Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.
The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
2022-01-24 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20220124:cobalt:b0b48ee,
author = {The DFIR Report},
title = {{Cobalt Strike, a Defender’s Guide – Part 2}},
date = {2022-01-24},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2022/01/24/cobalt-strike-a-defenders-guide-part-2/},
language = {English},
urldate = {2022-01-25}
}
Cobalt Strike, a Defender’s Guide – Part 2
Cobalt Strike |
2022-01-20 ⋅ Morphisec ⋅ Michael Gorelik
@online{gorelik:20220120:log4j:99fd2e0,
author = {Michael Gorelik},
title = {{Log4j Exploit Hits Again: Vulnerable VMWare Horizon Servers at Risk}},
date = {2022-01-20},
organization = {Morphisec},
url = {https://blog.morphisec.com/log4j-exploit-hits-again-vulnerable-vmware-horizon-servers-at-risk},
language = {English},
urldate = {2022-01-25}
}
Log4j Exploit Hits Again: Vulnerable VMWare Horizon Servers at Risk
Cobalt Strike |
2022-01-19 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team
@online{team:20220119:kraken:5b52d17,
author = {The BlackBerry Research & Intelligence Team},
title = {{Kraken the Code on Prometheus}},
date = {2022-01-19},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus},
language = {English},
urldate = {2022-01-24}
}
Kraken the Code on Prometheus
BlackMatter Cerber Cobalt Strike DCRat Ficker Stealer QakBot REvil Ryuk |
2022-01-19 ⋅ Sophos ⋅ Colin Cowie, Mat Gangwer, Stan Andic, Sophos MTR Team
@online{cowie:20220119:zloader:e87c22c,
author = {Colin Cowie and Mat Gangwer and Stan Andic and Sophos MTR Team},
title = {{Zloader Installs Remote Access Backdoors and Delivers Cobalt Strike}},
date = {2022-01-19},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/},
language = {English},
urldate = {2022-01-25}
}
Zloader Installs Remote Access Backdoors and Delivers Cobalt Strike
Cobalt Strike Zloader |
2022-01-19 ⋅ Elastic ⋅ Derek Ditch, Daniel Stepanic, Andrew Pease, Seth Goodwin
@online{ditch:20220119:collecting:696e5d0,
author = {Derek Ditch and Daniel Stepanic and Andrew Pease and Seth Goodwin},
title = {{Collecting Cobalt Strike Beacons with the Elastic Stack}},
date = {2022-01-19},
organization = {Elastic},
url = {https://elastic.github.io/security-research/intelligence/2022/01/02.collecting-cobalt-strike-beacons/article/},
language = {English},
urldate = {2022-01-25}
}
Collecting Cobalt Strike Beacons with the Elastic Stack
Cobalt Strike |
2022-01-19 ⋅ Elastic ⋅ Derek Ditch, Daniel Stepanic, Andrew Pease, Seth Goodwin
@online{ditch:20220119:extracting:39bd5e5,
author = {Derek Ditch and Daniel Stepanic and Andrew Pease and Seth Goodwin},
title = {{Extracting Cobalt Strike Beacon Configurations}},
date = {2022-01-19},
organization = {Elastic},
url = {https://elastic.github.io/security-research/intelligence/2022/01/03.extracting-cobalt-strike-beacon/article/},
language = {English},
urldate = {2022-01-25}
}
Extracting Cobalt Strike Beacon Configurations
Cobalt Strike |
2022-01-18 ⋅ Recorded Future ⋅ Insikt Group®
@techreport{group:20220118:2021:9cff6fc,
author = {Insikt Group®},
title = {{2021 Adversary Infrastructure Report}},
date = {2022-01-18},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf},
language = {English},
urldate = {2022-01-24}
}
2021 Adversary Infrastructure Report
BazarBackdoor Cobalt Strike Dridex IcedID QakBot TrickBot |
2022-01-16 ⋅ forensicitguy ⋅ Tony Lambert
@online{lambert:20220116:analyzing:2c8a9db,
author = {Tony Lambert},
title = {{Analyzing a CACTUSTORCH HTA Leading to Cobalt Strike}},
date = {2022-01-16},
organization = {forensicitguy},
url = {https://forensicitguy.github.io/analyzing-cactustorch-hta-cobaltstrike/},
language = {English},
urldate = {2022-01-25}
}
Analyzing a CACTUSTORCH HTA Leading to Cobalt Strike
CACTUSTORCH Cobalt Strike |
2022-01-11 ⋅ Cybereason ⋅ Omri Refaeli, Chen Erlich, Ofir Ozer, Niv Yona, Daichi Shimabukuro
@online{refaeli:20220111:threat:fd22089,
author = {Omri Refaeli and Chen Erlich and Ofir Ozer and Niv Yona and Daichi Shimabukuro},
title = {{Threat Analysis Report: DatopLoader Exploits ProxyShell to Deliver QBOT and Cobalt Strike}},
date = {2022-01-11},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike},
language = {English},
urldate = {2022-01-18}
}
Threat Analysis Report: DatopLoader Exploits ProxyShell to Deliver QBOT and Cobalt Strike
Cobalt Strike QakBot Squirrelwaffle |
2022-01-11 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt
@online{reaves:20220111:signed:0f32583,
author = {Jason Reaves and Joshua Platt},
title = {{Signed DLL campaigns as a service}},
date = {2022-01-11},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489},
language = {English},
urldate = {2022-01-25}
}
Signed DLL campaigns as a service
Cobalt Strike ISFB Zloader |
2022-01-11 ⋅ Twitter (@cglyer) ⋅ Christopher Glyer
@online{glyer:20220111:thread:ae5ec3d,
author = {Christopher Glyer},
title = {{Thread on DEV-0401, a china based ransomware operator exploiting VMware Horizon with log4shell and deploying NightSky ransomware}},
date = {2022-01-11},
organization = {Twitter (@cglyer)},
url = {https://twitter.com/cglyer/status/1480742363991580674},
language = {English},
urldate = {2022-01-25}
}
Thread on DEV-0401, a china based ransomware operator exploiting VMware Horizon with log4shell and deploying NightSky ransomware
Cobalt Strike NightSky |
2022-01-09 ⋅ forensicitguy ⋅ Tony Lambert
@online{lambert:20220109:inspecting:4681f0a,
author = {Tony Lambert},
title = {{Inspecting a PowerShell Cobalt Strike Beacon}},
date = {2022-01-09},
organization = {forensicitguy},
url = {https://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon/},
language = {English},
urldate = {2022-01-25}
}
Inspecting a PowerShell Cobalt Strike Beacon
Cobalt Strike |
2022-01-06 ⋅ Sekoia ⋅ sekoia
@online{sekoia:20220106:nobeliums:de631e8,
author = {sekoia},
title = {{NOBELIUM’s EnvyScout infection chain goes in the registry, targeting embassies}},
date = {2022-01-06},
organization = {Sekoia},
url = {https://www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/},
language = {English},
urldate = {2022-01-10}
}
NOBELIUM’s EnvyScout infection chain goes in the registry, targeting embassies
Cobalt Strike EnvyScout |
2021-12-29 ⋅ Blake's R&D ⋅ Blake
@online{blake:20211229:cobalt:b8c08bb,
author = {Blake},
title = {{Cobalt Strike DFIR: Listening to the Pipes}},
date = {2021-12-29},
organization = {Blake's R&D},
url = {https://bmcder.com/blog/cobalt-strike-dfir-listening-to-the-pipes},
language = {English},
urldate = {2021-12-31}
}
Cobalt Strike DFIR: Listening to the Pipes
Cobalt Strike |
2021-12-29 ⋅ CrowdStrike ⋅ Benjamin Wiley, Falcon OverWatch Team
@online{wiley:20211229:overwatch:35d7dee,
author = {Benjamin Wiley and Falcon OverWatch Team},
title = {{OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt}},
date = {2021-12-29},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/},
language = {English},
urldate = {2021-12-31}
}
OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt
Cobalt Strike AQUATIC PANDA |
2021-12-28 ⋅ Morphus Labs ⋅ Renato Marinho
@online{marinho:20211228:attackers:48320eb,
author = {Renato Marinho},
title = {{Attackers are abusing MSBuild to evade defenses and implant Cobalt Strike beacons}},
date = {2021-12-28},
organization = {Morphus Labs},
url = {https://morphuslabs.com/attackers-are-abusing-msbuild-to-evade-defenses-and-implant-cobalt-strike-beacons-edac4ab84f42},
language = {English},
urldate = {2021-12-31}
}
Attackers are abusing MSBuild to evade defenses and implant Cobalt Strike beacons
Cobalt Strike |
2021-12-22 ⋅ Telsy ⋅ Telsy Research Team
@online{team:20211222:phishing:ffa707a,
author = {Telsy Research Team},
title = {{Phishing Campaign targeting citizens abroad using COVID-19 theme lures}},
date = {2021-12-22},
organization = {Telsy},
url = {https://www.telsy.com/download/5972/?uid=d7c082ba55},
language = {English},
urldate = {2022-01-25}
}
Phishing Campaign targeting citizens abroad using COVID-19 theme lures
Cobalt Strike |
2021-12-16 ⋅ Red Canary ⋅ The Red Canary Team
@online{team:20211216:intelligence:f7bad55,
author = {The Red Canary Team},
title = {{Intelligence Insights: December 2021}},
date = {2021-12-16},
organization = {Red Canary},
url = {https://redcanary.com/blog/intelligence-insights-december-2021},
language = {English},
urldate = {2021-12-31}
}
Intelligence Insights: December 2021
Cobalt Strike QakBot Squirrelwaffle |
2021-12-10 ⋅ Accenture ⋅ Accenture
@online{accenture:20211210:karakurt:5bb6d9c,
author = {Accenture},
title = {{Karakurt rises from its lair}},
date = {2021-12-10},
organization = {Accenture},
url = {https://www.accenture.com/us-en/blogs/cyber-defense/karakurt-threat-mitigation},
language = {English},
urldate = {2021-12-15}
}
Karakurt rises from its lair
Cobalt Strike |
2021-12-07 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20211207:emotet:f33c999,
author = {Lawrence Abrams},
title = {{Emotet now drops Cobalt Strike, fast forwards ransomware attacks}},
date = {2021-12-07},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/emotet-now-drops-cobalt-strike-fast-forwards-ransomware-attacks/},
language = {English},
urldate = {2021-12-08}
}
Emotet now drops Cobalt Strike, fast forwards ransomware attacks
Cobalt Strike Emotet |
2021-12-06 ⋅ Mandiant ⋅ Luke Jenkins, Sarah Hawley, Parnian Najafi, Doug Bienstock, Luis Rocha, Marius Fodoreanu, Mitchell Clarke, Manfred Erjak, Josh Madeley, Ashraf Abdalhalim, Juraj Sucik, Wojciech Ledzion, Gabriella Roncone, Jonathan Leathery, Ben Read, Microsoft Threat Intelligence Center (MSTIC), Microsoft Detection and Response Team (DART)
@online{jenkins:20211206:suspected:d9da4ec,
author = {Luke Jenkins and Sarah Hawley and Parnian Najafi and Doug Bienstock and Luis Rocha and Marius Fodoreanu and Mitchell Clarke and Manfred Erjak and Josh Madeley and Ashraf Abdalhalim and Juraj Sucik and Wojciech Ledzion and Gabriella Roncone and Jonathan Leathery and Ben Read and Microsoft Threat Intelligence Center (MSTIC) and Microsoft Detection and Response Team (DART)},
title = {{Suspected Russian Activity Targeting Government and Business Entities Around the Globe (UNC2452)}},
date = {2021-12-06},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/russian-targeting-gov-business},
language = {English},
urldate = {2021-12-07}
}
Suspected Russian Activity Targeting Government and Business Entities Around the Globe (UNC2452)
Cobalt Strike CryptBot |
2021-12-06 ⋅ CERT-FR ⋅ CERT-FR
@online{certfr:20211206:phishing:c58da54,
author = {CERT-FR},
title = {{Phishing campaigns by the Nobelium intrusion set}},
date = {2021-12-06},
organization = {CERT-FR},
url = {https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-011/},
language = {English},
urldate = {2021-12-07}
}
Phishing campaigns by the Nobelium intrusion set
Cobalt Strike |
2021-12-02 ⋅ CERT-FR ⋅ CERT-FR
@techreport{certfr:20211202:phishing:c22ef4f,
author = {CERT-FR},
title = {{Phishing Campaigns by the Nobelium Intrusion Set}},
date = {2021-12-02},
institution = {CERT-FR},
url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf},
language = {English},
urldate = {2021-12-07}
}
Phishing Campaigns by the Nobelium Intrusion Set
Cobalt Strike |
2021-11-30 ⋅ Broadcom ⋅ Symantec Threat Hunter Team
@online{team:20211130:yanluowang:538b90c,
author = {Symantec Threat Hunter Team},
title = {{Yanluowang: Further Insights on New Ransomware Threat}},
date = {2021-11-30},
organization = {Broadcom},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue},
language = {English},
urldate = {2021-11-30}
}
Yanluowang: Further Insights on New Ransomware Threat
BazarBackdoor Cobalt Strike FiveHands |
2021-11-29 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20211129:continuing:646e622,
author = {The DFIR Report},
title = {{CONTInuing the Bazar Ransomware Story}},
date = {2021-11-29},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/},
language = {English},
urldate = {2021-12-07}
}
CONTInuing the Bazar Ransomware Story
BazarBackdoor Cobalt Strike Conti |
2021-11-29 ⋅ Mandiant ⋅ Tyler McLellan, Brandan Schondorfer
@online{mclellan:20211129:kittengif:efb8036,
author = {Tyler McLellan and Brandan Schondorfer},
title = {{Kitten.gif: Meet the Sabbath Ransomware Affiliate Program, Again}},
date = {2021-11-29},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/sabbath-ransomware-affiliate},
language = {English},
urldate = {2021-11-30}
}
Kitten.gif: Meet the Sabbath Ransomware Affiliate Program, Again
Cobalt Strike |
2021-11-19 ⋅ Trend Micro ⋅ Mohamed Fahmy, Sherif Magdy, Abdelrhman Sharshar
@online{fahmy:20211119:squirrelwaffle:1e8fa78,
author = {Mohamed Fahmy and Sherif Magdy and Abdelrhman Sharshar},
title = {{Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains}},
date = {2021-11-19},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html},
language = {English},
urldate = {2021-11-25}
}
Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains
Cobalt Strike QakBot Squirrelwaffle |
2021-11-17 ⋅ Trend Micro ⋅ Mohamed Fahmy, Abdelrhman Sharshar, Sherif Magdy, Ryan Maglaque
@online{fahmy:20211117:analyzing:c6c52d1,
author = {Mohamed Fahmy and Abdelrhman Sharshar and Sherif Magdy and Ryan Maglaque},
title = {{Analyzing ProxyShell-related Incidents via Trend Micro Managed XDR}},
date = {2021-11-17},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_in/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html},
language = {English},
urldate = {2021-11-18}
}
Analyzing ProxyShell-related Incidents via Trend Micro Managed XDR
Cobalt Strike Cotx RAT |
2021-11-17 ⋅ nviso ⋅ Didier Stevens
@online{stevens:20211117:cobalt:0b6ecf5,
author = {Didier Stevens},
title = {{Cobalt Strike: Decrypting Obfuscated Traffic – Part 4}},
date = {2021-11-17},
organization = {nviso},
url = {https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffic-part-4/},
language = {English},
urldate = {2021-11-18}
}
Cobalt Strike: Decrypting Obfuscated Traffic – Part 4
Cobalt Strike |
2021-11-17 ⋅ Twitter (@Unit42_Intel) ⋅ Unit 42
@online{42:20211117:matanbuchus:9e3556c,
author = {Unit 42},
title = {{Tweet on Matanbuchus Loader used to deliver Qakbot (tag obama128b) and follow-up CobaltStrike}},
date = {2021-11-17},
organization = {Twitter (@Unit42_Intel)},
url = {https://twitter.com/Unit42_Intel/status/1461004489234829320},
language = {English},
urldate = {2021-11-25}
}
Tweet on Matanbuchus Loader used to deliver Qakbot (tag obama128b) and follow-up CobaltStrike
Cobalt Strike QakBot |
2021-11-16 ⋅ Blackberry ⋅ T.J. O'Leary, Tom Bonner, Marta Janus, Dean Given, Eoin Wickens, Jim Simpson
@techreport{oleary:20211116:finding:e8594dd,
author = {T.J. O'Leary and Tom Bonner and Marta Janus and Dean Given and Eoin Wickens and Jim Simpson},
title = {{Finding Beacons in the dark}},
date = {2021-11-16},
institution = {Blackberry},
url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/bb-ebook-finding-beacons-in-the-dark.pdf},
language = {English},
urldate = {2021-11-18}
}
Finding Beacons in the dark
Cobalt Strike |
2021-11-16 ⋅ Cisco ⋅ Chetan Raghuprasad, Vanja Svajcer, Asheer Malhotra
@online{raghuprasad:20211116:attackers:c31ad77,
author = {Chetan Raghuprasad and Vanja Svajcer and Asheer Malhotra},
title = {{Attackers use domain fronting technique to target Myanmar with Cobalt Strike}},
date = {2021-11-16},
organization = {Cisco},
url = {https://blog.talosintelligence.com/2021/11/attackers-use-domain-fronting-technique.html},
language = {English},
urldate = {2021-11-17}
}
Attackers use domain fronting technique to target Myanmar with Cobalt Strike
Cobalt Strike |
2021-11-16 ⋅ IronNet ⋅ IronNet Threat Research, Morgan Demboski, Joey Fitzpatrick, Peter Rydzynski
@online{research:20211116:how:d7fdaf8,
author = {IronNet Threat Research and Morgan Demboski and Joey Fitzpatrick and Peter Rydzynski},
title = {{How IronNet's Behavioral Analytics Detect REvil and Conti Ransomware}},
date = {2021-11-16},
organization = {IronNet},
url = {https://www.ironnet.com/blog/ransomware-graphic-blog},
language = {English},
urldate = {2021-11-25}
}
How IronNet's Behavioral Analytics Detect REvil and Conti Ransomware
Cobalt Strike Conti IcedID REvil |
2021-11-15 ⋅ TRUESEC ⋅ Fabio Viggiani
@online{viggiani:20211115:proxyshell:bf17c6d,
author = {Fabio Viggiani},
title = {{ProxyShell, QBot, and Conti Ransomware Combined in a Series of Cyberattacks}},
date = {2021-11-15},
organization = {TRUESEC},
url = {https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks},
language = {English},
urldate = {2021-11-17}
}
ProxyShell, QBot, and Conti Ransomware Combined in a Series of Cyberattacks
Cobalt Strike Conti QakBot |
2021-11-13 ⋅ Just Still ⋅ Still Hsu
@online{hsu:20211113:threat:597b1a0,
author = {Still Hsu},
title = {{Threat Spotlight - Domain Fronting}},
date = {2021-11-13},
organization = {Just Still},
url = {https://stillu.cc/threat-spotlight/2021/11/13/domain-fronting-fastly/},
language = {English},
urldate = {2021-11-18}
}
Threat Spotlight - Domain Fronting
Cobalt Strike |
2021-11-12 ⋅ Malwarebytes ⋅ Hossein Jazi
@online{jazi:20211112:multistage:e70f6d0,
author = {Hossein Jazi},
title = {{A multi-stage PowerShell based attack targets Kazakhstan}},
date = {2021-11-12},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-intelligence/2021/11/a-multi-stage-powershell-based-attack-targets-kazakhstan/},
language = {English},
urldate = {2021-11-17}
}
A multi-stage PowerShell based attack targets Kazakhstan
Cobalt Strike |
2021-11-11 ⋅ Cynet ⋅ Max Malyutin
@online{malyutin:20211111:duck:897cc6f,
author = {Max Malyutin},
title = {{A Duck Nightmare Quakbot Strikes with QuakNightmare Exploitation}},
date = {2021-11-11},
organization = {Cynet},
url = {https://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation/},
language = {English},
urldate = {2021-11-25}
}
A Duck Nightmare Quakbot Strikes with QuakNightmare Exploitation
Cobalt Strike QakBot |
2021-11-10 ⋅ AT&T ⋅ Josh Gomez
@online{gomez:20211110:stories:4ce1168,
author = {Josh Gomez},
title = {{Stories from the SOC - Powershell, Proxyshell, Conti TTPs OH MY!}},
date = {2021-11-10},
organization = {AT&T},
url = {https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-powershell-proxyshell-conti-ttps-oh-my},
language = {English},
urldate = {2021-11-17}
}
Stories from the SOC - Powershell, Proxyshell, Conti TTPs OH MY!
