversinglabs.com/blog/dotnet-loaders},
language = {English},
urldate = {2021-03-16}
}
DotNET Loaders Revenge RAT |
2021-03-11 ⋅ Trustwave ⋅ Diana Lopera @online{lopera:20210311:image:dbb9908,
author = {Diana Lopera},
title = {{Image File Trickery Part II: Fake Icon Delivers NanoCore}},
date = {2021-03-11},
organization = {Trustwave},
url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/image-file-trickery-part-ii-fake-icon-delivers-nanocore/},
language = {English},
urldate = {2021-03-16}
}
Image File Trickery Part II: Fake Icon Delivers NanoCore Nanocore RAT |
2021-02-25 ⋅ Intezer ⋅ Intezer @techreport{intezer:20210225:year:eb47cd1,
author = {Intezer},
title = {{Year of the Gopher A 2020 Go Malware Round-Up}},
date = {2021-02-25},
institution = {Intezer},
url = {https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf},
language = {English},
urldate = {2021-06-30}
}
Year of the Gopher A 2020 Go Malware Round-Up NiuB WellMail elf.wellmess ArdaMax AsyncRAT CyberGate DarkComet Glupteba Nanocore RAT Nefilim NjRAT Quasar RAT WellMess Zebrocy |
2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike @techreport{crowdstrike:20210223:2021:bf5bc4f,
author = {CrowdStrike},
title = {{2021 Global Threat Report}},
date = {2021-02-23},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf},
language = {English},
urldate = {2021-02-25}
}
2021 Global Threat Report RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER |
2021-02-18 ⋅ PTSecurity ⋅ PTSecurity @online{ptsecurity:20210218:httpswwwptsecuritycomwwenanalyticsantisandboxtechniques:d616c1f,
author = {PTSecurity},
title = {{https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/}},
date = {2021-02-18},
organization = {PTSecurity},
url = {https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/},
language = {English},
urldate = {2021-02-25}
}
https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/ Poet RAT Gravity RAT Ketrican Okrum OopsIE Remcos RogueRobinNET RokRAT SmokeLoader |
2021-02-15 ⋅ Medium s2wlab ⋅ Sojun Ryu @online{ryu:20210215:operation:b0712b0,
author = {Sojun Ryu},
title = {{Operation SyncTrek}},
date = {2021-02-15},
organization = {Medium s2wlab},
url = {https://medium.com/s2wlab/operation-synctrek-e5013df8d167},
language = {English},
urldate = {2021-09-02}
}
Operation SyncTrek AbaddonPOS Azorult Clop DoppelDridex DoppelPaymer Dridex PwndLocker |
2021-02-06 ⋅ Medium mariohenkel ⋅ Mario Henkel @online{henkel:20210206:decrypting:1013bd8,
author = {Mario Henkel},
title = {{Decrypting AzoRult traffic for fun and profit}},
date = {2021-02-06},
organization = {Medium mariohenkel},
url = {https://mariohenkel.medium.com/decrypting-azorult-traffic-for-fun-and-profit-9f28d8638b05},
language = {English},
urldate = {2021-02-06}
}
Decrypting AzoRult traffic for fun and profit Azorult |
2021-02-05 ⋅ Morphisec ⋅ Nadav Lorber @online{lorber:20210205:cinarat:772720f,
author = {Nadav Lorber},
title = {{CinaRAT Resurfaces with New Evasive Tactics and Techniques}},
date = {2021-02-05},
organization = {Morphisec},
url = {https://blog.morphisec.com/cinarat-resurfaces-with-new-evasive-tactics-and-techniques},
language = {English},
urldate = {2021-02-09}
}
CinaRAT Resurfaces with New Evasive Tactics and Techniques Quasar RAT |
2021-02-03 ⋅ Medium s2wlab ⋅ Hyunmin Suh, Minjei Cho @online{suh:20210203:w1:45a76f4,
author = {Hyunmin Suh and Minjei Cho},
title = {{W1 Feb| EN | Story of the week: Stealers on the Darkweb}},
date = {2021-02-03},
organization = {Medium s2wlab},
url = {https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d},
language = {English},
urldate = {2021-02-04}
}
W1 Feb| EN | Story of the week: Stealers on the Darkweb Azorult Raccoon Vidar |
2021-01-28 ⋅ Youtube (Virus Bulletin) ⋅ Benoît Ancel @online{ancel:20210128:bagsu:7de60de,
author = {Benoît Ancel},
title = {{The Bagsu banker case}},
date = {2021-01-28},
organization = {Youtube (Virus Bulletin)},
url = {https://www.youtube.com/watch?v=EyDiIAt__dI},
language = {English},
urldate = {2021-02-01}
}
The Bagsu banker case Azorult DreamBot Emotet Pony TrickBot ZeusAction |
2021-01-13 ⋅ Bitdefender ⋅ Janos Gergo Szeles @techreport{szeles:20210113:remcos:5ffdb28,
author = {Janos Gergo Szeles},
title = {{Remcos RAT Revisited: A Colombian Coronavirus-Themed Campaign}},
date = {2021-01-13},
institution = {Bitdefender},
url = {https://www.bitdefender.com/files/News/CaseStudies/study/390/Bitdefender-PR-Whitepaper-Remcos-creat5080-en-EN-GenericUse.pdf},
language = {English},
urldate = {2021-01-18}
}
Remcos RAT Revisited: A Colombian Coronavirus-Themed Campaign Remcos |
2021-01-11 ⋅ ESET Research ⋅ Matías Porolli @online{porolli:20210111:operation:409662d,
author = {Matías Porolli},
title = {{Operation Spalax: Targeted malware attacks in Colombia}},
date = {2021-01-11},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/},
language = {English},
urldate = {2021-01-18}
}
Operation Spalax: Targeted malware attacks in Colombia Agent Tesla AsyncRAT NjRAT Remcos |
2021-01-09 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli @online{ramilli:20210109:command:d720b27,
author = {Marco Ramilli},
title = {{Command and Control Traffic Patterns}},
date = {2021-01-09},
organization = {Marco Ramilli's Blog},
url = {https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/},
language = {English},
urldate = {2021-05-17}
}
Command and Control Traffic Patterns ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot |
2021-01-06 ⋅ Talos ⋅ Irshad Muhammad, Holger Unterbrink @online{muhammad:20210106:deep:8fa3a1f,
author = {Irshad Muhammad and Holger Unterbrink},
title = {{A Deep Dive into Lokibot Infection Chain}},
date = {2021-01-06},
organization = {Talos},
url = {https://blog.talosintelligence.com/2021/01/a-deep-dive-into-lokibot-infection-chain.html},
language = {English},
urldate = {2021-01-10}
}
A Deep Dive into Lokibot Infection Chain Loki Password Stealer (PWS) |
2021-01-05 ⋅ Sangfor ⋅ Clairvoyance Safety Laboratory @online{laboratory:20210105:attack:828ee7a,
author = {Clairvoyance Safety Laboratory},
title = {{Attack from Mustang Panda? My rabbit is back!}},
date = {2021-01-05},
organization = {Sangfor},
url = {https://www.4hou.com/posts/VoPM},
language = {Japanese},
urldate = {2021-01-10}
}
Attack from Mustang Panda? My rabbit is back! NjRAT |
2020-12-29 ⋅ Uptycs ⋅ Abhijit Mohanta @online{mohanta:20201229:revenge:7c79587,
author = {Abhijit Mohanta},
title = {{Revenge RAT targeting users in South America}},
date = {2020-12-29},
organization = {Uptycs},
url = {https://www.uptycs.com/blog/revenge-rat-targeting-users-in-south-america},
language = {English},
urldate = {2021-01-25}
}
Revenge RAT targeting users in South America Revenge RAT |
2020-12-28 ⋅ Antiy CERT ⋅ Antiy CERT @online{cert:20201228:civerids:b40d172,
author = {Antiy CERT},
title = {{"Civerids" organization vs. Middle East area attack activity analysis report}},
date = {2020-12-28},
organization = {Antiy CERT},
url = {https://www.antiy.cn/research/notice&report/research_report/20201228.html},
language = {Chinese},
urldate = {2021-01-04}
}
"Civerids" organization vs. Middle East area attack activity analysis report Quasar RAT |
2020-12-24 ⋅ IronNet ⋅ Adam Hlavek @online{hlavek:20201224:china:723bed3,
author = {Adam Hlavek},
title = {{China cyber attacks: the current threat landscape}},
date = {2020-12-24},
organization = {IronNet},
url = {https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape},
language = {English},
urldate = {2021-01-01}
}
China cyber attacks: the current threat landscape PLEAD TSCookie FlowCloud Lookback PLEAD PlugX Quasar RAT Winnti |
2020-12-21 ⋅ Cisco Talos ⋅ JON MUNSHAW @online{munshaw:20201221:2020:4a88f84,
author = {JON MUNSHAW},
title = {{2020: The year in malware}},
date = {2020-12-21},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html},
language = {English},
urldate = {2020-12-26}
}
2020: The year in malware WolfRAT Prometei Poet RAT Agent Tesla Astaroth Ave Maria CRAT Emotet Gozi IndigoDrop JhoneRAT Nanocore RAT NjRAT Oblique RAT SmokeLoader StrongPity WastedLocker Zloader |
2020-12-14 ⋅ Blueliv ⋅ Alberto Marín, Carlos Rubio, Blueliv Labs Team @online{marn:20201214:using:e81621e,
author = {Alberto Marín and Carlos Rubio and Blueliv Labs Team},
title = {{Using Qiling Framework to Unpack TA505 packed samples}},
date = {2020-12-14},
organization = {Blueliv},
url = {https://outpost24.com/blog/using-qiling-framework-to-unpack-ta505-packed-samples/},
language = {English},
urldate = {2023-08-03}
}
Using Qiling Framework to Unpack TA505 packed samples AndroMut Azorult Silence TinyMet |
2020-12-10 ⋅ Intel 471 ⋅ Intel 471 @online{471:20201210:no:9fd2ae1,
author = {Intel 471},
title = {{No pandas, just people: The current state of China’s cybercrime underground}},
date = {2020-12-10},
organization = {Intel 471},
url = {https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/},
language = {English},
urldate = {2020-12-10}
}
No pandas, just people: The current state of China’s cybercrime underground Anubis SpyNote AsyncRAT Cobalt Strike Ghost RAT NjRAT |
2020-12-10 ⋅ JPCERT/CC ⋅ Kota Kino @online{kino:20201210:attack:cd8c552,
author = {Kota Kino},
title = {{Attack Activities by Quasar Family}},
date = {2020-12-10},
organization = {JPCERT/CC},
url = {https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html},
language = {English},
urldate = {2020-12-10}
}
Attack Activities by Quasar Family AsyncRAT Quasar RAT Venom RAT XPCTRA |
2020-12-10 ⋅ US-CERT ⋅ US-CERT, FBI, MS-ISAC @online{uscert:20201210:alert:a5ec77e,
author = {US-CERT and FBI and MS-ISAC},
