@online{037:20190320:apt38:4c7f1d4, author = {@037}, title = {{APT38 DYEPACK FRAMEWORK}}, date = {2019-03-20}, organization = {Github (649)}, url = {https://github.com/649/APT38-DYEPACK}, language = {English}, urldate = {2019-12-17} } @online{0verfl0w:20190115:analyzing:bf3b215, author = {0verfl0w_}, title = {{Analyzing COMmunication in Malware}}, date = {2019-01-15}, organization = {0ffset Blog}, url = {https://0ffset.net/reverse-engineering/analyzing-com-mechanisms-in-malware/}, language = {English}, urldate = {2020-01-06} } @online{0verfl0w:20190205:revisiting:8e39d7e, author = {0verfl0w_}, title = {{Revisiting Hancitor in Depth}}, date = {2019-02-05}, organization = {0ffset Blog}, url = {https://0ffset.net/reverse-engineering/malware-analysis/reversing-hancitor-again/}, language = {English}, urldate = {2020-01-06} } @online{0verfl0w:20190313:analysing:1f83706, author = {0verfl0w_}, title = {{Analysing ISFB – The First Loader}}, date = {2019-03-13}, organization = {0ffset Blog}, url = {https://0ffset.net/reverse-engineering/malware-analysis/analysing-isfb-loader/}, language = {English}, urldate = {2020-01-10} } @online{0verfl0w:20190525:analyzing:84874ea, author = {0verfl0w_}, title = {{Analyzing ISFB – The Second Loader}}, date = {2019-05-25}, organization = {0ffset Blog}, url = {https://0ffset.net/reverse-engineering/malware-analysis/analyzing-isfb-second-loader/}, language = {English}, urldate = {2020-01-13} } @online{0verfl0w:20190531:defeating:eb0994e, author = {0verfl0w_}, title = {{Defeating Commercial and Custom Packers like a Pro - VMProtect, ASPack, PECompact, and more}}, date = {2019-05-31}, organization = {Youtube (0verfl0w_)}, url = {https://www.youtube.com/watch?v=N4f2e8Mygag}, language = {English}, urldate = {2020-01-08} } @online{0verfl0w:20190708:analyzing:b984acf, author = {0verfl0w_}, title = {{Analyzing KSL0T (Turla’s Keylogger), Part 2 – Reupload}}, date = {2019-07-08}, organization = {0ffset Blog}, url = {https://0ffset.net/reverse-engineering/malware-analysis/analyzing-turlas-keylogger-2/}, language = {English}, urldate = {2020-01-10} } @online{0verfl0w:20190708:analyzing:f246b28, author = {0verfl0w_}, title = {{Analyzing KSL0T (Turla’s Keylogger), Part 1 – Reupload}}, date = {2019-07-08}, organization = {0ffset Blog}, url = {https://0ffset.net/reverse-engineering/malware-analysis/analyzing-turlas-keylogger-1/}, language = {English}, urldate = {2020-01-06} } @online{0verfl0w:20200607:dealing:b50665d, author = {0verfl0w_}, title = {{Dealing with Obfuscated Macros, Statically - NanoCore}}, date = {2020-06-07}, organization = {Zero2Automated Blog}, url = {https://zero2auto.com/2020/06/07/dealing-with-obfuscated-macros/}, language = {English}, urldate = {2020-06-11} } @online{0x09al:20181020:dropboxc2c:bf05a34, author = {0x09AL}, title = {{DropboxC2C}}, date = {2018-10-20}, url = {https://github.com/0x09AL/DropboxC2C}, language = {English}, urldate = {2020-03-06} } @online{0x0:20191221:shamoon:eb1828b, author = {Myrtus 0x0}, title = {{Shamoon 2012 Complete Analysis}}, date = {2019-12-21}, organization = {MalwareInDepth}, url = {https://malwareindepth.com/shamoon-2012/}, language = {English}, urldate = {2020-01-12} } @online{0x0:20200404:nanocore:6649008, author = {Myrtus 0x0}, title = {{Nanocore & CypherIT}}, date = {2020-04-04}, organization = {MalwareInDepth}, url = {https://malwareindepth.com/defeating-nanocore-and-cypherit/}, language = {English}, urldate = {2020-04-07} } @online{0xebfe:20130330:fooled:88d133a, author = {0xEBFE}, title = {{Fooled by Andromeda}}, date = {2013-03-30}, organization = {0xEBFE Blog about life}, url = {http://www.0xebfe.net/blog/2013/03/30/fooled-by-andromeda/}, language = {English}, urldate = {2019-07-27} } @online{0xffff0800:20181114:amadey:e362501, author = {0xffff0800}, title = {{Tweet on Amadey C2}}, date = {2018-11-14}, organization = {Twitter (@0xffff0800)}, url = {https://twitter.com/0xffff0800/status/1062948406266642432}, language = {English}, urldate = {2020-01-07} } @online{0xffff0800:20190222:pe:ea39c56, author = {0xffff0800}, title = {{Tweet on PE}}, date = {2019-02-22}, organization = {Twitter}, url = {https://twitter.com/i/web/status/1099147896950185985}, language = {English}, urldate = {2020-01-08} } @online{0xffff0800:20190302:opjerusalm:4743e08, author = {@0xffff0800}, title = {{Tweet on #OpJerusalm Ransomware}}, date = {2019-03-02}, organization = {Twitter (@0xffff0800)}, url = {https://twitter.com/0xffff0800/status/1102078898320302080}, language = {English}, urldate = {2019-07-08} } @online{1d8:20200713:remcos:531702d, author = {1d8}, title = {{Remcos RAT Macro Dropper Doc}}, date = {2020-07-13}, organization = {Github (1d8)}, url = {https://github.com/1d8/analyses/blob/master/RemcosDocDropper.MD}, language = {English}, urldate = {2020-07-16} } @online{20140313:20140313:energy:8736af5, author = {2014-03-13}, title = {{Energy Watering Hole Attack Used LightsOut Exploit Kit}}, date = {2014-03-13}, organization = {Threatpost}, url = {https://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit-kit/104772/}, language = {English}, urldate = {2020-01-08} } @online{360:20180712:blue:ca92dea, author = {360}, title = {{Blue Pork Mushroom (APT-C-12) targeted attack technical details revealed}}, date = {2018-07-12}, organization = {360 Threat Intelligence}, url = {https://mp.weixin.qq.com/s/S-hiGFNC6WXGrkjytAVbpA}, language = {Chinese}, urldate = {2020-04-06} } @online{360:20180921:poison:d1cab92, author = {Qihoo 360}, title = {{Poison Ivy Group and the Cyberespionage Campaign Against Chinese Military and Goverment}}, date = {2018-09-21}, organization = {Qihoo 360 Technology}, url = {http://blogs.360.cn/post/APT_C_01_en.html}, language = {English}, urldate = {2019-11-29} } @online{360:20181205:operation:65a4907, author = {360}, title = {{Operation Poison Needles - APT Group Attacked the Polyclinic of the Presidential Administration of Russia, Exploiting a Zero-day}}, date = {2018-12-05}, organization = {360}, url = {http://blogs.360.cn/post/PoisonNeedles_CVE-2018-15982_EN}, language = {English}, urldate = {2020-01-06} } @online{360:20190228:urlzone:e1814da, author = {360威胁情报中心}, title = {{URLZone: Analysis of Suspected Attacks Against Japanese Hi-Tech Enterprise Employees}}, date = {2019-02-28}, organization = {Weixin}, url = {https://mp.weixin.qq.com/s/NRytT94ne5gKN31CSLq6GA}, language = {Chinese}, urldate = {2019-11-27} } @online{360:20200302:cia:d88b9c9, author = {Qihoo 360}, title = {{The CIA Hacking Group (APT-C-39) Conducts Cyber-Espionage Operation on China's Critical Industries for 11 Years}}, date = {2020-03-02}, organization = {Qihoo 360 