Cobalt Strike Conti |
2021-11-10 ⋅ Sekoia ⋅ Cyber Threat Intelligence team
@online{team:20211110:walking:cc41f24,
author = {Cyber Threat Intelligence team},
title = {{Walking on APT31 infrastructure footprints}},
date = {2021-11-10},
organization = {Sekoia},
url = {https://www.sekoia.io/en/walking-on-apt31-infrastructure-footprints/},
language = {English},
urldate = {2021-11-11}
}
Walking on APT31 infrastructure footprints
Rekoobe Unidentified ELF 004 Cobalt Strike |
2021-11-09 ⋅ Cybereason ⋅ Cybereason Global SOC Team
@online{team:20211109:threat:9f898c9,
author = {Cybereason Global SOC Team},
title = {{THREAT ANALYSIS REPORT: From Shatak Emails to the Conti Ransomware}},
date = {2021-11-09},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/threat-analysis-report-from-shatak-emails-to-the-conti-ransomware},
language = {English},
urldate = {2021-11-25}
}
THREAT ANALYSIS REPORT: From Shatak Emails to the Conti Ransomware
Cobalt Strike Conti |
2021-11-05 ⋅ Twitter (@Unit42_Intel) ⋅ Unit 42
@online{42:20211105:ta551:98c564e,
author = {Unit 42},
title = {{Tweet on TA551 (Shathak) BazarLoader infection with CobaltStrike and DarkVNC drops}},
date = {2021-11-05},
organization = {Twitter (@Unit42_Intel)},
url = {https://twitter.com/Unit42_Intel/status/1458113934024757256},
language = {English},
urldate = {2021-11-17}
}
Tweet on TA551 (Shathak) BazarLoader infection with CobaltStrike and DarkVNC drops
BazarBackdoor Cobalt Strike |
2021-11-05 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team
@online{team:20211105:hunter:3c7bab9,
author = {The BlackBerry Research & Intelligence Team},
title = {{Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware}},
date = {2021-11-05},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2021/11/zebra2104},
language = {English},
urldate = {2021-11-08}
}
Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware
Cobalt Strike DoppelDridex Mount Locker Phobos StrongPity |
2021-11-03 ⋅ nviso ⋅ Didier Stevens
@online{stevens:20211103:cobalt:8f8223d,
author = {Didier Stevens},
title = {{Cobalt Strike: Using Process Memory To Decrypt Traffic – Part 3}},
date = {2021-11-03},
organization = {nviso},
url = {https://blog.nviso.eu/2021/11/03/cobalt-strike-using-process-memory-to-decrypt-traffic-part-3/},
language = {English},
urldate = {2021-11-08}
}
Cobalt Strike: Using Process Memory To Decrypt Traffic – Part 3
Cobalt Strike |
2021-11-03 ⋅ Didier Stevens ⋅ Didier Stevens
@online{stevens:20211103:new:6f8b92c,
author = {Didier Stevens},
title = {{New Tool: cs-extract-key.py}},
date = {2021-11-03},
organization = {Didier Stevens},
url = {https://blog.didierstevens.com/2021/11/03/new-tool-cs-extract-key-py/},
language = {English},
urldate = {2021-11-17}
}
New Tool: cs-extract-key.py
Cobalt Strike |
2021-11-02 ⋅ Intel 471 ⋅ Intel 471
@online{471:20211102:cybercrime:4d53035,
author = {Intel 471},
title = {{Cybercrime underground flush with shipping companies’ credentials}},
date = {2021-11-02},
organization = {Intel 471},
url = {https://intel471.com/blog/shipping-companies-ransomware-credentials},
language = {English},
urldate = {2021-11-03}
}
Cybercrime underground flush with shipping companies’ credentials
Cobalt Strike Conti |
2021-11-02 ⋅ unh4ck ⋅ Cyb3rSn0rlax
@online{cyb3rsn0rlax:20211102:detecting:a2828eb,
author = {Cyb3rSn0rlax},
title = {{Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 2}},
date = {2021-11-02},
organization = {unh4ck},
url = {https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-2},
language = {English},
urldate = {2021-11-03}
}
Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 2
Cobalt Strike Conti |
2021-11-02 ⋅ boschko.ca blog ⋅ Olivier Laflamme
@online{laflamme:20211102:cobalt:d09aa11,
author = {Olivier Laflamme},
title = {{Cobalt Strike Process Injection}},
date = {2021-11-02},
organization = {boschko.ca blog},
url = {https://boschko.ca/cobalt-strike-process-injection/},
language = {English},
urldate = {2021-11-29}
}
Cobalt Strike Process Injection
Cobalt Strike |
2021-11-01 ⋅ Accenture ⋅ Heather Larrieu, Curt Wilson, Katrina Hill
@online{larrieu:20211101:diving:a732a35,
author = {Heather Larrieu and Curt Wilson and Katrina Hill},
title = {{Diving into double extortion campaigns}},
date = {2021-11-01},
organization = {Accenture},
url = {https://www.accenture.com/us-en/blogs/cyber-defense/double-extortion-campaigns},
language = {English},
urldate = {2021-11-03}
}
Diving into double extortion campaigns
Cobalt Strike MimiKatz |
2021-11-01 ⋅ The DFIR Report ⋅ @iiamaleks, @samaritan_o
@online{iiamaleks:20211101:from:2348d47,
author = {@iiamaleks and @samaritan_o},
title = {{From Zero to Domain Admin}},
date = {2021-11-01},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/},
language = {English},
urldate = {2021-11-03}
}
From Zero to Domain Admin
Cobalt Strike Hancitor |
2021-10-29 ⋅ Національна поліція України ⋅ Національна поліція України
@online{:20211029:cyberpolice:fc43b20,
author = {Національна поліція України},
title = {{Cyberpolice exposes transnational criminal group in causing $ 120 million in damage to foreign companies}},
date = {2021-10-29},
organization = {Національна поліція України},
url = {https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/},
language = {Ukrainian},
urldate = {2021-11-02}
}
Cyberpolice exposes transnational criminal group in causing $ 120 million in damage to foreign companies
Cobalt Strike Dharma LockerGoga MegaCortex TrickBot |
2021-10-29 ⋅ Europol ⋅ Europol
@online{europol:20211029:12:5c0fd59,
author = {Europol},
title = {{12 targeted for involvement in ransomware attacks against critical infrastructure}},
date = {2021-10-29},
organization = {Europol},
url = {https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure},
language = {English},
urldate = {2021-11-02}
}
12 targeted for involvement in ransomware attacks against critical infrastructure
Cobalt Strike Dharma LockerGoga MegaCortex TrickBot |
2021-10-27 ⋅ nviso ⋅ Didier Stevens
@online{stevens:20211027:cobalt:b91181a,
author = {Didier Stevens},
title = {{Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 2}},
date = {2021-10-27},
organization = {nviso},
url = {https://blog.nviso.eu/2021/10/27/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-2/},
language = {English},
urldate = {2021-11-03}
}
Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 2
Cobalt Strike |
2021-10-26 ⋅ ANSSI
@techreport{anssi:20211026:identification:9444ac3,
author = {ANSSI},
title = {{Identification of a new cyber criminal group: Lockean}},
date = {2021-10-26},
institution = {},
url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf},
language = {English},
urldate = {2022-01-25}
}
Identification of a new cyber criminal group: Lockean
Cobalt Strike DoppelPaymer Egregor Maze PwndLocker QakBot REvil |
2021-10-26 ⋅ unh4ck ⋅ Hamza OUADIA
@online{ouadia:20211026:detecting:2a3e2fa,
author = {Hamza OUADIA},
title = {{Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 1}},
date = {2021-10-26},
organization = {unh4ck},
url = {https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1},
language = {English},
urldate = {2021-11-03}
}
Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 1
Cobalt Strike Conti |
2021-10-26 ⋅ Cisco Talos ⋅ Edmund Brumaghin, Mariano Graziano, Nick Mavis
@online{brumaghin:20211026:squirrelwaffle:88c5943,
author = {Edmund Brumaghin and Mariano Graziano and Nick Mavis},
title = {{SQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike}},
date = {2021-10-26},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html},
language = {English},
urldate = {2021-11-02}
}
SQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike
Cobalt Strike QakBot Squirrelwaffle |
2021-10-21 ⋅ CrowdStrike ⋅ Alex Clinton, Tasha Robinson
@online{clinton:20211021:stopping:3c26152,
author = {Alex Clinton and Tasha Robinson},
title = {{Stopping GRACEFUL SPIDER: Falcon Complete’s Fast Response to Recent SolarWinds Serv-U Exploit Campaign}},
date = {2021-10-21},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/},
language = {English},
urldate = {2021-11-02}
}
Stopping GRACEFUL SPIDER: Falcon Complete’s Fast Response to Recent SolarWinds Serv-U Exploit Campaign
Cobalt Strike FlawedGrace TinyMet |
2021-10-21 ⋅ nviso ⋅ Didier Stevens
@online{stevens:20211021:cobalt:bfc8702,
author = {Didier Stevens},
title = {{Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 1}},
date = {2021-10-21},
organization = {nviso},
url = {https://blog.nviso.eu/2021/10/21/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-1/},
language = {English},
urldate = {2021-10-26}
}
Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 1
Cobalt Strike |
2021-10-18 ⋅ Symantec ⋅ Threat Hunter Team
@online{team:20211018:harvester:ad72962,
author = {Threat Hunter Team},
title = {{Harvester: Nation-state-backed group uses new toolset to target victims in South Asia}},
date = {2021-10-18},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/harvester-new-apt-attacks-asia},
language = {English},
urldate = {2021-11-03}
}
Harvester: Nation-state-backed group uses new toolset to target victims in South Asia
Cobalt Strike Graphon |
2021-10-18 ⋅ paloalto Netoworks: Unit42 ⋅ Brad Duncan
@online{duncan:20211018:case:bdd95ff,
author = {Brad Duncan},
title = {{Case Study: From BazarLoader to Network Reconnaissance}},
date = {2021-10-18},
organization = {paloalto Netoworks: Unit42},
url = {https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/},
language = {English},
urldate = {2021-10-22}
}
Case Study: From BazarLoader to Network Reconnaissance
BazarBackdoor Cobalt Strike |
2021-10-18 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20211018:icedid:0b574b0,
author = {The DFIR Report},
title = {{IcedID to XingLocker Ransomware in 24 hours}},
date = {2021-10-18},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/},
language = {English},
urldate = {2021-10-22}
}
IcedID to XingLocker Ransomware in 24 hours
Cobalt Strike IcedID Mount Locker |
2021-10-14 ⋅ Medium walmartglobaltech ⋅ Jason Reaves
@online{reaves:20211014:investigation:29ef29c,
author = {Jason Reaves},
title = {{Investigation into the state of NIM malware Part 2}},
date = {2021-10-14},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671},
language = {English},
urldate = {2021-12-15}
}
Investigation into the state of NIM malware Part 2
Cobalt Strike NimGrabber Nimrev Unidentified 088 (Nim Ransomware) |
2021-10-12 ⋅ Mandiant ⋅ Alyssa Rahman
@online{rahman:20211012:defining:df3f43c,
author = {Alyssa Rahman},
title = {{Defining Cobalt Strike Components So You Can BEA-CONfident in Your Analysis}},
date = {2021-10-12},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/defining-cobalt-strike-components},
language = {English},
urldate = {2021-11-02}
}
Defining Cobalt Strike Components So You Can BEA-CONfident in Your Analysis
Cobalt Strike |
2021-10-11 ⋅ Accenture ⋅ Accenture Cyber Threat Intelligence
@online{intelligence:20211011:moving:3b0eaec,
author = {Accenture Cyber Threat Intelligence},
title = {{Moving Left of the Ransomware Boom}},
date = {2021-10-11},
organization = {Accenture},
url = {https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom},
language = {English},
urldate = {2021-11-03}
}
Moving Left of the Ransomware Boom
REvil Cobalt Strike MimiKatz RagnarLocker REvil |
2021-10-08 ⋅ 0ffset Blog ⋅ Chuong Dong
@online{dong:20211008:squirrelwaffle:4549cd1,
author = {Chuong Dong},
title = {{SQUIRRELWAFFLE – Analysing The Main Loader}},
date = {2021-10-08},
organization = {0ffset Blog},
url = {https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-main-loader/},
language = {English},
urldate = {2021-10-14}
}
SQUIRRELWAFFLE – Analysing The Main Loader
Cobalt Strike Squirrelwaffle |
2021-10-07 ⋅ Mandiant ⋅ Mandiant Research Team
@online{team:20211007:fin12:505a3a8,
author = {Mandiant Research Team},
title = {{FIN12 Group Profile: FIN12 Priotizes Speed to Deploy Ransomware Aginst High-Value Targets}},
date = {2021-10-07},
organization = {Mandiant},
url = {https://www.mandiant.com/media/12596/download},
language = {English},
urldate = {2021-11-27}
}
FIN12 Group Profile: FIN12 Priotizes Speed to Deploy Ransomware Aginst High-Value Targets
Cobalt Strike Empire Downloader TrickBot |
2021-10-07 ⋅ Netskope ⋅ Gustavo Palazolo, Ghanashyam Satpathy
@online{palazolo:20211007:squirrelwaffle:3506816,
author = {Gustavo Palazolo and Ghanashyam Satpathy},
title = {{SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot}},
date = {2021-10-07},
organization = {Netskope},
url = {https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot},
language = {English},
urldate = {2021-10-11}
}
SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot
Cobalt Strike QakBot Squirrelwaffle |
2021-10-06 ⋅ Blackberry ⋅ Blackberry Research
@techreport{research:20211006:finding:50936df,
author = {Blackberry Research},
title = {{Finding Beacons in the Dark}},
date = {2021-10-06},
institution = {Blackberry},
url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/sneak-peek-ch1-2-finding-beacons-in-the-dark.pdf},
language = {English},
urldate = {2021-11-08}
}
Finding Beacons in the Dark
Cobalt Strike |
2021-10-05 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team
@online{team:20211005:drawing:e53477d,
author = {The BlackBerry Research & Intelligence Team},
title = {{Drawing a Dragon: Connecting the Dots to Find APT41}},
date = {2021-10-05},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2021/10/drawing-a-dragon-connecting-the-dots-to-find-apt41},
language = {English},
urldate = {2021-10-11}
}
Drawing a Dragon: Connecting the Dots to Find APT41
Cobalt Strike Ghost RAT |
2021-10-04 ⋅ Sophos ⋅ Sean Gallagher, Vikas Singh, Krisztián Diriczi, Kajal Katiyar, Chaitanya Ghorpade, Rahil Shah
@online{gallagher:20211004:atom:782b979,
author = {Sean Gallagher and Vikas Singh and Krisztián Diriczi and Kajal Katiyar and Chaitanya Ghorpade and Rahil Shah},
title = {{Atom Silo ransomware actors use Confluence exploit, DLL side-load for stealthy attack}},
date = {2021-10-04},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/},
language = {English},
urldate = {2021-10-11}
}
Atom Silo ransomware actors use Confluence exploit, DLL side-load for stealthy attack
ATOMSILO Cobalt Strike |
2021-10-04 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20211004:bazarloader:fe3adf3,
author = {The DFIR Report},
title = {{BazarLoader and the Conti Leaks}},
date = {2021-10-04},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/},
language = {English},
urldate = {2021-10-11}
}
BazarLoader and the Conti Leaks
BazarBackdoor Cobalt Strike Conti |
2021-10-03 ⋅ Github (0xjxd) ⋅ Joel Dönne
@techreport{dnne:20211003:squirrelwaffle:3a35566,
author = {Joel Dönne},
title = {{SquirrelWaffle - From Maldoc to Cobalt Strike}},
date = {2021-10-03},
institution = {Github (0xjxd)},
url = {https://github.com/0xjxd/SquirrelWaffle-From-Maldoc-to-Cobalt-Strike/raw/main/2021-10-02%20-%20SquirrelWaffle%20-%20From%20Maldoc%20to%20Cobalt%20Strike.pdf},
language = {English},
urldate = {2021-10-07}
}
SquirrelWaffle - From Maldoc to Cobalt Strike
Cobalt Strike Squirrelwaffle |
2021-10-01 ⋅ 0ffset Blog ⋅ Chuong Dong
@online{dong:20211001:squirrelwaffle:24c9b06,
author = {Chuong Dong},
title = {{SQUIRRELWAFFLE – Analysing the Custom Packer}},
date = {2021-10-01},
organization = {0ffset Blog},
url = {https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-custom-packer/},
language = {English},
urldate = {2021-10-14}
}
SQUIRRELWAFFLE – Analysing the Custom Packer
Cobalt Strike Squirrelwaffle |
2021-09-30 ⋅ PT Expert Security Center
@online{center:20210930:masters:8707c00,
author = {PT Expert Security Center},
title = {{Masters of Mimicry: new APT group ChamelGang and its arsenal}},
date = {2021-09-30},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang},
language = {English},
urldate = {2021-10-14}
}
Masters of Mimicry: new APT group ChamelGang and its arsenal
Cobalt Strike |
2021-09-30 ⋅ CrowdStrike ⋅ Falcon OverWatch Team
@online{team:20210930:hunting:bc2e59d,
author = {Falcon OverWatch Team},
title = {{Hunting for the Confluence Exploitation: When Falcon OverWatch Becomes the First Line of Defense}},
date = {2021-09-30},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/how-crowdstrike-threat-hunters-identified-a-confluence-exploit/},
language = {English},
urldate = {2021-10-05}
}
Hunting for the Confluence Exploitation: When Falcon OverWatch Becomes the First Line of Defense
Cobalt Strike |
2021-09-30 ⋅ PTSecurity ⋅ PT ESC Threat Intelligence
@online{intelligence:20210930:masters:4394504,
author = {PT ESC Threat Intelligence},
title = {{Masters of Mimicry: new APT group ChamelGang and its arsenal}},
date = {2021-09-30},
organization = {PTSecurity},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3},
language = {English},
urldate = {2021-11-29}
}
Masters of Mimicry: new APT group ChamelGang and its arsenal
Cobalt Strike |
2021-09-29 ⋅ Advanced Intelligence ⋅ Vitali Kremez, Yelisey Boguslavskiy
@online{kremez:20210929:backup:4aebe4e,
author = {Vitali Kremez and Yelisey Boguslavskiy},
title = {{Backup “Removal” Solutions - From Conti Ransomware With Love}},
date = {2021-09-29},
organization = {Advanced Intelligence},
url = {https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love},
language = {English},
urldate = {2021-10-20}
}
Backup “Removal” Solutions - From Conti Ransomware With Love
Cobalt Strike Conti |
2021-09-29 ⋅ Malware Traffic Analysis ⋅ Brad Duncan
@online{duncan:20210929:20210929:e348fca,
author = {Brad Duncan},
title = {{2021-09-29 (Wednesday) - Hancitor with Cobalt Strike}},
date = {2021-09-29},
organization = {Malware Traffic Analysis},
url = {https://malware-traffic-analysis.net/2021/09/29/index.html},
language = {English},
urldate = {2021-11-03}
}
2021-09-29 (Wednesday) - Hancitor with Cobalt Strike
Cobalt Strike Hancitor |
2021-09-28 ⋅ Zscaler ⋅ Avinash Kumar, Brett Stone-Gross
@online{kumar:20210928:squirrelwaffle:9b1cffc,
author = {Avinash Kumar and Brett Stone-Gross},
title = {{Squirrelwaffle: New Loader Delivering Cobalt Strike}},
date = {2021-09-28},
organization = {Zscaler},
url = {https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike},
language = {English},
urldate = {2021-10-11}
}
Squirrelwaffle: New Loader Delivering Cobalt Strike
Cobalt Strike Squirrelwaffle |
2021-09-27 ⋅ Cynet ⋅ Max Malyutin
@online{malyutin:20210927:virtual:cd72501,
author = {Max Malyutin},
title = {{A Virtual Baffle to Battle Squirrelwaffle}},
date = {2021-09-27},
organization = {Cynet},
url = {https://www.cynet.com/understanding-squirrelwaffle/},
language = {English},
urldate = {2021-09-28}
}
A Virtual Baffle to Battle Squirrelwaffle
Cobalt Strike Squirrelwaffle |
2021-09-26 ⋅ NSFOCUS ⋅ Jie Ji
@online{ji:20210926:insights:51c06b8,
author = {Jie Ji},
title = {{Insights into Ransomware Spread Using Exchange 1-Day Vulnerabilities 1-2}},
date = {2021-09-26},
organization = {NSFOCUS},
url = {https://nsfocusglobal.com/insights-into-ransomware-spread-using-exchange-1-day-vulnerabilities-1-2/},
language = {English},
urldate = {2021-11-25}
}
Insights into Ransomware Spread Using Exchange 1-Day Vulnerabilities 1-2
Cobalt Strike LockFile |
2021-09-24 ⋅ Trend Micro ⋅ Warren Sto.Tomas
@online{stotomas:20210924:examining:9165fe5,
author = {Warren Sto.Tomas},
title = {{Examining the Cring Ransomware Techniques}},
date = {2021-09-24},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html},
language = {English},
urldate = {2021-09-29}
}
Examining the Cring Ransomware Techniques
Cobalt Strike Cring MimiKatz |
2021-09-22 ⋅ CISA ⋅ US-CERT
@online{uscert:20210922:alert:50b9d38,
author = {US-CERT},
title = {{Alert (AA21-265A) Conti Ransomware}},
date = {2021-09-22},
organization = {CISA},
url = {https://us-cert.cisa.gov/ncas/alerts/aa21-265a},
language = {English},
urldate = {2021-10-05}
}
Alert (AA21-265A) Conti Ransomware
Cobalt Strike Conti |
2021-09-21 ⋅ GuidePoint Security ⋅ Drew Schmitt
@online{schmitt:20210921:ransomware:7c6144d,
author = {Drew Schmitt},
title = {{A Ransomware Near Miss: ProxyShell, a RAT, and Cobalt Strike}},
date = {2021-09-21},
organization = {GuidePoint Security},
url = {https://www.guidepointsecurity.com/blog/a-ransomware-near-miss-proxyshell-a-rat-and-cobalt-strike/},
language = {English},
urldate = {2021-09-22}
}
A Ransomware Near Miss: ProxyShell, a RAT, and Cobalt Strike
Cobalt Strike |
2021-09-21 ⋅ Medium elis531989 ⋅ Eli Salem
@online{salem:20210921:squirrel:1254a9d,
author = {Eli Salem},
title = {{The Squirrel Strikes Back: Analysis of the newly emerged cobalt-strike loader “SquirrelWaffle”}},
date = {2021-09-21},
organization = {Medium elis531989},
url = {https://elis531989.medium.com/the-squirrel-strikes-back-analysis-of-the-newly-emerged-cobalt-strike-loader-squirrelwaffle-937b73dbd9f9},
language = {English},
urldate = {2021-09-22}
}
The Squirrel Strikes Back: Analysis of the newly emerged cobalt-strike loader “SquirrelWaffle”
Cobalt Strike Squirrelwaffle |
2021-09-21 ⋅ Sophos ⋅ Andrew Brandt, Vikas Singh, Shefali Gupta, Krisztián Diriczi, Chaitanya Ghorpade
@online{brandt:20210921:cring:9bd4998,
author = {Andrew Brandt and Vikas Singh and Shefali Gupta and Krisztián Diriczi and Chaitanya Ghorpade},
title = {{Cring ransomware group exploits ancient ColdFusion server}},
date = {2021-09-21},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2021/09/21/cring-ransomware-group-exploits-ancient-coldfusion-server/?cmp=30728},
language = {English},
urldate = {2021-09-24}
}
Cring ransomware group exploits ancient ColdFusion server
Cobalt Strike Cring |
2021-09-21 ⋅ skyblue.team blog ⋅ skyblue team
@online{team:20210921:scanning:5a0697f,
author = {skyblue team},
title = {{Scanning VirusTotal's firehose}},
date = {2021-09-21},
organization = {skyblue.team blog},
url = {https://skyblue.team/posts/scanning-virustotal-firehose/},
language = {English},
urldate = {2021-09-24}
}
Scanning VirusTotal's firehose
Cobalt Strike |
2021-09-17 ⋅ Malware Traffic Analysis ⋅ Brad Duncan
@online{duncan:20210917:20210917:b995435,
author = {Brad Duncan},
title = {{2021-09-17 - SQUIRRELWAFFLE Loader with Cobalt Strike}},
date = {2021-09-17},
organization = {Malware Traffic Analysis},
url = {https://www.malware-traffic-analysis.net/2021/09/17/index.html},
language = {English},
urldate = {2021-09-20}
}
2021-09-17 - SQUIRRELWAFFLE Loader with Cobalt Strike
Cobalt Strike Squirrelwaffle |
2021-09-17 ⋅ CrowdStrike ⋅ Falcon OverWatch Team
@online{team:20210917:falcon:76aa03b,
author = {Falcon OverWatch Team},
title = {{Falcon OverWatch Hunts Down Adversaries Where They Hide}},
date = {2021-09-17},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/four-popular-defensive-evasion-techniques-in-2021/},
language = {English},
urldate = {2021-10-05}
}
Falcon OverWatch Hunts Down Adversaries Where They Hide
BazarBackdoor Cobalt Strike |
2021-09-17 ⋅ Medium inteloperator ⋅ Intel Operator
@online{operator:20210917:default:aaaa15c,
author = {Intel Operator},
title = {{The default: 63 6f 62 61 6c 74 strike}},
date = {2021-09-17},
organization = {Medium inteloperator},
url = {https://inteloperator.medium.com/the-default-63-6f-62-61-6c-74-strike-8ac9ee0de1b7},
language = {English},
urldate = {2021-09-19}
}
The default: 63 6f 62 61 6c 74 strike
Cobalt Strike |
2021-09-16 ⋅ Twitter (@GossiTheDog) ⋅ Kevin Beaumont
@online{beaumont:20210916:some:550bbaa,
author = {Kevin Beaumont},
title = {{Tweet on some unknown threat actor dropping Mgbot, custom IIS modular backdoor and cobalstrike using exploiting ProxyShell}},
date = {2021-09-16},
organization = {Twitter (@GossiTheDog)},
url = {https://twitter.com/GossiTheDog/status/1438500100238577670},
language = {English},
urldate = {2021-09-20}
}