title = {{Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data}},
date = {2020-12-10},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/alerts/aa20-345a},
language = {English},
urldate = {2020-12-11}
}
Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim REvil Ryuk Zeus |
2020-12-09 ⋅ Palo Alto Networks Unit 42 ⋅ Yanhui Jia, Chris Navarrete, Haozhe Zhang @online{jia:20201209:njrat:f7f3b49,
author = {Yanhui Jia and Chris Navarrete and Haozhe Zhang},
title = {{njRAT Spreading Through Active Pastebin Command and Control Tunnel}},
date = {2020-12-09},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/njrat-pastebin-command-and-control},
language = {English},
urldate = {2020-12-11}
}
njRAT Spreading Through Active Pastebin Command and Control Tunnel NjRAT |
2020-12-09 ⋅ Cybereason ⋅ Cybereason Nocturnus Team @techreport{team:20201209:molerats:a13c569,
author = {Cybereason Nocturnus Team},
title = {{MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign}},
date = {2020-12-09},
institution = {Cybereason},
url = {https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf},
language = {English},
urldate = {2022-02-09}
}
MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign DropBook JhoneRAT Molerat Loader Pierogi Quasar RAT SharpStage Spark |
2020-12-09 ⋅ Cybereason ⋅ Cybereason Nocturnus @online{nocturnus:20201209:new:ef00418,
author = {Cybereason Nocturnus},
title = {{New Malware Arsenal Abusing Cloud Platforms in Middle East Espionage Campaign}},
date = {2020-12-09},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign},
language = {English},
urldate = {2020-12-10}
}
New Malware Arsenal Abusing Cloud Platforms in Middle East Espionage Campaign DropBook MoleNet Quasar RAT SharpStage Spark |
2020-12-07 ⋅ Proofpoint ⋅ Proofpoint Threat Research Team @online{team:20201207:commodity:027b864,
author = {Proofpoint Threat Research Team},
title = {{Commodity .NET Packers use Embedded Images to Hide Payloads}},
date = {2020-12-07},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads},
language = {English},
urldate = {2020-12-10}
}
Commodity .NET Packers use Embedded Images to Hide Payloads Agent Tesla Loki Password Stealer (PWS) Remcos |
2020-12-02 ⋅ DomainTools ⋅ Joe Slowik @online{slowik:20201202:identifying:8ac64c3,
author = {Joe Slowik},
title = {{Identifying Network Infrastructure Related to a World Health Organization Spoofing Campaign}},
date = {2020-12-02},
organization = {DomainTools},
url = {https://www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign},
language = {English},
urldate = {2020-12-08}
}
Identifying Network Infrastructure Related to a World Health Organization Spoofing Campaign Azorult Glupteba |
2020-12-01 ⋅ sonatype ⋅ Ax Sharma @online{sharma:20201201:theres:9e5f87e,
author = {Ax Sharma},
title = {{There’s a RAT in my code: new npm malware with Bladabindi trojan spotted}},
date = {2020-12-01},
organization = {sonatype},
url = {https://blog.sonatype.com/bladabindi-njrat-rat-in-jdb.js-npm-malware},
language = {English},
urldate = {2020-12-08}
}
There’s a RAT in my code: new npm malware with Bladabindi trojan spotted NjRAT |
2020-11-19 ⋅ Threatpost ⋅ Elizabeth Montalbano @online{montalbano:20201119:exploits:f40feb2,
author = {Elizabeth Montalbano},
title = {{APT Exploits Microsoft Zerologon Bug: Targets Japanese Companies}},
date = {2020-11-19},
organization = {Threatpost},
url = {https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/},
language = {English},
urldate = {2020-11-23}
}
APT Exploits Microsoft Zerologon Bug: Targets Japanese Companies Quasar RAT Ryuk |
2020-11-18 ⋅ G Data ⋅ G-Data @online{gdata:20201118:business:f4eda3a,
author = {G-Data},
title = {{Business as usual: Criminal Activities in Times of a Global Pandemic}},
date = {2020-11-18},
organization = {G Data},
url = {https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire},
language = {English},
urldate = {2020-11-23}
}
Business as usual: Criminal Activities in Times of a Global Pandemic Agent Tesla Nanocore RAT NetWire RC Remcos |
2020-11-18 ⋅ VMRay ⋅ VMRay Labs Team, Pascal Brackmann, Mateusz Lukaszewski @online{team:20201118:malware:2c9a122,
author = {VMRay Labs Team and Pascal Brackmann and Mateusz Lukaszewski},
title = {{Malware Analysis Spotlight: AZORult Delivered by GuLoader}},
date = {2020-11-18},
organization = {VMRay},
url = {https://www.vmray.com/cyber-security-blog/azorult-delivered-by-guloader-malware-analysis-spotlight/},
language = {English},
urldate = {2022-02-14}
}
Malware Analysis Spotlight: AZORult Delivered by GuLoader Azorult CloudEyE |
2020-11-17 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20201117:japanlinked:42c6320,
author = {Threat Hunter Team},
title = {{Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign}},
date = {2020-11-17},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage},
language = {English},
urldate = {2020-11-19}
}
Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign Quasar RAT |
2020-11-09 ⋅ Bleeping Computer ⋅ Ionut Ilascu @online{ilascu:20201109:fake:c6dd7b3,
author = {Ionut Ilascu},
title = {{Fake Microsoft Teams updates lead to Cobalt Strike deployment}},
date = {2020-11-09},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/},
language = {English},
urldate = {2020-11-11}
}
Fake Microsoft Teams updates lead to Cobalt Strike deployment Cobalt Strike DoppelPaymer NjRAT Predator The Thief Zloader |
2020-10-26 ⋅ 360 Core Security ⋅ 360 @online{360:20201026:aptc44:a336bf6,
author = {360},
title = {{北非狐(APT-C-44)攻击活动揭露}},
date = {2020-10-26},
organization = {360 Core Security},
url = {https://blogs.360.cn/post/APT-C-44.html},
language = {Chinese},
urldate = {2020-11-09}
}
Exposing the Attack Activities of North African Fox (APT-C-44) Xtreme RAT Houdini NjRAT Revenge RAT |
2020-10-01 ⋅ SpiderLabs Blog ⋅ Diana Lopera @online{lopera:20201001:evasive:c15da47,
author = {Diana Lopera},
title = {{Evasive URLs in Spam: Part 2}},
date = {2020-10-01},
organization = {SpiderLabs Blog},
url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/evasive-urls-in-spam-part-2/},
language = {English},
urldate = {2020-10-12}
}
Evasive URLs in Spam: Part 2 Loki Password Stealer (PWS) |
2020-09-29 ⋅ Zscaler ⋅ Sudeep Singh, Sahil Antil @online{singh:20200929:targeted:136d828,
author = {Sudeep Singh and Sahil Antil},
title = {{Targeted Attacks on Oil and Gas Supply Chain Industries in the Middle East}},
date = {2020-09-29},
organization = {Zscaler},
url = {https://www.zscaler.com/blogs/security-research/targeted-attacks-oil-and-gas-supply-chain-industries-middle-east},
language = {English},
urldate = {2020-10-04}
}
Targeted Attacks on Oil and Gas Supply Chain Industries in the Middle East Azorult |
2020-09-21 ⋅ Trend Micro ⋅ Raphael Centeno @online{centeno:20200921:cybercriminals:0dbaa08,
author = {Raphael Centeno},
title = {{Cybercriminals Distribute Backdoor With VPN Installer}},
date = {2020-09-21},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/20/i/wind-up-windscribe-vpn-bundled-with-backdoor.html},
language = {English},
urldate = {2020-09-23}
}
Cybercriminals Distribute Backdoor With VPN Installer NjRAT |
2020-09-18 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20200918:elfin:dff6499,
author = {Threat Hunter Team},
title = {{Elfin: Latest U.S. Indictments Appear to Target Iranian Espionage Group}},
date = {2020-09-18},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/elfin-indictments-iran-espionage},
language = {English},
urldate = {2020-09-23}
}
Elfin: Latest U.S. Indictments Appear to Target Iranian Espionage Group Nanocore RAT |
2020-09-17 ⋅ FBI ⋅ FBI @techreport{fbi:20200917:fbi:9893ba0,
author = {FBI},
title = {{FBI PIN Number 20200917-001: IRGC-Associated Cyber Operations Against US Company Networks}},
date = {2020-09-17},
institution = {FBI},
url = {https://www.ic3.gov/media/news/2020/200917-1.pdf},
language = {English},
urldate = {2020-09-23}
}
FBI PIN Number 20200917-001: IRGC-Associated Cyber Operations Against US Company Networks MimiKatz Nanocore RAT |
2020-09-10 ⋅ Medium mariohenkel ⋅ Mario Henkel @online{henkel:20200910:decrypting:2bcb10d,
author = {Mario Henkel},
title = {{Decrypting NanoCore config and dump all plugins}},
date = {2020-09-10},
organization = {Medium mariohenkel},
url = {https://medium.com/@mariohenkel/decrypting-nanocore-config-and-dump-all-plugins-f4944bfaba52},
language = {English},
urldate = {2020-09-10}
}
Decrypting NanoCore config and dump all plugins Nanocore RAT |
2020-09-02 ⋅ Palo Alto Networks Unit 42 ⋅ Zhanhao Chen, Janos Szurdi @online{chen:20200902:cybersquatting:b5f5a8f,
author = {Zhanhao Chen and Janos Szurdi},
title = {{Cybersquatting: Attackers Mimicking Domains of Major Brands Including Facebook, Apple, Amazon and Netflix to Scam Consumers}},
date = {2020-09-02},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/cybersquatting/},
language = {English},
urldate = {2021-07-02}
}
Cybersquatting: Attackers Mimicking Domains of Major Brands Including Facebook, Apple, Amazon and Netflix to Scam Consumers Azorult |
2020-09-01 ⋅ nviso ⋅ Didier Stevens, Maxime Thiebaut, Dries Boone, Bart Parys, Michel Coene @online{stevens:20200901:epic:038897f,
author = {Didier Stevens and Maxime Thiebaut and Dries Boone and Bart Parys and Michel Coene},
title = {{Epic Manchego – atypical maldoc delivery brings flurry of infostealers}},
date = {2020-09-01},
organization = {nviso},
url = {https://blog.nviso.eu/2020/09/01/epic-manchego-atypical-maldoc-delivery-brings-flurry-of-infostealers/},
language = {English},
urldate = {2020-09-01}
}
