Wizard Spider is reportedly associated with Grim Spider and Lunar Spider.
The WIZARD SPIDER threat group is the Russia-based operator of the TrickBot banking malware. This group represents a growing criminal enterprise of which GRIM SPIDER appears to be a subset. The LUNAR SPIDER threat group is the Eastern European-based operator and developer of the commodity banking malware called BokBot (aka IcedID), which was first observed in April 2017. The BokBot malware provides LUNAR SPIDER affiliates with a variety of capabilities to enable credential theft and wire fraud, through the use of webinjects and a malware distribution function.
GRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell. The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past.
2021-10-08 ⋅ Zscaler ⋅ Tarun Dewan, Lenart Brave
@online{dewan:20211008:new:b97c20c,
author = {Tarun Dewan and Lenart Brave},
title = {{New Trickbot and BazarLoader campaigns use multiple delivery vectorsi}},
date = {2021-10-08},
organization = {Zscaler},
url = {https://www.zscaler.com/blogs/security-research/new-trickbot-and-bazarloader-campaigns-use-multiple-delivery-vectors},
language = {English},
urldate = {2021-10-14}
}
New Trickbot and BazarLoader campaigns use multiple delivery vectorsi
BazarBackdoor TrickBot |
2021-10-07 ⋅ Mandiant ⋅ Joshua Shilko, Zach Riddle, Jennifer Brooks, Genevieve Stark, Adam Brunner, Kimberly Goody, Jeremy Kennelly
@online{shilko:20211007:fin12:43d89f5,
author = {Joshua Shilko and Zach Riddle and Jennifer Brooks and Genevieve Stark and Adam Brunner and Kimberly Goody and Jeremy Kennelly},
title = {{FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets}},
date = {2021-10-07},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets},
language = {English},
urldate = {2021-10-08}
}
FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets
BazarBackdoor GRIMAGENT Ryuk |
2021-10-05 ⋅ Trend Micro ⋅ Fyodor Yarochkin, Janus Agcaoili, Byron Gelera, Nikko Tamana
@online{yarochkin:20211005:ransomware:e5f5375,
author = {Fyodor Yarochkin and Janus Agcaoili and Byron Gelera and Nikko Tamana},
title = {{Ransomware as a Service: Enabler of Widespread Attacks}},
date = {2021-10-05},
organization = {Trend Micro},
url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks},
language = {English},
urldate = {2021-10-20}
}
Ransomware as a Service: Enabler of Widespread Attacks
Cerber Conti DarkSide Gandcrab Locky Nefilim REvil Ryuk |
2021-10-04 ⋅ Cisco ⋅ Tiago Pereira
@online{pereira:20211004:threat:9f493e1,
author = {Tiago Pereira},
title = {{Threat hunting in large datasets by clustering security events}},
date = {2021-10-04},
organization = {Cisco},
url = {https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html},
language = {English},
urldate = {2021-10-20}
}
Threat hunting in large datasets by clustering security events
BazarBackdoor TrickBot |
2021-09-16 ⋅ RiskIQ ⋅ RiskIQ
@online{riskiq:20210916:untangling:d1e0f1b,
author = {RiskIQ},
title = {{Untangling the Spider Web: The Curious Connection Between WIZARD SPIDER’s Ransomware Infrastructure and a Windows Zero-Day Exploit}},
date = {2021-09-16},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/c88cf7e6},
language = {English},
urldate = {2021-09-19}
}
Untangling the Spider Web: The Curious Connection Between WIZARD SPIDER’s Ransomware Infrastructure and a Windows Zero-Day Exploit
Cobalt Strike Ryuk |
2021-09-06 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20210906:trickbot:652a467,
author = {Lawrence Abrams},
title = {{TrickBot gang developer arrested when trying to leave Korea}},
date = {2021-09-06},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/trickbot-gang-developer-arrested-when-trying-to-leave-korea/},
language = {English},
urldate = {2021-09-10}
}
TrickBot gang developer arrested when trying to leave Korea
Diavol TrickBot |
2021-09-03 ⋅ Trend Micro ⋅ Mohamad Mokbel
@techreport{mokbel:20210903:state:df86499,
author = {Mohamad Mokbel},
title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}},
date = {2021-09-03},
institution = {Trend Micro},
url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf},
language = {English},
urldate = {2021-09-19}
}
The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader |
2021-08-05 ⋅ KrebsOnSecurity ⋅ Brian Krebs
@online{krebs:20210805:ransomware:0962b82,
author = {Brian Krebs},
title = {{Ransomware Gangs and the Name Game Distraction}},
date = {2021-08-05},
organization = {KrebsOnSecurity},
url = {https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/},
language = {English},
urldate = {2021-08-06}
}
Ransomware Gangs and the Name Game Distraction
DarkSide RansomEXX Babuk Cerber Conti DarkSide DoppelPaymer Egregor FriedEx Gandcrab Hermes Ransomware Maze RansomEXX REvil Ryuk Sekhmet |
2021-08-01 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20210801:bazarcall:bb6829b,
author = {The DFIR Report},
title = {{BazarCall to Conti Ransomware via Trickbot and Cobalt Strike}},
date = {2021-08-01},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/},
language = {English},
urldate = {2021-08-02}
}
BazarCall to Conti Ransomware via Trickbot and Cobalt Strike
BazarBackdoor Cobalt Strike Conti TrickBot |
2021-07-21 ⋅ splunk ⋅ Splunk Threat Research Team
@online{team:20210721:detecting:ceb179f,
author = {Splunk Threat Research Team},
title = {{Detecting Trickbot with Splunk}},
date = {2021-07-21},
organization = {splunk},
url = {https://www.splunk.com/en_us/blog/security/detecting-trickbots.html},
language = {English},
urldate = {2021-07-22}
}
Detecting Trickbot with Splunk
TrickBot |
2021-07-15 ⋅ Kryptos Logic ⋅ Kryptos Logic Vantage Team
@online{team:20210715:adjusting:3aa9a65,
author = {Kryptos Logic Vantage Team},
title = {{Adjusting the Anchor}},
date = {2021-07-15},
organization = {Kryptos Logic},
url = {https://www.kryptoslogic.com/blog/2021/07/adjusting-the-anchor/},
language = {English},
urldate = {2021-07-24}
}
Adjusting the Anchor
Anchor |
2021-07-12 ⋅ Bitdefender ⋅ Radu Tudorica, Bogdan Botezatu
@techreport{tudorica:20210712:fresh:d1d9d75,
author = {Radu Tudorica and Bogdan Botezatu},
title = {{A Fresh Look at Trickbot’s Ever-Improving VNC Module}},
date = {2021-07-12},
institution = {Bitdefender},
url = {https://www.bitdefender.com/files/News/CaseStudies/study/399/Bitdefender-PR-Whitepaper-Trickbot-creat5515-en-EN.pdf},
language = {English},
urldate = {2021-07-19}
}
A Fresh Look at Trickbot’s Ever-Improving VNC Module
TrickBot |
2021-07-07 ⋅ McAfee ⋅ McAfee Labs
@techreport{labs:20210707:ryuk:ee88024,
author = {McAfee Labs},
title = {{Ryuk Ransomware Now Targeting Webservers}},
date = {2021-07-07},
institution = {McAfee},
url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-ryuk-ransomware-targeting-webservers.pdf},
language = {English},
urldate = {2021-07-11}
}
Ryuk Ransomware Now Targeting Webservers
Cobalt Strike Ryuk |
2021-07-02 ⋅ The Record ⋅ Catalin Cimpanu
@online{cimpanu:20210702:trickbot:7d2b9f7,
author = {Catalin Cimpanu},
title = {{TrickBot: New attacks see the botnet deploy new banking module, new ransomware}},
date = {2021-07-02},
organization = {The Record},
url = {https://therecord.media/trickbot-new-attacks-see-the-botnet-deploy-new-banking-module-new-ransomware/},
language = {English},
urldate = {2021-07-05}
}
TrickBot: New attacks see the botnet deploy new banking module, new ransomware
TrickBot |
2021-07-01 ⋅ Kryptos Logic ⋅ Kryptos Logic Vantage Team
@online{team:20210701:trickbot:1df5ec3,
author = {Kryptos Logic Vantage Team},
title = {{TrickBot and Zeus}},
date = {2021-07-01},
organization = {Kryptos Logic},
url = {https://www.kryptoslogic.com/blog/2021/07/trickbot-and-zeus/},
language = {English},
urldate = {2021-07-11}
}
TrickBot and Zeus
TrickBot Zeus |
2021-06-16 ⋅ Proofpoint ⋅ Selena Larson, Daniel Blackford, Garrett M. Graff
@online{larson:20210616:first:2e436a0,
author = {Selena Larson and Daniel Blackford and Garrett M. Graff},
title = {{The First Step: Initial Access Leads to Ransomware}},
date = {2021-06-16},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware},
language = {English},
urldate = {2021-06-21}
}
The First Step: Initial Access Leads to Ransomware
BazarBackdoor Egregor IcedID Maze QakBot REvil Ryuk TrickBot WastedLocker |
2021-06-09 ⋅ Twitter (@SecurityJoes) ⋅ SecurityJoes
@online{securityjoes:20210609:net:13f2b90,
author = {SecurityJoes},
title = {{Tweet on .NET builder of a Ryuk imposter malware}},
date = {2021-06-09},
organization = {Twitter (@SecurityJoes)},
url = {https://twitter.com/SecurityJoes/status/1402603695578157057},
language = {English},
urldate = {2021-06-16}
}
Tweet on .NET builder of a Ryuk imposter malware
Ryuk |
2021-06-07 ⋅ Medium walmartglobaltech ⋅ Joshua Platt, Jason Reaves
@online{platt:20210607:inside:6c363a7,
author = {Joshua Platt and Jason Reaves},
title = {{Inside the SystemBC Malware-As-A-Service}},
date = {2021-06-07},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6},
language = {English},
urldate = {2021-06-08}
}
Inside the SystemBC Malware-As-A-Service
Ryuk SystemBC TrickBot |
2021-06-04 ⋅ The Record ⋅ Catalin Cimpanu
@online{cimpanu:20210604:us:20a6d26,
author = {Catalin Cimpanu},
title = {{US arrests Latvian woman who worked on Trickbot malware source code}},
date = {2021-06-04},
organization = {The Record},
url = {https://therecord.media/us-arrests-latvian-woman-who-worked-on-trickbot-malware-source-code/},
language = {English},
urldate = {2021-06-16}
}
US arrests Latvian woman who worked on Trickbot malware source code
TrickBot |
2021-06-04 ⋅ Department of Justice ⋅ Office of Public Affairs
@online{affairs:20210604:latvian:4403f09,
author = {Office of Public Affairs},
title = {{Latvian National Charged for Alleged Role in Transnational Cybercrime Organization}},
date = {2021-06-04},
organization = {Department of Justice},
url = {https://www.justice.gov/opa/pr/latvian-national-charged-alleged-role-transnational-cybercrime-organization},
language = {English},
urldate = {2021-06-16}
}
Latvian National Charged for Alleged Role in Transnational Cybercrime Organization
TrickBot |
2021-05-22 ⋅ Youtube (ACPEnw) ⋅ YouTube (ACPEnw)
@online{acpenw:20210522:lessons:6747f56,
author = {YouTube (ACPEnw)},
title = {{Lessons Learned from a Cyber Attack System Admin Perspective}},
date = {2021-05-22},
organization = {Youtube (ACPEnw)},
url = {https://www.youtube.com/watch?v=HwfRxjV2wok},
language = {English},
urldate = {2021-06-21}
}
Lessons Learned from a Cyber Attack System Admin Perspective
Ryuk |
2021-05-19 ⋅ Intel 471 ⋅ Intel 471
@online{471:20210519:look:5ba9516,
author = {Intel 471},
title = {{Look how many cybercriminals love Cobalt Strike}},
date = {2021-05-19},
organization = {Intel 471},
url = {https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor},
language = {English},
urldate = {2021-05-19}
}
Look how many cybercriminals love Cobalt Strike
BazarBackdoor Cobalt Strike Hancitor QakBot SmokeLoader SystemBC TrickBot |
2021-05-18 ⋅ The Record ⋅ Catalin Cimpanu
@online{cimpanu:20210518:darkside:14b6690,
author = {Catalin Cimpanu},
title = {{Darkside gang estimated to have made over $90 million from ransomware attacks}},
date = {2021-05-18},
organization = {The Record},
url = {https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/},
language = {English},
urldate = {2021-05-19}
}
Darkside gang estimated to have made over $90 million from ransomware attacks
DarkSide DarkSide Mailto Maze REvil Ryuk |
2021-05-18 ⋅ Bleeping Computer ⋅ Ionut Ilascu
@online{ilascu:20210518:darkside:d8e345b,
author = {Ionut Ilascu},
title = {{DarkSide ransomware made $90 million in just nine months}},
date = {2021-05-18},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/},
language = {English},
urldate = {2021-06-07}
}
DarkSide ransomware made $90 million in just nine months
DarkSide DarkSide Egregor Gandcrab Mailto Maze REvil Ryuk |
2021-05-11 ⋅ Mal-Eats ⋅ mal_eats
@online{maleats:20210511:campo:0305ab9,
author = {mal_eats},
title = {{Campo, a New Attack Campaign Targeting Japan}},
date = {2021-05-11},
organization = {Mal-Eats},
url = {https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/},
language = {English},
urldate = {2021-06-01}
}
Campo, a New Attack Campaign Targeting Japan
Anchor_DNS BazarBackdoor campoloader Cobalt Strike Phobos Snifula TrickBot Zloader |
2021-05-10 ⋅ Mal-Eats ⋅ mal_eats
@online{maleats:20210510:overview:50ff3b3,
author = {mal_eats},
title = {{Overview of Campo, a new attack campaign targeting Japan}},
date = {2021-05-10},
organization = {Mal-Eats},
url = {https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/},
language = {English},
urldate = {2021-05-13}
}
Overview of Campo, a new attack campaign targeting Japan
Anchor_DNS BazarBackdoor Cobalt Strike ISFB Phobos TrickBot Zloader |
2021-05-06 ⋅ Sophos Labs ⋅ Tilly Travers, Bill Kearney, Kyle Link, Peter Mackenzie, Matthew Sharf
@online{travers:20210506:mtr:1f2feb4,
author = {Tilly Travers and Bill Kearney and Kyle Link and Peter Mackenzie and Matthew Sharf},
title = {{MTR in Real Time: Pirates pave way for Ryuk ransomware}},
date = {2021-05-06},
organization = {Sophos Labs},
url = {https://news.sophos.com/en-us/2021/05/06/mtr-in-real-time-pirates-pave-way-for-ryuk-ransomware/},
language = {English},
urldate = {2021-05-13}
}
MTR in Real Time: Pirates pave way for Ryuk ransomware
Ryuk |
2021-05-06 ⋅ Cyborg Security ⋅ Brandon Denker
@online{denker:20210506:ransomware:a1f31df,
author = {Brandon Denker},
title = {{Ransomware: Hunting for Inhibiting System Backup or Recovery}},
date = {2021-05-06},
organization = {Cyborg Security},
url = {https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/},
language = {English},
urldate = {2021-05-08}
}
Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX |
2021-05-05 ⋅ RiskIQ ⋅ Kelsey Clapp
@online{clapp:20210505:viruses:aab7c1a,
author = {Kelsey Clapp},
title = {{Viruses to Violations - TrickBot's Shift in Tactics During the Pandemic}},
date = {2021-05-05},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/298c9fc9},
language = {English},
urldate = {2021-05-26}
}
Viruses to Violations - TrickBot's Shift in Tactics During the Pandemic
TrickBot |
2021-05-02 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20210502:trickbot:242b786,
author = {The DFIR Report},
title = {{Trickbot Brief: Creds and Beacons}},
date = {2021-05-02},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/},
language = {English},
urldate = {2021-05-04}
}
Trickbot Brief: Creds and Beacons
Cobalt Strike TrickBot |
2021-04-26 ⋅ CoveWare ⋅ CoveWare
@online{coveware:20210426:ransomware:12586d5,
author = {CoveWare},
title = {{Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound}},
date = {2021-04-26},
organization = {CoveWare},
url = {https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound},
language = {English},
urldate = {2021-05-13}
}
Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound
Avaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt |
2021-04-17 ⋅ Advanced Intelligence ⋅ Vitali Kremez, Al Calleo, Yelisey Boguslavskiy
@online{kremez:20210417:adversary:197fcfa,
author = {Vitali Kremez and Al Calleo and Yelisey Boguslavskiy},
title = {{Adversary Dossier: Ryuk Ransomware Anatomy of an Attack in 2021}},
date = {2021-04-17},
organization = {Advanced Intelligence},
url = {https://www.advanced-intel.com/post/adversary-dossier-ryuk-ransomware-anatomy-of-an-attack-in-2021},
language = {English},
urldate = {2021-04-19}
}
Adversary Dossier: Ryuk Ransomware Anatomy of an Attack in 2021
Ryuk |
2021-04-15 ⋅ Proofpoint ⋅ Selena Larson
@online{larson:20210415:threat:cdfef32,
author = {Selena Larson},
title = {{Threat Actors Pair Tax-Themed Lures With COVID-19, Healthcare Themes}},
date = {2021-04-15},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/blog/security-briefs/threat-actors-pair-tax-themed-lures-covid-19-healthcare-themes},
language = {English},
urldate = {2021-08-23}
}
Threat Actors Pair Tax-Themed Lures With COVID-19, Healthcare Themes
Dridex TrickBot |
2021-04-14 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
@online{duncan:20210414:april:4a29cb5,
author = {Brad Duncan},
title = {{April 2021 Forensic Quiz: Answers and Analysis}},
date = {2021-04-14},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/27308},
language = {English},
urldate = {2021-04-14}
}
April 2021 Forensic Quiz: Answers and Analysis
Anchor BazarBackdoor Cobalt Strike |
2021-04-07 ⋅ ANALYST1 ⋅ Jon DiMaggio
@techreport{dimaggio:20210407:ransom:a543eac,
author = {Jon DiMaggio},
title = {{Ransom Mafia Analysis of the World's First Ransomware Cartel}},
date = {2021-04-07},
institution = {ANALYST1},
url = {https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf},
language = {English},
urldate = {2021-04-09}
}
Ransom Mafia Analysis of the World's First Ransomware Cartel
Conti Egregor LockBit Maze RagnarLocker Ryuk SunCrypt TA2101 VIKING SPIDER |
2021-04-06 ⋅ Intel 471 ⋅ Intel 471
@online{471:20210406:ettersilent:b591f59,
author = {Intel 471},
title = {{EtterSilent: the underground’s new favorite maldoc builder}},
date = {2021-04-06},
organization = {Intel 471},
url = {https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/},
language = {English},
urldate = {2021-04-06}
}
EtterSilent: the underground’s new favorite maldoc builder
BazarBackdoor ISFB QakBot TrickBot |
2021-04-05 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt
@online{reaves:20210405:trickbot:a6b0592,
author = {Jason Reaves and Joshua Platt},
title = {{TrickBot Crews New CobaltStrike Loader}},
date = {2021-04-05},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c},
language = {English},
urldate = {2021-04-06}
}
TrickBot Crews New CobaltStrike Loader
Cobalt Strike TrickBot |
2021-03-31 ⋅ Red Canary ⋅ Red Canary
@techreport{canary:20210331:2021:cd81f2d,
author = {Red Canary},
title = {{2021 Threat Detection Report}},
date = {2021-03-31},
institution = {Red Canary},
url = {https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf},
language = {English},
urldate = {2021-04-06}
}
2021 Threat Detection Report
Shlayer Andromeda Cobalt Strike Dridex Emotet IcedID MimiKatz QakBot TrickBot |
2021-03-31 ⋅ Kaspersky ⋅ Kaspersky
@online{kaspersky:20210331:financial:3371aa0,
author = {Kaspersky},
title = {{Financial Cyberthreats in 2020}},
date = {2021-03-31},
organization = {Kaspersky},
url = {https://securelist.com/financial-cyberthreats-in-2020/101638/},
language = {English},
urldate = {2021-04-06}
}
Financial Cyberthreats in 2020
BetaBot DanaBot Emotet Gozi Ramnit RTM SpyEye TrickBot Zeus |
2021-03-21 ⋅ Blackberry ⋅ Blackberry Research
@techreport{research:20210321:2021:a393473,
author = {Blackberry Research},
title = {{2021 Threat Report}},
date = {2021-03-21},
institution = {Blackberry},
url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf},
language = {English},
urldate = {2021-03-25}
}
2021 Threat Report
Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot |
2021-03-17 ⋅ Palo Alto Networks Unit 42 ⋅ Unit42
@techreport{unit42:20210317:ransomware:504cc32,
author = {Unit42},
title = {{Ransomware Threat Report 2021}},
date = {2021-03-17},
institution = {Palo Alto Networks Unit 42},
url = {https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf},
language = {English},
urldate = {2021-03-19}
}
Ransomware Threat Report 2021
RansomEXX Dharma DoppelPaymer Gandcrab Mailto Maze Phobos RansomEXX REvil Ryuk WastedLocker |
2021-03-17 ⋅ CISA ⋅ US-CERT
@online{uscert:20210317:alert:5d25361,
author = {US-CERT},
title = {{Alert (AA21-076A): TrickBot Malware}},
date = {2021-03-17},
organization = {CISA},
url = {https://us-cert.cisa.gov/ncas/alerts/aa21-076a},
language = {English},
urldate = {2021-03-19}
}
Alert (AA21-076A): TrickBot Malware
TrickBot |
2021-03-08 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20210308:bazar:ba050d7,
author = {The DFIR Report},
title = {{Bazar Drops the Anchor}},
date = {2021-03-08},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/},
language = {English},
urldate = {2021-03-10}
}
Bazar Drops the Anchor
Anchor BazarBackdoor Cobalt Strike |
2021-03-04 ⋅ NCC Group ⋅ Ollie Whitehouse
@online{whitehouse:20210304:deception:7435450,
author = {Ollie Whitehouse},
title = {{Deception Engineering: exploring the use of Windows Service Canaries against ransomware}},
date = {2021-03-04},
organization = {NCC Group},
url = {https://research.nccgroup.com/2021/03/04/deception-engineering-exploring-the-use-of-windows-service-canaries-against-ransomware/},
language = {English},
urldate = {2021-03-11}
}
Deception Engineering: exploring the use of Windows Service Canaries against ransomware
Ryuk |
2021-03 ⋅ CCN-CERT ⋅ CCN-CERT
@online{ccncert:202103:informe:1628d52,
author = {CCN-CERT},
title = {{Informe Código DañinoCCN-CERT ID-03/21: RyukRansomware}},
date = {2021-03},
organization = {CCN-CERT},
url = {https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/5768-ccn-cert-id-03-21-ryuk-ransomware/file.html},
language = {Spanish},
urldate = {2021-03-19}
}
Informe Código DañinoCCN-CERT ID-03/21: RyukRansomware
Ryuk |
2021-03-01 ⋅ YouTube ( Malware_Analyzing_&_RE_Tips_Tricks) ⋅ Jiří Vinopal
@online{vinopal:20210301:ryuk:333699d,
author = {Jiří Vinopal},
title = {{Ryuk Ransomware - Advanced using of Scylla for Imports reconstruction}},
date = {2021-03-01},
organization = {YouTube ( Malware_Analyzing_&_RE_Tips_Tricks)},
url = {https://www.youtube.com/watch?v=Of_KjNG9DHc},
language = {English},
urldate = {2021-03-02}
}
Ryuk Ransomware - Advanced using of Scylla for Imports reconstruction
Ryuk |
2021-03 ⋅ Group-IB ⋅ Oleg Skulkin, Roman Rezvukhin, Semyon Rogachev
@techreport{skulkin:202103:ransomware:992ca10,
author = {Oleg Skulkin and Roman Rezvukhin and Semyon Rogachev},
title = {{Ransomware Uncovered 2020/2021}},
date = {2021-03},
institution = {Group-IB},
url = {https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf},
language = {English},
urldate = {2021-06-16}
}
Ransomware Uncovered 2020/2021
RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader |
2021-02-28 ⋅ PWC UK ⋅ PWC UK
@techreport{uk:20210228:cyber:bd780cd,
author = {PWC UK},
title = {{Cyber Threats 2020: A Year in Retrospect}},
date = {2021-02-28},
institution = {PWC UK},
url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf},
language = {English},
urldate = {2021-03-04}
}
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare |
2021-02-27 ⋅ 4rchibld ⋅ 4rchibld
@online{4rchibld:20210227:nice:e7960f8,
author = {4rchibld},
title = {{Nice to meet you, too. My name is Ryuk.}},
date = {2021-02-27},
organization = {4rchibld},
url = {https://4rchib4ld.github.io/blog/NiceToMeetYouRyuk/},
language = {English},
urldate = {2021-05-11}
}
Nice to meet you, too. My name is Ryuk.