Technology}, url = {http://blogs.360.cn/post/APT-C-39_CIA_EN.html}, language = {English}, urldate = {2020-03-03} } @online{360:20200406:darkhotel:78f0a7f, author = {Qihoo 360}, title = {{The DarkHotel (APT-C-06) Attacked Chinese Institutions Abroad via Exploiting SangFor VPN Vulnerability}}, date = {2020-04-06}, organization = {360.cn}, url = {https://blogs.360.cn/post/APT_Darkhotel_attacks_during_coronavirus_pandemic.html}, language = {English}, urldate = {2020-04-07} } @online{3xp0rt:20200405:lets:fb49d9f, author = {3xp0rt}, title = {{Let's check: Sorano Stealer}}, date = {2020-04-05}, url = {https://3xp0rt.xyz/lpmkikVic}, language = {English}, urldate = {2020-05-20} } @online{3xp0rt:20200407:decompiled:83e10aa, author = {3xp0rt}, title = {{Decompiled SoranoStealer}}, date = {2020-04-07}, organization = {Github (3xp0rt)}, url = {https://github.com/3xp0rt/SoranoStealer}, language = {English}, urldate = {2020-05-20} } @online{3xp0rt:20200624:new:6b725c2, author = {3xp0rt}, title = {{Tweet on new version of TaurusStealer (v1.4)}}, date = {2020-06-24}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1275746149719252992}, language = {English}, urldate = {2020-06-24} } @online{42:20171027:tracking:bde654e, author = {Unit 42}, title = {{Tracking Subaat: Targeted Phishing Attack Leads to Threat Actor’s Repository}}, date = {2017-10-27}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/10/unit42-tracking-subaat-targeted-phishing-attacks-point-leader-threat-actors-repository/}, language = {English}, urldate = {2019-12-20} } @online{42:20190222:new:7bda906, author = {Unit 42}, title = {{New BabyShark Malware Targets U.S. National Security Think Tanks}}, date = {2019-02-22}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/}, language = {English}, urldate = {2020-01-07} } @online{42:20190312:operation:3610bc8, author = {Unit 42}, title = {{Operation Comando: How to Run a Cheap and Effective Credit Card Business}}, date = {2019-03-12}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/operation-comando-or-how-to-run-a-cheap-and-effective-credit-card-business/}, language = {English}, urldate = {2019-10-23} } @online{42:20191202:imminent:462e901, author = {Unit 42}, title = {{Imminent Monitor – a RAT Down Under}}, date = {2019-12-02}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/imminent-monitor-a-rat-down-under/}, language = {English}, urldate = {2020-01-06} } @online{471:20200331:revil:0e5226a, author = {Intel 471}, title = {{REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation}}, date = {2020-03-31}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/}, language = {English}, urldate = {2020-04-01} } @online{471:20200414:understanding:ca95961, author = {Intel 471}, title = {{Understanding the relationship between Emotet, Ryuk and TrickBot}}, date = {2020-04-14}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/}, language = {English}, urldate = {2020-04-26} } @online{471:20200521:brief:048d164, author = {Intel 471}, title = {{A brief history of TA505}}, date = {2020-05-21}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/}, language = {English}, urldate = {2020-05-23} } @online{471:20200708:irans:0bc8398, author = {Intel 471}, title = {{Iran’s domestic espionage: Lessons from recent data leaks}}, date = {2020-07-08}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/07/08/irans-domestic-espionage-lessons-from-recent-data-leaks/}, language = {English}, urldate = {2020-07-11} } @online{471:20200715:flowspec:683a5a1, author = {Intel 471}, title = {{Flowspec – TA505’s bulletproof hoster of choice}}, date = {2020-07-15}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/07/15/flowspec-ta505s-bulletproof-hoster-of-choice/}, language = {English}, urldate = {2020-07-16} } @online{471:20200812:prioritizing:83e5896, author = {Intel 471}, title = {{Prioritizing “critical” vulnerabilities: A threat intelligence perspective}}, date = {2020-08-12}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/08/12/prioritizing-critical-vulnerabilities-a-threat-intelligence-perspective/}, language = {English}, urldate = {2020-08-14} } @online{51ddh4r7h4:20180820:advanced:9eb6e5c, author = {51ddh4r7h4}, title = {{Advanced Brazilian Malware Analysis}}, date = {2018-08-20}, organization = {ReversingMinds' Blog}, url = {http://reversingminds-blog.logdown.com/posts/7807545-analysis-of-advanced-brazilian-banker-malware}, language = {English}, urldate = {2020-01-13} } @online{5loyd:20171103:trochilus:964b44c, author = {5loyd}, title = {{Trochilus}}, date = {2017-11-03}, organization = {Github (5loyd)}, url = {https://github.com/5loyd/trochilus/}, language = {English}, urldate = {2020-01-08} } @online{9b:20180627:latest:5770e87, author = {9b}, title = {{Latest observed JS payload used for APT32 profiling}}, date = {2018-06-27}, organization = {Github (9b)}, url = {https://gist.github.com/9b/141a5c7ab8b4280901722e2cd931b7ef}, language = {English}, urldate = {2020-01-09} } @online{:2010:trojandownloaderw32chyminea:30597d8, author = {_}, title = {{Trojan-Downloader:W32/Chymine.A}}, date = {2010}, organization = {F-Secure}, url = {https://www.f-secure.com/v-descs/trojan-downloader_w32_chymine_a.shtml}, language = {English}, urldate = {2019-09-22} } @online{:20130203:forum:e9bf784, author = {小男孩}, title = {{Forum Post: GetPwd_K8 one-click to get the plain text password of the system login user based on French ...}}, date = {2013-02-03}, url = {https://ihonker.org/thread-1504-1-1.html}, language = {Chinese}, urldate = {2020-01-23} } @online{:20131217:bebloh:dcd1f5f, author = {}, title = {{Bebloh – a well-known banking Trojan with noteworthy innovations}}, date = {2013-12-17}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/2013/12/23978-bebloh-a-well-known-banking-trojan-with-noteworthy-innovations}, language = {English}, urldate = {2019-10-28} } @online{:20141022:cryakl:aaecc86, author = {Артём Семенченко and Федор Синицын and Татьяна Куликова}, title = {{Шифровальщик Cryakl или Фантомас разбушевался}}, date = {2014-10-22}, organization = {Kaspersky Labs}, url = {https://securelist.ru/shifrovalshhik-cryakl-ili-fantomas-razbushevalsya/24070/}, language = {Russian}, urldate = {2019-12-16} } @techreport{:20170225:silent:5a11e12, author = {Kyoung-Ju Kwak (郭炅周)}, title = {{Silent RIFLE: Response Against Advanced Threat}}, date = {2017-02-25}, institution = {Financial Security Institute}, url = {https://hackcon.org/uploads/327/05%20-%20Kwak.pdf}, language = {English}, urldate = {2020-03-04} } @online{:20180602:hidden:674cfb9, author = {安全豹}, title = {{"Hidden Bee" strikes: Kingsoft Internet Security intercepts the world's