Epic Manchego – atypical maldoc delivery brings flurry of infostealers Azorult NjRAT |
2020-08-26 ⋅ Proofpoint ⋅ Proofpoint Threat Research Team @online{team:20200826:threat:e6d1646,
author = {Proofpoint Threat Research Team},
title = {{Threat Actor Profile: TA2719 Uses Colorful Lures to Deliver RATs in Local Languages}},
date = {2020-08-26},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages},
language = {English},
urldate = {2020-09-01}
}
Threat Actor Profile: TA2719 Uses Colorful Lures to Deliver RATs in Local Languages AsyncRAT Nanocore RAT |
2020-08-26 ⋅ Lab52 ⋅ Jagaimo Kawaii @online{kawaii:20200826:twisted:b91cfb5,
author = {Jagaimo Kawaii},
title = {{A twisted malware infection chain}},
date = {2020-08-26},
organization = {Lab52},
url = {https://lab52.io/blog/a-twisted-malware-infection-chain/},
language = {English},
urldate = {2020-08-31}
}
A twisted malware infection chain Agent Tesla Loki Password Stealer (PWS) |
2020-08-19 ⋅ AhnLab ⋅ AhnLab ASEC 분석팀 @online{:20200819:njrat:a8e3234,
author = {AhnLab ASEC 분석팀},
title = {{국내 유명 웹하드를 통해 유포되는 njRAT 악성코드}},
date = {2020-08-19},
organization = {AhnLab},
url = {https://asec.ahnlab.com/1369},
language = {Korean},
urldate = {2020-08-25}
}
njRAT Malware Distributed Through a Well-Known Korean Web-Hard (File-Sharing) Service NjRAT |
2020-07-30 ⋅ Spamhaus ⋅ Spamhaus Malware Labs @techreport{labs:20200730:spamhaus:038546d,
author = {Spamhaus Malware Labs},
title = {{Spamhaus Botnet Threat Update Q2 2020}},
date = {2020-07-30},
institution = {Spamhaus},
url = {https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf},
language = {English},
urldate = {2020-07-30}
}
Spamhaus Botnet Threat Update Q2 2020 AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader |
2020-07-29 ⋅ ESET Research ⋅ welivesecurity @techreport{welivesecurity:20200729:threat:496355c,
author = {welivesecurity},
title = {{THREAT REPORT Q2 2020}},
date = {2020-07-29},
institution = {ESET Research},
url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf},
language = {English},
urldate = {2020-07-30}
}
THREAT REPORT Q2 2020 DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor |
2020-07-13 ⋅ Github (1d8) ⋅ 1d8 @online{1d8:20200713:remcos:531702d,
author = {1d8},
title = {{Remcos RAT Macro Dropper Doc}},
date = {2020-07-13},
organization = {Github (1d8)},
url = {https://github.com/1d8/analyses/blob/master/RemcosDocDropper.MD},
language = {English},
urldate = {2020-07-16}
}
Remcos RAT Macro Dropper Doc Remcos |
2020-06-22 ⋅ Anurag @online{anurag:20200622:njrat:381c066,
author = {Anurag},
title = {{njRat Malware Analysis}},
date = {2020-06-22},
url = {https://malwr-analysis.com/2020/06/21/njrat-malware-analysis/},
language = {English},
urldate = {2020-06-22}
}
njRat Malware Analysis NjRAT |
2020-06-22 ⋅ MalwareLab.pl ⋅ Maciej Kotowicz @online{kotowicz:20200622:venomrat:129ba02,
author = {Maciej Kotowicz},
title = {{VenomRAT - new, hackforums grade, reincarnation of QuassarRAT}},
date = {2020-06-22},
organization = {MalwareLab.pl},
url = {https://blog.malwarelab.pl/posts/venom/},
language = {English},
urldate = {2020-06-25}
}
VenomRAT - new, hackforums grade, reincarnation of QuassarRAT Quasar RAT Venom RAT |
2020-06-11 ⋅ Talos Intelligence ⋅ Kendall McKay, Joe Marshall @online{mckay:20200611:tor2mine:ee5dda6,
author = {Kendall McKay and Joe Marshall},
title = {{Tor2Mine is up to their old tricks — and adds a few new ones}},
date = {2020-06-11},
organization = {Talos Intelligence},
url = {https://blog.talosintelligence.com/2020/06/tor2mine-is-up-to-their-old-tricks-and_11.html},
language = {English},
urldate = {2020-06-12}
}
Tor2Mine is up to their old tricks — and adds a few new ones Azorult Remcos |
2020-06-07 ⋅ Zero2Automated Blog ⋅ 0verfl0w_ @online{0verfl0w:20200607:dealing:b50665d,
author = {0verfl0w_},
title = {{Dealing with Obfuscated Macros, Statically - NanoCore}},
date = {2020-06-07},
organization = {Zero2Automated Blog},
url = {https://zero2auto.com/2020/06/07/dealing-with-obfuscated-macros/},
language = {English},
urldate = {2020-06-11}
}
Dealing with Obfuscated Macros, Statically - NanoCore Nanocore RAT |
2020-05-29 ⋅ Zscaler ⋅ Sudeep Singh @online{singh:20200529:shellreset:e80d2c8,
author = {Sudeep Singh},
title = {{ShellReset RAT Spread Through Macro-Based Documents Using AppLocker Bypass}},
date = {2020-05-29},
organization = {Zscaler},
url = {https://www.zscaler.com/blogs/research/shellreset-rat-spread-through-macro-based-documents-using-applocker-bypass},
language = {English},
urldate = {2020-06-05}
}
ShellReset RAT Spread Through Macro-Based Documents Using AppLocker Bypass Quasar RAT |
2020-05-26 ⋅ CrowdStrike ⋅ Guillermo Taibo @online{taibo:20200526:weaponized:0bca503,
author = {Guillermo Taibo},
title = {{Weaponized Disk Image Files: Analysis, Trends and Remediation}},
date = {2020-05-26},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/weaponizing-disk-image-files-analysis/},
language = {English},
urldate = {2020-06-05}
}
Weaponized Disk Image Files: Analysis, Trends and Remediation Nanocore RAT |
2020-05-21 ⋅ Malwarebytes ⋅ Malwarebytes Labs @techreport{labs:20200521:cybercrime:d38d2da,
author = {Malwarebytes Labs},
title = {{Cybercrime tactics and techniques}},
date = {2020-05-21},
institution = {Malwarebytes},
url = {https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf},
language = {English},
urldate = {2020-06-03}
}
Cybercrime tactics and techniques Ave Maria Azorult DanaBot Loki Password Stealer (PWS) NetWire RC |
2020-05-20 ⋅ Zscaler ⋅ Rohit Chaturvedi, Amandeep Kumar @online{chaturvedi:20200520:latest:ca8dd12,
author = {Rohit Chaturvedi and Amandeep Kumar},
title = {{Latest Version of Amadey Introduces Screen Capturing and Pushes the Remcos RAT}},
date = {2020-05-20},
organization = {Zscaler},
url = {https://www.zscaler.com/blogs/security-research/latest-version-amadey-introduces-screen-capturing-and-pushes-remcos-rat},
language = {English},
urldate = {2023-10-16}
}
Latest Version of Amadey Introduces Screen Capturing and Pushes the Remcos RAT Amadey Remcos |
2020-05-14 ⋅ SophosLabs ⋅ Markel Picado @online{picado:20200514:raticate:6334722,
author = {Markel Picado},
title = {{RATicate: an attacker’s waves of information-stealing malware}},
date = {2020-05-14},
organization = {SophosLabs},
url = {https://news.sophos.com/en-us/2020/05/14/raticate/},
language = {English},
urldate = {2020-05-18}
}
RATicate: an attacker’s waves of information-stealing malware Agent Tesla BetaBot BlackRemote Formbook Loki Password Stealer (PWS) NetWire RC NjRAT Remcos |
2020-05-14 ⋅ Lab52 ⋅ Dex @online{dex:20200514:energy:43e92b4,
author = {Dex},
title = {{The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey}},
date = {2020-05-14},
organization = {Lab52},
url = {https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/},
language = {English},
urldate = {2020-06-10}
}
The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey Cobalt Strike HTran MimiKatz PlugX Quasar RAT |
2020-05-14 ⋅ 360 Total Security ⋅ kate @online{kate:20200514:vendetta:06e3cde,
author = {kate},
title = {{Vendetta - new threat actor from Europe}},
date = {2020-05-14},
organization = {360 Total Security},
url = {https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/},
language = {English},
urldate = {2020-05-18}
}
Vendetta - new threat actor from Europe Nanocore RAT Remcos |
2020-04-29 ⋅ FR3D.HK ⋅ Fred HK @online{hk:20200429:gazorp:3aef446,
author = {Fred HK},
title = {{Gazorp - Thieving from thieves}},
date = {2020-04-29},
organization = {FR3D.HK},
url = {https://fr3d.hk/blog/gazorp-thieving-from-thieves},
language = {English},
urldate = {2020-05-06}
}
Gazorp - Thieving from thieves Azorult |
2020-04-28 ⋅ Trend Micro ⋅ Miguel Ang @online{ang:20200428:loki:169b27e,
author = {Miguel Ang},
title = {{Loki Info Stealer Propagates through LZH Files}},
date = {2020-04-28},
organization = {Trend Micro},
url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/loki-info-stealer-propagates-through-lzh-files},
language = {English},
urldate = {2020-08-14}
}
Loki Info Stealer Propagates through LZH Files Loki Password Stealer (PWS) |
2020-04-27 ⋅ 0x00sec ⋅ Dan Lisichkin @online{lisichkin:20200427:master:1cfb192,
author = {Dan Lisichkin},
title = {{Master of RATs - How to create your own Tracker}},
date = {2020-04-27},
organization = {0x00sec},
url = {https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848},
language = {English},
urldate = {2020-04-28}
}
Master of RATs - How to create your own Tracker Quasar RAT |
2020-04-15 ⋅ Zscaler ⋅ Sudeep Singh @online{singh:20200415:multistage:c0330fa,
author = {Sudeep Singh},
title = {{Multistage FreeDom loader used in Aggah Campaign to spread Nanocore and AZORult}},
date = {2020-04-15},
organization = {Zscaler},
url = {https://www.zscaler.com/blogs/research/multistage-freedom-loader-used-spread-azorult-and-nanocore-rat},
language = {English},
urldate = {2020-06-08}
}
Multistage FreeDom loader used in Aggah Campaign to spread Nanocore and AZORult Azorult Nanocore RAT |
2020-04-13 ⋅ Blackberry ⋅ Tatsuya Hasegawa, Masaki Kasuya @online{hasegawa:20200413:threat:57b739e,
author = {Tatsuya Hasegawa and Masaki Kasuya},
title = {{Threat Spotlight: Gootkit Banking Trojan}},
date = {2020-04-13},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2020/04/threat-spotlight-gootkit-banking-trojan},
language = {English},
urldate = {2020-11-23}
}
Threat Spotlight: Gootkit Banking Trojan Azorult GootKit |
2020-04-04 ⋅ MalwareInDepth ⋅ Myrtus 0x0 @online{0x0:20200404:nanocore:6649008,
author = {Myrtus 0x0},
title = {{Nanocore & CypherIT}},
date = {2020-04-04},