Ryuk |
2021-02-25 ⋅ ANSSI ⋅ CERT-FR
@techreport{certfr:20210225:ryuk:7895e12,
author = {CERT-FR},
title = {{Ryuk Ransomware}},
date = {2021-02-25},
institution = {ANSSI},
url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf},
language = {English},
urldate = {2021-03-02}
}
Ryuk Ransomware
BazarBackdoor Buer Conti Emotet Ryuk TrickBot |
2021-02-24 ⋅ IBM ⋅ IBM SECURITY X-FORCE
@online{xforce:20210224:xforce:ac9a90e,
author = {IBM SECURITY X-FORCE},
title = {{X-Force Threat Intelligence Index 2021}},
date = {2021-02-24},
organization = {IBM},
url = {https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89},
language = {English},
urldate = {2021-03-02}
}
X-Force Threat Intelligence Index 2021
Emotet QakBot Ramnit REvil TrickBot |
2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f,
author = {CrowdStrike},
title = {{2021 Global Threat Report}},
date = {2021-02-23},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf},
language = {English},
urldate = {2021-02-25}
}
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER |
2021-02-22 ⋅ YouTube ( Malware_Analyzing_&_RE_Tips_Tricks) ⋅ Jiří Vinopal
@online{vinopal:20210222:ryuk:e9c5fb4,
author = {Jiří Vinopal},
title = {{Ryuk Ransomware API Resolving in 10 minutes}},
date = {2021-02-22},
organization = {YouTube ( Malware_Analyzing_&_RE_Tips_Tricks)},
url = {https://www.youtube.com/watch?v=7xxRunBP5XA},
language = {English},
urldate = {2021-02-25}
}
Ryuk Ransomware API Resolving in 10 minutes
Ryuk |
2021-02-16 ⋅ Proofpoint ⋅ Proofpoint Threat Research Team
@online{team:20210216:q4:4a82474,
author = {Proofpoint Threat Research Team},
title = {{Q4 2020 Threat Report: A Quarterly Analysis of Cybersecurity Trends, Tactics and Themes}},
date = {2021-02-16},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/blog/threat-insight/q4-2020-threat-report-quarterly-analysis-cybersecurity-trends-tactics-and-themes},
language = {English},
urldate = {2021-05-31}
}
Q4 2020 Threat Report: A Quarterly Analysis of Cybersecurity Trends, Tactics and Themes
Emotet Ryuk NARWHAL SPIDER |
2021-02-11 ⋅ CTI LEAGUE ⋅ CTI LEAGUE
@techreport{league:20210211:ctil:69c2ab8,
author = {CTI LEAGUE},
title = {{CTIL Darknet Report – 2021}},
date = {2021-02-11},
institution = {CTI LEAGUE},
url = {https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf},
language = {English},
urldate = {2021-02-20}
}
CTIL Darknet Report – 2021
Conti Mailto Maze REvil Ryuk |
2021-02-08 ⋅ ESET Research ⋅ ESET Research
@techreport{research:20210208:threat:fc2b885,
author = {ESET Research},
title = {{THREAT REPORT Q4 2020}},
date = {2021-02-08},
institution = {ESET Research},
url = {https://www.welivesecurity.com/wp-content/uploads/2021/02/ESET_Threat_Report_Q42020.pdf},
language = {English},
urldate = {2021-02-09}
}
THREAT REPORT Q4 2020
TrickBot |
2021-02-04 ⋅ ClearSky ⋅ ClearSky Research Team
@techreport{team:20210204:conti:27cb3a2,
author = {ClearSky Research Team},
title = {{CONTI Modus Operandi and Bitcoin Tracking}},
date = {2021-02-04},
institution = {ClearSky},
url = {https://www.clearskysec.com/wp-content/uploads/2021/02/Conti-Ransomware.pdf},
language = {English},
urldate = {2021-02-06}
}
CONTI Modus Operandi and Bitcoin Tracking
Conti Ryuk |
2021-02-02 ⋅ CRONUP ⋅ Germán Fernández
@online{fernndez:20210202:de:6ff4f3a,
author = {Germán Fernández},
title = {{De ataque con Malware a incidente de Ransomware}},
date = {2021-02-02},
organization = {CRONUP},
url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware},
language = {Spanish},
urldate = {2021-03-02}
}
De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader |
2021-02-01 ⋅ Twitter (@IntelAdvanced) ⋅ Advanced Intelligence
@online{intelligence:20210201:active:0a4f59f,
author = {Advanced Intelligence},
title = {{Tweet on Active Directory Exploitation by RYUK "one" group}},
date = {2021-02-01},
organization = {Twitter (@IntelAdvanced)},
url = {https://twitter.com/IntelAdvanced/status/1356114606780002308},
language = {English},
urldate = {2021-02-04}
}
Tweet on Active Directory Exploitation by RYUK "one" group
Ryuk |
2021-02-01 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team
@online{team:20210201:what:2e12897,
author = {Microsoft 365 Defender Threat Intelligence Team},
title = {{What tracking an attacker email infrastructure tells us about persistent cybercriminal operations}},
date = {2021-02-01},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/},
language = {English},
urldate = {2021-02-02}
}
What tracking an attacker email infrastructure tells us about persistent cybercriminal operations
Dridex Emotet Makop Ransomware SmokeLoader TrickBot |
2021-02-01 ⋅ Kryptos Logic ⋅ Kryptos Logic Vantage Team
@online{team:20210201:trickbot:8ae2189,
author = {Kryptos Logic Vantage Team},
title = {{Trickbot masrv Module}},
date = {2021-02-01},
organization = {Kryptos Logic},
url = {https://www.kryptoslogic.com/blog/2021/02/trickbot-masrv-module/},
language = {English},
urldate = {2021-02-02}
}
Trickbot masrv Module
TrickBot |
2021-01-31 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20210131:bazar:c3b3859,
author = {The DFIR Report},
title = {{Bazar, No Ryuk?}},
date = {2021-01-31},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/01/31/bazar-no-ryuk/},
language = {English},
urldate = {2021-02-02}
}
Bazar, No Ryuk?
BazarBackdoor Cobalt Strike Ryuk |
2021-01-28 ⋅ Youtube (Virus Bulletin) ⋅ Benoît Ancel
@online{ancel:20210128:bagsu:7de60de,
author = {Benoît Ancel},
title = {{The Bagsu banker case}},
date = {2021-01-28},
organization = {Youtube (Virus Bulletin)},
url = {https://www.youtube.com/watch?v=EyDiIAt__dI},
language = {English},
urldate = {2021-02-01}
}
The Bagsu banker case
Azorult DreamBot Emotet Pony TrickBot ZeusAction |
2021-01-28 ⋅ Huntress Labs ⋅ John Hammond
@techreport{hammond:20210128:analyzing:2f8dae2,
author = {John Hammond},
title = {{Analyzing Ryuk Another Link in the Cyber Attack Chain}},
date = {2021-01-28},
institution = {Huntress Labs},
url = {https://storage.pardot.com/652283/16118467480sqebwq7/MSP_Security_Summit___John_Hammond_Huntress___Analyzing_Ryuk.pdf},
language = {English},
urldate = {2021-01-29}
}
Analyzing Ryuk Another Link in the Cyber Attack Chain
BazarBackdoor Ryuk |
2021-01-26 ⋅ IBM ⋅ Nir Shwarts
@online{shwarts:20210126:trickbots:a200e92,
author = {Nir Shwarts},
title = {{TrickBot’s Survival Instinct Prevails — What’s Different About the TrickBoot Version?}},
date = {2021-01-26},
organization = {IBM},
url = {https://securityintelligence.com/posts/trickbot-survival-instinct-trickboot-version/},
language = {English},
urldate = {2021-01-27}
}
TrickBot’s Survival Instinct Prevails — What’s Different About the TrickBoot Version?
TrickBot |
2021-01-25 ⋅ Twitter (@IntelAdvanced) ⋅ Advanced Intelligence
@online{intelligence:20210125:ryuk:25a96a7,
author = {Advanced Intelligence},
title = {{Tweet on Ryuk Ransomware group's post exploitation tactics including usage of Keethief tool}},
date = {2021-01-25},
organization = {Twitter (@IntelAdvanced)},
url = {https://twitter.com/IntelAdvanced/status/1353546534676258816},
language = {English},
urldate = {2021-01-25}
}
Tweet on Ryuk Ransomware group's post exploitation tactics including usage of Keethief tool
Ryuk |
2021-01-20 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt
@online{reaves:20210120:anchor:b1e153f,
author = {Jason Reaves and Joshua Platt},
title = {{Anchor and Lazarus together again?}},
date = {2021-01-20},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/anchor-and-lazarus-together-again-24744e516607},
language = {English},
urldate = {2021-01-21}
}
Anchor and Lazarus together again?
Anchor TrickBot |
2021-01-19 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan
@online{duncan:20210119:wireshark:be0c831,
author = {Brad Duncan},
title = {{Wireshark Tutorial: Examining Emotet Infection Traffic}},
date = {2021-01-19},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/},
language = {English},
urldate = {2021-01-21}
}
Wireshark Tutorial: Examining Emotet Infection Traffic
Emotet GootKit IcedID QakBot TrickBot |
2021-01-11 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20210111:trickbot:d1011f9,
author = {The DFIR Report},
title = {{Trickbot Still Alive and Well}},
date = {2021-01-11},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/},
language = {English},
urldate = {2021-01-11}
}
Trickbot Still Alive and Well
Cobalt Strike TrickBot |
2021-01-09 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli
@online{ramilli:20210109:command:d720b27,
author = {Marco Ramilli},
title = {{Command and Control Traffic Patterns}},
date = {2021-01-09},
organization = {Marco Ramilli's Blog},
url = {https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/},
language = {English},
urldate = {2021-05-17}
}
Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot |
2021-01-07 ⋅ Advanced Intelligence ⋅ Vitali Kremez, Brian Carter, HYAS
@online{kremez:20210107:crime:4c6f5c3,
author = {Vitali Kremez and Brian Carter and HYAS},
title = {{Crime Laundering Primer: Inside Ryuk Crime (Crypto) Ledger & Risky Asian Crypto Traders}},
date = {2021-01-07},
organization = {Advanced Intelligence},
url = {https://www.advanced-intel.com/post/crime-laundering-primer-inside-ryuk-crime-crypto-ledger-risky-asian-crypto-traders},
language = {English},
urldate = {2021-01-11}
}
Crime Laundering Primer: Inside Ryuk Crime (Crypto) Ledger & Risky Asian Crypto Traders
Ryuk |
2021-01-06 ⋅ DomainTools ⋅ Joe Slowik
@online{slowik:20210106:holiday:6ef0c9d,
author = {Joe Slowik},
title = {{Holiday Bazar: Tracking a TrickBot-Related Ransomware Incident}},
date = {2021-01-06},
organization = {DomainTools},
url = {https://www.domaintools.com/resources/blog/tracking-a-trickbot-related-ransomware-incident},
language = {English},
urldate = {2021-01-10}
}
Holiday Bazar: Tracking a TrickBot-Related Ransomware Incident
BazarBackdoor TrickBot |
2021-01-04 ⋅ SentinelOne ⋅ Marco Figueroa
@online{figueroa:20210104:building:37407a6,
author = {Marco Figueroa},
title = {{Building a Custom Malware Analysis Lab Environment}},
date = {2021-01-04},
organization = {SentinelOne},
url = {https://labs.sentinelone.com/building-a-custom-malware-analysis-lab-environment/},
language = {English},
urldate = {2021-01-13}
}
Building a Custom Malware Analysis Lab Environment
TrickBot |
2021 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2021:threat:4e7c443,
author = {SecureWorks},
title = {{Threat Profile: GOLD BLACKBURN}},
date = {2021},
organization = {Secureworks},
url = {http://www.secureworks.com/research/threat-profiles/gold-blackburn},
language = {English},
urldate = {2021-05-28}
}
Threat Profile: GOLD BLACKBURN
Buer Dyre TrickBot WIZARD SPIDER |
2020-12-28 ⋅ 0xC0DECAFE ⋅ Thomas Barabosch
@online{barabosch:20201228:never:f7e93aa,
author = {Thomas Barabosch},
title = {{Never upload ransomware samples to the Internet}},
date = {2020-12-28},
organization = {0xC0DECAFE},
url = {https://0xc0decafe.com/2020/12/28/never-upload-ransomware-samples-to-the-internet/},
language = {English},
urldate = {2021-01-01}
}
Never upload ransomware samples to the Internet
Ryuk |
2020-12-22 ⋅ TRUESEC ⋅ Mattias Wåhlén
@online{whln:20201222:collaboration:5d2ad28,
author = {Mattias Wåhlén},
title = {{Collaboration between FIN7 and the RYUK group, a Truesec Investigation}},
date = {2020-12-22},
organization = {TRUESEC},
url = {https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/},
language = {English},
urldate = {2021-01-01}
}
Collaboration between FIN7 and the RYUK group, a Truesec Investigation
Carbanak Cobalt Strike Ryuk |
2020-12-21 ⋅ KEYSIGHT TECHNOLOGIES ⋅ Edsel Valle
@online{valle:20201221:trickbot:425da88,
author = {Edsel Valle},
title = {{TrickBot: A Closer Look}},
date = {2020-12-21},
organization = {KEYSIGHT TECHNOLOGIES},
url = {https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2020/12/21/trickbot_a_closerl-TpQ0.html},
language = {English},
urldate = {2021-01-01}
}
TrickBot: A Closer Look
TrickBot |
2020-12-21 ⋅ IronNet ⋅ Adam Hlavek, Kimberly Ortiz
@online{hlavek:20201221:russian:804662f,
author = {Adam Hlavek and Kimberly Ortiz},
title = {{Russian cyber attack campaigns and actors}},
date = {2020-12-21},
organization = {IronNet},
url = {https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors},
language = {English},
urldate = {2021-01-05}
}
Russian cyber attack campaigns and actors
WellMail elf.wellmess Agent.BTZ BlackEnergy EternalPetya Havex RAT Industroyer Ryuk Triton WellMess |
2020-12-16 ⋅ Accenture ⋅ Paul Mansfield
@online{mansfield:20201216:tracking:25540bd,
author = {Paul Mansfield},
title = {{Tracking and combatting an evolving danger: Ransomware extortion}},
date = {2020-12-16},
organization = {Accenture},
url = {https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion},
language = {English},
urldate = {2020-12-17}
}
Tracking and combatting an evolving danger: Ransomware extortion
DarkSide Egregor Maze Nefilim RagnarLocker REvil Ryuk SunCrypt |
2020-12-10 ⋅ Cybereason ⋅ Joakim Kandefelt
@online{kandefelt:20201210:cybereason:0267d5e,
author = {Joakim Kandefelt},
title = {{Cybereason vs. Ryuk Ransomware}},
date = {2020-12-10},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware},
language = {English},
urldate = {2020-12-14}
}
Cybereason vs. Ryuk Ransomware
BazarBackdoor Ryuk TrickBot |
2020-12-10 ⋅ CyberInt ⋅ CyberInt
@online{cyberint:20201210:ryuk:e74b8f6,
author = {CyberInt},
title = {{Ryuk Crypto-Ransomware}},
date = {2020-12-10},
organization = {CyberInt},
url = {https://blog.cyberint.com/ryuk-crypto-ransomware},
language = {English},
urldate = {2020-12-14}
}
Ryuk Crypto-Ransomware
Ryuk TrickBot |
2020-12-10 ⋅ US-CERT ⋅ US-CERT, FBI, MS-ISAC
@online{uscert:20201210:alert:a5ec77e,
author = {US-CERT and FBI and MS-ISAC},
title = {{Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data}},
date = {2020-12-10},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/alerts/aa20-345a},
language = {English},
urldate = {2020-12-11}
}
Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim REvil Ryuk Zeus |
2020-12-09 ⋅ Cisco ⋅ David Liebenberg, Caitlin Huey
@online{liebenberg:20201209:quarterly:9ed3062,
author = {David Liebenberg and Caitlin Huey},
title = {{Quarterly Report: Incident Response trends from Fall 2020}},
date = {2020-12-09},
organization = {Cisco},
url = {https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html},
language = {English},
urldate = {2020-12-10}
}
Quarterly Report: Incident Response trends from Fall 2020
Cobalt Strike IcedID Maze RansomEXX Ryuk |
2020-12-03 ⋅ Eclypsium ⋅ Eclypsium
@online{eclypsium:20201203:trickbot:7b5b0eb,
author = {Eclypsium},
title = {{TrickBot Now Offers ‘TrickBoot’: Persist, Brick, Profit}},
date = {2020-12-03},
organization = {Eclypsium},
url = {https://eclypsium.com/2020/12/03/trickbot-now-offers-trickboot-persist-brick-profit/},
language = {English},
urldate = {2020-12-03}
}
TrickBot Now Offers ‘TrickBoot’: Persist, Brick, Profit
TrickBot |
2020-11-23 ⋅ Bitdefender ⋅ Liviu Arsene, Radu Tudorica
@online{arsene:20201123:trickbot:bcf3c42,
author = {Liviu Arsene and Radu Tudorica},
title = {{TrickBot is Dead. Long Live TrickBot!}},
date = {2020-11-23},
organization = {Bitdefender},
url = {https://labs.bitdefender.com/2020/11/trickbot-is-dead-long-live-trickbot/},
language = {English},
urldate = {2020-11-25}
}
TrickBot is Dead. Long Live TrickBot!
