SYMBOLCOMMON_NAMEaka. SYNONYMS

UNC2452  (Back to overview)

aka: DarkHalo, StellarParticle, NOBELIUM

Reporting regarding activity related to the SolarWinds supply chain injection has grown quickly since initial disclosure on 13 December 2020. A significant amount of press reporting has focused on the identification of the actor(s) involved, victim organizations, possible campaign timeline, and potential impact. The US Government and cyber community have also provided detailed information on how the campaign was likely conducted and some of the malware used. MITRE’s ATT&CK team — with the assistance of contributors — has been mapping techniques used by the actor group, referred to as UNC2452/Dark Halo by FireEye and Volexity respectively, as well as SUNBURST and TEARDROP malware.


Associated Families
win.teardrop win.sunburst win.goldmax win.raindrop win.cobalt_strike

References
2021-11-30BroadcomSymantec Threat Hunter Team
@online{team:20211130:yanluowang:538b90c, author = {Symantec Threat Hunter Team}, title = {{Yanluowang: Further Insights on New Ransomware Threat}}, date = {2021-11-30}, organization = {Broadcom}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue}, language = {English}, urldate = {2021-11-30} } Yanluowang: Further Insights on New Ransomware Threat
BazarBackdoor Cobalt Strike FiveHands
2021-11-29MandiantTyler McLellan, Brandan Schondorfer
@online{mclellan:20211129:kittengif:efb8036, author = {Tyler McLellan and Brandan Schondorfer}, title = {{Kitten.gif: Meet the Sabbath Ransomware Affiliate Program, Again}}, date = {2021-11-29}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/sabbath-ransomware-affiliate}, language = {English}, urldate = {2021-11-30} } Kitten.gif: Meet the Sabbath Ransomware Affiliate Program, Again
Cobalt Strike
2021-11-19Trend MicroMohamed Fahmy, Sherif Magdy, Abdelrhman Sharshar
@online{fahmy:20211119:squirrelwaffle:1e8fa78, author = {Mohamed Fahmy and Sherif Magdy and Abdelrhman Sharshar}, title = {{Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains}}, date = {2021-11-19}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html}, language = {English}, urldate = {2021-11-25} } Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains
Cobalt Strike QakBot Squirrelwaffle
2021-11-17Trend MicroMohamed Fahmy, Abdelrhman Sharshar, Sherif Magdy, Ryan Maglaque
@online{fahmy:20211117:analyzing:c6c52d1, author = {Mohamed Fahmy and Abdelrhman Sharshar and Sherif Magdy and Ryan Maglaque}, title = {{Analyzing ProxyShell-related Incidents via Trend Micro Managed XDR}}, date = {2021-11-17}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_in/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html}, language = {English}, urldate = {2021-11-18} } Analyzing ProxyShell-related Incidents via Trend Micro Managed XDR
Cobalt Strike Cotx RAT
2021-11-17nvisoDidier Stevens
@online{stevens:20211117:cobalt:0b6ecf5, author = {Didier Stevens}, title = {{Cobalt Strike: Decrypting Obfuscated Traffic – Part 4}}, date = {2021-11-17}, organization = {nviso}, url = {https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffic-part-4/}, language = {English}, urldate = {2021-11-18} } Cobalt Strike: Decrypting Obfuscated Traffic – Part 4
Cobalt Strike
2021-11-17Twitter (@Unit42_Intel)Unit 42
@online{42:20211117:matanbuchus:9e3556c, author = {Unit 42}, title = {{Tweet on Matanbuchus Loader used to deliver Qakbot (tag obama128b) and follow-up CobaltStrike}}, date = {2021-11-17}, organization = {Twitter (@Unit42_Intel)}, url = {https://twitter.com/Unit42_Intel/status/1461004489234829320}, language = {English}, urldate = {2021-11-25} } Tweet on Matanbuchus Loader used to deliver Qakbot (tag obama128b) and follow-up CobaltStrike
Cobalt Strike QakBot
2021-11-16BlackberryT.J. O'Leary, Tom Bonner, Marta Janus, Dean Given, Eoin Wickens, Jim Simpson
@techreport{oleary:20211116:finding:e8594dd, author = {T.J. O'Leary and Tom Bonner and Marta Janus and Dean Given and Eoin Wickens and Jim Simpson}, title = {{Finding Beacons in the dark}}, date = {2021-11-16}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/bb-ebook-finding-beacons-in-the-dark.pdf}, language = {English}, urldate = {2021-11-18} } Finding Beacons in the dark
Cobalt Strike
2021-11-16CiscoChetan Raghuprasad, Vanja Svajcer, Asheer Malhotra
@online{raghuprasad:20211116:attackers:c31ad77, author = {Chetan Raghuprasad and Vanja Svajcer and Asheer Malhotra}, title = {{Attackers use domain fronting technique to target Myanmar with Cobalt Strike}}, date = {2021-11-16}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2021/11/attackers-use-domain-fronting-technique.html}, language = {English}, urldate = {2021-11-17} } Attackers use domain fronting technique to target Myanmar with Cobalt Strike
Cobalt Strike
2021-11-16IronNetIronNet Threat Research, Morgan Demboski, Joey Fitzpatrick, Peter Rydzynski
@online{research:20211116:how:d7fdaf8, author = {IronNet Threat Research and Morgan Demboski and Joey Fitzpatrick and Peter Rydzynski}, title = {{How IronNet's Behavioral Analytics Detect REvil and Conti Ransomware}}, date = {2021-11-16}, organization = {IronNet}, url = {https://www.ironnet.com/blog/ransomware-graphic-blog}, language = {English}, urldate = {2021-11-25} } How IronNet's Behavioral Analytics Detect REvil and Conti Ransomware
Cobalt Strike Conti IcedID REvil
2021-11-15TRUESECFabio Viggiani
@online{viggiani:20211115:proxyshell:bf17c6d, author = {Fabio Viggiani}, title = {{ProxyShell, QBot, and Conti Ransomware Combined in a Series of Cyberattacks}}, date = {2021-11-15}, organization = {TRUESEC}, url = {https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks}, language = {English}, urldate = {2021-11-17} } ProxyShell, QBot, and Conti Ransomware Combined in a Series of Cyberattacks
Cobalt Strike Conti QakBot
2021-11-13Just StillStill Hsu
@online{hsu:20211113:threat:597b1a0, author = {Still Hsu}, title = {{Threat Spotlight - Domain Fronting}}, date = {2021-11-13}, organization = {Just Still}, url = {https://stillu.cc/threat-spotlight/2021/11/13/domain-fronting-fastly/}, language = {English}, urldate = {2021-11-18} } Threat Spotlight - Domain Fronting
Cobalt Strike
2021-11-12MalwarebytesHossein Jazi
@online{jazi:20211112:multistage:e70f6d0, author = {Hossein Jazi}, title = {{A multi-stage PowerShell based attack targets Kazakhstan}}, date = {2021-11-12}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-intelligence/2021/11/a-multi-stage-powershell-based-attack-targets-kazakhstan/}, language = {English}, urldate = {2021-11-17} } A multi-stage PowerShell based attack targets Kazakhstan
Cobalt Strike
2021-11-11CynetMax Malyutin
@online{malyutin:20211111:duck:897cc6f, author = {Max Malyutin}, title = {{A Duck Nightmare Quakbot Strikes with QuakNightmare Exploitation}}, date = {2021-11-11}, organization = {Cynet}, url = {https://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation/}, language = {English}, urldate = {2021-11-25} } A Duck Nightmare Quakbot Strikes with QuakNightmare Exploitation
Cobalt Strike QakBot
2021-11-10AT&TJosh Gomez
@online{gomez:20211110:stories:4ce1168, author = {Josh Gomez}, title = {{Stories from the SOC - Powershell, Proxyshell, Conti TTPs OH MY!}}, date = {2021-11-10}, organization = {AT&T}, url = {https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-powershell-proxyshell-conti-ttps-oh-my}, language = {English}, urldate = {2021-11-17} } Stories from the SOC - Powershell, Proxyshell, Conti TTPs OH MY!
Cobalt Strike Conti
2021-11-10SekoiaCyber Threat Intelligence team
@online{team:20211110:walking:cc41f24, author = {Cyber Threat Intelligence team}, title = {{Walking on APT31 infrastructure footprints}}, date = {2021-11-10}, organization = {Sekoia}, url = {https://www.sekoia.io/en/walking-on-apt31-infrastructure-footprints/}, language = {English}, urldate = {2021-11-11} } Walking on APT31 infrastructure footprints
Rekoobe Unidentified ELF 004 Cobalt Strike
2021-11-09CybereasonCybereason Global SOC Team
@online{team:20211109:threat:9f898c9, author = {Cybereason Global SOC Team}, title = {{THREAT ANALYSIS REPORT: From Shatak Emails to the Conti Ransomware}}, date = {2021-11-09}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-analysis-report-from-shatak-emails-to-the-conti-ransomware}, language = {English}, urldate = {2021-11-25} } THREAT ANALYSIS REPORT: From Shatak Emails to the Conti Ransomware
Cobalt Strike Conti
2021-11-05Twitter (@Unit42_Intel)Unit 42
@online{42:20211105:ta551:98c564e, author = {Unit 42}, title = {{Tweet on TA551 (Shathak) BazarLoader infection with CobaltStrike and DarkVNC drops}}, date = {2021-11-05}, organization = {Twitter (@Unit42_Intel)}, url = {https://twitter.com/Unit42_Intel/status/1458113934024757256}, language = {English}, urldate = {2021-11-17} } Tweet on TA551 (Shathak) BazarLoader infection with CobaltStrike and DarkVNC drops
BazarBackdoor Cobalt Strike
2021-11-05BlackberryThe BlackBerry Research & Intelligence Team
@online{team:20211105:hunter:3c7bab9, author = {The BlackBerry Research & Intelligence Team}, title = {{Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware}}, date = {2021-11-05}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/11/zebra2104}, language = {English}, urldate = {2021-11-08} } Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware
Cobalt Strike DoppelDridex Mount Locker Phobos StrongPity
2021-11-03nvisoDidier Stevens
@online{stevens:20211103:cobalt:8f8223d, author = {Didier Stevens}, title = {{Cobalt Strike: Using Process Memory To Decrypt Traffic – Part 3}}, date = {2021-11-03}, organization = {nviso}, url = {https://blog.nviso.eu/2021/11/03/cobalt-strike-using-process-memory-to-decrypt-traffic-part-3/}, language = {English}, urldate = {2021-11-08} } Cobalt Strike: Using Process Memory To Decrypt Traffic – Part 3
Cobalt Strike
2021-11-03Didier StevensDidier Stevens
@online{stevens:20211103:new:6f8b92c, author = {Didier Stevens}, title = {{New Tool: cs-extract-key.py}}, date = {2021-11-03}, organization = {Didier Stevens}, url = {https://blog.didierstevens.com/2021/11/03/new-tool-cs-extract-key-py/}, language = {English}, urldate = {2021-11-17} } New Tool: cs-extract-key.py
Cobalt Strike
2021-11-02Intel 471Intel 471
@online{471:20211102:cybercrime:4d53035, author = {Intel 471}, title = {{Cybercrime underground flush with shipping companies’ credentials}}, date = {2021-11-02}, organization = {Intel 471}, url = {https://intel471.com/blog/shipping-companies-ransomware-credentials}, language = {English}, urldate = {2021-11-03} } Cybercrime underground flush with shipping companies’ credentials
Cobalt Strike Conti
2021-11-02unh4ckCyb3rSn0rlax
@online{cyb3rsn0rlax:20211102:detecting:a2828eb, author = {Cyb3rSn0rlax}, title = {{Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 2}}, date = {2021-11-02}, organization = {unh4ck}, url = {https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-2}, language = {English}, urldate = {2021-11-03} } Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 2
Cobalt Strike Conti
2021-11-02boschko.ca blogOlivier Laflamme
@online{laflamme:20211102:cobalt:d09aa11, author = {Olivier Laflamme}, title = {{Cobalt Strike Process Injection}}, date = {2021-11-02}, organization = {boschko.ca blog}, url = {https://boschko.ca/cobalt-strike-process-injection/}, language = {English}, urldate = {2021-11-29} } Cobalt Strike Process Injection
Cobalt Strike
2021-11-01AccentureHeather Larrieu, Curt Wilson, Katrina Hill
@online{larrieu:20211101:diving:a732a35, author = {Heather Larrieu and Curt Wilson and Katrina Hill}, title = {{Diving into double extortion campaigns}}, date = {2021-11-01}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/double-extortion-campaigns}, language = {English}, urldate = {2021-11-03} } Diving into double extortion campaigns
Cobalt Strike MimiKatz
2021-11-01The DFIR Report@iiamaleks, @samaritan_o
@online{iiamaleks:20211101:from:2348d47, author = {@iiamaleks and @samaritan_o}, title = {{From Zero to Domain Admin}}, date = {2021-11-01}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/}, language = {English}, urldate = {2021-11-03} } From Zero to Domain Admin
Cobalt Strike Hancitor
2021-10-29Національна поліція УкраїниНаціональна поліція України
@online{:20211029:cyberpolice:fc43b20, author = {Національна поліція України}, title = {{Cyberpolice exposes transnational criminal group in causing $ 120 million in damage to foreign companies}}, date = {2021-10-29}, organization = {Національна поліція України}, url = {https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/}, language = {Ukrainian}, urldate = {2021-11-02} } Cyberpolice exposes transnational criminal group in causing $ 120 million in damage to foreign companies
Cobalt Strike Dharma LockerGoga MegaCortex TrickBot
2021-10-29EuropolEuropol
@online{europol:20211029:12:5c0fd59, author = {Europol}, title = {{12 targeted for involvement in ransomware attacks against critical infrastructure}}, date = {2021-10-29}, organization = {Europol}, url = {https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure}, language = {English}, urldate = {2021-11-02} } 12 targeted for involvement in ransomware attacks against critical infrastructure
Cobalt Strike Dharma LockerGoga MegaCortex TrickBot
2021-10-27KasperskyIvan Kwiatkowski
@online{kwiatkowski:20211027:extracting:14de2bc, author = {Ivan Kwiatkowski}, title = {{Extracting type information from Go binaries}}, date = {2021-10-27}, organization = {Kaspersky}, url = {https://securelist.com/extracting-type-information-from-go-binaries/104715/}, language = {English}, urldate = {2021-11-03} } Extracting type information from Go binaries
GoldMax
2021-10-27nvisoDidier Stevens
@online{stevens:20211027:cobalt:b91181a, author = {Didier Stevens}, title = {{Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 2}}, date = {2021-10-27}, organization = {nviso}, url = {https://blog.nviso.eu/2021/10/27/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-2/}, language = {English}, urldate = {2021-11-03} } Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 2
Cobalt Strike
2021-10-26KasperskyKaspersky Lab ICS CERT
@techreport{cert:20211026:attacks:6f30d0f, author = {Kaspersky Lab ICS CERT}, title = {{APT attacks on industrial organizations in H1 2021}}, date = {2021-10-26}, institution = {Kaspersky}, url = {https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf}, language = {English}, urldate = {2021-11-08} } APT attacks on industrial organizations in H1 2021
8.t Dropper AllaKore AsyncRAT GoldMax LimeRAT NjRAT NoxPlayer Raindrop ReverseRAT ShadowPad Zebrocy
2021-10-26unh4ckHamza OUADIA
@online{ouadia:20211026:detecting:2a3e2fa, author = {Hamza OUADIA}, title = {{Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 1}}, date = {2021-10-26}, organization = {unh4ck}, url = {https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1}, language = {English}, urldate = {2021-11-03} } Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 1
Cobalt Strike Conti
2021-10-26Cisco TalosEdmund Brumaghin, Mariano Graziano, Nick Mavis
@online{brumaghin:20211026:squirrelwaffle:88c5943, author = {Edmund Brumaghin and Mariano Graziano and Nick Mavis}, title = {{SQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike}}, date = {2021-10-26}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html}, language = {English}, urldate = {2021-11-02} } SQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike
Cobalt Strike QakBot Squirrelwaffle
2021-10-21CrowdStrikeAlex Clinton, Tasha Robinson
@online{clinton:20211021:stopping:3c26152, author = {Alex Clinton and Tasha Robinson}, title = {{Stopping GRACEFUL SPIDER: Falcon Complete’s Fast Response to Recent SolarWinds Serv-U Exploit Campaign}}, date = {2021-10-21}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/}, language = {English}, urldate = {2021-11-02} } Stopping GRACEFUL SPIDER: Falcon Complete’s Fast Response to Recent SolarWinds Serv-U Exploit Campaign
Cobalt Strike FlawedGrace TinyMet
2021-10-21nvisoDidier Stevens
@online{stevens:20211021:cobalt:bfc8702, author = {Didier Stevens}, title = {{Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 1}}, date = {2021-10-21}, organization = {nviso}, url = {https://blog.nviso.eu/2021/10/21/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-1/}, language = {English}, urldate = {2021-10-26} } Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 1
Cobalt Strike
2021-10-18SymantecThreat Hunter Team
@online{team:20211018:harvester:ad72962, author = {Threat Hunter Team}, title = {{Harvester: Nation-state-backed group uses new toolset to target victims in South Asia}}, date = {2021-10-18}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/harvester-new-apt-attacks-asia}, language = {English}, urldate = {2021-11-03} } Harvester: Nation-state-backed group uses new toolset to target victims in South Asia
Cobalt Strike Graphon
2021-10-18paloalto Netoworks: Unit42Brad Duncan
@online{duncan:20211018:case:bdd95ff, author = {Brad Duncan}, title = {{Case Study: From BazarLoader to Network Reconnaissance}}, date = {2021-10-18}, organization = {paloalto Netoworks: Unit42}, url = {https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/}, language = {English}, urldate = {2021-10-22} } Case Study: From BazarLoader to Network Reconnaissance
BazarBackdoor Cobalt Strike
2021-10-18The DFIR ReportThe DFIR Report
@online{report:20211018:icedid:0b574b0, author = {The DFIR Report}, title = {{IcedID to XingLocker Ransomware in 24 hours}}, date = {2021-10-18}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/}, language = {English}, urldate = {2021-10-22} } IcedID to XingLocker Ransomware in 24 hours
Cobalt Strike IcedID Mount Locker
2021-10-12MandiantAlyssa Rahman
@online{rahman:20211012:defining:df3f43c, author = {Alyssa Rahman}, title = {{Defining Cobalt Strike Components So You Can BEA-CONfident in Your Analysis}}, date = {2021-10-12}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/defining-cobalt-strike-components}, language = {English}, urldate = {2021-11-02} } Defining Cobalt Strike Components So You Can BEA-CONfident in Your Analysis
Cobalt Strike
2021-10-11AccentureAccenture Cyber Threat Intelligence
@online{intelligence:20211011:moving:3b0eaec, author = {Accenture Cyber Threat Intelligence}, title = {{Moving Left of the Ransomware Boom}}, date = {2021-10-11}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom}, language = {English}, urldate = {2021-11-03} } Moving Left of the Ransomware Boom
REvil Cobalt Strike MimiKatz RagnarLocker REvil
2021-10-080ffset BlogChuong Dong
@online{dong:20211008:squirrelwaffle:4549cd1, author = {Chuong Dong}, title = {{SQUIRRELWAFFLE – Analysing The Main Loader}}, date = {2021-10-08}, organization = {0ffset Blog}, url = {https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-main-loader/}, language = {English}, urldate = {2021-10-14} } SQUIRRELWAFFLE – Analysing The Main Loader
Cobalt Strike Squirrelwaffle
2021-10-07MandiantMandiant Research Team
@online{team:20211007:fin12:505a3a8, author = {Mandiant Research Team}, title = {{FIN12 Group Profile: FIN12 Priotizes Speed to Deploy Ransomware Aginst High-Value Targets}}, date = {2021-10-07}, organization = {Mandiant}, url = {https://www.mandiant.com/media/12596/download}, language = {English}, urldate = {2021-11-27} } FIN12 Group Profile: FIN12 Priotizes Speed to Deploy Ransomware Aginst High-Value Targets
Cobalt Strike Empire Downloader TrickBot
2021-10-07NetskopeGustavo Palazolo, Ghanashyam Satpathy
@online{palazolo:20211007:squirrelwaffle:3506816, author = {Gustavo Palazolo and Ghanashyam Satpathy}, title = {{SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot}}, date = {2021-10-07}, organization = {Netskope}, url = {https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot}, language = {English}, urldate = {2021-10-11} } SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot
Cobalt Strike QakBot Squirrelwaffle
2021-10-06BlackberryBlackberry Research
@techreport{research:20211006:finding:50936df, author = {Blackberry Research}, title = {{Finding Beacons in the Dark}}, date = {2021-10-06}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/sneak-peek-ch1-2-finding-beacons-in-the-dark.pdf}, language = {English}, urldate = {2021-11-08} } Finding Beacons in the Dark
Cobalt Strike
2021-10-05BlackberryThe BlackBerry Research & Intelligence Team
@online{team:20211005:drawing:e53477d, author = {The BlackBerry Research & Intelligence Team}, title = {{Drawing a Dragon: Connecting the Dots to Find APT41}}, date = {2021-10-05}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/10/drawing-a-dragon-connecting-the-dots-to-find-apt41}, language = {English}, urldate = {2021-10-11} } Drawing a Dragon: Connecting the Dots to Find APT41
Cobalt Strike Ghost RAT
2021-10-04SophosSean Gallagher, Vikas Singh, Krisztián Diriczi, Kajal Katiyar, Chaitanya Ghorpade, Rahil Shah
@online{gallagher:20211004:atom:782b979, author = {Sean Gallagher and Vikas Singh and Krisztián Diriczi and Kajal Katiyar and Chaitanya Ghorpade and Rahil Shah}, title = {{Atom Silo ransomware actors use Confluence exploit, DLL side-load for stealthy attack}}, date = {2021-10-04}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/}, language = {English}, urldate = {2021-10-11} } Atom Silo ransomware actors use Confluence exploit, DLL side-load for stealthy attack
ATOMSILO Cobalt Strike
2021-10-04The DFIR ReportThe DFIR Report
@online{report:20211004:bazarloader:fe3adf3, author = {The DFIR Report}, title = {{BazarLoader and the Conti Leaks}}, date = {2021-10-04}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/}, language = {English}, urldate = {2021-10-11} } BazarLoader and the Conti Leaks
BazarBackdoor Cobalt Strike Conti
2021-10-03Github (0xjxd)Joel Dönne
@techreport{dnne:20211003:squirrelwaffle:3a35566, author = {Joel Dönne}, title = {{SquirrelWaffle - From Maldoc to Cobalt Strike}}, date = {2021-10-03}, institution = {Github (0xjxd)}, url = {https://github.com/0xjxd/SquirrelWaffle-From-Maldoc-to-Cobalt-Strike/raw/main/2021-10-02%20-%20SquirrelWaffle%20-%20From%20Maldoc%20to%20Cobalt%20Strike.pdf}, language = {English}, urldate = {2021-10-07} } SquirrelWaffle - From Maldoc to Cobalt Strike
Cobalt Strike Squirrelwaffle
2021-10-010ffset BlogChuong Dong
@online{dong:20211001:squirrelwaffle:24c9b06, author = {Chuong Dong}, title = {{SQUIRRELWAFFLE – Analysing the Custom Packer}}, date = {2021-10-01}, organization = {0ffset Blog}, url = {https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-custom-packer/}, language = {English}, urldate = {2021-10-14} } SQUIRRELWAFFLE – Analysing the Custom Packer
Cobalt Strike Squirrelwaffle
2021-09-30PT Expert Security Center
@online{center:20210930:masters:8707c00, author = {PT Expert Security Center}, title = {{Masters of Mimicry: new APT group ChamelGang and its arsenal}}, date = {2021-09-30}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang}, language = {English}, urldate = {2021-10-14} } Masters of Mimicry: new APT group ChamelGang and its arsenal
Cobalt Strike
2021-09-30PTSecurityPT ESC Threat Intelligence
@online{intelligence:20210930:masters:4394504, author = {PT ESC Threat Intelligence}, title = {{Masters of Mimicry: new APT group ChamelGang and its arsenal}}, date = {2021-09-30}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3}, language = {English}, urldate = {2021-11-29} } Masters of Mimicry: new APT group ChamelGang and its arsenal
Cobalt Strike
2021-09-30CrowdStrikeFalcon OverWatch Team
@online{team:20210930:hunting:bc2e59d, author = {Falcon OverWatch Team}, title = {{Hunting for the Confluence Exploitation: When Falcon OverWatch Becomes the First Line of Defense}}, date = {2021-09-30}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-crowdstrike-threat-hunters-identified-a-confluence-exploit/}, language = {English}, urldate = {2021-10-05} } Hunting for the Confluence Exploitation: When Falcon OverWatch Becomes the First Line of Defense
Cobalt Strike
2021-09-29Malware Traffic AnalysisBrad Duncan
@online{duncan:20210929:20210929:e348fca, author = {Brad Duncan}, title = {{2021-09-29 (Wednesday) - Hancitor with Cobalt Strike}}, date = {2021-09-29}, organization = {Malware Traffic Analysis}, url = {https://malware-traffic-analysis.net/2021/09/29/index.html}, language = {English}, urldate = {2021-11-03} } 2021-09-29 (Wednesday) - Hancitor with Cobalt Strike
Cobalt Strike Hancitor
2021-09-29Advanced IntelligenceVitali Kremez, Yelisey Boguslavskiy
@online{kremez:20210929:backup:4aebe4e, author = {Vitali Kremez and Yelisey Boguslavskiy}, title = {{Backup “Removal” Solutions - From Conti Ransomware With Love}}, date = {2021-09-29}, organization = {Advanced Intelligence}, url = {https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love}, language = {English}, urldate = {2021-10-20} } Backup “Removal” Solutions - From Conti Ransomware With Love
Cobalt Strike Conti
2021-09-28ZscalerAvinash Kumar, Brett Stone-Gross
@online{kumar:20210928:squirrelwaffle:9b1cffc, author = {Avinash Kumar and Brett Stone-Gross}, title = {{Squirrelwaffle: New Loader Delivering Cobalt Strike}}, date = {2021-09-28}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike}, language = {English}, urldate = {2021-10-11} } Squirrelwaffle: New Loader Delivering Cobalt Strike
Cobalt Strike Squirrelwaffle
2021-09-27CynetMax Malyutin
@online{malyutin:20210927:virtual:cd72501, author = {Max Malyutin}, title = {{A Virtual Baffle to Battle Squirrelwaffle}}, date = {2021-09-27}, organization = {Cynet}, url = {https://www.cynet.com/understanding-squirrelwaffle/}, language = {English}, urldate = {2021-09-28} } A Virtual Baffle to Battle Squirrelwaffle
Cobalt Strike Squirrelwaffle
2021-09-26NSFOCUSJie Ji
@online{ji:20210926:insights:51c06b8, author = {Jie Ji}, title = {{Insights into Ransomware Spread Using Exchange 1-Day Vulnerabilities 1-2}}, date = {2021-09-26}, organization = {NSFOCUS}, url = {https://nsfocusglobal.com/insights-into-ransomware-spread-using-exchange-1-day-vulnerabilities-1-2/}, language = {English}, urldate = {2021-11-25} } Insights into Ransomware Spread Using Exchange 1-Day Vulnerabilities 1-2
Cobalt Strike LockFile
2021-09-24Trend MicroWarren Sto.Tomas
@online{stotomas:20210924:examining:9165fe5, author = {Warren Sto.Tomas}, title = {{Examining the Cring Ransomware Techniques}}, date = {2021-09-24}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html}, language = {English}, urldate = {2021-09-29} } Examining the Cring Ransomware Techniques
Cobalt Strike Cring MimiKatz
2021-09-22CISAUS-CERT
@online{uscert:20210922:alert:50b9d38, author = {US-CERT}, title = {{Alert (AA21-265A) Conti Ransomware}}, date = {2021-09-22}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/alerts/aa21-265a}, language = {English}, urldate = {2021-10-05} } Alert (AA21-265A) Conti Ransomware
Cobalt Strike Conti
2021-09-21GuidePoint SecurityDrew Schmitt