organization = {MalwareInDepth},
url = {https://malwareindepth.com/defeating-nanocore-and-cypherit/},
language = {English},
urldate = {2020-04-07}
}
Nanocore & CypherIT Nanocore RAT |
2020-04-02 ⋅ Cisco Talos ⋅ Vanja Svajcer @online{svajcer:20200402:azorult:97b15f2,
author = {Vanja Svajcer},
title = {{AZORult brings friends to the party}},
date = {2020-04-02},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html},
language = {English},
urldate = {2020-04-07}
}
AZORult brings friends to the party Azorult Remcos |
2020-04-01 ⋅ Cisco ⋅ Shyam Sundar Ramaswami, Andrea Kaiser @online{ramaswami:20200401:navigating:965952a,
author = {Shyam Sundar Ramaswami and Andrea Kaiser},
title = {{Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors}},
date = {2020-04-01},
organization = {Cisco},
url = {https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors},
language = {English},
urldate = {2020-08-19}
}
Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors Azorult CloudEyE Formbook KPOT Stealer Metamorfo Nanocore RAT NetWire RC TrickBot |
2020-03-31 ⋅ Click All the Things! Blog ⋅ Jamie @online{jamie:20200331:lokibot:f927742,
author = {Jamie},
title = {{LokiBot: Getting Equation Editor Shellcode}},
date = {2020-03-31},
organization = {Click All the Things! Blog},
url = {https://clickallthethings.wordpress.com/2020/03/31/lokibot-getting-equation-editor-shellcode/},
language = {English},
urldate = {2020-04-07}
}
LokiBot: Getting Equation Editor Shellcode Loki Password Stealer (PWS) |
2020-03-26 ⋅ Max Kersten's Blog ⋅ Max Kersten @online{kersten:20200326:azorult:5d5ee1f,
author = {Max Kersten},
title = {{Azorult loader stages}},
date = {2020-03-26},
organization = {Max Kersten's Blog},
url = {https://maxkersten.nl/binary-analysis-course/malware-analysis/azorult-loader-stages/},
language = {English},
urldate = {2020-03-26}
}
Azorult loader stages Azorult |
2020-03-26 ⋅ Telekom ⋅ Thomas Barabosch @online{barabosch:20200326:ta505s:24d9805,
author = {Thomas Barabosch},
title = {{TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer}},
date = {2020-03-26},
organization = {Telekom},
url = {https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672},
language = {English},
urldate = {2020-03-27}
}
TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer Amadey Azorult Clop FlawedGrace Get2 SDBbot Silence TinyMet TA505 |
2020-03-20 ⋅ Bitdefender ⋅ Liviu Arsene @online{arsene:20200320:5:46813c6,
author = {Liviu Arsene},
title = {{5 Times More Coronavirus-themed Malware Reports during March}},
date = {2020-03-20},
organization = {Bitdefender},
url = {https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter},
language = {English},
urldate = {2020-03-26}
}
5 Times More Coronavirus-themed Malware Reports during March ostap HawkEye Keylogger Koadic Loki Password Stealer (PWS) Nanocore RAT Remcos |
2020-03-18 ⋅ Proofpoint ⋅ Axel F, Sam Scholten @online{f:20200318:coronavirus:8fe12a3,
author = {Axel F and Sam Scholten},
title = {{Coronavirus Threat Landscape Update}},
date = {2020-03-18},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update},
language = {English},
urldate = {2020-03-26}
}
Coronavirus Threat Landscape Update Agent Tesla Get2 ISFB Remcos |
2020-02-26 ⋅ KELA ⋅ Leon Kurolapnik, Raveed Laeb @online{kurolapnik:20200226:whats:930c58d,
author = {Leon Kurolapnik and Raveed Laeb},
title = {{What’s Dead May Never Die: AZORult Infostealer Decommissioned Again}},
date = {2020-02-26},
organization = {KELA},
url = {https://ke-la.com/whats-dead-may-never-die-azorult-infostealer-decommissioned-again/},
language = {English},
urldate = {2021-05-07}
}
What’s Dead May Never Die: AZORult Infostealer Decommissioned Again Azorult |
2020-02-21 ⋅ KELA ⋅ Raveed Laeb @online{laeb:20200221:exploring:179689d,
author = {Raveed Laeb},
title = {{Exploring the Genesis Supply Chain for Fun and Profit: Part 1 – Misadventures in GUIDology}},
date = {2020-02-21},
organization = {KELA},
url = {https://ke-la.com/exploring-the-genesis-supply-chain-for-fun-and-profit/},
language = {English},
urldate = {2020-02-26}
}
Exploring the Genesis Supply Chain for Fun and Profit: Part 1 – Misadventures in GUIDology Azorult |
2020-02-21 ⋅ ADEO DFIR ⋅ ADEO DFIR @techreport{dfir:20200221:apt10:e9c3328,
author = {ADEO DFIR},
title = {{APT10 Threat Analysis Report}},
date = {2020-02-21},
institution = {ADEO DFIR},
url = {https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf},
language = {English},
urldate = {2020-03-03}
}
APT10 Threat Analysis Report CHINACHOPPER HTran MimiKatz PlugX Quasar RAT |
2020-02-19 ⋅ Team Cymru ⋅ Team Cymru @online{cymru:20200219:azorult:de72301,
author = {Team Cymru},
title = {{Azorult – what we see using our own tools}},
date = {2020-02-19},
organization = {Team Cymru},
url = {https://blog.team-cymru.com/2020/02/19/azorult-what-we-see-using-our-own-tools/},
language = {English},
urldate = {2020-02-26}
}
Azorult – what we see using our own tools Azorult |
2020-02-14 ⋅ Virus Bulletin ⋅ Aditya K. Sood @online{sood:20200214:lokibot:c4e5d9d,
author = {Aditya K. Sood},
title = {{LokiBot: dissecting the C&C panel deployments}},
date = {2020-02-14},
organization = {Virus Bulletin},
url = {https://www.virusbulletin.com/virusbulletin/2020/02/lokibot-dissecting-cc-panel-deployments/},
language = {English},
urldate = {2020-02-25}
}
LokiBot: dissecting the C&C panel deployments Loki Password Stealer (PWS) |
2020-02-13 ⋅ Talos ⋅ Nick Biasini, Edmund Brumaghin @online{biasini:20200213:threat:443d687,
author = {Nick Biasini and Edmund Brumaghin},
title = {{Threat actors attempt to capitalize on coronavirus outbreak}},
date = {2020-02-13},
organization = {Talos},
url = {https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html},
language = {English},
urldate = {2020-03-19}
}
Threat actors attempt to capitalize on coronavirus outbreak Emotet Nanocore RAT Parallax RAT |
2020-02-12 ⋅ Twitter (@DrStache_) ⋅ DrStache @online{drstache:20200212:manabotnet:9a3d3c6,
author = {DrStache},
title = {{Tweet on ManaBotnet}},
date = {2020-02-12},
organization = {Twitter (@DrStache_)},
url = {https://twitter.com/DrStache_/status/1227662001247268864},
language = {English},
urldate = {2020-02-27}
}
Tweet on ManaBotnet Azorult |
2020-02-06 ⋅ Prevailion ⋅ Danny Adamitis @online{adamitis:20200206:triune:ada8ad3,
author = {Danny Adamitis},
title = {{The Triune Threat: MasterMana Returns}},
date = {2020-02-06},
organization = {Prevailion},
url = {https://blog.prevailion.com/2020/02/the-triune-threat-mastermana-returns.html},
language = {English},
urldate = {2020-04-13}
}
The Triune Threat: MasterMana Returns Azorult Loki Password Stealer (PWS) |
2020-02-05 ⋅ Cybereason ⋅ Lior Rochberger, Assaf Dahan @online{rochberger:20200205:hole:b982e31,
author = {Lior Rochberger and Assaf Dahan},
title = {{The Hole in the Bucket: Attackers Abuse Bitbucket to Deliver an Arsenal of Malware}},
date = {2020-02-05},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware},
language = {English},
urldate = {2020-02-09}
}
The Hole in the Bucket: Attackers Abuse Bitbucket to Deliver an Arsenal of Malware Amadey Azorult Predator The Thief STOP Vidar |
2020-02-03 ⋅ SANS ISC ⋅ Jan Kopriva @online{kopriva:20200203:analysis:c531bd3,
author = {Jan Kopriva},
title = {{Analysis of a triple-encrypted AZORult downloader}},
date = {2020-02-03},
organization = {SANS ISC},
url = {https://isc.sans.edu/forums/diary/Analysis+of+a+tripleencrypted+AZORult+downloader/25768/},
language = {English},
urldate = {2020-02-10}
}
Analysis of a triple-encrypted AZORult downloader Azorult |
2020-01-31 ⋅ ReversingLabs ⋅ Robert Simmons @online{simmons:20200131:rats:d8a4021,
author = {Robert Simmons},
title = {{RATs in the Library: Remote Access Trojans Hide in Plain "Public" Site}},
date = {2020-01-31},
organization = {ReversingLabs},
url = {https://blog.reversinglabs.com/blog/rats-in-the-library},
language = {English},
urldate = {2020-02-03}
}
RATs in the Library: Remote Access Trojans Hide in Plain "Public" Site CyberGate LimeRAT NjRAT Quasar RAT Revenge RAT |
2020-01-27 ⋅ Yoroi ⋅ Luigi Martire, Luca Mella @online{martire:20200127:aggah:9ed3380,
author = {Luigi Martire and Luca Mella},
title = {{Aggah: How to run a botnet without renting a Server (for more than a year)}},
date = {2020-01-27},
organization = {Yoroi},
url = {https://yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/},
language = {English},
urldate = {2021-06-16}
}
Aggah: How to run a botnet without renting a Server (for more than a year) LokiBot Azorult |
2020-01-22 ⋅ Thomas Barabosch @online{barabosch:20200122:malware:f805475,
author = {Thomas Barabosch},
title = {{The malware analyst’s guide to PE timestamps}},
date = {2020-01-22},
url = {https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/},
language = {English},
urldate = {2021-01-25}
}
The malware analyst’s guide to PE timestamps Azorult Gozi IcedID ISFB LOLSnif SUNBURST TEARDROP |
2020-01-19 ⋅ 360 ⋅ kate @online{kate:20200119:bayworld:2cc2212,
author = {kate},
title = {{BayWorld event, Cyber Attack Against Foreign Trade Industry}},
date = {2020-01-19},
organization = {360},
url = {https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/},
language = {English},
urldate = {2020-02-03}
}
BayWorld event, Cyber Attack Against Foreign Trade Industry Azorult Formbook Nanocore RAT Revenge RAT |
2020-01-17 ⋅ JPCERT/CC ⋅ Takayoshi Shiigi @techreport{shiigi:20200117:looking:bf71db1,
author = {Takayoshi Shiigi},
title = {{Looking back on the incidents in 2019}},
date = {2020-01-17},
institution = {JPCERT/CC},
url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf},