TrickBot |
2020-11-22 ⋅ malware.love ⋅ Robert Giczewski
@online{giczewski:20201122:trickbot:06baa84,
author = {Robert Giczewski},
title = {{Trickbot tricks again [UPDATE]}},
date = {2020-11-22},
organization = {malware.love},
url = {https://malware.love/trickbot/malware_analysis/reverse_engineering/2020/11/22/trickbot-fake-ips-part2.html},
language = {English},
urldate = {2020-11-23}
}
Trickbot tricks again [UPDATE]
TrickBot |
2020-11-20 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20201120:lightbot:473b7c3,
author = {Lawrence Abrams},
title = {{LightBot: TrickBot’s new reconnaissance malware for high-value targets}},
date = {2020-11-20},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/lightbot-trickbot-s-new-reconnaissance-malware-for-high-value-targets/},
language = {English},
urldate = {2020-11-23}
}
LightBot: TrickBot’s new reconnaissance malware for high-value targets
LightBot TrickBot |
2020-11-20 ⋅ ZDNet ⋅ Catalin Cimpanu
@online{cimpanu:20201120:malware:0b8ff59,
author = {Catalin Cimpanu},
title = {{The malware that usually installs ransomware and you need to remove right away}},
date = {2020-11-20},
organization = {ZDNet},
url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/},
language = {English},
urldate = {2020-11-23}
}
The malware that usually installs ransomware and you need to remove right away
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader |
2020-11-19 ⋅ Threatpost ⋅ Elizabeth Montalbano
@online{montalbano:20201119:exploits:f40feb2,
author = {Elizabeth Montalbano},
title = {{APT Exploits Microsoft Zerologon Bug: Targets Japanese Companies}},
date = {2020-11-19},
organization = {Threatpost},
url = {https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/},
language = {English},
urldate = {2020-11-23}
}
APT Exploits Microsoft Zerologon Bug: Targets Japanese Companies
Quasar RAT Ryuk |
2020-11-18 ⋅ Sophos ⋅ Sophos
@techreport{sophos:20201118:sophos:8fd201e,
author = {Sophos},
title = {{SOPHOS 2021 THREAT REPORT Navigating cybersecurity in an uncertain world}},
date = {2020-11-18},
institution = {Sophos},
url = {https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf},
language = {English},
urldate = {2020-11-19}
}
SOPHOS 2021 THREAT REPORT Navigating cybersecurity in an uncertain world
Agent Tesla Dridex TrickBot Zloader |
2020-11-18 ⋅ DomainTools ⋅ Joe Slowik
@online{slowik:20201118:analyzing:abccd43,
author = {Joe Slowik},
title = {{Analyzing Network Infrastructure as Composite Objects}},
date = {2020-11-18},
organization = {DomainTools},
url = {https://www.domaintools.com/resources/blog/analyzing-network-infrastructure-as-composite-objects},
language = {English},
urldate = {2020-11-19}
}
Analyzing Network Infrastructure as Composite Objects
Ryuk |
2020-11-17 ⋅ Twitter (@VK_intel) ⋅ Vitali Kremez
@online{kremez:20201117:new:2098c0a,
author = {Vitali Kremez},
title = {{Tweet on a new fileless TrickBot loading method using code from MemoryModule}},
date = {2020-11-17},
organization = {Twitter (@VK_intel)},
url = {https://twitter.com/VK_Intel/status/1328578336021483522},
language = {English},
urldate = {2020-12-14}
}
Tweet on a new fileless TrickBot loading method using code from MemoryModule
TrickBot |
2020-11-17 ⋅ malware.love ⋅ Robert Giczewski
@online{giczewski:20201117:trickbot:1bbf92a,
author = {Robert Giczewski},
title = {{Trickbot tricks again}},
date = {2020-11-17},
organization = {malware.love},
url = {https://malware.love/trickbot/malware_analysis/reverse_engineering/2020/11/17/trickbots-latest-trick.html},
language = {English},
urldate = {2020-11-19}
}
Trickbot tricks again
TrickBot |
2020-11-17 ⋅ Salesforce Engineering ⋅ John Althouse
@online{althouse:20201117:easily:172bd6d,
author = {John Althouse},
title = {{Easily Identify Malicious Servers on the Internet with JARM}},
date = {2020-11-17},
organization = {Salesforce Engineering},
url = {https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a},
language = {English},
urldate = {2020-12-03}
}
Easily Identify Malicious Servers on the Internet with JARM
Cobalt Strike TrickBot |
2020-11-16 ⋅ Intel 471 ⋅ Intel 471
@online{471:20201116:ransomwareasaservice:11a5a8b,
author = {Intel 471},
title = {{Ransomware-as-a-service: The pandemic within a pandemic}},
date = {2020-11-16},
organization = {Intel 471},
url = {https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/},
language = {English},
urldate = {2020-11-17}
}
Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX |
2020-11-14 ⋅ Medium 0xastrovax ⋅ astrovax
@online{astrovax:20201114:deep:b50ae08,
author = {astrovax},
title = {{Deep Dive Into Ryuk Ransomware}},
date = {2020-11-14},
organization = {Medium 0xastrovax},
url = {https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12},
language = {English},
urldate = {2021-01-25}
}
Deep Dive Into Ryuk Ransomware
Hermes Ryuk |
2020-11-12 ⋅ Hurricane Labs ⋅ Dusty Miller
@online{miller:20201112:splunking:26a0bd8,
author = {Dusty Miller},
title = {{Splunking with Sysmon Part 4: Detecting Trickbot}},
date = {2020-11-12},
organization = {Hurricane Labs},
url = {https://hurricanelabs.com/splunk-tutorials/splunking-with-sysmon-part-4-detecting-trickbot/},
language = {English},
urldate = {2021-01-18}
}
Splunking with Sysmon Part 4: Detecting Trickbot
TrickBot |
2020-11-10 ⋅ Intel 471 ⋅ Intel 471
@online{471:20201110:trickbot:5db76db,
author = {Intel 471},
title = {{Trickbot down, but is it out?}},
date = {2020-11-10},
organization = {Intel 471},
url = {https://public.intel471.com/blog/trickbot-update-november-2020-bazar-loader-microsoft/},
language = {English},
urldate = {2020-11-11}
}
Trickbot down, but is it out?
BazarBackdoor TrickBot |
2020-11-06 ⋅ Advanced Intelligence ⋅ Vitali Kremez
@online{kremez:20201106:anatomy:b2ce3ae,
author = {Vitali Kremez},
title = {{Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware "one" Group via Cobalt Strike}},
date = {2020-11-06},
organization = {Advanced Intelligence},
url = {https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike},
language = {English},
urldate = {2020-11-09}
}
Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware "one" Group via Cobalt Strike
BazarBackdoor Cobalt Strike Ryuk |
2020-11-05 ⋅ Twitter (@ffforward) ⋅ TheAnalyst
@online{theanalyst:20201105:zloader:c4bab85,
author = {TheAnalyst},
title = {{Tweet on Zloader infection leads to Cobaltstrike Installation and deployment of RYUK}},
date = {2020-11-05},
organization = {Twitter (@ffforward)},
url = {https://twitter.com/ffforward/status/1324281530026524672},
language = {English},
urldate = {2020-11-09}
}
Tweet on Zloader infection leads to Cobaltstrike Installation and deployment of RYUK
Cobalt Strike Ryuk Zloader |
2020-11-05 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20201105:ryuk:ceaa823,
author = {The DFIR Report},
title = {{Ryuk Speed Run, 2 Hours to Ransom}},
date = {2020-11-05},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/},
language = {English},
urldate = {2020-11-06}
}
Ryuk Speed Run, 2 Hours to Ransom
BazarBackdoor Cobalt Strike Ryuk |
2020-11-05 ⋅ Github (scythe-io) ⋅ SCYTHE
@online{scythe:20201105:ryuk:8d7c4de,
author = {SCYTHE},
title = {{Ryuk Adversary Emulation Plan}},
date = {2020-11-05},
organization = {Github (scythe-io)},
url = {https://github.com/scythe-io/community-threats/tree/master/Ryuk},
language = {English},
urldate = {2020-11-11}
}
Ryuk Adversary Emulation Plan
Ryuk |
2020-11-05 ⋅ SCYTHE ⋅ Jorge Orchilles, Sean Lyngaas
@online{orchilles:20201105:threatthursday:a3297b9,
author = {Jorge Orchilles and Sean Lyngaas},
title = {{#ThreatThursday - Ryuk}},
date = {2020-11-05},
organization = {SCYTHE},
url = {https://www.scythe.io/library/threatthursday-ryuk},
language = {English},
urldate = {2020-11-06}
}
#ThreatThursday - Ryuk
BazarBackdoor Ryuk |
2020-11-04 ⋅ VMRay ⋅ Giovanni Vigna
@online{vigna:20201104:trick:a59a333,
author = {Giovanni Vigna},
title = {{Trick or Threat: Ryuk ransomware targets the health care industry}},
date = {2020-11-04},
organization = {VMRay},
url = {https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/},
language = {English},
urldate = {2020-11-06}
}
Trick or Threat: Ryuk ransomware targets the health care industry
BazarBackdoor Cobalt Strike Ryuk TrickBot |
2020-10-31 ⋅ splunk ⋅ Ryan Kovar
@online{kovar:20201031:ryuk:735f563,
author = {Ryan Kovar},
title = {{Ryuk and Splunk Detections}},
date = {2020-10-31},
organization = {splunk},
url = {https://www.splunk.com/en_us/blog/security/ryuk-and-splunk-detections.html},
language = {English},
urldate = {2020-11-02}
}
Ryuk and Splunk Detections
Ryuk |
2020-10-30 ⋅ Cofense ⋅ The Cofense Intelligence Team
@online{team:20201030:ryuk:9166a9a,
author = {The Cofense Intelligence Team},
title = {{The Ryuk Threat: Why BazarBackdoor Matters Most}},
date = {2020-10-30},
organization = {Cofense},
url = {https://cofense.com/the-ryuk-threat-why-bazarbackdoor-matters-most/},
language = {English},
urldate = {2020-11-02}
}
The Ryuk Threat: Why BazarBackdoor Matters Most
BazarBackdoor Ryuk |
2020-10-30 ⋅ Github (ThreatConnect-Inc) ⋅ ThreatConnect
@online{threatconnect:20201030:unc:b3ae3d0,
author = {ThreatConnect},
title = {{UNC 1878 Indicators from Threatconnect}},
date = {2020-10-30},
organization = {Github (ThreatConnect-Inc)},
url = {https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv},
language = {English},
urldate = {2020-11-06}
}
UNC 1878 Indicators from Threatconnect
BazarBackdoor Cobalt Strike Ryuk |
2020-10-29 ⋅ Palo Alto Networks Unit 42 ⋅ Brittany Barbehenn, Doel Santos, Brad Duncan
@online{barbehenn:20201029:threat:de33a6d,
author = {Brittany Barbehenn and Doel Santos and Brad Duncan},
title = {{Threat Assessment: Ryuk Ransomware and Trickbot Targeting U.S. Healthcare and Public Health Sector}},
date = {2020-10-29},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/ryuk-ransomware/},
language = {English},
urldate = {2020-11-02}
}
Threat Assessment: Ryuk Ransomware and Trickbot Targeting U.S. Healthcare and Public Health Sector
Anchor BazarBackdoor Ryuk TrickBot |
2020-10-29 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20201029:hacking:c8d5379,
author = {Lawrence Abrams},
title = {{Hacking group is targeting US hospitals with Ryuk ransomware}},
date = {2020-10-29},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/hacking-group-is-targeting-us-hospitals-with-ryuk-ransomware/},
language = {English},
urldate = {2020-11-02}
}
Hacking group is targeting US hospitals with Ryuk ransomware
Ryuk |
2020-10-29 ⋅ Twitter (@anthomsec) ⋅ Andrew Thompson
@online{thompson:20201029:unc1878:26c88d4,
author = {Andrew Thompson},
title = {{Tweet on UNC1878 activity}},
date = {2020-10-29},
organization = {Twitter (@anthomsec)},
url = {https://twitter.com/anthomsec/status/1321865315513520128},
language = {English},
urldate = {2020-11-04}
}
Tweet on UNC1878 activity
BazarBackdoor Ryuk TrickBot UNC1878 |
2020-10-29 ⋅ CNN ⋅ Vivian Salama, Alex Marquardt, Lauren Mascarenhas
@online{salama:20201029:several:88d8127,
author = {Vivian Salama and Alex Marquardt and Lauren Mascarenhas},
title = {{Several hospitals targeted in new wave of ransomware attacks}},
date = {2020-10-29},
organization = {CNN},
url = {https://edition.cnn.com/2020/10/28/politics/hospitals-targeted-ransomware-attacks/index.html},
language = {English},
urldate = {2020-11-02}
}
Several hospitals targeted in new wave of ransomware attacks
Ryuk |
2020-10-29 ⋅ Twitter (@SophosLabs) ⋅ SophosLabs
@online{sophoslabs:20201029:similarities:408a640,
author = {SophosLabs},
title = {{Tweet on similarities between BUER in-memory loader & RYUK in-memory loader}},
date = {2020-10-29},
organization = {Twitter (@SophosLabs)},
url = {https://twitter.com/SophosLabs/status/1321844306970251265},
language = {English},
urldate = {2020-11-02}
}
Tweet on similarities between BUER in-memory loader & RYUK in-memory loader
Buer Ryuk |
2020-10-29 ⋅ RiskIQ ⋅ RiskIQ
@online{riskiq:20201029:ryuk:0643968,
author = {RiskIQ},
title = {{Ryuk Ransomware: Extensive Attack Infrastructure Revealed}},
date = {2020-10-29},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/0bcefe76},
language = {English},
urldate = {2020-11-02}
}
Ryuk Ransomware: Extensive Attack Infrastructure Revealed
Cobalt Strike Ryuk |
2020-10-29 ⋅ Reuters ⋅ Christopher Bing, Joseph Menn
@online{bing:20201029:building:ceeb50f,
author = {Christopher Bing and Joseph Menn},
title = {{Building wave of ransomware attacks strike U.S. hospitals}},
date = {2020-10-29},
organization = {Reuters},
url = {https://www.reuters.com/article/usa-healthcare-cyber-idUSKBN27E0EP},
language = {English},
urldate = {2020-11-02}
}
Building wave of ransomware attacks strike U.S. hospitals
Ryuk |
2020-10-29 ⋅ McAfee ⋅ McAfee Labs
@techreport{labs:20201029:mcafee:84eed4e,
author = {McAfee Labs},
title = {{McAfee Labs Threat Advisory Ransom-Ryuk}},
date = {2020-10-29},
institution = {McAfee},
url = {https://kc.mcafee.com/resources/sites/MCAFEE/content/live/CORP_KNOWLEDGEBASE/91000/KB91844/en_US/McAfee%20Labs%20Threat%20Advisory%20-%20Ransom-Ryukv6.pdf},
language = {English},
urldate = {2020-11-02}
}
McAfee Labs Threat Advisory Ransom-Ryuk
Ryuk |
2020-10-29 ⋅ Red Canary ⋅ The Red Canary Team
@online{team:20201029:bazar:1846b93,
author = {The Red Canary Team},
title = {{A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak}},
date = {2020-10-29},
organization = {Red Canary},
url = {https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/},
language = {English},
urldate = {2020-11-02}
}
A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak
Cobalt Strike Ryuk TrickBot |
2020-10-28 ⋅ Youtube (SANS Institute) ⋅ Katie Nickels, Van Ta, Aaron Stephens
@online{nickels:20201028:spooky:3bf0a0a,
author = {Katie Nickels and Van Ta and Aaron Stephens},
title = {{Spooky RYUKy: The Return of UNC1878 | SANS STAR Webcast}},
date = {2020-10-28},
organization = {Youtube (SANS Institute)},
url = {https://www.youtube.com/watch?v=CgDtm05qApE},
language = {English},
urldate = {2020-11-04}
}
Spooky RYUKy: The Return of UNC1878 | SANS STAR Webcast
Ryuk UNC1878 |
2020-10-28 ⋅ Youtube (SANS Digital Forensics and Incident Response) ⋅ Van Ta, Aaron Stephens, Katie Nickels
@online{ta:20201028:star:16965fb,
author = {Van Ta and Aaron Stephens and Katie Nickels},
title = {{STAR Webcast: Spooky RYUKy: The Return of UNC1878}},
date = {2020-10-28},
organization = {Youtube (SANS Digital Forensics and Incident Response)},
url = {https://www.youtube.com/watch?v=BhjQ6zsCVSc},
language = {English},
urldate = {2020-11-02}
}
STAR Webcast: Spooky RYUKy: The Return of UNC1878
Ryuk |
2020-10-28 ⋅ CISA ⋅ CISA, FBI, HHS
@techreport{cisa:20201028:aa20302a:80b6a06,
author = {CISA and FBI and HHS},
title = {{AA20-302A: Ransomware Activity Targeting the Healthcare and Public Health Sector}},
date = {2020-10-28},
institution = {CISA},
url = {https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf},
language = {English},
urldate = {2020-11-02}
}
AA20-302A: Ransomware Activity Targeting the Healthcare and Public Health Sector
Anchor_DNS Anchor BazarBackdoor Ryuk |
2020-10-28 ⋅ FireEye ⋅ Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock
@online{goody:20201028:unhappy:c0d2e4b,
author = {Kimberly Goody and Jeremy Kennelly and Joshua Shilko and Steve Elovitz and Douglas Bienstock},
title = {{Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser}},
date = {2020-10-28},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html},
language = {English},
urldate = {2020-11-02}
}
Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser
BazarBackdoor Cobalt Strike Ryuk UNC1878 |
2020-10-28 ⋅ Github (aaronst) ⋅ Aaron Stephens
@online{stephens:20201028:unc1878:5f717f6,
author = {Aaron Stephens},
title = {{UNC1878 indicators}},
date = {2020-10-28},
organization = {Github (aaronst)},
url = {https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456},
language = {English},
urldate = {2020-11-04}
}
UNC1878 indicators
Ryuk UNC1878 |
2020-10-28 ⋅ KrebsOnSecurity ⋅ Brian Krebs
@online{krebs:20201028:fbi:26b9480,
author = {Brian Krebs},
title = {{FBI, DHS, HHS Warn of Imminent, Credible Ransomware Threat Against U.S. Hospitals}},