first bootkit-level mining botnet (Part 1)}}, date = {2018-06-02}, organization = {Freebuf}, url = {https://www.freebuf.com/column/174581.html}, language = {Chinese}, urldate = {2020-01-13} } @online{:20180726:analysis:66722b6, author = {奇安信威胁情报中心 | 事件追踪}, title = {{Analysis of the latest attack activities of APT-C-35}}, date = {2018-07-26}, url = {https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/}, language = {Chinese}, urldate = {2020-01-08} } @online{:20181005:post:4890d7d, author = {_}, title = {{Post 0x17.2: Analyzing Turla’s Keylogger}}, date = {2018-10-05}, url = {https://0ffset.wordpress.com/2018/10/05/post-0x17-2-turla-keylogger/}, language = {English}, urldate = {2019-07-27} } @online{:20181225:bittertapt17:faf6bde, author = {腾讯电脑管家}, title = {{BITTER/T-APT-17 reports on the latest attacks on sensitive agencies such as military, nuclear, and government agencies in China}}, date = {2018-12-25}, organization = {Tencent}, url = {https://www.freebuf.com/articles/database/192726.html}, language = {Chinese}, urldate = {2020-03-02} } @online{:20190124:excel:2dd401c, author = {事件追踪}, title = {{Excel 4.0 Macro Utilized by TA505 to Target Financial Institutions Recently}}, date = {2019-01-24}, organization = {奇安信威胁情报中心}, url = {https://ti.360.net/blog/articles/excel-4.0-macro-utilized-by-ta505-to-target-financial-institutions-recently-en/}, language = {English}, urldate = {2019-12-02} } @online{:20190214:suspected:25adc45, author = {奇安信威胁情报中心}, title = {{Suspected Molerats New Attack in the Middle East}}, date = {2019-02-14}, organization = {360.cn}, url = {https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east/}, language = {Chinese}, urldate = {2019-10-12} } @online{:20190214:suspected:5df65f1, author = {事件追踪}, title = {{Suspected Molerats' New Attack in the Middle East}}, date = {2019-02-14}, organization = {奇安信威胁情报中心}, url = {https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east-en/}, language = {English}, urldate = {2020-01-07} } @online{:20190306:taidoor:651efa6, author = {NTT セキュリティ and ジャパン株式会社}, title = {{Taidoor を用いた標的型攻撃}}, date = {2019-03-06}, organization = {Unit CANARY}, url = {https://www.nttsecurity.com/docs/librariesprovider3/resources/taidoor%E3%82%92%E7%94%A8%E3%81%84%E3%81%9F%E6%A8%99%E7%9A%84%E5%9E%8B%E6%94%BB%E6%92%83%E8%A7%A3%E6%9E%90%E3%83%AC%E3%83%9D%E3%83%BC%E3%83%88_v1}, language = {English}, urldate = {2020-01-13} } @online{:20190319:aptc27:6ab4857, author = {奇安信威胁情报中心}, title = {{APT-C-27 (Goldmouse): Suspected Target Attack against the Middle East with WinRAR Exploit}}, date = {2019-03-19}, url = {https://ti.360.net/blog/articles/apt-c-27-(goldmouse):-suspected-target-attack-against-the-middle-east-with-winrar-exploit-en/}, language = {English}, urldate = {2019-10-26} } @online{:20190813::eae3d10, author = {奇安信威胁情报中心}, title = {{洞察人性:一起利用政治人物桃色丑闻的诱饵攻击活动披露}}, date = {2019-08-13}, url = {https://wemp.app/posts/80ab2b2d-4e0e-4960-94b7-4d452a06fd38?utm_source=latest-posts}, language = {Chinese}, urldate = {2020-01-13} } @online{:20200723::adadd32, author = {AhnLab ASEC 분석팀}, title = {{국내 인터넷 커뮤니티 사이트에서 악성코드 유포 (유틸리티 위장)}}, date = {2020-07-23}, organization = {AhnLab}, url = {https://asec.ahnlab.com/1360}, language = {Korean}, urldate = {2020-07-30} } @online{a:2016:cyber:140f384, author = {Monnappa K A}, title = {{CYBER ATTACK IMPERSONATING IDENTITY OF INDIAN THINK TANK TO TARGET CENTRAL BUREAU OF INVESTIGATION (CBI) AND POSSIBLY INDIAN ARMY OFFICIALS}}, date = {2016}, organization = {Cysinfo}, url = {https://cysinfo.com/cyber-attack-targeting-cbi-and-possibly-indian-army-officials}, language = {English}, urldate = {2020-01-07} } @online{a:20180910:turla:c92b687, author = {Monnappa K A}, title = {{turla gazer backdoor code injection & winlogon shell persistence}}, date = {2018-09-10}, organization = {Youtube ( Monnappa K A)}, url = {https://www.youtube.com/watch?v=Pvzhtjl86wc}, language = {English}, urldate = {2020-01-13} } @online{a:20190513:chacha:840508a, author = {Amigo A}, title = {{ChaCha Ransomware}}, date = {2019-05-13}, url = {https://id-ransomware.blogspot.com/2019/05/chacha-ransomware.html}, language = {Russian}, urldate = {2019-12-02} } @online{a:20200411:rhino:c3d7b04, author = {Amigo A}, title = {{Rhino Ransomware}}, date = {2020-04-11}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/04/rhino-ransomware.html}, language = {Russian}, urldate = {2020-05-18} } @online{abbasi:20180716:danabot:08d5942, author = {Fahim Abbasi}, title = {{DanaBot Riding Fake MYOB Invoice Emails}}, date = {2018-07-16}, organization = {SpiderLabs Blog}, url = {https://www.trustwave.com/Resources/SpiderLabs-Blog/DanaBot-Riding-Fake-MYOB-Invoice-Emails/}, language = {English}, urldate = {2020-01-10} } @online{abbati:20161108:analysis:374eea4, author = {Amaud Abbati}, title = {{Analysis of IOS.GUIINJECT Adware Library}}, date = {2016-11-08}, organization = {SentinelOne}, url = {https://sentinelone.com/blogs/analysis-ios-guiinject-adware-library/}, language = {English}, urldate = {2020-01-08} } @online{abbati:20170823:cs:1ecb9bb, author = {Arnaud Abbati}, title = {{CS: Go Hacks for Mac – OSX.Pwnet.A}}, date = {2017-08-23}, organization = {SentinelOne}, url = {https://sentinelone.com/blog/osx-pwnet-a-csgo-hack-and-sneaky-miner/}, language = {English}, urldate = {2019-08-07} } @online{abbati:20171128:osxcpumeaner:23f69f0, author = {Arnaud Abbati}, title = {{OSX.CPUMEANER: New Cryptocurrency Mining Trojan Targets MacOS}}, date = {2017-11-28}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/osx-cpumeaner-miner-trojan-software-pirates/}, language = {English}, urldate = {2019-12-05} } @online{abel:20180720:malware:62e1c9e, author = {Robert Abel}, title = {{Malware author ‘Anarchy’ builds 18,000-strong Huawei router botnet}}, date = {2018-07-20}, url = {https://www.scmagazine.com/malware-author-anarchy-builds-18000-strong-huawei-router-botnet/article/782395/}, language = {English}, urldate = {2019-11-27} } @online{abrams:20160214:padcrypt:626523d, author = {Lawrence Abrams}, title = {{PadCrypt: The first ransomware with Live Support Chat and an Uninstaller}}, date = {2016-02-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/padcrypt-the-first-ransomware-with-live-support-chat-and-an-uninstaller/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20160408:cryptohost:d0f5780, author = {Lawrence Abrams}, title = {{CryptoHost Decrypted: Locks files in a password protected RAR File}}, date = {2016-04-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/cryptohost-decrypted-locks-files-in-a-password-protected-rar-file/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20160722:stampado:207584f, author = {Lawrence Abrams}, title = {{Stampado Ransomware campaign decrypted before it Started}}, date = {2016-07-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/stampado-ransomware-campaign-decrypted-before-it-started/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20160908:philadelphia:18b2e18, author = {Lawrence Abrams}, title = {{The Philadelphia Ransomware offers a Mercy Button for Compassionate Criminals}}, date = {2016-09-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20160928:introducing:f09b941, author = {Lawrence Abrams}, title = {{Introducing Her Royal Highness, the Princess Locker Ransomware}}, date = {2016-09-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/introducing-her-royal-highness-the-princess-locker-ransomware/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20160930:hacked:760d56c, author = {Lawrence Abrams}, title = {{Hacked Steam accounts spreading Remote Access Trojan}}, date = {2016-09-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hacked-steam-accounts-spreading-remote-access-trojan/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20161027:indev:79b8937, author = {Lawrence Abrams}, title = {{In-Dev Ransomware forces you do to Survey before unlocking Computer}}, date = {2016-10-27}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20161115:cryptoluck:19599ea, author = {Lawrence Abrams}, title = {{CryptoLuck Ransomware being Malvertised via RIG-E Exploit Kits}}, date = {2016-11-15}, organization = {Bleeping Computer}, url = {http://www.bleepingcomputer.com/news/security/cryptoluck-ransomware-being-malvertised-via-rig-e-exploit-kits/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20170119:new:b020afc, author = {Lawrence Abrams}, title = {{New Satan Ransomware available through a Ransomware as a Service.}}, date = {2017-01-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20170207:erebus:2328bb9, author = {Lawrence Abrams}, title = {{Erebus Ransomware Utilizes a UAC Bypass and Request a $90 Ransom Payment}}, date = {2017-02-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/erebus-ransomware-utilizes-a-uac-bypass-and-request-a-90-ransom-payment/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20170315:revenge:b047d2f, author = {Lawrence Abrams}, title = {{Revenge Ransomware, a CryptoMix Variant, Being Distributed by RIG Exploit Kit}}, date = {2017-03-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distributed-by-rig-exploit-kit/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20170816:locky:7445bd0, author = {Lawrence Abrams}, title = {{Locky Ransomware switches to the Lukitus extension for Encrypted Files}}, date = {2017-08-16}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-the-lukitus-extension-for-encrypted-files/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20170816:synccrypt:c8d0c48, author = {Lawrence Abrams}, title = {{SyncCrypt Ransomware Hides Inside JPG Files, Appends .KK Extension}}, date = {2017-08-16}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/synccrypt-ransomware-hides-inside-jpg-files-appends-kk-extension/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20170825:new:a2d73b9, author = {Lawrence Abrams}, title = {{New Arena Crysis Ransomware Variant Released}}, date = {2017-08-25}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20170828:new:4c237c7, author = {Lawrence Abrams}, title = {{New Nuclear BTCWare Ransomware Released (Updated)}}, date = {2017-08-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-nuclear-btcware-ransomware-released-updated/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20171031:oni:b366161, author = {Lawrence Abrams}, title = {{ONI Ransomware Used in Month-Long Attacks Against Japanese Companies}}, date = {2017-10-31}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/oni-ransomware-used-in-month-long-attacks-against-japanese-companies/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20171213:work:d439b4b, author = {Lawrence Abrams}, title = {{WORK Cryptomix Ransomware Variant Released}}, date = {2017-12-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20171222:new:eadbe96, author = {Lawrence Abrams}, title = {{New .DOC GlobeImposter Ransomware Variant Malspam Campaign Underway}}, date = {2017-12-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-doc-globeimposter-ransomware-variant-malspam-campaign-underway/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180121:evrial:5df289b, author = {Lawrence Abrams}, title = {{Evrial Trojan Switches Bitcoin Addresses Copied to Windows Clipboard}}, date = {2018-01-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/evrial-trojan-switches-bitcoin-addresses-copied-to-windows-clipboard/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180126:velso:4b06608, author = {Lawrence Abrams}, title = {{The Velso Ransomware Being Manually Installed by Attackers}}, date = {2018-01-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/the-velso-ransomware-being-manually-installed-by-attackers/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180129:gandcrab:9e003f9, author = {Lawrence Abrams}, title = {{GandCrab Ransomware Distributed by Exploit Kits, Appends GDCB Extension}}, date = {2018-01-29}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180208:gandcrab:40fb494, author = {Lawrence Abrams}, title = {{GandCrab Ransomware Being Distributed Via Malspam Disguised as Receipts}}, date = {2018-02-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180209:black:85fdc3c, author = {Lawrence Abrams}, title = {{Black Ruby Ransomware Skips Victims in Iran and Adds a Miner for Good Measure}}, date = {2018-02-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/black-ruby-ransomware-skips-victims-in-iran-and-adds-a-miner-for-good-measure/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180209:dexcrypt:a7d1f62, author = {Lawrence Abrams}, title = {{DexCrypt MBRLocker Demands 30 Yuan To Gain Access to Computer}}, date = {2018-02-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/dexcrypt-mbrlocker-demands-30-yuan-to-gain-access-to-computer/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180226:thanatos:546a986, author = {Lawrence Abrams}, title = {{Thanatos Ransomware Is First to Use Bitcoin Cash. Messes Up Encryption}}, date = {2018-02-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/thanatos-ransomware-is-first-to-use-bitcoin-cash-messes-up-encryption/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180323:avcrypt:edb1b07, author = {Lawrence Abrams}, title = {{The AVCrypt Ransomware Tries To Uninstall Your AV Software}}, date = {2018-03-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/the-avcrypt-ransomware-tries-to-uninstall-your-av-software/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180514:stalinlocker:5c9f91e, author = {Lawrence Abrams}, title = {{StalinLocker Deletes Your Files Unless You Enter the Right Code}}, date = {2018-05-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/stalinlocker-deletes-your-files-unless-you-enter-the-right-code/}, language = {English}, urldate = {2020-03-02} } @online{abrams:20180626:thanatos:bbe20fc, author = {Lawrence Abrams}, title = {{Thanatos Ransomware Decryptor Released by the Cisco Talos Group}}, date = {2018-06-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/thanatos-ransomware-decryptor-released-by-the-cisco-talos-group/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180912:feedify:7beba8a, author = {Lawrence Abrams}, title = {{Feedify Hacked with Magecart Information Stealing Script}}, date = {2018-09-12}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/feedify-hacked-with-magecart-information-stealing-script/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180914:kraken:643744c, author = {Lawrence Abrams}, title = {{Kraken Cryptor Ransomware Masquerading as SuperAntiSpyware Security Program}}, date = {2018-09-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/kraken-cryptor-ransomware-masquerading-as-superantispyware-security-program/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20181001:roaming:3a9e1c5, author = {Lawrence Abrams}, title = {{Roaming Mantis Group Testing Coinhive Miner Redirects on iPhones}}, date = {2018-10-01}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/roaming-mantis-group-testing-coinhive-miner-redirects-on-iphones/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20181113:hookads:ef89e4e, author = {Lawrence Abrams}, title = {{HookAds Malvertising Installing Malware via the Fallout Exploit Kit}}, date = {2018-11-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hookads-malvertising-installing-malware-via-the-fallout-exploit-kit/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20181119:visiondirect:6c2560e, author = {Lawrence Abrams}, title = {{VisionDirect Data Breach Caused by MageCart Attack}}, date = {2018-11-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/visiondirect-data-breach-caused-by-magecart-attack/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20190104:how:8932d09, author = {Lawrence Abrams}, title = {{How to Decrypt the Aurora Ransomware with AuroraDecrypter}}, date = {2019-01-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/ransomware/decryptor/how-to-decrypt-the-aurora-ransomware-with-auroradecrypter/}, language = {English}, urldate = {2019-12-17} } @online{abrams:20190115:djvu:a8b1d06, author = {Lawrence Abrams}, title = {{Djvu Ransomware Spreading New .TRO Variant Through Cracks & Adware Bundles}}, date = {2019-01-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/djvu-ransomware-spreading-new-tro-variant-through-cracks-and-adware-bundles/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20190117:blackrouter:2e83ebf, author = {Lawrence Abrams}, title = {{BlackRouter Ransomware Promoted as a RaaS by Iranian Developer}}, date = {2019-01-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/blackrouter-ransomware-promoted-as-a-raas-by-iranian-developer/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20190305:cryptomix:33e7eac, author = {Lawrence Abrams}, title = {{CryptoMix Clop Ransomware Says It's Targeting Networks, Not Computers}}, date = {2019-03-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/cryptomix-clop-ransomware-says-its-targeting-networks-not-computers/}, language = {English}, urldate = {2020-01-13} } @online{abrams:20190426:closer:ba13483, author = {Lawrence Abrams}, title = {{A Closer Look at the RobbinHood Ransomware}}, date = {2019-04-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/a-closer-look-at-the-robbinhood-ransomware/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20190601:gandcrab:cb581e3, author = {Lawrence Abrams}, title = {{GandCrab Ransomware Shutting Down After Claiming to Earn $2 Billion}}, date = {2019-06-01}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-shutting-down-after-claiming-to-earn-25-billion/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20190613:pylocky:15be611, author = {Lawrence Abrams}, title = {{pyLocky Decryptor Released by French Authorities}}, date = {2019-06-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/pylocky-decryptor-released-by-french-authorities/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20190719:elusive:153c1b0, author = {Lawrence Abrams}, title = {{Elusive MegaCortex Ransomware Found - Here is What We Know}}, date = {2019-07-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/elusive-megacortex-ransomware-found-here-is-what-we-know/}, language = {English}, urldate = {2020-01-15} } @online{abrams:20190906:lilocked:4042feb, author = {Lawrence Abrams}, title = {{Lilocked Ransomware Actively Targeting Servers and Web Sites}}, date = {2019-09-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/lilocked-ransomware-actively-targeting-servers-and-web-sites/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20190911:ryuk:8a18715, author = {Lawrence Abrams}, title = {{Ryuk Related Malware Steals Confidential Military, Financial Files}}, date = {2019-09-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-related-malware-steals-confidential-military-financial-files/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20190917:tflower:31c9072, author = {Lawrence Abrams}, title = {{TFlower Ransomware - The Latest Attack Targeting Businesses}}, date = {2019-09-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/tflower-ransomware-the-latest-attack-targeting-businesses/}, language = {English}, urldate = {2019-10-15} } @online{abrams:20191010:nemty:319e3b7, author = {Lawrence Abrams}, title = {{Nemty Ransomware Decryptor Released, Recover Files for Free}}, date = {2019-10-10}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/nemty-ransomware-decryptor-released-recover-files-for-free/}, language = {English}, urldate = {2020-01-09} } @online{abrams:20191025:new:f7feebd, author = {Lawrence Abrams}, title = {{New FuxSocy Ransomware Impersonates the Notorious Cerber}}, date = {2019-10-25}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-fuxsocy-ransomware-impersonates-the-notorious-cerber/}, language = {English}, urldate = {2020-01-13} } @online{abrams:20191105:new:14b4aaf, author = {Lawrence Abrams}, title = {{New Megacortex Ransomware Changes Windows Passwords, Threatens to Publish Data}}, date = {2019-11-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-megacortex-ransomware-changes-windows-passwords-threatens-to-publish-data/}, language = {English}, urldate = {2020-01-07} } @online{abrams:20191121:allied:a3d69d7, author = {Lawrence Abrams}, title = {{Allied Universal Breached by Maze Ransomware, Stolen Data Leaked}}, date = {2019-11-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/allied-universal-breached-by-maze-ransomware-stolen-data-leaked/}, language = {English}, urldate = {2020-01-08} } @online{abrams:20191202:facebook:5630b4e, author = {Lawrence Abrams}, title = {{Facebook Ads Manager Targeted by New Info-Stealing Trojan}}, date = {2019-12-02}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/facebook-ads-manager-targeted-by-new-info-stealing-trojan/}, language = {English}, urldate = {2020-02-26} } @online{abrams:20191211:maze:acb23da, author = {Lawrence Abrams}, title = {{Maze Ransomware Behind Pensacola Cyberattack, $1M Ransom Demand}}, date = {2019-12-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-behind-pensacola-cyberattack-1m-ransom-demand/}, language = {English}, urldate = {2020-01-09} } @online{abrams:20191212:another:77246f4, author = {Lawrence Abrams}, title = {{Another Ransomware Will Now Publish Victims' Data If Not Paid}}, date = {2019-12-12}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/another-ransomware-will-now-publish-victims-data-if-not-paid/}, language = {English}, urldate = {2020-01-05} } @online{abrams:20191215:ryuk:74f6eab, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Likely Behind New Orleans Cyberattack}}, date = {2019-12-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-likely-behind-new-orleans-cyberattack/}, language = {English}, urldate = {2020-01-13} } @online{abrams:20191223:fbi:7c11cf8, author = {Lawrence Abrams}, title = {{FBI Issues Alert For LockerGoga and MegaCortex Ransomware}}, date = {2019-12-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/}, language = {English}, urldate = {2020-01-08} } @online{abrams:20191224:maze:33a4e28, author = {Lawrence Abrams}, title = {{Maze Ransomware Releases Files Stolen from City of Pensacola}}, date = {2019-12-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-releases-files-stolen-from-city-of-pensacola/}, language = {English}, urldate = {2020-02-13} } @online{abrams:20191226:ryuk:acc2284, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Stops Encrypting Linux Folders}}, date = {2019-12-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-stops-encrypting-linux-folders/}, language = {English}, urldate = {2020-01-08} } @online{abrams:20200108:snake:aaf992f, author = {Lawrence Abrams}, title = {{SNAKE Ransomware Is the Next Threat Targeting Business Networks}}, date = {2020-01-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/snake-ransomware-is-the-next-threat-targeting-business-networks/}, language = {English}, urldate = {2020-01-12} } @online{abrams:20200109:sodinokibi:c0204cc, author = {Lawrence Abrams}, title = {{Sodinokibi Ransomware Says Travelex Will Pay, One Way or Another}}, date = {2020-01-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-says-travelex-will-pay-one-way-or-another/}, language = {English}, urldate = {2020-01-13} } @online{abrams:20200111:sodinokibi:8fe0ebe, author = {Lawrence Abrams}, title = {{Sodinokibi Ransomware Publishes Stolen Data for the First Time}}, date = {2020-01-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-publishes-stolen-data-for-the-first-time/}, language = {English}, urldate = {2020-01-20} } @online{abrams:20200114:ryuk:b2e47fa, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices}}, date = {2020-01-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/}, language = {English}, urldate = {2020-01-15} } @online{abrams:20200114:united:a309baa, author = {Lawrence Abrams}, title = {{United Nations Targeted With Emotet Malware Phishing Attack}}, date = {2020-01-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/united-nations-targeted-with-emotet-malware-phishing-attack/}, language = {English}, urldate = {2020-01-20} } @online{abrams:20200116:trickbot:ed6fdb3, author = {Lawrence Abrams}, title = {{TrickBot Now Uses a Windows 10 UAC Bypass to Evade Detection}}, date = {2020-01-16}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trickbot-now-uses-a-windows-10-uac-bypass-to-evade-detection/}, language = {English}, urldate = {2020-01-20} } @online{abrams:20200118:new:4ad3c25, author = {Lawrence Abrams}, title = {{New Jersey Synagogue Suffers Sodinokibi Ransomware Attack}}, date = {2020-01-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-jersey-synagogue-suffers-sodinokibi-ransomware-attack/}, language = {English}, urldate = {2020-01-22} } @online{abrams:20200121:bitpylock:ded9871, author = {Lawrence Abrams}, title = {{BitPyLock Ransomware Now Threatens to Publish Stolen Data}}, date = {2020-01-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/bitpylock-ransomware-now-threatens-to-publish-stolen-data/}, language = {English}, urldate = {2020-01-22} } @online{abrams:20200123:trickbot:5ca7827, author = {Lawrence Abrams}, title = {{TrickBot Now Steals Windows Active Directory Credentials}}, date = {2020-01-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trickbot-now-steals-windows-active-directory-credentials/}, language = {English}, urldate = {2020-01-27} } @online{abrams:20200124:new:05d5a6a, author = {Lawrence Abrams}, title = {{New Ryuk Info Stealer Targets Government and Military Secrets}}, date = {2020-01-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-ryuk-info-stealer-targets-government-and-military-secrets/}, language = {English}, urldate = {2020-02-03} } @online{abrams:20200128:ragnarok:713a314, author = {Lawrence Abrams}, title = {{Ragnarok Ransomware Targets Citrix ADC, Disables Windows Defender}}, date = {2020-01-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-targets-citrix-adc-disables-windows-defender/}, language = {English}, urldate = {2020-01-28} } @online{abrams:20200129:malware:920dc7e, author = {Lawrence Abrams}, title = {{Malware Tries to Trump Security Software With POTUS Impeachment}}, date = {2020-01-29}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/malware-tries-to-trump-security-software-with-potus-impeachment/}, language = {English}, urldate = {2020-02-03} } @online{abrams:20200130:trickbot:22db786, author = {Lawrence Abrams}, title = {{TrickBot Uses a New Windows 10 UAC Bypass to Launch Quietly}}, date = {2020-01-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly/}, language = {English}, urldate = {2020-02-03} } @online{abrams:20200205:mailto:3027008, author = {Lawrence Abrams}, title = {{Mailto (NetWalker) Ransomware Targets Enterprise Networks}}, date = {2020-02-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/mailto-netwalker-ransomware-targets-enterprise-networks/}, language = {English}, urldate = {2020-02-11} } @online{abrams:20200206:ransomware:8b6a606, author = {Lawrence Abrams}, title = {{Ransomware Exploits GIGABYTE Driver to Kill AV Processes}}, date = {2020-02-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-exploits-gigabyte-driver-to-kill-av-processes/}, language = {English}, urldate = {2020-02-13} } @online{abrams:20200213:parallax:9842604, author = {Lawrence Abrams}, title = {{Parallax RAT: Common Malware Payload After Hacker Forums Promotion}}, date = {2020-02-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/parallax-rat-common-malware-payload-after-hacker-forums-promotion/}, language = {English}, urldate = {2020-04-01} } @online{abrams:20200225:doppelpaymer:9ca20ab, author = {Lawrence Abrams}, title = {{DoppelPaymer Ransomware Launches Site to Post Victim's Data}}, date = {2020-02-25}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/}, language = {English}, urldate = {2020-02-26} } @online{abrams:20200226:sodinokibi:7d730ac, author = {Lawrence Abrams}, title = {{Sodinokibi Ransomware May Tip NASDAQ on Attacks to Hurt Stock Prices}}, date = {2020-02-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-may-tip-nasdaq-on-attacks-to-hurt-stock-prices/}, language = {English}, urldate = {2020-03-02} } @online{abrams:20200302:new:e4cb07c, author = {Lawrence Abrams}, title = {{New PwndLocker Ransomware Targeting U.S. Cities, Enterprises}}, date = {2020-03-02}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-pwndlocker-ransomware-targeting-us-cities-enterprises/}, language = {English}, urldate = {2020-03-02} } @online{abrams:20200303:ransomware:8be6fa7, author = {Lawrence Abrams}, title = {{Ransomware Attackers Use Your Cloud Backups Against You}}, date = {2020-03-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/}, language = {English}, urldate = {2020-03-04} } @online{abrams:20200304:ryuk:31f2ce0, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Attacked Epiq Global Via TrickBot Infection}}, date = {2020-03-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/}, language = {English}, urldate = {2020-03-09} } @online{abrams:20200305:pwndlocker:d9b200a, author = {Lawrence Abrams}, title = {{PwndLocker Ransomware Gets Pwned: Decryption Now Available}}, date = {2020-03-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/pwndlocker-ransomware-gets-pwned-decryption-now-available/}, language = {English}, urldate = {2020-03-05} } @online{abrams:20200307:ransomware:f839049, author = {Lawrence Abrams}, title = {{Ransomware Threatens to Reveal Company's 'Dirty' Secrets}}, date = {2020-03-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-threatens-to-reveal-companys-dirty-secrets/}, language = {English}, urldate = {2020-03-11} } @online{abrams:20200317:new:d6fa158, author = {Lawrence Abrams}, title = {{New Nefilim Ransomware Threatens to Release Victims' Data}}, date = {2020-03-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-nefilim-ransomware-threatens-to-release-victims-data/}, language = {English}, urldate = {2020-03-19} } @online{abrams:20200319:redline:5966456, author = {Lawrence Abrams}, title = {{RedLine Info-Stealing Malware Spread by Folding@home Phishing}}, date = {2020-03-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/redline-info-stealing-malware-spread-by-folding-home-phishing/}, language = {English}, urldate = {2020-03-22} } @online{abrams:20200321:netwalker:5d2936c, author = {Lawrence Abrams}, title = {{Netwalker Ransomware Infecting Users via Coronavirus Phishing}}, date = {2020-03-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/netwalker-ransomware-infecting-users-via-coronavirus-phishing/}, language = {English}, urldate = {2020-03-22} } @online{abrams:20200324:three:fb92d03, author = {Lawrence Abrams}, title = {{Three More Ransomware Families Create Sites to Leak Stolen Data}}, date = {2020-03-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/}, language = {English}, urldate = {2020-03-26} } @online{abrams:20200411:sodinokibi:82f9f79, author = {Lawrence Abrams}, title = {{Sodinokibi Ransomware to stop taking Bitcoin to hide money trail}}, date = {2020-04-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-to-stop-taking-bitcoin-to-hide-money-trail/}, language = {English}, urldate = {2020-04-26} } @online{abrams:20200418:it:bb2d626, author = {Lawrence Abrams}, title = {{IT services giant Cognizant suffers Maze Ransomware cyber attack}}, date = {2020-04-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/}, language = {English}, urldate = {2020-04-20} } @online{abrams:20200424:bazarbackdoor:86afc50, author = {Lawrence Abrams}, title = {{BazarBackdoor: TrickBot gang’s new stealthy network-hacking malware}}, date = {2020-04-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/}, language = {English}, urldate = {2020-05-02} } @online{abrams:20200608:new:c1f97ec, author = {Lawrence Abrams}, title = {{New Avaddon Ransomware launches in massive smiley spam campaign}}, date = {2020-06-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-avaddon-ransomware-launches-in-massive-smiley-spam-campaign/}, language = {English}, urldate = {2020-06-10} } @online{abrams:20200622:indiabulls:ce0fcdb, author = {Lawrence Abrams}, title = {{Indiabulls Group hit by CLOP Ransomware, gets 24h leak deadline}}, date = {2020-06-22}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/indiabulls-group-hit-by-clop-ransomware-gets-24h-leak-deadline/}, language = {English}, urldate = {2020-06-23} } @online{abrams:20200626:new:d6e2d17, author = {Lawrence Abrams}, title = {{New Ransom X Ransomware used in Texas TxDOT cyberattack}}, date = {2020-06-26}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/}, language = {English}, urldate = {2020-07-11} } @online{abrams:20200626:ransom:9e453cd, author = {Lawrence Abrams}, title = {{Ransom .exx notes}}, date = {2020-06-26}, organization = {Github (Bleeping)}, url = {https://github.com/Bleeping/Ransom.exx}, language = {English}, urldate = {2020-07-11} } @online{abrams:20200711:trickbot:7e70ad3, author = {Lawrence Abrams}, title = {{TrickBot malware mistakenly warns victims that they are infected}}, date = {2020-07-11}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/trickbot-malware-mistakenly-warns-victims-that-they-are-infected/}, language = {English}, urldate = {2020-07-15} } @online{abrams:20200713:new:a9e2a62, author = {Lawrence Abrams}, title = {{New AgeLocker