@online{schmitt:20210921:ransomware:7c6144d, author = {Drew Schmitt}, title = {{A Ransomware Near Miss: ProxyShell, a RAT, and Cobalt Strike}}, date = {2021-09-21}, organization = {GuidePoint Security}, url = {https://www.guidepointsecurity.com/blog/a-ransomware-near-miss-proxyshell-a-rat-and-cobalt-strike/}, language = {English}, urldate = {2021-09-22} } A Ransomware Near Miss: ProxyShell, a RAT, and Cobalt Strike
Cobalt Strike
2021-09-21Medium elis531989Eli Salem
@online{salem:20210921:squirrel:1254a9d, author = {Eli Salem}, title = {{The Squirrel Strikes Back: Analysis of the newly emerged cobalt-strike loader “SquirrelWaffle”}}, date = {2021-09-21}, organization = {Medium elis531989}, url = {https://elis531989.medium.com/the-squirrel-strikes-back-analysis-of-the-newly-emerged-cobalt-strike-loader-squirrelwaffle-937b73dbd9f9}, language = {English}, urldate = {2021-09-22} } The Squirrel Strikes Back: Analysis of the newly emerged cobalt-strike loader “SquirrelWaffle”
Cobalt Strike Squirrelwaffle
2021-09-21skyblue.team blogskyblue team
@online{team:20210921:scanning:5a0697f, author = {skyblue team}, title = {{Scanning VirusTotal's firehose}}, date = {2021-09-21}, organization = {skyblue.team blog}, url = {https://skyblue.team/posts/scanning-virustotal-firehose/}, language = {English}, urldate = {2021-09-24} } Scanning VirusTotal's firehose
Cobalt Strike
2021-09-21SophosAndrew Brandt, Vikas Singh, Shefali Gupta, Krisztián Diriczi, Chaitanya Ghorpade
@online{brandt:20210921:cring:9bd4998, author = {Andrew Brandt and Vikas Singh and Shefali Gupta and Krisztián Diriczi and Chaitanya Ghorpade}, title = {{Cring ransomware group exploits ancient ColdFusion server}}, date = {2021-09-21}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/09/21/cring-ransomware-group-exploits-ancient-coldfusion-server/?cmp=30728}, language = {English}, urldate = {2021-09-24} } Cring ransomware group exploits ancient ColdFusion server
Cobalt Strike Cring
2021-09-17Malware Traffic AnalysisBrad Duncan
@online{duncan:20210917:20210917:b995435, author = {Brad Duncan}, title = {{2021-09-17 - SQUIRRELWAFFLE Loader with Cobalt Strike}}, date = {2021-09-17}, organization = {Malware Traffic Analysis}, url = {https://www.malware-traffic-analysis.net/2021/09/17/index.html}, language = {English}, urldate = {2021-09-20} } 2021-09-17 - SQUIRRELWAFFLE Loader with Cobalt Strike
Cobalt Strike Squirrelwaffle
2021-09-17CrowdStrikeFalcon OverWatch Team
@online{team:20210917:falcon:76aa03b, author = {Falcon OverWatch Team}, title = {{Falcon OverWatch Hunts Down Adversaries Where They Hide}}, date = {2021-09-17}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/four-popular-defensive-evasion-techniques-in-2021/}, language = {English}, urldate = {2021-10-05} } Falcon OverWatch Hunts Down Adversaries Where They Hide
BazarBackdoor Cobalt Strike
2021-09-17Medium inteloperatorIntel Operator
@online{operator:20210917:default:aaaa15c, author = {Intel Operator}, title = {{The default: 63 6f 62 61 6c 74 strike}}, date = {2021-09-17}, organization = {Medium inteloperator}, url = {https://inteloperator.medium.com/the-default-63-6f-62-61-6c-74-strike-8ac9ee0de1b7}, language = {English}, urldate = {2021-09-19} } The default: 63 6f 62 61 6c 74 strike
Cobalt Strike
2021-09-16Twitter (@GossiTheDog)Kevin Beaumont
@online{beaumont:20210916:some:550bbaa, author = {Kevin Beaumont}, title = {{Tweet on some unknown threat actor dropping Mgbot, custom IIS modular backdoor and cobalstrike using exploiting ProxyShell}}, date = {2021-09-16}, organization = {Twitter (@GossiTheDog)}, url = {https://twitter.com/GossiTheDog/status/1438500100238577670}, language = {English}, urldate = {2021-09-20} } Tweet on some unknown threat actor dropping Mgbot, custom IIS modular backdoor and cobalstrike using exploiting ProxyShell
Cobalt Strike MgBot
2021-09-16Medium ShabarkinPavel Shabarkin
@online{shabarkin:20210916:pointer:828998f, author = {Pavel Shabarkin}, title = {{Pointer: Hunting Cobalt Strike globally}}, date = {2021-09-16}, organization = {Medium Shabarkin}, url = {https://medium.com/@shabarkin/pointer-hunting-cobalt-strike-globally-a334ac50619a}, language = {English}, urldate = {2021-09-19} } Pointer: Hunting Cobalt Strike globally
Cobalt Strike
2021-09-16RiskIQRiskIQ
@online{riskiq:20210916:untangling:d1e0f1b, author = {RiskIQ}, title = {{Untangling the Spider Web: The Curious Connection Between WIZARD SPIDER’s Ransomware Infrastructure and a Windows Zero-Day Exploit}}, date = {2021-09-16}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/c88cf7e6}, language = {English}, urldate = {2021-09-19} } Untangling the Spider Web: The Curious Connection Between WIZARD SPIDER’s Ransomware Infrastructure and a Windows Zero-Day Exploit
Cobalt Strike Ryuk
2021-09-15MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20210915:analyzing:37b6528, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability}}, date = {2021-09-15}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/}, language = {English}, urldate = {2021-09-19} } Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability
Cobalt Strike
2021-09-14Recorded FutureInsikt Group®
@techreport{group:20210914:fullspectrum:fdc7b06, author = {Insikt Group®}, title = {{Full-Spectrum Cobalt Strike Detection}}, date = {2021-09-14}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf}, language = {English}, urldate = {2021-09-19} } Full-Spectrum Cobalt Strike Detection
Cobalt Strike
2021-09-13The DFIR ReportThe DFIR Report
@online{report:20210913:bazarloader:5073703, author = {The DFIR Report}, title = {{BazarLoader to Conti Ransomware in 32 Hours}}, date = {2021-09-13}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/}, language = {English}, urldate = {2021-09-14} } BazarLoader to Conti Ransomware in 32 Hours
BazarBackdoor Cobalt Strike Conti
2021-09-10GigamonJoe Slowik
@online{slowik:20210910:rendering:59082b0, author = {Joe Slowik}, title = {{Rendering Threats: A Network Perspective}}, date = {2021-09-10}, organization = {Gigamon}, url = {https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/}, language = {English}, urldate = {2021-09-12} } Rendering Threats: A Network Perspective
Cobalt Strike
2021-09-09Trend MicroTrend Micro
@online{micro:20210909:remote:17382af, author = {Trend Micro}, title = {{Remote Code Execution 0-Day (CVE-2021-40444) Hits Windows, Triggered Via Office Docs}}, date = {2021-09-09}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/i/remote-code-execution-zero-day--cve-2021-40444--hits-windows--tr.html}, language = {English}, urldate = {2021-09-12} } Remote Code Execution 0-Day (CVE-2021-40444) Hits Windows, Triggered Via Office Docs
Cobalt Strike
2021-09-08Arash's BlogArash Parsa
@online{parsa:20210908:hook:4dff1b6, author = {Arash Parsa}, title = {{Hook Heaps and Live Free}}, date = {2021-09-08}, organization = {Arash's Blog}, url = {https://www.arashparsa.com/hook-heaps-and-live-free/}, language = {English}, urldate = {2021-09-10} } Hook Heaps and Live Free
Cobalt Strike
2021-09-07Medium michaelkoczwaraMichael Koczwara
@online{koczwara:20210907:cobalt:7af112e, author = {Michael Koczwara}, title = {{Cobalt Strike C2 Hunting with Shodan}}, date = {2021-09-07}, organization = {Medium michaelkoczwara}, url = {https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2}, language = {English}, urldate = {2021-09-09} } Cobalt Strike C2 Hunting with Shodan
Cobalt Strike
2021-09-06kienmanowar Blogm4n0w4r
@online{m4n0w4r:20210906:quick:0a892b2, author = {m4n0w4r}, title = {{Quick analysis CobaltStrike loader and shellcode}}, date = {2021-09-06}, organization = {kienmanowar Blog}, url = {https://kienmanowar.wordpress.com/2021/09/06/quick-analysis-cobaltstrike-loader-and-shellcode/}, language = {English}, urldate = {2021-09-10} } Quick analysis CobaltStrike loader and shellcode
Cobalt Strike
2021-09-03SophosSean Gallagher, Peter Mackenzie, Anand Ajjan, Andrew Ludgate, Gabor Szappanos, Sergio Bestulic, Syed Zaidi
@online{gallagher:20210903:conti:db20680, author = {Sean Gallagher and Peter Mackenzie and Anand Ajjan and Andrew Ludgate and Gabor Szappanos and Sergio Bestulic and Syed Zaidi}, title = {{Conti affiliates use ProxyShell Exchange exploit in ransomware attacks}}, date = {2021-09-03}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/}, language = {English}, urldate = {2021-09-06} } Conti affiliates use ProxyShell Exchange exploit in ransomware attacks
Cobalt Strike Conti
2021-09-03Trend MicroMohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2021-09-02Bleeping ComputerSergiu Gatlan
@online{gatlan:20210902:autodesk:a947f3f, author = {Sergiu Gatlan}, title = {{Autodesk reveals it was targeted by Russian SolarWinds hackers}}, date = {2021-09-02}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/autodesk-reveals-it-was-targeted-by-russian-solarwinds-hackers/}, language = {English}, urldate = {2021-09-06} } Autodesk reveals it was targeted by Russian SolarWinds hackers
SUNBURST
2021-09-02Twitter (@th3_protoCOL)Colin, GaborSzappanos
@online{colin:20210902:confluence:5bbf2cb, author = {Colin and GaborSzappanos}, title = {{Tweet on Confluence Server exploitation (CVE-2021-26084) in the wild and cobaltsrike activity (mentioned in replies by GaborSzappanos)}}, date = {2021-09-02}, organization = {Twitter (@th3_protoCOL)}, url = {https://twitter.com/th3_protoCOL/status/1433414685299142660?s=20}, language = {English}, urldate = {2021-09-06} } Tweet on Confluence Server exploitation (CVE-2021-26084) in the wild and cobaltsrike activity (mentioned in replies by GaborSzappanos)
Cobalt Strike
2021-09-02Medium michaelkoczwaraMichael Koczwara
@online{koczwara:20210902:cobalt:40a1888, author = {Michael Koczwara}, title = {{Cobalt Strike PowerShell Payload Analysis}}, date = {2021-09-02}, organization = {Medium michaelkoczwara}, url = {https://michaelkoczwara.medium.com/cobalt-strike-powershell-payload-analysis-eecf74b3c2f7}, language = {English}, urldate = {2021-09-09} } Cobalt Strike PowerShell Payload Analysis
Cobalt Strike
2021-09-01YouTube (Black Hat)Aragorn Tseng, Charles Li
@online{tseng:20210901:mem2img:7817a5d, author = {Aragorn Tseng and Charles Li}, title = {{Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network}}, date = {2021-09-01}, organization = {YouTube (Black Hat)}, url = {https://www.youtube.com/watch?v=6SDdUVejR2w}, language = {English}, urldate = {2021-09-12} } Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network
Cobalt Strike PlugX Waterbear
2021-08-31BreakPoint LabsBreakPoint Labs
@online{labs:20210831:cobalt:47e2c20, author = {BreakPoint Labs}, title = {{Cobalt Strike and Ransomware – Tracking An Effective Ransomware Campaign}}, date = {2021-08-31}, organization = {BreakPoint Labs}, url = {https://breakpoint-labs.com/blog/cobalt-strike-and-ransomware-tracking-an-effective-ransomware-campaign/}, language = {English}, urldate = {2021-09-23} } Cobalt Strike and Ransomware – Tracking An Effective Ransomware Campaign
Cobalt Strike
2021-08-30QianxinRed Raindrop Team
@online{team:20210830:operation:7b5be26, author = {Red Raindrop Team}, title = {{Operation (Thủy Tinh) OceanStorm: The evil lotus hidden under the abyss}}, date = {2021-08-30}, organization = {Qianxin}, url = {https://ti.qianxin.com/blog/articles/Operation-OceanStorm:The-OceanLotus-hidden-under-the-abyss-of-the-deep/}, language = {Chinese}, urldate = {2021-09-09} } Operation (Thủy Tinh) OceanStorm: The evil lotus hidden under the abyss
Cobalt Strike MimiKatz
2021-08-29The DFIR ReportThe DFIR Report
@online{report:20210829:cobalt:1e4595e, author = {The DFIR Report}, title = {{Cobalt Strike, a Defender’s Guide}}, date = {2021-08-29}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/}, language = {English}, urldate = {2021-08-31} } Cobalt Strike, a Defender’s Guide
Cobalt Strike
2021-08-27MorphisecMorphisec Labs
@online{labs:20210827:proxyshell:a4650f1, author = {Morphisec Labs}, title = {{ProxyShell Exchange Exploitation Now Leads To An Increasing Amount Of Cobaltstrike Backdoors}}, date = {2021-08-27}, organization = {Morphisec}, url = {https://blog.morphisec.com/proxyshell-exchange-exploitation-now-leads-to-an-increasing-amount-of-cobaltstrike-backdoors}, language = {English}, urldate = {2021-08-31} } ProxyShell Exchange Exploitation Now Leads To An Increasing Amount Of Cobaltstrike Backdoors
Cobalt Strike
2021-08-25Trend MicroHara Hiroaki, Ted Lee
@techreport{hiroaki:20210825:earth:776384f, author = {Hara Hiroaki and Ted Lee}, title = {{Earth Baku An APT Group Targeting Indo-Pacific Countries With New Stealth Loaders and Backdoor}}, date = {2021-08-25}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf}, language = {English}, urldate = {2021-08-31} } Earth Baku An APT Group Targeting Indo-Pacific Countries With New Stealth Loaders and Backdoor
Cobalt Strike SideWalk
2021-08-24ESET ResearchThibaut Passilly, Mathieu Tartare
@online{passilly:20210824:sidewalk:75d39db, author = {Thibaut Passilly and Mathieu Tartare}, title = {{The SideWalk may be as dangerous as the CROSSWALK}}, date = {2021-08-24}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/}, language = {English}, urldate = {2021-08-31} } The SideWalk may be as dangerous as the CROSSWALK
Cobalt Strike CROSSWALK SideWalk
2021-08-23FBIFBI
@techreport{fbi:20210823:indicators:3308f26, author = {FBI}, title = {{Indicators of Compromise Associated with OnePercent Group Ransomware}}, date = {2021-08-23}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2021/210823.pdf}, language = {English}, urldate = {2021-08-24} } Indicators of Compromise Associated with OnePercent Group Ransomware
Cobalt Strike MimiKatz
2021-08-23Youtube (SANS Digital Forensics and Incident Response)Chad Tilbury
@online{tilbury:20210823:keynote:23c0084, author = {Chad Tilbury}, title = {{Keynote: Cobalt Strike Threat Hunting}}, date = {2021-08-23}, organization = {Youtube (SANS Digital Forensics and Incident Response)}, url = {https://www.youtube.com/watch?v=borfuQGrB8g}, language = {English}, urldate = {2021-08-25} } Keynote: Cobalt Strike Threat Hunting
Cobalt Strike
2021-08-19BlackberryBlackBerry Research & Intelligence Team
@online{team:20210819:blackberry:2eec433, author = {BlackBerry Research & Intelligence Team}, title = {{BlackBerry Prevents: Threat Actor Group TA575 and Dridex Malware}}, date = {2021-08-19}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/08/blackberry-prevents-threat-actor-group-ta575-and-dridex-malware}, language = {English}, urldate = {2021-08-23} } BlackBerry Prevents: Threat Actor Group TA575 and Dridex Malware
Cobalt Strike Dridex
2021-08-19Sekoiasekoia
@online{sekoia:20210819:insider:ceb84de, author = {sekoia}, title = {{An insider insights into Conti operations – Part two}}, date = {2021-08-19}, organization = {Sekoia}, url = {https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-two/}, language = {English}, urldate = {2021-09-06} } An insider insights into Conti operations – Part two
Cobalt Strike Conti
2021-08-18IntezerRyan Robinson
@online{robinson:20210818:cobalt:965e1a9, author = {Ryan Robinson}, title = {{Cobalt Strike: Detect this Persistent Threat}}, date = {2021-08-18}, organization = {Intezer}, url = {https://www.intezer.com/blog/malware-analysis/cobalt-strike-detect-this-persistent-threat/}, language = {English}, urldate = {2021-08-25} } Cobalt Strike: Detect this Persistent Threat
Cobalt Strike
2021-08-17Advanced IntelligenceVitali Kremez, Yelisey Boguslavskiy
@online{kremez:20210817:hunting:1dc14d0, author = {Vitali Kremez and Yelisey Boguslavskiy}, title = {{Hunting for Corporate Insurance Policies: Indicators of [Ransom] Exfiltration}}, date = {2021-08-17}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations}, language = {English}, urldate = {2021-08-31} } Hunting for Corporate Insurance Policies: Indicators of [Ransom] Exfiltration
Cobalt Strike Conti
2021-08-17Sekoiasekoia
@online{sekoia:20210817:insider:3b427c7, author = {sekoia}, title = {{An insider insights into Conti operations – Part one}}, date = {2021-08-17}, organization = {Sekoia}, url = {https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-one}, language = {English}, urldate = {2021-09-06} } An insider insights into Conti operations – Part one
Cobalt Strike Conti
2021-08-17Medium michaelkoczwaraMichael Koczwara
@online{koczwara:20210817:cobalt:64689eb, author = {Michael Koczwara}, title = {{Cobalt Strike Hunting — DLL Hijacking/Attack Analysis}}, date = {2021-08-17}, organization = {Medium michaelkoczwara}, url = {https://michaelkoczwara.medium.com/cobalt-strike-hunting-dll-hijacking-attack-analysis-ffbf8fd66a4e}, language = {English}, urldate = {2021-09-09} } Cobalt Strike Hunting — DLL Hijacking/Attack Analysis
Cobalt Strike
2021-08-11Advanced IntelligenceVitali Kremez
@online{kremez:20210811:secret:5c5f06c, author = {Vitali Kremez}, title = {{Secret "Backdoor" Behind Conti Ransomware Operation: Introducing Atera Agent}}, date = {2021-08-11}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent}, language = {English}, urldate = {2021-08-31} } Secret "Backdoor" Behind Conti Ransomware Operation: Introducing Atera Agent
Cobalt Strike Conti
2021-08-09IstroSecLadislav Bačo
@online{bao:20210809:cobalt:fc98da7, author = {Ladislav Bačo}, title = {{APT Cobalt Strike Campaign targeting Slovakia (DEF CON talk)}}, date = {2021-08-09}, organization = {IstroSec}, url = {https://www.istrosec.com/blog/apt-sk-cobalt/}, language = {English}, urldate = {2021-08-16} } APT Cobalt Strike Campaign targeting Slovakia (DEF CON talk)
Cobalt Strike
2021-08-05Red CanaryTony Lambert, Brian Donohue, Dan Cotton
@online{lambert:20210805:when:aeb7b10, author = {Tony Lambert and Brian Donohue and Dan Cotton}, title = {{When Dridex and Cobalt Strike give you Grief}}, date = {2021-08-05}, organization = {Red Canary}, url = {https://redcanary.com/blog/grief-ransomware/}, language = {English}, urldate = {2021-09-10} } When Dridex and Cobalt Strike give you Grief
Cobalt Strike DoppelDridex DoppelPaymer
2021-08-05SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20210805:detecting:235fe13, author = {Counter Threat Unit ResearchTeam}, title = {{Detecting Cobalt Strike: Government-Sponsored Threat Groups (APT32)}}, date = {2021-08-05}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/detecting-cobalt-strike-government-sponsored-threat-groups}, language = {English}, urldate = {2021-08-06} } Detecting Cobalt Strike: Government-Sponsored Threat Groups (APT32)
Cobalt Strike
2021-08-04CrowdStrikeFalcon OverWatch Team, CrowdStrike Intelligence Team, CrowdStrike IR
@online{team:20210804:prophet:e6e6a99, author = {Falcon OverWatch Team and CrowdStrike Intelligence Team and CrowdStrike IR}, title = {{PROPHET SPIDER Exploits Oracle WebLogic to Facilitate Ransomware Activity}}, date = {2021-08-04}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/}, language = {English}, urldate = {2021-09-02} } PROPHET SPIDER Exploits Oracle WebLogic to Facilitate Ransomware Activity
Cobalt Strike Egregor Mount Locker
2021-08-04Sentinel LABSGal Kristal
@online{kristal:20210804:hotcobalt:136e715, author = {Gal Kristal}, title = {{Hotcobalt – New Cobalt Strike DoS Vulnerability That Lets You Halt Operations}}, date = {2021-08-04}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/hotcobalt-new-cobalt-strike-dos-vulnerability-that-lets-you-halt-operations/}, language = {English}, urldate = {2021-08-06} } Hotcobalt – New Cobalt Strike DoS Vulnerability That Lets You Halt Operations
Cobalt Strike
2021-08-04SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20210804:detecting:b379acb, author = {Counter Threat Unit ResearchTeam}, title = {{Detecting Cobalt Strike: Cybercrime Attacks (GOLD LAGOON)}}, date = {2021-08-04}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/detecting-cobalt-strike-cybercrime-attacks}, language = {English}, urldate = {2021-08-06} } Detecting Cobalt Strike: Cybercrime Attacks (GOLD LAGOON)
Cobalt Strike
2021-08-03CybereasonAssaf Dahan, Lior Rochberger, Daniel Frank, Tom Fakterman
@online{dahan:20210803:deadringer:908e8d5, author = {Assaf Dahan and Lior Rochberger and Daniel Frank and Tom Fakterman}, title = {{DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos}}, date = {2021-08-03}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos}, language = {English}, urldate = {2021-08-06} } DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos
CHINACHOPPER Cobalt Strike MimiKatz Nebulae
2021-08-02Youtube (Forschungsinstitut Cyber Defense)Alexander Rausch, Konstantin Klinger
@online{rausch:20210802:code:dee039d, author = {Alexander Rausch and Konstantin Klinger}, title = {{The CODE 2021: Workshop presentation and demonstration about CobaltStrike}}, date = {2021-08-02}, organization = {Youtube (Forschungsinstitut Cyber Defense)}, url = {https://www.youtube.com/watch?v=y65hmcLIWDY}, language = {English}, urldate = {2021-08-25} } The CODE 2021: Workshop presentation and demonstration about CobaltStrike
Cobalt Strike
2021-08-01The DFIR ReportThe DFIR Report
@online{report:20210801:bazarcall:bb6829b, author = {The DFIR Report}, title = {{BazarCall to Conti Ransomware via Trickbot and Cobalt Strike}}, date = {2021-08-01}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/}, language = {English}, urldate = {2021-08-02} } BazarCall to Conti Ransomware via Trickbot and Cobalt Strike
BazarBackdoor Cobalt Strike Conti TrickBot
2021-07-30Twitter (@Unit42_Intel)Unit 42
@online{42:20210730:bazarloader:43bdc2c, author = {Unit 42}, title = {{Tweet on BazarLoader infection leading to cobaltstrike and Powershell script file for PrintNightmare vulnerability}}, date = {2021-07-30}, organization = {Twitter (@Unit42_Intel)}, url = {https://twitter.com/Unit42_Intel/status/1421117403644186629?s=20}, language = {English}, urldate = {2021-08-02} } Tweet on BazarLoader infection leading to cobaltstrike and Powershell script file for PrintNightmare vulnerability
BazarBackdoor Cobalt Strike
2021-07-29MicrosoftMicrosoft 365 Defender Threat Intelligence Team
@online{team:20210729:bazacall:8d79cdf, author = {Microsoft 365 Defender Threat Intelligence Team}, title = {{BazaCall: Phony call centers lead to exfiltration and ransomware}}, date = {2021-07-29}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/}, language = {English}, urldate = {2021-08-02} } BazaCall: Phony call centers lead to exfiltration and ransomware
BazarBackdoor Cobalt Strike
2021-07-29Rasta MouseRasta Mouse
@online{mouse:20210729:ntlm:7f97289, author = {Rasta Mouse}, title = {{NTLM Relaying via Cobalt Strike}}, date = {2021-07-29}, organization = {Rasta Mouse}, url = {https://rastamouse.me/ntlm-relaying-via-cobalt-strike/}, language = {English}, urldate = {2021-07-29} } NTLM Relaying via Cobalt Strike
Cobalt Strike
2021-07-27GigamonJoe Slowik
@online{slowik:20210727:ghosts:af3dc18, author = {Joe Slowik}, title = {{Ghosts on the Wire: Expanding Conceptions of Network Anomalies}}, date = {2021-07-27}, organization = {Gigamon}, url = {https://blog.gigamon.com/2021/07/27/ghosts-on-the-wire-expanding-conceptions-of-network-anomalies/}, language = {English}, urldate = {2021-08-02} } Ghosts on the Wire: Expanding Conceptions of Network Anomalies
SUNBURST
2021-07-27BlackberryBlackBerry Research & Intelligence Team
@techreport{team:20210727:old:3060d53, author = {BlackBerry Research & Intelligence Team}, title = {{Old Dogs New Tricks: Attackers Adopt Exotic Programming Languages}}, date = {2021-07-27}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf}, language = {English}, urldate = {2021-07-27} } Old Dogs New Tricks: Attackers Adopt Exotic Programming Languages
elf.wellmess ElectroRAT BazarNimrod Buer Cobalt Strike Remcos Snake TeleBot WellMess Zebrocy
2021-07-25Medium svch0stsvch0st
@online{svch0st:20210725:guide:28267fd, author = {svch0st}, title = {{Guide to Named Pipes and Hunting for Cobalt Strike Pipes}}, date = {2021-07-25}, organization = {Medium svch0st}, url = {https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575}, language = {English}, urldate = {2021-08-02} } Guide to Named Pipes and Hunting for Cobalt Strike Pipes
Cobalt Strike
2021-07-22Medium michaelkoczwaraMichael Koczwara
@online{koczwara:20210722:cobalt:f102b02, author = {Michael Koczwara}, title = {{Cobalt Strike Hunting — simple PCAP and Beacon Analysis}}, date = {2021-07-22}, organization = {Medium michaelkoczwara}, url = {https://michaelkoczwara.medium.com/cobalt-strike-hunting-simple-pcap-and-beacon-analysis-f51c36ce6811}, language = {English}, urldate = {2021-07-22} } Cobalt Strike Hunting — simple PCAP and Beacon Analysis
Cobalt Strike
2021-07-19The DFIR ReportThe DFIR Report
@online{report:20210719:icedid:0365384, author = {The DFIR Report}, title = {{IcedID and Cobalt Strike vs Antivirus}}, date = {2021-07-19}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/}, language = {English}, urldate = {2021-07-20} } IcedID and Cobalt Strike vs Antivirus
Cobalt Strike IcedID
2021-07-14MDSecChris Basnett
@online{basnett:20210714:investigating:585e2a1, author = {Chris Basnett}, title = {{Investigating a Suspicious Service}}, date = {2021-07-14}, organization = {MDSec}, url = {https://www.mdsec.co.uk/2021/07/investigating-a-suspicious-service/}, language = {English}, urldate = {2021-07-20} } Investigating a Suspicious Service
Cobalt Strike
2021-07-14KasperskyMark Lechtik, Paul Rascagnères, Aseel Kayal
@online{lechtik:20210714:luminousmoth:a5cf19d, author = {Mark Lechtik and Paul Rascagnères and Aseel Kayal}, title = {{LuminousMoth APT: Sweeping attacks for the chosen few}}, date = {2021-07-14}, organization = {Kaspersky}, url = {https://securelist.com/apt-luminousmoth/103332/}, language = {English}, urldate = {2021-07-20} } LuminousMoth APT: Sweeping attacks for the chosen few
Cobalt Strike
2021-07-14GoogleMaddie Stone, Clement Lecigne, Google Threat Analysis Group
@online{stone:20210714:how:38dfdc6, author = {Maddie Stone and Clement Lecigne and Google Threat Analysis Group}, title = {{How We Protect Users From 0-Day Attacks (CVE-2021-21166, CVE-2021-30551, CVE-2021-33742, CVE-2021-1879)}}, date = {2021-07-14}, organization = {Google}, url = {https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/}, language = {English}, urldate = {2021-07-26} } How We Protect Users From 0-Day Attacks (CVE-2021-21166, CVE-2021-30551, CVE-2021-33742, CVE-2021-1879)
Cobalt Strike
2021-07-13SymantecThreat Hunter Team
@techreport{team:20210713:attacks:76174fd, author = {Threat Hunter Team}, title = {{Attacks Against the Government Sector}}, date = {2021-07-13}, institution = {Symantec}, url = {https://symantec.broadcom.com/hubfs/Attacks-Against-Government-Sector.pdf}, language = {English}, urldate = {2021-07-20} } Attacks Against the Government Sector
Raindrop TEARDROP
2021-07-13YouTube ( Matt Soseman)Matt Soseman
@online{soseman:20210713:solarwinds:cb7df1d, author = {Matt Soseman}, title = {{Solarwinds and SUNBURST attacks compromised my lab!}}, date = {2021-07-13}, organization = {YouTube ( Matt Soseman)}, url = {https://www.youtube.com/watch?v=GfbxHy6xnbA}, language = {English}, urldate = {2021-07-21} } Solarwinds and SUNBURST attacks compromised my lab!