Tweet on some unknown threat actor dropping Mgbot, custom IIS modular backdoor and cobalstrike using exploiting ProxyShell
Cobalt Strike MgBot |
2021-09-16 ⋅ Medium Shabarkin ⋅ Pavel Shabarkin
@online{shabarkin:20210916:pointer:828998f,
author = {Pavel Shabarkin},
title = {{Pointer: Hunting Cobalt Strike globally}},
date = {2021-09-16},
organization = {Medium Shabarkin},
url = {https://medium.com/@shabarkin/pointer-hunting-cobalt-strike-globally-a334ac50619a},
language = {English},
urldate = {2021-09-19}
}
Pointer: Hunting Cobalt Strike globally
Cobalt Strike |
2021-09-16 ⋅ RiskIQ ⋅ RiskIQ
@online{riskiq:20210916:untangling:d1e0f1b,
author = {RiskIQ},
title = {{Untangling the Spider Web: The Curious Connection Between WIZARD SPIDER’s Ransomware Infrastructure and a Windows Zero-Day Exploit}},
date = {2021-09-16},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/c88cf7e6},
language = {English},
urldate = {2021-09-19}
}
Untangling the Spider Web: The Curious Connection Between WIZARD SPIDER’s Ransomware Infrastructure and a Windows Zero-Day Exploit
Cobalt Strike Ryuk |
2021-09-15 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20210915:analyzing:37b6528,
author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)},
title = {{Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability}},
date = {2021-09-15},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/},
language = {English},
urldate = {2021-09-19}
}
Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability
Cobalt Strike |
2021-09-14 ⋅ Recorded Future ⋅ Insikt Group®
@techreport{group:20210914:fullspectrum:fdc7b06,
author = {Insikt Group®},
title = {{Full-Spectrum Cobalt Strike Detection}},
date = {2021-09-14},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf},
language = {English},
urldate = {2021-09-19}
}
Full-Spectrum Cobalt Strike Detection
Cobalt Strike |
2021-09-13 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20210913:bazarloader:5073703,
author = {The DFIR Report},
title = {{BazarLoader to Conti Ransomware in 32 Hours}},
date = {2021-09-13},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/},
language = {English},
urldate = {2021-09-14}
}
BazarLoader to Conti Ransomware in 32 Hours
BazarBackdoor Cobalt Strike Conti |
2021-09-10 ⋅ Gigamon ⋅ Joe Slowik
@online{slowik:20210910:rendering:59082b0,
author = {Joe Slowik},
title = {{Rendering Threats: A Network Perspective}},
date = {2021-09-10},
organization = {Gigamon},
url = {https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/},
language = {English},
urldate = {2021-09-12}
}
Rendering Threats: A Network Perspective
Cobalt Strike |
2021-09-09 ⋅ Trend Micro ⋅ Trend Micro
@online{micro:20210909:remote:17382af,
author = {Trend Micro},
title = {{Remote Code Execution 0-Day (CVE-2021-40444) Hits Windows, Triggered Via Office Docs}},
date = {2021-09-09},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/i/remote-code-execution-zero-day--cve-2021-40444--hits-windows--tr.html},
language = {English},
urldate = {2021-09-12}
}
Remote Code Execution 0-Day (CVE-2021-40444) Hits Windows, Triggered Via Office Docs
Cobalt Strike |
2021-09-08 ⋅ Arash's Blog ⋅ Arash Parsa
@online{parsa:20210908:hook:4dff1b6,
author = {Arash Parsa},
title = {{Hook Heaps and Live Free}},
date = {2021-09-08},
organization = {Arash's Blog},
url = {https://www.arashparsa.com/hook-heaps-and-live-free/},
language = {English},
urldate = {2021-09-10}
}
Hook Heaps and Live Free
Cobalt Strike |
2021-09-07 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara
@online{koczwara:20210907:cobalt:7af112e,
author = {Michael Koczwara},
title = {{Cobalt Strike C2 Hunting with Shodan}},
date = {2021-09-07},
organization = {Medium michaelkoczwara},
url = {https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2},
language = {English},
urldate = {2021-09-09}
}
Cobalt Strike C2 Hunting with Shodan
Cobalt Strike |
2021-09-06 ⋅ kienmanowar Blog ⋅ m4n0w4r
@online{m4n0w4r:20210906:quick:0a892b2,
author = {m4n0w4r},
title = {{Quick analysis CobaltStrike loader and shellcode}},
date = {2021-09-06},
organization = {kienmanowar Blog},
url = {https://kienmanowar.wordpress.com/2021/09/06/quick-analysis-cobaltstrike-loader-and-shellcode/},
language = {English},
urldate = {2021-09-10}
}
Quick analysis CobaltStrike loader and shellcode
Cobalt Strike |
2021-09-03 ⋅ Sophos ⋅ Sean Gallagher, Peter Mackenzie, Anand Ajjan, Andrew Ludgate, Gabor Szappanos, Sergio Bestulic, Syed Zaidi
@online{gallagher:20210903:conti:db20680,
author = {Sean Gallagher and Peter Mackenzie and Anand Ajjan and Andrew Ludgate and Gabor Szappanos and Sergio Bestulic and Syed Zaidi},
title = {{Conti affiliates use ProxyShell Exchange exploit in ransomware attacks}},
date = {2021-09-03},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/},
language = {English},
urldate = {2021-09-06}
}
Conti affiliates use ProxyShell Exchange exploit in ransomware attacks
Cobalt Strike Conti |
2021-09-03 ⋅ Trend Micro ⋅ Mohamad Mokbel
@techreport{mokbel:20210903:state:df86499,
author = {Mohamad Mokbel},
title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}},
date = {2021-09-03},
institution = {Trend Micro},
url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf},
language = {English},
urldate = {2021-09-19}
}
The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader |
2021-09-02 ⋅ Twitter (@th3_protoCOL) ⋅ Colin, GaborSzappanos
@online{colin:20210902:confluence:5bbf2cb,
author = {Colin and GaborSzappanos},
title = {{Tweet on Confluence Server exploitation (CVE-2021-26084) in the wild and cobaltsrike activity (mentioned in replies by GaborSzappanos)}},
date = {2021-09-02},
organization = {Twitter (@th3_protoCOL)},
url = {https://twitter.com/th3_protoCOL/status/1433414685299142660?s=20},
language = {English},
urldate = {2021-09-06}
}
Tweet on Confluence Server exploitation (CVE-2021-26084) in the wild and cobaltsrike activity (mentioned in replies by GaborSzappanos)
Cobalt Strike |
2021-09-02 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara
@online{koczwara:20210902:cobalt:40a1888,
author = {Michael Koczwara},
title = {{Cobalt Strike PowerShell Payload Analysis}},
date = {2021-09-02},
organization = {Medium michaelkoczwara},
url = {https://michaelkoczwara.medium.com/cobalt-strike-powershell-payload-analysis-eecf74b3c2f7},
language = {English},
urldate = {2021-09-09}
}
Cobalt Strike PowerShell Payload Analysis
Cobalt Strike |
2021-09-01 ⋅ YouTube (Black Hat) ⋅ Aragorn Tseng, Charles Li
@online{tseng:20210901:mem2img:7817a5d,
author = {Aragorn Tseng and Charles Li},
title = {{Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network}},
date = {2021-09-01},
organization = {YouTube (Black Hat)},
url = {https://www.youtube.com/watch?v=6SDdUVejR2w},
language = {English},
urldate = {2021-09-12}
}
Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network
Cobalt Strike PlugX Waterbear |
2021-08-31 ⋅ BreakPoint Labs ⋅ BreakPoint Labs
@online{labs:20210831:cobalt:47e2c20,
author = {BreakPoint Labs},
title = {{Cobalt Strike and Ransomware – Tracking An Effective Ransomware Campaign}},
date = {2021-08-31},
organization = {BreakPoint Labs},
url = {https://breakpoint-labs.com/blog/cobalt-strike-and-ransomware-tracking-an-effective-ransomware-campaign/},
language = {English},
urldate = {2021-09-23}
}
Cobalt Strike and Ransomware – Tracking An Effective Ransomware Campaign
Cobalt Strike |
2021-08-30 ⋅ Qianxin ⋅ Red Raindrop Team
@online{team:20210830:operation:7b5be26,
author = {Red Raindrop Team},
title = {{Operation (Thủy Tinh) OceanStorm: The evil lotus hidden under the abyss}},
date = {2021-08-30},
organization = {Qianxin},
url = {https://ti.qianxin.com/blog/articles/Operation-OceanStorm:The-OceanLotus-hidden-under-the-abyss-of-the-deep/},
language = {Chinese},
urldate = {2021-09-09}
}
Operation (Thủy Tinh) OceanStorm: The evil lotus hidden under the abyss
Cobalt Strike MimiKatz |
2021-08-29 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20210829:cobalt:1e4595e,
author = {The DFIR Report},
title = {{Cobalt Strike, a Defender’s Guide}},
date = {2021-08-29},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/},
language = {English},
urldate = {2021-08-31}
}
Cobalt Strike, a Defender’s Guide
Cobalt Strike |
2021-08-27 ⋅ Morphisec ⋅ Morphisec Labs
@online{labs:20210827:proxyshell:a4650f1,
author = {Morphisec Labs},
title = {{ProxyShell Exchange Exploitation Now Leads To An Increasing Amount Of Cobaltstrike Backdoors}},
date = {2021-08-27},
organization = {Morphisec},
url = {https://blog.morphisec.com/proxyshell-exchange-exploitation-now-leads-to-an-increasing-amount-of-cobaltstrike-backdoors},
language = {English},
urldate = {2021-08-31}
}
ProxyShell Exchange Exploitation Now Leads To An Increasing Amount Of Cobaltstrike Backdoors
Cobalt Strike |
2021-08-25 ⋅ Trend Micro ⋅ Hara Hiroaki, Ted Lee
@techreport{hiroaki:20210825:earth:776384f,
author = {Hara Hiroaki and Ted Lee},
title = {{Earth Baku An APT Group Targeting Indo-Pacific Countries With New Stealth Loaders and Backdoor}},
date = {2021-08-25},
institution = {Trend Micro},
url = {https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf},
language = {English},
urldate = {2021-08-31}
}
Earth Baku An APT Group Targeting Indo-Pacific Countries With New Stealth Loaders and Backdoor
Cobalt Strike SideWalk |
2021-08-24 ⋅ ESET Research ⋅ Thibaut Passilly, Mathieu Tartare
@online{passilly:20210824:sidewalk:75d39db,
author = {Thibaut Passilly and Mathieu Tartare},
title = {{The SideWalk may be as dangerous as the CROSSWALK}},
date = {2021-08-24},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/},
language = {English},
urldate = {2021-08-31}
}
The SideWalk may be as dangerous as the CROSSWALK
Cobalt Strike CROSSWALK SideWalk |
2021-08-23 ⋅ FBI ⋅ FBI
@techreport{fbi:20210823:indicators:3308f26,
author = {FBI},
title = {{Indicators of Compromise Associated with OnePercent Group Ransomware}},
date = {2021-08-23},
institution = {FBI},
url = {https://www.ic3.gov/Media/News/2021/210823.pdf},
language = {English},
urldate = {2021-08-24}
}
Indicators of Compromise Associated with OnePercent Group Ransomware
Cobalt Strike MimiKatz |
2021-08-23 ⋅ Youtube (SANS Digital Forensics and Incident Response) ⋅ Chad Tilbury
@online{tilbury:20210823:keynote:23c0084,
author = {Chad Tilbury},
title = {{Keynote: Cobalt Strike Threat Hunting}},
date = {2021-08-23},
organization = {Youtube (SANS Digital Forensics and Incident Response)},
url = {https://www.youtube.com/watch?v=borfuQGrB8g},
language = {English},
urldate = {2021-08-25}
}
Keynote: Cobalt Strike Threat Hunting
Cobalt Strike |
2021-08-19 ⋅ Blackberry ⋅ BlackBerry Research & Intelligence Team
@online{team:20210819:blackberry:2eec433,
author = {BlackBerry Research & Intelligence Team},
title = {{BlackBerry Prevents: Threat Actor Group TA575 and Dridex Malware}},
date = {2021-08-19},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2021/08/blackberry-prevents-threat-actor-group-ta575-and-dridex-malware},
language = {English},
urldate = {2021-08-23}
}
BlackBerry Prevents: Threat Actor Group TA575 and Dridex Malware
Cobalt Strike Dridex |
2021-08-19 ⋅ Sekoia ⋅ sekoia
@online{sekoia:20210819:insider:ceb84de,
author = {sekoia},
title = {{An insider insights into Conti operations – Part two}},
date = {2021-08-19},
organization = {Sekoia},
url = {https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-two/},
language = {English},
urldate = {2021-09-06}
}
An insider insights into Conti operations – Part two
Cobalt Strike Conti |
2021-08-18 ⋅ Intezer ⋅ Ryan Robinson
@online{robinson:20210818:cobalt:965e1a9,
author = {Ryan Robinson},
title = {{Cobalt Strike: Detect this Persistent Threat}},
date = {2021-08-18},
organization = {Intezer},
url = {https://www.intezer.com/blog/malware-analysis/cobalt-strike-detect-this-persistent-threat/},
language = {English},
urldate = {2021-08-25}
}
Cobalt Strike: Detect this Persistent Threat
Cobalt Strike |
2021-08-17 ⋅ Advanced Intelligence ⋅ Vitali Kremez, Yelisey Boguslavskiy
@online{kremez:20210817:hunting:1dc14d0,
author = {Vitali Kremez and Yelisey Boguslavskiy},
title = {{Hunting for Corporate Insurance Policies: Indicators of [Ransom] Exfiltration}},
date = {2021-08-17},
organization = {Advanced Intelligence},
url = {https://www.advanced-intel.com/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations},
language = {English},
urldate = {2021-08-31}
}
Hunting for Corporate Insurance Policies: Indicators of [Ransom] Exfiltration
Cobalt Strike Conti |
2021-08-17 ⋅ Sekoia ⋅ sekoia
@online{sekoia:20210817:insider:3b427c7,
author = {sekoia},
title = {{An insider insights into Conti operations – Part one}},
date = {2021-08-17},
organization = {Sekoia},
url = {https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-one},
language = {English},
urldate = {2021-09-06}
}
An insider insights into Conti operations – Part one
Cobalt Strike Conti |
2021-08-17 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara
@online{koczwara:20210817:cobalt:64689eb,
author = {Michael Koczwara},
title = {{Cobalt Strike Hunting — DLL Hijacking/Attack Analysis}},
date = {2021-08-17},
organization = {Medium michaelkoczwara},
url = {https://michaelkoczwara.medium.com/cobalt-strike-hunting-dll-hijacking-attack-analysis-ffbf8fd66a4e},
language = {English},
urldate = {2021-09-09}
}
Cobalt Strike Hunting — DLL Hijacking/Attack Analysis
Cobalt Strike |
2021-08-15 ⋅ Symantec ⋅ Threat Hunter Team
@techreport{team:20210815:ransomware:f799696,
author = {Threat Hunter Team},
title = {{The Ransomware Threat}},
date = {2021-08-15},
institution = {Symantec},
url = {https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf},
language = {English},
urldate = {2021-12-15}
}
The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker |
2021-08-11 ⋅ Advanced Intelligence ⋅ Vitali Kremez
@online{kremez:20210811:secret:5c5f06c,
author = {Vitali Kremez},
title = {{Secret "Backdoor" Behind Conti Ransomware Operation: Introducing Atera Agent}},
date = {2021-08-11},
organization = {Advanced Intelligence},
url = {https://www.advanced-intel.com/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent},
language = {English},
urldate = {2021-08-31}
}
Secret "Backdoor" Behind Conti Ransomware Operation: Introducing Atera Agent
Cobalt Strike Conti |
2021-08-09 ⋅ IstroSec ⋅ Ladislav Bačo
@online{bao:20210809:cobalt:fc98da7,
author = {Ladislav Bačo},
title = {{APT Cobalt Strike Campaign targeting Slovakia (DEF CON talk)}},
date = {2021-08-09},
organization = {IstroSec},
url = {https://www.istrosec.com/blog/apt-sk-cobalt/},
language = {English},
urldate = {2021-08-16}
}
APT Cobalt Strike Campaign targeting Slovakia (DEF CON talk)
Cobalt Strike |
2021-08-05 ⋅ Red Canary ⋅ Tony Lambert, Brian Donohue, Dan Cotton
@online{lambert:20210805:when:aeb7b10,
author = {Tony Lambert and Brian Donohue and Dan Cotton},
title = {{When Dridex and Cobalt Strike give you Grief}},
date = {2021-08-05},
organization = {Red Canary},
url = {https://redcanary.com/blog/grief-ransomware/},
language = {English},
urldate = {2021-09-10}
}
When Dridex and Cobalt Strike give you Grief
Cobalt Strike DoppelDridex DoppelPaymer |
2021-08-05 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
@online{researchteam:20210805:detecting:235fe13,
author = {Counter Threat Unit ResearchTeam},
title = {{Detecting Cobalt Strike: Government-Sponsored Threat Groups (APT32)}},
date = {2021-08-05},
organization = {Secureworks},
url = {https://www.secureworks.com/blog/detecting-cobalt-strike-government-sponsored-threat-groups},
language = {English},
urldate = {2021-08-06}
}
Detecting Cobalt Strike: Government-Sponsored Threat Groups (APT32)
Cobalt Strike |
2021-08-04 ⋅ CrowdStrike ⋅ Falcon OverWatch Team, CrowdStrike Intelligence Team, CrowdStrike IR
@online{team:20210804:prophet:e6e6a99,
author = {Falcon OverWatch Team and CrowdStrike Intelligence Team and CrowdStrike IR},
title = {{PROPHET SPIDER Exploits Oracle WebLogic to Facilitate Ransomware Activity}},
date = {2021-08-04},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/},
language = {English},
urldate = {2021-09-02}
}
PROPHET SPIDER Exploits Oracle WebLogic to Facilitate Ransomware Activity
Cobalt Strike Egregor Mount Locker |
2021-08-04 ⋅ Sentinel LABS ⋅ Gal Kristal
@online{kristal:20210804:hotcobalt:136e715,
author = {Gal Kristal},
title = {{Hotcobalt – New Cobalt Strike DoS Vulnerability That Lets You Halt Operations}},
date = {2021-08-04},
organization = {Sentinel LABS},
url = {https://labs.sentinelone.com/hotcobalt-new-cobalt-strike-dos-vulnerability-that-lets-you-halt-operations/},
language = {English},
urldate = {2021-08-06}
}
Hotcobalt – New Cobalt Strike DoS Vulnerability That Lets You Halt Operations
Cobalt Strike |
2021-08-04 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
@online{researchteam:20210804:detecting:b379acb,
author = {Counter Threat Unit ResearchTeam},
title = {{Detecting Cobalt Strike: Cybercrime Attacks (GOLD LAGOON)}},
date = {2021-08-04},
organization = {Secureworks},
url = {https://www.secureworks.com/blog/detecting-cobalt-strike-cybercrime-attacks},
language = {English},
urldate = {2021-08-06}
}
Detecting Cobalt Strike: Cybercrime Attacks (GOLD LAGOON)
Cobalt Strike |
2021-08-03 ⋅ Cybereason ⋅ Assaf Dahan, Lior Rochberger, Daniel Frank, Tom Fakterman
@online{dahan:20210803:deadringer:908e8d5,
author = {Assaf Dahan and Lior Rochberger and Daniel Frank and Tom Fakterman},
title = {{DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos}},
date = {2021-08-03},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos},
language = {English},
urldate = {2021-08-06}
}
DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos
CHINACHOPPER Cobalt Strike MimiKatz Nebulae |
2021-08-02 ⋅ Youtube (Forschungsinstitut Cyber Defense) ⋅ Alexander Rausch, Konstantin Klinger
@online{rausch:20210802:code:dee039d,
author = {Alexander Rausch and Konstantin Klinger},
title = {{The CODE 2021: Workshop presentation and demonstration about CobaltStrike}},
date = {2021-08-02},
organization = {Youtube (Forschungsinstitut Cyber Defense)},
url = {https://www.youtube.com/watch?v=y65hmcLIWDY},
language = {English},
urldate = {2021-08-25}
}
The CODE 2021: Workshop presentation and demonstration about CobaltStrike
Cobalt Strike |
2021-08-01 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20210801:bazarcall:bb6829b,
author = {The DFIR Report},
title = {{BazarCall to Conti Ransomware via Trickbot and Cobalt Strike}},
date = {2021-08-01},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/},
language = {English},
urldate = {2021-08-02}
}
BazarCall to Conti Ransomware via Trickbot and Cobalt Strike
BazarBackdoor Cobalt Strike Conti TrickBot |
2021-07-30 ⋅ Twitter (@Unit42_Intel) ⋅ Unit 42
@online{42:20210730:bazarloader:43bdc2c,
author = {Unit 42},
title = {{Tweet on BazarLoader infection leading to cobaltstrike and Powershell script file for PrintNightmare vulnerability}},
date = {2021-07-30},
organization = {Twitter (@Unit42_Intel)},
url = {https://twitter.com/Unit42_Intel/status/1421117403644186629?s=20},
language = {English},
urldate = {2021-08-02}
}
Tweet on BazarLoader infection leading to cobaltstrike and Powershell script file for PrintNightmare vulnerability
BazarBackdoor Cobalt Strike |
2021-07-29 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team
@online{team:20210729:bazacall:8d79cdf,
author = {Microsoft 365 Defender Threat Intelligence Team},
title = {{BazaCall: Phony call centers lead to exfiltration and ransomware}},
date = {2021-07-29},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/},
language = {English},
urldate = {2021-08-02}
}
BazaCall: Phony call centers lead to exfiltration and ransomware
BazarBackdoor Cobalt Strike |
2021-07-29 ⋅ Rasta Mouse ⋅ Rasta Mouse
@online{mouse:20210729:ntlm:7f97289,
author = {Rasta Mouse},
title = {{NTLM Relaying via Cobalt Strike}},
date = {2021-07-29},
organization = {Rasta Mouse},
url = {https://rastamouse.me/ntlm-relaying-via-cobalt-strike/},
language = {English},
urldate = {2021-07-29}
}
NTLM Relaying via Cobalt Strike
Cobalt Strike |
2021-07-27 ⋅ Blackberry ⋅ BlackBerry Research & Intelligence Team
@techreport{team:20210727:old:3060d53,
author = {BlackBerry Research & Intelligence Team},
title = {{Old Dogs New Tricks: Attackers Adopt Exotic Programming Languages}},
date = {2021-07-27},
institution = {Blackberry},
url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf},
language = {English},
urldate = {2021-07-27}
}
Old Dogs New Tricks: Attackers Adopt Exotic Programming Languages
elf.wellmess ElectroRAT BazarNimrod Buer Cobalt Strike Remcos Snake TeleBot WellMess Zebrocy |
2021-07-25 ⋅ Medium svch0st ⋅ svch0st
@online{svch0st:20210725:guide:28267fd,
author = {svch0st},
title = {{Guide to Named Pipes and Hunting for Cobalt Strike Pipes}},
date = {2021-07-25},
organization = {Medium svch0st},
url = {https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575},
language = {English},
urldate = {2021-08-02}
}
Guide to Named Pipes and Hunting for Cobalt Strike Pipes
Cobalt Strike |
2021-07-22 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara
@online{koczwara:20210722:cobalt:f102b02,
author = {Michael Koczwara},
title = {{Cobalt Strike Hunting — simple PCAP and Beacon Analysis}},
date = {2021-07-22},
organization = {Medium michaelkoczwara},
url = {https://michaelkoczwara.medium.com/cobalt-strike-hunting-simple-pcap-and-beacon-analysis-f51c36ce6811},
language = {English},
urldate = {2021-07-22}
}
Cobalt Strike Hunting — simple PCAP and Beacon Analysis
Cobalt Strike |
2021-07-19 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20210719:icedid:0365384,
author = {The DFIR Report},
title = {{IcedID and Cobalt Strike vs Antivirus}},
date = {2021-07-19},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/},
language = {English},
urldate = {2021-07-20}
}
IcedID and Cobalt Strike vs Antivirus
Cobalt Strike IcedID |
2021-07-14 ⋅ MDSec ⋅ Chris Basnett
@online{basnett:20210714:investigating:585e2a1,
author = {Chris Basnett},
title = {{Investigating a Suspicious Service}},
date = {2021-07-14},
organization = {MDSec},
url = {https://www.mdsec.co.uk/2021/07/investigating-a-suspicious-service/},
language = {English},
urldate = {2021-07-20}
}
Investigating a Suspicious Service
Cobalt Strike |
2021-07-14 ⋅ Kaspersky ⋅ Mark Lechtik, Paul Rascagnères, Aseel Kayal
@online{lechtik:20210714:luminousmoth:a5cf19d,
author = {Mark Lechtik and Paul Rascagnères and Aseel Kayal},
title = {{LuminousMoth APT: Sweeping attacks for the chosen few}},
date = {2021-07-14},
organization = {Kaspersky},
url = {https://securelist.com/apt-luminousmoth/103332/},
language = {English},
urldate = {2021-07-20}
}
LuminousMoth APT: Sweeping attacks for the chosen few
Cobalt Strike |
2021-07-14 ⋅ Google ⋅ Maddie Stone, Clement Lecigne, Google Threat Analysis Group
@online{stone:20210714:how:38dfdc6,
author = {Maddie Stone and Clement Lecigne and Google Threat Analysis Group},
title = {{How We Protect Users From 0-Day Attacks (CVE-2021-21166, CVE-2021-30551, CVE-2021-33742, CVE-2021-1879)}},
date = {2021-07-14},
organization = {Google},
url = {https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/},
language = {English},
urldate = {2021-07-26}
}
How We Protect Users From 0-Day Attacks (CVE-2021-21166, CVE-2021-30551, CVE-2021-33742, CVE-2021-1879)
Cobalt Strike |
2021-07-13 ⋅ YouTube ( Matt Soseman) ⋅ Matt Soseman
@online{soseman:20210713:solarwinds:cb7df1d,
author = {Matt Soseman},
title = {{Solarwinds and SUNBURST attacks compromised my lab!}},
date = {2021-07-13},
organization = {YouTube ( Matt Soseman)},
url = {https://www.youtube.com/watch?v=GfbxHy6xnbA},
language = {English},
urldate = {2021-07-21}
}
Solarwinds and SUNBURST attacks compromised my lab!