language = {English},
urldate = {2020-04-06}
}
Looking back on the incidents in 2019 TSCookie NodeRAT Emotet PoshC2 Quasar RAT |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:66f1290,
author = {SecureWorks},
title = {{BRONZE RIVERSIDE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-riverside},
language = {English},
urldate = {2020-05-23}
}
BRONZE RIVERSIDE Anel ChChes Cobalt Strike PlugX Poison Ivy Quasar RAT RedLeaves APT10 |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:aluminum:af22ffd,
author = {SecureWorks},
title = {{ALUMINUM SARATOGA}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/aluminum-saratoga},
language = {English},
urldate = {2020-05-23}
}
ALUMINUM SARATOGA BlackShades DarkComet Xtreme RAT Poison Ivy Quasar RAT Molerats |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:cobalt:8d36ac3,
author = {SecureWorks},
title = {{COBALT TRINITY}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/cobalt-trinity},
language = {English},
urldate = {2020-05-23}
}
COBALT TRINITY POWERTON pupy Imminent Monitor RAT Koadic Nanocore RAT NetWire RC PoshC2 APT33 |
2020-01 ⋅ Dragos ⋅ Joe Slowik @techreport{slowik:202001:threat:d891011,
author = {Joe Slowik},
title = {{Threat Intelligence and the Limits of Malware Analysis}},
date = {2020-01},
institution = {Dragos},
url = {https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf},
language = {English},
urldate = {2020-06-10}
}
Threat Intelligence and the Limits of Malware Analysis Exaramel Exaramel Industroyer Lookback NjRAT PlugX |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:copper:e356116,
author = {SecureWorks},
title = {{COPPER FIELDSTONE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/copper-fieldstone},
language = {English},
urldate = {2020-05-23}
}
COPPER FIELDSTONE Crimson RAT DarkComet Luminosity RAT NjRAT Operation C-Major |
2019-12-28 ⋅ Paul Burbage @online{burbage:20191228:tale:2e5f361,
author = {Paul Burbage},
title = {{The Tale of the Pija-Droid Firefinch}},
date = {2019-12-28},
url = {https://medium.com/@paul.k.burbage/the-tale-of-the-pija-droid-firefinch-4d304fde5ca2},
language = {English},
urldate = {2020-02-14}
}
The Tale of the Pija-Droid Firefinch Loki Password Stealer (PWS) |
2019-12-24 ⋅ Github (itsKindred) ⋅ Derek Kleinhen @techreport{kleinhen:20191224:bashar:944cfdf,
author = {Derek Kleinhen},
title = {{Bashar Bachir Infection Chain Analysis}},
date = {2019-12-24},
institution = {Github (itsKindred)},
url = {https://github.com/itsKindred/malware-analysis-writeups/blob/master/bashar-bachir-chain/bashar-bachir-analysis.pdf},
language = {English},
urldate = {2020-01-10}
}
Bashar Bachir Infection Chain Analysis NjRAT |
2019-12-12 ⋅ FireEye ⋅ Chi-en Shen, Oleg Bondarenko @online{shen:20191212:cyber:e01baca,
author = {Chi-en Shen and Oleg Bondarenko},
title = {{Cyber Threat Landscape in Japan – Revealing Threat in the Shadow}},
date = {2019-12-12},
organization = {FireEye},
url = {https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko},
language = {English},
urldate = {2020-04-16}
}
Cyber Threat Landscape in Japan – Revealing Threat in the Shadow Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech |
2019-11-28 ⋅ Kaspersky Labs ⋅ GReAT @online{great:20191128:revengehotels:4fd8ea9,
author = {GReAT},
title = {{RevengeHotels: cybercrime targeting hotel front desks worldwide}},
date = {2019-11-28},
organization = {Kaspersky Labs},
url = {https://securelist.com/revengehotels/95229/},
language = {English},
urldate = {2020-01-09}
}
RevengeHotels: cybercrime targeting hotel front desks worldwide Revenge RAT |
2019-11-19 ⋅ FireEye ⋅ Kelli Vanderlee, Nalani Fraser @techreport{vanderlee:20191119:achievement:6be19eb,
author = {Kelli Vanderlee and Nalani Fraser},
title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}},
date = {2019-11-19},
institution = {FireEye},
url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf},
language = {English},
urldate = {2021-03-02}
}
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell |
2019-11-11 ⋅ Binary Defense ⋅ Binary Defense @online{defense:20191111:revenge:114921b,
author = {Binary Defense},
title = {{Revenge Is A Dish Best Served… Obfuscated?}},
date = {2019-11-11},
organization = {Binary Defense},
url = {https://www.binarydefense.com/revenge-is-a-dish-best-served-obfuscated},
language = {English},
urldate = {2020-01-09}
}
Revenge Is A Dish Best Served… Obfuscated? Houdini Revenge RAT |
2019-10-28 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli @online{ramilli:20191028:sweed:bce7adf,
author = {Marco Ramilli},
title = {{SWEED Targeting Precision Engineering Companies in Italy}},
date = {2019-10-28},
organization = {Marco Ramilli's Blog},
url = {https://marcoramilli.com/2019/10/28/sweed-targeting-precision-engineering-companies-in-italy/},
language = {English},
urldate = {2019-12-17}
}
SWEED Targeting Precision Engineering Companies in Italy Loki Password Stealer (PWS) |
2019-10-21 ⋅ Fortinet ⋅ Xiaopeng Zhang, Chris Navarrete @online{zhang:20191021:new:b72bcde,
author = {Xiaopeng Zhang and Chris Navarrete},
title = {{New Variant of Remcos RAT Observed In the Wild}},
date = {2019-10-21},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/new-variant-of-remcos-rat-observed-in-the-wild.html},
language = {English},
urldate = {2019-11-21}
}
New Variant of Remcos RAT Observed In the Wild Remcos |
2019-09-26 ⋅ Proofpoint ⋅ Bryan Campbell, Jeremy Hedges, Proofpoint Threat Insight Team @online{campbell:20190926:new:d228362,
author = {Bryan Campbell and Jeremy Hedges and Proofpoint Threat Insight Team},
title = {{New WhiteShadow downloader uses Microsoft SQL to retrieve malware}},
date = {2019-09-26},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware},
language = {English},
urldate = {2020-02-26}
}
New WhiteShadow downloader uses Microsoft SQL to retrieve malware WhiteShadow Agent Tesla Azorult Crimson RAT Formbook Nanocore RAT NetWire RC NjRAT Remcos |
2019-09-24 ⋅ Yoroi ⋅ Antonio Farina, Luca Mella @online{farina:20190924:or:901ce1d,
author = {Antonio Farina and Luca Mella},
title = {{APT or not APT? What's Behind the Aggah Campaign}},
date = {2019-09-24},
organization = {Yoroi},
url = {https://yoroi.company/research/apt-or-not-apt-whats-behind-the-aggah-campaign/},
language = {English},
urldate = {2021-06-16}
}
APT or not APT? What's Behind the Aggah Campaign Azorult |
2019-09-23 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:20190923:apt41:63b9ff7,
author = {MITRE ATT&CK},
title = {{APT41}},
date = {2019-09-23},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0096},
language = {English},
urldate = {2022-08-30}
}
APT41 Derusbi MESSAGETAP Winnti ASPXSpy BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT MimiKatz NjRAT PlugX ShadowPad Winnti ZXShell APT41 |
2019-09-19 ⋅ NSHC ⋅ ThreatRecon Team @online{team:20190919:hagga:066e932,
author = {ThreatRecon Team},
title = {{Hagga of SectorH01 continues abusing Bitly, Blogger and Pastebin to deliver RevengeRAT and NanoCore}},
date = {2019-09-19},
organization = {NSHC},
url = {https://threatrecon.nshc.net/2019/09/19/sectorh01-continues-abusing-web-services/},
language = {English},
urldate = {2020-01-08}
}
Hagga of SectorH01 continues abusing Bitly, Blogger and Pastebin to deliver RevengeRAT and NanoCore Nanocore RAT Revenge RAT |
2019-09-07 ⋅ Dissecting Malware ⋅ Marius Genheimer @online{genheimer:20190907:malicious:37195ec,
author = {Marius Genheimer},
title = {{Malicious RATatouille}},
date = {2019-09-07},
organization = {Dissecting Malware},
url = {https://dissectingmalwa.re/malicious-ratatouille.html},
language = {English},
urldate = {2020-03-27}
}
Malicious RATatouille Remcos |
2019-08-30 ⋅ Github (threatland) ⋅ ThreatLand @online{threatland:20190830:njrat:995c281,
author = {ThreatLand},
title = {{njRAT builders}},
date = {2019-08-30},
organization = {Github (threatland)},
url = {https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Win.njRAT},
language = {English},
urldate = {2020-01-08}
}
njRAT builders NjRAT |
2019-08-25 ⋅ Github (threatland) ⋅ ThreatLand @online{threatland:20190825:nanocor:0ef5e7c,
author = {ThreatLand},
title = {{Nanocor Sample}},
date = {2019-08-25},
organization = {Github (threatland)},
url = {https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Win.Nanocore},
language = {English},
urldate = {2020-01-13}
}
Nanocor Sample Nanocore RAT |
2019-08-22 ⋅ Youtube (OALabs) ⋅ Sergei Frankoff @online{frankoff:20190822:remcos:b86c5bd,
author = {Sergei Frankoff},
title = {{Remcos RAT Unpacked From VB6 With x64dbg Debugger}},
date = {2019-08-22},
organization = {Youtube (OALabs)},
url = {https://www.youtube.com/watch?v=DIH4SvKuktM},
language = {English},
urldate = {2020-01-10}
}
Remcos RAT Unpacked From VB6 With x64dbg Debugger Remcos |
2019-08-15 ⋅ Trend Micro ⋅ Aliakbar Zahravi @online{zahravi:20190815:analysis:fadf6bc,
author = {Aliakbar Zahravi},
title = {{Analysis: New Remcos RAT Arrives Via Phishing Email}},
date = {2019-08-15},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_ca/research/19/h/analysis-new-remcos-rat-arrives-via-phishing-email.html},
language = {English},
urldate = {2021-08-25}
}
Analysis: New Remcos RAT Arrives Via Phishing Email Remcos |
2019-08-10 ⋅ Check Point ⋅ Omer Gull @online{gull:20190810:select:56061b1,
author = {Omer Gull},
title = {{SELECT code_execution FROM * USING SQLite;}},
date = {2019-08-10},
organization = {Check Point},
url = {https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/},
language = {English},
urldate = {2020-02-09}
}