Cobalt Strike Raindrop SUNBURST TEARDROP
2021-07-09InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20210709:hancitor:814e815, author = {Brad Duncan}, title = {{Hancitor tries XLL as initial malware file}}, date = {2021-07-09}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/27618}, language = {English}, urldate = {2021-07-19} } Hancitor tries XLL as initial malware file
Cobalt Strike Hancitor
2021-07-08Avast DecodedThreat Intelligence Team
@online{team:20210708:decoding:04acb98, author = {Threat Intelligence Team}, title = {{Decoding Cobalt Strike: Understanding Payloads}}, date = {2021-07-08}, organization = {Avast Decoded}, url = {https://decoded.avast.io/threatintel/decoding-cobalt-strike-understanding-payloads/}, language = {English}, urldate = {2021-07-08} } Decoding Cobalt Strike: Understanding Payloads
Cobalt Strike Empire Downloader
2021-07-07Trend MicroJoseph C Chen, Kenney Lu, Jaromír Hořejší, Gloria Chen
@online{chen:20210707:biopass:88dcdc2, author = {Joseph C Chen and Kenney Lu and Jaromír Hořejší and Gloria Chen}, title = {{BIOPASS RAT: New Malware Sniffs Victims via Live Streaming}}, date = {2021-07-07}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html}, language = {English}, urldate = {2021-07-19} } BIOPASS RAT: New Malware Sniffs Victims via Live Streaming
BIOPASS Cobalt Strike Derusbi
2021-07-07McAfeeMcAfee Labs
@techreport{labs:20210707:ryuk:ee88024, author = {McAfee Labs}, title = {{Ryuk Ransomware Now Targeting Webservers}}, date = {2021-07-07}, institution = {McAfee}, url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-ryuk-ransomware-targeting-webservers.pdf}, language = {English}, urldate = {2021-07-11} } Ryuk Ransomware Now Targeting Webservers
Cobalt Strike Ryuk
2021-07-07TrustwaveRodel Mendrez, Nikita Kazymirskyi
@online{mendrez:20210707:diving:1c04c81, author = {Rodel Mendrez and Nikita Kazymirskyi}, title = {{Diving Deeper Into the Kaseya VSA Attack: REvil Returns and Other Hackers Are Riding Their Coattails}}, date = {2021-07-07}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/}, language = {English}, urldate = {2021-07-09} } Diving Deeper Into the Kaseya VSA Attack: REvil Returns and Other Hackers Are Riding Their Coattails
Cobalt Strike REvil
2021-07-06Twitter (@MBThreatIntel)Malwarebytes Threat Intelligence
@online{intelligence:20210706:malspam:083ba5a, author = {Malwarebytes Threat Intelligence}, title = {{Tweet on a malspam campaign that is taking advantage of Kaseya VSA ransomware attack to drop CobaltStrike}}, date = {2021-07-06}, organization = {Twitter (@MBThreatIntel)}, url = {https://twitter.com/MBThreatIntel/status/1412518446013812737}, language = {English}, urldate = {2021-07-09} } Tweet on a malspam campaign that is taking advantage of Kaseya VSA ransomware attack to drop CobaltStrike
Cobalt Strike
2021-07-05Trend MicroAbraham Camba, Catherine Loveria, Ryan Maglaque, Buddy Tancio
@online{camba:20210705:tracking:6ae6ad5, author = {Abraham Camba and Catherine Loveria and Ryan Maglaque and Buddy Tancio}, title = {{Tracking Cobalt Strike: A Trend Micro Vision One Investigation}}, date = {2021-07-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/g/tracking_cobalt_strike_a_vision_one_investigation.html}, language = {English}, urldate = {2021-07-19} } Tracking Cobalt Strike: A Trend Micro Vision One Investigation
Cobalt Strike
2021-07-02MalwareBookReportsmuzi
@online{muzi:20210702:skip:09c3cd8, author = {muzi}, title = {{Skip the Middleman: Dridex Document to Cobalt Strike}}, date = {2021-07-02}, organization = {MalwareBookReports}, url = {https://malwarebookreports.com/cryptone-cobalt-strike/}, language = {English}, urldate = {2021-07-06} } Skip the Middleman: Dridex Document to Cobalt Strike
Cobalt Strike Dridex
2021-07-01The RecordCatalin Cimpanu
@online{cimpanu:20210701:mongolian:1fd57de, author = {Catalin Cimpanu}, title = {{Mongolian certificate authority hacked eight times, compromised with malware}}, date = {2021-07-01}, organization = {The Record}, url = {https://therecord.media/mongolian-certificate-authority-hacked-eight-times-compromised-with-malware/}, language = {English}, urldate = {2021-07-02} } Mongolian certificate authority hacked eight times, compromised with malware
Cobalt Strike
2021-07-01Avast DecodedLuigino Camastra, Igor Morgenstern, Jan Vojtěšek
@online{camastra:20210701:backdoored:6f26c16, author = {Luigino Camastra and Igor Morgenstern and Jan Vojtěšek}, title = {{Backdoored Client from Mongolian CA MonPass}}, date = {2021-07-01}, organization = {Avast Decoded}, url = {https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass/}, language = {English}, urldate = {2021-07-02} } Backdoored Client from Mongolian CA MonPass
Cobalt Strike
2021-06-30Group-IBOleg Skulkin
@online{skulkin:20210630:revil:63bb524, author = {Oleg Skulkin}, title = {{REvil Twins Deep Dive into Prolific RaaS Affiliates' TTPs}}, date = {2021-06-30}, organization = {Group-IB}, url = {https://blog.group-ib.com/REvil_RaaS}, language = {English}, urldate = {2021-07-02} } REvil Twins Deep Dive into Prolific RaaS Affiliates' TTPs
Cobalt Strike REvil
2021-06-29ProofpointSelena Larson, Daniel Blackford
@online{larson:20210629:cobalt:99ad5a0, author = {Selena Larson and Daniel Blackford}, title = {{Cobalt Strike: Favorite Tool from APT to Crimeware}}, date = {2021-06-29}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/cobalt-strike-favorite-tool-apt-crimeware}, language = {English}, urldate = {2021-06-29} } Cobalt Strike: Favorite Tool from APT to Crimeware
Cobalt Strike
2021-06-29AccentureAccenture Security
@online{security:20210629:hades:2d4c606, author = {Accenture Security}, title = {{HADES ransomware operators continue attacks}}, date = {2021-06-29}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/security/ransomware-hades}, language = {English}, urldate = {2021-07-01} } HADES ransomware operators continue attacks
Cobalt Strike Hades MimiKatz
2021-06-28The DFIR ReportThe DFIR Report
@online{report:20210628:hancitor:b21cdd2, author = {The DFIR Report}, title = {{Hancitor Continues to Push Cobalt Strike}}, date = {2021-06-28}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/}, language = {English}, urldate = {2021-06-29} } Hancitor Continues to Push Cobalt Strike
Cobalt Strike Hancitor
2021-06-22CrowdStrikeThe Falcon Complete Team
@online{team:20210622:response:13a8ee6, author = {The Falcon Complete Team}, title = {{Response When Minutes Matter: Falcon Complete Disrupts WIZARD SPIDER eCrime Operators}}, date = {2021-06-22}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-falcon-complete-disrupts-ecrime-operators-wizard-spider/}, language = {English}, urldate = {2021-06-24} } Response When Minutes Matter: Falcon Complete Disrupts WIZARD SPIDER eCrime Operators
Cobalt Strike
2021-06-22Twitter (@Cryptolaemus1)Cryptolaemus, Kirk Sayre, dao ming si
@online{cryptolaemus:20210622:ta575:895ac37, author = {Cryptolaemus and Kirk Sayre and dao ming si}, title = {{Tweet on TA575, a Dridex affiliate delivering cobaltstrike (packed withe Cryptone) directly via the macro docs}}, date = {2021-06-22}, organization = {Twitter (@Cryptolaemus1)}, url = {https://twitter.com/Cryptolaemus1/status/1407135648528711680}, language = {English}, urldate = {2021-06-22} } Tweet on TA575, a Dridex affiliate delivering cobaltstrike (packed withe Cryptone) directly via the macro docs
Cobalt Strike Dridex
2021-06-20The DFIR ReportThe DFIR Report
@online{report:20210620:from:aadb7e8, author = {The DFIR Report}, title = {{From Word to Lateral Movement in 1 Hour}}, date = {2021-06-20}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/}, language = {English}, urldate = {2021-06-22} } From Word to Lateral Movement in 1 Hour
Cobalt Strike IcedID
2021-06-18SecurityScorecardRyan Sherstobitoff
@online{sherstobitoff:20210618:securityscorecard:0000641, author = {Ryan Sherstobitoff}, title = {{SecurityScorecard Finds USAID Hack Much Larger Than Initially Thought}}, date = {2021-06-18}, organization = {SecurityScorecard}, url = {https://securityscorecard.com/blog/securityscorecard-finds-usaid-hack-much-larger-than-initially-thought}, language = {English}, urldate = {2021-06-22} } SecurityScorecard Finds USAID Hack Much Larger Than Initially Thought
Cobalt Strike
2021-06-17Binary DefenseBrandon George
@online{george:20210617:analysis:6e4b8ac, author = {Brandon George}, title = {{Analysis of Hancitor – When Boring Begets Beacon}}, date = {2021-06-17}, organization = {Binary Defense}, url = {https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon}, language = {English}, urldate = {2021-06-22} } Analysis of Hancitor – When Boring Begets Beacon
Cobalt Strike Ficker Stealer Hancitor
2021-06-16MandiantTyler McLellan, Robert Dean, Justin Moore, Nick Harbour, Mike Hunhoff, Jared Wilson, Jordan Nuce
@online{mclellan:20210616:smoking:a03a78c, author = {Tyler McLellan and Robert Dean and Justin Moore and Nick Harbour and Mike Hunhoff and Jared Wilson and Jordan Nuce}, title = {{Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise}}, date = {2021-06-16}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/darkside-affiliate-supply-chain-software-compromise}, language = {English}, urldate = {2021-12-01} } Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise
Cobalt Strike SMOKEDHAM
2021-06-16FireEyeTyler McLellan, Robert Dean, Justin Moore, Nick Harbour, Mike Hunhoff, Jared Wilson
@online{mclellan:20210616:smoking:fa6559d, author = {Tyler McLellan and Robert Dean and Justin Moore and Nick Harbour and Mike Hunhoff and Jared Wilson}, title = {{Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise}}, date = {2021-06-16}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html}, language = {English}, urldate = {2021-12-01} } Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise
Cobalt Strike SMOKEDHAM
2021-06-16Національної поліції УкраїниНаціональна поліція України
@online{:20210616:cyberpolice:f455d86, author = {Національна поліція України}, title = {{Cyberpolice exposes hacker group in spreading encryption virus and causing half a billion dollars in damage to foreign companies}}, date = {2021-06-16}, organization = {Національної поліції України}, url = {https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/}, language = {Ukrainian}, urldate = {2021-06-21} } Cyberpolice exposes hacker group in spreading encryption virus and causing half a billion dollars in damage to foreign companies
Clop Cobalt Strike FlawedAmmyy
2021-06-15SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20210615:hades:e1734d8, author = {Counter Threat Unit ResearchTeam}, title = {{Hades Ransomware Operators Use Distinctive Tactics and Infrastructure}}, date = {2021-06-15}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/hades-ransomware-operators-use-distinctive-tactics-and-infrastructure}, language = {English}, urldate = {2021-06-21} } Hades Ransomware Operators Use Distinctive Tactics and Infrastructure
Cobalt Strike Hades
2021-06-12Twitter (@AltShiftPrtScn)Peter Mackenzie
@online{mackenzie:20210612:thread:eac742a, author = {Peter Mackenzie}, title = {{A thread on RagnarLocker ransomware group's TTP seen in an Incident Response}}, date = {2021-06-12}, organization = {Twitter (@AltShiftPrtScn)}, url = {https://twitter.com/AltShiftPrtScn/status/1403707430765273095}, language = {English}, urldate = {2021-06-21} } A thread on RagnarLocker ransomware group's TTP seen in an Incident Response
Cobalt Strike RagnarLocker
2021-06-12YouTube (BSidesBoulder)Kurt Baumgartner, Kaspersky
@online{baumgartner:20210612:same:49bc254, author = {Kurt Baumgartner and Kaspersky}, title = {{Same and Different - sesame street level attribution}}, date = {2021-06-12}, organization = {YouTube (BSidesBoulder)}, url = {https://youtu.be/SW8kVkwDOrc?t=24706}, language = {English}, urldate = {2021-06-21} } Same and Different - sesame street level attribution
Kazuar SUNBURST
2021-06-10Group-IBNikita Rostovcev
@online{rostovcev:20210610:big:4d0a5f2, author = {Nikita Rostovcev}, title = {{Big airline heist APT41 likely behind massive supply chain attack}}, date = {2021-06-10}, organization = {Group-IB}, url = {https://blog.group-ib.com/colunmtk_apt41}, language = {English}, urldate = {2021-06-16} } Big airline heist APT41 likely behind massive supply chain attack
Cobalt Strike
2021-06-09Twitter (@RedDrip7)RedDrip7
@online{reddrip7:20210609:in:74f9bac, author = {RedDrip7}, title = {{Tweet on in the wild exploit of CVE-2021-26868 (according to @_clem1)}}, date = {2021-06-09}, organization = {Twitter (@RedDrip7)}, url = {https://twitter.com/RedDrip7/status/1402640362972147717?s=20}, language = {English}, urldate = {2021-06-21} } Tweet on in the wild exploit of CVE-2021-26868 (according to @_clem1)
Cobalt Strike
2021-06-04InkyRoger Kay
@online{kay:20210604:colonial:959c12f, author = {Roger Kay}, title = {{Colonial Pipeline Ransomware Hack Unleashes Flood of Related Phishing Attempts}}, date = {2021-06-04}, organization = {Inky}, url = {https://www.inky.com/blog/colonial-pipeline-ransomware-hack-unleashes-flood-of-related-phishing-attempts}, language = {English}, urldate = {2021-06-16} } Colonial Pipeline Ransomware Hack Unleashes Flood of Related Phishing Attempts
Cobalt Strike
2021-06-04Twitter (@alex_lanstein)Alex Lanstein
@online{lanstein:20210604:unc2652nobelium:460c6ab, author = {Alex Lanstein}, title = {{Tweet on UNC2652/NOBELIUM targeting IOS users exploiting CVE-​2021-1879}}, date = {2021-06-04}, organization = {Twitter (@alex_lanstein)}, url = {https://twitter.com/alex_lanstein/status/1399829754887524354}, language = {English}, urldate = {2021-07-26} } Tweet on UNC2652/NOBELIUM targeting IOS users exploiting CVE-​2021-1879
Cobalt Strike
2021-06-02Medium CyCraftCyCraft Technology Corp
@online{corp:20210602:chinalinked:487955f, author = {CyCraft Technology Corp}, title = {{China-Linked Threat Group Targets Taiwan Critical Infrastructure, Smokescreen Ransomware}}, date = {2021-06-02}, organization = {Medium CyCraft}, url = {https://medium.com/cycraft/china-linked-threat-group-targets-taiwan-critical-infrastructure-smokescreen-ransomware-c2a155aa53d5}, language = {English}, urldate = {2021-06-09} } China-Linked Threat Group Targets Taiwan Critical Infrastructure, Smokescreen Ransomware
Cobalt Strike ColdLock
2021-06-02SophosSean Gallagher
@online{gallagher:20210602:amsi:084d0ba, author = {Sean Gallagher}, title = {{AMSI bypasses remain tricks of the malware trade}}, date = {2021-06-02}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/}, language = {English}, urldate = {2021-06-09} } AMSI bypasses remain tricks of the malware trade
Agent Tesla Cobalt Strike Meterpreter
2021-06-01Department of JusticeOffice of Public Affairs
@online{affairs:20210601:justice:1ed9656, author = {Office of Public Affairs}, title = {{Justice Department Announces Court-Authorized Seizure of Domain Names Used in Furtherance of Spear-Phishing Campaign Posing as U.S. Agency for International Development}}, date = {2021-06-01}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-seizure-domain-names-used-furtherance-spear}, language = {English}, urldate = {2021-06-09} } Justice Department Announces Court-Authorized Seizure of Domain Names Used in Furtherance of Spear-Phishing Campaign Posing as U.S. Agency for International Development
Cobalt Strike
2021-06-01SANSKevin Haley, Jake Williams
@online{haley:20210601:contrarian:6aff18c, author = {Kevin Haley and Jake Williams}, title = {{A Contrarian View on SolarWinds}}, date = {2021-06-01}, organization = {SANS}, url = {https://www.sans.org/webcasts/contrarian-view-solarwinds-119515}, language = {English}, urldate = {2021-06-21} } A Contrarian View on SolarWinds
Cobalt Strike Raindrop SUNBURST TEARDROP
2021-06-01SentinelOneJuan Andrés Guerrero-Saade
@online{guerrerosaade:20210601:noblebaron:20dd227, author = {Juan Andrés Guerrero-Saade}, title = {{NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks}}, date = {2021-06-01}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/}, language = {English}, urldate = {2021-06-09} } NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks
Cobalt Strike
2021-06-01MicrosoftMicrosoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Threat Intelligence Team
@online{mstic:20210601:new:83aee4c, author = {Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Threat Intelligence Team}, title = {{New sophisticated email-based attack from NOBELIUM}}, date = {2021-06-01}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/}, language = {English}, urldate = {2021-06-09} } New sophisticated email-based attack from NOBELIUM
Cobalt Strike
2021-06-01CiscoJosh Pyorre
@online{pyorre:20210601:backdoors:577a28b, author = {Josh Pyorre}, title = {{Backdoors, RATs, Loaders evasion techniques}}, date = {2021-06-01}, organization = {Cisco}, url = {https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-backdoors-rats-loaders-evasion-techniques}, language = {English}, urldate = {2021-06-24} } Backdoors, RATs, Loaders evasion techniques
BazarNimrod GoldMax Oblique RAT
2021-05-29Twitter (@elisalem9)Eli Salem
@online{salem:20210529:obfuscation:f1b68f3, author = {Eli Salem}, title = {{Tweet on obfuscation mechanism and extraction procedure of COBALTSTRIKE beacon module used by NOBELIUM/UNC2452}}, date = {2021-05-29}, organization = {Twitter (@elisalem9)}, url = {https://twitter.com/elisalem9/status/1398566939656601606}, language = {English}, urldate = {2021-08-02} } Tweet on obfuscation mechanism and extraction procedure of COBALTSTRIKE beacon module used by NOBELIUM/UNC2452
Cobalt Strike
2021-05-28CISAUS-CERT
@online{uscert:20210528:alert:be89c5f, author = {US-CERT}, title = {{Alert (AA21-148A): Sophisticated Spearphishing Campaign Targets Government Organizations, IGOs, and NGOs}}, date = {2021-05-28}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/alerts/aa21-148a}, language = {English}, urldate = {2021-07-27} } Alert (AA21-148A): Sophisticated Spearphishing Campaign Targets Government Organizations, IGOs, and NGOs
Cobalt Strike
2021-05-28CISAUS-CERT
@online{uscert:20210528:malware:0913332, author = {US-CERT}, title = {{Malware Analysis Report (AR21-148A): Cobalt Strike Beacon}}, date = {2021-05-28}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-148a}, language = {English}, urldate = {2021-07-19} } Malware Analysis Report (AR21-148A): Cobalt Strike Beacon
Cobalt Strike
2021-05-27VolexityDamien Cash, Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair, Thomas Lancaster
@online{cash:20210527:suspected:beb9dd9, author = {Damien Cash and Josh Grunzweig and Matthew Meltzer and Sean Koessel and Steven Adair and Thomas Lancaster}, title = {{Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns}}, date = {2021-05-27}, organization = {Volexity}, url = {https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/}, language = {English}, urldate = {2021-06-09} } Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns
Cobalt Strike
2021-05-26DeepInstinctRon Ben Yizhak
@online{yizhak:20210526:deep:c123a19, author = {Ron Ben Yizhak}, title = {{A Deep Dive into Packing Software CryptOne}}, date = {2021-05-26}, organization = {DeepInstinct}, url = {https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/}, language = {English}, urldate = {2021-06-22} } A Deep Dive into Packing Software CryptOne
Cobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader
2021-05-25Huntress LabsMatthew Brennan
@online{brennan:20210525:cobalt:c428be0, author = {Matthew Brennan}, title = {{Cobalt Strikes Again: An Analysis of Obfuscated Malware}}, date = {2021-05-25}, organization = {Huntress Labs}, url = {https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware}, language = {English}, urldate = {2021-06-09} } Cobalt Strikes Again: An Analysis of Obfuscated Malware
Cobalt Strike
2021-05-21blackarrowPablo Ambite
@online{ambite:20210521:leveraging:55f56da, author = {Pablo Ambite}, title = {{Leveraging Microsoft Teams to persist and cover up Cobalt Strike traffic}}, date = {2021-05-21}, organization = {blackarrow}, url = {https://www.blackarrow.net/leveraging-microsoft-teams-to-persist-and-cover-up-cobalt-strike-traffic/}, language = {English}, urldate = {2021-06-22} } Leveraging Microsoft Teams to persist and cover up Cobalt Strike traffic
Cobalt Strike
2021-05-19Medium Mehmet ErgeneMehmet Ergene
@online{ergene:20210519:enterprise:f7fb481, author = {Mehmet Ergene}, title = {{Enterprise Scale Threat Hunting: Network Beacon Detection with Unsupervised ML and KQL — Part 2}}, date = {2021-05-19}, organization = {Medium Mehmet Ergene}, url = {https://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-ml-and-kql-part-2-bff46cfc1e7e}, language = {English}, urldate = {2021-05-26} } Enterprise Scale Threat Hunting: Network Beacon Detection with Unsupervised ML and KQL — Part 2
Cobalt Strike
2021-05-19Intel 471Intel 471
@online{471:20210519:look:5ba9516, author = {Intel 471}, title = {{Look how many cybercriminals love Cobalt Strike}}, date = {2021-05-19}, organization = {Intel 471}, url = {https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor}, language = {English}, urldate = {2021-05-19} } Look how many cybercriminals love Cobalt Strike
BazarBackdoor Cobalt Strike Hancitor QakBot SmokeLoader SystemBC TrickBot
2021-05-18SophosJohn Shier, Mat Gangwer, Greg Iddon, Peter Mackenzie
@online{shier:20210518:active:f313ac5, author = {John Shier and Mat Gangwer and Greg Iddon and Peter Mackenzie}, title = {{The Active Adversary Playbook 2021}}, date = {2021-05-18}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/05/18/the-active-adversary-playbook-2021/?cmp=37153}, language = {English}, urldate = {2021-05-25} } The Active Adversary Playbook 2021
Cobalt Strike MimiKatz
2021-05-17TalosBrad Garnett
@online{garnett:20210517:case:a8ef9cf, author = {Brad Garnett}, title = {{Case Study: Incident Response is a relationship-driven business}}, date = {2021-05-17}, organization = {Talos}, url = {https://blog.talosintelligence.com/2021/05/ctir-case-study.html}, language = {English}, urldate = {2021-05-25} } Case Study: Incident Response is a relationship-driven business
Cobalt Strike
2021-05-16NCSC IrelandNCSC Ireland
@techreport{ireland:20210516:ransomware:b091d9b, author = {NCSC Ireland}, title = {{Ransomware Attack on Health Sector - UPDATE 2021-05-16}}, date = {2021-05-16}, institution = {NCSC Ireland}, url = {https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf}, language = {English}, urldate = {2021-05-17} } Ransomware Attack on Health Sector - UPDATE 2021-05-16
Cobalt Strike Conti
2021-05-14CISAUS-CERT
@online{uscert:20210514:analysis:f0b767a, author = {US-CERT}, title = {{Analysis Report (AR21-134A): Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise}}, date = {2021-05-14}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-134a}, language = {English}, urldate = {2021-07-19} } Analysis Report (AR21-134A): Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise
SUNBURST
2021-05-14Blue Team BlogAuth 0r
@online{0r:20210514:darkside:bf9c5bc, author = {Auth 0r}, title = {{DarkSide Ransomware Operations – Preventions and Detections.}}, date = {2021-05-14}, organization = {Blue Team Blog}, url = {https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections}, language = {English}, urldate = {2021-05-17} } DarkSide Ransomware Operations – Preventions and Detections.