Cobalt Strike Raindrop SUNBURST TEARDROP |
2021-07-09 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
@online{duncan:20210709:hancitor:814e815,
author = {Brad Duncan},
title = {{Hancitor tries XLL as initial malware file}},
date = {2021-07-09},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/rss/27618},
language = {English},
urldate = {2021-07-19}
}
Hancitor tries XLL as initial malware file
Cobalt Strike Hancitor |
2021-07-08 ⋅ Avast Decoded ⋅ Threat Intelligence Team
@online{team:20210708:decoding:04acb98,
author = {Threat Intelligence Team},
title = {{Decoding Cobalt Strike: Understanding Payloads}},
date = {2021-07-08},
organization = {Avast Decoded},
url = {https://decoded.avast.io/threatintel/decoding-cobalt-strike-understanding-payloads/},
language = {English},
urldate = {2021-07-08}
}
Decoding Cobalt Strike: Understanding Payloads
Cobalt Strike Empire Downloader |
2021-07-07 ⋅ Trend Micro ⋅ Joseph C Chen, Kenney Lu, Jaromír Hořejší, Gloria Chen
@online{chen:20210707:biopass:88dcdc2,
author = {Joseph C Chen and Kenney Lu and Jaromír Hořejší and Gloria Chen},
title = {{BIOPASS RAT: New Malware Sniffs Victims via Live Streaming}},
date = {2021-07-07},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html},
language = {English},
urldate = {2021-07-19}
}
BIOPASS RAT: New Malware Sniffs Victims via Live Streaming
BIOPASS Cobalt Strike Derusbi |
2021-07-07 ⋅ McAfee ⋅ McAfee Labs
@techreport{labs:20210707:ryuk:ee88024,
author = {McAfee Labs},
title = {{Ryuk Ransomware Now Targeting Webservers}},
date = {2021-07-07},
institution = {McAfee},
url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-ryuk-ransomware-targeting-webservers.pdf},
language = {English},
urldate = {2021-07-11}
}
Ryuk Ransomware Now Targeting Webservers
Cobalt Strike Ryuk |
2021-07-07 ⋅ Trustwave ⋅ Rodel Mendrez, Nikita Kazymirskyi
@online{mendrez:20210707:diving:1c04c81,
author = {Rodel Mendrez and Nikita Kazymirskyi},
title = {{Diving Deeper Into the Kaseya VSA Attack: REvil Returns and Other Hackers Are Riding Their Coattails}},
date = {2021-07-07},
organization = {Trustwave},
url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/},
language = {English},
urldate = {2021-07-09}
}
Diving Deeper Into the Kaseya VSA Attack: REvil Returns and Other Hackers Are Riding Their Coattails
Cobalt Strike REvil |
2021-07-06 ⋅ Twitter (@MBThreatIntel) ⋅ Malwarebytes Threat Intelligence
@online{intelligence:20210706:malspam:083ba5a,
author = {Malwarebytes Threat Intelligence},
title = {{Tweet on a malspam campaign that is taking advantage of Kaseya VSA ransomware attack to drop CobaltStrike}},
date = {2021-07-06},
organization = {Twitter (@MBThreatIntel)},
url = {https://twitter.com/MBThreatIntel/status/1412518446013812737},
language = {English},
urldate = {2021-07-09}
}
Tweet on a malspam campaign that is taking advantage of Kaseya VSA ransomware attack to drop CobaltStrike
Cobalt Strike |
2021-07-05 ⋅ Trend Micro ⋅ Abraham Camba, Catherine Loveria, Ryan Maglaque, Buddy Tancio
@online{camba:20210705:tracking:6ae6ad5,
author = {Abraham Camba and Catherine Loveria and Ryan Maglaque and Buddy Tancio},
title = {{Tracking Cobalt Strike: A Trend Micro Vision One Investigation}},
date = {2021-07-05},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/g/tracking_cobalt_strike_a_vision_one_investigation.html},
language = {English},
urldate = {2021-07-19}
}
Tracking Cobalt Strike: A Trend Micro Vision One Investigation
Cobalt Strike |
2021-07-02 ⋅ MalwareBookReports ⋅ muzi
@online{muzi:20210702:skip:09c3cd8,
author = {muzi},
title = {{Skip the Middleman: Dridex Document to Cobalt Strike}},
date = {2021-07-02},
organization = {MalwareBookReports},
url = {https://malwarebookreports.com/cryptone-cobalt-strike/},
language = {English},
urldate = {2021-07-06}
}
Skip the Middleman: Dridex Document to Cobalt Strike
Cobalt Strike Dridex |
2021-07-01 ⋅ The Record ⋅ Catalin Cimpanu
@online{cimpanu:20210701:mongolian:1fd57de,
author = {Catalin Cimpanu},
title = {{Mongolian certificate authority hacked eight times, compromised with malware}},
date = {2021-07-01},
organization = {The Record},
url = {https://therecord.media/mongolian-certificate-authority-hacked-eight-times-compromised-with-malware/},
language = {English},
urldate = {2021-07-02}
}
Mongolian certificate authority hacked eight times, compromised with malware
Cobalt Strike |
2021-07-01 ⋅ Avast Decoded ⋅ Luigino Camastra, Igor Morgenstern, Jan Vojtěšek
@online{camastra:20210701:backdoored:6f26c16,
author = {Luigino Camastra and Igor Morgenstern and Jan Vojtěšek},
title = {{Backdoored Client from Mongolian CA MonPass}},
date = {2021-07-01},
organization = {Avast Decoded},
url = {https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass/},
language = {English},
urldate = {2021-07-02}
}
Backdoored Client from Mongolian CA MonPass
Cobalt Strike |
2021-06-30 ⋅ Group-IB ⋅ Oleg Skulkin
@online{skulkin:20210630:revil:63bb524,
author = {Oleg Skulkin},
title = {{REvil Twins Deep Dive into Prolific RaaS Affiliates' TTPs}},
date = {2021-06-30},
organization = {Group-IB},
url = {https://blog.group-ib.com/REvil_RaaS},
language = {English},
urldate = {2021-07-02}
}
REvil Twins Deep Dive into Prolific RaaS Affiliates' TTPs
Cobalt Strike REvil |
2021-06-29 ⋅ Proofpoint ⋅ Selena Larson, Daniel Blackford
@online{larson:20210629:cobalt:99ad5a0,
author = {Selena Larson and Daniel Blackford},
title = {{Cobalt Strike: Favorite Tool from APT to Crimeware}},
date = {2021-06-29},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/blog/threat-insight/cobalt-strike-favorite-tool-apt-crimeware},
language = {English},
urldate = {2021-06-29}
}
Cobalt Strike: Favorite Tool from APT to Crimeware
Cobalt Strike |
2021-06-29 ⋅ Accenture ⋅ Accenture Security
@online{security:20210629:hades:2d4c606,
author = {Accenture Security},
title = {{HADES ransomware operators continue attacks}},
date = {2021-06-29},
organization = {Accenture},
url = {https://www.accenture.com/us-en/blogs/security/ransomware-hades},
language = {English},
urldate = {2021-07-01}
}
HADES ransomware operators continue attacks
Cobalt Strike Hades MimiKatz |
2021-06-28 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20210628:hancitor:b21cdd2,
author = {The DFIR Report},
title = {{Hancitor Continues to Push Cobalt Strike}},
date = {2021-06-28},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/},
language = {English},
urldate = {2021-06-29}
}
Hancitor Continues to Push Cobalt Strike
Cobalt Strike Hancitor |
2021-06-22 ⋅ CrowdStrike ⋅ The Falcon Complete Team
@online{team:20210622:response:13a8ee6,
author = {The Falcon Complete Team},
title = {{Response When Minutes Matter: Falcon Complete Disrupts WIZARD SPIDER eCrime Operators}},
date = {2021-06-22},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/how-falcon-complete-disrupts-ecrime-operators-wizard-spider/},
language = {English},
urldate = {2021-06-24}
}
Response When Minutes Matter: Falcon Complete Disrupts WIZARD SPIDER eCrime Operators
Cobalt Strike |
2021-06-22 ⋅ Twitter (@Cryptolaemus1) ⋅ Cryptolaemus, Kirk Sayre, dao ming si
@online{cryptolaemus:20210622:ta575:895ac37,
author = {Cryptolaemus and Kirk Sayre and dao ming si},
title = {{Tweet on TA575, a Dridex affiliate delivering cobaltstrike (packed withe Cryptone) directly via the macro docs}},
date = {2021-06-22},
organization = {Twitter (@Cryptolaemus1)},
url = {https://twitter.com/Cryptolaemus1/status/1407135648528711680},
language = {English},
urldate = {2021-06-22}
}
Tweet on TA575, a Dridex affiliate delivering cobaltstrike (packed withe Cryptone) directly via the macro docs
Cobalt Strike Dridex |
2021-06-20 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20210620:from:aadb7e8,
author = {The DFIR Report},
title = {{From Word to Lateral Movement in 1 Hour}},
date = {2021-06-20},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/},
language = {English},
urldate = {2021-06-22}
}
From Word to Lateral Movement in 1 Hour
Cobalt Strike IcedID |
2021-06-18 ⋅ SecurityScorecard ⋅ Ryan Sherstobitoff
@online{sherstobitoff:20210618:securityscorecard:0000641,
author = {Ryan Sherstobitoff},
title = {{SecurityScorecard Finds USAID Hack Much Larger Than Initially Thought}},
date = {2021-06-18},
organization = {SecurityScorecard},
url = {https://securityscorecard.com/blog/securityscorecard-finds-usaid-hack-much-larger-than-initially-thought},
language = {English},
urldate = {2021-06-22}
}
SecurityScorecard Finds USAID Hack Much Larger Than Initially Thought
Cobalt Strike |
2021-06-17 ⋅ Binary Defense ⋅ Brandon George
@online{george:20210617:analysis:6e4b8ac,
author = {Brandon George},
title = {{Analysis of Hancitor – When Boring Begets Beacon}},
date = {2021-06-17},
organization = {Binary Defense},
url = {https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon},
language = {English},
urldate = {2021-06-22}
}
Analysis of Hancitor – When Boring Begets Beacon
Cobalt Strike Ficker Stealer Hancitor |
2021-06-16 ⋅ Mandiant ⋅ Tyler McLellan, Robert Dean, Justin Moore, Nick Harbour, Mike Hunhoff, Jared Wilson, Jordan Nuce
@online{mclellan:20210616:smoking:a03a78c,
author = {Tyler McLellan and Robert Dean and Justin Moore and Nick Harbour and Mike Hunhoff and Jared Wilson and Jordan Nuce},
title = {{Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise}},
date = {2021-06-16},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/darkside-affiliate-supply-chain-software-compromise},
language = {English},
urldate = {2021-12-01}
}
Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise
Cobalt Strike SMOKEDHAM |
2021-06-16 ⋅ FireEye ⋅ Tyler McLellan, Robert Dean, Justin Moore, Nick Harbour, Mike Hunhoff, Jared Wilson
@online{mclellan:20210616:smoking:fa6559d,
author = {Tyler McLellan and Robert Dean and Justin Moore and Nick Harbour and Mike Hunhoff and Jared Wilson},
title = {{Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise}},
date = {2021-06-16},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html},
language = {English},
urldate = {2021-12-01}
}
Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise
Cobalt Strike SMOKEDHAM |
2021-06-16 ⋅ Національної поліції України ⋅ Національна поліція України
@online{:20210616:cyberpolice:f455d86,
author = {Національна поліція України},
title = {{Cyberpolice exposes hacker group in spreading encryption virus and causing half a billion dollars in damage to foreign companies}},
date = {2021-06-16},
organization = {Національної поліції України},
url = {https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/},
language = {Ukrainian},
urldate = {2021-06-21}
}
Cyberpolice exposes hacker group in spreading encryption virus and causing half a billion dollars in damage to foreign companies
Clop Cobalt Strike FlawedAmmyy |
2021-06-15 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
@online{researchteam:20210615:hades:e1734d8,
author = {Counter Threat Unit ResearchTeam},
title = {{Hades Ransomware Operators Use Distinctive Tactics and Infrastructure}},
date = {2021-06-15},
organization = {Secureworks},
url = {https://www.secureworks.com/blog/hades-ransomware-operators-use-distinctive-tactics-and-infrastructure},
language = {English},
urldate = {2021-06-21}
}
Hades Ransomware Operators Use Distinctive Tactics and Infrastructure
Cobalt Strike Hades |
2021-06-12 ⋅ Twitter (@AltShiftPrtScn) ⋅ Peter Mackenzie
@online{mackenzie:20210612:thread:eac742a,
author = {Peter Mackenzie},
title = {{A thread on RagnarLocker ransomware group's TTP seen in an Incident Response}},
date = {2021-06-12},
organization = {Twitter (@AltShiftPrtScn)},
url = {https://twitter.com/AltShiftPrtScn/status/1403707430765273095},
language = {English},
urldate = {2021-06-21}
}
A thread on RagnarLocker ransomware group's TTP seen in an Incident Response
Cobalt Strike RagnarLocker |
2021-06-10 ⋅ Group-IB ⋅ Nikita Rostovcev
@online{rostovcev:20210610:big:4d0a5f2,
author = {Nikita Rostovcev},
title = {{Big airline heist APT41 likely behind massive supply chain attack}},
date = {2021-06-10},
organization = {Group-IB},
url = {https://blog.group-ib.com/colunmtk_apt41},
language = {English},
urldate = {2021-06-16}
}
Big airline heist APT41 likely behind massive supply chain attack
Cobalt Strike |
2021-06-09 ⋅ Twitter (@RedDrip7) ⋅ RedDrip7
@online{reddrip7:20210609:in:74f9bac,
author = {RedDrip7},
title = {{Tweet on in the wild exploit of CVE-2021-26868 (according to @_clem1)}},
date = {2021-06-09},
organization = {Twitter (@RedDrip7)},
url = {https://twitter.com/RedDrip7/status/1402640362972147717?s=20},
language = {English},
urldate = {2021-06-21}
}
Tweet on in the wild exploit of CVE-2021-26868 (according to @_clem1)
Cobalt Strike |
2021-06-04 ⋅ Inky ⋅ Roger Kay
@online{kay:20210604:colonial:959c12f,
author = {Roger Kay},
title = {{Colonial Pipeline Ransomware Hack Unleashes Flood of Related Phishing Attempts}},
date = {2021-06-04},
organization = {Inky},
url = {https://www.inky.com/blog/colonial-pipeline-ransomware-hack-unleashes-flood-of-related-phishing-attempts},
language = {English},
urldate = {2021-06-16}
}
Colonial Pipeline Ransomware Hack Unleashes Flood of Related Phishing Attempts
Cobalt Strike |
2021-06-04 ⋅ Twitter (@alex_lanstein) ⋅ Alex Lanstein
@online{lanstein:20210604:unc2652nobelium:460c6ab,
author = {Alex Lanstein},
title = {{Tweet on UNC2652/NOBELIUM targeting IOS users exploiting CVE-2021-1879}},
date = {2021-06-04},
organization = {Twitter (@alex_lanstein)},
url = {https://twitter.com/alex_lanstein/status/1399829754887524354},
language = {English},
urldate = {2021-07-26}
}
Tweet on UNC2652/NOBELIUM targeting IOS users exploiting CVE-2021-1879
Cobalt Strike |
2021-06-02 ⋅ Medium CyCraft ⋅ CyCraft Technology Corp
@online{corp:20210602:chinalinked:487955f,
author = {CyCraft Technology Corp},
title = {{China-Linked Threat Group Targets Taiwan Critical Infrastructure, Smokescreen Ransomware}},
date = {2021-06-02},
organization = {Medium CyCraft},
url = {https://medium.com/cycraft/china-linked-threat-group-targets-taiwan-critical-infrastructure-smokescreen-ransomware-c2a155aa53d5},
language = {English},
urldate = {2021-06-09}
}
China-Linked Threat Group Targets Taiwan Critical Infrastructure, Smokescreen Ransomware
Cobalt Strike ColdLock |
2021-06-02 ⋅ Sophos ⋅ Sean Gallagher
@online{gallagher:20210602:amsi:084d0ba,
author = {Sean Gallagher},
title = {{AMSI bypasses remain tricks of the malware trade}},
date = {2021-06-02},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/},
language = {English},
urldate = {2021-06-09}
}
AMSI bypasses remain tricks of the malware trade
Agent Tesla Cobalt Strike Meterpreter |
2021-06-01 ⋅ Department of Justice ⋅ Office of Public Affairs
@online{affairs:20210601:justice:1ed9656,
author = {Office of Public Affairs},
title = {{Justice Department Announces Court-Authorized Seizure of Domain Names Used in Furtherance of Spear-Phishing Campaign Posing as U.S. Agency for International Development}},
date = {2021-06-01},
organization = {Department of Justice},
url = {https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-seizure-domain-names-used-furtherance-spear},
language = {English},
urldate = {2021-06-09}
}
Justice Department Announces Court-Authorized Seizure of Domain Names Used in Furtherance of Spear-Phishing Campaign Posing as U.S. Agency for International Development
Cobalt Strike |
2021-06-01 ⋅ SANS ⋅ Kevin Haley, Jake Williams
@online{haley:20210601:contrarian:6aff18c,
author = {Kevin Haley and Jake Williams},
title = {{A Contrarian View on SolarWinds}},
date = {2021-06-01},
organization = {SANS},
url = {https://www.sans.org/webcasts/contrarian-view-solarwinds-119515},
language = {English},
urldate = {2021-06-21}
}
A Contrarian View on SolarWinds
Cobalt Strike Raindrop SUNBURST TEARDROP |
2021-06-01 ⋅ SentinelOne ⋅ Juan Andrés Guerrero-Saade
@online{guerrerosaade:20210601:noblebaron:20dd227,
author = {Juan Andrés Guerrero-Saade},
title = {{NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks}},
date = {2021-06-01},
organization = {SentinelOne},
url = {https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/},
language = {English},
urldate = {2021-06-09}
}
NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks
Cobalt Strike |
2021-06-01 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Threat Intelligence Team
@online{mstic:20210601:new:83aee4c,
author = {Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Threat Intelligence Team},
title = {{New sophisticated email-based attack from NOBELIUM}},
date = {2021-06-01},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/},
language = {English},
urldate = {2021-06-09}
}
New sophisticated email-based attack from NOBELIUM
Cobalt Strike |
2021-05-29 ⋅ Twitter (@elisalem9) ⋅ Eli Salem
@online{salem:20210529:obfuscation:f1b68f3,
author = {Eli Salem},
title = {{Tweet on obfuscation mechanism and extraction procedure of COBALTSTRIKE beacon module used by NOBELIUM/UNC2452}},
date = {2021-05-29},
organization = {Twitter (@elisalem9)},
url = {https://twitter.com/elisalem9/status/1398566939656601606},
language = {English},
urldate = {2021-08-02}
}
Tweet on obfuscation mechanism and extraction procedure of COBALTSTRIKE beacon module used by NOBELIUM/UNC2452
Cobalt Strike |
2021-05-28 ⋅ CISA ⋅ US-CERT
@online{uscert:20210528:alert:be89c5f,
author = {US-CERT},
title = {{Alert (AA21-148A): Sophisticated Spearphishing Campaign Targets Government Organizations, IGOs, and NGOs}},
date = {2021-05-28},
organization = {CISA},
url = {https://us-cert.cisa.gov/ncas/alerts/aa21-148a},
language = {English},
urldate = {2021-07-27}
}
Alert (AA21-148A): Sophisticated Spearphishing Campaign Targets Government Organizations, IGOs, and NGOs
Cobalt Strike |
2021-05-28 ⋅ CISA ⋅ US-CERT
@online{uscert:20210528:malware:0913332,
author = {US-CERT},
title = {{Malware Analysis Report (AR21-148A): Cobalt Strike Beacon}},
date = {2021-05-28},
organization = {CISA},
url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-148a},
language = {English},
urldate = {2021-07-19}
}
Malware Analysis Report (AR21-148A): Cobalt Strike Beacon
Cobalt Strike |
2021-05-27 ⋅ Volexity ⋅ Damien Cash, Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair, Thomas Lancaster
@online{cash:20210527:suspected:beb9dd9,
author = {Damien Cash and Josh Grunzweig and Matthew Meltzer and Sean Koessel and Steven Adair and Thomas Lancaster},
title = {{Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns}},
date = {2021-05-27},
organization = {Volexity},
url = {https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/},
language = {English},
urldate = {2021-06-09}
}
Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns
Cobalt Strike |
2021-05-26 ⋅ DeepInstinct ⋅ Ron Ben Yizhak
@online{yizhak:20210526:deep:c123a19,
author = {Ron Ben Yizhak},
title = {{A Deep Dive into Packing Software CryptOne}},
date = {2021-05-26},
organization = {DeepInstinct},
url = {https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/},
language = {English},
urldate = {2021-06-22}
}
A Deep Dive into Packing Software CryptOne
Cobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader |
2021-05-25 ⋅ Huntress Labs ⋅ Matthew Brennan
@online{brennan:20210525:cobalt:c428be0,
author = {Matthew Brennan},
title = {{Cobalt Strikes Again: An Analysis of Obfuscated Malware}},
date = {2021-05-25},
organization = {Huntress Labs},
url = {https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware},
language = {English},
urldate = {2021-06-09}
}
Cobalt Strikes Again: An Analysis of Obfuscated Malware
Cobalt Strike |
2021-05-21 ⋅ blackarrow ⋅ Pablo Ambite
@online{ambite:20210521:leveraging:55f56da,
author = {Pablo Ambite},
title = {{Leveraging Microsoft Teams to persist and cover up Cobalt Strike traffic}},
date = {2021-05-21},
organization = {blackarrow},
url = {https://www.blackarrow.net/leveraging-microsoft-teams-to-persist-and-cover-up-cobalt-strike-traffic/},
language = {English},
urldate = {2021-06-22}
}
Leveraging Microsoft Teams to persist and cover up Cobalt Strike traffic
Cobalt Strike |
2021-05-19 ⋅ Medium Mehmet Ergene ⋅ Mehmet Ergene
@online{ergene:20210519:enterprise:f7fb481,
author = {Mehmet Ergene},
title = {{Enterprise Scale Threat Hunting: Network Beacon Detection with Unsupervised ML and KQL — Part 2}},
date = {2021-05-19},
organization = {Medium Mehmet Ergene},
url = {https://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-ml-and-kql-part-2-bff46cfc1e7e},
language = {English},
urldate = {2021-05-26}
}
Enterprise Scale Threat Hunting: Network Beacon Detection with Unsupervised ML and KQL — Part 2
Cobalt Strike |
2021-05-19 ⋅ Intel 471 ⋅ Intel 471
@online{471:20210519:look:5ba9516,
author = {Intel 471},
title = {{Look how many cybercriminals love Cobalt Strike}},
date = {2021-05-19},
organization = {Intel 471},
url = {https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor},
language = {English},
urldate = {2021-05-19}
}
Look how many cybercriminals love Cobalt Strike
BazarBackdoor Cobalt Strike Hancitor QakBot SmokeLoader SystemBC TrickBot |
2021-05-18 ⋅ Sophos ⋅ John Shier, Mat Gangwer, Greg Iddon, Peter Mackenzie
@online{shier:20210518:active:f313ac5,
author = {John Shier and Mat Gangwer and Greg Iddon and Peter Mackenzie},
title = {{The Active Adversary Playbook 2021}},
date = {2021-05-18},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2021/05/18/the-active-adversary-playbook-2021/?cmp=37153},
language = {English},
urldate = {2021-05-25}
}
The Active Adversary Playbook 2021
Cobalt Strike MimiKatz |
2021-05-17 ⋅ Talos ⋅ Brad Garnett
@online{garnett:20210517:case:a8ef9cf,
author = {Brad Garnett},
title = {{Case Study: Incident Response is a relationship-driven business}},
date = {2021-05-17},
organization = {Talos},
url = {https://blog.talosintelligence.com/2021/05/ctir-case-study.html},
language = {English},
urldate = {2021-05-25}
}
Case Study: Incident Response is a relationship-driven business
Cobalt Strike |
2021-05-16 ⋅ NCSC Ireland ⋅ NCSC Ireland
@techreport{ireland:20210516:ransomware:b091d9b,
author = {NCSC Ireland},
title = {{Ransomware Attack on Health Sector - UPDATE 2021-05-16}},
date = {2021-05-16},
institution = {NCSC Ireland},
url = {https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf},
language = {English},
urldate = {2021-05-17}
}
Ransomware Attack on Health Sector - UPDATE 2021-05-16
Cobalt Strike Conti |
2021-05-14 ⋅ Blue Team Blog ⋅ Auth 0r
@online{0r:20210514:darkside:bf9c5bc,
author = {Auth 0r},
title = {{DarkSide Ransomware Operations – Preventions and Detections.}},
date = {2021-05-14},
organization = {Blue Team Blog},
url = {https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections},
language = {English},
urldate = {2021-05-17}
}
DarkSide Ransomware Operations – Preventions and Detections.
Cobalt Strike DarkSide |
2021-05-14 ⋅ GuidePoint Security ⋅ Drew Schmitt
@online{schmitt:20210514:from:944b5f1,
author = {Drew Schmitt},
title = {{From ZLoader to DarkSide: A Ransomware Story}},
date = {2021-05-14},
organization = {GuidePoint Security},
url = {https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/},
language = {English},
urldate = {2021-05-17}
}
From ZLoader to DarkSide: A Ransomware Story
DarkSide Cobalt Strike Zloader |
2021-05-13 ⋅ AWAKE ⋅ Kieran Evans
@online{evans:20210513:catching:eaa13e2,
author = {Kieran Evans},
title = {{Catching the White Stork in Flight}},
date = {2021-05-13},
organization = {AWAKE},
url = {https://awakesecurity.com/blog/catching-the-white-stork-in-flight/},
language = {English},
urldate = {2021-09-19}
}
Catching the White Stork in Flight
Cobalt Strike MimiKatz RMS |
2021-05-12 ⋅ Medium Mehmet Ergene ⋅ Mehmet Ergene
@online{ergene:20210512:enterprise:09742df,
author = {Mehmet Ergene},
title = {{Enterprise Scale Threat Hunting: Network Beacon Detection with Unsupervised ML and KQL — Part 1}},
date = {2021-05-12},
organization = {Medium Mehmet Ergene},
url = {https://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-machine-learning-and-277c4c30304f},
language = {English},
urldate = {2021-05-26}
}
Enterprise Scale Threat Hunting: Network Beacon Detection with Unsupervised ML and KQL — Part 1
Cobalt Strike |
2021-05-12 ⋅ The DFIR Report
@online{report:20210512:conti:598c5f2,
author = {The DFIR Report},
title = {{Conti Ransomware}},
date = {2021-05-12},
url = {https://thedfirreport.com/2021/05/12/conti-ransomware/},
language = {English},
urldate = {2021-05-13}
}
Conti Ransomware
Cobalt Strike Conti IcedID |
2021-05-11 ⋅ Mal-Eats ⋅ mal_eats
@online{maleats:20210511:campo:0305ab9,
author = {mal_eats},
title = {{Campo, a New Attack Campaign Targeting Japan}},
date = {2021-05-11},
organization = {Mal-Eats},
url = {https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/},
language = {English},
urldate = {2021-06-01}
}
Campo, a New Attack Campaign Targeting Japan
Anchor_DNS BazarBackdoor campoloader Cobalt Strike Phobos Snifula TrickBot Zloader |
2021-05-11 ⋅ FireEye ⋅ Jordan Nuce, Jeremy Kennelly, Kimberly Goody, Andrew Moore, Alyssa Rahman, Brendan McKeague, Jared Wilson
@online{nuce:20210511:shining:339d137,
author = {Jordan Nuce and Jeremy Kennelly and Kimberly Goody and Andrew Moore and Alyssa Rahman and Brendan McKeague and Jared Wilson},
title = {{Shining a Light on DARKSIDE Ransomware Operations}},
date = {2021-05-11},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html},
language = {English},
urldate = {2021-05-13}
}
Shining a Light on DARKSIDE Ransomware Operations
Cobalt Strike DarkSide |
2021-05-10 ⋅ ZERO.BS ⋅ ZEROBS
@online{zerobs:20210510:cobaltstrikebeacons:b7fee54,
author = {ZEROBS},
title = {{Cobaltstrike-Beacons analyzed}},
date = {2021-05-10},
organization = {ZERO.BS},
url = {https://zero.bs/cobaltstrike-beacons-analyzed.html},
language = {English},
urldate = {2021-05-11}
}
Cobaltstrike-Beacons analyzed
Cobalt Strike |
2021-05-10 ⋅ Mal-Eats ⋅ mal_eats
@online{maleats:20210510:overview:50ff3b3,
author = {mal_eats},
title = {{Overview of Campo, a new attack campaign targeting Japan}},
date = {2021-05-10},
organization = {Mal-Eats},
url = {https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/},
language = {English},
urldate = {2021-05-13}
}
Overview of Campo, a new attack campaign targeting Japan
Anchor_DNS BazarBackdoor Cobalt Strike ISFB Phobos TrickBot Zloader |
2021-05-07 ⋅ TEAMT5 ⋅ Aragorn Tseng, Charles Li
@techreport{tseng:20210507:mem2img:494799d,
author = {Aragorn Tseng and Charles Li},
title = {{Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network}},
date = {2021-05-07},
institution = {TEAMT5},
url = {https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf},
language = {English},
urldate = {2021-09-12}
}
Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network
Cobalt Strike PlugX Waterbear |
2021-05-07 ⋅ SophosLabs Uncut ⋅ Rajesh Nataraj
@online{nataraj:20210507:new:79ec788,
author = {Rajesh Nataraj},
title = {{New Lemon Duck variants exploiting Microsoft Exchange Server}},
date = {2021-05-07},
organization = {SophosLabs Uncut},
url = {https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728},
language = {English},
urldate = {2021-05-11}
}
New Lemon Duck variants exploiting Microsoft Exchange Server
CHINACHOPPER Cobalt Strike |
2021-05-07 ⋅ Cisco Talos ⋅ Caitlin Huey, Andrew Windsor, Edmund Brumaghin
@online{huey:20210507:lemon:0d46f81,
author = {Caitlin Huey and Andrew Windsor and Edmund Brumaghin},
title = {{Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs}},
date = {2021-05-07},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html},
language = {English},
urldate = {2021-05-11}
}
Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs
CHINACHOPPER Cobalt Strike |
2021-05-07 ⋅ Medium svch0st ⋅ svch0st
@online{svch0st:20210507:stats:11919e5,
author = {svch0st},
title = {{Stats from Hunting Cobalt Strike Beacons}},
date = {2021-05-07},
organization = {Medium svch0st},
url = {https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b},
language = {English},
urldate = {2021-05-08}
}
Stats from Hunting Cobalt Strike Beacons
Cobalt Strike |
2021-05-06 ⋅ Trend Micro ⋅ Arianne Dela Cruz, Cris Tomboc, Jayson Chong, Nikki Madayag, Sean Torre
@online{cruz:20210506:proxylogon:4920ee4,
author = {Arianne Dela Cruz and Cris Tomboc and Jayson Chong and Nikki Madayag and Sean Torre},
title = {{Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party}},
date = {2021-05-06},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html},
language = {English},
urldate = {2021-05-11}
}
Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party
Prometei BlackKingdom Ransomware CHINACHOPPER Cobalt Strike |
2021-05-05 ⋅ TRUESEC ⋅ Mattias Wåhlén
@online{whln:20210505:are:61bb8a0,
author = {Mattias Wåhlén},
title = {{Are The Notorious Cyber Criminals Evil Corp actually Russian Spies?}},
date = {2021-05-05},
organization = {TRUESEC},
url = {https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/},
language = {English},
urldate = {2021-05-08}
}
Are The Notorious Cyber Criminals Evil Corp actually Russian Spies?