date = {2020-10-28},
organization = {KrebsOnSecurity},
url = {https://krebsonsecurity.com/2020/10/fbi-dhs-hhs-warn-of-imminent-credible-ransomware-threat-against-u-s-hospitals/},
language = {English},
urldate = {2020-11-02}
}
FBI, DHS, HHS Warn of Imminent, Credible Ransomware Threat Against U.S. Hospitals
Ryuk |
2020-10-28 ⋅ SophosLabs Uncut ⋅ Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearny, Anand Ajjan, Brett Cove, Gabor Szappanos
@online{gallagher:20201028:hacks:8e1d051,
author = {Sean Gallagher and Peter Mackenzie and Elida Leite and Syed Shahram and Bill Kearny and Anand Ajjan and Brett Cove and Gabor Szappanos},
title = {{Hacks for sale: inside the Buer Loader malware-as-a-service}},
date = {2020-10-28},
organization = {SophosLabs Uncut},
url = {https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/},
language = {English},
urldate = {2020-11-02}
}
Hacks for sale: inside the Buer Loader malware-as-a-service
Buer Ryuk Zloader |
2020-10-27 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20201027:steelcase:25f66a9,
author = {Lawrence Abrams},
title = {{Steelcase furniture giant hit by Ryuk ransomware attack}},
date = {2020-10-27},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/steelcase-furniture-giant-hit-by-ryuk-ransomware-attack/},
language = {English},
urldate = {2020-10-28}
}
Steelcase furniture giant hit by Ryuk ransomware attack
Ryuk |
2020-10-26 ⋅ Arbor Networks ⋅ Suweera De Souza
@online{souza:20201026:dropping:8ac1e1d,
author = {Suweera De Souza},
title = {{Dropping the Anchor}},
date = {2020-10-26},
organization = {Arbor Networks},
url = {https://www.netscout.com/blog/asert/dropping-anchor},
language = {English},
urldate = {2020-10-29}
}
Dropping the Anchor
Anchor_DNS Anchor TrickBot |
2020-10-26 ⋅ ThreatConnect ⋅ ThreatConnect Research Team
@online{team:20201026:threatconnect:0e90cc3,
author = {ThreatConnect Research Team},
title = {{ThreatConnect Research Roundup: Ryuk and Domains Spoofing ESET and Microsoft}},
date = {2020-10-26},
organization = {ThreatConnect},
url = {https://threatconnect.com/blog/threatconnect-research-roundup-ryuk-and-domains-spoofing-eset-and-microsoft/},
language = {English},
urldate = {2020-10-29}
}
ThreatConnect Research Roundup: Ryuk and Domains Spoofing ESET and Microsoft
Ryuk |
2020-10-26 ⋅ Checkpoint ⋅ Itay Cohen, Eyal Itkin
@online{cohen:20201026:exploit:9ec173c,
author = {Itay Cohen and Eyal Itkin},
title = {{Exploit Developer Spotlight: The Story of PlayBit}},
date = {2020-10-26},
organization = {Checkpoint},
url = {https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/},
language = {English},
urldate = {2020-10-27}
}
Exploit Developer Spotlight: The Story of PlayBit
Dyre Maze PyLocky Ramnit REvil |
2020-10-22 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20201022:french:6d52e19,
author = {Lawrence Abrams},
title = {{French IT giant Sopra Steria hit by Ryuk ransomware}},
date = {2020-10-22},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/french-it-giant-sopra-steria-hit-by-ryuk-ransomware/},
language = {English},
urldate = {2020-10-26}
}
French IT giant Sopra Steria hit by Ryuk ransomware
Ryuk |
2020-10-22 ⋅ Sentinel LABS ⋅ Marco Figueroa
@online{figueroa:20201022:inside:228798e,
author = {Marco Figueroa},
title = {{An Inside Look at How Ryuk Evolved Its Encryption and Evasion Techniques}},
date = {2020-10-22},
organization = {Sentinel LABS},
url = {https://labs.sentinelone.com/an-inside-look-at-how-ryuk-evolved-its-encryption-and-evasion-techniques/},
language = {English},
urldate = {2020-10-26}
}
An Inside Look at How Ryuk Evolved Its Encryption and Evasion Techniques
Ryuk |
2020-10-20 ⋅ Intel 471 ⋅ Intel 471
@online{471:20201020:global:570e26f,
author = {Intel 471},
title = {{Global Trickbot disruption operation shows promise}},
date = {2020-10-20},
organization = {Intel 471},
url = {https://public.intel471.com/blog/global-trickbot-disruption-operation-shows-promise/},
language = {English},
urldate = {2020-10-21}
}
Global Trickbot disruption operation shows promise
TrickBot |
2020-10-20 ⋅ Bundesamt für Sicherheit in der Informationstechnik ⋅ BSI
@online{bsi:20201020:die:0683ad4,
author = {BSI},
title = {{Die Lage der IT-Sicherheit in Deutschland 2020}},
date = {2020-10-20},
organization = {Bundesamt für Sicherheit in der Informationstechnik},
url = {https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2},
language = {German},
urldate = {2020-10-21}
}
Die Lage der IT-Sicherheit in Deutschland 2020
Clop Emotet REvil Ryuk TrickBot |
2020-10-20 ⋅ Microsoft ⋅ Tom Burt
@online{burt:20201020:update:12549c2,
author = {Tom Burt},
title = {{An update on disruption of Trickbot}},
date = {2020-10-20},
organization = {Microsoft},
url = {https://blogs.microsoft.com/on-the-issues/2020/10/20/trickbot-ransomware-disruption-update/},
language = {English},
urldate = {2020-10-23}
}
An update on disruption of Trickbot
TrickBot |
2020-10-18 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20201018:ryuk:fbaadb8,
author = {The DFIR Report},
title = {{Ryuk in 5 Hours}},
date = {2020-10-18},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/},
language = {English},
urldate = {2020-10-19}
}
Ryuk in 5 Hours
BazarBackdoor Cobalt Strike Ryuk |
2020-10-16 ⋅ Duo ⋅ Dennis Fisher
@online{fisher:20201016:trickbot:be18c46,
author = {Dennis Fisher},
title = {{Trickbot Up to Its Old Tricks}},
date = {2020-10-16},
organization = {Duo},
url = {https://duo.com/decipher/trickbot-up-to-its-old-tricks},
language = {English},
urldate = {2020-10-23}
}
Trickbot Up to Its Old Tricks
TrickBot |
2020-10-16 ⋅ CrowdStrike ⋅ The Crowdstrike Intel Team
@online{team:20201016:wizard:12b648a,
author = {The Crowdstrike Intel Team},
title = {{WIZARD SPIDER Update: Resilient, Reactive and Resolute}},
date = {2020-10-16},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/wizard-spider-adversary-update/},
language = {English},
urldate = {2020-10-21}
}
WIZARD SPIDER Update: Resilient, Reactive and Resolute
BazarBackdoor Conti Ryuk TrickBot |
2020-10-16 ⋅ ThreatConnect ⋅ ThreatConnect Research Team
@online{team:20201016:threatconnect:2010d70,
author = {ThreatConnect Research Team},
title = {{ThreatConnect Research Roundup: Possible Ryuk Infrastructure}},
date = {2020-10-16},
organization = {ThreatConnect},
url = {https://threatconnect.com/blog/threatconnect-research-roundup-possible-ryuk-infrastructure/},
language = {English},
urldate = {2020-10-23}
}
ThreatConnect Research Roundup: Possible Ryuk Infrastructure
Ryuk |
2020-10-15 ⋅ Intel 471 ⋅ Intel 471
@online{471:20201015:that:2d4b495,
author = {Intel 471},
title = {{That was quick: Trickbot is back after disruption attempts}},
date = {2020-10-15},
organization = {Intel 471},
url = {https://public.intel471.com/blog/trickbot-online-emotet-microsoft-cyber-command-disruption-attempts/},
language = {English},
urldate = {2020-10-15}
}
That was quick: Trickbot is back after disruption attempts
TrickBot |
2020-10-15 ⋅ Department of Justice ⋅ Department of Justice
@online{justice:20201015:officials:b340951,
author = {Department of Justice},
title = {{Officials Announce International Operation Targeting Transnational Criminal Organization QQAAZZ that Provided Money Laundering Services to High-Level Cybercriminals}},
date = {2020-10-15},
organization = {Department of Justice},
url = {https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization},
language = {English},
urldate = {2020-10-23}
}
Officials Announce International Operation Targeting Transnational Criminal Organization QQAAZZ that Provided Money Laundering Services to High-Level Cybercriminals
Dridex ISFB TrickBot |
2020-10-14 ⋅ Sophos ⋅ Sean Gallagher
@online{gallagher:20201014:theyre:99f5d1e,
author = {Sean Gallagher},
title = {{They’re back: inside a new Ryuk ransomware attack}},
date = {2020-10-14},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/},
language = {English},
urldate = {2020-10-16}
}
They’re back: inside a new Ryuk ransomware attack
Cobalt Strike Ryuk SystemBC |
2020-10-13 ⋅ VirusTotal ⋅ Gerardo Fernández, Vicente Diaz
@online{fernndez:20201013:tracing:14bb6fa,
author = {Gerardo Fernández and Vicente Diaz},
title = {{Tracing fresh Ryuk campaigns itw}},
date = {2020-10-13},
organization = {VirusTotal},
url = {https://blog.virustotal.com/2020/10/tracing-fresh-ryuk-campaigns-itw.html},
language = {English},
urldate = {2020-10-23}
}
Tracing fresh Ryuk campaigns itw
Ryuk |
2020-10-12 ⋅ US District Court for the Eastern District of Virginia
@techreport{virginia:20201012:trickbot:f3af852,
author = {US District Court for the Eastern District of Virginia},
title = {{TRICKBOT complaint}},
date = {2020-10-12},
institution = {},
url = {https://noticeofpleadings.com/trickbot/files/Complaint%20and%20Summons/2020-10-06%20Trickbot%201%20Complaint%20with%20exs.pdf},
language = {English},
urldate = {2020-10-13}
}
TRICKBOT complaint
TrickBot |
2020-10-12 ⋅ ESET Research ⋅ Jean-Ian Boutin
@online{boutin:20201012:eset:a7eeb51,
author = {Jean-Ian Boutin},
title = {{ESET takes part in global operation to disrupt Trickbot}},
date = {2020-10-12},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2020/10/12/eset-takes-part-global-operation-disrupt-trickbot/},
language = {English},
urldate = {2020-10-12}
}
ESET takes part in global operation to disrupt Trickbot
TrickBot |
2020-10-12 ⋅ Lumen ⋅ Black Lotus Labs
@online{labs:20201012:look:7b422f7,
author = {Black Lotus Labs},
title = {{A Look Inside The TrickBot Botnet}},
date = {2020-10-12},
organization = {Lumen},
url = {https://blog.lumen.com/a-look-inside-the-trickbot-botnet/},
language = {English},
urldate = {2020-10-12}
}
A Look Inside The TrickBot Botnet
TrickBot |
2020-10-12 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team
@online{team:20201012:trickbot:e4f086f,
author = {Microsoft 365 Defender Threat Intelligence Team},
title = {{Trickbot disrupted}},
date = {2020-10-12},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2020/10/12/trickbot-disrupted/},
language = {English},
urldate = {2020-10-12}
}
Trickbot disrupted
TrickBot |
2020-10-12 ⋅ Symantec ⋅ Threat Hunter Team
@online{team:20201012:trickbot:5c1e5bf,
author = {Threat Hunter Team},
title = {{Trickbot: U.S. Court Order Hits Botnet’s Infrastructure}},
date = {2020-10-12},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/trickbot-botnet-ransomware-disruption},
language = {English},
urldate = {2020-10-12}
}
Trickbot: U.S. Court Order Hits Botnet’s Infrastructure
Ryuk TrickBot |
2020-10-12 ⋅ Microsoft ⋅ Tom Burt
@online{burt:20201012:new:045c1c3,
author = {Tom Burt},
title = {{New action to combat ransomware ahead of U.S. elections}},
date = {2020-10-12},
organization = {Microsoft},
url = {https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/},
language = {English},
urldate = {2020-10-12}
}
New action to combat ransomware ahead of U.S. elections
Ryuk TrickBot |
2020-10-12 ⋅ Advanced Intelligence ⋅ Roman Marshanski, Vitali Kremez
@online{marshanski:20201012:front:686add1,
author = {Roman Marshanski and Vitali Kremez},
title = {{"Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon}},
date = {2020-10-12},
organization = {Advanced Intelligence},
url = {https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon},
language = {English},
urldate = {2020-10-13}
}
"Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon
BazarBackdoor Cobalt Strike Ryuk |
2020-10-10 ⋅ The Washington Post ⋅ Ellen Nakashima
@online{nakashima:20201010:cyber:9f29985,
author = {Ellen Nakashima},
title = {{Cyber Command has sought to disrupt the world’s largest botnet, hoping to reduce its potential impact on the election}},
date = {2020-10-10},
organization = {The Washington Post},
url = {https://www.washingtonpost.com/national-security/cyber-command-trickbot-disrupt/2020/10/09/19587aae-0a32-11eb-a166-dc429b380d10_story.html},
language = {English},
urldate = {2020-10-12}
}
Cyber Command has sought to disrupt the world’s largest botnet, hoping to reduce its potential impact on the election
TrickBot |
2020-10-08 ⋅ Bromium ⋅ Alex Holland
@online{holland:20201008:droppers:b8a580e,
author = {Alex Holland},
title = {{Droppers, Downloaders and TrickBot: Detecting a Stealthy COVID-19-themed Campaign using Toolmarks}},
date = {2020-10-08},
organization = {Bromium},
url = {https://threatresearch.ext.hp.com/detecting-a-stealthy-trickbot-campaign/},
language = {English},
urldate = {2020-10-29}
}
Droppers, Downloaders and TrickBot: Detecting a Stealthy COVID-19-themed Campaign using Toolmarks
TrickBot |
2020-10-08 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20201008:ryuks:e47d8fa,
author = {The DFIR Report},
title = {{Ryuk’s Return}},
date = {2020-10-08},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2020/10/08/ryuks-return/},
language = {English},
urldate = {2020-10-09}
}
Ryuk’s Return
BazarBackdoor Cobalt Strike Ryuk |
2020-10-02 ⋅ KrebsOnSecurity ⋅ Brian Krebs
@online{krebs:20201002:attacks:a6dc6e3,
author = {Brian Krebs},
title = {{Attacks Aimed at Disrupting the Trickbot Botnet}},
date = {2020-10-02},
organization = {KrebsOnSecurity},
url = {https://krebsonsecurity.com/2020/10/attacks-aimed-at-disrupting-the-trickbot-botnet/},
language = {English},
urldate = {2020-10-05}
}
Attacks Aimed at Disrupting the Trickbot Botnet
TrickBot |
2020-10-02 ⋅ Health Sector Cybersecurity Coordination Center (HC3) ⋅ Health Sector Cybersecurity Coordination Center (HC3)
@techreport{hc3:20201002:report:0ca373f,
author = {Health Sector Cybersecurity Coordination Center (HC3)},
title = {{Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns}},
date = {2020-10-02},
institution = {Health Sector Cybersecurity Coordination Center (HC3)},
url = {https://www.hhs.gov/sites/default/files/bazarloader.pdf},
language = {English},
urldate = {2020-11-02}
}
Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns
BazarBackdoor Cobalt Strike Ryuk TrickBot |
2020-10-01 ⋅ KELA ⋅ Victoria Kivilevich
@online{kivilevich:20201001:to:fd3aa09,
author = {Victoria Kivilevich},
title = {{To Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem}},
date = {2020-10-01},
organization = {KELA},
url = {https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/},
language = {English},
urldate = {2021-05-07}
}
To Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem
Conti DoppelPaymer Mailto Maze REvil Ryuk SunCrypt |
2020-09-29 ⋅ PWC UK ⋅ Andy Auld
@online{auld:20200929:whats:2782a62,
author = {Andy Auld},
title = {{What's behind the increase in ransomware attacks this year?}},
date = {2020-09-29},
organization = {PWC UK},
url = {https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html},
language = {English},
urldate = {2021-05-25}
}
What's behind the increase in ransomware attacks this year?
DarkSide Avaddon Clop Conti DoppelPaymer Dridex Emotet FriedEx Mailto PwndLocker QakBot REvil Ryuk SMAUG SunCrypt TrickBot WastedLocker |
2020-09-29 ⋅ Microsoft ⋅ Microsoft
@techreport{microsoft:20200929:microsoft:6e5d7b0,
author = {Microsoft},
title = {{Microsoft Digital Defense Report}},
date = {2020-09-29},
institution = {Microsoft},
url = {https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf},
language = {English},
urldate = {2020-10-05}
}
Microsoft Digital Defense Report
Emotet IcedID Mailto Maze QakBot REvil RobinHood TrickBot |
2020-09-24 ⋅ Kaspersky Labs ⋅ Kaspersky Lab ICS CERT
@techreport{cert:20200924:threat:2d7986d,
author = {Kaspersky Lab ICS CERT},
title = {{Threat landscape for industrial automation systems - H1 2020}},
date = {2020-09-24},
institution = {Kaspersky Labs},
url = {https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf},
language = {English},
urldate = {2020-10-04}
}
Threat landscape for industrial automation systems - H1 2020
Poet RAT Mailto Milum RagnarLocker REvil Ryuk Snake |
2020-09-22 ⋅ OSINT Fans ⋅ Gabor Szathmari
@online{szathmari:20200922:what:60d1e26,
author = {Gabor Szathmari},
title = {{What Service NSW has to do with Russia?}},
date = {2020-09-22},
organization = {OSINT Fans},
url = {https://osint.fans/service-nsw-russia-association},
language = {English},
urldate = {2020-09-23}
}
What Service NSW has to do with Russia?