Cobalt Strike DarkSide
2021-05-14GuidePoint SecurityDrew Schmitt
@online{schmitt:20210514:from:944b5f1, author = {Drew Schmitt}, title = {{From ZLoader to DarkSide: A Ransomware Story}}, date = {2021-05-14}, organization = {GuidePoint Security}, url = {https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/}, language = {English}, urldate = {2021-05-17} } From ZLoader to DarkSide: A Ransomware Story
DarkSide Cobalt Strike Zloader
2021-05-13AWAKEKieran Evans
@online{evans:20210513:catching:eaa13e2, author = {Kieran Evans}, title = {{Catching the White Stork in Flight}}, date = {2021-05-13}, organization = {AWAKE}, url = {https://awakesecurity.com/blog/catching-the-white-stork-in-flight/}, language = {English}, urldate = {2021-09-19} } Catching the White Stork in Flight
Cobalt Strike MimiKatz RMS
2021-05-12Medium Mehmet ErgeneMehmet Ergene
@online{ergene:20210512:enterprise:09742df, author = {Mehmet Ergene}, title = {{Enterprise Scale Threat Hunting: Network Beacon Detection with Unsupervised ML and KQL — Part 1}}, date = {2021-05-12}, organization = {Medium Mehmet Ergene}, url = {https://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-machine-learning-and-277c4c30304f}, language = {English}, urldate = {2021-05-26} } Enterprise Scale Threat Hunting: Network Beacon Detection with Unsupervised ML and KQL — Part 1
Cobalt Strike
2021-05-12The DFIR Report
@online{report:20210512:conti:598c5f2, author = {The DFIR Report}, title = {{Conti Ransomware}}, date = {2021-05-12}, url = {https://thedfirreport.com/2021/05/12/conti-ransomware/}, language = {English}, urldate = {2021-05-13} } Conti Ransomware
Cobalt Strike Conti IcedID
2021-05-11Mal-Eatsmal_eats
@online{maleats:20210511:campo:0305ab9, author = {mal_eats}, title = {{Campo, a New Attack Campaign Targeting Japan}}, date = {2021-05-11}, organization = {Mal-Eats}, url = {https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/}, language = {English}, urldate = {2021-06-01} } Campo, a New Attack Campaign Targeting Japan
Anchor_DNS BazarBackdoor campoloader Cobalt Strike Phobos Snifula TrickBot Zloader
2021-05-11FireEyeJordan Nuce, Jeremy Kennelly, Kimberly Goody, Andrew Moore, Alyssa Rahman, Brendan McKeague, Jared Wilson
@online{nuce:20210511:shining:339d137, author = {Jordan Nuce and Jeremy Kennelly and Kimberly Goody and Andrew Moore and Alyssa Rahman and Brendan McKeague and Jared Wilson}, title = {{Shining a Light on DARKSIDE Ransomware Operations}}, date = {2021-05-11}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html}, language = {English}, urldate = {2021-05-13} } Shining a Light on DARKSIDE Ransomware Operations
Cobalt Strike DarkSide
2021-05-10ZERO.BSZEROBS
@online{zerobs:20210510:cobaltstrikebeacons:b7fee54, author = {ZEROBS}, title = {{Cobaltstrike-Beacons analyzed}}, date = {2021-05-10}, organization = {ZERO.BS}, url = {https://zero.bs/cobaltstrike-beacons-analyzed.html}, language = {English}, urldate = {2021-05-11} } Cobaltstrike-Beacons analyzed
Cobalt Strike
2021-05-10Mal-Eatsmal_eats
@online{maleats:20210510:overview:50ff3b3, author = {mal_eats}, title = {{Overview of Campo, a new attack campaign targeting Japan}}, date = {2021-05-10}, organization = {Mal-Eats}, url = {https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/}, language = {English}, urldate = {2021-05-13} } Overview of Campo, a new attack campaign targeting Japan
Anchor_DNS BazarBackdoor Cobalt Strike ISFB Phobos TrickBot Zloader
2021-05-08The RecordCatalin Cimpanu
@online{cimpanu:20210508:solarwinds:501c002, author = {Catalin Cimpanu}, title = {{SolarWinds says fewer than 100 customers were impacted by supply chain attack}}, date = {2021-05-08}, organization = {The Record}, url = {https://therecord.media/solarwinds-says-fewer-than-100-customers-were-impacted-by-supply-chain-attack}, language = {English}, urldate = {2021-05-11} } SolarWinds says fewer than 100 customers were impacted by supply chain attack
SUNBURST
2021-05-07TEAMT5Aragorn Tseng, Charles Li
@techreport{tseng:20210507:mem2img:494799d, author = {Aragorn Tseng and Charles Li}, title = {{Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network}}, date = {2021-05-07}, institution = {TEAMT5}, url = {https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf}, language = {English}, urldate = {2021-09-12} } Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network
Cobalt Strike PlugX Waterbear
2021-05-07Cisco TalosCaitlin Huey, Andrew Windsor, Edmund Brumaghin
@online{huey:20210507:lemon:0d46f81, author = {Caitlin Huey and Andrew Windsor and Edmund Brumaghin}, title = {{Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs}}, date = {2021-05-07}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html}, language = {English}, urldate = {2021-05-11} } Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs
CHINACHOPPER Cobalt Strike
2021-05-07SophosLabs UncutRajesh Nataraj
@online{nataraj:20210507:new:79ec788, author = {Rajesh Nataraj}, title = {{New Lemon Duck variants exploiting Microsoft Exchange Server}}, date = {2021-05-07}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728}, language = {English}, urldate = {2021-05-11} } New Lemon Duck variants exploiting Microsoft Exchange Server
CHINACHOPPER Cobalt Strike
2021-05-07Medium svch0stsvch0st
@online{svch0st:20210507:stats:11919e5, author = {svch0st}, title = {{Stats from Hunting Cobalt Strike Beacons}}, date = {2021-05-07}, organization = {Medium svch0st}, url = {https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b}, language = {English}, urldate = {2021-05-08} } Stats from Hunting Cobalt Strike Beacons
Cobalt Strike
2021-05-07SolarWindsSolarwind
@online{solarwind:20210507:investigative:54c699d, author = {Solarwind}, title = {{An Investigative Update of the Cyberattack}}, date = {2021-05-07}, organization = {SolarWinds}, url = {https://www.sec.gov/ix?doc=/Archives/edgar/data/1739942/000173994221000076/swi-20210507.htm}, language = {English}, urldate = {2021-05-11} } An Investigative Update of the Cyberattack
SUNBURST
2021-05-06Trend MicroArianne Dela Cruz, Cris Tomboc, Jayson Chong, Nikki Madayag, Sean Torre
@online{cruz:20210506:proxylogon:4920ee4, author = {Arianne Dela Cruz and Cris Tomboc and Jayson Chong and Nikki Madayag and Sean Torre}, title = {{Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party}}, date = {2021-05-06}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html}, language = {English}, urldate = {2021-05-11} } Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party
Prometei BlackKingdom Ransomware CHINACHOPPER Cobalt Strike
2021-05-05TRUESECMattias Wåhlén
@online{whln:20210505:are:61bb8a0, author = {Mattias Wåhlén}, title = {{Are The Notorious Cyber Criminals Evil Corp actually Russian Spies?}}, date = {2021-05-05}, organization = {TRUESEC}, url = {https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/}, language = {English}, urldate = {2021-05-08} } Are The Notorious Cyber Criminals Evil Corp actually Russian Spies?
Cobalt Strike Hades WastedLocker
2021-05-05SophosLabs UncutAndrew Brandt, Peter Mackenzie, Vikas Singh, Gabor Szappanos
@online{brandt:20210505:intervention:f548dee, author = {Andrew Brandt and Peter Mackenzie and Vikas Singh and Gabor Szappanos}, title = {{Intervention halts a ProxyLogon-enabled attack}}, date = {2021-05-05}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/05/05/intervention-halts-a-proxylogon-enabled-attack}, language = {English}, urldate = {2021-05-07} } Intervention halts a ProxyLogon-enabled attack
Cobalt Strike
2021-05-04Medium sergiusechelSergiu Sechel
@online{sechel:20210504:improving:ce4da6d, author = {Sergiu Sechel}, title = {{Improving the network-based detection of Cobalt Strike C2 servers in the wild while reducing the risk of false positives}}, date = {2021-05-04}, organization = {Medium sergiusechel}, url = {https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468}, language = {English}, urldate = {2021-05-04} } Improving the network-based detection of Cobalt Strike C2 servers in the wild while reducing the risk of false positives
Cobalt Strike
2021-05-02The DFIR ReportThe DFIR Report
@online{report:20210502:trickbot:242b786, author = {The DFIR Report}, title = {{Trickbot Brief: Creds and Beacons}}, date = {2021-05-02}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/}, language = {English}, urldate = {2021-05-04} } Trickbot Brief: Creds and Beacons
Cobalt Strike TrickBot
2021-04-29NTTThreat Detection NTT Ltd.
@techreport{ltd:20210429:operations:a7ad0d4, author = {Threat Detection NTT Ltd.}, title = {{The Operations of Winnti group}}, date = {2021-04-29}, institution = {NTT}, url = {https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf}, language = {English}, urldate = {2021-08-09} } The Operations of Winnti group
Cobalt Strike ShadowPad Spyder Winnti
2021-04-27Trend MicroJanus Agcaoili, Earle Earnshaw
@online{agcaoili:20210427:legitimate:b293526, author = {Janus Agcaoili and Earle Earnshaw}, title = {{Legitimate Tools Weaponized for Ransomware in 2021}}, date = {2021-04-27}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021}, language = {English}, urldate = {2021-05-03} } Legitimate Tools Weaponized for Ransomware in 2021
Cobalt Strike MimiKatz
2021-04-27Trend MicroJanus Agcaoili
@online{agcaoili:20210427:hello:b3c5de5, author = {Janus Agcaoili}, title = {{Hello Ransomware Uses Updated China Chopper Web Shell, SharePoint Vulnerability}}, date = {2021-04-27}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/d/hello-ransomware-uses-updated-china-chopper-web-shell-sharepoint-vulnerability.html}, language = {English}, urldate = {2021-04-29} } Hello Ransomware Uses Updated China Chopper Web Shell, SharePoint Vulnerability
CHINACHOPPER Cobalt Strike
2021-04-26getrevueTwitter (@80vul)
@online{80vul:20210426:hunting:e8be278, author = {Twitter (@80vul)}, title = {{Hunting Cobalt Strike DNS redirectors by using ZoomEye}}, date = {2021-04-26}, organization = {getrevue}, url = {https://www.getrevue.co/profile/80vul/issues/hunting-cobalt-strike-dns-redirectors-by-using-zoomeye-580734}, language = {English}, urldate = {2021-04-29} } Hunting Cobalt Strike DNS redirectors by using ZoomEye
Cobalt Strike
2021-04-26nvisoMaxime Thiebaut
@online{thiebaut:20210426:anatomy:0ade0a5, author = {Maxime Thiebaut}, title = {{Anatomy of Cobalt Strike’s DLL Stager}}, date = {2021-04-26}, organization = {nviso}, url = {https://blog.nviso.eu/2021/04/26/anatomy-of-cobalt-strike-dll-stagers/}, language = {English}, urldate = {2021-04-29} } Anatomy of Cobalt Strike’s DLL Stager
Cobalt Strike
2021-04-24Non-offensive securityNon-offensive security team
@online{team:20210424:detect:4fab11a, author = {Non-offensive security team}, title = {{Detect Cobalt Strike server through DNS protocol}}, date = {2021-04-24}, organization = {Non-offensive security}, url = {https://mp.weixin.qq.com/s/peIpPJLt4NuJI1a31S_qbQ}, language = {Chinese}, urldate = {2021-04-29} } Detect Cobalt Strike server through DNS protocol
Cobalt Strike
2021-04-23Twitter (@vikas891)Vikas Singh
@online{singh:20210423:doppel:1bfd6da, author = {Vikas Singh}, title = {{Tweet on DOPPEL SPIDER using Intensive/Multiple Injected Cobalt Strike Beacons with varied polling intervals}}, date = {2021-04-23}, organization = {Twitter (@vikas891)}, url = {https://twitter.com/vikas891/status/1385306823662587905}, language = {English}, urldate = {2021-05-25} } Tweet on DOPPEL SPIDER using Intensive/Multiple Injected Cobalt Strike Beacons with varied polling intervals
Cobalt Strike DoppelPaymer
2021-04-22RiskIQRiskIQ
@online{riskiq:20210422:solarwinds:83581ea, author = {RiskIQ}, title = {{SolarWinds: Advancing the Story}}, date = {2021-04-22}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/9a515637}, language = {English}, urldate = {2021-04-28} } SolarWinds: Advancing the Story
SUNBURST
2021-04-22Twitter (@AltShiftPrtScn)Peter Mackenzie
@online{mackenzie:20210422:twwet:62355c6, author = {Peter Mackenzie}, title = {{Twwet On TTPs seen in IR used by DOPPEL SPIDER}}, date = {2021-04-22}, organization = {Twitter (@AltShiftPrtScn)}, url = {https://twitter.com/AltShiftPrtScn/status/1385103712918642688}, language = {English}, urldate = {2021-05-25} } Twwet On TTPs seen in IR used by DOPPEL SPIDER
Cobalt Strike DoppelPaymer
2021-04-21SophosLabs UncutSean Gallagher, Suriya Natarajan, Anand Aijan, Michael Wood, Sivagnanam Gn, Markel Picado, Andrew Brandt
@online{gallagher:20210421:nearly:53964a7, author = {Sean Gallagher and Suriya Natarajan and Anand Aijan and Michael Wood and Sivagnanam Gn and Markel Picado and Andrew Brandt}, title = {{Nearly half of malware now use TLS to conceal communications}}, date = {2021-04-21}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/}, language = {English}, urldate = {2021-04-28} } Nearly half of malware now use TLS to conceal communications
Agent Tesla Cobalt Strike Dridex SystemBC
2021-04-20Medium walmartglobaltechJason Reaves
@online{reaves:20210420:cobaltstrike:d18d4c4, author = {Jason Reaves}, title = {{CobaltStrike Stager Utilizing Floating Point Math}}, date = {2021-04-20}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/cobaltstrike-stager-utilizing-floating-point-math-9bc13f9b9718}, language = {English}, urldate = {2021-04-20} } CobaltStrike Stager Utilizing Floating Point Math
Cobalt Strike
2021-04-19NetresecErik Hjelmvik
@online{hjelmvik:20210419:analysing:c6bff49, author = {Erik Hjelmvik}, title = {{Analysing a malware PCAP with IcedID and Cobalt Strike traffic}}, date = {2021-04-19}, organization = {Netresec}, url = {https://netresec.com/?b=214d7ff}, language = {English}, urldate = {2021-04-20} } Analysing a malware PCAP with IcedID and Cobalt Strike traffic
Cobalt Strike IcedID
2021-04-18YouTube (dist67)Didier Stevens
@online{stevens:20210418:decoding:18e5319, author = {Didier Stevens}, title = {{Decoding Cobalt Strike Traffic}}, date = {2021-04-18}, organization = {YouTube (dist67)}, url = {https://www.youtube.com/watch?v=ysN-MqyIN7M}, language = {English}, urldate = {2021-04-20} } Decoding Cobalt Strike Traffic
Cobalt Strike
2021-04-15European CouncilCouncil of the European Union
@online{union:20210415:declaration:f535296, author = {Council of the European Union}, title = {{Declaration by the High Representative on behalf of the European Union expressing solidarity with the United States on the impact of the SolarWinds cyber operation}}, date = {2021-04-15}, organization = {European Council}, url = {https://www.consilium.europa.eu/en/press/press-releases/2021/04/15/declaration-by-the-high-representative-on-behalf-of-the-european-union-expressing-solidarity-with-the-united-states-on-the-impact-of-the-solarwinds-cyber-operation}, language = {English}, urldate = {2021-04-16} } Declaration by the High Representative on behalf of the European Union expressing solidarity with the United States on the impact of the SolarWinds cyber operation
SUNBURST
2021-04-15CISAUS-CERT
@online{uscert:20210415:malware:27f4af4, author = {US-CERT}, title = {{Malware Analysis Report (AR21-105A): SUNSHUTTLE}}, date = {2021-04-15}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-105a}, language = {English}, urldate = {2021-04-16} } Malware Analysis Report (AR21-105A): SUNSHUTTLE
GoldMax
2021-04-15Ministry of foreign affairs of the Republic of LatviaMinistry of foreign affairs of the Republic of Latvia
@online{latvia:20210415:latvias:9f5fa8a, author = {Ministry of foreign affairs of the Republic of Latvia}, title = {{Latvia’s statement following the announcement by the United States of actions to respond to the Russian Federation’s destabilizing activities (Deadlink)}}, date = {2021-04-15}, organization = {Ministry of foreign affairs of the Republic of Latvia}, url = {https://www.mfa.gov.lv/en/news/latest-news/67813-latvia-s-statement-following-the-announcement-by-the-united-states-of-actions-to-respond-to-the-russian-federation-s-destabilizing-activities}, language = {English}, urldate = {2021-08-02} } Latvia’s statement following the announcement by the United States of actions to respond to the Russian Federation’s destabilizing activities (Deadlink)
SUNBURST
2021-04-15Ministry of Foreign Affairs Republic of PolandMinistry of Foreign Affairs Republic of Poland
@online{poland:20210415:statement:3a57d39, author = {Ministry of Foreign Affairs Republic of Poland}, title = {{Statement on Solar Winds Orion cyberattacks}}, date = {2021-04-15}, organization = {Ministry of Foreign Affairs Republic of Poland}, url = {https://www.gov.pl/web/diplomacy/statement-on-solar-winds-orion-cyberattacks}, language = {English}, urldate = {2021-04-16} } Statement on Solar Winds Orion cyberattacks
SUNBURST
2021-04-15North Atlantic Treaty OrganizationNATO
@online{nato:20210415:north:823013b, author = {NATO}, title = {{North Atlantic Council Statement following the announcement by the United States of actions with regard to Russia}}, date = {2021-04-15}, organization = {North Atlantic Treaty Organization}, url = {https://www.nato.int/cps/en/natolive/official_texts_183168.htm?selectedLocale=en}, language = {English}, urldate = {2021-04-16} } North Atlantic Council Statement following the announcement by the United States of actions with regard to Russia
SUNBURST
2021-04-14InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20210414:april:4a29cb5, author = {Brad Duncan}, title = {{April 2021 Forensic Quiz: Answers and Analysis}}, date = {2021-04-14}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/27308}, language = {English}, urldate = {2021-04-14} } April 2021 Forensic Quiz: Answers and Analysis
Anchor BazarBackdoor Cobalt Strike
2021-04-09F-SecureRiccardo Ancarani, Giulio Ginesi
@online{ancarani:20210409:detecting:01d28ed, author = {Riccardo Ancarani and Giulio Ginesi}, title = {{Detecting Exposed Cobalt Strike DNS Redirectors}}, date = {2021-04-09}, organization = {F-Secure}, url = {https://labs.f-secure.com/blog/detecting-exposed-cobalt-strike-dns-redirectors}, language = {English}, urldate = {2021-04-14} } Detecting Exposed Cobalt Strike DNS Redirectors
Cobalt Strike
2021-04-07Medium sixdubJustin Warner
@online{warner:20210407:using:a7d19fd, author = {Justin Warner}, title = {{Using Kaitai Struct to Parse Cobalt Strike Beacon Configs}}, date = {2021-04-07}, organization = {Medium sixdub}, url = {https://sixdub.medium.com/using-kaitai-to-parse-cobalt-strike-beacon-configs-f5f0552d5a6e}, language = {English}, urldate = {2021-04-09} } Using Kaitai Struct to Parse Cobalt Strike Beacon Configs
Cobalt Strike
2021-04-05Medium walmartglobaltechJason Reaves, Joshua Platt
@online{reaves:20210405:trickbot:a6b0592, author = {Jason Reaves and Joshua Platt}, title = {{TrickBot Crews New CobaltStrike Loader}}, date = {2021-04-05}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c}, language = {English}, urldate = {2021-04-06} } TrickBot Crews New CobaltStrike Loader
Cobalt Strike TrickBot
2021-04-01Palo Alto Networks Unit 42Brad Duncan
@online{duncan:20210401:hancitors:8876ca1, author = {Brad Duncan}, title = {{Hancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool}}, date = {2021-04-01}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/}, language = {English}, urldate = {2021-04-06} } Hancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool
Cobalt Strike Hancitor
2021-04-01DomainToolsJoe Slowik
@online{slowik:20210401:covid19:6a96e45, author = {Joe Slowik}, title = {{COVID-19 Phishing With a Side of Cobalt Strike}}, date = {2021-04-01}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/covid-19-phishing-with-a-side-of-cobalt-strike#}, language = {English}, urldate = {2021-04-06} } COVID-19 Phishing With a Side of Cobalt Strike
Cobalt Strike
2021-03-31Red CanaryRed Canary
@techreport{canary:20210331:2021:cd81f2d, author = {Red Canary}, title = {{2021 Threat Detection Report}}, date = {2021-03-31}, institution = {Red Canary}, url = {https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf}, language = {English}, urldate = {2021-04-06} } 2021 Threat Detection Report
Shlayer Andromeda Cobalt Strike Dridex Emotet IcedID MimiKatz QakBot TrickBot
2021-03-30GuidePoint SecurityDrew Schmitt
@online{schmitt:20210330:yet:9855592, author = {Drew Schmitt}, title = {{Yet Another Cobalt Strike Stager: GUID Edition}}, date = {2021-03-30}, organization = {GuidePoint Security}, url = {https://www.guidepointsecurity.com/yet-another-cobalt-strike-loader-guid-edition/}, language = {English}, urldate = {2021-04-06} } Yet Another Cobalt Strike Stager: GUID Edition
Cobalt Strike
2021-03-29The DFIR ReportThe DFIR Report
@online{report:20210329:sodinokibi:4c63e20, author = {The DFIR Report}, title = {{Sodinokibi (aka REvil) Ransomware}}, date = {2021-03-29}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/}, language = {English}, urldate = {2021-03-30} } Sodinokibi (aka REvil) Ransomware
Cobalt Strike IcedID REvil
2021-03-21YouTube (dist67)Didier Stevens
@online{stevens:20210321:finding:92a9a4d, author = {Didier Stevens}, title = {{Finding Metasploit & Cobalt Strike URLs}}, date = {2021-03-21}, organization = {YouTube (dist67)}, url = {https://www.youtube.com/watch?v=WW0_TgWT2gs}, language = {English}, urldate = {2021-03-25} } Finding Metasploit & Cobalt Strike URLs
Cobalt Strike
2021-03-21BlackberryBlackberry Research
@techreport{research:20210321:2021:a393473, author = {Blackberry Research}, title = {{2021 Threat Report}}, date = {2021-03-21}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf}, language = {English}, urldate = {2021-03-25} } 2021 Threat Report
Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot
2021-03-18CISAUS-CERT
@online{uscert:20210318:alert:bff148c, author = {US-CERT}, title = {{Alert (AA21-077A): Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool}}, date = {2021-03-18}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/alerts/aa21-077a}, language = {English}, urldate = {2021-03-19} } Alert (AA21-077A): Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool
SUNBURST
2021-03-18Github (cisagov)CISA
@online{cisa:20210318:cisa:49f510f, author = {CISA}, title = {{CISA Hunt and Incident Response Program (CHIRP)}}, date = {2021-03-18}, organization = {Github (cisagov)}, url = {https://github.com/cisagov/CHIRP}, language = {English}, urldate = {2021-03-19} } CISA Hunt and Incident Response Program (CHIRP)
SUNBURST
2021-03-18DeepInstinctBen Gross
@online{gross:20210318:cobalt:5392fb0, author = {Ben Gross}, title = {{Cobalt Strike – Post-Exploitation Attackers Toolkit}}, date = {2021-03-18}, organization = {DeepInstinct}, url = {https://www.deepinstinct.com/2021/03/18/cobalt-strike-post-exploitation-attackers-toolkit/}, language = {English}, urldate = {2021-06-22} } Cobalt Strike – Post-Exploitation Attackers Toolkit
Cobalt Strike
2021-03-18PRODAFT Threat IntelligencePRODAFT
@techreport{prodaft:20210318:silverfish:f203208, author = {PRODAFT}, title = {{SilverFish GroupThreat Actor Report}}, date = {2021-03-18}, institution = {PRODAFT Threat Intelligence}, url = {https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf}, language = {English}, urldate = {2021-04-06} } SilverFish GroupThreat Actor Report
Cobalt Strike Dridex Koadic
2021-03-17CISAUS-CERT
@techreport{uscert:20210317:solarwinds:3d7860a, author = {US-CERT}, title = {{SolarWinds and Active Directory/M365 Compromise: Detecting Advanced Persistent Threat Activity from Known Tactics, Techniques, and Procedures (Dead Link)}}, date = {2021-03-17}, institution = {CISA}, url = {https://us-cert.cisa.gov/sites/default/files/publications/SolarWinds_and_AD-M365_Compromise-Detecting_APT_Activity_from_Known_TTPs.pdf}, language = {English}, urldate = {2021-08-02} } SolarWinds and Active Directory/M365 Compromise: Detecting Advanced Persistent Threat Activity from Known Tactics, Techniques, and Procedures (Dead Link)
SUNBURST
2021-03-16McAfeeMcAfee ATR
@techreport{atr:20210316:technical:8c4909a, author = {McAfee ATR}, title = {{Technical Analysis of Operation Diànxùn}}, date = {2021-03-16}, institution = {McAfee}, url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf}, language = {English}, urldate = {2021-03-22} } Technical Analysis of Operation Diànxùn
Cobalt Strike
2021-03-16MimecastMimecast
@online{mimecast:20210316:incident:2c3e79a, author = {Mimecast}, title = {{Incident Report}}, date = {2021-03-16}, organization = {Mimecast}, url = {https://www.mimecast.com/incident-report/}, language = {English}, urldate = {2021-03-22} } Incident Report
SUNBURST
2021-03-16ElasticJoe Desimone
@online{desimone:20210316:detecting:4091130, author = {Joe Desimone}, title = {{Detecting Cobalt Strike with memory signatures}}, date = {2021-03-16}, organization = {Elastic}, url = {https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures}, language = {English}, urldate = {2021-03-22} } Detecting Cobalt Strike with memory signatures
Cobalt Strike
2021-03-11QuriumQurium
@online{qurium:20210311:myanmar:7bfc8ce, author = {Qurium}, title = {{Myanmar – Multi-stage malware attack targets elected lawmakers}}, date = {2021-03-11}, organization = {Qurium}, url = {https://www.qurium.org/alerts/targeted-malware-against-crph/}, language = {English}, urldate = {2021-06-21} } Myanmar – Multi-stage malware attack targets elected lawmakers
Cobalt Strike
2021-03-11Cyborg SecurityJosh Campbell
@online{campbell:20210311:you:7bd2342, author = {Josh Campbell}, title = {{You Don't Know the HAFNIUM of it...}}, date = {2021-03-11}, organization = {Cyborg Security}, url = {https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/}, language = {English}, urldate = {2021-03-16} } You Don't Know the HAFNIUM of it...