Cobalt Strike Hades WastedLocker |
2021-05-05 ⋅ SophosLabs Uncut ⋅ Andrew Brandt, Peter Mackenzie, Vikas Singh, Gabor Szappanos
@online{brandt:20210505:intervention:f548dee,
author = {Andrew Brandt and Peter Mackenzie and Vikas Singh and Gabor Szappanos},
title = {{Intervention halts a ProxyLogon-enabled attack}},
date = {2021-05-05},
organization = {SophosLabs Uncut},
url = {https://news.sophos.com/en-us/2021/05/05/intervention-halts-a-proxylogon-enabled-attack},
language = {English},
urldate = {2021-05-07}
}
Intervention halts a ProxyLogon-enabled attack
Cobalt Strike |
2021-05-04 ⋅ Medium sergiusechel ⋅ Sergiu Sechel
@online{sechel:20210504:improving:ce4da6d,
author = {Sergiu Sechel},
title = {{Improving the network-based detection of Cobalt Strike C2 servers in the wild while reducing the risk of false positives}},
date = {2021-05-04},
organization = {Medium sergiusechel},
url = {https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468},
language = {English},
urldate = {2021-05-04}
}
Improving the network-based detection of Cobalt Strike C2 servers in the wild while reducing the risk of false positives
Cobalt Strike |
2021-05-02 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20210502:trickbot:242b786,
author = {The DFIR Report},
title = {{Trickbot Brief: Creds and Beacons}},
date = {2021-05-02},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/},
language = {English},
urldate = {2021-05-04}
}
Trickbot Brief: Creds and Beacons
Cobalt Strike TrickBot |
2021-04-29 ⋅ NTT ⋅ Threat Detection NTT Ltd.
@techreport{ltd:20210429:operations:a7ad0d4,
author = {Threat Detection NTT Ltd.},
title = {{The Operations of Winnti group}},
date = {2021-04-29},
institution = {NTT},
url = {https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf},
language = {English},
urldate = {2021-08-09}
}
The Operations of Winnti group
Cobalt Strike ShadowPad Spyder Winnti |
2021-04-27 ⋅ Trend Micro ⋅ Janus Agcaoili, Earle Earnshaw
@online{agcaoili:20210427:legitimate:b293526,
author = {Janus Agcaoili and Earle Earnshaw},
title = {{Legitimate Tools Weaponized for Ransomware in 2021}},
date = {2021-04-27},
organization = {Trend Micro},
url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021},
language = {English},
urldate = {2021-05-03}
}
Legitimate Tools Weaponized for Ransomware in 2021
Cobalt Strike MimiKatz |
2021-04-27 ⋅ Trend Micro ⋅ Janus Agcaoili
@online{agcaoili:20210427:hello:b3c5de5,
author = {Janus Agcaoili},
title = {{Hello Ransomware Uses Updated China Chopper Web Shell, SharePoint Vulnerability}},
date = {2021-04-27},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/d/hello-ransomware-uses-updated-china-chopper-web-shell-sharepoint-vulnerability.html},
language = {English},
urldate = {2021-04-29}
}
Hello Ransomware Uses Updated China Chopper Web Shell, SharePoint Vulnerability
CHINACHOPPER Cobalt Strike |
2021-04-26 ⋅ getrevue ⋅ Twitter (@80vul)
@online{80vul:20210426:hunting:e8be278,
author = {Twitter (@80vul)},
title = {{Hunting Cobalt Strike DNS redirectors by using ZoomEye}},
date = {2021-04-26},
organization = {getrevue},
url = {https://www.getrevue.co/profile/80vul/issues/hunting-cobalt-strike-dns-redirectors-by-using-zoomeye-580734},
language = {English},
urldate = {2021-04-29}
}
Hunting Cobalt Strike DNS redirectors by using ZoomEye
Cobalt Strike |
2021-04-26 ⋅ nviso ⋅ Maxime Thiebaut
@online{thiebaut:20210426:anatomy:0ade0a5,
author = {Maxime Thiebaut},
title = {{Anatomy of Cobalt Strike’s DLL Stager}},
date = {2021-04-26},
organization = {nviso},
url = {https://blog.nviso.eu/2021/04/26/anatomy-of-cobalt-strike-dll-stagers/},
language = {English},
urldate = {2021-04-29}
}
Anatomy of Cobalt Strike’s DLL Stager
Cobalt Strike |
2021-04-24 ⋅ Non-offensive security ⋅ Non-offensive security team
@online{team:20210424:detect:4fab11a,
author = {Non-offensive security team},
title = {{Detect Cobalt Strike server through DNS protocol}},
date = {2021-04-24},
organization = {Non-offensive security},
url = {https://mp.weixin.qq.com/s/peIpPJLt4NuJI1a31S_qbQ},
language = {Chinese},
urldate = {2021-04-29}
}
Detect Cobalt Strike server through DNS protocol
Cobalt Strike |
2021-04-23 ⋅ Twitter (@vikas891) ⋅ Vikas Singh
@online{singh:20210423:doppel:1bfd6da,
author = {Vikas Singh},
title = {{Tweet on DOPPEL SPIDER using Intensive/Multiple Injected Cobalt Strike Beacons with varied polling intervals}},
date = {2021-04-23},
organization = {Twitter (@vikas891)},
url = {https://twitter.com/vikas891/status/1385306823662587905},
language = {English},
urldate = {2021-05-25}
}
Tweet on DOPPEL SPIDER using Intensive/Multiple Injected Cobalt Strike Beacons with varied polling intervals
Cobalt Strike DoppelPaymer |
2021-04-22 ⋅ Twitter (@AltShiftPrtScn) ⋅ Peter Mackenzie
@online{mackenzie:20210422:twwet:62355c6,
author = {Peter Mackenzie},
title = {{Twwet On TTPs seen in IR used by DOPPEL SPIDER}},
date = {2021-04-22},
organization = {Twitter (@AltShiftPrtScn)},
url = {https://twitter.com/AltShiftPrtScn/status/1385103712918642688},
language = {English},
urldate = {2021-05-25}
}
Twwet On TTPs seen in IR used by DOPPEL SPIDER
Cobalt Strike DoppelPaymer |
2021-04-21 ⋅ SophosLabs Uncut ⋅ Sean Gallagher, Suriya Natarajan, Anand Aijan, Michael Wood, Sivagnanam Gn, Markel Picado, Andrew Brandt
@online{gallagher:20210421:nearly:53964a7,
author = {Sean Gallagher and Suriya Natarajan and Anand Aijan and Michael Wood and Sivagnanam Gn and Markel Picado and Andrew Brandt},
title = {{Nearly half of malware now use TLS to conceal communications}},
date = {2021-04-21},
organization = {SophosLabs Uncut},
url = {https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/},
language = {English},
urldate = {2021-04-28}
}
Nearly half of malware now use TLS to conceal communications
Agent Tesla Cobalt Strike Dridex SystemBC |
2021-04-20 ⋅ Medium walmartglobaltech ⋅ Jason Reaves
@online{reaves:20210420:cobaltstrike:d18d4c4,
author = {Jason Reaves},
title = {{CobaltStrike Stager Utilizing Floating Point Math}},
date = {2021-04-20},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/cobaltstrike-stager-utilizing-floating-point-math-9bc13f9b9718},
language = {English},
urldate = {2021-04-20}
}
CobaltStrike Stager Utilizing Floating Point Math
Cobalt Strike |
2021-04-19 ⋅ Netresec ⋅ Erik Hjelmvik
@online{hjelmvik:20210419:analysing:c6bff49,
author = {Erik Hjelmvik},
title = {{Analysing a malware PCAP with IcedID and Cobalt Strike traffic}},
date = {2021-04-19},
organization = {Netresec},
url = {https://netresec.com/?b=214d7ff},
language = {English},
urldate = {2021-04-20}
}
Analysing a malware PCAP with IcedID and Cobalt Strike traffic
Cobalt Strike IcedID |
2021-04-18 ⋅ YouTube (dist67) ⋅ Didier Stevens
@online{stevens:20210418:decoding:18e5319,
author = {Didier Stevens},
title = {{Decoding Cobalt Strike Traffic}},
date = {2021-04-18},
organization = {YouTube (dist67)},
url = {https://www.youtube.com/watch?v=ysN-MqyIN7M},
language = {English},
urldate = {2021-04-20}
}
Decoding Cobalt Strike Traffic
Cobalt Strike |
2021-04-14 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
@online{duncan:20210414:april:4a29cb5,
author = {Brad Duncan},
title = {{April 2021 Forensic Quiz: Answers and Analysis}},
date = {2021-04-14},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/27308},
language = {English},
urldate = {2021-04-14}
}
April 2021 Forensic Quiz: Answers and Analysis
Anchor BazarBackdoor Cobalt Strike |
2021-04-09 ⋅ F-Secure ⋅ Riccardo Ancarani, Giulio Ginesi
@online{ancarani:20210409:detecting:01d28ed,
author = {Riccardo Ancarani and Giulio Ginesi},
title = {{Detecting Exposed Cobalt Strike DNS Redirectors}},
date = {2021-04-09},
organization = {F-Secure},
url = {https://labs.f-secure.com/blog/detecting-exposed-cobalt-strike-dns-redirectors},
language = {English},
urldate = {2021-04-14}
}
Detecting Exposed Cobalt Strike DNS Redirectors
Cobalt Strike |
2021-04-07 ⋅ Medium sixdub ⋅ Justin Warner
@online{warner:20210407:using:a7d19fd,
author = {Justin Warner},
title = {{Using Kaitai Struct to Parse Cobalt Strike Beacon Configs}},
date = {2021-04-07},
organization = {Medium sixdub},
url = {https://sixdub.medium.com/using-kaitai-to-parse-cobalt-strike-beacon-configs-f5f0552d5a6e},
language = {English},
urldate = {2021-04-09}
}
Using Kaitai Struct to Parse Cobalt Strike Beacon Configs
Cobalt Strike |
2021-04-05 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt
@online{reaves:20210405:trickbot:a6b0592,
author = {Jason Reaves and Joshua Platt},
title = {{TrickBot Crews New CobaltStrike Loader}},
date = {2021-04-05},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c},
language = {English},
urldate = {2021-04-06}
}
TrickBot Crews New CobaltStrike Loader
Cobalt Strike TrickBot |
2021-04-01 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan
@online{duncan:20210401:hancitors:8876ca1,
author = {Brad Duncan},
title = {{Hancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool}},
date = {2021-04-01},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/},
language = {English},
urldate = {2021-04-06}
}
Hancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool
Cobalt Strike Hancitor |
2021-04-01 ⋅ DomainTools ⋅ Joe Slowik
@online{slowik:20210401:covid19:6a96e45,
author = {Joe Slowik},
title = {{COVID-19 Phishing With a Side of Cobalt Strike}},
date = {2021-04-01},
organization = {DomainTools},
url = {https://www.domaintools.com/resources/blog/covid-19-phishing-with-a-side-of-cobalt-strike#},
language = {English},
urldate = {2021-04-06}
}
COVID-19 Phishing With a Side of Cobalt Strike
Cobalt Strike |
2021-03-31 ⋅ Red Canary ⋅ Red Canary
@techreport{canary:20210331:2021:cd81f2d,
author = {Red Canary},
title = {{2021 Threat Detection Report}},
date = {2021-03-31},
institution = {Red Canary},
url = {https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf},
language = {English},
urldate = {2021-04-06}
}
2021 Threat Detection Report
Shlayer Andromeda Cobalt Strike Dridex Emotet IcedID MimiKatz QakBot TrickBot |
2021-03-30 ⋅ GuidePoint Security ⋅ Drew Schmitt
@online{schmitt:20210330:yet:9855592,
author = {Drew Schmitt},
title = {{Yet Another Cobalt Strike Stager: GUID Edition}},
date = {2021-03-30},
organization = {GuidePoint Security},
url = {https://www.guidepointsecurity.com/yet-another-cobalt-strike-loader-guid-edition/},
language = {English},
urldate = {2021-04-06}
}
Yet Another Cobalt Strike Stager: GUID Edition
Cobalt Strike |
2021-03-29 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20210329:sodinokibi:4c63e20,
author = {The DFIR Report},
title = {{Sodinokibi (aka REvil) Ransomware}},
date = {2021-03-29},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/},
language = {English},
urldate = {2021-03-30}
}
Sodinokibi (aka REvil) Ransomware
Cobalt Strike IcedID REvil |
2021-03-21 ⋅ YouTube (dist67) ⋅ Didier Stevens
@online{stevens:20210321:finding:92a9a4d,
author = {Didier Stevens},
title = {{Finding Metasploit & Cobalt Strike URLs}},
date = {2021-03-21},
organization = {YouTube (dist67)},
url = {https://www.youtube.com/watch?v=WW0_TgWT2gs},
language = {English},
urldate = {2021-03-25}
}
Finding Metasploit & Cobalt Strike URLs
Cobalt Strike |
2021-03-21 ⋅ Blackberry ⋅ Blackberry Research
@techreport{research:20210321:2021:a393473,
author = {Blackberry Research},
title = {{2021 Threat Report}},
date = {2021-03-21},
institution = {Blackberry},
url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf},
language = {English},
urldate = {2021-03-25}
}
2021 Threat Report
Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot |
2021-03-18 ⋅ DeepInstinct ⋅ Ben Gross
@online{gross:20210318:cobalt:5392fb0,
author = {Ben Gross},
title = {{Cobalt Strike – Post-Exploitation Attackers Toolkit}},
date = {2021-03-18},
organization = {DeepInstinct},
url = {https://www.deepinstinct.com/2021/03/18/cobalt-strike-post-exploitation-attackers-toolkit/},
language = {English},
urldate = {2021-06-22}
}
Cobalt Strike – Post-Exploitation Attackers Toolkit
Cobalt Strike |
2021-03-18 ⋅ PRODAFT Threat Intelligence ⋅ PRODAFT
@techreport{prodaft:20210318:silverfish:f203208,
author = {PRODAFT},
title = {{SilverFish GroupThreat Actor Report}},
date = {2021-03-18},
institution = {PRODAFT Threat Intelligence},
url = {https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf},
language = {English},
urldate = {2021-04-06}
}
SilverFish GroupThreat Actor Report
Cobalt Strike Dridex Koadic |
2021-03-16 ⋅ McAfee ⋅ McAfee ATR
@techreport{atr:20210316:technical:8c4909a,
author = {McAfee ATR},
title = {{Technical Analysis of Operation Diànxùn}},
date = {2021-03-16},
institution = {McAfee},
url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf},
language = {English},
urldate = {2021-03-22}
}
Technical Analysis of Operation Diànxùn
Cobalt Strike |
2021-03-16 ⋅ Elastic ⋅ Joe Desimone
@online{desimone:20210316:detecting:4091130,
author = {Joe Desimone},
title = {{Detecting Cobalt Strike with memory signatures}},
date = {2021-03-16},
organization = {Elastic},
url = {https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures},
language = {English},
urldate = {2021-03-22}
}
Detecting Cobalt Strike with memory signatures
Cobalt Strike |
2021-03-11 ⋅ Cyborg Security ⋅ Josh Campbell
@online{campbell:20210311:you:7bd2342,
author = {Josh Campbell},
title = {{You Don't Know the HAFNIUM of it...}},
date = {2021-03-11},
organization = {Cyborg Security},
url = {https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/},
language = {English},
urldate = {2021-03-16}
}
You Don't Know the HAFNIUM of it...
CHINACHOPPER Cobalt Strike PowerCat |
2021-03-11 ⋅ Qurium ⋅ Qurium
@online{qurium:20210311:myanmar:7bfc8ce,
author = {Qurium},
title = {{Myanmar – Multi-stage malware attack targets elected lawmakers}},
date = {2021-03-11},
organization = {Qurium},
url = {https://www.qurium.org/alerts/targeted-malware-against-crph/},
language = {English},
urldate = {2021-06-21}
}
Myanmar – Multi-stage malware attack targets elected lawmakers
Cobalt Strike |
2021-03-10 ⋅ Proofpoint ⋅ Dennis Schwarz, Matthew Mesa, Proofpoint Threat Research Team
@online{schwarz:20210310:nimzaloader:f6960d4,
author = {Dennis Schwarz and Matthew Mesa and Proofpoint Threat Research Team},
title = {{NimzaLoader: TA800’s New Initial Access Malware}},
date = {2021-03-10},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware},
language = {English},
urldate = {2021-03-12}
}
NimzaLoader: TA800’s New Initial Access Malware
BazarNimrod Cobalt Strike |
2021-03-09 ⋅ splunk ⋅ Security Research Team
@online{team:20210309:cloud:4deeb78,
author = {Security Research Team},
title = {{Cloud Federated Credential Abuse & Cobalt Strike: Threat Research February 2021}},
date = {2021-03-09},
organization = {splunk},
url = {https://www.splunk.com/en_us/blog/security/cloud-federated-credential-abuse-cobalt-strike-threat-research-feb-2021.html},
language = {English},
urldate = {2021-03-11}
}
Cloud Federated Credential Abuse & Cobalt Strike: Threat Research February 2021
Cobalt Strike |
2021-03-08 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20210308:bazar:ba050d7,
author = {The DFIR Report},
title = {{Bazar Drops the Anchor}},
date = {2021-03-08},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/},
language = {English},
urldate = {2021-03-10}
}
Bazar Drops the Anchor
Anchor BazarBackdoor Cobalt Strike |
2021-03-08 ⋅ Youtube (SANS Digital Forensics and Incident Response) ⋅ Katie Nickels, Adam Pennington, Jen Burns
@online{nickels:20210308:star:083eb29,
author = {Katie Nickels and Adam Pennington and Jen Burns},
title = {{STAR Webcast: Making sense of SolarWinds through the lens of MITRE ATT&CK(R)}},
date = {2021-03-08},
organization = {Youtube (SANS Digital Forensics and Incident Response)},
url = {https://www.youtube.com/watch?v=LA-XE5Jy2kU},
language = {English},
urldate = {2021-03-11}
}
STAR Webcast: Making sense of SolarWinds through the lens of MITRE ATT&CK(R)
Cobalt Strike SUNBURST TEARDROP |
2021-03-07 ⋅ InfoSec Handlers Diary Blog ⋅ Didier Stevens
@online{stevens:20210307:pcaps:980212d,
author = {Didier Stevens},
title = {{PCAPs and Beacons}},
date = {2021-03-07},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/rss/27176},
language = {English},
urldate = {2021-03-11}
}
PCAPs and Beacons
Cobalt Strike |
2021-03-01 ⋅ Medium walmartglobaltech ⋅ Joshua Platt, Jason Reaves
@online{platt:20210301:nimar:c26af08,
author = {Joshua Platt and Jason Reaves},
title = {{Nimar Loader}},
date = {2021-03-01},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e},
language = {English},
urldate = {2021-03-04}
}
Nimar Loader
BazarBackdoor BazarNimrod Cobalt Strike |
2021-03-01 ⋅ Medium walmartglobaltech ⋅ Joshua Platt, Jason Reaves
@online{platt:20210301:investigation:a7851d5,
author = {Joshua Platt and Jason Reaves},
title = {{Investigation into the state of Nim malware}},
date = {2021-03-01},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811},
language = {English},
urldate = {2021-03-04}
}
Investigation into the state of Nim malware
BazarNimrod Cobalt Strike |
2021-02-26 ⋅ CrowdStrike ⋅ Eric Loui, Sergei Frankoff
@online{loui:20210226:hypervisor:8dadf9c,
author = {Eric Loui and Sergei Frankoff},
title = {{Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact}},
date = {2021-02-26},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout},
language = {English},
urldate = {2021-05-26}
}
Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
DarkSide RansomEXX Griffon Carbanak Cobalt Strike DarkSide IcedID MimiKatz PyXie RansomEXX REvil |
2021-02-25 ⋅ FireEye ⋅ Bryce Abdo, Brendan McKeague, Van Ta
@online{abdo:20210225:so:88f3400,
author = {Bryce Abdo and Brendan McKeague and Van Ta},
title = {{So Unchill: Melting UNC2198 ICEDID to Ransomware Operations}},
date = {2021-02-25},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html},
language = {English},
urldate = {2021-03-02}
}
So Unchill: Melting UNC2198 ICEDID to Ransomware Operations
MOUSEISLAND Cobalt Strike Egregor IcedID Maze SystemBC |
2021-02-24 ⋅ Github (AmnestyTech) ⋅ Amnesty International
@online{international:20210224:overview:95b80e0,
author = {Amnesty International},
title = {{Overview of Ocean Lotus Samples used to target Vietnamese Human Rights Defenders}},
date = {2021-02-24},
organization = {Github (AmnestyTech)},
url = {https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam},
language = {English},
urldate = {2021-02-25}
}
Overview of Ocean Lotus Samples used to target Vietnamese Human Rights Defenders
OceanLotus Cobalt Strike KerrDown |
2021-02-24 ⋅ VMWare Carbon Black ⋅ Takahiro Haruyama
@techreport{haruyama:20210224:knock:f4903a2,
author = {Takahiro Haruyama},
title = {{Knock, knock, Neo. - Active C2 Discovery Using Protocol Emulation}},
date = {2021-02-24},
institution = {VMWare Carbon Black},
url = {https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_201_haruyama_jp.pdf},
language = {Japanese},
urldate = {2021-02-26}
}
Knock, knock, Neo. - Active C2 Discovery Using Protocol Emulation
Cobalt Strike |
2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f,
author = {CrowdStrike},
title = {{2021 Global Threat Report}},
date = {2021-02-23},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf},
language = {English},
urldate = {2021-02-25}
}
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER |
2021-02-11 ⋅ Twitter (@TheDFIRReport) ⋅ The DFIR Report
@online{report:20210211:hancitor:9fa527e,
author = {The DFIR Report},
title = {{Tweet on Hancitor Activity followed by cobaltsrike beacon}},
date = {2021-02-11},
organization = {Twitter (@TheDFIRReport)},
url = {https://twitter.com/TheDFIRReport/status/1359669513520873473},
language = {English},
urldate = {2021-02-18}
}
Tweet on Hancitor Activity followed by cobaltsrike beacon
Cobalt Strike Hancitor |
2021-02-09 ⋅ Cobalt Strike ⋅ Raphael Mudge
@online{mudge:20210209:learn:c08b657,
author = {Raphael Mudge},
title = {{Learn Pipe Fitting for all of your Offense Projects}},
date = {2021-02-09},
organization = {Cobalt Strike},
url = {https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/},
language = {English},
urldate = {2021-02-10}
}
Learn Pipe Fitting for all of your Offense Projects
Cobalt Strike |
2021-02-09 ⋅ Securehat ⋅ Securehat
@online{securehat:20210209:extracting:0f4ae2f,
author = {Securehat},
title = {{Extracting the Cobalt Strike Config from a TEARDROP Loader}},
date = {2021-02-09},
organization = {Securehat},
url = {https://blog.securehat.co.uk/malware-analysis/extracting-the-cobalt-strike-config-from-a-teardrop-loader},
language = {English},
urldate = {2021-02-10}
}
Extracting the Cobalt Strike Config from a TEARDROP Loader
Cobalt Strike TEARDROP |
2021-02-03 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
@online{duncan:20210203:excel:8e949c9,
author = {Brad Duncan},
title = {{Excel spreadsheets push SystemBC malware}},
date = {2021-02-03},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/},
language = {English},
urldate = {2021-02-04}
}
Excel spreadsheets push SystemBC malware
Cobalt Strike SystemBC |
2021-02-02 ⋅ Committee to Protect Journalists ⋅ Madeline Earp
@online{earp:20210202:how:923f969,
author = {Madeline Earp},
title = {{How Vietnam-based hacking operation OceanLotus targets journalists}},
date = {2021-02-02},
organization = {Committee to Protect Journalists},
url = {https://cpj.org/2021/02/vietnam-based-hacking-oceanlotus-targets-journalists},
language = {English},
urldate = {2021-02-04}
}
How Vietnam-based hacking operation OceanLotus targets journalists
Cobalt Strike |
2021-02-02 ⋅ CRONUP ⋅ Germán Fernández
@online{fernndez:20210202:de:6ff4f3a,
author = {Germán Fernández},
title = {{De ataque con Malware a incidente de Ransomware}},
date = {2021-02-02},
organization = {CRONUP},
url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware},
language = {Spanish},
urldate = {2021-03-02}
}
De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader |
2021-02-02 ⋅ Twitter (@TheDFIRReport) ⋅ The DFIR Report
@online{report:20210202:recent:5272ed0,
author = {The DFIR Report},
title = {{Tweet on recent dridex post infection activity}},
date = {2021-02-02},
organization = {Twitter (@TheDFIRReport)},
url = {https://twitter.com/TheDFIRReport/status/1356729371931860992},
language = {English},
urldate = {2021-02-04}
}
Tweet on recent dridex post infection activity
Cobalt Strike Dridex |
2021-02-01 ⋅ pkb1s.github.io ⋅ Petros Koutroumpis
@online{koutroumpis:20210201:relay:596413f,
author = {Petros Koutroumpis},
title = {{Relay Attacks via Cobalt Strike Beacons}},
date = {2021-02-01},
organization = {pkb1s.github.io},
url = {https://pkb1s.github.io/Relay-attacks-via-Cobalt-Strike-beacons/},
language = {English},
urldate = {2021-02-04}
}
Relay Attacks via Cobalt Strike Beacons
Cobalt Strike |
2021-02-01 ⋅ AhnLab ⋅ ASEC Analysis Team
@online{team:20210201:bluecrab:df21c0a,
author = {ASEC Analysis Team},
title = {{BlueCrab ransomware, CobaltStrike hacking tool installed in corporate environment}},
date = {2021-02-01},
organization = {AhnLab},
url = {https://asec.ahnlab.com/ko/19860/},
language = {English},
urldate = {2021-02-06}
}
BlueCrab ransomware, CobaltStrike hacking tool installed in corporate environment
Cobalt Strike REvil |
2021-01-31 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20210131:bazar:c3b3859,
author = {The DFIR Report},
title = {{Bazar, No Ryuk?}},
date = {2021-01-31},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/01/31/bazar-no-ryuk/},
language = {English},
urldate = {2021-02-02}
}
Bazar, No Ryuk?