TrickBot |
2020-09-16 ⋅ Intel 471 ⋅ Intel 471
@online{471:20200916:partners:c65839f,
author = {Intel 471},
title = {{Partners in crime: North Koreans and elite Russian-speaking cybercriminals}},
date = {2020-09-16},
organization = {Intel 471},
url = {https://public.intel471.com/blog/partners-in-crime-north-koreans-and-elite-russian-speaking-cybercriminals/},
language = {English},
urldate = {2020-09-23}
}
Partners in crime: North Koreans and elite Russian-speaking cybercriminals
TrickBot |
2020-09-01 ⋅ Cisco Talos ⋅ David Liebenberg, Caitlin Huey
@online{liebenberg:20200901:quarterly:c02962b,
author = {David Liebenberg and Caitlin Huey},
title = {{Quarterly Report: Incident Response trends in Summer 2020}},
date = {2020-09-01},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html},
language = {English},
urldate = {2020-09-03}
}
Quarterly Report: Incident Response trends in Summer 2020
Cobalt Strike LockBit Mailto Maze Ryuk |
2020-08-31 ⋅ cyber.wtf blog ⋅ Luca Ebach
@online{ebach:20200831:trickbot:c975ec5,
author = {Luca Ebach},
title = {{Trickbot rdpscanDll – Transforming Candidate Credentials for Brute-Forcing RDP Servers}},
date = {2020-08-31},
organization = {cyber.wtf blog},
url = {https://cyber.wtf/2020/08/31/trickbot-rdpscandll-password-transof/},
language = {English},
urldate = {2020-08-31}
}
Trickbot rdpscanDll – Transforming Candidate Credentials for Brute-Forcing RDP Servers
TrickBot |
2020-08-20 ⋅ CERT-FR ⋅ CERT-FR
@techreport{certfr:20200820:development:d518522,
author = {CERT-FR},
title = {{Development of the Activity of the TA505 Cybercriminal Group}},
date = {2020-08-20},
institution = {CERT-FR},
url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf},
language = {English},
urldate = {2020-08-28}
}
Development of the Activity of the TA505 Cybercriminal Group
AndroMut Bart Clop Dridex FlawedAmmyy FlawedGrace Get2 Locky Marap QuantLoader SDBbot ServHelper tRat TrickBot |
2020-08-20 ⋅ sensecy ⋅ cyberthreatinsider
@online{cyberthreatinsider:20200820:global:34ee2ea,
author = {cyberthreatinsider},
title = {{Global Ransomware Attacks in 2020: The Top 4 Vulnerabilities}},
date = {2020-08-20},
organization = {sensecy},
url = {https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/},
language = {English},
urldate = {2020-11-04}
}
Global Ransomware Attacks in 2020: The Top 4 Vulnerabilities
Clop Maze REvil Ryuk |
2020-08-18 ⋅ Arete ⋅ Arete Incident Response
@techreport{response:20200818:is:72e08da,
author = {Arete Incident Response},
title = {{Is Conti the New Ryuk?}},
date = {2020-08-18},
institution = {Arete},
url = {https://areteir.com/wp-content/uploads/2020/08/Arete_Insight_Is-Conti-the-new-Ryuk_August2020.pdf},
language = {English},
urldate = {2020-08-25}
}
Is Conti the New Ryuk?
Conti Ryuk |
2020-08-09 ⋅ F5 Labs ⋅ Remi Cohen, Debbie Walkowski
@online{cohen:20200809:banking:8718999,
author = {Remi Cohen and Debbie Walkowski},
title = {{Banking Trojans: A Reference Guide to the Malware Family Tree}},
date = {2020-08-09},
organization = {F5 Labs},
url = {https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree},
language = {English},
urldate = {2021-06-29}
}
Banking Trojans: A Reference Guide to the Malware Family Tree
BackSwap Carberp Citadel DanaBot Dridex Dyre Emotet Gozi Kronos PandaBanker Ramnit Shylock SpyEye Tinba TrickBot Vawtrak Zeus |
2020-08 ⋅ Temple University ⋅ CARE
@online{care:202008:critical:415c34d,
author = {CARE},
title = {{Critical Infrastructure Ransomware Attacks}},
date = {2020-08},
organization = {Temple University},
url = {https://sites.temple.edu/care/ci-rw-attacks/},
language = {English},
urldate = {2020-09-15}
}
Critical Infrastructure Ransomware Attacks
CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor |
2020-07-29 ⋅ ESET Research ⋅ welivesecurity
@techreport{welivesecurity:20200729:threat:496355c,
author = {welivesecurity},
title = {{THREAT REPORT Q2 2020}},
date = {2020-07-29},
institution = {ESET Research},
url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf},
language = {English},
urldate = {2020-07-30}
}
THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor |
2020-07-22 ⋅ SentinelOne ⋅ Jason Reaves, Joshua Platt
@online{reaves:20200722:enter:71d9038,
author = {Jason Reaves and Joshua Platt},
title = {{Enter the Maze: Demystifying an Affiliate Involved in Maze (SNOW)}},
date = {2020-07-22},
organization = {SentinelOne},
url = {https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/},
language = {English},
urldate = {2020-07-23}
}
Enter the Maze: Demystifying an Affiliate Involved in Maze (SNOW)
ISFB Maze TrickBot Zloader |
2020-07-20 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20200720:emotettrickbot:a8e84d2,
author = {Lawrence Abrams},
title = {{Emotet-TrickBot malware duo is back infecting Windows machines}},
date = {2020-07-20},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/emotet-trickbot-malware-duo-is-back-infecting-windows-machines/},
language = {English},
urldate = {2020-07-21}
}
Emotet-TrickBot malware duo is back infecting Windows machines
Emotet TrickBot |
2020-07-13 ⋅ JoeSecurity ⋅ Joe Security
@online{security:20200713:trickbots:a164ba5,
author = {Joe Security},
title = {{TrickBot's new API-Hammering explained}},
date = {2020-07-13},
organization = {JoeSecurity},
url = {https://www.joesecurity.org/blog/498839998833561473},
language = {English},
urldate = {2020-07-15}
}
TrickBot's new API-Hammering explained
TrickBot |
2020-07-11 ⋅ BleepingComputer ⋅ Lawrence Abrams
@online{abrams:20200711:trickbot:7e70ad3,
author = {Lawrence Abrams},
title = {{TrickBot malware mistakenly warns victims that they are infected}},
date = {2020-07-11},
organization = {BleepingComputer},
url = {https://www.bleepingcomputer.com/news/security/trickbot-malware-mistakenly-warns-victims-that-they-are-infected/},
language = {English},
urldate = {2020-07-15}
}
TrickBot malware mistakenly warns victims that they are infected
TrickBot |
2020-07-11 ⋅ Advanced Intelligence ⋅ Vitali Kremez
@online{kremez:20200711:trickbot:602fd73,
author = {Vitali Kremez},
title = {{TrickBot Group Launches Test Module Alerting on Fraud Activity}},
date = {2020-07-11},
organization = {Advanced Intelligence},
url = {https://www.advanced-intel.com/post/trickbot-group-launches-test-module-alerting-on-fraud-activity},
language = {English},
urldate = {2020-07-13}
}
TrickBot Group Launches Test Module Alerting on Fraud Activity
TrickBot |
2020-07-06 ⋅ NTT ⋅ Security division of NTT Ltd.
@online{ltd:20200706:trickbot:9612912,
author = {Security division of NTT Ltd.},
title = {{TrickBot variant “Anchor_DNS” communicating over DNS}},
date = {2020-07-06},
organization = {NTT},
url = {https://hello.global.ntt/en-us/insights/blog/trickbot-variant-communicating-over-dns},
language = {English},
urldate = {2020-07-30}
}
TrickBot variant “Anchor_DNS” communicating over DNS
Anchor_DNS TrickBot |
2020-06-23 ⋅ Bleeping Computer ⋅ Ionut Ilascu
@online{ilascu:20200623:ryuk:c63b0c6,
author = {Ionut Ilascu},
title = {{Ryuk ransomware deployed two weeks after Trickbot infection}},
date = {2020-06-23},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-deployed-two-weeks-after-trickbot-infection/},
language = {English},
urldate = {2020-06-30}
}
Ryuk ransomware deployed two weeks after Trickbot infection
Ryuk |
2020-06-22 ⋅ Sentinel LABS ⋅ Joshua Platt, Jason Reaves
@online{platt:20200622:inside:b381dd5,
author = {Joshua Platt and Jason Reaves},
title = {{Inside a TrickBot Cobalt Strike Attack Server}},
date = {2020-06-22},
organization = {Sentinel LABS},
url = {https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/},
language = {English},
urldate = {2020-06-23}
}
Inside a TrickBot Cobalt Strike Attack Server
Cobalt Strike TrickBot |
2020-06-22 ⋅ CERT-FR ⋅ CERT-FR
@techreport{certfr:20200622:volution:fba1cfa,
author = {CERT-FR},
title = {{Évolution De Lactivité du Groupe Cybercriminel TA505}},
date = {2020-06-22},
institution = {CERT-FR},
url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf},
language = {French},
urldate = {2020-06-24}
}
Évolution De Lactivité du Groupe Cybercriminel TA505
Amadey AndroMut Bart Clop Dridex FlawedGrace Gandcrab Get2 GlobeImposter Jaff Locky Marap Philadephia Ransom QuantLoader Scarab Ransomware SDBbot ServHelper Silence tRat TrickBot |
2020-06-17 ⋅ Youtube (Red Canary) ⋅ Erika Noerenberg, Matt Graeber, Adam Pennington, David Kaplan
@online{noerenberg:20200617:attck:934d73c,
author = {Erika Noerenberg and Matt Graeber and Adam Pennington and David Kaplan},
title = {{ATT&CK® Deep Dive: Process Injection}},
date = {2020-06-17},
organization = {Youtube (Red Canary)},
url = {https://redcanary.com/resources/webinars/deep-dive-process-injection/},
language = {English},
urldate = {2020-06-19}
}
ATT&CK® Deep Dive: Process Injection
ISFB Ramnit TrickBot |
2020-06-15 ⋅ Cisco Talos ⋅ David Liebenberg, Caitlin Huey
@online{liebenberg:20200615:quarterly:c2dcd77,
author = {David Liebenberg and Caitlin Huey},
title = {{Quarterly report: Incident Response trends in Summer 2020}},
date = {2020-06-15},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2020/06/CTIR-trends-q3-2020.html#more},
language = {English},
urldate = {2020-06-19}
}
Quarterly report: Incident Response trends in Summer 2020
Ryuk |
2020-06-15 ⋅ Fortinet ⋅ Val Saengphaibul, Fred Gutierrez
@online{saengphaibul:20200615:global:5c4be18,
author = {Val Saengphaibul and Fred Gutierrez},
title = {{Global Malicious Spam Campaign Using Black Lives Matter as a Lure}},
date = {2020-06-15},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/global-malicious-spam-campaign-using-black-lives-matter-as-a-lure},
language = {English},
urldate = {2020-06-16}
}
Global Malicious Spam Campaign Using Black Lives Matter as a Lure
TrickBot |
2020-06-12 ⋅ Hornetsecurity ⋅ Security Lab
@online{lab:20200612:trickbot:2bf54ef,
author = {Security Lab},
title = {{Trickbot Malspam Leveraging Black Lives Matter as Lure}},
date = {2020-06-12},
organization = {Hornetsecurity},
url = {https://www.hornetsecurity.com/en/security-information/trickbot-malspam-leveraging-black-lives-matter-as-lure/},
language = {English},
urldate = {2020-07-01}
}
Trickbot Malspam Leveraging Black Lives Matter as Lure
TrickBot |
2020-06-11 ⋅ Cofense ⋅ Jason Meurer
@online{meurer:20200611:all:cc2e167,
author = {Jason Meurer},
title = {{All You Need Is Text: Second Wave}},
date = {2020-06-11},
organization = {Cofense},
url = {https://cofenselabs.com/all-you-need-is-text-second-wave/},
language = {English},
urldate = {2020-06-12}
}
All You Need Is Text: Second Wave
TrickBot |
2020-06-02 ⋅ Lastline Labs ⋅ James Haughom, Stefano Ortolani
@online{haughom:20200602:evolution:3286d87,
author = {James Haughom and Stefano Ortolani},
title = {{Evolution of Excel 4.0 Macro Weaponization}},
date = {2020-06-02},
organization = {Lastline Labs},
url = {https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/},
language = {English},
urldate = {2020-06-03}
}
Evolution of Excel 4.0 Macro Weaponization
Agent Tesla DanaBot ISFB TrickBot Zloader |
2020-05-28 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan
@online{duncan:20200528:goodbye:87a0245,
author = {Brad Duncan},
title = {{Goodbye Mworm, Hello Nworm: TrickBot Updates Propagation Module}},
date = {2020-05-28},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/},
language = {English},
urldate = {2020-05-29}
}
Goodbye Mworm, Hello Nworm: TrickBot Updates Propagation Module
TrickBot |
2020-05-21 ⋅ Intel 471 ⋅ Intel 471
@online{471:20200521:brief:048d164,
author = {Intel 471},
title = {{A brief history of TA505}},
date = {2020-05-21},
organization = {Intel 471},
url = {https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/},
language = {English},
urldate = {2020-05-23}
}
A brief history of TA505
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot |
2020-05-19 ⋅ AlienLabs ⋅ Ofer Caspi
@online{caspi:20200519:trickbot:50c2a51,
author = {Ofer Caspi},
title = {{TrickBot BazarLoader In-Depth}},
date = {2020-05-19},
organization = {AlienLabs},
url = {https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth},
language = {English},
urldate = {2020-05-20}
}
TrickBot BazarLoader In-Depth
Anchor BazarBackdoor TrickBot |
2020-05-14 ⋅ SentinelOne ⋅ Jason Reaves
@online{reaves:20200514:deep:1ee83b6,
author = {Jason Reaves},
title = {{Deep Dive Into TrickBot Executor Module “mexec”: Reversing the Dropper Variant}},
date = {2020-05-14},
organization = {SentinelOne},
url = {https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-reversing-the-dropper-variant/},
language = {English},
urldate = {2020-05-18}
}
Deep Dive Into TrickBot Executor Module “mexec”: Reversing the Dropper Variant
TrickBot |
2020-05-05 ⋅ N1ght-W0lf Blog ⋅ Abdallah Elshinbary
@online{elshinbary:20200505:deep:f5661cb,
author = {Abdallah Elshinbary},
title = {{Deep Analysis of Ryuk Ransomware}},
date = {2020-05-05},
organization = {N1ght-W0lf Blog},
url = {https://n1ght-w0lf.github.io/malware%20analysis/ryuk-ransomware/},
language = {English},
urldate = {2020-05-10}
}
Deep Analysis of Ryuk Ransomware
Ryuk |
2020-04-19 ⋅ SecurityLiterate ⋅ Kyle Cucci
@online{cucci:20200419:reversing:4523233,
author = {Kyle Cucci},
title = {{Reversing Ryuk: A Technical Analysis of Ryuk Ransomware}},
date = {2020-04-19},
organization = {SecurityLiterate},
url = {https://securityliterate.com/reversing-ryuk-a-technical-analysis-of-ryuk-ransomware/},
language = {English},
urldate = {2020-08-13}
}
Reversing Ryuk: A Technical Analysis of Ryuk Ransomware
Ryuk |
2020-04-14 ⋅ Intel 471 ⋅ Intel 471
@online{471:20200414:understanding:ca95961,
author = {Intel 471},
title = {{Understanding the relationship between Emotet, Ryuk and TrickBot}},
date = {2020-04-14},
organization = {Intel 471},
url = {https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/},
language = {English},
urldate = {2020-04-26}
}
Understanding the relationship between Emotet, Ryuk and TrickBot
Emotet Ryuk TrickBot |
2020-04-14 ⋅ Intrinsec ⋅ Jean Bichet
@online{bichet:20200414:deobfuscating:d7320ab,
author = {Jean Bichet},
title = {{Deobfuscating and hunting for OSTAP, Trickbot’s dropper and best friend}},
date = {2020-04-14},
organization = {Intrinsec},
url = {https://www.intrinsec.com/deobfuscating-hunting-ostap/},
language = {English},
urldate = {2021-01-11}
}
Deobfuscating and hunting for OSTAP, Trickbot’s dropper and best friend
ostap TrickBot |
2020-04-09 ⋅ Zscaler ⋅ Atinderpal Singh, Abhay Yadav
@online{singh:20200409:trickbot:9db52c2,
author = {Atinderpal Singh and Abhay Yadav},
title = {{TrickBot Emerges with a Few New Tricks}},
date = {2020-04-09},
organization = {Zscaler},
url = {https://www.zscaler.com/blogs/research/trickbot-emerges-few-new-tricks},
language = {English},
urldate = {2020-07-01}
}
TrickBot Emerges with a Few New Tricks
TrickBot |
2020-04-08 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
@online{researchteam:20200408:how:192d583,
author = {Counter Threat Unit ResearchTeam},
title = {{How Cyber Adversaries are Adapting to Exploit the Global Pandemic}},
date = {2020-04-08},
organization = {Secureworks},
url = {https://www.secureworks.com/blog/how-cyber-adversaries-are-adapting-to-exploit-the-global-pandemic},
language = {English},
urldate = {2021-05-28}
}
How Cyber Adversaries are Adapting to Exploit the Global Pandemic
GOLD SOUTHFIELD TA2101 TA505 WIZARD SPIDER |
2020-04-08 ⋅ SentinelOne ⋅ Jason Reaves
@online{reaves:20200408:deep:87b83bb,
author = {Jason Reaves},
title = {{Deep Dive Into TrickBot Executor Module “mexec”: Hidden “Anchor” Bot Nexus Operations}},
date = {2020-04-08},
organization = {SentinelOne},
url = {https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/},
language = {English},
urldate = {2020-04-13}
}
Deep Dive Into TrickBot Executor Module “mexec”: Hidden “Anchor” Bot Nexus Operations
Anchor TrickBot |
2020-04-07 ⋅ SecurityIntelligence ⋅ Ole Villadsen
@online{villadsen:20200407:itg08:b0b782d,
author = {Ole Villadsen},
title = {{ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework}},
date = {2020-04-07},
organization = {SecurityIntelligence},
url = {https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/},
language = {English},
urldate = {2020-04-13}
}
ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework
More_eggs Anchor TrickBot |
2020-04-01 ⋅ Cisco ⋅ Shyam Sundar Ramaswami, Andrea Kaiser
@online{ramaswami:20200401:navigating:965952a,
author = {Shyam Sundar Ramaswami and Andrea Kaiser},
title = {{Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors}},
date = {2020-04-01},
organization = {Cisco},
url = {https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors},
language = {English},
urldate = {2020-08-19}
}
Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors
Azorult CloudEyE Formbook KPOT Stealer Metamorfo Nanocore RAT NetWire RC TrickBot |
2020-03-31 ⋅ FireEye ⋅ Van Ta, Aaron Stephens
@online{ta:20200331:its:632dfca,
author = {Van Ta and Aaron Stephens},
title = {{It’s Your Money and They Want It Now - The Cycle of Adversary Pursuit}},
date = {2020-03-31},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html},
language = {English},
urldate = {2020-04-06}
}
It’s Your Money and They Want It Now - The Cycle of Adversary Pursuit
Ryuk TrickBot UNC1878 |
2020-03-31 ⋅ Cisco Talos ⋅ Chris Neal
@online{neal:20200331:trickbot:dcf5314,
author = {Chris Neal},
title = {{Trickbot: A primer}},
date = {2020-03-31},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2020/03/trickbot-primer.html},
language = {English},