CHINACHOPPER Cobalt Strike PowerCat
2021-03-10US-CERTCISA
@online{cisa:20210310:remediating:23bf74d, author = {CISA}, title = {{Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise}}, date = {2021-03-10}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/remediating-apt-compromised-networks}, language = {English}, urldate = {2021-03-12} } Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise
SUNBURST
2021-03-10ProofpointDennis Schwarz, Matthew Mesa, Proofpoint Threat Research Team
@online{schwarz:20210310:nimzaloader:f6960d4, author = {Dennis Schwarz and Matthew Mesa and Proofpoint Threat Research Team}, title = {{NimzaLoader: TA800’s New Initial Access Malware}}, date = {2021-03-10}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware}, language = {English}, urldate = {2021-03-12} } NimzaLoader: TA800’s New Initial Access Malware
BazarNimrod Cobalt Strike
2021-03-09splunkSecurity Research Team
@online{team:20210309:cloud:4deeb78, author = {Security Research Team}, title = {{Cloud Federated Credential Abuse & Cobalt Strike: Threat Research February 2021}}, date = {2021-03-09}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/cloud-federated-credential-abuse-cobalt-strike-threat-research-feb-2021.html}, language = {English}, urldate = {2021-03-11} } Cloud Federated Credential Abuse & Cobalt Strike: Threat Research February 2021
Cobalt Strike
2021-03-08Youtube (SANS Digital Forensics and Incident Response)Katie Nickels, Adam Pennington, Jen Burns
@online{nickels:20210308:star:083eb29, author = {Katie Nickels and Adam Pennington and Jen Burns}, title = {{STAR Webcast: Making sense of SolarWinds through the lens of MITRE ATT&CK(R)}}, date = {2021-03-08}, organization = {Youtube (SANS Digital Forensics and Incident Response)}, url = {https://www.youtube.com/watch?v=LA-XE5Jy2kU}, language = {English}, urldate = {2021-03-11} } STAR Webcast: Making sense of SolarWinds through the lens of MITRE ATT&CK(R)
Cobalt Strike SUNBURST TEARDROP
2021-03-08The DFIR ReportThe DFIR Report
@online{report:20210308:bazar:ba050d7, author = {The DFIR Report}, title = {{Bazar Drops the Anchor}}, date = {2021-03-08}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/}, language = {English}, urldate = {2021-03-10} } Bazar Drops the Anchor
Anchor BazarBackdoor Cobalt Strike
2021-03-08x0r19x91.gitlab.ioSuvaditya Sur
@online{sur:20210308:sunshuttle:a45d8a5, author = {Suvaditya Sur}, title = {{Sunshuttle Malware}}, date = {2021-03-08}, organization = {x0r19x91.gitlab.io}, url = {https://x0r19x91.gitlab.io/post/malware-analysis/sunshuttle/}, language = {English}, urldate = {2021-03-11} } Sunshuttle Malware
GoldMax
2021-03-07InfoSec Handlers Diary BlogDidier Stevens
@online{stevens:20210307:pcaps:980212d, author = {Didier Stevens}, title = {{PCAPs and Beacons}}, date = {2021-03-07}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/27176}, language = {English}, urldate = {2021-03-11} } PCAPs and Beacons
Cobalt Strike
2021-03-04MicrosoftRamin Nafisi, Andrea Lelli, Microsoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Threat Intelligence Team
@online{nafisi:20210304:goldmax:3fa3f68, author = {Ramin Nafisi and Andrea Lelli and Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Threat Intelligence Team}, title = {{GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence}}, date = {2021-03-04}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware}, language = {English}, urldate = {2021-03-06} } GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence
SUNBURST TEARDROP UNC2452
2021-03-04MicrosoftRamin Nafisi, Andrea Lelli
@online{nafisi:20210304:goldmax:f699172, author = {Ramin Nafisi and Andrea Lelli}, title = {{GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence}}, date = {2021-03-04}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/}, language = {English}, urldate = {2021-03-07} } GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence
GoldMax
2021-03-04FireEyeLindsay Smith, Jonathan Leathery, Ben Read
@online{smith:20210304:new:53f1d8d, author = {Lindsay Smith and Jonathan Leathery and Ben Read}, title = {{New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452}}, date = {2021-03-04}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html}, language = {English}, urldate = {2021-03-06} } New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452
UNC2452
2021-03-01Medium walmartglobaltechJoshua Platt, Jason Reaves
@online{platt:20210301:nimar:c26af08, author = {Joshua Platt and Jason Reaves}, title = {{Nimar Loader}}, date = {2021-03-01}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e}, language = {English}, urldate = {2021-03-04} } Nimar Loader
BazarBackdoor BazarNimrod Cobalt Strike
2021-03-01Medium walmartglobaltechJoshua Platt, Jason Reaves
@online{platt:20210301:investigation:a7851d5, author = {Joshua Platt and Jason Reaves}, title = {{Investigation into the state of Nim malware}}, date = {2021-03-01}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811}, language = {English}, urldate = {2021-03-04} } Investigation into the state of Nim malware
BazarNimrod Cobalt Strike
2021-03-01MicrosoftMicrosoft
@online{microsoft:20210301:detect:330c71c, author = {Microsoft}, title = {{Detect and defend against the recent nation-state cyber attack}}, date = {2021-03-01}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/business/threat-protection/solorigate-detection-guidance}, language = {English}, urldate = {2021-03-04} } Detect and defend against the recent nation-state cyber attack
SUNBURST
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2021-02-26CrowdStrikeEric Loui, Sergei Frankoff
@online{loui:20210226:hypervisor:8dadf9c, author = {Eric Loui and Sergei Frankoff}, title = {{Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact}}, date = {2021-02-26}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout}, language = {English}, urldate = {2021-05-26} } Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
DarkSide RansomEXX Griffon Carbanak Cobalt Strike DarkSide IcedID MimiKatz PyXie RansomEXX REvil
2021-02-26YouTube (Oversight Committee)Oversight Committee
@online{committee:20210226:weathering:6dfb09f, author = {Oversight Committee}, title = {{Weathering the Storm: The Role of Private Tech in the SolarWinds Breach and Ongoing Campaign}}, date = {2021-02-26}, organization = {YouTube (Oversight Committee)}, url = {https://www.youtube.com/watch?v=dV2QTLSecpc}, language = {English}, urldate = {2021-03-25} } Weathering the Storm: The Role of Private Tech in the SolarWinds Breach and Ongoing Campaign
SUNBURST
2021-02-25MicrosoftMicrosoft Identity Security Team
@online{team:20210225:microsoft:bd11fce, author = {Microsoft Identity Security Team}, title = {{Microsoft open sources CodeQL queries used to hunt for Solorigate activity}}, date = {2021-02-25}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/02/25/microsoft-open-sources-codeql-queries-used-to-hunt-for-solorigate-activity/}, language = {English}, urldate = {2021-02-25} } Microsoft open sources CodeQL queries used to hunt for Solorigate activity
SUNBURST
2021-02-25MicrosoftMicrosoft
@online{microsoft:20210225:codeql:a43a525, author = {Microsoft}, title = {{CodeQL queries to hunt for Solorigate activity}}, date = {2021-02-25}, organization = {Microsoft}, url = {https://github.com/github/codeql/tree/main/csharp/ql/src/experimental/Security%20Features/campaign}, language = {English}, urldate = {2021-02-25} } CodeQL queries to hunt for Solorigate activity
SUNBURST
2021-02-25BrightTALK (FireEye)Andrew Rector, Matt Bromiley, Mandiant
@online{rector:20210225:light:005aa58, author = {Andrew Rector and Matt Bromiley and Mandiant}, title = {{Light in the Dark: Hunting for SUNBURST}}, date = {2021-02-25}, organization = {BrightTALK (FireEye)}, url = {https://www.brighttalk.com/webcast/7451/469525}, language = {English}, urldate = {2021-02-20} } Light in the Dark: Hunting for SUNBURST
SUNBURST
2021-02-25FireEyeBryce Abdo, Brendan McKeague, Van Ta
@online{abdo:20210225:so:88f3400, author = {Bryce Abdo and Brendan McKeague and Van Ta}, title = {{So Unchill: Melting UNC2198 ICEDID to Ransomware Operations}}, date = {2021-02-25}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html}, language = {English}, urldate = {2021-03-02} } So Unchill: Melting UNC2198 ICEDID to Ransomware Operations
MOUSEISLAND Cobalt Strike Egregor IcedID Maze SystemBC
2021-02-24Github (AmnestyTech)Amnesty International
@online{international:20210224:overview:95b80e0, author = {Amnesty International}, title = {{Overview of Ocean Lotus Samples used to target Vietnamese Human Rights Defenders}}, date = {2021-02-24}, organization = {Github (AmnestyTech)}, url = {https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam}, language = {English}, urldate = {2021-02-25} } Overview of Ocean Lotus Samples used to target Vietnamese Human Rights Defenders
OceanLotus Cobalt Strike KerrDown
2021-02-24Bleeping ComputerSergiu Gatlan
@online{gatlan:20210224:nasa:646b084, author = {Sergiu Gatlan}, title = {{NASA and the FAA were also breached by the SolarWinds hackers}}, date = {2021-02-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/nasa-and-the-faa-were-also-breached-by-the-solarwinds-hackers/}, language = {English}, urldate = {2021-02-25} } NASA and the FAA were also breached by the SolarWinds hackers
SUNBURST
2021-02-24VMWare Carbon BlackTakahiro Haruyama
@techreport{haruyama:20210224:knock:f4903a2, author = {Takahiro Haruyama}, title = {{Knock, knock, Neo. - Active C2 Discovery Using Protocol Emulation}}, date = {2021-02-24}, institution = {VMWare Carbon Black}, url = {https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_201_haruyama_jp.pdf}, language = {Japanese}, urldate = {2021-02-26} } Knock, knock, Neo. - Active C2 Discovery Using Protocol Emulation
Cobalt Strike
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-19THE NEW STACKLior Sonntag, Dror Alon
@online{sonntag:20210219:behind:a40f5e6, author = {Lior Sonntag and Dror Alon}, title = {{Behind the Scenes of the SunBurst Attack}}, date = {2021-02-19}, organization = {THE NEW STACK}, url = {https://thenewstack.io/behind-the-scenes-of-the-sunburst-attack/}, language = {English}, urldate = {2021-02-20} } Behind the Scenes of the SunBurst Attack
SUNBURST
2021-02-17apirroAriel Levy
@online{levy:20210217:detect:e5bdc1b, author = {Ariel Levy}, title = {{Detect and prevent the SolarWinds build-time code injection attack}}, date = {2021-02-17}, organization = {apirro}, url = {https://blog.apiiro.com/detect-and-prevent-the-solarwinds-build-time-code-injection-attack}, language = {English}, urldate = {2021-02-20} } Detect and prevent the SolarWinds build-time code injection attack
SUNBURST
2021-02-17YouTube (The White House)Anne Neuberger
@online{neuberger:20210217:update:f24ad1e, author = {Anne Neuberger}, title = {{Update on Investigaton on Solarwinds supply chain attack from the Deputy National Security Advisor}}, date = {2021-02-17}, organization = {YouTube (The White House)}, url = {https://youtu.be/Ta_vatZ24Cs?t=59}, language = {English}, urldate = {2021-02-18} } Update on Investigaton on Solarwinds supply chain attack from the Deputy National Security Advisor
SUNBURST
2021-02-17NetresecErik Hjelmvik
@online{hjelmvik:20210217:targeting:6deceed, author = {Erik Hjelmvik}, title = {{Targeting Process for the SolarWinds Backdoor}}, date = {2021-02-17}, organization = {Netresec}, url = {https://netresec.com/?b=212a6ad}, language = {English}, urldate = {2021-02-18} } Targeting Process for the SolarWinds Backdoor
SUNBURST
2021-02-16AccentureAlexandrea Berninger
@online{berninger:20210216:hard:55e809e, author = {Alexandrea Berninger}, title = {{Hard lessons learned: Threat intel takeaways from the community response to Solarigate}}, date = {2021-02-16}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/threat-intel-takeaways-solarigate}, language = {English}, urldate = {2021-02-20} } Hard lessons learned: Threat intel takeaways from the community response to Solarigate
SUNBURST TEARDROP
2021-02-16FireEyeMatt Bromiley, Andrew Rector, Robert Wallace
@online{bromiley:20210216:light:5541ad4, author = {Matt Bromiley and Andrew Rector and Robert Wallace}, title = {{Light in the Dark: Hunting for SUNBURST}}, date = {2021-02-16}, organization = {FireEye}, url = {https://www.fireeye.com/blog/products-and-services/2021/02/light-in-the-dark-hunting-for-sunburst.html}, language = {English}, urldate = {2021-02-20} } Light in the Dark: Hunting for SUNBURST
SUNBURST
2021-02-11Twitter (@TheDFIRReport)The DFIR Report
@online{report:20210211:hancitor:9fa527e, author = {The DFIR Report}, title = {{Tweet on Hancitor Activity followed by cobaltsrike beacon}}, date = {2021-02-11}, organization = {Twitter (@TheDFIRReport)}, url = {https://twitter.com/TheDFIRReport/status/1359669513520873473}, language = {English}, urldate = {2021-02-18} } Tweet on Hancitor Activity followed by cobaltsrike beacon
Cobalt Strike Hancitor
2021-02-09Cobalt StrikeRaphael Mudge
@online{mudge:20210209:learn:c08b657, author = {Raphael Mudge}, title = {{Learn Pipe Fitting for all of your Offense Projects}}, date = {2021-02-09}, organization = {Cobalt Strike}, url = {https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/}, language = {English}, urldate = {2021-02-10} } Learn Pipe Fitting for all of your Offense Projects
Cobalt Strike
2021-02-09SecurehatSecurehat
@online{securehat:20210209:extracting:0f4ae2f, author = {Securehat}, title = {{Extracting the Cobalt Strike Config from a TEARDROP Loader}}, date = {2021-02-09}, organization = {Securehat}, url = {https://blog.securehat.co.uk/malware-analysis/extracting-the-cobalt-strike-config-from-a-teardrop-loader}, language = {English}, urldate = {2021-02-10} } Extracting the Cobalt Strike Config from a TEARDROP Loader
Cobalt Strike TEARDROP
2021-02-08US-CERTUS-CERT
@online{uscert:20210208:malware:f32efbc, author = {US-CERT}, title = {{Malware Analysis Report (AR21-039B): MAR-10320115-1.v1 - TEARDROP}}, date = {2021-02-08}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b}, language = {English}, urldate = {2021-02-09} } Malware Analysis Report (AR21-039B): MAR-10320115-1.v1 - TEARDROP
TEARDROP
2021-02-08US-CERTUS-CERT
@online{uscert:20210208:malware:3a963a6, author = {US-CERT}, title = {{Malware Analysis Report (AR21-039A): SUNBURST}}, date = {2021-02-08}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a}, language = {English}, urldate = {2021-02-09} } Malware Analysis Report (AR21-039A): SUNBURST
SUNBURST
2021-02-03InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20210203:excel:8e949c9, author = {Brad Duncan}, title = {{Excel spreadsheets push SystemBC malware}}, date = {2021-02-03}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/}, language = {English}, urldate = {2021-02-04} } Excel spreadsheets push SystemBC malware
Cobalt Strike SystemBC
2021-02-02Committee to Protect JournalistsMadeline Earp
@online{earp:20210202:how:923f969, author = {Madeline Earp}, title = {{How Vietnam-based hacking operation OceanLotus targets journalists}}, date = {2021-02-02}, organization = {Committee to Protect Journalists}, url = {https://cpj.org/2021/02/vietnam-based-hacking-oceanlotus-targets-journalists}, language = {English}, urldate = {2021-02-04} } How Vietnam-based hacking operation OceanLotus targets journalists
Cobalt Strike
2021-02-02CRONUPGermán Fernández
@online{fernndez:20210202:de:6ff4f3a, author = {Germán Fernández}, title = {{De ataque con Malware a incidente de Ransomware}}, date = {2021-02-02}, organization = {CRONUP}, url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware}, language = {Spanish}, urldate = {2021-03-02} } De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2021-02-02Twitter (@TheDFIRReport)The DFIR Report
@online{report:20210202:recent:5272ed0, author = {The DFIR Report}, title = {{Tweet on recent dridex post infection activity}}, date = {2021-02-02}, organization = {Twitter (@TheDFIRReport)}, url = {https://twitter.com/TheDFIRReport/status/1356729371931860992}, language = {English}, urldate = {2021-02-04} } Tweet on recent dridex post infection activity
Cobalt Strike Dridex
2021-02-01pkb1s.github.ioPetros Koutroumpis
@online{koutroumpis:20210201:relay:596413f, author = {Petros Koutroumpis}, title = {{Relay Attacks via Cobalt Strike Beacons}}, date = {2021-02-01}, organization = {pkb1s.github.io}, url = {https://pkb1s.github.io/Relay-attacks-via-Cobalt-Strike-beacons/}, language = {English}, urldate = {2021-02-04} } Relay Attacks via Cobalt Strike Beacons
Cobalt Strike
2021-02-01AhnLabASEC Analysis Team
@online{team:20210201:bluecrab:df21c0a, author = {ASEC Analysis Team}, title = {{BlueCrab ransomware, CobaltStrike hacking tool installed in corporate environment}}, date = {2021-02-01}, organization = {AhnLab}, url = {https://asec.ahnlab.com/ko/19860/}, language = {English}, urldate = {2021-02-06} } BlueCrab ransomware, CobaltStrike hacking tool installed in corporate environment
Cobalt Strike REvil
2021-01-31The DFIR ReportThe DFIR Report
@online{report:20210131:bazar:c3b3859, author = {The DFIR Report}, title = {{Bazar, No Ryuk?}}, date = {2021-01-31}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/01/31/bazar-no-ryuk/}, language = {English}, urldate = {2021-02-02} } Bazar, No Ryuk?
BazarBackdoor Cobalt Strike Ryuk
2021-01-29AonPartha Alwar, Carly Battaile, Alex Parsons
@online{alwar:20210129:cloudy:e701758, author = {Partha Alwar and Carly Battaile and Alex Parsons}, title = {{Cloudy with a Chance of Persistent Email Access}}, date = {2021-01-29}, organization = {Aon}, url = {https://www.aon.com/cyber-solutions/aon_cyber_labs/cloudy-with-a-chance-of-persistent-email-access/}, language = {English}, urldate = {2021-02-09} } Cloudy with a Chance of Persistent Email Access
SUNBURST
2021-01-28TrustedSecAdam Chester
@online{chester:20210128:tailoring:d3f973c, author = {Adam Chester}, title = {{Tailoring Cobalt Strike on Target}}, date = {2021-01-28}, organization = {TrustedSec}, url = {https://www.trustedsec.com/blog/tailoring-cobalt-strike-on-target/}, language = {English}, urldate = {2021-01-29} } Tailoring Cobalt Strike on Target
Cobalt Strike
2021-01-28Check PointLior Sonntag
@online{sonntag:20210128:deep:99eb275, author = {Lior Sonntag}, title = {{Deep into the SunBurst Attack}}, date = {2021-01-28}, organization = {Check Point}, url = {https://research.checkpoint.com/2021/deep-into-the-sunburst-attack/}, language = {English}, urldate = {2021-02-02} } Deep into the SunBurst Attack
SUNBURST
2021-01-28AhnLabASEC Analysis Team
@online{team:20210128:bluecrab:44d2e64, author = {ASEC Analysis Team}, title = {{BlueCrab ransomware constantly trying to bypass detection}}, date = {2021-01-28}, organization = {AhnLab}, url = {https://asec.ahnlab.com/ko/19640/}, language = {Korean}, urldate = {2021-02-04} } BlueCrab ransomware constantly trying to bypass detection
Cobalt Strike REvil
2021-01-28YouTube (Microsoft Security Community)Microsoft
@online{microsoft:20210128:microsoft:9c8f303, author = {Microsoft}, title = {{Microsoft 365 Defender webinar: Protect, Detect, and Respond to Solorigate using M365 Defender}}, date = {2021-01-28}, organization = {YouTube (Microsoft Security Community)}, url = {https://www.youtube.com/watch?v=-Vsgmw2G4Wo}, language = {English}, urldate = {2021-03-19} } Microsoft 365 Defender webinar: Protect, Detect, and Respond to Solorigate using M365 Defender
SUNBURST
2021-01-26Twitter (@swisscom_csirt)Swisscom CSIRT
@online{csirt:20210126:cring:f12c487, author = {Swisscom CSIRT}, title = {{Tweet on Cring Ransomware groups using customized Mimikatz sample followed by CobaltStrike and dropping Cring rasomware}}, date = {2021-01-26}, organization = {Twitter (@swisscom_csirt)}, url = {https://twitter.com/swisscom_csirt/status/1354052879158571008}, language = {English}, urldate = {2021-01-27} } Tweet on Cring Ransomware groups using customized Mimikatz sample followed by CobaltStrike and dropping Cring rasomware
Cobalt Strike Cring MimiKatz
2021-01-26Bleeping ComputerSergiu Gatlan
@online{gatlan:20210126:mimecast:ef80465, author = {Sergiu Gatlan}, title = {{Mimecast links security breach to SolarWinds hackers}}, date = {2021-01-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/mimecast-links-security-breach-to-solarwinds-hackers/}, language = {English}, urldate = {2021-01-27} } Mimecast links security breach to SolarWinds hackers
SUNBURST
2021-01-26Kaspersky LabsKaspersky Lab ICS CERT
@online{cert:20210126:sunburst:0170800, author = {Kaspersky Lab ICS CERT}, title = {{SunBurst industrial victims}}, date = {2021-01-26}, organization = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/reports/2021/01/26/sunburst-industrial-victims/}, language = {English}, urldate = {2021-01-27} } SunBurst industrial victims
SUNBURST
2021-01-26FidelisChris Kubic
@online{kubic:20210126:ongoing:c57f443, author = {Chris Kubic}, title = {{Ongoing Analysis of SolarWinds Impacts}}, date = {2021-01-26}, organization = {Fidelis}, url = {https://fidelissecurity.com/threatgeek/data-protection/ongoing-analysis-solarwinds-impact/}, language = {English}, urldate = {2021-01-27} } Ongoing Analysis of SolarWinds Impacts
SUNBURST
2021-01-26MimecastMimecast Contributing Writer
@online{writer:20210126:important:b395e4f, author = {Mimecast Contributing Writer}, title = {{Important Security Update}}, date = {2021-01-26}, organization = {Mimecast}, url = {https://www.mimecast.com/blog/important-security-update/}, language = {English}, urldate = {2021-01-27} } Important Security Update
SUNBURST
2021-01-25NetresecErik Hjelmvik
@online{hjelmvik:20210125:twentythree:d3fad49, author = {Erik Hjelmvik}, title = {{Twenty-three SUNBURST Targets Identified}}, date = {2021-01-25}, organization = {Netresec}, url = {https://netresec.com/?b=211cd21}, language = {English}, urldate = {2021-01-25} } Twenty-three SUNBURST Targets Identified
SUNBURST
2021-01-25ZenGoTal Be'ery
@online{beery:20210125:ungilded:97355a8, author = {Tal Be'ery}, title = {{Ungilded Secrets: A New Paradigm for Key Security}}, date = {2021-01-25}, organization = {ZenGo}, url = {https://zengo.com/ungilded-secrets-a-new-paradigm-for-key-security/}, language = {English}, urldate = {2021-01-26} } Ungilded Secrets: A New Paradigm for Key Security
SUNBURST
2021-01-24Medium vrieshdVriesHD
@online{vrieshd:20210124:finding:ef9bdc1, author = {VriesHD}, title = {{Finding SUNBURST victims and targets by using passive DNS, OSINT}}, date = {2021-01-24}, organization = {Medium vrieshd}, url = {https://vrieshd.medium.com/finding-sunburst-victims-and-targets-by-using-passivedns-osint-68f5704a3cdc}, language = {English}, urldate = {2021-01-25} } Finding SUNBURST victims and targets by using passive DNS, OSINT
SUNBURST
2021-01-22SymantecThreat Hunter Team
@online{team:20210122:solarwinds:b82c2df, author = {Threat Hunter Team}, title = {{SolarWinds: How Sunburst Sends Data Back to the Attackers}}, date = {2021-01-22}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-sunburst-sending-data}, language = {English}, urldate = {2021-01-25} } SolarWinds: How Sunburst Sends Data Back to the Attackers
SUNBURST
2021-01-22DomainToolsJoe Slowik
@online{slowik:20210122:change:ed52aef, author = {Joe Slowik}, title = {{Change in Perspective on the Utility of SUNBURST-related Network Indicators}}, date = {2021-01-22}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/change-in-perspective-on-the-utility-of-sunburst-related-network-indicators#}, language = {English}, urldate = {2021-01-25} } Change in Perspective on the Utility of SUNBURST-related Network Indicators
SUNBURST
2021-01-20MicrosoftMicrosoft 365 Defender Research Team, Microsoft Threat Intelligence Center (MSTIC), Microsoft Cyber Defense Operations Center (CDOC)
@online{team:20210120:deep:1cc0551, author = {Microsoft 365 Defender Research Team and Microsoft Threat Intelligence Center (MSTIC) and Microsoft Cyber Defense Operations Center (CDOC)}, title = {{Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop}}, date = {2021-01-20}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/}, language = {English}, urldate = {2021-01-21} } Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop
Cobalt Strike SUNBURST TEARDROP
2021-01-19Github (fireeye)FireEye
@online{fireeye:20210119:mandiant:26223c8, author = {FireEye}, title = {{Mandiant Azure AD Investigator: Focusing on UNC2452 TTPs}}, date = {2021-01-19}, organization = {Github (fireeye)}, url = {https://github.com/fireeye/Mandiant-Azure-AD-Investigator}, language = {English}, urldate = {2021-01-21} } Mandiant Azure AD Investigator: Focusing on UNC2452 TTPs
SUNBURST
2021-01-18SymantecThreat Hunter Team
@online{team:20210118:raindrop:9ab1262, author = {Threat Hunter Team}, title = {{Raindrop: New Malware Discovered in SolarWinds Investigation}}, date = {2021-01-18}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware}, language = {English}, urldate = {2021-01-21} } Raindrop: New Malware Discovered in SolarWinds Investigation
Cobalt Strike Raindrop SUNBURST TEARDROP
2021-01-17a12d404Markus Piéton
@online{piton:20210117:backdooring:fa3eabe, author = {Markus Piéton}, title = {{Backdooring MSBuild}}, date = {2021-01-17}, organization = {a12d404}, url = {https://www.a12d404.net/ranting/2021/01/17/msbuild-backdoor.html}, language = {English}, urldate = {2021-01-21} } Backdooring MSBuild
SUNBURST
2021-01-17Twitter (@AltShiftPrtScn)Peter Mackenzie
@online{mackenzie:20210117:conti:db7f1cb, author = {Peter Mackenzie}, title = {{Tweet on Conti Ransomware group exploiting FortiGate VPNs to drop in CobaltStrike loaders}}, date = {2021-01-17}, organization = {Twitter (@AltShiftPrtScn)}, url = {https://twitter.com/AltShiftPrtScn/status/1350755169965924352}, language = {English}, urldate = {2021-01-21} } Tweet on Conti Ransomware group exploiting FortiGate VPNs to drop in CobaltStrike loaders
Cobalt Strike Conti
2021-01-15SymantecThreat Hunter Team
@online{team:20210115:solarwinds:46d0db6, author = {Threat Hunter Team}, title = {{SolarWinds: Insights into Attacker Command and Control Process}}, date = {2021-01-15}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-sunburst-command-control}, language = {English}, urldate = {2021-01-21} } SolarWinds: Insights into Attacker Command and Control Process
SUNBURST
2021-01-15Medium DansecDan Lussier
@online{lussier:20210115:detecting:fecd6c3, author = {Dan Lussier}, title = {{Detecting Malicious C2 Activity -SpawnAs & SMB Lateral Movement in CobaltStrike}}, date = {2021-01-15}, organization = {Medium Dansec}, url = {https://dansec.medium.com/detecting-malicious-c2-activity-spawnas-smb-lateral-movement-in-cobaltstrike-9d518e68b64}, language = {English}, urldate = {2021-01-21} } Detecting Malicious C2 Activity -SpawnAs & SMB Lateral Movement in CobaltStrike