BazarBackdoor Cobalt Strike Ryuk |
2021-01-28 ⋅ TrustedSec ⋅ Adam Chester
@online{chester:20210128:tailoring:d3f973c,
author = {Adam Chester},
title = {{Tailoring Cobalt Strike on Target}},
date = {2021-01-28},
organization = {TrustedSec},
url = {https://www.trustedsec.com/blog/tailoring-cobalt-strike-on-target/},
language = {English},
urldate = {2021-01-29}
}
Tailoring Cobalt Strike on Target
Cobalt Strike |
2021-01-28 ⋅ AhnLab ⋅ ASEC Analysis Team
@online{team:20210128:bluecrab:44d2e64,
author = {ASEC Analysis Team},
title = {{BlueCrab ransomware constantly trying to bypass detection}},
date = {2021-01-28},
organization = {AhnLab},
url = {https://asec.ahnlab.com/ko/19640/},
language = {Korean},
urldate = {2021-02-04}
}
BlueCrab ransomware constantly trying to bypass detection
Cobalt Strike REvil |
2021-01-26 ⋅ Twitter (@swisscom_csirt) ⋅ Swisscom CSIRT
@online{csirt:20210126:cring:f12c487,
author = {Swisscom CSIRT},
title = {{Tweet on Cring Ransomware groups using customized Mimikatz sample followed by CobaltStrike and dropping Cring rasomware}},
date = {2021-01-26},
organization = {Twitter (@swisscom_csirt)},
url = {https://twitter.com/swisscom_csirt/status/1354052879158571008},
language = {English},
urldate = {2021-01-27}
}
Tweet on Cring Ransomware groups using customized Mimikatz sample followed by CobaltStrike and dropping Cring rasomware
Cobalt Strike Cring MimiKatz |
2021-01-20 ⋅ Microsoft ⋅ Microsoft 365 Defender Research Team, Microsoft Threat Intelligence Center (MSTIC), Microsoft Cyber Defense Operations Center (CDOC)
@online{team:20210120:deep:1cc0551,
author = {Microsoft 365 Defender Research Team and Microsoft Threat Intelligence Center (MSTIC) and Microsoft Cyber Defense Operations Center (CDOC)},
title = {{Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop}},
date = {2021-01-20},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/},
language = {English},
urldate = {2021-01-21}
}
Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop
Cobalt Strike SUNBURST TEARDROP |
2021-01-18 ⋅ Symantec ⋅ Threat Hunter Team
@online{team:20210118:raindrop:9ab1262,
author = {Threat Hunter Team},
title = {{Raindrop: New Malware Discovered in SolarWinds Investigation}},
date = {2021-01-18},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware},
language = {English},
urldate = {2021-01-21}
}
Raindrop: New Malware Discovered in SolarWinds Investigation
Cobalt Strike Raindrop SUNBURST TEARDROP |
2021-01-17 ⋅ Twitter (@AltShiftPrtScn) ⋅ Peter Mackenzie
@online{mackenzie:20210117:conti:db7f1cb,
author = {Peter Mackenzie},
title = {{Tweet on Conti Ransomware group exploiting FortiGate VPNs to drop in CobaltStrike loaders}},
date = {2021-01-17},
organization = {Twitter (@AltShiftPrtScn)},
url = {https://twitter.com/AltShiftPrtScn/status/1350755169965924352},
language = {English},
urldate = {2021-01-21}
}
Tweet on Conti Ransomware group exploiting FortiGate VPNs to drop in CobaltStrike loaders
Cobalt Strike Conti |
2021-01-15 ⋅ Medium Dansec ⋅ Dan Lussier
@online{lussier:20210115:detecting:fecd6c3,
author = {Dan Lussier},
title = {{Detecting Malicious C2 Activity -SpawnAs & SMB Lateral Movement in CobaltStrike}},
date = {2021-01-15},
organization = {Medium Dansec},
url = {https://dansec.medium.com/detecting-malicious-c2-activity-spawnas-smb-lateral-movement-in-cobaltstrike-9d518e68b64},
language = {English},
urldate = {2021-01-21}
}
Detecting Malicious C2 Activity -SpawnAs & SMB Lateral Movement in CobaltStrike
Cobalt Strike |
2021-01-14 ⋅ PTSecurity ⋅ PT ESC Threat Intelligence
@online{intelligence:20210114:higaisa:4676ec7,
author = {PT ESC Threat Intelligence},
title = {{Higaisa or Winnti? APT41 backdoors, old and new}},
date = {2021-01-14},
organization = {PTSecurity},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/},
language = {English},
urldate = {2021-02-09}
}
Higaisa or Winnti? APT41 backdoors, old and new
Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad |
2021-01-12 ⋅ BrightTALK (FireEye) ⋅ Ben Read, John Hultquist
@online{read:20210112:unc2452:6e54c6c,
author = {Ben Read and John Hultquist},
title = {{UNC2452: What We Know So Far}},
date = {2021-01-12},
organization = {BrightTALK (FireEye)},
url = {https://www.brighttalk.com/webcast/7451/462719},
language = {English},
urldate = {2021-01-18}
}
UNC2452: What We Know So Far
Cobalt Strike SUNBURST TEARDROP |
2021-01-12 ⋅ Fox-IT ⋅ Wouter Jansen
@online{jansen:20210112:abusing:c38eeb6,
author = {Wouter Jansen},
title = {{Abusing cloud services to fly under the radar}},
date = {2021-01-12},
organization = {Fox-IT},
url = {https://blog.fox-it.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/},
language = {English},
urldate = {2021-01-18}
}
Abusing cloud services to fly under the radar
Cobalt Strike |
2021-01-11 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20210111:trickbot:d1011f9,
author = {The DFIR Report},
title = {{Trickbot Still Alive and Well}},
date = {2021-01-11},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/},
language = {English},
urldate = {2021-01-11}
}
Trickbot Still Alive and Well
Cobalt Strike TrickBot |
2021-01-11 ⋅ SolarWinds ⋅ Sudhakar Ramakrishna
@online{ramakrishna:20210111:new:296b621,
author = {Sudhakar Ramakrishna},
title = {{New Findings From Our Investigation of SUNBURST}},
date = {2021-01-11},
organization = {SolarWinds},
url = {https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/},
language = {English},
urldate = {2021-01-18}
}
New Findings From Our Investigation of SUNBURST
Cobalt Strike SUNBURST TEARDROP |
2021-01-10 ⋅ Medium walmartglobaltech ⋅ Jason Reaves
@online{reaves:20210110:man1:54a4162,
author = {Jason Reaves},
title = {{MAN1, Moskal, Hancitor and a side of Ransomware}},
date = {2021-01-10},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618},
language = {English},
urldate = {2021-01-11}
}
MAN1, Moskal, Hancitor and a side of Ransomware
Cobalt Strike Hancitor SendSafe VegaLocker |
2021-01-09 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli
@online{ramilli:20210109:command:d720b27,
author = {Marco Ramilli},
title = {{Command and Control Traffic Patterns}},
date = {2021-01-09},
organization = {Marco Ramilli's Blog},
url = {https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/},
language = {English},
urldate = {2021-05-17}
}
Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot |
2021-01-09 ⋅ Connor McGarr's Blog ⋅ Connor McGarr
@online{mcgarr:20210109:malware:dde1353,
author = {Connor McGarr},
title = {{Malware Development: Leveraging Beacon Object Files for Remote Process Injection via Thread Hijacking}},
date = {2021-01-09},
organization = {Connor McGarr's Blog},
url = {https://connormcgarr.github.io/thread-hijacking/},
language = {English},
urldate = {2021-01-11}
}
Malware Development: Leveraging Beacon Object Files for Remote Process Injection via Thread Hijacking
Cobalt Strike |
2021-01-07 ⋅ Recorded Future ⋅ Insikt Group®
@techreport{group:20210107:aversary:9771829,
author = {Insikt Group®},
title = {{Aversary Infrastructure Report 2020: A Defender's View}},
date = {2021-01-07},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf},
language = {English},
urldate = {2021-01-11}
}
Aversary Infrastructure Report 2020: A Defender's View
Octopus pupy Cobalt Strike Empire Downloader Meterpreter PoshC2 |
2021-01-06 ⋅ Red Canary ⋅ Tony Lambert
@online{lambert:20210106:hunting:272410b,
author = {Tony Lambert},
title = {{Hunting for GetSystem in offensive security tools}},
date = {2021-01-06},
organization = {Red Canary},
url = {https://redcanary.com/blog/getsystem-offsec/},
language = {English},
urldate = {2021-01-11}
}
Hunting for GetSystem in offensive security tools
Cobalt Strike Empire Downloader Meterpreter PoshC2 |
2021-01-05 ⋅ Trend Micro ⋅ Trend Micro Research
@online{research:20210105:earth:d7bb547,
author = {Trend Micro Research},
title = {{Earth Wendigo Injects JavaScript Backdoor to Service Worker for Mailbox Exfiltration}},
date = {2021-01-05},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html},
language = {English},
urldate = {2021-01-10}
}
Earth Wendigo Injects JavaScript Backdoor to Service Worker for Mailbox Exfiltration
Cobalt Strike |
2021-01-04 ⋅ Medium haggis-m ⋅ Michael Haag
@online{haag:20210104:malleable:ab64356,
author = {Michael Haag},
title = {{Malleable C2 Profiles and You}},
date = {2021-01-04},
organization = {Medium haggis-m},
url = {https://haggis-m.medium.com/malleable-c2-profiles-and-you-7c7ab43e7929},
language = {English},
urldate = {2021-01-05}
}
Malleable C2 Profiles and You
Cobalt Strike |
2021 ⋅ Mandiant ⋅ Mandiant
@online{mandiant:2021:mtrends:4d981a4,
author = {Mandiant},
title = {{M-TRENDS 2021}},
date = {2021},
organization = {Mandiant},
url = {https://www.mandiant.com/media/10916/download},
language = {English},
urldate = {2021-11-02}
}
M-TRENDS 2021
Cobalt Strike SUNBURST |
2021 ⋅ Talos ⋅ Talos Incident Response
@techreport{response:2021:evicting:c795470,
author = {Talos Incident Response},
title = {{Evicting Maze}},
date = {2021},
institution = {Talos},
url = {https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/543/original/CTIR_casestudy_1.pdf},
language = {English},
urldate = {2021-05-26}
}
Evicting Maze
Cobalt Strike Maze |
2021 ⋅ Github (WBGlIl) ⋅ WBGlIl
@online{wbglil:2021:book:7ff34b3,
author = {WBGlIl},
title = {{A book on cobaltstrike}},
date = {2021},
organization = {Github (WBGlIl)},
url = {https://wbglil.gitbook.io/cobalt-strike/},
language = {Chinese},
urldate = {2021-11-29}
}
A book on cobaltstrike
Cobalt Strike |
2021 ⋅ Talos ⋅ Talos Incident Response
@techreport{response:2021:cobalt:f4412fa,
author = {Talos Incident Response},
title = {{Cobalt Strikes Out}},
date = {2021},
institution = {Talos},
url = {https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/542/original/CTIR_casestudy_2.pdf},
language = {English},
urldate = {2021-05-26}
}
Cobalt Strikes Out
Cobalt Strike |
2021 ⋅ SecureWorks
@online{secureworks:2021:threat:dbd7ed7,
author = {SecureWorks},
title = {{Threat Profile: GOLD DRAKE}},
date = {2021},
url = {http://www.secureworks.com/research/threat-profiles/gold-drake},
language = {English},
urldate = {2021-05-28}
}
Threat Profile: GOLD DRAKE
Cobalt Strike Dridex FriedEx Koadic MimiKatz WastedLocker Evil Corp |
2021 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2021:threat:bce1d06,
author = {SecureWorks},
title = {{Threat Profile: GOLD WINTER}},
date = {2021},
organization = {Secureworks},
url = {http://www.secureworks.com/research/threat-profiles/gold-winter},
language = {English},
urldate = {2021-05-31}
}
Threat Profile: GOLD WINTER
Cobalt Strike Hades Meterpreter GOLD WINTER |
2021 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2021:threat:45f61e0,
author = {SecureWorks},
title = {{Threat Profile: GOLD WATERFALL}},
date = {2021},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/gold-waterfall},
language = {English},
urldate = {2021-05-31}
}
Threat Profile: GOLD WATERFALL
Cobalt Strike DarkSide GOLD WATERFALL |
2020-12-26 ⋅ Medium grimminck ⋅ Stefan Grimminck
@online{grimminck:20201226:spoofing:a0a5622,
author = {Stefan Grimminck},
title = {{Spoofing JARM signatures. I am the Cobalt Strike server now!}},
date = {2020-12-26},
organization = {Medium grimminck},
url = {https://grimminck.medium.com/spoofing-jarm-signatures-i-am-the-cobalt-strike-server-now-a27bd549fc6b},
language = {English},
urldate = {2021-01-01}
}
Spoofing JARM signatures. I am the Cobalt Strike server now!
Cobalt Strike |
2020-12-22 ⋅ TRUESEC ⋅ Mattias Wåhlén
@online{whln:20201222:collaboration:5d2ad28,
author = {Mattias Wåhlén},
title = {{Collaboration between FIN7 and the RYUK group, a Truesec Investigation}},
date = {2020-12-22},
organization = {TRUESEC},
url = {https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/},
language = {English},
urldate = {2021-01-01}
}
Collaboration between FIN7 and the RYUK group, a Truesec Investigation
Carbanak Cobalt Strike Ryuk |
2020-12-21 ⋅ Fortinet ⋅ Udi Yavo
@online{yavo:20201221:what:716b31d,
author = {Udi Yavo},
title = {{What We Have Learned So Far about the “Sunburst”/SolarWinds Hack}},
date = {2020-12-21},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack},
language = {English},
urldate = {2021-01-18}
}
What We Have Learned So Far about the “Sunburst”/SolarWinds Hack
Cobalt Strike SUNBURST TEARDROP |
2020-12-20 ⋅ Randhome ⋅ Etienne Maynier
@online{maynier:20201220:analyzing:3e15960,
author = {Etienne Maynier},
title = {{Analyzing Cobalt Strike for Fun and Profit}},
date = {2020-12-20},
organization = {Randhome},
url = {https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/},
language = {English},
urldate = {2020-12-23}
}
Analyzing Cobalt Strike for Fun and Profit
Cobalt Strike |
2020-12-15 ⋅ Github (sophos-cybersecurity) ⋅ Sophos Cyber Security Team
@online{team:20201215:solarwindsthreathunt:4357421,
author = {Sophos Cyber Security Team},
title = {{solarwinds-threathunt}},
date = {2020-12-15},
organization = {Github (sophos-cybersecurity)},
url = {https://github.com/sophos-cybersecurity/solarwinds-threathunt},
language = {English},
urldate = {2020-12-15}
}
solarwinds-threathunt
Cobalt Strike SUNBURST |
2020-12-15 ⋅ PICUS Security ⋅ Süleyman Özarslan
@online{zarslan:20201215:tactics:bba1b4f,
author = {Süleyman Özarslan},
title = {{Tactics, Techniques, and Procedures (TTPs) Used in the SolarWinds Breach}},
date = {2020-12-15},
organization = {PICUS Security},
url = {https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach},
language = {English},
urldate = {2020-12-17}
}
Tactics, Techniques, and Procedures (TTPs) Used in the SolarWinds Breach
Cobalt Strike SUNBURST |
2020-12-14 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
@online{42:20201214:threat:032b92d,
author = {Unit 42},
title = {{Threat Brief: SolarStorm and SUNBURST Customer Coverage}},
date = {2020-12-14},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/},
language = {English},
urldate = {2020-12-15}
}
Threat Brief: SolarStorm and SUNBURST Customer Coverage
Cobalt Strike SUNBURST |
2020-12-11 ⋅ Blackberry ⋅ BlackBerry Research and Intelligence team
@online{team:20201211:mountlocker:9c495cb,
author = {BlackBerry Research and Intelligence team},
title = {{MountLocker Ransomware-as-a-Service Offers Double Extortion Capabilities to Affiliates}},
date = {2020-12-11},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates},
language = {English},
urldate = {2020-12-14}
}
MountLocker Ransomware-as-a-Service Offers Double Extortion Capabilities to Affiliates
Cobalt Strike Mount Locker |
2020-12-10 ⋅ Palo Alto Networks Unit 42 ⋅ Unit42
@online{unit42:20201210:threat:6ac31af,
author = {Unit42},
title = {{Threat Brief: FireEye Red Team Tool Breach}},
date = {2020-12-10},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/},
language = {English},
urldate = {2020-12-15}
}
Threat Brief: FireEye Red Team Tool Breach
Cobalt Strike |
2020-12-10 ⋅ Intel 471 ⋅ Intel 471
@online{471:20201210:no:9fd2ae1,
author = {Intel 471},
title = {{No pandas, just people: The current state of China’s cybercrime underground}},
date = {2020-12-10},
organization = {Intel 471},
url = {https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/},
language = {English},
urldate = {2020-12-10}
}
No pandas, just people: The current state of China’s cybercrime underground
Anubis SpyNote AsyncRAT Cobalt Strike Ghost RAT NjRAT |
2020-12-09 ⋅ FireEye ⋅ Mitchell Clarke, Tom Hall
@techreport{clarke:20201209:its:c312acc,
author = {Mitchell Clarke and Tom Hall},
title = {{It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES)}},
date = {2020-12-09},
institution = {FireEye},
url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf},
language = {English},
urldate = {2020-12-15}
}
It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES)
Cobalt Strike DoppelPaymer QakBot REvil |
2020-12-09 ⋅ Cisco ⋅ David Liebenberg, Caitlin Huey
@online{liebenberg:20201209:quarterly:9ed3062,
author = {David Liebenberg and Caitlin Huey},
title = {{Quarterly Report: Incident Response trends from Fall 2020}},
date = {2020-12-09},
organization = {Cisco},
url = {https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html},
language = {English},
urldate = {2020-12-10}
}
Quarterly Report: Incident Response trends from Fall 2020
Cobalt Strike IcedID Maze RansomEXX Ryuk |
2020-12-09 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
@online{duncan:20201209:recent:0992506,
author = {Brad Duncan},
title = {{Recent Qakbot (Qbot) activity}},
date = {2020-12-09},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/rss/26862},
language = {English},
urldate = {2020-12-10}
}
Recent Qakbot (Qbot) activity
Cobalt Strike QakBot |
2020-12-08 ⋅ Cobalt Strike ⋅ Raphael Mudge
@online{mudge:20201208:red:8ccdfcf,
author = {Raphael Mudge},
title = {{A Red Teamer Plays with JARM}},
date = {2020-12-08},
organization = {Cobalt Strike},
url = {https://blog.cobaltstrike.com/2020/12/08/a-red-teamer-plays-with-jarm/},
language = {English},
urldate = {2021-01-11}
}
A Red Teamer Plays with JARM
Cobalt Strike |
2020-12-02 ⋅ Red Canary ⋅ twitter (@redcanary)
@online{redcanary:20201202:increased:5db5dce,
author = {twitter (@redcanary)},
title = {{Tweet on increased #Qbot activity delivering Cobalt Strike & #Egregor ransomware}},
date = {2020-12-02},
organization = {Red Canary},
url = {https://twitter.com/redcanary/status/1334224861628039169},
language = {English},
urldate = {2020-12-08}
}
Tweet on increased #Qbot activity delivering Cobalt Strike & #Egregor ransomware
Cobalt Strike Egregor QakBot |
2020-12-01 ⋅ 360.cn ⋅ jindanlong
@online{jindanlong:20201201:hunting:b9e2674,
author = {jindanlong},
title = {{Hunting Beacons}},
date = {2020-12-01},
organization = {360.cn},
url = {https://quake.360.cn/quake/#/reportDetail?id=5fc6fedd191038c3b25c4950},
language = {English},
urldate = {2021-01-10}
}
Hunting Beacons
Cobalt Strike |
2020-12-01 ⋅ mez0.cc ⋅ mez0
@online{mez0:20201201:cobalt:38336ed,
author = {mez0},
title = {{Cobalt Strike PowerShell Execution}},
date = {2020-12-01},
organization = {mez0.cc},
url = {https://mez0.cc/posts/cobaltstrike-powershell-exec/},
language = {English},
urldate = {2020-12-14}
}
Cobalt Strike PowerShell Execution
Cobalt Strike |
2020-11-30 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20201130:threat:2633df5,
author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)},
title = {{Threat actor (BISMUTH) leverages coin miner techniques to stay under the radar – here’s how to spot them}},
date = {2020-11-30},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them/},
language = {English},
urldate = {2020-12-01}
}
Threat actor (BISMUTH) leverages coin miner techniques to stay under the radar – here’s how to spot them
Cobalt Strike |
2020-11-30 ⋅ FireEye ⋅ Mitchell Clarke, Tom Hall
@techreport{clarke:20201130:its:1b6b681,
author = {Mitchell Clarke and Tom Hall},
title = {{It's not FINished The Evolving Maturity in Ransomware Operations}},
date = {2020-11-30},
institution = {FireEye},
url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf},
language = {English},
urldate = {2020-12-14}
}
It's not FINished The Evolving Maturity in Ransomware Operations
Cobalt Strike DoppelPaymer MimiKatz QakBot REvil |
2020-11-27 ⋅ Macnica ⋅ Hiroshi Takeuchi
@online{takeuchi:20201127:analyzing:4089f84,
author = {Hiroshi Takeuchi},
title = {{Analyzing Organizational Invasion Ransom Incidents Using Dtrack}},
date = {2020-11-27},
organization = {Macnica},
url = {https://blog.macnica.net/blog/2020/11/dtrack.html},
language = {Japanese},
urldate = {2020-12-08}
}
Analyzing Organizational Invasion Ransom Incidents Using Dtrack
Cobalt Strike Dtrack |
2020-11-26 ⋅ Cybereason ⋅ Lior Rochberger, Cybereason Nocturnus
@online{rochberger:20201126:cybereason:8301aeb,
author = {Lior Rochberger and Cybereason Nocturnus},
title = {{Cybereason vs. Egregor Ransomware}},
date = {2020-11-26},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware},
language = {English},
urldate = {2020-12-08}
}
Cybereason vs. Egregor Ransomware
Cobalt Strike Egregor IcedID ISFB QakBot |
2020-11-25 ⋅ SentinelOne ⋅ Jim Walter
@online{walter:20201125:egregor:5727f7a,
author = {Jim Walter},
title = {{Egregor RaaS Continues the Chaos with Cobalt Strike and Rclone}},
date = {2020-11-25},
organization = {SentinelOne},
url = {https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/},
language = {English},
urldate = {2020-12-08}
}
Egregor RaaS Continues the Chaos with Cobalt Strike and Rclone
Cobalt Strike Egregor |
2020-11-20 ⋅ ZDNet ⋅ Catalin Cimpanu
@online{cimpanu:20201120:malware:0b8ff59,
author = {Catalin Cimpanu},
title = {{The malware that usually installs ransomware and you need to remove right away}},
date = {2020-11-20},
organization = {ZDNet},
url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/},
language = {English},
urldate = {2020-11-23}
}
The malware that usually installs ransomware and you need to remove right away
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader |
2020-11-20 ⋅ F-Secure Labs ⋅ Riccardo Ancarani
@online{ancarani:20201120:detecting:79afa40,
author = {Riccardo Ancarani},
title = {{Detecting Cobalt Strike Default Modules via Named Pipe Analysis}},
date = {2020-11-20},
organization = {F-Secure Labs},
url = {https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis},
language = {English},
urldate = {2020-11-23}
}
Detecting Cobalt Strike Default Modules via Named Pipe Analysis
Cobalt Strike |
2020-11-20 ⋅ 360 netlab ⋅ JiaYu
@online{jiayu:20201120:blackrota:ee43da1,
author = {JiaYu},
title = {{Blackrota, a highly obfuscated backdoor developed by Go}},
date = {2020-11-20},
organization = {360 netlab},
url = {https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go/},
language = {Chinese},
urldate = {2020-11-23}
}
Blackrota, a highly obfuscated backdoor developed by Go
Cobalt Strike |
2020-11-17 ⋅ cyble ⋅ Cyble
@online{cyble:20201117:oceanlotus:d33eb97,
author = {Cyble},
title = {{OceanLotus Continues With Its Cyber Espionage Operations}},
date = {2020-11-17},
organization = {cyble},
url = {https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/},
language = {English},
urldate = {2020-11-18}
}
OceanLotus Continues With Its Cyber Espionage Operations
Cobalt Strike Meterpreter |
2020-11-17 ⋅ Salesforce Engineering ⋅ John Althouse
@online{althouse:20201117:easily:172bd6d,
author = {John Althouse},
title = {{Easily Identify Malicious Servers on the Internet with JARM}},
date = {2020-11-17},
organization = {Salesforce Engineering},
url = {https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a},
language = {English},
urldate = {2020-12-03}
}
Easily Identify Malicious Servers on the Internet with JARM
Cobalt Strike TrickBot |
2020-11-15 ⋅ Trustnet ⋅ Michael Wainshtain
@online{wainshtain:20201115:from:719b7ff,
author = {Michael Wainshtain},
title = {{From virus alert to PowerShell Encrypted Loader}},
date = {2020-11-15},
organization = {Trustnet},
url = {https://www.trustnet.co.il/blog/virus-alert-to-powershell-encrypted-loader/},
language = {English},
urldate = {2021-07-26}
}
From virus alert to PowerShell Encrypted Loader
Cobalt Strike |