urldate = {2020-04-01}
}
Trickbot: A primer
TrickBot |
2020-03-30 ⋅ Intezer ⋅ Michael Kajiloti
@online{kajiloti:20200330:fantastic:c01db60,
author = {Michael Kajiloti},
title = {{Fantastic payloads and where we find them}},
date = {2020-03-30},
organization = {Intezer},
url = {https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them},
language = {English},
urldate = {2020-04-07}
}
Fantastic payloads and where we find them
Dridex Emotet ISFB TrickBot |
2020-03-25 ⋅ Wilbur Security ⋅ JW
@online{jw:20200325:trickbot:17b0dc3,
author = {JW},
title = {{Trickbot to Ryuk in Two Hours}},
date = {2020-03-25},
organization = {Wilbur Security},
url = {https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/},
language = {English},
urldate = {2020-03-26}
}
Trickbot to Ryuk in Two Hours
Cobalt Strike Ryuk TrickBot |
2020-03-18 ⋅ Bitdefender ⋅ Liviu Arsene, Radu Tudorica, Alexandru Maximciuc, Cristina Vatamanu
@techreport{arsene:20200318:new:2d895da,
author = {Liviu Arsene and Radu Tudorica and Alexandru Maximciuc and Cristina Vatamanu},
title = {{New TrickBot Module Bruteforces RDP Connections, Targets Select Telecommunication Services in US and Hong Kong}},
date = {2020-03-18},
institution = {Bitdefender},
url = {https://www.bitdefender.com/files/News/CaseStudies/study/316/Bitdefender-Whitepaper-TrickBot-en-EN-interactive.pdf},
language = {English},
urldate = {2020-03-19}
}
New TrickBot Module Bruteforces RDP Connections, Targets Select Telecommunication Services in US and Hong Kong
TrickBot |
2020-03-09 ⋅ Fortinet ⋅ Xiaopeng Zhang
@online{zhang:20200309:new:ff60491,
author = {Xiaopeng Zhang},
title = {{New Variant of TrickBot Being Spread by Word Document}},
date = {2020-03-09},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/new-variant-of-trickbot-being-spread-by-word-document.html},
language = {English},
urldate = {2020-04-26}
}
New Variant of TrickBot Being Spread by Word Document
TrickBot |
2020-03-05 ⋅ Microsoft ⋅ Microsoft Threat Protection Intelligence Team
@online{team:20200305:humanoperated:d90a28e,
author = {Microsoft Threat Protection Intelligence Team},
title = {{Human-operated ransomware attacks: A preventable disaster}},
date = {2020-03-05},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/},
language = {English},
urldate = {2020-03-06}
}
Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor |
2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f,
author = {CrowdStrike},
title = {{2020 CrowdStrike Global Threat Report}},
date = {2020-03-04},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf},
language = {English},
urldate = {2020-07-24}
}
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER Pirate Panda SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER |
2020-03-04 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20200304:ryuk:31f2ce0,
author = {Lawrence Abrams},
title = {{Ryuk Ransomware Attacked Epiq Global Via TrickBot Infection}},
date = {2020-03-04},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/},
language = {English},
urldate = {2020-03-09}
}
Ryuk Ransomware Attacked Epiq Global Via TrickBot Infection
Ryuk TrickBot |
2020-03-03 ⋅ PWC UK ⋅ PWC UK
@techreport{uk:20200303:cyber:1f1eef0,
author = {PWC UK},
title = {{Cyber Threats 2019:A Year in Retrospect}},
date = {2020-03-03},
institution = {PWC UK},
url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf},
language = {English},
urldate = {2020-03-03}
}
Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom |
2020-03-02 ⋅ c't ⋅ Christian Wölbert
@online{wlbert:20200302:was:1b9cc93,
author = {Christian Wölbert},
title = {{Was Emotet anrichtet – und welche Lehren die Opfer daraus ziehen}},
date = {2020-03-02},
organization = {c't},
url = {https://www.heise.de/ct/artikel/Was-Emotet-anrichtet-und-welche-Lehren-die-Opfer-daraus-ziehen-4665958.html},
language = {German},
urldate = {2020-03-02}
}
Was Emotet anrichtet – und welche Lehren die Opfer daraus ziehen
Emotet Ryuk |
2020-02-28 ⋅ Morphisec ⋅ Michael Gorelik
@online{gorelik:20200228:trickbot:678683b,
author = {Michael Gorelik},
title = {{Trickbot Delivery Method Gets a New Upgrade Focusing on Windows 10}},
date = {2020-02-28},
organization = {Morphisec},
url = {https://blog.morphisec.com/trickbot-delivery-method-gets-a-new-upgrade-focusing-on-windows},
language = {English},
urldate = {2020-03-03}
}
Trickbot Delivery Method Gets a New Upgrade Focusing on Windows 10
TrickBot |
2020-02-26 ⋅ SentinelOne ⋅ Jason Reaves
@online{reaves:20200226:revealing:2c3fc63,
author = {Jason Reaves},
title = {{Revealing the Trick | A Deep Dive into TrickLoader Obfuscation}},
date = {2020-02-26},
organization = {SentinelOne},
url = {https://labs.sentinelone.com/revealing-the-trick-a-deep-dive-into-trickloader-obfuscation/},
language = {English},
urldate = {2020-02-27}
}
Revealing the Trick | A Deep Dive into TrickLoader Obfuscation
TrickBot |
2020-02-25 ⋅ RSA Conference ⋅ Joel DeCapua
@online{decapua:20200225:feds:423f929,
author = {Joel DeCapua},
title = {{Feds Fighting Ransomware: How the FBI Investigates and How You Can Help}},
date = {2020-02-25},
organization = {RSA Conference},
url = {https://www.youtube.com/watch?v=LUxOcpIRxmg},
language = {English},
urldate = {2020-03-04}
}
Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Rapid Ransom REvil Ryuk SamSam Zeus |
2020-02-19 ⋅ FireEye ⋅ FireEye
@online{fireeye:20200219:mtrends:193613a,
author = {FireEye},
title = {{M-Trends 2020}},
date = {2020-02-19},
organization = {FireEye},
url = {https://content.fireeye.com/m-trends/rpt-m-trends-2020},
language = {English},
urldate = {2020-02-20}
}
M-Trends 2020
Cobalt Strike Grateful POS LockerGoga QakBot TrickBot |
2020-02-18 ⋅ Sophos Labs ⋅ Luca Nagy
@online{nagy:20200218:nearly:8ff363f,
author = {Luca Nagy},
title = {{Nearly a quarter of malware now communicates using TLS}},
date = {2020-02-18},
organization = {Sophos Labs},
url = {https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/},
language = {English},
urldate = {2020-02-27}
}
Nearly a quarter of malware now communicates using TLS
Dridex IcedID TrickBot |
2020-02-13 ⋅ Qianxin ⋅ Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333,
author = {Qi Anxin Threat Intelligence Center},
title = {{APT Report 2019}},
date = {2020-02-13},
institution = {Qianxin},
url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf},
language = {English},
urldate = {2020-02-27}
}
APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy |
2020-02-13 ⋅ Quick Heal ⋅ Goutam Tripathy
@online{tripathy:20200213:deep:34e3281,
author = {Goutam Tripathy},
title = {{A Deep Dive Into Wakeup On Lan (WoL) Implementation of Ryuk}},
date = {2020-02-13},
organization = {Quick Heal},
url = {https://blogs.quickheal.com/deep-dive-wakeup-lan-wol-implementation-ryuk/},
language = {English},
urldate = {2021-01-25}
}
A Deep Dive Into Wakeup On Lan (WoL) Implementation of Ryuk
Ryuk |
2020-02-12 ⋅ VMWare Carbon Black ⋅ Rachel E. King, AC
@online{king:20200212:ryuk:720c14e,
author = {Rachel E. King and AC},
title = {{Ryuk Ransomware Technical Analysis}},
date = {2020-02-12},
organization = {VMWare Carbon Black},
url = {https://www.carbonblack.com/blog/vmware-carbon-black-tau-ryuk-ransomware-technical-analysis/},
language = {English},
urldate = {2020-11-19}
}
Ryuk Ransomware Technical Analysis
Ryuk |
2020-02-10 ⋅ Malwarebytes ⋅ Adam Kujawa, Wendy Zamora, Jérôme Segura, Thomas Reed, Nathan Collier, Jovi Umawing, Chris Boyd, Pieter Arntz, David Ruiz
@techreport{kujawa:20200210:2020:3fdaf12,
author = {Adam Kujawa and Wendy Zamora and Jérôme Segura and Thomas Reed and Nathan Collier and Jovi Umawing and Chris Boyd and Pieter Arntz and David Ruiz},
title = {{2020 State of Malware Report}},
date = {2020-02-10},
institution = {Malwarebytes},
url = {https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf},
language = {English},
urldate = {2020-02-13}
}
2020 State of Malware Report
magecart Emotet QakBot REvil Ryuk TrickBot WannaCryptor |
2020-01-30 ⋅ Morphisec ⋅ Arnold Osipov
@online{osipov:20200130:trickbot:da5c80d,
author = {Arnold Osipov},
title = {{Trickbot Trojan Leveraging a New Windows 10 UAC Bypass}},
date = {2020-01-30},
organization = {Morphisec},
url = {https://blog.morphisec.com/trickbot-uses-a-new-windows-10-uac-bypass},
language = {English},
urldate = {2020-02-03}
}
Trickbot Trojan Leveraging a New Windows 10 UAC Bypass
TrickBot |
2020-01-30 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20200130:trickbot:22db786,
author = {Lawrence Abrams},
title = {{TrickBot Uses a New Windows 10 UAC Bypass to Launch Quietly}},
date = {2020-01-30},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly/},
language = {English},
urldate = {2020-02-03}
}
TrickBot Uses a New Windows 10 UAC Bypass to Launch Quietly
TrickBot |
2020-01-29 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20200129:malware:920dc7e,
author = {Lawrence Abrams},
title = {{Malware Tries to Trump Security Software With POTUS Impeachment}},
date = {2020-01-29},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/malware-tries-to-trump-security-software-with-potus-impeachment/},
language = {English},
urldate = {2020-02-03}
}
Malware Tries to Trump Security Software With POTUS Impeachment
TrickBot |
2020-01-29 ⋅ ZDNet ⋅ Catalin Cimpanu
@online{cimpanu:20200129:dod:57de65d,
author = {Catalin Cimpanu},
title = {{DOD contractor suffers ransomware infection}},
date = {2020-01-29},
organization = {ZDNet},
url = {https://www.zdnet.com/article/dod-contractor-suffers-ransomware-infection/},
language = {English},
urldate = {2020-02-03}
}
DOD contractor suffers ransomware infection
Ryuk |
2020-01-29 ⋅ ANSSI ⋅ ANSSI
@techreport{anssi:20200129:tat:3d59e6e,
author = {ANSSI},
title = {{État de la menace rançongiciel}},
date = {2020-01-29},
institution = {ANSSI},
url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf},
language = {English},
urldate = {2020-02-03}
}
État de la menace rançongiciel
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam |
2020-01-27 ⋅ T-Systems ⋅ T-Systems
@techreport{tsystems:20200127:vorlufiger:39dc989,
author = {T-Systems},
title = {{Vorläufiger forensischer Abschlussbericht zur Untersuchung des Incidents beim Berliner Kammergericht}},
date = {2020-01-27},
institution = {T-Systems},
url = {https://www.berlin.de/sen/justva/presse/pressemitteilungen/2020/pm-11-2020-t-systems-forensik_bericht_public_v1.pdf},
language = {German},
urldate = {2020-01-28}
}
Vorläufiger forensischer Abschlussbericht zur Untersuchung des Incidents beim Berliner Kammergericht
Emotet TrickBot |
2020-01-24 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20200124:new:05d5a6a,
author = {Lawrence Abrams},
title = {{New Ryuk Info Stealer Targets Government and Military Secrets}},
date = {2020-01-24},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/new-ryuk-info-stealer-targets-government-and-military-secrets/},
language = {English},
urldate = {2020-02-03}
}
New Ryuk Info Stealer Targets Government and Military Secrets
Ryuk |
2020-01-24 ⋅ ReversingLabs ⋅ Robert Simmons
@online{simmons:20200124:hunting:f99f1f9,
author = {Robert Simmons},
title = {{Hunting for Ransomware}},
date = {2020-01-24},
organization = {ReversingLabs},
url = {https://blog.reversinglabs.com/blog/hunting-for-ransomware},
language = {English},
urldate = {2020-01-29}
}
Hunting for Ransomware
Ryuk |
2020-01-23 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20200123:trickbot:5ca7827,
author = {Lawrence Abrams},
title = {{TrickBot Now Steals Windows Active Directory Credentials}},
date = {2020-01-23},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/trickbot-now-steals-windows-active-directory-credentials/},
language = {English},
urldate = {2020-01-27}
}
TrickBot Now Steals Windows Active Directory Credentials
TrickBot |
2020-01-17 ⋅ Secureworks ⋅ Tamada Kiyotaka, Keita Yamazaki, You Nakatsuru
@techreport{kiyotaka:20200117:is:969ff38,
author = {Tamada Kiyotaka and Keita Yamazaki and You Nakatsuru},
title = {{Is It Wrong to Try to Find APT Techniques in Ransomware Attack?}},
date = {2020-01-17},
institution = {Secureworks},
url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf},
language = {English},
urldate = {2020-04-06}
}
Is It Wrong to Try to Find APT Techniques in Ransomware Attack?
Defray Dharma FriedEx Gandcrab GlobeImposter Matrix Ransom MedusaLocker Phobos REvil Ryuk SamSam Scarab Ransomware |
2020-01-17 ⋅ Ken Sajo, Yasuhiro Takeda, Yusuke Niwa
@techreport{sajo:20200117:battle:2b146f5,
author = {Ken Sajo and Yasuhiro Takeda and Yusuke Niwa},
title = {{Battle Against Ursnif Malspam Campaign targeting Japan}},
date = {2020-01-17},
institution = {},
url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf},
language = {English},
urldate = {2020-01-17}
}
Battle Against Ursnif Malspam Campaign targeting Japan
Cutwail ISFB TrickBot UrlZone |
2020-01-16 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20200116:trickbot:ed6fdb3,
author = {Lawrence Abrams},
title = {{TrickBot Now Uses a Windows 10 UAC Bypass to Evade Detection}},
date = {2020-01-16},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/trickbot-now-uses-a-windows-10-uac-bypass-to-evade-detection/},
language = {English},
urldate = {2020-01-20}
}
TrickBot Now Uses a Windows 10 UAC Bypass to Evade Detection
TrickBot |
2020-01-14 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20200114:ryuk:b2e47fa,
author = {Lawrence Abrams},
title = {{Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices}},
date = {2020-01-14},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/},
language = {English},
urldate = {2020-01-15}
}
Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices
Ryuk |
2020-01-10 ⋅ CSIS ⋅ CSIS
@techreport{csis:20200110:threat:7454f36,
author = {CSIS},
title = {{Threat Matrix H1 2019}},
date = {2020-01-10},
institution = {CSIS},
url = {https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf},
language = {English},
urldate = {2020-01-22}
}
Threat Matrix H1 2019
Gustuff magecart Emotet Gandcrab Ramnit TrickBot |
2020-01-09 ⋅ SentinelOne ⋅ Vitali Kremez, Joshua Platt, Jason Reaves
@online{kremez:20200109:toptier:4f8de90,
author = {Vitali Kremez and Joshua Platt and Jason Reaves},
title = {{Top-Tier Russian Organized Cybercrime Group Unveils Fileless Stealthy “PowerTrick” Backdoor for High-Value Targets}},
date = {2020-01-09},
organization = {SentinelOne},
url = {https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/},
language = {English},
urldate = {2020-01-13}
}
Top-Tier Russian Organized Cybercrime Group Unveils Fileless Stealthy “PowerTrick” Backdoor for High-Value Targets
TrickBot WIZARD SPIDER |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:gold:d8faa3e,
author = {SecureWorks},
title = {{GOLD ULRICK}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/gold-ulrick},
language = {English},
urldate = {2020-05-23}
}
GOLD ULRICK
Empire Downloader Ryuk TrickBot WIZARD SPIDER |
2020 ⋅ Blackberry ⋅ Blackberry Research
@techreport{research:2020:state:e5941af,
author = {Blackberry Research},
title = {{State of Ransomware}},
date = {2020},
institution = {Blackberry},
url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf},
language = {English},
urldate = {2021-01-01}
}
State of Ransomware
Maze MedusaLocker Nefilim Phobos REvil Ryuk STOP |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:gold:65fcc96,
author = {SecureWorks},
title = {{GOLD SWATHMORE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/gold-swathmore},
language = {English},
urldate = {2020-05-23}
}
GOLD SWATHMORE
GlobeImposter Gozi IcedID TrickBot LUNAR SPIDER |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:gold:21c4d39,
author = {SecureWorks},
title = {{GOLD BLACKBURN}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/gold-blackburn},
language = {English},
urldate = {2020-05-23}
}
GOLD BLACKBURN
Dyre TrickBot |
2019-12-26 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20191226:ryuk:acc2284,
author = {Lawrence Abrams},
title = {{Ryuk Ransomware Stops Encrypting Linux Folders}},
date = {2019-12-26},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-stops-encrypting-linux-folders/},
language = {English},
urldate = {2020-01-08}
}
Ryuk Ransomware Stops Encrypting Linux Folders
Ryuk |
2019-12-21 ⋅ Decrypt ⋅ Adriana Hamacher
@online{hamacher:20191221:how:9d026a8,
author = {Adriana Hamacher},
title = {{How ransomware exploded in the age of Bitcoin}},
date = {2019-12-21},
organization = {Decrypt},
url = {https://decrypt.co/15394/how-ransomware-exploded-in-the-age-of-btc},
language = {English},
urldate = {2020-01-13}
}
How ransomware exploded in the age of Bitcoin
Ryuk |
2019-12-19 ⋅ Malwarebytes ⋅ Jovi Umawing
@online{umawing:20191219:threat:552a941,
author = {Jovi Umawing},
title = {{Threat spotlight: the curious case of Ryuk ransomware}},
date = {2019-12-19},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-spotlight/2019/12/threat-spotlight-the-curious-case-of-ryuk-ransomware/},
language = {English},
urldate = {2020-01-08}
}
Threat spotlight: the curious case of Ryuk ransomware
Ryuk |
2019-12-15 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20191215:ryuk:74f6eab,
author = {Lawrence Abrams},
title = {{Ryuk Ransomware Likely Behind New Orleans Cyberattack}},
date = {2019-12-15},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-likely-behind-new-orleans-cyberattack/},
language = {English},
urldate = {2020-01-13}
}
Ryuk Ransomware Likely Behind New Orleans Cyberattack
Ryuk |
2019-12-12 ⋅ FireEye ⋅ Chi-en Shen, Oleg Bondarenko