Cobalt Strike
2021-01-14DomainToolsJoe Slowik
@online{slowik:20210114:devils:ce9d4c8, author = {Joe Slowik}, title = {{The Devil’s in the Details: SUNBURST Attribution}}, date = {2021-01-14}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/the-devils-in-the-details-sunburst-attribution}, language = {English}, urldate = {2021-01-18} } The Devil’s in the Details: SUNBURST Attribution
SUNBURST
2021-01-14MicrosoftMicrosoft 365 Defender Team
@online{team:20210114:increasing:dc031fe, author = {Microsoft 365 Defender Team}, title = {{Increasing resilience against Solorigate and other sophisticated attacks with Microsoft Defender}}, date = {2021-01-14}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/01/14/increasing-resilience-against-solorigate-and-other-sophisticated-attacks-with-microsoft-defender/}, language = {English}, urldate = {2021-01-18} } Increasing resilience against Solorigate and other sophisticated attacks with Microsoft Defender
SUNBURST
2021-01-14PTSecurityPT ESC Threat Intelligence
@online{intelligence:20210114:higaisa:4676ec7, author = {PT ESC Threat Intelligence}, title = {{Higaisa or Winnti? APT41 backdoors, old and new}}, date = {2021-01-14}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/}, language = {English}, urldate = {2021-02-09} } Higaisa or Winnti? APT41 backdoors, old and new
Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad
2021-01-12BrightTALK (FireEye)Ben Read, John Hultquist
@online{read:20210112:unc2452:6e54c6c, author = {Ben Read and John Hultquist}, title = {{UNC2452: What We Know So Far}}, date = {2021-01-12}, organization = {BrightTALK (FireEye)}, url = {https://www.brighttalk.com/webcast/7451/462719}, language = {English}, urldate = {2021-01-18} } UNC2452: What We Know So Far
Cobalt Strike SUNBURST TEARDROP
2021-01-12Fox-ITWouter Jansen
@online{jansen:20210112:abusing:c38eeb6, author = {Wouter Jansen}, title = {{Abusing cloud services to fly under the radar}}, date = {2021-01-12}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/}, language = {English}, urldate = {2021-01-18} } Abusing cloud services to fly under the radar
Cobalt Strike
2021-01-11Kaspersky LabsGeorgy Kucherin, Igor Kuznetsov, Costin Raiu
@online{kucherin:20210111:sunburst:a4ecf12, author = {Georgy Kucherin and Igor Kuznetsov and Costin Raiu}, title = {{Sunburst backdoor – code overlaps with Kazuar}}, date = {2021-01-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/sunburst-backdoor-kazuar/99981/}, language = {English}, urldate = {2021-01-11} } Sunburst backdoor – code overlaps with Kazuar
Kazuar SUNBURST
2021-01-11The DFIR ReportThe DFIR Report
@online{report:20210111:trickbot:d1011f9, author = {The DFIR Report}, title = {{Trickbot Still Alive and Well}}, date = {2021-01-11}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/}, language = {English}, urldate = {2021-01-11} } Trickbot Still Alive and Well
Cobalt Strike TrickBot
2021-01-11SolarWindsSudhakar Ramakrishna
@online{ramakrishna:20210111:new:296b621, author = {Sudhakar Ramakrishna}, title = {{New Findings From Our Investigation of SUNBURST}}, date = {2021-01-11}, organization = {SolarWinds}, url = {https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/}, language = {English}, urldate = {2021-01-18} } New Findings From Our Investigation of SUNBURST
Cobalt Strike SUNBURST TEARDROP
2021-01-11CrowdStrikeCrowdStrike Intelligence Team
@online{team:20210111:sunspot:70e8a4c, author = {CrowdStrike Intelligence Team}, title = {{SUNSPOT: An Implant in the Build Process}}, date = {2021-01-11}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/}, language = {English}, urldate = {2021-01-21} } SUNSPOT: An Implant in the Build Process
SUNBURST
2021-01-11NetresecErik Hjelmvik
@online{hjelmvik:20210111:robust:5683220, author = {Erik Hjelmvik}, title = {{Robust Indicators of Compromise for SUNBURST}}, date = {2021-01-11}, organization = {Netresec}, url = {https://netresec.com/?b=211f30f}, language = {English}, urldate = {2021-01-21} } Robust Indicators of Compromise for SUNBURST
SUNBURST
2021-01-10Medium walmartglobaltechJason Reaves
@online{reaves:20210110:man1:54a4162, author = {Jason Reaves}, title = {{MAN1, Moskal, Hancitor and a side of Ransomware}}, date = {2021-01-10}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618}, language = {English}, urldate = {2021-01-11} } MAN1, Moskal, Hancitor and a side of Ransomware
Cobalt Strike Hancitor SendSafe VegaLocker
2021-01-09Marco Ramilli's BlogMarco Ramilli
@online{ramilli:20210109:command:d720b27, author = {Marco Ramilli}, title = {{Command and Control Traffic Patterns}}, date = {2021-01-09}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/}, language = {English}, urldate = {2021-05-17} } Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot
2021-01-09Connor McGarr's BlogConnor McGarr
@online{mcgarr:20210109:malware:dde1353, author = {Connor McGarr}, title = {{Malware Development: Leveraging Beacon Object Files for Remote Process Injection via Thread Hijacking}}, date = {2021-01-09}, organization = {Connor McGarr's Blog}, url = {https://connormcgarr.github.io/thread-hijacking/}, language = {English}, urldate = {2021-01-11} } Malware Development: Leveraging Beacon Object Files for Remote Process Injection via Thread Hijacking
Cobalt Strike
2021-01-08US-CERTUS-CERT
@online{uscert:20210108:alert:874cda9, author = {US-CERT}, title = {{Alert (AA21-008A): Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments}}, date = {2021-01-08}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa21-008a}, language = {English}, urldate = {2021-01-11} } Alert (AA21-008A): Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments
SUNBURST SUPERNOVA
2021-01-08splunkMarcus LaFerrera, John Stoner, Lily Lee, James Brodsky, Ryan Kovar
@online{laferrera:20210108:golden:d31442a, author = {Marcus LaFerrera and John Stoner and Lily Lee and James Brodsky and Ryan Kovar}, title = {{A Golden SAML Journey: SolarWinds Continued}}, date = {2021-01-08}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html}, language = {English}, urldate = {2021-01-11} } A Golden SAML Journey: SolarWinds Continued
SUNBURST
2021-01-07Recorded FutureInsikt Group®
@techreport{group:20210107:aversary:9771829, author = {Insikt Group®}, title = {{Aversary Infrastructure Report 2020: A Defender's View}}, date = {2021-01-07}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf}, language = {English}, urldate = {2021-01-11} } Aversary Infrastructure Report 2020: A Defender's View
Octopus pupy Cobalt Strike Empire Downloader Meterpreter PoshC2
2021-01-07SymantecThreat Hunter Team
@online{team:20210107:solarwinds:29f7094, author = {Threat Hunter Team}, title = {{SolarWinds: How a Rare DGA Helped Attacker Communications Fly Under the Radar}}, date = {2021-01-07}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-unique-dga}, language = {English}, urldate = {2021-01-11} } SolarWinds: How a Rare DGA Helped Attacker Communications Fly Under the Radar
SUNBURST
2021-01-07TRUESECSebastian Olsson
@online{olsson:20210107:avoiding:e492089, author = {Sebastian Olsson}, title = {{Avoiding supply-chain attacks similar to SolarWinds Orion’s (SUNBURST)}}, date = {2021-01-07}, organization = {TRUESEC}, url = {https://blog.truesec.com/2021/01/07/avoiding-supply-chain-attacks-similar-to-solarwinds-orions-sunburst}, language = {English}, urldate = {2021-01-11} } Avoiding supply-chain attacks similar to SolarWinds Orion’s (SUNBURST)
SUNBURST
2021-01-06Department of JusticeDepartment of Justice
@online{justice:20210106:department:b7e85eb, author = {Department of Justice}, title = {{Department of Justice Statement on Solarwinds Update}}, date = {2021-01-06}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/department-justice-statement-solarwinds-update}, language = {English}, urldate = {2021-01-11} } Department of Justice Statement on Solarwinds Update
SUNBURST
2021-01-06Github (SentinelLabs)SentinelLabs
@online{sentinellabs:20210106:solarwindscountermeasures:c2aa91e, author = {SentinelLabs}, title = {{SolarWinds_Countermeasures}}, date = {2021-01-06}, organization = {Github (SentinelLabs)}, url = {https://github.com/SentineLabs/SolarWinds_Countermeasures}, language = {English}, urldate = {2021-01-11} } SolarWinds_Countermeasures
SUNBURST
2021-01-06CISAUS-CERT
@online{uscert:20210106:supply:e8f4577, author = {US-CERT}, title = {{Supply Chain Compromise}}, date = {2021-01-06}, organization = {CISA}, url = {https://www.cisa.gov/supply-chain-compromise}, language = {English}, urldate = {2021-03-19} } Supply Chain Compromise
SUNBURST
2021-01-06Red CanaryTony Lambert
@online{lambert:20210106:hunting:272410b, author = {Tony Lambert}, title = {{Hunting for GetSystem in offensive security tools}}, date = {2021-01-06}, organization = {Red Canary}, url = {https://redcanary.com/blog/getsystem-offsec/}, language = {English}, urldate = {2021-01-11} } Hunting for GetSystem in offensive security tools
Cobalt Strike Empire Downloader Meterpreter PoshC2
2021-01-06MITREMITRE ATT&CK
@online{attck:20210106:attck:841bad7, author = {MITRE ATT&CK}, title = {{ATT&CK Navigator layer for UNC2452}}, date = {2021-01-06}, organization = {MITRE}, url = {https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/center-for-threat-informed-defense/public-resources/master/solorigate/UNC2452.json}, language = {English}, urldate = {2021-01-11} } ATT&CK Navigator layer for UNC2452
SUNBURST
2021-01-05SangforClairvoyance Safety Laboratory
@online{laboratory:20210105:red:9ddfb7a, author = {Clairvoyance Safety Laboratory}, title = {{Red team's perspective on the TTPs in Sunburst's backdoor}}, date = {2021-01-05}, organization = {Sangfor}, url = {https://www.4hou.com/posts/KzZR}, language = {Chinese}, urldate = {2021-01-11} } Red team's perspective on the TTPs in Sunburst's backdoor
SUNBURST
2021-01-05Trend MicroTrend Micro Research
@online{research:20210105:earth:d7bb547, author = {Trend Micro Research}, title = {{Earth Wendigo Injects JavaScript Backdoor to Service Worker for Mailbox Exfiltration}}, date = {2021-01-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html}, language = {English}, urldate = {2021-01-10} } Earth Wendigo Injects JavaScript Backdoor to Service Worker for Mailbox Exfiltration
Cobalt Strike
2021-01-04Twitter (@TheEnergyStory)Dominik Reichel
@online{reichel:20210104:some:9e72d62, author = {Dominik Reichel}, title = {{Some small detail on compiler used for TEARDROP}}, date = {2021-01-04}, organization = {Twitter (@TheEnergyStory)}, url = {https://twitter.com/TheEnergyStory/status/1346096298311741440}, language = {English}, urldate = {2021-01-11} } Some small detail on compiler used for TEARDROP
TEARDROP
2021-01-04Medium haggis-mMichael Haag
@online{haag:20210104:malleable:ab64356, author = {Michael Haag}, title = {{Malleable C2 Profiles and You}}, date = {2021-01-04}, organization = {Medium haggis-m}, url = {https://haggis-m.medium.com/malleable-c2-profiles-and-you-7c7ab43e7929}, language = {English}, urldate = {2021-01-05} } Malleable C2 Profiles and You
Cobalt Strike
2021-01-04NetresecErik Hjelmvik
@online{hjelmvik:20210104:finding:d869bd9, author = {Erik Hjelmvik}, title = {{Finding Targeted SUNBURST Victims with pDNS}}, date = {2021-01-04}, organization = {Netresec}, url = {https://netresec.com/?b=2113a6a}, language = {English}, urldate = {2021-01-05} } Finding Targeted SUNBURST Victims with pDNS
SUNBURST
2021MandiantMandiant
@online{mandiant:2021:mtrends:4d981a4, author = {Mandiant}, title = {{M-TRENDS 2021}}, date = {2021}, organization = {Mandiant}, url = {https://www.mandiant.com/media/10916/download}, language = {English}, urldate = {2021-11-02} } M-TRENDS 2021
Cobalt Strike SUNBURST
2021TalosTalos Incident Response
@techreport{response:2021:evicting:c795470, author = {Talos Incident Response}, title = {{Evicting Maze}}, date = {2021}, institution = {Talos}, url = {https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/543/original/CTIR_casestudy_1.pdf}, language = {English}, urldate = {2021-05-26} } Evicting Maze
Cobalt Strike Maze
2021Github (WBGlIl)WBGlIl
@online{wbglil:2021:book:7ff34b3, author = {WBGlIl}, title = {{A book on cobaltstrike}}, date = {2021}, organization = {Github (WBGlIl)}, url = {https://wbglil.gitbook.io/cobalt-strike/}, language = {Chinese}, urldate = {2021-11-29} } A book on cobaltstrike
Cobalt Strike
2021TalosTalos Incident Response
@techreport{response:2021:cobalt:f4412fa, author = {Talos Incident Response}, title = {{Cobalt Strikes Out}}, date = {2021}, institution = {Talos}, url = {https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/542/original/CTIR_casestudy_2.pdf}, language = {English}, urldate = {2021-05-26} } Cobalt Strikes Out
Cobalt Strike
2021SecureWorks
@online{secureworks:2021:threat:dbd7ed7, author = {SecureWorks}, title = {{Threat Profile: GOLD DRAKE}}, date = {2021}, url = {http://www.secureworks.com/research/threat-profiles/gold-drake}, language = {English}, urldate = {2021-05-28} } Threat Profile: GOLD DRAKE
Cobalt Strike Dridex FriedEx Koadic MimiKatz WastedLocker Evil Corp
2021SecureworksSecureWorks
@online{secureworks:2021:threat:bce1d06, author = {SecureWorks}, title = {{Threat Profile: GOLD WINTER}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-winter}, language = {English}, urldate = {2021-05-31} } Threat Profile: GOLD WINTER
Cobalt Strike Hades Meterpreter GOLD WINTER
2021DomainToolsJoe Slowik
@techreport{slowik:2021:conceptualizing:3cdf067, author = {Joe Slowik}, title = {{Conceptualizing a Continuum of Cyber Threat Attribution}}, date = {2021}, institution = {DomainTools}, url = {https://www.domaintools.com/content/conceptualizing-a-continuum-of-cyber-threat-attribution.pdf}, language = {English}, urldate = {2021-11-02} } Conceptualizing a Continuum of Cyber Threat Attribution
CHINACHOPPER SUNBURST
2021SecureworksSecureWorks
@online{secureworks:2021:threat:45f61e0, author = {SecureWorks}, title = {{Threat Profile: GOLD WATERFALL}}, date = {2021}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-waterfall}, language = {English}, urldate = {2021-05-31} } Threat Profile: GOLD WATERFALL
Cobalt Strike DarkSide GOLD WATERFALL
2020-12-31IronNetIronNet
@online{ironnet:20201231:solarwindssunburst:1422ef4, author = {IronNet}, title = {{SolarWinds/SUNBURST: Behavioral analytics and Collective Defense in action}}, date = {2020-12-31}, organization = {IronNet}, url = {https://www.ironnet.com/blog/solarwinds/sunburst-behavioral-analytics-and-collective-defense-in-action}, language = {English}, urldate = {2021-01-05} } SolarWinds/SUNBURST: Behavioral analytics and Collective Defense in action
SUNBURST
2020-12-31MicrosoftMSRC Team
@online{team:20201231:microsoft:c94b7aa, author = {MSRC Team}, title = {{Microsoft Internal Solorigate Investigation Update}}, date = {2020-12-31}, organization = {Microsoft}, url = {https://msrc-blog.microsoft.com/2020/12/31/microsoft-internal-solorigate-investigation-update/}, language = {English}, urldate = {2021-01-04} } Microsoft Internal Solorigate Investigation Update
SUNBURST
2020-12-30Recorded FutureJohn Wetzel
@techreport{wetzel:20201230:solarwinds:59c847b, author = {John Wetzel}, title = {{SOLARWINDS ATTRIBUTION: Are We Getting Ahead of Ourselves? An Analysis of UNC2452 Attribution}}, date = {2020-12-30}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/pov-2020-1230.pdf}, language = {English}, urldate = {2021-01-05} } SOLARWINDS ATTRIBUTION: Are We Getting Ahead of Ourselves? An Analysis of UNC2452 Attribution
SUNBURST
2020-12-29CyberArkShaked Reiner
@online{reiner:20201229:golden:8601f2d, author = {Shaked Reiner}, title = {{Golden SAML Revisited: The Solorigate Connection}}, date = {2020-12-29}, organization = {CyberArk}, url = {https://www.cyberark.com/resources/threat-research-blog/golden-saml-revisited-the-solorigate-connection}, language = {English}, urldate = {2021-01-05} } Golden SAML Revisited: The Solorigate Connection
SUNBURST
2020-12-29NetresecErik Hjelmvik
@online{hjelmvik:20201229:extracting:1640842, author = {Erik Hjelmvik}, title = {{Extracting Security Products from SUNBURST DNS Beacons}}, date = {2020-12-29}, organization = {Netresec}, url = {https://www.netresec.com/?page=Blog&month=2020-12&post=Extracting-Security-Products-from-SUNBURST-DNS-Beacons}, language = {English}, urldate = {2021-01-04} } Extracting Security Products from SUNBURST DNS Beacons
SUNBURST
2020-12-28MicrosoftMicrosoft 365 Defender Team
@online{team:20201228:using:f8e8574, author = {Microsoft 365 Defender Team}, title = {{Using Microsoft 365 Defender to protect against Solorigate}}, date = {2020-12-28}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/}, language = {English}, urldate = {2021-01-01} } Using Microsoft 365 Defender to protect against Solorigate
SUNBURST TEARDROP
2020-12-26Medium grimminckStefan Grimminck
@online{grimminck:20201226:spoofing:a0a5622, author = {Stefan Grimminck}, title = {{Spoofing JARM signatures. I am the Cobalt Strike server now!}}, date = {2020-12-26}, organization = {Medium grimminck}, url = {https://grimminck.medium.com/spoofing-jarm-signatures-i-am-the-cobalt-strike-server-now-a27bd549fc6b}, language = {English}, urldate = {2021-01-01} } Spoofing JARM signatures. I am the Cobalt Strike server now!
Cobalt Strike
2020-12-25ComaeMatt Suiche
@online{suiche:20201225:sunburst:4169084, author = {Matt Suiche}, title = {{SUNBURST & Memory Analysis}}, date = {2020-12-25}, organization = {Comae}, url = {https://www.comae.com/posts/sunburst-memory-analysis/}, language = {English}, urldate = {2020-12-26} } SUNBURST & Memory Analysis
SUNBURST
2020-12-24FireEyeStephen Eckels, Jay Smith, William Ballenthin
@online{eckels:20201224:sunburst:3fcb239, author = {Stephen Eckels and Jay Smith and William Ballenthin}, title = {{SUNBURST Additional Technical Details}}, date = {2020-12-24}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/12/sunburst-additional-technical-details.html}, language = {English}, urldate = {2020-12-26} } SUNBURST Additional Technical Details
SUNBURST
2020-12-24Twitter (@TheEnergyStory)Dominik Reichel
@online{reichel:20201224:teardrop:8b014ba, author = {Dominik Reichel}, title = {{Tweet on TEARDROP sample}}, date = {2020-12-24}, organization = {Twitter (@TheEnergyStory)}, url = {https://twitter.com/TheEnergyStory/status/1342041055563313152}, language = {English}, urldate = {2021-01-01} } Tweet on TEARDROP sample
TEARDROP
2020-12-23QianxinQi AnXin CERT
@online{cert:20201223:solarwindsapt:a237c40, author = {Qi AnXin CERT}, title = {{从Solarwinds供应链攻击(金链熊)看APT行动中的隐蔽作战}}, date = {2020-12-23}, organization = {Qianxin}, url = {https://mp.weixin.qq.com/s/UqXC1vovKUu97569LkYm2Q}, language = {Chinese}, urldate = {2020-12-23} } 从Solarwinds供应链攻击(金链熊)看APT行动中的隐蔽作战
SUNBURST
2020-12-23Palo Alto Networks Unit 42Unit 42
@online{42:20201223:timeline:466b51a, author = {Unit 42}, title = {{A Timeline Perspective of the SolarStorm Supply-Chain Attack}}, date = {2020-12-23}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline}, language = {English}, urldate = {2020-12-26} } A Timeline Perspective of the SolarStorm Supply-Chain Attack
SUNBURST TEARDROP
2020-12-23PrevasioSergei Shevchenko
@techreport{shevchenko:20201223:dns:0f3f013, author = {Sergei Shevchenko}, title = {{DNS Tunneling In The SolarWinds Supply Chain Attack}}, date = {2020-12-23}, institution = {Prevasio}, url = {https://prevasio.com/static/web/viewer.html?file=/static/Anatomy_Of_SolarWinds_Supply_Chain_Attack.pdf}, language = {English}, urldate = {2021-01-01} } DNS Tunneling In The SolarWinds Supply Chain Attack
SUNBURST
2020-12-23CrowdStrikeMichael Sentonas
@online{sentonas:20201223:crowdstrike:ee76d67, author = {Michael Sentonas}, title = {{CrowdStrike Launches Free Tool to Identify and Help Mitigate Risks in Azure Active Directory}}, date = {2020-12-23}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/crowdstrike-launches-free-tool-to-identify-and-help-mitigate-risks-in-azure-active-directory/}, language = {English}, urldate = {2021-01-01} } CrowdStrike Launches Free Tool to Identify and Help Mitigate Risks in Azure Active Directory
SUNBURST
2020-12-22CheckpointCheck Point Research
@online{research:20201222:sunburst:f3cfd5f, author = {Check Point Research}, title = {{SUNBURST, TEARDROP and the NetSec New Normal}}, date = {2020-12-22}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/}, language = {English}, urldate = {2020-12-23} } SUNBURST, TEARDROP and the NetSec New Normal
SUNBURST TEARDROP
2020-12-22SymantecThreat Hunter Team
@online{team:20201222:solarwinds:b77e372, author = {Threat Hunter Team}, title = {{SolarWinds Attacks: Stealthy Attackers Attempted To Evade Detection}}, date = {2020-12-22}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-attacks-stealthy-attackers-attempted-evade-detection}, language = {English}, urldate = {2020-12-23} } SolarWinds Attacks: Stealthy Attackers Attempted To Evade Detection
SUNBURST
2020-12-22MicrosoftAlex Weinert
@online{weinert:20201222:azure:b2fee7b, author = {Alex Weinert}, title = {{Azure AD workbook to help you assess Solorigate risk}}, date = {2020-12-22}, organization = {Microsoft}, url = {https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-workbook-to-help-you-assess-solorigate-risk/ba-p/2010718}, language = {English}, urldate = {2020-12-23} } Azure AD workbook to help you assess Solorigate risk
SUNBURST
2020-12-22ZscalerZscaler
@online{zscaler:20201222:hitchhikers:1875e0b, author = {Zscaler}, title = {{The Hitchhiker’s Guide to SolarWinds Incident Response}}, date = {2020-12-22}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/hitchhikers-guide-solarwinds-incident-response}, language = {English}, urldate = {2021-01-10} } The Hitchhiker’s Guide to SolarWinds Incident Response
SUNBURST
2020-12-22TRUESECMattias Wåhlén
@online{whln:20201222:collaboration:5d2ad28, author = {Mattias Wåhlén}, title = {{Collaboration between FIN7 and the RYUK group, a Truesec Investigation}}, date = {2020-12-22}, organization = {TRUESEC}, url = {https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/}, language = {English}, urldate = {2021-01-01} } Collaboration between FIN7 and the RYUK group, a Truesec Investigation
Carbanak Cobalt Strike Ryuk
2020-12-22FBIFBI
@online{fbi:20201222:pin:ea37578, author = {FBI}, title = {{PIN Number 20201222-001: Advanced Persistent Threat Actors Leverage SolarWinds Vulnerabilities}}, date = {2020-12-22}, organization = {FBI}, url = {https://drive.google.com/file/d/1R79Q1oC18GmKK8FYBoYEt0vYF7SpsvQI/view}, language = {English}, urldate = {2020-12-26} } PIN Number 20201222-001: Advanced Persistent Threat Actors Leverage SolarWinds Vulnerabilities
SUNBURST
2020-12-22Medium mitre-attackMatt Malone, Adam Pennington
@online{malone:20201222:identifying:259fcd9, author = {Matt Malone and Adam Pennington}, title = {{Identifying UNC2452-Related Techniques for ATT&CK}}, date = {2020-12-22}, organization = {Medium mitre-attack}, url = {https://medium.com/mitre-attack/identifying-unc2452-related-techniques-9f7b6c7f3714}, language = {English}, urldate = {2020-12-23} } Identifying UNC2452-Related Techniques for ATT&CK
SUNBURST TEARDROP UNC2452
2020-12-22Youtube (Colin Hardy)Colin Hardy
@online{hardy:20201222:sunburst:78b5056, author = {Colin Hardy}, title = {{SUNBURST SolarWinds RECON - Malware Reverse Engineering, OSINT and Identifying Victims}}, date = {2020-12-22}, organization = {Youtube (Colin Hardy)}, url = {https://www.youtube.com/watch?v=mbGN1xqy1jY}, language = {English}, urldate = {2020-12-23} } SUNBURST SolarWinds RECON - Malware Reverse Engineering, OSINT and Identifying Victims
SUNBURST
2020-12-22PrevasioSergei Shevchenko
@online{shevchenko:20201222:sunburst:9670fa6, author = {Sergei Shevchenko}, title = {{Sunburst Backdoor, Part III: DGA & Security Software (Broken Link)}}, date = {2020-12-22}, organization = {Prevasio}, url = {https://blog.prevasio.com/2020/12/sunburst-backdoor-part-iii-dga-security.html}, language = {English}, urldate = {2021-08-03} } Sunburst Backdoor, Part III: DGA & Security Software (Broken Link)
SUNBURST
2020-12-21McAfeeMo Cashman, Arnab Roy
@online{cashman:20201221:how:10d8756, author = {Mo Cashman and Arnab Roy}, title = {{How A Device to Cloud Architecture Defends Against the SolarWinds Supply Chain Compromise}}, date = {2020-12-21}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/how-a-device-to-cloud-architecture-defends-against-the-solarwinds-supply-chain-compromise/}, language = {English}, urldate = {2020-12-23} } How A Device to Cloud Architecture Defends Against the SolarWinds Supply Chain Compromise
SUNBURST
2020-12-21FortinetUdi Yavo
@online{yavo:20201221:what:716b31d, author = {Udi Yavo}, title = {{What We Have Learned So Far about the “Sunburst”/SolarWinds Hack}}, date = {2020-12-21}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack}, language = {English}, urldate = {2021-01-18} } What We Have Learned So Far about the “Sunburst”/SolarWinds Hack
Cobalt Strike SUNBURST TEARDROP
2020-12-21SophosLabs UncutSophosLabs Threat Research
@online{research:20201221:how:42cc330, author = {SophosLabs Threat Research}, title = {{How SunBurst malware does defense evasion}}, date = {2020-12-21}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/12/21/how-sunburst-malware-does-defense-evasion/}, language = {English}, urldate = {2020-12-23} } How SunBurst malware does defense evasion
SUNBURST UNC2452
2020-12-21MicrosoftAlex Weinert
@online{weinert:20201221:understanding:ea5a2f8, author = {Alex Weinert}, title = {{Understanding "Solorigate"'s Identity IOCs - for Identity Vendors and their customers.}}, date = {2020-12-21}, organization = {Microsoft}, url = {https://techcommunity.microsoft.com/t5/azure-active-directory-identity/understanding-quot-solorigate-quot-s-identity-iocs-for-identity/ba-p/2007610}, language = {English}, urldate = {2020-12-23} } Understanding "Solorigate"'s Identity IOCs - for Identity Vendors and their customers.
SUNBURST
2020-12-21IronNetPeter Rydzynski
@online{rydzynski:20201221:solarwindssunburst:cabeea6, author = {Peter Rydzynski}, title = {{SolarWinds/SUNBURST: DGA or DNS Tunneling?}}, date = {2020-12-21}, organization = {IronNet}, url = {https://www.ironnet.com/blog/a-closer-look-at-the-solarwinds/sunburst-malware-dga-or-dns-tunneling}, language = {English}, urldate = {2021-01-05} } SolarWinds/SUNBURST: DGA or DNS Tunneling?