SELECT code_execution FROM * USING SQLite; Azorult Loki Password Stealer (PWS) Pony |
2019-08-01 ⋅ Kaspersky Labs ⋅ GReAT @online{great:20190801:trends:5e25d5b,
author = {GReAT},
title = {{APT trends report Q2 2019}},
date = {2019-08-01},
organization = {Kaspersky Labs},
url = {https://securelist.com/apt-trends-report-q2-2019/91897/},
language = {English},
urldate = {2020-08-13}
}
APT trends report Q2 2019 ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy |
2019-07-15 ⋅ Cisco Talos ⋅ Edmund Brumaghin @online{brumaghin:20190715:sweed:9725699,
author = {Edmund Brumaghin},
title = {{SWEED: Exposing years of Agent Tesla campaigns}},
date = {2019-07-15},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html},
language = {English},
urldate = {2020-01-08}
}
SWEED: Exposing years of Agent Tesla campaigns Agent Tesla Formbook Loki Password Stealer (PWS) SWEED |
2019-07-11 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan @online{duncan:20190711:recent:bd25d5a,
author = {Brad Duncan},
title = {{Recent AZORult activity}},
date = {2019-07-11},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/25120},
language = {English},
urldate = {2020-01-10}
}
Recent AZORult activity Azorult |
2019-06-19 ⋅ Check Point ⋅ Kobi Eisenkraft, Moshe Hayun @online{eisenkraft:20190619:check:0a79b2b,
author = {Kobi Eisenkraft and Moshe Hayun},
title = {{Check Point’s Threat Emulation Stops Large-Scale Phishing Campaign in Germany}},
date = {2019-06-19},
organization = {Check Point},
url = {https://blog.checkpoint.com/2019/06/19/sandblast-agent-phishing-germany-campaign-security-hack-ransomware/},
language = {English},
urldate = {2020-01-08}
}
Check Point’s Threat Emulation Stops Large-Scale Phishing Campaign in Germany Remcos |
2019-06-08 ⋅ Yoroi ⋅ Luigi Martire, Davide Testa, Luca Mella, ZLAB-Yoroi @online{martire:20190608:evolution:c9d130c,
author = {Luigi Martire and Davide Testa and Luca Mella and ZLAB-Yoroi},
title = {{The Evolution of Aggah: From Roma225 to the RG Campaign}},
date = {2019-06-08},
organization = {Yoroi},
url = {https://yoroi.company/research/the-evolution-of-aggah-from-roma225-to-the-rg-campaign/},
language = {English},
urldate = {2021-06-16}
}
The Evolution of Aggah: From Roma225 to the RG Campaign Revenge RAT |
2019-06-04 ⋅ Cylance ⋅ Cylance Threat Research Team @online{team:20190604:threat:c448cf8,
author = {Cylance Threat Research Team},
title = {{Threat Spotlight: Analyzing AZORult Infostealer Malware}},
date = {2019-06-04},
organization = {Cylance},
url = {https://threatvector.cylance.com/en_us/home/threat-spotlight-analyzing-azorult-infostealer-malware.html},
language = {English},
urldate = {2020-02-10}
}
Threat Spotlight: Analyzing AZORult Infostealer Malware Azorult |
2019-05-24 ⋅ Fortinet ⋅ Ben Hunter @online{hunter:20190524:uncovering:7d8776e,
author = {Ben Hunter},
title = {{Uncovering new Activity by APT10}},
date = {2019-05-24},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-},
language = {English},
urldate = {2020-11-04}
}
Uncovering new Activity by APT10 PlugX Quasar RAT |
2019-05-20 ⋅ Twitter (@struppigel) ⋅ Karsten Hahn @online{hahn:20190520:yggdrasil:5a23fde,
author = {Karsten Hahn},
title = {{Tweet on Yggdrasil / CinaRAT}},
date = {2019-05-20},
organization = {Twitter (@struppigel)},
url = {https://twitter.com/struppigel/status/1130455143504318466},
language = {English},
urldate = {2020-01-13}
}
Tweet on Yggdrasil / CinaRAT Quasar RAT |
2019-05-08 ⋅ VMRay ⋅ Francis Montesino @online{montesino:20190508:get:ed8ceb4,
author = {Francis Montesino},
title = {{Get Smart with Enhanced Memory Dumping in VMRay Analyzer 3.0}},
date = {2019-05-08},
organization = {VMRay},
url = {https://www.vmray.com/cyber-security-blog/smart-memory-dumping/},
language = {English},
urldate = {2020-01-13}
}
Get Smart with Enhanced Memory Dumping in VMRay Analyzer 3.0 Remcos |
2019-05-05 ⋅ GoggleHeadedHacker Blog ⋅ Jacob Pimental @online{pimental:20190505:unpacking:3b96fc8,
author = {Jacob Pimental},
title = {{Unpacking NanoCore Sample Using AutoIT}},
date = {2019-05-05},
organization = {GoggleHeadedHacker Blog},
url = {https://goggleheadedhacker.com/blog/post/11},
language = {English},
urldate = {2019-12-18}
}
Unpacking NanoCore Sample Using AutoIT Nanocore RAT |
2019-04-17 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone, Brittany Ash @online{falcone:20190417:aggah:f17c88f,
author = {Robert Falcone and Brittany Ash},
title = {{Aggah Campaign: Bit.ly, BlogSpot, and Pastebin Used for C2 in Large Scale Campaign}},
date = {2019-04-17},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/},
language = {English},
urldate = {2020-01-07}
}
Aggah Campaign: Bit.ly, BlogSpot, and Pastebin Used for C2 in Large Scale Campaign The Gorgon Group |
2019-04-16 ⋅ FireEye ⋅ John Hultquist, Ben Read, Oleg Bondarenko, Chi-en Shen @online{hultquist:20190416:spear:a0125cb,
author = {John Hultquist and Ben Read and Oleg Bondarenko and Chi-en Shen},
title = {{Spear Phishing Campaign Targets Ukraine Government and Military; Infrastructure Reveals Potential Link to So-Called Luhansk People's Republic}},
date = {2019-04-16},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html},
language = {English},
urldate = {2019-12-20}
}
Spear Phishing Campaign Targets Ukraine Government and Military; Infrastructure Reveals Potential Link to So-Called Luhansk People's Republic Quasar RAT Vermin |
2019-04-05 ⋅ Trustwave ⋅ Phil Hay, Rodel Mendrez @online{hay:20190405:spammed:82cb5e3,
author = {Phil Hay and Rodel Mendrez},
title = {{Spammed PNG file hides LokiBot}},
date = {2019-04-05},
organization = {Trustwave},
url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/spammed-png-file-hides-lokibot/},
language = {English},
urldate = {2022-08-15}
}
Spammed PNG file hides LokiBot Loki Password Stealer (PWS) |
2019-04-01 ⋅ Macnica Networks ⋅ Macnica Networks @techreport{networks:20190401:trends:cf738dc,
author = {Macnica Networks},
title = {{Trends in Cyber Espionage Targeting Japan 2nd Half of 2018}},
date = {2019-04-01},
institution = {Macnica Networks},
url = {https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf},
language = {Japanese},
urldate = {2021-03-02}
}
Trends in Cyber Espionage Targeting Japan 2nd Half of 2018 Anel Cobalt Strike Datper PLEAD Quasar RAT RedLeaves taidoor Zebrocy |
2019-03-27 ⋅ Symantec ⋅ Security Response Attack Investigation Team @online{team:20190327:elfin:836cc39,
author = {Security Response Attack Investigation Team},
title = {{Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.}},
date = {2019-03-27},
organization = {Symantec},
url = {https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage},
language = {English},
urldate = {2020-01-06}
}
Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. DarkComet Nanocore RAT pupy Quasar RAT Remcos TURNEDUP APT33 |
2019-03-27 ⋅ Symantec ⋅ Critical Attack Discovery and Intelligence Team @online{team:20190327:elfin:d90a330,
author = {Critical Attack Discovery and Intelligence Team},
title = {{Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.}},
date = {2019-03-27},
organization = {Symantec},
url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage},
language = {English},
urldate = {2020-04-21}
}
Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. DarkComet MimiKatz Nanocore RAT NetWire RC pupy Quasar RAT Remcos StoneDrill TURNEDUP APT33 |
2019-03-25 ⋅ 360 Core Security ⋅ zhanghao-ms @online{zhanghaoms:20190325:patting:92fda17,
author = {zhanghao-ms},
title = {{Patting the Bear (APT-C-37): Exposure of Continued Attacks Against an Armed Organization}},
date = {2019-03-25},
organization = {360 Core Security},
url = {http://blogs.360.cn/post/analysis-of-apt-c-37.html},
language = {Chinese},
urldate = {2020-01-08}
}
Patting the Bear (APT-C-37): Exposure of Continued Attacks Against an Armed Organization Houdini NjRAT |
2019-03-22 ⋅ Kaspersky Labs ⋅ Alexander Eremin @online{eremin:20190322:azorult:3080ee5,
author = {Alexander Eremin},
title = {{AZORult++: Rewriting history}},
date = {2019-03-22},
organization = {Kaspersky Labs},
url = {https://securelist.com/azorult-analysis-history/89922/},
language = {English},
urldate = {2019-12-20}
}
AZORult++: Rewriting history Azorult |
2019-02-07 ⋅ Blueliv ⋅ Blueliv Labs Team @online{team:20190207:sales:c48c8d0,
author = {Blueliv Labs Team},
title = {{Sales of AZORult grind to an AZOR-halt}},
date = {2019-02-07},
organization = {Blueliv},
url = {https://www.blueliv.com/blog-news/research/azorult-crydbrox-stops-sells-malware-credential-stealer/},
language = {English},
urldate = {2019-11-20}
}
Sales of AZORult grind to an AZOR-halt Azorult |
2019-01-28 ⋅ Minerva Labs ⋅ Asaf Aprozper, Gal Bitensky @online{aprozper:20190128:azorult:78563e2,
author = {Asaf Aprozper and Gal Bitensky},
title = {{AZORult: Now, as A Signed “Google Update”}},
date = {2019-01-28},
organization = {Minerva Labs},
url = {https://blog.minerva-labs.com/azorult-now-as-a-signed-google-update},
language = {English},
urldate = {2019-12-04}
}
AZORult: Now, as A Signed “Google Update” Azorult |
2019 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:2019:gorgon:f7c9936,
author = {MITRE ATT&CK},
title = {{Group description: Gorgon Group}},
date = {2019},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0078/},
language = {English},
urldate = {2019-12-20}
}
Group description: Gorgon Group The Gorgon Group |
2018-12-04 ⋅ Brad Duncan @online{duncan:20181204:malspam:8e2d810,
author = {Brad Duncan},
title = {{Malspam pushing Lokibot malware}},
date = {2018-12-04},
url = {https://isc.sans.edu/diary/24372},
language = {English},