@online{shen:20191212:cyber:e01baca,
author = {Chi-en Shen and Oleg Bondarenko},
title = {{Cyber Threat Landscape in Japan – Revealing Threat in the Shadow}},
date = {2019-12-12},
organization = {FireEye},
url = {https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko},
language = {English},
urldate = {2020-04-16}
}
Cyber Threat Landscape in Japan – Revealing Threat in the Shadow
Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech |
2019-12-11 ⋅ Cybereason ⋅ Assaf Dahan, Lior Rochberger, Eli Salem, Mary Zhao, Niv Yona, Omer Yampel, Matt Hart
@online{dahan:20191211:dropping:0849f70,
author = {Assaf Dahan and Lior Rochberger and Eli Salem and Mary Zhao and Niv Yona and Omer Yampel and Matt Hart},
title = {{Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware}},
date = {2019-12-11},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware},
language = {English},
urldate = {2020-01-06}
}
Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware
Anchor WIZARD SPIDER |
2019-12-10 ⋅ Sentinel LABS ⋅ Vitali Kremez, Joshua Platt, Jason Reaves
@online{kremez:20191210:morphisec:c0fc51c,
author = {Vitali Kremez and Joshua Platt and Jason Reaves},
title = {{MORPHISEC DISCOVERS CCLEANER BACKDOOR SAVING MILLIONS OF AVAST USERS}},
date = {2019-12-10},
organization = {Sentinel LABS},
url = {https://labs.sentinelone.com/the-deadly-planeswalker-how-the-trickbot-group-united-high-tech-crimeware-apt/},
language = {English},
urldate = {2020-01-08}
}
MORPHISEC DISCOVERS CCLEANER BACKDOOR SAVING MILLIONS OF AVAST USERS
Anchor |
2019-12-09 ⋅ Palo Alto Networks Unit 42 ⋅ Bryan Lee, Brittany Ash, Mike Harbison
@online{lee:20191209:trickbot:48d9da3,
author = {Bryan Lee and Brittany Ash and Mike Harbison},
title = {{TrickBot Campaign Uses Fake Payroll Emails to Conduct Phishing Attacks}},
date = {2019-12-09},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/trickbot-campaign-uses-fake-payroll-emails-to-conduct-phishing-attacks/},
language = {English},
urldate = {2020-01-22}
}
TrickBot Campaign Uses Fake Payroll Emails to Conduct Phishing Attacks
TrickBot |
2019-12-09 ⋅ Emsisoft ⋅ EmsiSoft Malware Lab
@online{lab:20191209:caution:05ff83a,
author = {EmsiSoft Malware Lab},
title = {{Caution! Ryuk Ransomware decryptor damages larger files, even if you pay}},
date = {2019-12-09},
organization = {Emsisoft},
url = {https://blog.emsisoft.com/en/35023/bug-in-latest-ryuk-decryptor-may-cause-data-loss/},
language = {English},
urldate = {2020-01-07}
}
Caution! Ryuk Ransomware decryptor damages larger files, even if you pay
Ryuk |
2019-11-27 ⋅ Twitter (@Prosegur) ⋅ Prosegur
@online{prosegur:20191127:incident:bd76c3f,
author = {Prosegur},
title = {{Tweet on Incident of Information Security}},
date = {2019-11-27},
organization = {Twitter (@Prosegur)},
url = {https://twitter.com/Prosegur/status/1199732264386596864},
language = {English},
urldate = {2020-01-09}
}
Tweet on Incident of Information Security
Ryuk |
2019-11-22 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan
@online{duncan:20191122:trickbot:e14933b,
author = {Brad Duncan},
title = {{Trickbot Updates Password Grabber Module}},
date = {2019-11-22},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/trickbot-updates-password-grabber-module/},
language = {English},
urldate = {2020-01-22}
}
Trickbot Updates Password Grabber Module
TrickBot |
2019-11-13 ⋅ CrowdStrike ⋅ Jen Ayers, Jason Rivera
@techreport{ayers:20191113:through:70cc3b3,
author = {Jen Ayers and Jason Rivera},
title = {{Through the Eyes of the Adversary}},
date = {2019-11-13},
institution = {CrowdStrike},
url = {https://na.eventscloud.com/file_uploads/6568237bca6dc156e5c5557c5989e97c_CrowdStrikeFal.Con2019_ThroughEyesOfAdversary_J.Ayers.pdf},
language = {English},
urldate = {2020-03-22}
}
Through the Eyes of the Adversary
TrickBot CLOCKWORK SPIDER |
2019-11-08 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan
@online{duncan:20191108:wireshark:f37b983,
author = {Brad Duncan},
title = {{Wireshark Tutorial: Examining Trickbot Infections}},
date = {2019-11-08},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-trickbot-infections/},
language = {English},
urldate = {2020-01-06}
}
Wireshark Tutorial: Examining Trickbot Infections
TrickBot |
2019-11-06 ⋅ Heise Security ⋅ Thomas Hungenberg
@online{hungenberg:20191106:emotet:1605954,
author = {Thomas Hungenberg},
title = {{Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail}},
date = {2019-11-06},
organization = {Heise Security},
url = {https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html},
language = {German},
urldate = {2020-01-06}
}
Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail
Emotet Ryuk TrickBot |
2019-11 ⋅ CCN-CERT ⋅ CCN-CERT
@online{ccncert:201911:informe:69b39b5,
author = {CCN-CERT},
title = {{Informe Código Dañino CCN-CERT ID-26/19}},
date = {2019-11},
organization = {CCN-CERT},
url = {https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/4217-ccn-cert-id-26-19-ryuk-1/file.html},
language = {Espanyol},
urldate = {2020-01-10}
}
Informe Código Dañino CCN-CERT ID-26/19
Ryuk |
2019-11-01 ⋅ CrowdStrike ⋅ Alexander Hanel, Brett Stone-Gross
@online{hanel:20191101:wizard:a34a09e,
author = {Alexander Hanel and Brett Stone-Gross},
title = {{WIZARD SPIDER Adds New Features to Ryuk for Targeting Hosts on LAN}},
date = {2019-11-01},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/},
language = {English},
urldate = {2019-12-20}
}
WIZARD SPIDER Adds New Features to Ryuk for Targeting Hosts on LAN
Ryuk WIZARD SPIDER |
2019-10-29 ⋅ SneakyMonkey Blog ⋅ SneakyMonkey
@online{sneakymonkey:20191029:trickbot:bd7249c,
author = {SneakyMonkey},
title = {{TRICKBOT - Analysis Part II}},
date = {2019-10-29},
organization = {SneakyMonkey Blog},
url = {https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/},
language = {English},
urldate = {2019-12-17}
}
TRICKBOT - Analysis Part II
TrickBot |
2019-10-24 ⋅ Sentinel LABS ⋅ Vitali Kremez
@online{kremez:20191024:how:e6d838d,
author = {Vitali Kremez},
title = {{How TrickBot Malware Hooking Engine Targets Windows 10 Browsers}},
date = {2019-10-24},
organization = {Sentinel LABS},
url = {https://labs.sentinelone.com/how-trickbot-hooking-engine-targets-windows-10-browsers/},
language = {English},
urldate = {2020-07-03}
}
How TrickBot Malware Hooking Engine Targets Windows 10 Browsers
TrickBot |
2019-10-18 ⋅ NTT ⋅ NTT Security
@online{security:20191018:trickbot:6e2f73f,
author = {NTT Security},
title = {{TrickBot variant “Anchor_DNS” communicating over DNS}},
date = {2019-10-18},
organization = {NTT},
url = {https://hello.global.ntt/zh-cn/insights/blog/trickbot-variant-communicating-over-dns},
language = {English},
urldate = {2020-10-12}
}
TrickBot variant “Anchor_DNS” communicating over DNS
Anchor |
2019-09-25 ⋅ GovCERT.ch ⋅ GovCERT.ch
@online{govcertch:20190925:trickbot:8346dd7,
author = {GovCERT.ch},
title = {{Trickbot - An analysis of data collected from the botnet}},
date = {2019-09-25},
organization = {GovCERT.ch},
url = {https://www.govcert.ch/blog/37/trickbot-an-analysis-of-data-collected-from-the-botnet},
language = {English},
urldate = {2020-01-08}
}
Trickbot - An analysis of data collected from the botnet
TrickBot |
2019-09-09 ⋅ McAfee ⋅ Thomas Roccia, Marc Rivero López, Chintan Shah
@online{roccia:20190909:evolution:baf3b6c,
author = {Thomas Roccia and Marc Rivero López and Chintan Shah},
title = {{Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study}},
date = {2019-09-09},
organization = {McAfee},
url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/},
language = {English},
urldate = {2020-08-30}
}
Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study
Cutwail Dridex Dyre Kovter Locky Phorpiex Simda |
2019-08-27 ⋅ Secureworks ⋅ CTU Research Team
@online{team:20190827:trickbot:fa5f95b,
author = {CTU Research Team},
title = {{TrickBot Modifications Target U.S. Mobile Users}},
date = {2019-08-27},
organization = {Secureworks},
url = {https://www.secureworks.com/blog/trickbot-modifications-target-us-mobile-users},
language = {English},
urldate = {2020-01-09}
}
TrickBot Modifications Target U.S. Mobile Users
TrickBot WIZARD SPIDER |
2019-08-26 ⋅ InQuest ⋅ Josiah Smith
@online{smith:20190826:memory:c4cea9b,
author = {Josiah Smith},
title = {{Memory Analysis of TrickBot}},
date = {2019-08-26},
organization = {InQuest},
url = {https://inquest.net/blog/2019/08/26/TrickBot-Memory-Analysis},
language = {English},
urldate = {2020-01-10}
}
Memory Analysis of TrickBot
TrickBot |
2019-08-05 ⋅ Trend Micro ⋅ Noel Anthony Llimos, Michael Jhon Ofiaza
@online{llimos:20190805:latest:62ba94b,
author = {Noel Anthony Llimos and Michael Jhon Ofiaza},
title = {{Latest Trickbot Campaign Delivered via Highly Obfuscated JS File}},
date = {2019-08-05},
organization = {Trend Micro},
url = {https://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/},
language = {English},
urldate = {2020-01-23}
}
Latest Trickbot Campaign Delivered via Highly Obfuscated JS File
ostap TrickBot |
2019-07-12 ⋅ DeepInstinct ⋅ Shaul Vilkomir-Preisman
@online{vilkomirpreisman:20190712:trickbooster:107fdd5,
author = {Shaul Vilkomir-Preisman},
title = {{TrickBooster – TrickBot’s Email-Based Infection Module}},
date = {2019-07-12},
organization = {DeepInstinct},
url = {https://www.deepinstinct.com/2019/07/12/trickbooster-trickbots-email-based-infection-module/},
language = {English},
urldate = {2021-07-08}
}
TrickBooster – TrickBot’s Email-Based Infection Module
TrickBot |
2019-07-11 ⋅ NTT Security ⋅ NTT Security
@online{security:20190711:targeted:a48e692,
author = {NTT Security},
title = {{Targeted TrickBot activity drops 'PowerBrace' backdoor}},
date = {2019-07-11},
organization = {NTT Security},
url = {https://technical.nttsecurity.com/post/102fnog/targeted-trickbot-activity-drops-powerbrace-backdoor},
language = {English},
urldate = {2019-12-18}
}
Targeted TrickBot activity drops 'PowerBrace' backdoor
PowerBrace TrickBot |
2019-06-04 ⋅ SlideShare ⋅ Vitali Kremez
@online{kremez:20190604:inside:d633c6f,
author = {Vitali Kremez},
title = {{Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vitali Kremez}},
date = {2019-06-04},
organization = {SlideShare},
url = {https://www.slideshare.net/proidea_conferences/inside-cybercrime-groups-harvesting-active-directory-for-fun-and-profit-vitali-kremez},
language = {English},
urldate = {2020-01-13}
}
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vitali Kremez
TrickBot |
2019-05-22 ⋅ sneakymonk3y (Mark)
@online{mark:20190522:trickbot:277256b,
author = {sneakymonk3y (Mark)},
title = {{TRICKBOT - Analysis}},
date = {2019-05-22},
url = {https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/},
language = {English},
urldate = {2020-01-06}
}
TRICKBOT - Analysis
TrickBot |
2019-05-09 ⋅ GovCERT.ch ⋅ GovCERT.ch
@online{govcertch:20190509:severe:2767782,
author = {GovCERT.ch},
title = {{Severe Ransomware Attacks Against Swiss SMEs}},
date = {2019-05-09},
organization = {GovCERT.ch},
url = {https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes},
language = {English},
urldate = {2019-07-11}
}
Severe Ransomware Attacks Against Swiss SMEs
Emotet LockerGoga Ryuk TrickBot |
2019-05-02 ⋅ CERT.PL ⋅ Michał Praszmo
@online{praszmo:20190502:detricking:43a7dc1,
author = {Michał Praszmo},
title = {{Detricking TrickBot Loader}},
date = {2019-05-02},
organization = {CERT.PL},
url = {https://www.cert.pl/en/news/single/detricking-trickbot-loader/},
language = {English},
urldate = {2020-01-08}
}
Detricking TrickBot Loader
TrickBot |
2019-04-05 ⋅ Medium vishal_thakur ⋅ Vishal Thakur
@online{thakur:20190405:trickbot:d1c4891,
author = {Vishal Thakur},
title = {{Trickbot — a concise treatise}},
date = {2019-04-05},
organization = {Medium vishal_thakur},
url = {https://medium.com/@vishal_29486/trickbot-a-concise-treatise-d7e4cc97f737},
language = {English},
urldate = {2020-01-13}
}
Trickbot — a concise treatise
TrickBot |
2019-04-05 ⋅ FireEye ⋅ Brendan McKeague, Van Ta, Ben Fedore, Geoff Ackerman, Alex Pennino, Andrew Thompson, Douglas Bienstock
@online{mckeague:20190405:picksix:d101a59,
author = {Brendan McKeague and Van Ta and Ben Fedore and Geoff Ackerman and Alex Pennino and Andrew Thompson and Douglas Bienstock},
title = {{Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware}},
date = {2019-04-05},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html},
language = {English},
urldate = {2019-12-20}
}
Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware
LockerGoga Ryuk FIN6 |
2019-04-02 ⋅ Cybereason ⋅ Noa Pinkas, Lior Rochberger, Matan Zatz
@online{pinkas:20190402:triple:10a3e37,
author = {Noa Pinkas and Lior Rochberger and Matan Zatz},
title = {{Triple Threat: Emotet Deploys Trickbot to Steal Data & Spread Ryuk}},
date = {2019-04-02},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware},
language = {English},
urldate = {2020-01-09}
}
Triple Threat: Emotet Deploys Trickbot to Steal Data & Spread Ryuk
Ryuk TrickBot |
2019-03-26 ⋅ ANSSI ⋅ ANSSI
@techreport{anssi:20190326:informations:7965c3d,
author = {ANSSI},
title = {{INFORMATIONS CONCERNANTLES RANÇONGICIELSLOCKERGOGA ET RYUK}},
date = {2019-03-26},
institution = {ANSSI},
url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf},
language = {French},
urldate = {2020-01-10}
}
INFORMATIONS CONCERNANTLES RANÇONGICIELSLOCKERGOGA ET RYUK
Ryuk |
2019-03-20 ⋅ CrowdStrike ⋅ Brendon Feeley, Brett Stone-Gross
@online{feeley:20190320:new:07bf05b,
author = {Brendon Feeley and Brett Stone-Gross},
title = {{New Evidence Proves Ongoing WIZARD SPIDER / LUNAR SPIDER Collaboration}},
date = {2019-03-20},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/},
language = {English},
urldate = {2019-12-20}
}
New Evidence Proves Ongoing WIZARD SPIDER / LUNAR SPIDER Collaboration
LUNAR SPIDER WIZARD SPIDER |
2019-03-05 ⋅ PepperMalware Blog ⋅ Pepper Potts
@online{potts:20190305:quick:773aabc,
author = {Pepper Potts},
title = {{Quick Analysis of a Trickbot Sample with NSA's Ghidra SRE Framework}},
date = {2019-03-05},
organization = {PepperMalware Blog},
url = {http://www.peppermalware.com/2019/03/quick-analysis-of-trickbot-sample-with.html},
language = {English},
urldate = {2019-12-19}
}
Quick Analysis of a Trickbot Sample with NSA's Ghidra SRE Framework
TrickBot |
2019-02-15 ⋅ CrowdStrike ⋅ Brendon Feeley, Bex Hartley
@online{feeley:20190215:sinful:729f693,
author = {Brendon Feeley and Bex Hartley},
title = {{“Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web}},
date = {2019-02-15},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/},
language = {English},
urldate = {2019-12-20}
}
“Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web
Dyre IcedID TrickBot Vawtrak LUNAR SPIDER WIZARD SPIDER |
2019-02-12 ⋅ Trend Micro ⋅ Trend Micro
@online{micro:20190212:trickbot:73576ba,
author = {Trend Micro},
title = {{Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire}},
date = {2019-02-12},
organization = {Trend Micro},
url = {https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/},
language = {English},
urldate = {2020-01-12}
}
Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire
TrickBot |
2019-01-11 ⋅ FireEye ⋅ Kimberly Goody, Jeremy Kennelly, Jaideep Natu, Christopher Glyer
@online{goody:20190111:nasty:3c872d4,
author = {Kimberly Goody and Jeremy Kennelly and Jaideep Natu and Christopher Glyer},
title = {{A Nasty Trick: From Credential Theft Malware to Business Disruption}},
date = {2019-01-11},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html},
language = {English},
urldate = {2019-12-20}
}
A Nasty Trick: From Credential Theft Malware to Business Disruption
Ryuk TrickBot GRIM SPIDER WIZARD SPIDER |
2019-01-10 ⋅ CrowdStrike ⋅ Alexander Hanel
@online{hanel:20190110:big:7e10bdf,
author = {Alexander Hanel},
title = {{Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware}},
date = {2019-01-10},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/},
language = {English},
urldate = {2019-12-20}
}
Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware
Ryuk GRIM SPIDER MUMMY SPIDER STARDUST CHOLLIMA WIZARD SPIDER |
2019-01-09 ⋅ McAfee ⋅ John Fokker, Christiaan Beek
@online{fokker:20190109:ryuk:350f477,
author = {John Fokker and Christiaan Beek},
title = {{Ryuk Ransomware Attack: Rush to Attribution Misses the Point}},
date = {2019-01-09},
organization = {McAfee},
url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/},
language = {English},
urldate = {2020-01-09}
}
Ryuk Ransomware Attack: Rush to Attribution Misses the Point
Ryuk |
2019 ⋅ Virus Bulletin ⋅ Gabriela Nicolao, Luciano Martins
@techreport{nicolao:2019:shinigamis:8397861,
author = {Gabriela Nicolao and Luciano Martins},
title = {{Shinigami's Revenge: The Long Tail of Ryuk Malware}},
date = {2019},
institution = {Virus Bulletin},
url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-NicolaoMartins.pdf},
language = {English},
urldate = {2020-01-05}
}
Shinigami's Revenge: The Long Tail of Ryuk Malware
Ryuk |
2018-12-29 ⋅ Los Angeles Times ⋅ Tony Barboza, Meg James, Emily Alpert Reyes
@online{barboza:20181229:malware:d5d8d0d,
author = {Tony Barboza and Meg James and Emily Alpert Reyes},
title = {{Malware attack disrupts delivery of L.A. Times and Tribune papers across the U.S.}},
date = {2018-12-29},
organization = {Los Angeles Times},
url = {https://www.latimes.com/local/lanow/la-me-ln-times-delivery-disruption-20181229-story.html},
language = {English},
urldate = {2020-01-10}
}
Malware attack disrupts delivery of L.A. Times and Tribune papers across the U.S.