SUNBURST
2020-12-21MicrosoftMSRC Team
@online{team:20201221:solorigate:7c7ab64, author = {MSRC Team}, title = {{Solorigate Resource Center}}, date = {2020-12-21}, organization = {Microsoft}, url = {https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/}, language = {English}, urldate = {2021-01-01} } Solorigate Resource Center
SUNBURST TEARDROP
2020-12-20Twitter (@TychoTithonus)Royce Williams
@online{williams:20201220:solarwindssunburst:c93e0ce, author = {Royce Williams}, title = {{SolarWinds/SunBurst FNV-1a-XOR hashes found in analysis}}, date = {2020-12-20}, organization = {Twitter (@TychoTithonus)}, url = {https://docs.google.com/spreadsheets/d/1u0_Df5OMsdzZcTkBDiaAtObbIOkMa5xbeXdKk_k0vWs}, language = {English}, urldate = {2021-02-18} } SolarWinds/SunBurst FNV-1a-XOR hashes found in analysis
SUNBURST
2020-12-20Medium Asuna AmawakaAsuna Amawaka
@online{amawaka:20201220:look:8cd19a2, author = {Asuna Amawaka}, title = {{A Look into SUNBURST’s DGA}}, date = {2020-12-20}, organization = {Medium Asuna Amawaka}, url = {https://medium.com/insomniacs/a-look-into-sunbursts-dga-ba4029193947}, language = {English}, urldate = {2021-02-18} } A Look into SUNBURST’s DGA
SUNBURST
2020-12-20RandhomeEtienne Maynier
@online{maynier:20201220:analyzing:3e15960, author = {Etienne Maynier}, title = {{Analyzing Cobalt Strike for Fun and Profit}}, date = {2020-12-20}, organization = {Randhome}, url = {https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/}, language = {English}, urldate = {2020-12-23} } Analyzing Cobalt Strike for Fun and Profit
Cobalt Strike
2020-12-19Bleeping ComputerLawrence Abrams
@online{abrams:20201219:solarwinds:0129ee8, author = {Lawrence Abrams}, title = {{The SolarWinds cyberattack: The hack, the victims, and what we know}}, date = {2020-12-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/the-solarwinds-cyberattack-the-hack-the-victims-and-what-we-know/}, language = {English}, urldate = {2020-12-19} } The SolarWinds cyberattack: The hack, the victims, and what we know
SUNBURST
2020-12-18Costin Raiu
@online{raiu:20201218:from:4f8eb88, author = {Costin Raiu}, title = {{Tweet from Costin Raiu about confirmed TEARDROP sample}}, date = {2020-12-18}, url = {https://twitter.com/craiu/status/1339954817247158272}, language = {English}, urldate = {2020-12-19} } Tweet from Costin Raiu about confirmed TEARDROP sample
TEARDROP
2020-12-18CloudflareNick Blazier, Jesse Kipp
@online{blazier:20201218:quirk:fe216c8, author = {Nick Blazier and Jesse Kipp}, title = {{A quirk in the SUNBURST DGA algorithm}}, date = {2020-12-18}, organization = {Cloudflare}, url = {https://blog.cloudflare.com/a-quirk-in-the-sunburst-dga-algorithm/}, language = {English}, urldate = {2020-12-18} } A quirk in the SUNBURST DGA algorithm
SUNBURST
2020-12-18ElasticCamilla Montonen, Justin Ibarra
@online{montonen:20201218:combining:13fef73, author = {Camilla Montonen and Justin Ibarra}, title = {{Combining supervised and unsupervised machine learning for DGA detection}}, date = {2020-12-18}, organization = {Elastic}, url = {https://www.elastic.co/blog/supervised-and-unsupervised-machine-learning-for-dga-detection}, language = {English}, urldate = {2020-12-18} } Combining supervised and unsupervised machine learning for DGA detection
SUNBURST
2020-12-18IBMGladys Koskas
@online{koskas:20201218:sunburst:c79fb22, author = {Gladys Koskas}, title = {{SUNBURST indicator detection in QRadar}}, date = {2020-12-18}, organization = {IBM}, url = {https://community.ibm.com/community/user/security/blogs/gladys-koskas1/2020/12/18/sunburst-indicator-detection-in-qradar}, language = {English}, urldate = {2021-01-10} } SUNBURST indicator detection in QRadar
SUNBURST
2020-12-18Sentinel LABSJames Haughom
@online{haughom:20201218:solarwinds:8e1f0c5, author = {James Haughom}, title = {{SolarWinds SUNBURST Backdoor: Inside the APT Campaign}}, date = {2020-12-18}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign/}, language = {English}, urldate = {2020-12-19} } SolarWinds SUNBURST Backdoor: Inside the APT Campaign
SUNBURST
2020-12-18Kaspersky LabsIgor Kuznetsov, Costin Raiu
@online{kuznetsov:20201218:sunburst:85b411a, author = {Igor Kuznetsov and Costin Raiu}, title = {{Sunburst: connecting the dots in the DNS requests}}, date = {2020-12-18}, organization = {Kaspersky Labs}, url = {https://securelist.com/sunburst-connecting-the-dots-in-the-dns-requests/99862/}, language = {English}, urldate = {2020-12-18} } Sunburst: connecting the dots in the DNS requests
SUNBURST
2020-12-18DomainToolsJoe Slowik
@online{slowik:20201218:continuous:71ffa78, author = {Joe Slowik}, title = {{Continuous Eruption: Further Analysis of the SolarWinds Supply Chain Incident}}, date = {2020-12-18}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/continuous-eruption-further-analysis-of-the-solarwinds-supply-incident}, language = {English}, urldate = {2020-12-18} } Continuous Eruption: Further Analysis of the SolarWinds Supply Chain Incident
SUNBURST
2020-12-18ThreatConnectThreatConnect
@online{threatconnect:20201218:tracking:765f272, author = {ThreatConnect}, title = {{Tracking Sunburst-Related Activity with ThreatConnect Dashboards}}, date = {2020-12-18}, organization = {ThreatConnect}, url = {https://threatconnect.com/blog/tracking-sunburst-related-activity-with-threatconnect-dashboards}, language = {English}, urldate = {2020-12-19} } Tracking Sunburst-Related Activity with ThreatConnect Dashboards
SUNBURST
2020-12-18MicrosoftMicrosoft 365 Defender Research Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20201218:analyzing:9486213, author = {Microsoft 365 Defender Research Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers}}, date = {2020-12-18}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/}, language = {English}, urldate = {2020-12-19} } Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers
SUNBURST SUPERNOVA TEARDROP UNC2452
2020-12-17TRUESECFabio Viggiani
@online{viggiani:20201217:solarwinds:f367284, author = {Fabio Viggiani}, title = {{The SolarWinds Orion SUNBURST supply-chain Attack}}, date = {2020-12-17}, organization = {TRUESEC}, url = {https://blog.truesec.com/2020/12/17/the-solarwinds-orion-sunburst-supply-chain-attack/}, language = {English}, urldate = {2020-12-18} } The SolarWinds Orion SUNBURST supply-chain Attack
SUNBURST
2020-12-17MicrosoftBrad Smith
@online{smith:20201217:moment:cd1089e, author = {Brad Smith}, title = {{A moment of reckoning: the need for a strong and global cybersecurity response}}, date = {2020-12-17}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2020/12/17/cyberattacks-cybersecurity-solarwinds-fireeye/}, language = {English}, urldate = {2020-12-18} } A moment of reckoning: the need for a strong and global cybersecurity response
SUNBURST
2020-12-17US-CERTUS-CERT
@online{uscert:20201217:alert:1d517b0, author = {US-CERT}, title = {{Alert (AA20-352A): Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations}}, date = {2020-12-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-352a}, language = {English}, urldate = {2020-12-18} } Alert (AA20-352A): Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations
SUNBURST
2020-12-17McAfeeChristiaan Beek, Cedric Cochin, Raj Samani
@online{beek:20201217:additional:cd38b54, author = {Christiaan Beek and Cedric Cochin and Raj Samani}, title = {{Additional Analysis into the SUNBURST Backdoor}}, date = {2020-12-17}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/additional-analysis-into-the-sunburst-backdoor/}, language = {English}, urldate = {2020-12-18} } Additional Analysis into the SUNBURST Backdoor
SUNBURST
2020-12-17PrevasioSergei Shevchenko
@online{shevchenko:20201217:sunburst:9b615cf, author = {Sergei Shevchenko}, title = {{Sunburst Backdoor, Part II: DGA & The List of Victims}}, date = {2020-12-17}, organization = {Prevasio}, url = {https://blog.prevasio.com/2020/12/sunburst-backdoor-part-ii-dga-list-of.html}, language = {English}, urldate = {2020-12-23} } Sunburst Backdoor, Part II: DGA & The List of Victims
SUNBURST
2020-12-17Twitter (@megabeets_)Itay Cohen
@online{cohen:20201217:sunburst:7931c48, author = {Itay Cohen}, title = {{Tweet on SUNBURST malware discussing some of its evasion techniques}}, date = {2020-12-17}, organization = {Twitter (@megabeets_)}, url = {https://twitter.com/megabeets_/status/1339308801112027138}, language = {English}, urldate = {2020-12-18} } Tweet on SUNBURST malware discussing some of its evasion techniques
SUNBURST
2020-12-17Youtube (Colin Hardy)Colin Hardy
@online{hardy:20201217:sunburst:059bdbe, author = {Colin Hardy}, title = {{SUNBURST SolarWinds Malware - Tools, Tactics and Methods to get you started with Reverse Engineering}}, date = {2020-12-17}, organization = {Youtube (Colin Hardy)}, url = {https://www.youtube.com/watch?v=JoMwrkijTZ8}, language = {English}, urldate = {2020-12-18} } SUNBURST SolarWinds Malware - Tools, Tactics and Methods to get you started with Reverse Engineering
SUNBURST
2020-12-17NetresecErik Hjelmvik
@online{hjelmvik:20201217:reassembling:2a2f222, author = {Erik Hjelmvik}, title = {{Reassembling Victim Domain Fragments from SUNBURST DNS}}, date = {2020-12-17}, organization = {Netresec}, url = {https://www.netresec.com/?page=Blog&month=2020-12&post=Reassembling-Victim-Domain-Fragments-from-SUNBURST-DNS}, language = {English}, urldate = {2020-12-18} } Reassembling Victim Domain Fragments from SUNBURST DNS
SUNBURST
2020-12-17splunkJohn Stoner
@online{stoner:20201217:onboarding:cef2450, author = {John Stoner}, title = {{Onboarding Threat Indicators into Splunk Enterprise Security: SolarWinds Continued}}, date = {2020-12-17}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/smoothing-the-bumps-of-onboarding-threat-indicators-into-splunk-enterprise-security.html}, language = {English}, urldate = {2021-01-11} } Onboarding Threat Indicators into Splunk Enterprise Security: SolarWinds Continued
SUNBURST
2020-12-17TrustedSecTrustedsec
@online{trustedsec:20201217:solarwinds:8185fab, author = {Trustedsec}, title = {{SolarWinds Backdoor (Sunburst) Incident Response Playbook}}, date = {2020-12-17}, organization = {TrustedSec}, url = {https://www.trustedsec.com/blog/solarwinds-backdoor-sunburst-incident-response-playbook/?hss_channel=tw-403811306}, language = {English}, urldate = {2020-12-18} } SolarWinds Backdoor (Sunburst) Incident Response Playbook
SUNBURST
2020-12-16Github (RedDrip7)RedDrip7
@online{reddrip7:20201216:script:4476c58, author = {RedDrip7}, title = {{A script to decode SUNBURST DGA domain}}, date = {2020-12-16}, organization = {Github (RedDrip7)}, url = {https://github.com/RedDrip7/SunBurst_DGA_Decode}, language = {English}, urldate = {2020-12-17} } A script to decode SUNBURST DGA domain
SUNBURST
2020-12-16MicrosoftShain Wray
@online{wray:20201216:solarwinds:98db0a9, author = {Shain Wray}, title = {{SolarWinds Post-Compromise Hunting with Azure Sentinel}}, date = {2020-12-16}, organization = {Microsoft}, url = {https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095}, language = {English}, urldate = {2020-12-17} } SolarWinds Post-Compromise Hunting with Azure Sentinel
SUNBURST
2020-12-16Cyborg SecurityJosh Meltzer
@online{meltzer:20201216:sunburst:6866abc, author = {Josh Meltzer}, title = {{SUNBURST: SolarWinds Supply-Chain Attack}}, date = {2020-12-16}, organization = {Cyborg Security}, url = {https://www.cyborgsecurity.com/blog/sunburst-solarwinds-supply-chain-attack/}, language = {English}, urldate = {2020-12-23} } SUNBURST: SolarWinds Supply-Chain Attack
SUNBURST
2020-12-16ReversingLabsTomislav Pericin
@online{pericin:20201216:sunburst:02a2fd8, author = {Tomislav Pericin}, title = {{SunBurst: the next level of stealth SolarWinds compromise exploited through sophistication and patience}}, date = {2020-12-16}, organization = {ReversingLabs}, url = {https://blog.reversinglabs.com/blog/sunburst-the-next-level-of-stealth}, language = {English}, urldate = {2020-12-17} } SunBurst: the next level of stealth SolarWinds compromise exploited through sophistication and patience
SUNBURST
2020-12-16Twitter (@0xrb)R. Bansal
@online{bansal:20201216:list:aa0388d, author = {R. Bansal}, title = {{List of domain infrastructure including DGA domain used by UNC2452}}, date = {2020-12-16}, organization = {Twitter (@0xrb)}, url = {https://twitter.com/0xrb/status/1339199268146442241}, language = {English}, urldate = {2020-12-17} } List of domain infrastructure including DGA domain used by UNC2452
SUNBURST
2020-12-16PastebinAnonymous
@online{anonymous:20201216:paste:a02ef52, author = {Anonymous}, title = {{Paste of subdomain & DGA domain names used in SolarWinds attack}}, date = {2020-12-16}, organization = {Pastebin}, url = {https://pastebin.com/6EDgCKxd}, language = {English}, urldate = {2021-01-13} } Paste of subdomain & DGA domain names used in SolarWinds attack
SUNBURST UNC2452
2020-12-16Intel 471Intel 471
@online{471:20201216:intel471s:f245d05, author = {Intel 471}, title = {{Intel471's full statement on their knowledge of SolarWinds and the cybercriminal underground}}, date = {2020-12-16}, organization = {Intel 471}, url = {https://twitter.com/Intel471Inc/status/1339233255741120513}, language = {English}, urldate = {2020-12-17} } Intel471's full statement on their knowledge of SolarWinds and the cybercriminal underground
SUNBURST
2020-12-16QianxinRed Raindrop Team
@online{team:20201216:solarwinds:0871f46, author = {Red Raindrop Team}, title = {{中招目标首次披露:SolarWinds供应链攻击相关域名生成算法可破解!}}, date = {2020-12-16}, organization = {Qianxin}, url = {https://mp.weixin.qq.com/s/v-ekPFtVNZG1W7vWjcuVug}, language = {Chinese}, urldate = {2020-12-17} } 中招目标首次披露:SolarWinds供应链攻击相关域名生成算法可破解!
SUNBURST
2020-12-16CloudflareJesse Kipp, Malavika Balachandran Tadeusz
@online{kipp:20201216:trend:29b2a2d, author = {Jesse Kipp and Malavika Balachandran Tadeusz}, title = {{Trend data on the SolarWinds Orion compromise}}, date = {2020-12-16}, organization = {Cloudflare}, url = {https://blog.cloudflare.com/solarwinds-orion-compromise-trend-data/}, language = {English}, urldate = {2020-12-18} } Trend data on the SolarWinds Orion compromise
SUNBURST
2020-12-16Twitter @cybercdh)Colin Hardy
@online{hardy:20201216:3:c3e0e68, author = {Colin Hardy}, title = {{Tweet on 3 key actions SUNBURST performs as soon as it's invoked}}, date = {2020-12-16}, organization = {Twitter @cybercdh)}, url = {https://twitter.com/cybercdh/status/1339241246024404994}, language = {English}, urldate = {2020-12-18} } Tweet on 3 key actions SUNBURST performs as soon as it's invoked
SUNBURST
2020-12-16Twitter (@FireEye)FireEye
@online{fireeye:20201216:sunburst:310ef08, author = {FireEye}, title = {{Tweet on SUNBURST from FireEye detailing some additional information}}, date = {2020-12-16}, organization = {Twitter (@FireEye)}, url = {https://twitter.com/FireEye/status/1339295983583244302}, language = {English}, urldate = {2020-12-17} } Tweet on SUNBURST from FireEye detailing some additional information
SUNBURST
2020-12-16Bleeping ComputerLawrence Abrams
@online{abrams:20201216:fireeye:d24dc6f, author = {Lawrence Abrams}, title = {{FireEye, Microsoft create kill switch for SolarWinds backdoor}}, date = {2020-12-16}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fireeye-microsoft-create-kill-switch-for-solarwinds-backdoor/}, language = {English}, urldate = {2020-12-17} } FireEye, Microsoft create kill switch for SolarWinds backdoor
SUNBURST
2020-12-15360 Threat Intelligence CenterAdvanced Threat Institute
@online{institute:20201215:operation:899bf4d, author = {Advanced Threat Institute}, title = {{Operation Falling Eagle-the secret of the most influential supply chain attack in history}}, date = {2020-12-15}, organization = {360 Threat Intelligence Center}, url = {https://mp.weixin.qq.com/s/lh7y_KHUxag_-pcFBC7d0Q}, language = {Chinese}, urldate = {2020-12-18} } Operation Falling Eagle-the secret of the most influential supply chain attack in history
SUNBURST
2020-12-15Github (sophos-cybersecurity)Sophos Cyber Security Team
@online{team:20201215:solarwindsthreathunt:4357421, author = {Sophos Cyber Security Team}, title = {{solarwinds-threathunt}}, date = {2020-12-15}, organization = {Github (sophos-cybersecurity)}, url = {https://github.com/sophos-cybersecurity/solarwinds-threathunt}, language = {English}, urldate = {2020-12-15} } solarwinds-threathunt
Cobalt Strike SUNBURST
2020-12-15CorelightJohn Gamble
@online{gamble:20201215:finding:50ef51c, author = {John Gamble}, title = {{Finding SUNBURST Backdoor with Zeek Logs & Corelight}}, date = {2020-12-15}, organization = {Corelight}, url = {https://corelight.blog/2020/12/15/finding-sunburst-backdoor-with-zeek-logs-and-corelight/}, language = {English}, urldate = {2020-12-15} } Finding SUNBURST Backdoor with Zeek Logs & Corelight
SUNBURST
2020-12-15PrevasioSergei Shevchenko
@online{shevchenko:20201215:sunburst:7f6b5db, author = {Sergei Shevchenko}, title = {{Sunburst Backdoor: A Deeper Look Into The SolarWinds' Supply Chain Malware}}, date = {2020-12-15}, organization = {Prevasio}, url = {https://blog.prevasio.com/2020/12/sunburst-backdoor-deeper-look-into.html}, language = {English}, urldate = {2020-12-17} } Sunburst Backdoor: A Deeper Look Into The SolarWinds' Supply Chain Malware
SUNBURST
2020-12-15Twitter @cybercdh)Colin Hardy
@online{hardy:20201215:cyberchef:9f25c79, author = {Colin Hardy}, title = {{Tweet on CyberChef recipe to extract and decode strings from #SolarWinds malware binaries.}}, date = {2020-12-15}, organization = {Twitter @cybercdh)}, url = {https://twitter.com/cybercdh/status/1338885244246765569}, language = {English}, urldate = {2020-12-17} } Tweet on CyberChef recipe to extract and decode strings from #SolarWinds malware binaries.