urldate = {2019-10-29}
}
Malspam pushing Lokibot malware Loki Password Stealer (PWS) |
2018-10-17 ⋅ Check Point ⋅ Israel Gubi @online{gubi:20181017:emergence:670b6fd,
author = {Israel Gubi},
title = {{The Emergence of the New Azorult 3.3}},
date = {2018-10-17},
organization = {Check Point},
url = {https://research.checkpoint.com/the-emergence-of-the-new-azorult-3-3/},
language = {English},
urldate = {2020-01-07}
}
The Emergence of the New Azorult 3.3 Azorult |
2018-10-01 ⋅ Macnica Networks ⋅ Macnica Networks @techreport{networks:20181001:trends:17b1db5,
author = {Macnica Networks},
title = {{Trends in cyber espionage (targeted attacks) targeting Japan | First half of 2018}},
date = {2018-10-01},
institution = {Macnica Networks},
url = {https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf},
language = {Japanese},
urldate = {2021-03-02}
}
Trends in cyber espionage (targeted attacks) targeting Japan | First half of 2018 Anel Cobalt Strike Datper FlawedAmmyy Quasar RAT RedLeaves taidoor Winnti xxmm |
2018-08-29 ⋅ Kaspersky Labs ⋅ Tatyana Shcherbakova @online{shcherbakova:20180829:loki:c239728,
author = {Tatyana Shcherbakova},
title = {{Loki Bot: On a hunt for corporate passwords}},
date = {2018-08-29},
organization = {Kaspersky Labs},
url = {https://securelist.com/loki-bot-stealing-corporate-passwords/87595/},
language = {English},
urldate = {2019-12-20}
}
Loki Bot: On a hunt for corporate passwords Loki Password Stealer (PWS) |
2018-08-22 ⋅ Cisco Talos ⋅ Edmund Brumaghin, Holger Unterbrink, Eric Kuhla, Lilia Gonzalez Medina @online{brumaghin:20180822:picking:925912d,
author = {Edmund Brumaghin and Holger Unterbrink and Eric Kuhla and Lilia Gonzalez Medina},
title = {{Picking Apart Remcos Botnet-In-A-Box}},
date = {2018-08-22},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html},
language = {English},
urldate = {2019-10-23}
}
Picking Apart Remcos Botnet-In-A-Box Remcos |
2018-08-18 ⋅ Bleeping Computer ⋅ Vishal Thakur @online{thakur:20180818:azorult:e096002,
author = {Vishal Thakur},
title = {{AZORult Trojan Serving Aurora Ransomware by MalActor Oktropys}},
date = {2018-08-18},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/},
language = {English},
urldate = {2019-12-20}
}
AZORult Trojan Serving Aurora Ransomware by MalActor Oktropys Aurora Azorult |
2018-08-02 ⋅ Robert Falcone, David Fuertes, Josh Grunzweig, Kyle Wilhoit @online{falcone:20180802:gorgon:8a338cc,
author = {Robert Falcone and David Fuertes and Josh Grunzweig and Kyle Wilhoit},
title = {{The Gorgon Group: Slithering Between Nation State and Cybercrime}},
date = {2018-08-02},
url = {https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/},
language = {English},
urldate = {2019-11-29}
}
The Gorgon Group: Slithering Between Nation State and Cybercrime The Gorgon Group |
2018-08-02 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone, David Fuertes, Josh Grunzweig, Kyle Wilhoit @online{falcone:20180802:gorgon:06112b1,
author = {Robert Falcone and David Fuertes and Josh Grunzweig and Kyle Wilhoit},
title = {{The Gorgon Group: Slithering Between Nation State and Cybercrime}},
date = {2018-08-02},
organization = {Palo Alto Networks Unit 42},
url = {https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/},
language = {English},
urldate = {2019-12-20}
}
The Gorgon Group: Slithering Between Nation State and Cybercrime Loki Password Stealer (PWS) Nanocore RAT NjRAT Quasar RAT Remcos Revenge RAT |
2018-07-30 ⋅ Proofpoint ⋅ Proofpoint Staff @online{staff:20180730:new:07c5e76,
author = {Proofpoint Staff},
title = {{New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign}},
date = {2018-07-30},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside},
language = {English},
urldate = {2021-12-13}
}
New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign Azorult Hermes |
2018-07-23 ⋅ 360 Threat Intelligence ⋅ Qi Anxin Threat Intelligence Center @online{center:20180723:golden:acfd437,
author = {Qi Anxin Threat Intelligence Center},
title = {{Golden Rat Organization-targeted attack in Syria}},
date = {2018-07-23},
organization = {360 Threat Intelligence},
url = {https://ti.360.net/blog/articles/analysis-of-apt-c-27/},
language = {Chinese},
urldate = {2020-04-28}
}
Golden Rat Organization-targeted attack in Syria NjRAT APT-C-27 |
2018-07-17 ⋅ ESET Research ⋅ Kaspars Osis @online{osis:20180717:deep:56fcfcf,
author = {Kaspars Osis},
title = {{A deep dive down the Vermin RAThole}},
date = {2018-07-17},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/},
language = {English},
urldate = {2019-11-14}
}
A deep dive down the Vermin RAThole Quasar RAT Sobaken Vermin |
2018-07-06 ⋅ Github (d00rt) ⋅ d00rt @techreport{d00rt:20180706:lokibot:6508667,
author = {d00rt},
title = {{LokiBot Infostealer Jihacked Version}},
date = {2018-07-06},
institution = {Github (d00rt)},
url = {https://github.com/d00rt/hijacked_lokibot_version/blob/master/doc/LokiBot_hijacked_2018.pdf},
language = {English},
urldate = {2020-01-10}
}
LokiBot Infostealer Jihacked Version Loki Password Stealer (PWS) |
2018-06-07 ⋅ Volexity ⋅ Matthew Meltzer, Sean Koessel, Steven Adair @online{meltzer:20180607:patchwork:5b8d3c8,
author = {Matthew Meltzer and Sean Koessel and Steven Adair},
title = {{Patchwork APT Group Targets US Think Tanks}},
date = {2018-06-07},
organization = {Volexity},
url = {https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/},
language = {English},
urldate = {2020-01-08}
}
Patchwork APT Group Targets US Think Tanks Quasar RAT Unidentified 047 QUILTED TIGER |
2018-05-17 ⋅ Minerva Labs ⋅ Gal Bitensky @online{bitensky:20180517:analyzing:c25d2ac,
author = {Gal Bitensky},
title = {{Analyzing an AZORult Attack – Evasion in a Cloak of Multiple Layers}},
date = {2018-05-17},
organization = {Minerva Labs},
url = {https://blog.minerva-labs.com/puffstealer-evasion-in-a-cloak-of-multiple-layers},
language = {English},
urldate = {2019-10-14}
}
Analyzing an AZORult Attack – Evasion in a Cloak of Multiple Layers Azorult |
2018-03-30 ⋅ 360 Threat Intelligence ⋅ Qi Anxin Threat Intelligence Center @online{center:20180330:analysis:4f1feb9,
author = {Qi Anxin Threat Intelligence Center},
title = {{Analysis of the latest cyber attack activity of the APT organization against sensitive institutions in China}},
date = {2018-03-30},
organization = {360 Threat Intelligence},
url = {https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/},
language = {Chinese},
urldate = {2020-01-13}
}
Analysis of the latest cyber attack activity of the APT organization against sensitive institutions in China Quasar RAT |
2018-03-02 ⋅ KrabsOnSecurity ⋅ Mr. Krabs @online{krabs:20180302:analysing:7b1f12f,
author = {Mr. Krabs},
title = {{Analysing Remcos RAT’s executable}},
date = {2018-03-02},
organization = {KrabsOnSecurity},
url = {https://krabsonsecurity.com/2018/03/02/analysing-remcos-rats-executable/},
language = {English},
urldate = {2019-07-31}
}
Analysing Remcos RAT’s executable Remcos |
2018-03-01 ⋅ My Online Security ⋅ My Online Security @online{security:20180301:fake:7f835ef,
author = {My Online Security},
title = {{Fake order spoofed from Finchers ltd Sankyo-Rubber delivers Remcos RAT via ACE attachments}},
date = {2018-03-01},
organization = {My Online Security},
url = {https://myonlinesecurity.co.uk/fake-order-spoofed-from-finchers-ltd-sankyo-rubber-delivers-remcos-rat-via-ace-attachments/},
language = {English},
urldate = {2020-01-13}
}
Fake order spoofed from Finchers ltd Sankyo-Rubber delivers Remcos RAT via ACE attachments Remcos |
2018-02-26 ⋅ Bleeping Computer ⋅ Catalin Cimpanu @online{cimpanu:20180226:nanocore:4659d30,
author = {Catalin Cimpanu},
title = {{Nanocore RAT Author Gets 33 Months in Prison}},
date = {2018-02-26},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/nanocore-rat-author-gets-33-months-in-prison/},
language = {English},
urldate = {2019-12-20}
}
Nanocore RAT Author Gets 33 Months in Prison Nanocore RAT |
2018-01-23 ⋅ RiskIQ ⋅ Yonathan Klijnsma @online{klijnsma:20180123:espionage:f3d28b0,
author = {Yonathan Klijnsma},
title = {{Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors}},
date = {2018-01-23},
organization = {RiskIQ},
url = {https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/},
language = {English},
urldate = {2019-12-24}
}
Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors Remcos |
2017-12-22 ⋅ Malware Traffic Analysis ⋅ Brad Duncan @online{duncan:20171222:malspam:4a3fd87,
author = {Brad Duncan},
title = {{MALSPAM USES CVE-2017-0199 TO DISTRIBUTE REMCOS RAT}},
date = {2017-12-22},
organization = {Malware Traffic Analysis},
url = {http://malware-traffic-analysis.net/2017/12/22/index.html},
language = {English},
urldate = {2019-07-11}
}
MALSPAM USES CVE-2017-0199 TO DISTRIBUTE REMCOS RAT Remcos |
2017-12-19 ⋅ Lastline ⋅ Andy Norton @online{norton:20171219:novel:2a852a7,
author = {Andy Norton},
title = {{Novel Excel Spreadsheet Attack Launches Password Stealing Malware Loki Bot}},
date = {2017-12-19},
organization = {Lastline},
url = {https://www.lastline.com/blog/password-stealing-malware-loki-bot/},
language = {English},
urldate = {2020-01-13}
}
Novel Excel Spreadsheet Attack Launches Password Stealing Malware Loki Bot Loki Password Stealer (PWS) |
2017-12-11 ⋅ Trend Micro ⋅ Daniel Lunghi, Jaromír Hořejší, Cedric Pernet @online{lunghi:20171211:untangling:5f00f99,
author = {Daniel Lunghi and Jaromír Hořejší and Cedric Pernet},
title = {{Untangling the Patchwork Cyberespionage Group}},
date = {2017-12-11},
organization = {Trend Micro},