Ryuk |
2018-12-12 ⋅ SecureData ⋅ Wicus Ross
@online{ross:20181212:trickbot:7a0e2a6,
author = {Wicus Ross},
title = {{The TrickBot and MikroTik connection}},
date = {2018-12-12},
organization = {SecureData},
url = {https://www.infosecurity-magazine.com/blogs/trickbot-mikrotik-connection/},
language = {English},
urldate = {2020-05-18}
}
The TrickBot and MikroTik connection
TrickBot |
2018-12-05 ⋅ VIPRE ⋅ VIPRE Labs
@online{labs:20181205:trickbots:b45d588,
author = {VIPRE Labs},
title = {{Trickbot’s Tricks}},
date = {2018-12-05},
organization = {VIPRE},
url = {https://labs.vipre.com/trickbots-tricks/},
language = {English},
urldate = {2020-01-09}
}
Trickbot’s Tricks
TrickBot |
2018-11-12 ⋅ Malwarebytes ⋅ hasherezade
@online{hasherezade:20181112:whats:e44d5f3,
author = {hasherezade},
title = {{What’s new in TrickBot? Deobfuscating elements}},
date = {2018-11-12},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-analysis/malware-threat-analysis/2018/11/whats-new-trickbot-deobfuscating-elements/},
language = {English},
urldate = {2019-12-20}
}
What’s new in TrickBot? Deobfuscating elements
TrickBot |
2018-11-08 ⋅ Fortinet ⋅ Xiaopeng Zhang
@online{zhang:20181108:deep:fca360c,
author = {Xiaopeng Zhang},
title = {{Deep Analysis of TrickBot New Module pwgrab}},
date = {2018-11-08},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/deep-analysis-of-trickbot-new-module-pwgrab.html},
language = {English},
urldate = {2019-11-17}
}
Deep Analysis of TrickBot New Module pwgrab
TrickBot |
2018-11-01 ⋅ Trend Micro ⋅ Noel Anthony Llimos, Carl Maverick Pascual
@online{llimos:20181101:trickbot:7d0ea94,
author = {Noel Anthony Llimos and Carl Maverick Pascual},
title = {{Trickbot Shows Off New Trick: Password Grabber Module}},
date = {2018-11-01},
organization = {Trend Micro},
url = {https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module},
language = {English},
urldate = {2020-01-06}
}
Trickbot Shows Off New Trick: Password Grabber Module
TrickBot |
2018-08-20 ⋅ Check Point ⋅ Itay Cohen, Ben Herzog
@online{cohen:20180820:ryuk:5756495,
author = {Itay Cohen and Ben Herzog},
title = {{Ryuk Ransomware: A Targeted Campaign Break-Down}},
date = {2018-08-20},
organization = {Check Point},
url = {https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/},
language = {English},
urldate = {2019-12-10}
}
Ryuk Ransomware: A Targeted Campaign Break-Down
Ryuk |
2018-08-14 ⋅ Cyberbit ⋅ Hod Gavriel
@online{gavriel:20180814:latest:7df6364,
author = {Hod Gavriel},
title = {{Latest Trickbot Variant has New Tricks Up Its Sleeve}},
date = {2018-08-14},
organization = {Cyberbit},
url = {https://www.cyberbit.com/latest-trickbot-variant-has-new-tricks-up-its-sleeve/},
language = {English},
urldate = {2020-08-21}
}
Latest Trickbot Variant has New Tricks Up Its Sleeve
TrickBot |
2018-07-03 ⋅ Talos Intelligence ⋅ Ben Baker, Holger Unterbrink
@online{baker:20180703:smoking:067be1f,
author = {Ben Baker and Holger Unterbrink},
title = {{Smoking Guns - Smoke Loader learned new tricks}},
date = {2018-07-03},
organization = {Talos Intelligence},
url = {https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html},
language = {English},
urldate = {2019-10-14}
}
Smoking Guns - Smoke Loader learned new tricks
SmokeLoader TrickBot |
2018-06-20 ⋅ OALabs
@online{oalabs:20180620:unpacking:e4d59a4,
author = {OALabs},
title = {{Unpacking and Extracting TrickBot Malware Configuration With x64dbg and Python}},
date = {2018-06-20},
url = {https://www.youtube.com/watch?v=EdchPEHnohw},
language = {English},
urldate = {2019-12-24}
}
Unpacking and Extracting TrickBot Malware Configuration With x64dbg and Python
TrickBot |
2018-06-13 ⋅ Github (JR0driguezB) ⋅ Jorge Rodriguez
@online{rodriguez:20180613:trickbot:e004ae8,
author = {Jorge Rodriguez},
title = {{TrickBot config files}},
date = {2018-06-13},
organization = {Github (JR0driguezB)},
url = {https://github.com/JR0driguezB/malware_configs/tree/master/TrickBot},
language = {English},
urldate = {2019-07-11}
}
TrickBot config files
TrickBot |
2018-04-16 ⋅ Random RE ⋅ sysopfb
@online{sysopfb:20180416:trickbot:5305f46,
author = {sysopfb},
title = {{TrickBot & UACME}},
date = {2018-04-16},
organization = {Random RE},
url = {https://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html},
language = {English},
urldate = {2020-01-09}
}
TrickBot & UACME
TrickBot |
2018-04-03 ⋅ Vitali Kremez Blog ⋅ Vitali Kremez
@online{kremez:20180403:lets:b45dd50,
author = {Vitali Kremez},
title = {{Let's Learn: Trickbot Implements Network Collector Module Leveraging CMD, WMI & LDAP}},
date = {2018-04-03},
organization = {Vitali Kremez Blog},
url = {http://www.vkremez.com/2018/04/lets-learn-trickbot-implements-network.html},
language = {English},
urldate = {2019-07-27}
}
Let's Learn: Trickbot Implements Network Collector Module Leveraging CMD, WMI & LDAP
TrickBot |
2018-03-31 ⋅ Youtube (hasherezade) ⋅ hasherezade
@online{hasherezade:20180331:deobfuscating:39c1be0,
author = {hasherezade},
title = {{Deobfuscating TrickBot's strings with libPeConv}},
date = {2018-03-31},
organization = {Youtube (hasherezade)},
url = {https://www.youtube.com/watch?v=KMcSAlS9zGE},
language = {English},
urldate = {2020-01-13}
}
Deobfuscating TrickBot's strings with libPeConv
TrickBot |
2018-03-27 ⋅ Trend Micro ⋅ Trendmicro
@online{trendmicro:20180327:evolving:faa2e54,
author = {Trendmicro},
title = {{Evolving Trickbot Adds Detection Evasion and Screen-Locking Features}},
date = {2018-03-27},
organization = {Trend Micro},
url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/evolving-trickbot-adds-detection-evasion-and-screen-locking-features},
language = {English},
urldate = {2020-01-07}
}
Evolving Trickbot Adds Detection Evasion and Screen-Locking Features
TrickBot |
2018-03-21 ⋅ Webroot ⋅ Jason Davison
@online{davison:20180321:trickbot:1f0576e,
author = {Jason Davison},
title = {{TrickBot Banking Trojan Adapts with New Module}},
date = {2018-03-21},
organization = {Webroot},
url = {https://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/},
language = {English},
urldate = {2020-01-13}
}
TrickBot Banking Trojan Adapts with New Module
TrickBot |
2018-02-15 ⋅ SecurityIntelligence ⋅ Ophir Harpaz, Magal Baz, Limor Kessem
@online{harpaz:20180215:trickbots:2cf1b53,
author = {Ophir Harpaz and Magal Baz and Limor Kessem},
title = {{TrickBot’s Cryptocurrency Hunger: Tricking the Bitcoin Out of Wallets}},
date = {2018-02-15},
organization = {SecurityIntelligence},
url = {https://securityintelligence.com/trickbots-cryptocurrency-hunger-tricking-the-bitcoin-out-of-wallets/},
language = {English},
urldate = {2020-01-06}
}
TrickBot’s Cryptocurrency Hunger: Tricking the Bitcoin Out of Wallets
TrickBot |
2018-02-01 ⋅ Malware Traffic Analysis ⋅ Brad Duncan
@online{duncan:20180201:quick:320f855,
author = {Brad Duncan},
title = {{Quick Test Drive of Trickbot (It now has a Monero Module)}},
date = {2018-02-01},
organization = {Malware Traffic Analysis},
url = {http://www.malware-traffic-analysis.net/2018/02/01/},
language = {English},
urldate = {2019-07-09}
}
Quick Test Drive of Trickbot (It now has a Monero Module)
TrickBot |
2017-12-30 ⋅ Youtube (hasherezade) ⋅ hasherezade
@online{hasherezade:20171230:unpacking:5477bb2,
author = {hasherezade},
title = {{Unpacking TrickBot with PE-sieve}},
date = {2017-12-30},
organization = {Youtube (hasherezade)},
url = {https://www.youtube.com/watch?v=lTywPmZEU1A},
language = {English},
urldate = {2020-01-06}
}
Unpacking TrickBot with PE-sieve
TrickBot |
2017-12-19 ⋅ Vitali Kremez Blog ⋅ Vitali Kremez
@online{kremez:20171219:lets:030e09a,
author = {Vitali Kremez},
title = {{Let's Learn: Introducing New Trickbot LDAP "DomainGrabber" Module}},
date = {2017-12-19},
organization = {Vitali Kremez Blog},
url = {http://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html},
language = {English},
urldate = {2019-11-23}
}
Let's Learn: Introducing New Trickbot LDAP "DomainGrabber" Module
TrickBot |
2017-11-22 ⋅ Flashpoint ⋅ Vitali Kremez
@online{kremez:20171122:trickbot:faea11e,
author = {Vitali Kremez},
title = {{Trickbot Gang Evolves, Incorporates Account Checking Into Hybrid Attack Model}},
date = {2017-11-22},
organization = {Flashpoint},
url = {https://www.flashpoint-intel.com/blog/trickbot-account-checking-hybrid-attack-model/},
language = {English},
urldate = {2019-12-10}
}
Trickbot Gang Evolves, Incorporates Account Checking Into Hybrid Attack Model
TrickBot |
2017-11-21 ⋅ Vitali Kremez
@online{kremez:20171121:lets:5fb17b0,
author = {Vitali Kremez},
title = {{Let's Learn: Trickbot Socks5 Backconnect Module In Detail}},
date = {2017-11-21},
url = {http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html},
language = {English},
urldate = {2019-11-22}
}
Let's Learn: Trickbot Socks5 Backconnect Module In Detail
TrickBot |
2017-10-06 ⋅ Blueliv ⋅ Blueliv
@online{blueliv:20171006:trickbot:a2a9ac8,
author = {Blueliv},
title = {{TrickBot banking trojan using EFLAGS as an anti-hook technique}},
date = {2017-10-06},
organization = {Blueliv},
url = {https://www.blueliv.com/research/trickbot-banking-trojan-using-eflags-as-an-anti-hook-technique/},
language = {English},
urldate = {2020-01-08}
}
TrickBot banking trojan using EFLAGS as an anti-hook technique
TrickBot |
2017-08-01 ⋅ Malwarebytes ⋅ Malwarebytes Labs
@online{labs:20170801:trickbot:222d8bc,
author = {Malwarebytes Labs},
title = {{TrickBot comes up with new tricks: attacking Outlook and browsing data}},
date = {2017-08-01},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/},
language = {English},
urldate = {2019-12-20}
}
TrickBot comes up with new tricks: attacking Outlook and browsing data
TrickBot |
2017-07-27 ⋅ Flashpoint ⋅ Flashpoint
@online{flashpoint:20170727:new:bb5c883,
author = {Flashpoint},
title = {{New Version of “Trickbot” Adds Worm Propagation Module}},
date = {2017-07-27},
organization = {Flashpoint},
url = {https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/},
language = {English},
urldate = {2020-01-13}
}
New Version of “Trickbot” Adds Worm Propagation Module
TrickBot |
2017-07 ⋅ Ring Zero Labs ⋅ Ring Zero Labs
@online{labs:201707:trickbot:e738eaf,
author = {Ring Zero Labs},
title = {{TrickBot Banking Trojan - DOC00039217.doc}},
date = {2017-07},
organization = {Ring Zero Labs},
url = {https://www.ringzerolabs.com/2017/07/trickbot-banking-trojan-doc00039217doc.html},
language = {English},
urldate = {2020-01-10}
}
TrickBot Banking Trojan - DOC00039217.doc
TrickBot |
2017-06-15 ⋅ F5 ⋅ Sara Boddy, Jesse Smith, Doron Voolf
@online{boddy:20170615:trickbot:6eb1db4,
author = {Sara Boddy and Jesse Smith and Doron Voolf},
title = {{Trickbot Expands Global Targets Beyond Banks and Payment Processors to CRMs}},
date = {2017-06-15},
organization = {F5},
url = {https://f5.com/labs/articles/threat-intelligence/malware/trickbot-expands-global-targets-beyond-banks-and-payment-processors-to-crms},
language = {English},
urldate = {2019-12-24}
}
Trickbot Expands Global Targets Beyond Banks and Payment Processors to CRMs
TrickBot |
2017-06-12 ⋅ Security Art Work ⋅ Marc Salinas, JoséMiguel Holguín
@techreport{salinas:20170612:evolucin:9930231,
author = {Marc Salinas and JoséMiguel Holguín},
title = {{Evolución de Trickbot}},
date = {2017-06-12},
institution = {Security Art Work},
url = {https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf},
language = {Spanish},
urldate = {2020-01-10}
}
Evolución de Trickbot
TrickBot |
2017-05-26 ⋅ PWC ⋅ Bart Parys
@online{parys:20170526:trickbots:c1b84e1,
author = {Bart Parys},
title = {{TrickBot’s bag of tricks}},
date = {2017-05-26},
organization = {PWC},
url = {http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html},
language = {English},
urldate = {2020-06-18}
}
TrickBot’s bag of tricks
TrickBot |
2017-05-15 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
@online{researchteam:20170515:evolution:d0e74ea,
author = {Counter Threat Unit ResearchTeam},
title = {{Evolution of the GOLD EVERGREEN Threat Group}},
date = {2017-05-15},
organization = {Secureworks},
url = {https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group},
language = {English},
urldate = {2021-05-28}
}
Evolution of the GOLD EVERGREEN Threat Group
CryptoLocker Dridex Dyre Gameover P2P Murofet TrickBot Zeus GOLD EVERGREEN |
2017-05-04 ⋅ Forbes ⋅ Thomas Brewster
@online{brewster:20170504:behind:4da1ded,
author = {Thomas Brewster},
title = {{Behind The Mystery Of Russia's 'Dyre' Hackers Who Stole Millions From American Business}},
date = {2017-05-04},
organization = {Forbes},
url = {https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates},
language = {English},
urldate = {2020-01-09}
}
Behind The Mystery Of Russia's 'Dyre' Hackers Who Stole Millions From American Business
Dyre |
2017-03-01 ⋅ FraudWatch International ⋅ FraudWatch International
@online{international:20170301:how:fb75ef9,
author = {FraudWatch International},
title = {{How Does the Trickbot Malware Work?}},
date = {2017-03-01},
organization = {FraudWatch International},
url = {https://blog.fraudwatchinternational.com/malware/trickbot-malware-works},
language = {English},
urldate = {2020-01-08}
}
How Does the Trickbot Malware Work?
TrickBot |
2016-12-07 ⋅ Botconf ⋅ Joshua Adams
@techreport{adams:20161207:trickbot:fc3427c,
author = {Joshua Adams},
title = {{The TrickBot Evolution}},
date = {2016-12-07},
institution = {Botconf},
url = {https://www.botconf.eu/wp-content/uploads/2016/11/2016-LT09-TrickBot-Adams.pdf},
language = {English},
urldate = {2020-01-09}
}
The TrickBot Evolution
TrickBot |
2016-12-06 ⋅ Fortinet ⋅ Xiaopeng Zhang
@online{zhang:20161206:deep:1f1521f,
author = {Xiaopeng Zhang},
title = {{Deep Analysis of the Online Banking Botnet TrickBot}},
date = {2016-12-06},
organization = {Fortinet},
url = {http://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot},
language = {English},
urldate = {2020-01-08}
}
Deep Analysis of the Online Banking Botnet TrickBot
TrickBot |
2016-11-09 ⋅ Lior Keshet
@online{keshet:20161109:tricks:c3ab510,
author = {Lior Keshet},
title = {{Tricks of the Trade: A Deeper Look Into TrickBot’s Machinations}},
date = {2016-11-09},
url = {https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/},
language = {English},
urldate = {2019-10-17}
}
Tricks of the Trade: A Deeper Look Into TrickBot’s Machinations
TrickBot |
2016-11-07 ⋅ F5 Labs ⋅ Julia Karpin, Shaul Vilkomir-Preisman, Anna Dorfman
@online{karpin:20161107:little:598f939,
author = {Julia Karpin and Shaul Vilkomir-Preisman and Anna Dorfman},
title = {{Little Trickbot Growing Up: New Campaign}},
date = {2016-11-07},
organization = {F5 Labs},
url = {https://f5.com/labs/articles/threat-intelligence/malware/little-trickbot-growing-up-new-campaign-24412},
language = {English},
urldate = {2020-01-06}
}
Little Trickbot Growing Up: New Campaign
TrickBot |
2016-10-25 ⋅ NetScout ⋅ ASERT Team
@online{team:20161025:trickbot:dd465d9,
author = {ASERT Team},
title = {{TrickBot Banker Insights}},
date = {2016-10-25},
organization = {NetScout},
url = {https://www.arbornetworks.com/blog/asert/trickbot-banker-insights/},
language = {English},
urldate = {2019-07-11}
}
TrickBot Banker Insights
TrickBot |
2016-10-24 ⋅ Malwarebytes ⋅ Malwarebytes Labs
@online{labs:20161024:introducing:e59ac27,
author = {Malwarebytes Labs},
title = {{Introducing TrickBot, Dyreza’s successor}},
date = {2016-10-24},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/},
language = {English},
urldate = {2019-12-20}
}
Introducing TrickBot, Dyreza’s successor
TrickBot |
2016-10-15 ⋅ Fidelis Cybersecurity ⋅ Threat Research Team
@online{team:20161015:trickbot:cc9f48f,
author = {Threat Research Team},
title = {{TrickBot: We Missed you, Dyre}},
date = {2016-10-15},
organization = {Fidelis Cybersecurity},
url = {https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre},
language = {English},
urldate = {2019-11-28}
}
TrickBot: We Missed you, Dyre
TrickBot |
2015-11-04 ⋅ Malwarebytes ⋅ hasherezade
@online{hasherezade:20151104:technical:abd2b27,
author = {hasherezade},
title = {{A Technical Look At Dyreza}},
date = {2015-11-04},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/},
language = {English},
urldate = {2019-12-20}
}
A Technical Look At Dyreza
Dyre |
2015-10-26 ⋅ Blueliv ⋅ Blueliv
@techreport{blueliv:20151026:chasing:975ef1a,
author = {Blueliv},
title = {{Chasing cybercrime: network insights of Dyre and Dridex Trojan bankers}},
date = {2015-10-26},
institution = {Blueliv},
url = {https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf},
language = {English},
urldate = {2020-01-13}
}
Chasing cybercrime: network insights of Dyre and Dridex Trojan bankers
Dridex Dyre |
2015-07-07 ⋅ FireEye ⋅ Sudeep Singh, Yu Wang
@online{singh:20150707:dyre:07242f2,
author = {Sudeep Singh and Yu Wang},
title = {{Dyre Banking Trojan Exploits CVE-2015-0057}},
date = {2015-07-07},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2015/07/dyre_banking_trojan.html},
language = {English},
urldate = {2020-06-08}
}
Dyre Banking Trojan Exploits CVE-2015-0057
Dyre |
2014-12-17 ⋅ Secureworks ⋅ Brett Stone-Gross, Pallav Khandhar
@online{stonegross:20141217:dyre:8486e19,
author = {Brett Stone-Gross and Pallav Khandhar},
title = {{Dyre Banking Trojan}},
date = {2014-12-17},
organization = {Secureworks},
url = {https://www.secureworks.com/research/dyre-banking-trojan},
language = {English},
urldate = {2021-05-28}
}
Dyre Banking Trojan
Dyre Vawtrak WIZARD SPIDER |