SUNBURST
2020-12-15Cyborg SecurityAustin Jackson
@online{jackson:20201215:threat:00bfb46, author = {Austin Jackson}, title = {{Threat Hunt Deep Dives: SolarWinds Supply Chain Compromise (Solorigate / SUNBURST Backdoor)}}, date = {2020-12-15}, organization = {Cyborg Security}, url = {https://www.cyborgsecurity.com/cyborg_labs/threat-hunt-deep-dives-solarwinds-supply-chain-compromise-solorigate-sunburst-backdoor/}, language = {English}, urldate = {2020-12-23} } Threat Hunt Deep Dives: SolarWinds Supply Chain Compromise (Solorigate / SUNBURST Backdoor)
SUNBURST
2020-12-15PICUS SecuritySüleyman Özarslan
@online{zarslan:20201215:tactics:bba1b4f, author = {Süleyman Özarslan}, title = {{Tactics, Techniques, and Procedures (TTPs) Used in the SolarWinds Breach}}, date = {2020-12-15}, organization = {PICUS Security}, url = {https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach}, language = {English}, urldate = {2020-12-17} } Tactics, Techniques, and Procedures (TTPs) Used in the SolarWinds Breach
Cobalt Strike SUNBURST
2020-12-15Twitter @cybercdh)Colin Hardy
@online{hardy:20201215:some:5b19d5f, author = {Colin Hardy}, title = {{Tweet on some more capabilties of SUNBURST backdoor}}, date = {2020-12-15}, organization = {Twitter @cybercdh)}, url = {https://twitter.com/cybercdh/status/1338975171093336067}, language = {English}, urldate = {2020-12-18} } Tweet on some more capabilties of SUNBURST backdoor
SUNBURST
2020-12-14Twitter (@lordx64)Taha Karim
@online{karim:20201214:one:5d9f92c, author = {Taha Karim}, title = {{Tweet on a one liner to decrypt SUNBURST backdoor}}, date = {2020-12-14}, organization = {Twitter (@lordx64)}, url = {https://twitter.com/lordx64/status/1338526166051934213}, language = {English}, urldate = {2020-12-15} } Tweet on a one liner to decrypt SUNBURST backdoor
SUNBURST
2020-12-14TrustedSecNick Gilberti, Tyler Hudak
@online{gilberti:20201214:solarwinds:394f5d5, author = {Nick Gilberti and Tyler Hudak}, title = {{SolarWinds Orion and UNC2452 – Summary and Recommendations}}, date = {2020-12-14}, organization = {TrustedSec}, url = {https://www.trustedsec.com/blog/solarwinds-orion-and-unc2452-summary-and-recommendations/}, language = {English}, urldate = {2020-12-16} } SolarWinds Orion and UNC2452 – Summary and Recommendations
SUNBURST
2020-12-14Cado SecurityChristopher Doman
@online{doman:20201214:responding:639d2ce, author = {Christopher Doman}, title = {{Responding to Solarigate}}, date = {2020-12-14}, organization = {Cado Security}, url = {https://www.cadosecurity.com/post/responding-to-solarigate}, language = {English}, urldate = {2020-12-14} } Responding to Solarigate
SUNBURST
2020-12-14Olaf Hartong
@online{hartong:20201214:fireeye:d7c17f5, author = {Olaf Hartong}, title = {{FireEye Sunburst KQL Detections}}, date = {2020-12-14}, url = {https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f}, language = {English}, urldate = {2020-12-15} } FireEye Sunburst KQL Detections
SUNBURST
2020-12-14Palo Alto Networks Unit 42Unit 42
@online{42:20201214:threat:032b92d, author = {Unit 42}, title = {{Threat Brief: SolarStorm and SUNBURST Customer Coverage}}, date = {2020-12-14}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/}, language = {English}, urldate = {2020-12-15} } Threat Brief: SolarStorm and SUNBURST Customer Coverage
Cobalt Strike SUNBURST
2020-12-14Cisco TalosNick Biasini
@online{biasini:20201214:threat:63acc35, author = {Nick Biasini}, title = {{Threat Advisory: SolarWinds supply chain attack}}, date = {2020-12-14}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html#more}, language = {English}, urldate = {2020-12-19} } Threat Advisory: SolarWinds supply chain attack
SUNBURST TEARDROP
2020-12-14SymantecThreat Hunter Team
@online{team:20201214:sunburst:12e5814, author = {Threat Hunter Team}, title = {{Sunburst: Supply Chain Attack Targets SolarWinds Users}}, date = {2020-12-14}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sunburst-supply-chain-attack-solarwinds}, language = {English}, urldate = {2020-12-19} } Sunburst: Supply Chain Attack Targets SolarWinds Users
SUNBURST TEARDROP
2020-12-14Twitter (@ItsReallyNick)Nick Carr
@online{carr:20201214:summarizing:67227be, author = {Nick Carr}, title = {{Tweet on summarizing post-compromise actvity of UNC2452}}, date = {2020-12-14}, organization = {Twitter (@ItsReallyNick)}, url = {https://twitter.com/ItsReallyNick/status/1338382939835478016}, language = {English}, urldate = {2020-12-14} } Tweet on summarizing post-compromise actvity of UNC2452
SUNBURST
2020-12-14Twitter (@KimZetter)Kim Zetter
@online{zetter:20201214:thread:783b5ed, author = {Kim Zetter}, title = {{Tweet thread on microsoft report on Solarwind supply chain attack by UNC2452}}, date = {2020-12-14}, organization = {Twitter (@KimZetter)}, url = {https://twitter.com/KimZetter/status/1338305089597964290}, language = {English}, urldate = {2020-12-14} } Tweet thread on microsoft report on Solarwind supply chain attack by UNC2452
SUNBURST
2020-12-14Youtube (Ali Hadi)Ali Hadi
@online{hadi:20201214:learning:f4175a9, author = {Ali Hadi}, title = {{Learning about .NET Malware by Going Over the SUNBURST SolarWinds Backdoor}}, date = {2020-12-14}, organization = {Youtube (Ali Hadi)}, url = {https://www.youtube.com/watch?v=cMauHTV-lJg}, language = {English}, urldate = {2020-12-18} } Learning about .NET Malware by Going Over the SUNBURST SolarWinds Backdoor
SUNBURST
2020-12-14SolarwindSolarwind
@online{solarwind:20201214:security:a763c2a, author = {Solarwind}, title = {{Security Advisory on SolarWinds Supply chain attack FAQ}}, date = {2020-12-14}, organization = {Solarwind}, url = {https://www.solarwinds.com/securityadvisory/faq}, language = {English}, urldate = {2021-01-04} } Security Advisory on SolarWinds Supply chain attack FAQ
SUNBURST SUPERNOVA
2020-12-14SolarwindSolarwind
@online{solarwind:20201214:security:68f32e4, author = {Solarwind}, title = {{Security Advisory on SolarWinds Supply chain attack}}, date = {2020-12-14}, organization = {Solarwind}, url = {https://www.solarwinds.com/securityadvisory}, language = {English}, urldate = {2021-01-01} } Security Advisory on SolarWinds Supply chain attack
SUNBURST SUPERNOVA
2020-12-14DomainToolsJoe Slowik
@online{slowik:20201214:unraveling:d212099, author = {Joe Slowik}, title = {{Unraveling Network Infrastructure Linked to the SolarWinds Hack}}, date = {2020-12-14}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/unraveling-network-infrastructure-linked-to-the-solarwinds-hack}, language = {English}, urldate = {2020-12-15} } Unraveling Network Infrastructure Linked to the SolarWinds Hack
SUNBURST
2020-12-14VolexityDamien Cash, Matthew Meltzer, Sean Koessel, Steven Adair, Thomas Lancaster, Volexity Threat Research
@online{cash:20201214:dark:7d54c5d, author = {Damien Cash and Matthew Meltzer and Sean Koessel and Steven Adair and Thomas Lancaster and Volexity Threat Research}, title = {{Dark Halo Leverages SolarWinds Compromise to Breach Organizations}}, date = {2020-12-14}, organization = {Volexity}, url = {https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/}, language = {English}, urldate = {2020-12-15} } Dark Halo Leverages SolarWinds Compromise to Breach Organizations
SUNBURST
2020-12-14splunkRyan Kovar
@online{kovar:20201214:using:7fa58c8, author = {Ryan Kovar}, title = {{Using Splunk to Detect Sunburst Backdoor}}, date = {2020-12-14}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html}, language = {English}, urldate = {2020-12-15} } Using Splunk to Detect Sunburst Backdoor
SUNBURST
2020-12-14SophosRoss McKerchar
@online{mckerchar:20201214:incident:fa87d28, author = {Ross McKerchar}, title = {{Incident response playbook for responding to SolarWinds Orion compromise}}, date = {2020-12-14}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/12/14/solarwinds-playbook/}, language = {English}, urldate = {2020-12-15} } Incident response playbook for responding to SolarWinds Orion compromise
SUNBURST
2020-12-13VX-Underground
@online{vxunderground:20201213:directory:a270772, author = {VX-Underground}, title = {{Directory: /samples/Exotic/UNC2452/SolarWinds Breach/}}, date = {2020-12-13}, url = {https://vxug.fakedoma.in/samples/Exotic/UNC2452/SolarWinds%20Breach/}, language = {English}, urldate = {2020-12-14} } Directory: /samples/Exotic/UNC2452/SolarWinds Breach/
SUNBURST
2020-12-13FireEyeAndrew Archer, Doug Bienstock, Chris DiGiamo, Glenn Edwards, Nick Hornick, Alex Pennino, Andrew Rector, Scott Runnels, Eric Scales, Nalani Fraiser, Sarah Jones, John Hultquist, Ben Read, Jon Leathery, Fred House, Dileep Jallepalli, Michael Sikorski, Stephen Eckels, William Ballenthin, Jay Smith, Alex Berry, Nick Richard, Isif Ibrahima, Dan Perez, Marcin Siedlarz, Ben Withnell, Barry Vengerik, Nicole Oppenheim, Ian Ahl, Andrew Thompson, Matt Dunwoody, Evan Reese, Steve Miller, Alyssa Rahman, John Gorman, Lennard Galang, Steve Stone, Nick Bennett, Matthew McWhirt, Mike Burns, Omer Baig, Nick Carr, Christopher Glyer, Ramin Nafisi, Microsoft
@online{archer:20201213:highly:9fe1728, author = {Andrew Archer and Doug Bienstock and Chris DiGiamo and Glenn Edwards and Nick Hornick and Alex Pennino and Andrew Rector and Scott Runnels and Eric Scales and Nalani Fraiser and Sarah Jones and John Hultquist and Ben Read and Jon Leathery and Fred House and Dileep Jallepalli and Michael Sikorski and Stephen Eckels and William Ballenthin and Jay Smith and Alex Berry and Nick Richard and Isif Ibrahima and Dan Perez and Marcin Siedlarz and Ben Withnell and Barry Vengerik and Nicole Oppenheim and Ian Ahl and Andrew Thompson and Matt Dunwoody and Evan Reese and Steve Miller and Alyssa Rahman and John Gorman and Lennard Galang and Steve Stone and Nick Bennett and Matthew McWhirt and Mike Burns and Omer Baig and Nick Carr and Christopher Glyer and Ramin Nafisi and Microsoft}, title = {{Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor}}, date = {2020-12-13}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html}, language = {English}, urldate = {2020-12-19} } Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
SUNBURST SUPERNOVA TEARDROP UNC2452
2020-12-13Github (fireeye)FireEye
@online{fireeye:20201213:sunburst:04e594f, author = {FireEye}, title = {{SUNBURST Countermeasures}}, date = {2020-12-13}, organization = {Github (fireeye)}, url = {https://github.com/fireeye/sunburst_countermeasures}, language = {English}, urldate = {2020-12-19} } SUNBURST Countermeasures
SUNBURST SUPERNOVA TEARDROP UNC2452
2020-12-13MicrosoftMicrosoft Security Intelligence
@online{intelligence:20201213:trojanmsilsolorigatebdha:f470d89, author = {Microsoft Security Intelligence}, title = {{Trojan:MSIL/Solorigate.B!dha}}, date = {2020-12-13}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:MSIL/Solorigate.B!dha}, language = {English}, urldate = {2020-12-14} } Trojan:MSIL/Solorigate.B!dha
SUNBURST
2020-12-13CISACISA
@online{cisa:20201213:active:44eb4a4, author = {CISA}, title = {{Active Exploitation of SolarWinds Software}}, date = {2020-12-13}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software}, language = {English}, urldate = {2020-12-15} } Active Exploitation of SolarWinds Software
SUNBURST
2020-12-11BlackberryBlackBerry Research and Intelligence team
@online{team:20201211:mountlocker:9c495cb, author = {BlackBerry Research and Intelligence team}, title = {{MountLocker Ransomware-as-a-Service Offers Double Extortion Capabilities to Affiliates}}, date = {2020-12-11}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates}, language = {English}, urldate = {2020-12-14} } MountLocker Ransomware-as-a-Service Offers Double Extortion Capabilities to Affiliates
Cobalt Strike Mount Locker
2020-12-10Palo Alto Networks Unit 42Unit42
@online{unit42:20201210:threat:6ac31af, author = {Unit42}, title = {{Threat Brief: FireEye Red Team Tool Breach}}, date = {2020-12-10}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/}, language = {English}, urldate = {2020-12-15} } Threat Brief: FireEye Red Team Tool Breach
Cobalt Strike
2020-12-10Intel 471Intel 471
@online{471:20201210:no:9fd2ae1, author = {Intel 471}, title = {{No pandas, just people: The current state of China’s cybercrime underground}}, date = {2020-12-10}, organization = {Intel 471}, url = {https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/}, language = {English}, urldate = {2020-12-10} } No pandas, just people: The current state of China’s cybercrime underground
Anubis SpyNote AsyncRAT Cobalt Strike Ghost RAT NjRAT
2020-12-09FireEyeMitchell Clarke, Tom Hall
@techreport{clarke:20201209:its:c312acc, author = {Mitchell Clarke and Tom Hall}, title = {{It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES)}}, date = {2020-12-09}, institution = {FireEye}, url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf}, language = {English}, urldate = {2020-12-15} } It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES)
Cobalt Strike DoppelPaymer QakBot REvil
2020-12-09CiscoDavid Liebenberg, Caitlin Huey
@online{liebenberg:20201209:quarterly:9ed3062, author = {David Liebenberg and Caitlin Huey}, title = {{Quarterly Report: Incident Response trends from Fall 2020}}, date = {2020-12-09}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html}, language = {English}, urldate = {2020-12-10} } Quarterly Report: Incident Response trends from Fall 2020
Cobalt Strike IcedID Maze RansomEXX Ryuk
2020-12-09InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20201209:recent:0992506, author = {Brad Duncan}, title = {{Recent Qakbot (Qbot) activity}}, date = {2020-12-09}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/26862}, language = {English}, urldate = {2020-12-10} } Recent Qakbot (Qbot) activity
Cobalt Strike QakBot
2020-12-08Cobalt StrikeRaphael Mudge
@online{mudge:20201208:red:8ccdfcf, author = {Raphael Mudge}, title = {{A Red Teamer Plays with JARM}}, date = {2020-12-08}, organization = {Cobalt Strike}, url = {https://blog.cobaltstrike.com/2020/12/08/a-red-teamer-plays-with-jarm/}, language = {English}, urldate = {2021-01-11} } A Red Teamer Plays with JARM
Cobalt Strike
2020-12-08SecuronixOleg Kolesnikov, Den Iyzvyk
@techreport{kolesnikov:20201208:detecting:ba06a76, author = {Oleg Kolesnikov and Den Iyzvyk}, title = {{Detecting SolarWinds/SUNBURST/ECLIPSER Supply Chain Attacks}}, date = {2020-12-08}, institution = {Securonix}, url = {https://www.securonix.com/web/wp-content/uploads/2020/12/threat_research_solarwinds_sunburst_eclipser_supply_chain.pdf}, language = {English}, urldate = {2021-01-10} } Detecting SolarWinds/SUNBURST/ECLIPSER Supply Chain Attacks
SUNBURST
2020-12-02Red Canarytwitter (@redcanary)
@online{redcanary:20201202:increased:5db5dce, author = {twitter (@redcanary)}, title = {{Tweet on increased #Qbot activity delivering Cobalt Strike & #Egregor ransomware}}, date = {2020-12-02}, organization = {Red Canary}, url = {https://twitter.com/redcanary/status/1334224861628039169}, language = {English}, urldate = {2020-12-08} } Tweet on increased #Qbot activity delivering Cobalt Strike & #Egregor ransomware
Cobalt Strike Egregor QakBot
2020-12FireEyeFireEye
@online{fireeye:202012:solarwinds:4ce144e, author = {FireEye}, title = {{Solarwinds Breach Resource Center}}, date = {2020-12}, organization = {FireEye}, url = {https://www.fireeye.com/current-threats/sunburst-malware.html}, language = {English}, urldate = {2021-03-02} } Solarwinds Breach Resource Center
SUNBURST
2020-12-01360.cnjindanlong
@online{jindanlong:20201201:hunting:b9e2674, author = {jindanlong}, title = {{Hunting Beacons}}, date = {2020-12-01}, organization = {360.cn}, url = {https://quake.360.cn/quake/#/reportDetail?id=5fc6fedd191038c3b25c4950}, language = {English}, urldate = {2021-01-10} } Hunting Beacons
Cobalt Strike
2020-12-01mez0.ccmez0
@online{mez0:20201201:cobalt:38336ed, author = {mez0}, title = {{Cobalt Strike PowerShell Execution}}, date = {2020-12-01}, organization = {mez0.cc}, url = {https://mez0.cc/posts/cobaltstrike-powershell-exec/}, language = {English}, urldate = {2020-12-14} } Cobalt Strike PowerShell Execution
Cobalt Strike
2020-11-30MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20201130:threat:2633df5, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Threat actor (BISMUTH) leverages coin miner techniques to stay under the radar – here’s how to spot them}}, date = {2020-11-30}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them/}, language = {English}, urldate = {2020-12-01} } Threat actor (BISMUTH) leverages coin miner techniques to stay under the radar – here’s how to spot them
Cobalt Strike
2020-11-30FireEyeMitchell Clarke, Tom Hall
@techreport{clarke:20201130:its:1b6b681, author = {Mitchell Clarke and Tom Hall}, title = {{It's not FINished The Evolving Maturity in Ransomware Operations}}, date = {2020-11-30}, institution = {FireEye}, url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf}, language = {English}, urldate = {2020-12-14} } It's not FINished The Evolving Maturity in Ransomware Operations
Cobalt Strike DoppelPaymer MimiKatz QakBot REvil
2020-11-27MacnicaHiroshi Takeuchi
@online{takeuchi:20201127:analyzing:4089f84, author = {Hiroshi Takeuchi}, title = {{Analyzing Organizational Invasion Ransom Incidents Using Dtrack}}, date = {2020-11-27}, organization = {Macnica}, url = {https://blog.macnica.net/blog/2020/11/dtrack.html}, language = {Japanese}, urldate = {2020-12-08} } Analyzing Organizational Invasion Ransom Incidents Using Dtrack
Cobalt Strike Dtrack
2020-11-26CybereasonLior Rochberger, Cybereason Nocturnus
@online{rochberger:20201126:cybereason:8301aeb, author = {Lior Rochberger and Cybereason Nocturnus}, title = {{Cybereason vs. Egregor Ransomware}}, date = {2020-11-26}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware}, language = {English}, urldate = {2020-12-08} } Cybereason vs. Egregor Ransomware
Cobalt Strike Egregor IcedID ISFB QakBot
2020-11-25SentinelOneJim Walter
@online{walter:20201125:egregor:5727f7a, author = {Jim Walter}, title = {{Egregor RaaS Continues the Chaos with Cobalt Strike and Rclone}}, date = {2020-11-25}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/}, language = {English}, urldate = {2020-12-08} } Egregor RaaS Continues the Chaos with Cobalt Strike and Rclone
Cobalt Strike Egregor
2020-11-20ZDNetCatalin Cimpanu
@online{cimpanu:20201120:malware:0b8ff59, author = {Catalin Cimpanu}, title = {{The malware that usually installs ransomware and you need to remove right away}}, date = {2020-11-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/}, language = {English}, urldate = {2020-11-23} } The malware that usually installs ransomware and you need to remove right away
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader
2020-11-20F-Secure LabsRiccardo Ancarani
@online{ancarani:20201120:detecting:79afa40, author = {Riccardo Ancarani}, title = {{Detecting Cobalt Strike Default Modules via Named Pipe Analysis}}, date = {2020-11-20}, organization = {F-Secure Labs}, url = {https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis}, language = {English}, urldate = {2020-11-23} } Detecting Cobalt Strike Default Modules via Named Pipe Analysis
Cobalt Strike
2020-11-20360 netlabJiaYu
@online{jiayu:20201120:blackrota:ee43da1, author = {JiaYu}, title = {{Blackrota, a highly obfuscated backdoor developed by Go}}, date = {2020-11-20}, organization = {360 netlab}, url = {https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go/}, language = {Chinese}, urldate = {2020-11-23} } Blackrota, a highly obfuscated backdoor developed by Go
Cobalt Strike
2020-11-17cybleCyble
@online{cyble:20201117:oceanlotus:d33eb97, author = {Cyble}, title = {{OceanLotus Continues With Its Cyber Espionage Operations}}, date = {2020-11-17}, organization = {cyble}, url = {https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/}, language = {English}, urldate = {2020-11-18} } OceanLotus Continues With Its Cyber Espionage Operations
Cobalt Strike Meterpreter
2020-11-17Salesforce EngineeringJohn Althouse
@online{althouse:20201117:easily:172bd6d, author = {John Althouse}, title = {{Easily Identify Malicious Servers on the Internet with JARM}}, date = {2020-11-17}, organization = {Salesforce Engineering}, url = {https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a}, language = {English}, urldate = {2020-12-03} } Easily Identify Malicious Servers on the Internet with JARM
Cobalt Strike TrickBot
2020-11-15TrustnetMichael Wainshtain
@online{wainshtain:20201115:from:719b7ff, author = {Michael Wainshtain}, title = {{From virus alert to PowerShell Encrypted Loader}}, date = {2020-11-15}, organization = {Trustnet}, url = {https://www.trustnet.co.il/blog/virus-alert-to-powershell-encrypted-loader/}, language = {English}, urldate = {2021-07-26} } From virus alert to PowerShell Encrypted Loader
Cobalt Strike
2020-11-09Bleeping ComputerIonut Ilascu
@online{ilascu:20201109:fake:c6dd7b3, author = {Ionut Ilascu}, title = {{Fake Microsoft Teams updates lead to Cobalt Strike deployment}}, date = {2020-11-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/}, language = {English}, urldate = {2020-11-11} } Fake Microsoft Teams updates lead to Cobalt Strike deployment
Cobalt Strike DoppelPaymer NjRAT Predator The Thief Zloader
2020-11-06VolexitySteven Adair, Thomas Lancaster, Volexity Threat Research
@online{adair:20201106:oceanlotus:f7b11ac, author = {Steven Adair and Thomas Lancaster and Volexity Threat Research}, title = {{OceanLotus: Extending Cyber Espionage Operations Through Fake Websites}}, date = {2020-11-06}, organization = {Volexity}, url = {https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/}, language = {English}, urldate = {2020-11-09} } OceanLotus: Extending Cyber Espionage Operations Through Fake Websites
Cobalt Strike KerrDown APT32
2020-11-06Cobalt StrikeRaphael Mudge
@online{mudge:20201106:cobalt:05fe8fc, author = {Raphael Mudge}, title = {{Cobalt Strike 4.2 – Everything but the kitchen sink}}, date = {2020-11-06}, organization = {Cobalt Strike}, url = {https://blog.cobaltstrike.com/2020/11/06/cobalt-strike-4-2-everything-but-the-kitchen-sink/}, language = {English}, urldate = {2020-11-09} } Cobalt Strike 4.2 – Everything but the kitchen sink
Cobalt Strike
2020-11-06Palo Alto Networks Unit 42Ryan Tracey, Drew Schmitt, CRYPSIS
@online{tracey:20201106:indicators:1ec9384, author = {Ryan Tracey and Drew Schmitt and CRYPSIS}, title = {{Indicators of Compromise related to Cobaltstrike, PyXie Lite, Vatet and Defray777}}, date = {2020-11-06}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/}, language = {English}, urldate = {2020-11-12} } Indicators of Compromise related to Cobaltstrike, PyXie Lite, Vatet and Defray777
Cobalt Strike PyXie RansomEXX
2020-11-06Advanced IntelligenceVitali Kremez
@online{kremez:20201106:anatomy:b2ce3ae, author = {Vitali Kremez}, title = {{Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware "one" Group via Cobalt Strike}}, date = {2020-11-06}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike}, language = {English}, urldate = {2020-11-09} } Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware "one" Group via Cobalt Strike
BazarBackdoor Cobalt Strike Ryuk
2020-11-05The DFIR ReportThe DFIR Report
@online{report:20201105:ryuk:ceaa823, author = {The DFIR Report}, title = {{Ryuk Speed Run, 2 Hours to Ransom}}, date = {2020-11-05}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/}, language = {English}, urldate = {2020-11-06} } Ryuk Speed Run, 2 Hours to Ransom
BazarBackdoor Cobalt Strike Ryuk
2020-11-05Twitter (@ffforward)TheAnalyst
@online{theanalyst:20201105:zloader:c4bab85, author = {TheAnalyst}, title = {{Tweet on Zloader infection leads to Cobaltstrike Installation and deployment of RYUK}}, date = {2020-11-05}, organization = {Twitter (@ffforward)}, url = {https://twitter.com/ffforward/status/1324281530026524672}, language = {English}, urldate = {2020-11-09} } Tweet on Zloader infection leads to Cobaltstrike Installation and deployment of RYUK
Cobalt Strike Ryuk Zloader
2020-11-04VMRayGiovanni Vigna
@online{vigna:20201104:trick:a59a333, author = {Giovanni Vigna}, title = {{Trick or Threat: Ryuk ransomware targets the health care industry}}, date = {2020-11-04}, organization = {VMRay}, url = {https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/}, language = {English}, urldate = {2020-11-06} } Trick or Threat: Ryuk ransomware targets the health care industry
BazarBackdoor Cobalt Strike Ryuk TrickBot
2020-11-03InfoSec Handlers Diary BlogRenato Marinho
@online{marinho:20201103:attackers:9b3762b, author = {Renato Marinho}, title = {{Attackers Exploiting WebLogic Servers via CVE-2020-14882 to install Cobalt Strike}}, date = {2020-11-03}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/26752}, language = {English}, urldate = {2020-11-06} } Attackers Exploiting WebLogic Servers via CVE-2020-14882 to install Cobalt Strike
Cobalt Strike
2020-11-03Kaspersky LabsGReAT
@online{great:20201103:trends:febc159, author = {GReAT}, title = {{APT trends report Q3 2020}}, date = {2020-11-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q3-2020/99204/}, language = {English}, urldate = {2020-11-04} } APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti
2020-10-30Github (ThreatConnect-Inc)ThreatConnect
@online{threatconnect:20201030:unc:b3ae3d0, author = {ThreatConnect}, title = {{UNC 1878 Indicators from Threatconnect}}, date = {2020-10-30}, organization = {Github (ThreatConnect-Inc)}, url = {https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv}, language = {English}, urldate = {2020-11-06} } UNC 1878 Indicators from Threatconnect
BazarBackdoor Cobalt Strike Ryuk
2020-10-29RiskIQRiskIQ
@online{riskiq:20201029:ryuk:0643968, author = {RiskIQ}, title = {{Ryuk Ransomware: Extensive Attack Infrastructure Revealed}}, date = {2020-10-29}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/0bcefe76}, language = {English}, urldate = {2020-11-02} } Ryuk Ransomware: Extensive Attack Infrastructure Revealed
Cobalt Strike Ryuk
2020-10-29Red CanaryThe Red Canary Team
@online{team:20201029:bazar:1846b93, author = {The Red Canary Team}, title = {{A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak}}, date = {2020-10-29}, organization = {Red Canary}, url = {https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/}, language = {English}, urldate = {2020-11-02} } A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak
Cobalt Strike Ryuk TrickBot
2020-10-29Github (Swisscom)Swisscom CSIRT
@online{csirt:20201029:list:5fb0206, author = {Swisscom CSIRT}, title = {{List of CobaltStrike C2's used by RYUK}}, date = {2020-10-29}, organization = {Github (Swisscom)}, url = {https://github.com/swisscom/detections/blob/main/RYUK/cobaltstrike_c2s.txt}, language = {English}, urldate = {2020-11-02} } List of CobaltStrike C2's used by RYUK
Cobalt Strike
2020-10-28FireEyeKimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock
@online{goody:20201028:unhappy:c0d2e4b, author = {Kimberly Goody and Jeremy Kennelly and Joshua Shilko and Steve Elovitz and Douglas Bienstock}, title = {{Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser}}, date = {2020-10-28}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html}, language = {English}, urldate = {2020-11-02} } Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser
BazarBackdoor Cobalt Strike Ryuk UNC1878
2020-10-27Sophos Managed Threat Response (MTR)Greg Iddon
@online{iddon:20201027:mtr:3b62ca9, author = {Greg Iddon}, title = {{MTR Casebook: An active adversary caught in the act}}, date = {2020-10-27}, organization = {Sophos Managed Threat Response (MTR)}, url = {https://news.sophos.com/en-us/2020/10/27/mtr-casebook-an-active-adversary-caught-in-the-act/}, language = {English}, urldate = {2020-11-02} } MTR Casebook: An active adversary caught in the act
Cobalt Strike
2020-10-18The DFIR ReportThe DFIR Report
@online{report:20201018:ryuk:fbaadb8, author = {The DFIR Report}, title = {{Ryuk in 5 Hours}}, date = {2020-10-18}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/}, language = {English}, urldate = {2020-10-19} } Ryuk in 5 Hours
BazarBackdoor Cobalt Strike Ryuk
2020-10-14RiskIQSteve Ginty, Jon Gross
@online{ginty:20201014:wellmarked:9176303, author = {Steve Ginty and Jon Gross}, title = {{A Well-Marked Trail: Journeying through OceanLotus's Infrastructure}}, date = {2020-10-14}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/f0320980}, language = {English}, urldate = {2020-10-23} } A Well-Marked Trail: Journeying through OceanLotus's Infrastructure
Cobalt Strike
2020-10-14SophosSean Gallagher
@online{gallagher:20201014:theyre:99f5d1e, author = {Sean Gallagher}, title = {{They’re back: inside a new Ryuk ransomware attack}}, date = {2020-10-14}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/}, language = {English}, urldate = {2020-10-16} } They’re back: inside a new Ryuk ransomware attack
Cobalt Strike Ryuk SystemBC
2020-10-12Advanced IntelligenceRoman Marshanski, Vitali Kremez
@online{marshanski:20201012:front:686add1, author = {Roman Marshanski and Vitali Kremez}, title = {{"Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon}}, date = {2020-10-12}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon}, language = {English}, urldate = {2020-10-13} } "Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon
BazarBackdoor Cobalt Strike Ryuk
2020-10-11Github (StrangerealIntel)StrangerealIntel
@online{strangerealintel:20201011:chimera:a423a07, author = {StrangerealIntel}, title = {{Chimera, APT19 under the radar ?}}, date = {2020-10-11}, organization = {Github (StrangerealIntel)}, url = {https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md}, language = {English}, urldate = {2020-10-15} } Chimera, APT19 under the radar ?
Cobalt Strike Meterpreter
2020-10-08Bayerischer RundfunkHakan Tanriverdi, Max Zierer, Ann-Kathrin Wetter, Kai Biermann, Thi Do Nguyen
@online{tanriverdi:20201008:there:620f4e7, author = {Hakan Tanriverdi and Max Zierer and Ann-Kathrin Wetter and Kai Biermann and Thi Do Nguyen}, title = {{There is no safe place}}, date = {2020-10-08}, organization = {Bayerischer Rundfunk}, url = {https://web.br.de/interaktiv/ocean-lotus/en/}, language = {English}, urldate = {2020-10-12} } There is no safe place
Cobalt Strike
2020-10-08The DFIR ReportThe DFIR Report
@online{report:20201008:ryuks:e47d8fa, author = {The DFIR Report}, title = {{Ryuk’s Return}}, date = {2020-10-08}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/10/08/ryuks-return/}, language = {English}, urldate = {2020-10-09} } Ryuk’s Return
BazarBackdoor Cobalt Strike Ryuk
2020-10-02Health Sector Cybersecurity Coordination Center (HC3)Health Sector Cybersecurity Coordination Center (HC3)
@techreport{hc3:20201002:report:0ca373f, author = {Health Sector Cybersecurity Coordination Center (HC3)}, title = {{Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns}}, date = {2020-10-02}, institution = {Health Sector Cybersecurity Coordination Center (HC3)}, url = {https://www.hhs.gov/sites/default/files/bazarloader.pdf}, language = {English}, urldate = {2020-11-02} } Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns
BazarBackdoor Cobalt Strike Ryuk TrickBot
2020-10-01WiredAndy Greenberg
@online{greenberg:20201001:russias:3440982, author = {Andy Greenberg}, title = {{Russia’s Fancy Bear Hackers Likely Penetrated a US Federal Agency}}, date = {2020-10-01}, organization = {Wired}, url = {https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/}, language = {English}, urldate = {2020-10-05} } Russia’s Fancy Bear Hackers Likely Penetrated a US Federal Agency
Cobalt Strike Meterpreter
2020-10-01US-CERTUS-CERT
@online{uscert:20201001:alert:a46c3d4, author = {US-CERT}, title = {{Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions}}, date = {2020-10-01}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-275a}, language = {English}, urldate = {2020-10-04} } Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions
CHINACHOPPER Cobalt Strike Empire Downloader MimiKatz Poison Ivy
2020-09-29CrowdStrikeKareem Hamdan, Lucas Miller
@online{hamdan:20200929:getting:c01923a, author = {Kareem Hamdan and Lucas Miller}, title = {{Getting the Bacon from the Beacon}}, date = {2020-09-29}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/}, language = {English}, urldate = {2020-10-05} } Getting the Bacon from the Beacon
Cobalt Strike
2020-09-29Github (Apr4h)Apra
@online{apra:20200929:cobaltstrikescan:ab5f221, author = {Apra}, title = {{CobaltStrikeScan}}, date = {2020-09-29}, organization = {Github (Apr4h)}, url = {https://github.com/Apr4h/CobaltStrikeScan}, language = {English}, urldate = {2020-10-05} } CobaltStrikeScan
Cobalt Strike
2020-09-24US-CERTUS-CERT
@online{uscert:20200924:analysis:e1e4cc0, author = {US-CERT}, title = {{Analysis Report (AR20-268A): Federal Agency Compromised by Malicious Cyber Actor}}, date = {2020-09-24}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a}, language = {English}, urldate = {2020-10-13} } Analysis Report (AR20-268A): Federal Agency Compromised by Malicious Cyber Actor
Cobalt Strike Meterpreter
2020-09-21Cisco TalosNick Mavis, Joe Marshall, JON MUNSHAW
@techreport{mavis:20200921:art:d9702a4, author = {Nick Mavis and Joe Marshall and JON MUNSHAW}, title = {{The art and science of detecting Cobalt Strike}}, date = {2020-09-21}, institution = {Cisco Talos}, url = {https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf}, language = {English}, urldate = {2020-09-23} } The art and science of detecting Cobalt Strike
Cobalt Strike
2020-09-18Trend Micro