2020-11-09 ⋅ Bleeping Computer ⋅ Ionut Ilascu
@online{ilascu:20201109:fake:c6dd7b3,
author = {Ionut Ilascu},
title = {{Fake Microsoft Teams updates lead to Cobalt Strike deployment}},
date = {2020-11-09},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/},
language = {English},
urldate = {2020-11-11}
}
Fake Microsoft Teams updates lead to Cobalt Strike deployment
Cobalt Strike DoppelPaymer NjRAT Predator The Thief Zloader |
2020-11-06 ⋅ Volexity ⋅ Steven Adair, Thomas Lancaster, Volexity Threat Research
@online{adair:20201106:oceanlotus:f7b11ac,
author = {Steven Adair and Thomas Lancaster and Volexity Threat Research},
title = {{OceanLotus: Extending Cyber Espionage Operations Through Fake Websites}},
date = {2020-11-06},
organization = {Volexity},
url = {https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/},
language = {English},
urldate = {2020-11-09}
}
OceanLotus: Extending Cyber Espionage Operations Through Fake Websites
Cobalt Strike KerrDown APT32 |
2020-11-06 ⋅ Cobalt Strike ⋅ Raphael Mudge
@online{mudge:20201106:cobalt:05fe8fc,
author = {Raphael Mudge},
title = {{Cobalt Strike 4.2 – Everything but the kitchen sink}},
date = {2020-11-06},
organization = {Cobalt Strike},
url = {https://blog.cobaltstrike.com/2020/11/06/cobalt-strike-4-2-everything-but-the-kitchen-sink/},
language = {English},
urldate = {2020-11-09}
}
Cobalt Strike 4.2 – Everything but the kitchen sink
Cobalt Strike |
2020-11-06 ⋅ Palo Alto Networks Unit 42 ⋅ Ryan Tracey, Drew Schmitt, CRYPSIS
@online{tracey:20201106:indicators:1ec9384,
author = {Ryan Tracey and Drew Schmitt and CRYPSIS},
title = {{Indicators of Compromise related to Cobaltstrike, PyXie Lite, Vatet and Defray777}},
date = {2020-11-06},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/},
language = {English},
urldate = {2020-11-12}
}
Indicators of Compromise related to Cobaltstrike, PyXie Lite, Vatet and Defray777
Cobalt Strike PyXie RansomEXX |
2020-11-06 ⋅ Advanced Intelligence ⋅ Vitali Kremez
@online{kremez:20201106:anatomy:b2ce3ae,
author = {Vitali Kremez},
title = {{Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware "one" Group via Cobalt Strike}},
date = {2020-11-06},
organization = {Advanced Intelligence},
url = {https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike},
language = {English},
urldate = {2020-11-09}
}
Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware "one" Group via Cobalt Strike
BazarBackdoor Cobalt Strike Ryuk |
2020-11-05 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20201105:ryuk:ceaa823,
author = {The DFIR Report},
title = {{Ryuk Speed Run, 2 Hours to Ransom}},
date = {2020-11-05},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/},
language = {English},
urldate = {2020-11-06}
}
Ryuk Speed Run, 2 Hours to Ransom
BazarBackdoor Cobalt Strike Ryuk |
2020-11-05 ⋅ Twitter (@ffforward) ⋅ TheAnalyst
@online{theanalyst:20201105:zloader:c4bab85,
author = {TheAnalyst},
title = {{Tweet on Zloader infection leads to Cobaltstrike Installation and deployment of RYUK}},
date = {2020-11-05},
organization = {Twitter (@ffforward)},
url = {https://twitter.com/ffforward/status/1324281530026524672},
language = {English},
urldate = {2020-11-09}
}
Tweet on Zloader infection leads to Cobaltstrike Installation and deployment of RYUK
Cobalt Strike Ryuk Zloader |
2020-11-04 ⋅ VMRay ⋅ Giovanni Vigna
@online{vigna:20201104:trick:a59a333,
author = {Giovanni Vigna},
title = {{Trick or Threat: Ryuk ransomware targets the health care industry}},
date = {2020-11-04},
organization = {VMRay},
url = {https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/},
language = {English},
urldate = {2020-11-06}
}
Trick or Threat: Ryuk ransomware targets the health care industry
BazarBackdoor Cobalt Strike Ryuk TrickBot |
2020-11-03 ⋅ InfoSec Handlers Diary Blog ⋅ Renato Marinho
@online{marinho:20201103:attackers:9b3762b,
author = {Renato Marinho},
title = {{Attackers Exploiting WebLogic Servers via CVE-2020-14882 to install Cobalt Strike}},
date = {2020-11-03},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/26752},
language = {English},
urldate = {2020-11-06}
}
Attackers Exploiting WebLogic Servers via CVE-2020-14882 to install Cobalt Strike
Cobalt Strike |
2020-11-03 ⋅ Kaspersky Labs ⋅ GReAT
@online{great:20201103:trends:febc159,
author = {GReAT},
title = {{APT trends report Q3 2020}},
date = {2020-11-03},
organization = {Kaspersky Labs},
url = {https://securelist.com/apt-trends-report-q3-2020/99204/},
language = {English},
urldate = {2020-11-04}
}
APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti |
2020-10-30 ⋅ Github (ThreatConnect-Inc) ⋅ ThreatConnect
@online{threatconnect:20201030:unc:b3ae3d0,
author = {ThreatConnect},
title = {{UNC 1878 Indicators from Threatconnect}},
date = {2020-10-30},
organization = {Github (ThreatConnect-Inc)},
url = {https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv},
language = {English},
urldate = {2020-11-06}
}
UNC 1878 Indicators from Threatconnect
BazarBackdoor Cobalt Strike Ryuk |
2020-10-29 ⋅ RiskIQ ⋅ RiskIQ
@online{riskiq:20201029:ryuk:0643968,
author = {RiskIQ},
title = {{Ryuk Ransomware: Extensive Attack Infrastructure Revealed}},
date = {2020-10-29},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/0bcefe76},
language = {English},
urldate = {2020-11-02}
}
Ryuk Ransomware: Extensive Attack Infrastructure Revealed
Cobalt Strike Ryuk |
2020-10-29 ⋅ Red Canary ⋅ The Red Canary Team
@online{team:20201029:bazar:1846b93,
author = {The Red Canary Team},
title = {{A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak}},
date = {2020-10-29},
organization = {Red Canary},
url = {https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/},
language = {English},
urldate = {2020-11-02}
}
A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak
Cobalt Strike Ryuk TrickBot |
2020-10-29 ⋅ Github (Swisscom) ⋅ Swisscom CSIRT
@online{csirt:20201029:list:5fb0206,
author = {Swisscom CSIRT},
title = {{List of CobaltStrike C2's used by RYUK}},
date = {2020-10-29},
organization = {Github (Swisscom)},
url = {https://github.com/swisscom/detections/blob/main/RYUK/cobaltstrike_c2s.txt},
language = {English},
urldate = {2020-11-02}
}
List of CobaltStrike C2's used by RYUK
Cobalt Strike |
2020-10-28 ⋅ FireEye ⋅ Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock
@online{goody:20201028:unhappy:c0d2e4b,
author = {Kimberly Goody and Jeremy Kennelly and Joshua Shilko and Steve Elovitz and Douglas Bienstock},
title = {{Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser}},
date = {2020-10-28},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html},
language = {English},
urldate = {2020-11-02}
}
Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser
BazarBackdoor Cobalt Strike Ryuk UNC1878 |
2020-10-27 ⋅ Sophos Managed Threat Response (MTR) ⋅ Greg Iddon
@online{iddon:20201027:mtr:3b62ca9,
author = {Greg Iddon},
title = {{MTR Casebook: An active adversary caught in the act}},
date = {2020-10-27},
organization = {Sophos Managed Threat Response (MTR)},
url = {https://news.sophos.com/en-us/2020/10/27/mtr-casebook-an-active-adversary-caught-in-the-act/},
language = {English},
urldate = {2020-11-02}
}
MTR Casebook: An active adversary caught in the act
Cobalt Strike |
2020-10-18 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20201018:ryuk:fbaadb8,
author = {The DFIR Report},
title = {{Ryuk in 5 Hours}},
date = {2020-10-18},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/},
language = {English},
urldate = {2020-10-19}
}
Ryuk in 5 Hours
BazarBackdoor Cobalt Strike Ryuk |
2020-10-14 ⋅ RiskIQ ⋅ Steve Ginty, Jon Gross
@online{ginty:20201014:wellmarked:9176303,
author = {Steve Ginty and Jon Gross},
title = {{A Well-Marked Trail: Journeying through OceanLotus's Infrastructure}},
date = {2020-10-14},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/f0320980},
language = {English},
urldate = {2020-10-23}
}
A Well-Marked Trail: Journeying through OceanLotus's Infrastructure
Cobalt Strike |
2020-10-14 ⋅ Sophos ⋅ Sean Gallagher
@online{gallagher:20201014:theyre:99f5d1e,
author = {Sean Gallagher},
title = {{They’re back: inside a new Ryuk ransomware attack}},
date = {2020-10-14},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/},
language = {English},
urldate = {2020-10-16}
}
They’re back: inside a new Ryuk ransomware attack
Cobalt Strike Ryuk SystemBC |
2020-10-12 ⋅ Advanced Intelligence ⋅ Roman Marshanski, Vitali Kremez
@online{marshanski:20201012:front:686add1,
author = {Roman Marshanski and Vitali Kremez},
title = {{"Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon}},
date = {2020-10-12},
organization = {Advanced Intelligence},
url = {https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon},
language = {English},
urldate = {2020-10-13}
}
"Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon
BazarBackdoor Cobalt Strike Ryuk |
2020-10-11 ⋅ Github (StrangerealIntel) ⋅ StrangerealIntel
@online{strangerealintel:20201011:chimera:a423a07,
author = {StrangerealIntel},
title = {{Chimera, APT19 under the radar ?}},
date = {2020-10-11},
organization = {Github (StrangerealIntel)},
url = {https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md},
language = {English},
urldate = {2020-10-15}
}
Chimera, APT19 under the radar ?
Cobalt Strike Meterpreter |
2020-10-08 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20201008:ryuks:e47d8fa,
author = {The DFIR Report},
title = {{Ryuk’s Return}},
date = {2020-10-08},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2020/10/08/ryuks-return/},
language = {English},
urldate = {2020-10-09}
}
Ryuk’s Return
BazarBackdoor Cobalt Strike Ryuk |
2020-10-08 ⋅ Bayerischer Rundfunk ⋅ Hakan Tanriverdi, Max Zierer, Ann-Kathrin Wetter, Kai Biermann, Thi Do Nguyen
@online{tanriverdi:20201008:there:620f4e7,
author = {Hakan Tanriverdi and Max Zierer and Ann-Kathrin Wetter and Kai Biermann and Thi Do Nguyen},
title = {{There is no safe place}},
date = {2020-10-08},
organization = {Bayerischer Rundfunk},
url = {https://web.br.de/interaktiv/ocean-lotus/en/},
language = {English},
urldate = {2020-10-12}
}
There is no safe place
Cobalt Strike |
2020-10-02 ⋅ Health Sector Cybersecurity Coordination Center (HC3) ⋅ Health Sector Cybersecurity Coordination Center (HC3)
@techreport{hc3:20201002:report:0ca373f,
author = {Health Sector Cybersecurity Coordination Center (HC3)},
title = {{Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns}},
date = {2020-10-02},
institution = {Health Sector Cybersecurity Coordination Center (HC3)},
url = {https://www.hhs.gov/sites/default/files/bazarloader.pdf},
language = {English},
urldate = {2020-11-02}
}
Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns
BazarBackdoor Cobalt Strike Ryuk TrickBot |
2020-10-01 ⋅ Wired ⋅ Andy Greenberg
@online{greenberg:20201001:russias:3440982,
author = {Andy Greenberg},
title = {{Russia’s Fancy Bear Hackers Likely Penetrated a US Federal Agency}},
date = {2020-10-01},
organization = {Wired},
url = {https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/},
language = {English},
urldate = {2020-10-05}
}
Russia’s Fancy Bear Hackers Likely Penetrated a US Federal Agency
Cobalt Strike Meterpreter |
2020-10-01 ⋅ US-CERT ⋅ US-CERT
@online{uscert:20201001:alert:a46c3d4,
author = {US-CERT},
title = {{Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions}},
date = {2020-10-01},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/alerts/aa20-275a},
language = {English},
urldate = {2020-10-04}
}
Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions
CHINACHOPPER Cobalt Strike Empire Downloader MimiKatz Poison Ivy |
2020-09-29 ⋅ CrowdStrike ⋅ Kareem Hamdan, Lucas Miller
@online{hamdan:20200929:getting:c01923a,
author = {Kareem Hamdan and Lucas Miller},
title = {{Getting the Bacon from the Beacon}},
date = {2020-09-29},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/},
language = {English},
urldate = {2020-10-05}
}
Getting the Bacon from the Beacon
Cobalt Strike |
2020-09-29 ⋅ Github (Apr4h) ⋅ Apra
@online{apra:20200929:cobaltstrikescan:ab5f221,
author = {Apra},
title = {{CobaltStrikeScan}},
date = {2020-09-29},
organization = {Github (Apr4h)},
url = {https://github.com/Apr4h/CobaltStrikeScan},
language = {English},
urldate = {2020-10-05}
}
CobaltStrikeScan
Cobalt Strike |
2020-09-24 ⋅ US-CERT ⋅ US-CERT
@online{uscert:20200924:analysis:e1e4cc0,
author = {US-CERT},
title = {{Analysis Report (AR20-268A): Federal Agency Compromised by Malicious Cyber Actor}},
date = {2020-09-24},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a},
language = {English},
urldate = {2020-10-13}
}
Analysis Report (AR20-268A): Federal Agency Compromised by Malicious Cyber Actor
Cobalt Strike Meterpreter |
2020-09-21 ⋅ Cisco Talos ⋅ Nick Mavis, Joe Marshall, JON MUNSHAW
@techreport{mavis:20200921:art:d9702a4,
author = {Nick Mavis and Joe Marshall and JON MUNSHAW},
title = {{The art and science of detecting Cobalt Strike}},
date = {2020-09-21},
institution = {Cisco Talos},
url = {https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf},
language = {English},
urldate = {2020-09-23}
}
The art and science of detecting Cobalt Strike
Cobalt Strike |
2020-09-18 ⋅ Trend Micro ⋅ Trend Micro
@online{micro:20200918:us:7900e6a,
author = {Trend Micro},
title = {{U.S. Justice Department Charges APT41 Hackers over Global Cyberattacks}},
date = {2020-09-18},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html},
language = {English},
urldate = {2020-09-23}
}
U.S. Justice Department Charges APT41 Hackers over Global Cyberattacks
Cobalt Strike ColdLock |
2020-09-03 ⋅ Viettel Cybersecurity ⋅ vuonglvm
@online{vuonglvm:20200903:apt32:02bd8fc,
author = {vuonglvm},
title = {{APT32 deobfuscation arsenal: Deobfuscating một vài loại Obfucation Toolkit của APT32 (Phần 2)}},
date = {2020-09-03},
organization = {Viettel Cybersecurity},
url = {https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-2/},
language = {Vietnamese},
urldate = {2020-09-09}
}
APT32 deobfuscation arsenal: Deobfuscating một vài loại Obfucation Toolkit của APT32 (Phần 2)
Cobalt Strike |
2020-09-01 ⋅ Cisco Talos ⋅ David Liebenberg, Caitlin Huey
@online{liebenberg:20200901:quarterly:c02962b,
author = {David Liebenberg and Caitlin Huey},
title = {{Quarterly Report: Incident Response trends in Summer 2020}},
date = {2020-09-01},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html},
language = {English},
urldate = {2020-09-03}
}
Quarterly Report: Incident Response trends in Summer 2020
Cobalt Strike LockBit Mailto Maze Ryuk |
2020-08-31 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20200831:netwalker:29a1511,
author = {The DFIR Report},
title = {{NetWalker Ransomware in 1 Hour}},
date = {2020-08-31},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/},
language = {English},
urldate = {2020-08-31}
}
NetWalker Ransomware in 1 Hour
Cobalt Strike Mailto MimiKatz |
2020-08-20 ⋅ Seebug Paper ⋅ Malayke
@online{malayke:20200820:use:77d3957,
author = {Malayke},
title = {{Use ZoomEye to track multiple Redteam C&C post-penetration attack frameworks}},
date = {2020-08-20},
organization = {Seebug Paper},
url = {https://paper.seebug.org/1301/},
language = {Chinese},
urldate = {2020-08-24}
}
Use ZoomEye to track multiple Redteam C&C post-penetration attack frameworks
Cobalt Strike Empire Downloader PoshC2 |
2020-08-19 ⋅ TEAMT5 ⋅ TeamT5
@online{teamt5:20200819:0819:e955419,
author = {TeamT5},
title = {{調查局 08/19 公布中國對台灣政府機關駭侵事件說明}},
date = {2020-08-19},
organization = {TEAMT5},
url = {https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/},
language = {Chinese},
urldate = {2021-05-03}
}
調查局 08/19 公布中國對台灣政府機關駭侵事件說明
Cobalt Strike Waterbear |
2020-08-14 ⋅ Twitter (@VK_intel) ⋅ Vitali Kremez
@online{kremez:20200814:zloader:cbd9ad5,
author = {Vitali Kremez},
title = {{Tweet on Zloader infection leading to Cobaltstrike Installation}},
date = {2020-08-14},
organization = {Twitter (@VK_intel)},
url = {https://twitter.com/VK_Intel/status/1294320579311435776},
language = {English},
urldate = {2020-11-09}
}
Tweet on Zloader infection leading to Cobaltstrike Installation
Cobalt Strike Zloader |
2020-08-06 ⋅ Wired ⋅ Andy Greenberg
@online{greenberg:20200806:chinese:32c43e3,
author = {Andy Greenberg},
title = {{Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry}},
date = {2020-08-06},
organization = {Wired},
url = {https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/},
language = {English},
urldate = {2020-11-04}
}
Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry
Cobalt Strike MimiKatz Winnti Operation Skeleton Key |
2020-08-04 ⋅ BlackHat ⋅ Chung-Kuan Chen, Inndy Lin, Shang-De Jiang
@techreport{chen:20200804:operation:4cf417f,
author = {Chung-Kuan Chen and Inndy Lin and Shang-De Jiang},
title = {{Operation Chimera - APT Operation Targets Semiconductor Vendors}},
date = {2020-08-04},
institution = {BlackHat},
url = {https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf},
language = {English},
urldate = {2020-11-04}
}
Operation Chimera - APT Operation Targets Semiconductor Vendors
Cobalt Strike MimiKatz Winnti Operation Skeleton Key |
2020-07-29 ⋅ Kaspersky Labs ⋅ GReAT
@online{great:20200729:trends:6810325,
author = {GReAT},
title = {{APT trends report Q2 2020}},
date = {2020-07-29},
organization = {Kaspersky Labs},
url = {https://securelist.com/apt-trends-report-q2-2020/97937/},
language = {English},
urldate = {2020-07-30}
}
APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel |
2020-07-26 ⋅ Shells.System blog ⋅ Askar
@online{askar:20200726:inmemory:5556cad,
author = {Askar},
title = {{In-Memory shellcode decoding to evade AVs/EDRs}},
date = {2020-07-26},
organization = {Shells.System blog},
url = {https://shells.systems/in-memory-shellcode-decoding-to-evade-avs/},
language = {English},
urldate = {2020-07-30}
}
In-Memory shellcode decoding to evade AVs/EDRs
Cobalt Strike |
2020-07-22 ⋅ On the Hunt ⋅ Newton Paul
@online{paul:20200722:analysing:2de83d7,
author = {Newton Paul},
title = {{Analysing Fileless Malware: Cobalt Strike Beacon}},
date = {2020-07-22},
organization = {On the Hunt},
url = {https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/},
language = {English},
urldate = {2020-07-24}
}
Analysing Fileless Malware: Cobalt Strike Beacon
Cobalt Strike |
2020-07-21 ⋅ Malwarebytes ⋅ Hossein Jazi, Jérôme Segura
@online{jazi:20200721:chinese:da6a239,
author = {Hossein Jazi and Jérôme Segura},
title = {{Chinese APT group targets India and Hong Kong using new variant of MgBot malware}},
date = {2020-07-21},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/},
language = {English},
urldate = {2020-07-22}
}
Chinese APT group targets India and Hong Kong using new variant of MgBot malware
KSREMOTE Cobalt Strike MgBot |
2020-07-07 ⋅ MWLab ⋅ Ladislav Bačo
@online{bao:20200707:cobalt:cf80aa8,
author = {Ladislav Bačo},
title = {{Cobalt Strike stagers used by FIN6}},
date = {2020-07-07},
organization = {MWLab},
url = {https://malwarelab.eu/posts/fin6-cobalt-strike/},
language = {English},
urldate = {2020-07-11}
}
Cobalt Strike stagers used by FIN6
Cobalt Strike |
2020-06-23 ⋅ NCC Group ⋅ Nikolaos Pantazopoulos, Stefano Antenucci, Michael Sandee
@online{pantazopoulos:20200623:wastedlocker:112d6b3,
author = {Nikolaos Pantazopoulos and Stefano Antenucci and Michael Sandee},
title = {{WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group}},
date = {2020-06-23},
organization = {NCC Group},
url = {https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/},
language = {English},
urldate = {2020-06-23}
}
WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
Cobalt Strike ISFB WastedLocker |
2020-06-23 ⋅ Symantec ⋅ Critical Attack Discovery and Intelligence Team
@online{team:20200623:sodinokibi:7eff193,
author = {Critical Attack Discovery and Intelligence Team},
title = {{Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike}},
date = {2020-06-23},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos},
language = {English},
urldate = {2020-06-23}
}
Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike
Cobalt Strike REvil |
2020-06-22 ⋅ Sentinel LABS ⋅ Joshua Platt, Jason Reaves
@online{platt:20200622:inside:b381dd5,
author = {Joshua Platt and Jason Reaves},
title = {{Inside a TrickBot Cobalt Strike Attack Server}},
date = {2020-06-22},
organization = {Sentinel LABS},
url = {https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/},
language = {English},
urldate = {2020-06-23}
}
Inside a TrickBot Cobalt Strike Attack Server
Cobalt Strike TrickBot |
2020-06-22 ⋅ Talos Intelligence ⋅ Asheer Malhotra
@online{malhotra:20200622:indigodrop:6d5e7e1,
author = {Asheer Malhotra},
title = {{IndigoDrop spreads via military-themed lures to deliver Cobalt Strike}},
date = {2020-06-22},
organization = {Talos Intelligence},
url = {https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html},
language = {English},
urldate = {2020-06-24}
}
IndigoDrop spreads via military-themed lures to deliver Cobalt Strike
Cobalt Strike IndigoDrop |
2020-06-19 ⋅ Zscaler ⋅ Atinderpal Singh, Nirmal Singh, Sahil Antil
@online{singh:20200619:targeted:05d8d31,
author = {Atinderpal Singh and Nirmal Singh and Sahil Antil},
title = {{Targeted Attack Leverages India-China Border Dispute to Lure Victims}},
date = {2020-06-19},
organization = {Zscaler},
url = {https://www.zscaler.com/blogs/research/targeted-attack-leverages-india-china-border-dispute-lure-victims},
language = {English},
urldate = {2020-06-21}
}
Targeted Attack Leverages India-China Border Dispute to Lure Victims
Cobalt Strike |
2020-06-19 ⋅ Youtube (Raphael Mudge) ⋅ Raphael Mudge
@online{mudge:20200619:beacon:bc8ae77,
author = {Raphael Mudge},
title = {{Beacon Object Files - Luser Demo}},
date = {2020-06-19},
organization = {Youtube (Raphael Mudge)},
url = {https://www.youtube.com/watch?v=gfYswA_Ronw},
language = {English},
urldate = {2020-06-23}
}
Beacon Object Files - Luser Demo
Cobalt Strike |
2020-06-18 ⋅ Australian Cyber Security Centre ⋅ Australian Cyber Security Centre (ACSC)
@techreport{acsc:20200618:advisory:ed0f53c,
author = {Australian Cyber Security Centre (ACSC)},
title = {{Advisory 2020-008: Copy-Paste Compromises –tactics, techniques and procedures used to target multiple Australian networks}},
date = {2020-06-18},
institution = {Australian Cyber Security Centre},
url = {https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf},
language = {English},
urldate = {2020-06-19}
}
Advisory 2020-008: Copy-Paste Compromises –tactics, techniques and procedures used to target multiple Australian networks
TwoFace Cobalt Strike Empire Downloader |
2020-06-17 ⋅ Malwarebytes ⋅ Hossein Jazi, Jérôme Segura
@online{jazi:20200617:multistage:6358f3f,
author = {Hossein Jazi and Jérôme Segura},
title = {{Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature}},
date = {2020-06-17},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature/},
language = {English},
urldate = {2020-06-19}
}
Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature
Cobalt Strike |
2020-06-15 ⋅ NCC Group ⋅ Exploit Development Group
@online{group:20200615:striking:8fdf4bb,
author = {Exploit Development Group},