url = {https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf?platform=hootsuite},
language = {English},
urldate = {2019-10-21}
}
Untangling the Patchwork Cyberespionage Group Quasar RAT |
2017-11-12 ⋅ MalwareBreakdown @online{malwarebreakdown:20171112:seamless:0a1c207,
author = {MalwareBreakdown},
title = {{Seamless Campaign Delivers Ramnit via RIG EK at 188.225.82.158. Follow-up Malware is AZORult Stealer.}},
date = {2017-11-12},
url = {https://malwarebreakdown.com/2017/11/12/seamless-campaign-delivers-ramnit-via-rig-ek-at-188-225-82-158-follow-up-malware-is-azorult-stealer/},
language = {English},
urldate = {2019-12-17}
}
Seamless Campaign Delivers Ramnit via RIG EK at 188.225.82.158. Follow-up Malware is AZORult Stealer. Azorult |
2017-10-27 ⋅ Palo Alto Networks Unit 42 ⋅ Unit42 @online{unit42:20171027:tracking:4a4e969,
author = {Unit42},
title = {{Tracking Subaat: Targeted Phishing Attack Leads to Threat Actor’s Repository}},
date = {2017-10-27},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/unit42-tracking-subaat-targeted-phishing-attacks-point-leader-threat-actors-repository/},
language = {English},
urldate = {2020-01-09}
}
Tracking Subaat: Targeted Phishing Attack Leads to Threat Actor’s Repository The Gorgon Group |
2017-09-20 ⋅ FireEye ⋅ Jacqueline O’Leary, Josiah Kimble, Kelli Vanderlee, Nalani Fraser @online{oleary:20170920:insights:27e8253,
author = {Jacqueline O’Leary and Josiah Kimble and Kelli Vanderlee and Nalani Fraser},
title = {{Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware}},
date = {2017-09-20},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html},
language = {English},
urldate = {2019-12-20}
}
Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware DROPSHOT Nanocore RAT NetWire RC SHAPESHIFT TURNEDUP APT33 |
2017-07-24 ⋅ Malware Breakdown ⋅ Malware Breakdown @online{breakdown:20170724:seamless:7e55e6a,
author = {Malware Breakdown},
title = {{The Seamless Campaign Drops Ramnit. Follow-up Malware: AZORult Stealer, Smoke Loader, etc.}},
date = {2017-07-24},
organization = {Malware Breakdown},
url = {https://malwarebreakdown.com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/},
language = {English},
urldate = {2020-01-10}
}
The Seamless Campaign Drops Ramnit. Follow-up Malware: AZORult Stealer, Smoke Loader, etc. Azorult |
2017-07-24 ⋅ Vitali Kremez Blog ⋅ Vitali Kremez @online{kremez:20170724:lets:8b64c6c,
author = {Vitali Kremez},
title = {{Let's Learn: Reversing Credential and Payment Card Information Stealer 'AZORult V2'}},
date = {2017-07-24},
organization = {Vitali Kremez Blog},
url = {http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html},
language = {English},
urldate = {2020-01-06}
}
Let's Learn: Reversing Credential and Payment Card Information Stealer 'AZORult V2' Azorult |
2017-07-08 ⋅ InfoSec Handlers Diary Blog ⋅ Xavier Mertens @online{mertens:20170708:vbscript:e2baa5d,
author = {Xavier Mertens},
title = {{A VBScript with Obfuscated Base64 Data}},
date = {2017-07-08},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/rss/22590},
language = {English},
urldate = {2020-01-13}
}
A VBScript with Obfuscated Base64 Data Revenge RAT |
2017-07-01 ⋅ Secrary Blog ⋅ lasha @online{lasha:20170701:remcos:984d85c,
author = {lasha},
title = {{Remcos RAT}},
date = {2017-07-01},
organization = {Secrary Blog},
url = {https://secrary.com/ReversingMalware/RemcosRAT/},
language = {English},
urldate = {2020-01-09}
}
Remcos RAT Remcos |
2017-06-22 ⋅ SANS Institute Information Security Reading Room ⋅ Rob Pantazopoulos @online{pantazopoulos:20170622:lokibot:cb24973,
author = {Rob Pantazopoulos},
title = {{Loki-Bot: InformationStealer, Keylogger, &More!}},
date = {2017-06-22},
organization = {SANS Institute Information Security Reading Room},
url = {https://www.sans.org/reading-room/whitepapers/malicious/loki-bot-information-stealer-keylogger-more-37850},
language = {English},
urldate = {2019-07-11}
}
Loki-Bot: InformationStealer, Keylogger, &More! Loki Password Stealer (PWS) |
2017-05-17 ⋅ Fortinet ⋅ Xiaopeng Zhang, Hua Liu @online{zhang:20170517:new:15004ed,
author = {Xiaopeng Zhang and Hua Liu},
title = {{New Loki Variant Being Spread via PDF File}},
date = {2017-05-17},
organization = {Fortinet},
url = {https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file},
language = {English},
urldate = {2020-01-05}
}
New Loki Variant Being Spread via PDF File Loki Password Stealer (PWS) |
2017-05-07 ⋅ R3MRUM ⋅ R3MRUM @online{r3mrum:20170507:lokibot:5a6975d,
author = {R3MRUM},
title = {{Loki-Bot: Come out, come out, wherever you are!}},
date = {2017-05-07},
organization = {R3MRUM},
url = {https://r3mrum.wordpress.com/2017/05/07/loki-bot-atrifacts/},
language = {English},
urldate = {2020-01-12}
}
Loki-Bot: Come out, come out, wherever you are! Loki Password Stealer (PWS) |
2017-05-05 ⋅ Github (R3MRUM) ⋅ R3MRUM @online{r3mrum:20170505:lokiparse:c8a2916,
author = {R3MRUM},
title = {{loki-parse}},
date = {2017-05-05},
organization = {Github (R3MRUM)},
url = {https://github.com/R3MRUM/loki-parse},
language = {English},
urldate = {2019-11-29}
}
loki-parse Loki Password Stealer (PWS) |
2017-04 ⋅ PricewaterhouseCoopers ⋅ PricewaterhouseCoopers @techreport{pricewaterhousecoopers:201704:operation:cb50712,
author = {PricewaterhouseCoopers},
title = {{Operation Cloud Hopper: Technical Annex}},
date = {2017-04},
institution = {PricewaterhouseCoopers},
url = {https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf},
language = {English},
urldate = {2019-10-15}
}
Operation Cloud Hopper: Technical Annex ChChes PlugX Quasar RAT RedLeaves Trochilus RAT |
2017-03-23 ⋅ Cofense ⋅ Cofense @online{cofense:20170323:tales:cbdee9a,
author = {Cofense},
title = {{Tales from the Trenches: Loki Bot Malware}},
date = {2017-03-23},
organization = {Cofense},
url = {https://phishme.com/loki-bot-malware/},
language = {English},
urldate = {2019-12-02}
}
Tales from the Trenches: Loki Bot Malware Loki Password Stealer (PWS) |
2017-02-16 ⋅ Cysinfo ⋅ Winston M @online{m:20170216:nefarious:a0ed57b,
author = {Winston M},
title = {{Nefarious Macro Malware drops “Loki Bot” to steal sensitive information across GCC countries!}},
date = {2017-02-16},
organization = {Cysinfo},
url = {https://cysinfo.com/nefarious-macro-malware-drops-loki-bot-across-gcc-countries/},
language = {English},
urldate = {2019-10-23}
}
Nefarious Macro Malware drops “Loki Bot” to steal sensitive information across GCC countries! Loki Password Stealer (PWS) |
2017-02-14 ⋅ Fortinet ⋅ Floser Bacurio, Joie Salvio @online{bacurio:20170214:remcos:e924c55,
author = {Floser Bacurio and Joie Salvio},
title = {{REMCOS: A New RAT In The Wild}},
date = {2017-02-14},
organization = {Fortinet},
url = {https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2},
language = {English},
urldate = {2020-01-09}
}
REMCOS: A New RAT In The Wild Remcos |
2017-01-30 ⋅ Palo Alto Networks Unit 42 ⋅ Mashav Sapir, Tomer Bar, Netanel Rimer, Taras Malivanchuk, Yaron Samuel, Simon Conant @online{sapir:20170130:downeks:8ed6329,
author = {Mashav Sapir and Tomer Bar and Netanel Rimer and Taras Malivanchuk and Yaron Samuel and Simon Conant},
title = {{Downeks and Quasar RAT Used in Recent Targeted Attacks Against Governments}},
date = {2017-01-30},
organization = {Palo Alto Networks Unit 42},
url = {http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments},
language = {English},
urldate = {2019-12-20}
}
Downeks and Quasar RAT Used in Recent Targeted Attacks Against Governments Quasar RAT |
2016-11-30 ⋅ Fortinet ⋅ Lilia Elena Gonzalez Medina @online{medina:20161130:bladabindi:22e025f,
author = {Lilia Elena Gonzalez Medina},
title = {{Bladabindi Remains A Constant Threat By Using Dynamic DNS Services}},
date = {2016-11-30},
organization = {Fortinet},
url = {https://blog.fortinet.com/2016/11/30/bladabindi-remains-a-constant-threat-by-using-dynamic-dns-services},
language = {English},
urldate = {2020-01-09}
}
Bladabindi Remains A Constant Threat By Using Dynamic DNS Services NjRAT |
2016-10-26 ⋅ Unknown ⋅ Chris Doman @online{doman:20161026:moonlight:1edffaa,
author = {Chris Doman},
title = {{Moonlight – Targeted attacks in the Middle East}},
date = {2016-10-26},
organization = {Unknown},
url = {https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks},
language = {English},
urldate = {2020-04-06}
}
Moonlight – Targeted attacks in the Middle East Houdini NjRAT Molerats |
2016-10-20 ⋅ Twitter (@malwrhunterteam) ⋅ MalwareHunterTeam @online{malwarehunterteam:20161020:quasar:f530cea,
author = {MalwareHunterTeam},
title = {{Tweet on Quasar RAT}},
date = {2016-10-20},
organization = {Twitter (@malwrhunterteam)},
url = {https://twitter.com/malwrhunterteam/status/789153556255342596},
language = {English},
urldate = {2019-07-11}
}
Tweet on Quasar RAT Quasar RAT |
2016-07-26 ⋅ Proofpoint ⋅ Proofpoint @online{proofpoint:20160726:threat:076e87a,
author = {Proofpoint},
title = {{Threat Actors Using Legitimate PayPal Accounts To Distribute Chthonic Banking Trojan}},
date = {2016-07-26},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan},
language = {English},
urldate = {2019-07-09}
}
Threat Actors Using Legitimate PayPal Accounts To Distribute Chthonic Banking Trojan Azorult Chthonic |
2015-01-22 ⋅ Trend Micro ⋅ Michael Marcos @online{marcos:20150122:new:1fdb830,
author = {Michael Marcos},
title = {{New RATs Emerge from Leaked Njw0rm Source Code}},
date = {2015-01-22},
organization = {Trend Micro},
url = {http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/},
language = {English},
urldate = {2019-12-17}
}
New RATs Emerge from Leaked Njw0rm Source Code NjRAT |