title = {{Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability}},
date = {2020-06-15},
organization = {NCC Group},
url = {https://research.nccgroup.com/2020/06/15/striking-back-at-retired-cobalt-strike-a-look-at-a-legacy-vulnerability/},
language = {English},
urldate = {2020-06-16}
}
Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability
Cobalt Strike |
2020-06-09 ⋅ Github (Sentinel-One) ⋅ Gal Kristal
@online{kristal:20200609:cobaltstrikeparser:a023ac8,
author = {Gal Kristal},
title = {{CobaltStrikeParser}},
date = {2020-06-09},
organization = {Github (Sentinel-One)},
url = {https://github.com/Sentinel-One/CobaltStrikeParser/blob/master/parse_beacon_config.py},
language = {English},
urldate = {2020-09-15}
}
CobaltStrikeParser
Cobalt Strike |
2020-05-28 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center (MSTIC)
@online{mstic:20200528:breaking:f55e372,
author = {Microsoft Threat Intelligence Center (MSTIC)},
title = {{Breaking down NOBELIUM’s latest early-stage toolset}},
date = {2020-05-28},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/},
language = {English},
urldate = {2021-06-09}
}
Breaking down NOBELIUM’s latest early-stage toolset
Cobalt Strike |
2020-05-14 ⋅ Lab52 ⋅ Dex
@online{dex:20200514:energy:43e92b4,
author = {Dex},
title = {{The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey}},
date = {2020-05-14},
organization = {Lab52},
url = {https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/},
language = {English},
urldate = {2020-06-10}
}
The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey
Cobalt Strike HTran MimiKatz PlugX Quasar RAT |
2020-05-11 ⋅ SentinelOne ⋅ Gal Kristal
@online{kristal:20200511:anatomy:4ece947,
author = {Gal Kristal},
title = {{The Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration}},
date = {2020-05-11},
organization = {SentinelOne},
url = {https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/},
language = {English},
urldate = {2020-05-13}
}
The Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration
Cobalt Strike |
2020-04-24 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20200424:ursnif:e983798,
author = {The DFIR Report},
title = {{Ursnif via LOLbins}},
date = {2020-04-24},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/},
language = {English},
urldate = {2021-03-16}
}
Ursnif via LOLbins
Cobalt Strike LOLSnif TeamSpy |
2020-04-16 ⋅ Medium CyCraft ⋅ CyCraft Technology Corp
@online{corp:20200416:taiwan:3029f53,
author = {CyCraft Technology Corp},
title = {{Taiwan High-Tech Ecosystem Targeted by Foreign APT Group: Digital Skeleton Key Bypasses Security Measures}},
date = {2020-04-16},
organization = {Medium CyCraft},
url = {https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730},
language = {English},
urldate = {2020-11-04}
}
Taiwan High-Tech Ecosystem Targeted by Foreign APT Group: Digital Skeleton Key Bypasses Security Measures
Cobalt Strike MimiKatz Operation Skeleton Key |
2020-04-02 ⋅ Darktrace ⋅ Max Heinemeyer
@online{heinemeyer:20200402:catching:b7f137d,
author = {Max Heinemeyer},
title = {{Catching APT41 exploiting a zero-day vulnerability}},
date = {2020-04-02},
organization = {Darktrace},
url = {https://www.darktrace.com/en/blog/catching-apt-41-exploiting-a-zero-day-vulnerability/},
language = {English},
urldate = {2020-04-13}
}
Catching APT41 exploiting a zero-day vulnerability
Cobalt Strike |
2020-03-26 ⋅ VMWare Carbon Black ⋅ Scott Knight
@online{knight:20200326:dukes:df85f94,
author = {Scott Knight},
title = {{The Dukes of Moscow}},
date = {2020-03-26},
organization = {VMWare Carbon Black},
url = {https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/},
language = {English},
urldate = {2020-05-18}
}
The Dukes of Moscow
Cobalt Strike LiteDuke MiniDuke OnionDuke PolyglotDuke PowerDuke |
2020-03-25 ⋅ Wilbur Security ⋅ JW
@online{jw:20200325:trickbot:17b0dc3,
author = {JW},
title = {{Trickbot to Ryuk in Two Hours}},
date = {2020-03-25},
organization = {Wilbur Security},
url = {https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/},
language = {English},
urldate = {2020-03-26}
}
Trickbot to Ryuk in Two Hours
Cobalt Strike Ryuk TrickBot |
2020-03-25 ⋅ FireEye ⋅ Christopher Glyer, Dan Perez, Sarah Jones, Steve Miller
@online{glyer:20200325:this:0bc322f,
author = {Christopher Glyer and Dan Perez and Sarah Jones and Steve Miller},
title = {{This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits}},
date = {2020-03-25},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html},
language = {English},
urldate = {2020-04-14}
}
This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits
Speculoos Cobalt Strike |
2020-03-22 ⋅ Malware and Stuff ⋅ Andreas Klopsch
@online{klopsch:20200322:mustang:56f3768,
author = {Andreas Klopsch},
title = {{Mustang Panda joins the COVID-19 bandwagon}},
date = {2020-03-22},
organization = {Malware and Stuff},
url = {https://malwareandstuff.com/mustang-panda-joins-the-covid19-bandwagon/},
language = {English},
urldate = {2020-03-27}
}
Mustang Panda joins the COVID-19 bandwagon
Cobalt Strike |
2020-03-20 ⋅ RECON INFOSEC ⋅ Luke Rusten
@online{rusten:20200320:analysis:f82a963,
author = {Luke Rusten},
title = {{Analysis Of Exploitation: CVE-2020-10189 ( exploited by APT41)}},
date = {2020-03-20},
organization = {RECON INFOSEC},
url = {https://blog.reconinfosec.com/analysis-of-exploitation-cve-2020-10189/},
language = {English},
urldate = {2020-06-22}
}
Analysis Of Exploitation: CVE-2020-10189 ( exploited by APT41)
Cobalt Strike |
2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f,
author = {CrowdStrike},
title = {{2020 CrowdStrike Global Threat Report}},
date = {2020-03-04},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf},
language = {English},
urldate = {2020-07-24}
}
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER Pirate Panda SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER |
2020-03-04 ⋅ Cobalt Strike ⋅ Raphael Mudge
@online{mudge:20200304:cobalt:176b61e,
author = {Raphael Mudge},
title = {{Cobalt Strike joins Core Impact at HelpSystems, LLC}},
date = {2020-03-04},
organization = {Cobalt Strike},
url = {https://blog.cobaltstrike.com/2020/03/04/cobalt-strike-joins-core-impact-at-helpsystems-llc/},
language = {English},
urldate = {2020-03-04}
}
Cobalt Strike joins Core Impact at HelpSystems, LLC
Cobalt Strike |
2020-03-03 ⋅ PWC UK ⋅ PWC UK
@techreport{uk:20200303:cyber:1f1eef0,
author = {PWC UK},
title = {{Cyber Threats 2019:A Year in Retrospect}},
date = {2020-03-03},
institution = {PWC UK},
url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf},
language = {English},
urldate = {2020-03-03}
}
Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom |
2020-02-20 ⋅ McAfee ⋅ Christiaan Beek, Eamonn Ryan, Darren Fitzpatrick
@online{beek:20200220:csi:8525a7b,
author = {Christiaan Beek and Eamonn Ryan and Darren Fitzpatrick},
title = {{CSI: Evidence Indicators for Targeted Ransomware Attacks – Part II}},
date = {2020-02-20},
organization = {McAfee},
url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/},
language = {English},
urldate = {2021-05-13}
}
CSI: Evidence Indicators for Targeted Ransomware Attacks – Part II
Cobalt Strike LockerGoga Maze MegaCortex |
2020-02-19 ⋅ FireEye ⋅ FireEye
@online{fireeye:20200219:mtrends:193613a,
author = {FireEye},
title = {{M-Trends 2020}},
date = {2020-02-19},
organization = {FireEye},
url = {https://content.fireeye.com/m-trends/rpt-m-trends-2020},
language = {English},
urldate = {2020-02-20}
}
M-Trends 2020
Cobalt Strike Grateful POS LockerGoga QakBot TrickBot |
2020-02-18 ⋅ Trend Micro ⋅ Daniel Lunghi, Cedric Pernet, Kenney Lu, Jamz Yaneza
@online{lunghi:20200218:uncovering:93b0937,
author = {Daniel Lunghi and Cedric Pernet and Kenney Lu and Jamz Yaneza},
title = {{Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations}},
date = {2020-02-18},
organization = {Trend Micro},
url = {https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia},
language = {English},
urldate = {2020-02-20}
}
Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations
Cobalt Strike HyperBro PlugX Trochilus RAT |
2020-02-18 ⋅ Cisco Talos ⋅ Vanja Svajcer
@online{svajcer:20200218:building:0a80664,
author = {Vanja Svajcer},
title = {{Building a bypass with MSBuild}},
date = {2020-02-18},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html},
language = {English},
urldate = {2020-02-20}
}
Building a bypass with MSBuild
Cobalt Strike GRUNT MimiKatz |
2020-02-13 ⋅ Qianxin ⋅ Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333,
author = {Qi Anxin Threat Intelligence Center},
title = {{APT Report 2019}},
date = {2020-02-13},
institution = {Qianxin},
url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf},
language = {English},
urldate = {2020-02-27}
}
APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:gold:1892bc8,
author = {SecureWorks},
title = {{GOLD KINGSWOOD}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/gold-kingswood},
language = {English},
urldate = {2020-05-23}
}
GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:66f1290,
author = {SecureWorks},
title = {{BRONZE RIVERSIDE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-riverside},
language = {English},
urldate = {2020-05-23}
}
BRONZE RIVERSIDE
Anel ChChes Cobalt Strike PlugX Poison Ivy Quasar RAT RedLeaves Stone Panda |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:gold:983570b,
author = {SecureWorks},
title = {{GOLD KINGSWOOD}},
date = {2020},
organization = {Secureworks},
url = {http://www.secureworks.com/research/threat-profiles/gold-kingswood},
language = {English},
urldate = {2020-05-23}
}
GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz Cobalt |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:gold:97e5784,
author = {SecureWorks},
title = {{GOLD NIAGARA}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/gold-niagara},
language = {English},
urldate = {2020-05-23}
}
GOLD NIAGARA
Bateleur Griffon Carbanak Cobalt Strike DRIFTPIN TinyMet FIN7 |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:tin:ccd6795,
author = {SecureWorks},
title = {{TIN WOODLAWN}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/tin-woodlawn},
language = {English},
urldate = {2020-05-23}
}
TIN WOODLAWN
Cobalt Strike KerrDown MimiKatz PHOREAL RatSnif Remy SOUNDBITE APT32 |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:gold:8050e44,
author = {SecureWorks},
title = {{GOLD DUPONT}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/gold-dupont},
language = {English},
urldate = {2020-05-23}
}
GOLD DUPONT
Cobalt Strike Defray PyXie GOLD DUPONT |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:1a5bdbb,
author = {SecureWorks},
title = {{BRONZE PRESIDENT}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-president},
language = {English},
urldate = {2020-05-23}
}
BRONZE PRESIDENT
CHINACHOPPER Cobalt Strike PlugX Mustang Panda |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:e8ad4fb,
author = {SecureWorks},
title = {{BRONZE MOHAWK}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-mohawk},
language = {English},
urldate = {2020-05-23}
}
BRONZE MOHAWK
AIRBREAK scanbox BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi homefry murkytop SeDll Leviathan |
2019-12-12 ⋅ FireEye ⋅ Chi-en Shen, Oleg Bondarenko
@online{shen:20191212:cyber:e01baca,
author = {Chi-en Shen and Oleg Bondarenko},
title = {{Cyber Threat Landscape in Japan – Revealing Threat in the Shadow}},
date = {2019-12-12},
organization = {FireEye},
url = {https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko},
language = {English},
urldate = {2020-04-16}
}
Cyber Threat Landscape in Japan – Revealing Threat in the Shadow
Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech |
2019-12-05 ⋅ Github (blackorbird) ⋅ blackorbird
@techreport{blackorbird:20191205:apt32:0afe4e7,
author = {blackorbird},
title = {{APT32 Report}},
date = {2019-12-05},
institution = {Github (blackorbird)},
url = {https://github.com/blackorbird/APT_REPORT/blob/master/Oceanlotus/apt32_report_2019.pdf},
language = {Japanese},
urldate = {2020-01-10}
}
APT32 Report
Cobalt Strike |
2019-12-05 ⋅ Raphael Mudge
@online{mudge:20191205:cobalt:219044e,
author = {Raphael Mudge},
title = {{Cobalt Strike 4.0 – Bring Your Own Weaponization}},
date = {2019-12-05},
url = {https://blog.cobaltstrike.com/},
language = {English},
urldate = {2019-12-06}
}
Cobalt Strike 4.0 – Bring Your Own Weaponization
Cobalt Strike |
2019-11-29 ⋅ Deloitte ⋅ Thomas Thomasen
@techreport{thomasen:20191129:cyber:1aae987,
author = {Thomas Thomasen},
title = {{Cyber Threat Intelligence & Incident Response}},
date = {2019-11-29},
institution = {Deloitte},
url = {https://www2.deloitte.com/content/dam/Deloitte/dk/Documents/Grabngo/Aarhus_miniseminar_291118.pdf},
language = {English},
urldate = {2020-03-04}
}
Cyber Threat Intelligence & Incident Response
Cobalt Strike |
2019-11-19 ⋅ FireEye ⋅ Kelli Vanderlee, Nalani Fraser
@techreport{vanderlee:20191119:achievement:6be19eb,
author = {Kelli Vanderlee and Nalani Fraser},
title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}},
date = {2019-11-19},
institution = {FireEye},
url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf},
language = {English},
urldate = {2021-03-02}
}
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell |
2019-11-05 ⋅ tccontre Blog ⋅ tccontre
@online{tccontre:20191105:cobaltstrike:02e37af,
author = {tccontre},
title = {{CobaltStrike - beacon.dll : Your No Ordinary MZ Header}},
date = {2019-11-05},
organization = {tccontre Blog},
url = {https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html},
language = {English},
urldate = {2019-12-17}
}
CobaltStrike - beacon.dll : Your No Ordinary MZ Header
Cobalt Strike |
2019-09-22 ⋅ Check Point Research ⋅ Check Point Research
@online{research:20190922:rancor:e834f67,
author = {Check Point Research},
title = {{Rancor: The Year of The Phish}},
date = {2019-09-22},
organization = {Check Point Research},
url = {https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/},
language = {English},
urldate = {2020-03-04}
}
Rancor: The Year of The Phish
8.t Dropper Cobalt Strike |
2019-06-13 ⋅ Sekoia ⋅ sekoia
@online{sekoia:20190613:hunting:201a07e,
author = {sekoia},
title = {{Hunting and detecting Cobalt Strike}},
date = {2019-06-13},
organization = {Sekoia},
url = {https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/},
language = {English},
urldate = {2021-08-02}
}
Hunting and detecting Cobalt Strike
Cobalt Strike |
2019-06-04 ⋅ Bitdefender ⋅ Bitdefender
@techreport{bitdefender:20190604:blueprint:ce0583c,
author = {Bitdefender},
title = {{An APT Blueprint: Gaining New Visibility into Financial Threats}},
date = {2019-06-04},
institution = {Bitdefender},
url = {https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf},
language = {English},
urldate = {2019-12-18}
}
An APT Blueprint: Gaining New Visibility into Financial Threats
More_eggs Cobalt Strike |
2019-05-08 ⋅ Verizon Communications Inc. ⋅ Verizon Communications Inc.
@techreport{inc:20190508:2019:3c20a3b,
author = {Verizon Communications Inc.},
title = {{2019 Data Breach Investigations Report}},
date = {2019-05-08},
institution = {Verizon Communications Inc.},
url = {https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf},
language = {English},
urldate = {2020-05-10}
}
2019 Data Breach Investigations Report
BlackEnergy Cobalt Strike DanaBot Gandcrab GreyEnergy Mirai Olympic Destroyer SamSam |
2019-04-24 ⋅ Weixin ⋅ Tencent
@online{tencent:20190424:sea:a722d68,
author = {Tencent},
title = {{"Sea Lotus" APT organization's attack techniques against China in the first quarter of 2019 revealed}},
date = {2019-04-24},
organization = {Weixin},
url = {https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A},
language = {English},
urldate = {2020-01-13}
}
"Sea Lotus" APT organization's attack techniques against China in the first quarter of 2019 revealed
Cobalt Strike SOUNDBITE |
2019-04-15 ⋅ PenTestPartners ⋅ Neil Lines
@online{lines:20190415:cobalt:7b3c086,
author = {Neil Lines},
title = {{Cobalt Strike. Walkthrough for Red Teamers}},
date = {2019-04-15},
organization = {PenTestPartners},
url = {https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/},
language = {English},
urldate = {2019-12-17}
}
Cobalt Strike. Walkthrough for Red Teamers
Cobalt Strike |
2019-04 ⋅ Macnica Networks ⋅ Macnica Networks
@techreport{networks:201904:oceanlotus:8ceeac3,
author = {Macnica Networks},
title = {{OceanLotus Attack on Southeast Asian Automotive Industry}},
date = {2019-04},
institution = {Macnica Networks},
url = {https://www.macnica.net/file/mpression_automobile.pdf},
language = {Japanese},
urldate = {2021-03-02}
}
OceanLotus Attack on Southeast Asian Automotive Industry
CACTUSTORCH Cobalt Strike |
2019-04-01 ⋅ Macnica Networks ⋅ Macnica Networks
@techreport{networks:20190401:trends:cf738dc,
author = {Macnica Networks},
title = {{Trends in Cyber Espionage Targeting Japan 2nd Half of 2018}},
date = {2019-04-01},
institution = {Macnica Networks},
url = {https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf},
language = {Japanese},
urldate = {2021-03-02}
}
Trends in Cyber Espionage Targeting Japan 2nd Half of 2018
Anel Cobalt Strike Datper PLEAD Quasar RAT RedLeaves taidoor Zebrocy |
2019-03-24 ⋅ One Night in Norfolk ⋅ Kevin Perlow
@online{perlow:20190324:jeshell:439ae8b,
author = {Kevin Perlow},
title = {{JEShell: An OceanLotus (APT32) Backdoor}},
date = {2019-03-24},
organization = {One Night in Norfolk},
url = {https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/},
language = {English},
urldate = {2020-05-19}
}
JEShell: An OceanLotus (APT32) Backdoor
Cobalt Strike KerrDown |
2019-02-27 ⋅ Morphisec ⋅ Michael Gorelik, Alon Groisman
@online{gorelik:20190227:new:5296a0b,
author = {Michael Gorelik and Alon Groisman},
title = {{New Global Cyber Attack on Point of Sale Sytem}},
date = {2019-02-27},
organization = {Morphisec},
url = {http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems},
language = {English},
urldate = {2020-01-09}
}
New Global Cyber Attack on Point of Sale Sytem
Cobalt Strike |
2019-02-26 ⋅ Fox-IT ⋅ Fox IT
@online{it:20190226:identifying:689104d,
author = {Fox IT},
title = {{Identifying Cobalt Strike team servers in the wild}},
date = {2019-02-26},
organization = {Fox-IT},
url = {https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/},
language = {English},
urldate = {2020-10-25}
}
Identifying Cobalt Strike team servers in the wild
Cobalt Strike |
2018-11-19 ⋅ FireEye ⋅ Matthew Dunwoody, Andrew Thompson, Ben Withnell, Jonathan Leathery, Michael Matonis, Nick Carr
@online{dunwoody:20181119:not:e581291,
author = {Matthew Dunwoody and Andrew Thompson and Ben Withnell and Jonathan Leathery and Michael Matonis and Nick Carr},
title = {{Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign}},
date = {2018-11-19},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html},
language = {English},
urldate = {2019-12-20}
}
Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign
Cobalt Strike |
2018-11-18 ⋅ Stranded on Pylos Blog ⋅ Joe
@online{joe:20181118:cozybear:4801301,
author = {Joe},
title = {{CozyBear – In from the Cold?}},
date = {2018-11-18},
organization = {Stranded on Pylos Blog},
url = {https://pylos.co/2018/11/18/cozybear-in-from-the-cold/},
language = {English},
urldate = {2020-01-09}
}
CozyBear – In from the Cold?
Cobalt Strike APT 29 |
2018-10-01 ⋅ Macnica Networks ⋅ Macnica Networks
@techreport{networks:20181001:trends:17b1db5,
author = {Macnica Networks},
title = {{Trends in cyber espionage (targeted attacks) targeting Japan | First half of 2018}},
date = {2018-10-01},
institution = {Macnica Networks},
url = {https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf},
language = {Japanese},
urldate = {2021-03-02}
}
Trends in cyber espionage (targeted attacks) targeting Japan | First half of 2018
Anel Cobalt Strike Datper FlawedAmmyy Quasar RAT RedLeaves taidoor Winnti xxmm |
2018-10-01 ⋅ FireEye ⋅ Regina Elwell, Katie Nickels
@techreport{elwell:20181001:attcking:3c6d888,
author = {Regina Elwell and Katie Nickels},
title = {{ATT&CKing FIN7}},
date = {2018-10-01},
institution = {FireEye},
url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf},
language = {English},
urldate = {2020-06-25}
}
ATT&CKing FIN7
Bateleur BELLHOP Griffon ANTAK POWERPIPE POWERSOURCE HALFBAKED BABYMETAL Carbanak Cobalt Strike DNSMessenger DRIFTPIN PILLOWMINT SocksBot |
2018-10 ⋅ Group-IB ⋅ Group-IB
@techreport{groupib:201810:hitech:420711f,
author = {Group-IB},
title = {{Hi-Tech Crime Trends 2018}},
date = {2018-10},
institution = {Group-IB},
url = {https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf},
language = {English},
urldate = {2021-02-09}
}
Hi-Tech Crime Trends 2018
BackSwap Cobalt Strike Cutlet Meterpreter |
2018-08-03 ⋅ JPCERT/CC ⋅ Takuya Endo, Yukako Uchida
@online{endo:20180803:volatility:4597ce0,
author = {Takuya Endo and Yukako Uchida},
title = {{Volatility Plugin for Detecting Cobalt Strike Beacon}},
date = {2018-08-03},
organization = {JPCERT/CC},
url = {https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html},
language = {English},
urldate = {2019-07-11}
}
Volatility Plugin for Detecting Cobalt Strike Beacon
Cobalt Strike |
2018-07-31 ⋅ Github (JPCERTCC) ⋅ JPCERT/CC
@online{jpcertcc:20180731:scanner:d1757d9,
author = {JPCERT/CC},
title = {{Scanner for CobaltStrike}},
date = {2018-07-31},
organization = {Github (JPCERTCC)},
url = {https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py},
language = {English},
urldate = {2020-01-13}
}
Scanner for CobaltStrike
Cobalt Strike |
2018-05-21 ⋅ LAC ⋅ Yoshihiro Ishikawa
@online{ishikawa:20180521:confirmed:ad336b5,
author = {Yoshihiro Ishikawa},
title = {{Confirmed new attacks by APT attacker group menuPass (APT10)}},
date = {2018-05-21},
organization = {LAC},
url = {https://www.lac.co.jp/lacwatch/people/20180521_001638.html},
language = {Japanese},
urldate = {2019-10-27}
}
Confirmed new attacks by APT attacker group menuPass (APT10)
Cobalt Strike |
2017-06-06 ⋅ FireEye ⋅ Ian Ahl
@online{ahl:20170606:privileges:9598d5f,
author = {Ian Ahl},
title = {{Privileges and Credentials: Phished at the Request of Counsel}},
date = {2017-06-06},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html},
language = {English},
urldate = {2019-12-20}
}
Privileges and Credentials: Phished at the Request of Counsel
Cobalt Strike |
2016-10-11 ⋅ Symantec ⋅ Symantec Security Response
@online{response:20161011:odinaff:36b35db,
author = {Symantec Security Response},
title = {{Odinaff: New Trojan used in high level financial attacks}},
date = {2016-10-11},
organization = {Symantec},
url = {https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks},
language = {English},
urldate = {2019-12-05}
}
Odinaff: New Trojan used in high level financial attacks
Cobalt Strike KLRD MimiKatz Odinaff |
2012 ⋅ Cobalt Strike ⋅ Cobalt Strike
@online{strike:2012:cobalt:8522cdd,
author = {Cobalt Strike},
title = {{Cobalt Strike Website}},
date = {2012},
organization = {Cobalt Strike},
url = {https://www.cobaltstrike.com/support},
language = {English},
urldate = {2020-01-13}
}
Cobalt Strike Website
Cobalt Strike |