Ransomware uses Googler's utility to encrypt files}}, date = {2020-07-13}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/new-agelocker-ransomware-uses-googlers-utility-to-encrypt-files/}, language = {English}, urldate = {2020-07-15} } @online{abrams:20200720:emotettrickbot:a8e84d2, author = {Lawrence Abrams}, title = {{Emotet-TrickBot malware duo is back infecting Windows machines}}, date = {2020-07-20}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/emotet-trickbot-malware-duo-is-back-infecting-windows-machines/}, language = {English}, urldate = {2020-07-21} } @online{abusech:20130118:feodo:5354db0, author = {abuse.ch}, title = {{Feodo Tracker}}, date = {2013-01-18}, organization = {abuse.ch}, url = {https://feodotracker.abuse.ch/?filter=version_e}, language = {English}, urldate = {2020-01-13} } @online{abusech:2018:feodo:3a9a017, author = {abuse.ch}, title = {{Feodo Tracker}}, date = {2018}, organization = {abuse.ch}, url = {https://feodotracker.abuse.ch/}, language = {English}, urldate = {2019-11-17} } @online{abuseio:20190504:abuseio:d5062ca, author = {Abuse.io}, title = {{Abuse.io Report - Lockergoga}}, date = {2019-05-04}, organization = {Abuse.io}, url = {https://www.abuse.io/lockergoga.txt}, language = {English}, urldate = {2020-01-07} } @online{acalvio:20180613:lateral:ab17115, author = {Team Acalvio}, title = {{Lateral Movement Technique Employed by Hidden Cobra}}, date = {2018-06-13}, organization = {Acalvio}, url = {https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/}, language = {English}, urldate = {2020-01-13} } @online{accenture:2018:hogfish:4bd6290, author = {Accenture}, title = {{HOGFISH REDLEAVES CAMPAIGN}}, date = {2018}, organization = {Accenture}, url = {http://blog.alyac.co.kr/1853}, language = {English}, urldate = {2020-01-06} } @online{ackerman:20181221:overruled:74ac7b4, author = {Geoff Ackerman and Rick Cole and Andrew Thompson and Alex Orleans and Nick Carr}, title = {{OVERRULED: Containing a Potentially Destructive Adversary}}, date = {2018-12-21}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html}, language = {English}, urldate = {2019-12-20} } @online{ackerman:20190821:taking:3b8daac, author = {Pascal Ackerman}, title = {{Taking a Closer Look at the LookBack Malware Campaign – Part 1}}, date = {2019-08-21}, organization = {Threatgen}, url = {https://threatgen.com/taking-a-closer-look-at-the-lookback-malware-campaign-part-1/}, language = {English}, urldate = {2020-01-13} } @online{acsc:20200523:summary:32bbf2b, author = {Australian Cyber Security Centre (ACSC)}, title = {{Summary of Tradecraft Trends for 2019-20: Tactics, Techniques and Procedures Used to Target Australian Networks}}, date = {2020-05-23}, organization = {Australian Cyber Security Centre}, url = {https://www.cyber.gov.au/threats/summary-of-tradecraft-trends-for-2019-20-tactics-techniques-and-procedures-used-to-target-australian-networks}, language = {English}, urldate = {2020-05-23} } @techreport{acsc:20200618:advisory:ed0f53c, author = {Australian Cyber Security Centre (ACSC)}, title = {{Advisory 2020-008: Copy-Paste Compromises –tactics, techniques and procedures used to target multiple Australian networks}}, date = {2020-06-18}, institution = {Australian Cyber Security Centre}, url = {https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf}, language = {English}, urldate = {2020-06-19} } @online{action09:20181116:c0ld:89e6c06, author = {Action09}, title = {{(C)0ld Case : From Aerospace to China’s interests.}}, date = {2018-11-16}, organization = {CyberThreatIntelligence Blog}, url = {https://cyberthreatintelligenceblog.wordpress.com/2018/11/16/c0ld-case-from-aerospace-to-chinas-interests/}, language = {English}, urldate = {2020-01-07} } @online{actiondan:20180219:intro:0d978b0, author = {ActionDan}, title = {{Intro to Using GScript for Red Teams}}, date = {2018-02-19}, url = {http://lockboxx.blogspot.com/2018/02/intro-to-using-gscript-for-red-teams.html}, language = {English}, urldate = {2019-12-20} } @online{adair:20161109:powerduke:335bceb, author = {Steven Adair}, title = {{PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs}}, date = {2016-11-09}, organization = {Volexity}, url = {https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/}, language = {English}, urldate = {2019-12-24} } @online{adamitis:20181105:persian:5adf8c2, author = {Danny Adamitis and Warren Mercer and Paul Rascagnères and Vitor Ventura and Eric Kuhla}, title = {{Persian Stalker pillages Iranian users of Instagram and Telegram}}, date = {2018-11-05}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2018/11/persian-stalker.html}, language = {English}, urldate = {2019-11-27} } @online{adamitis:20190417:dns:0146532, author = {Danny Adamitis and David Maynor and Warren Mercer and Matthew Olney and Paul Rascagnères}, title = {{DNS Hijacking Abuses Trust In Core Internet Service}}, date = {2019-04-17}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/04/seaturtle.html}, language = {English}, urldate = {2020-01-09} } @online{adamitis:20190520:recent:4bb543f, author = {Danny Adamitis and David Maynor and Kendall McKay}, title = {{Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques}}, date = {2019-05-20}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html}, language = {English}, urldate = {2020-01-07} } @online{adamitis:20190709:sea:62515b8, author = {Danny Adamitis and Paul Rascagnères}, title = {{Sea Turtle Keeps on Swimming}}, date = {2019-07-09}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2019/07/sea-turtle-keeps-on-swimming.html}, language = {English}, urldate = {2020-06-08} } @online{adamitis:20190911:autumn:8bec4cb, author = {Danny Adamitis and Elizabeth Wharton}, title = {{Autumn Aperture}}, date = {2019-09-11}, organization = {Prevailion}, url = {https://blog.prevailion.com/2019/09/autumn-aperture-report.html}, language = {English}, urldate = {2020-06-08} } @online{adamitis:20200107:summer:637a53f, author = {Danny Adamitis}, title = {{Summer Mirage}}, date = {2020-01-07}, organization = {Prevailion}, url = {https://blog.prevailion.com/2020/01/summer-mirage.html}, language = {English}, urldate = {2020-01-12} } @online{adamitis:20200206:triune:ada8ad3, author = {Danny Adamitis}, title = {{The Triune Threat: MasterMana Returns}}, date = {2020-02-06}, organization = {Prevailion}, url = {https://blog.prevailion.com/2020/02/the-triune-threat-mastermana-returns.html}, language = {English}, urldate = {2020-04-13} } @online{adamitis:20200506:phantom:2a752f7, author = {Danny Adamitis}, title = {{Phantom in the Command Shell}}, date = {2020-05-06}, organization = {Prevailion}, url = {https://blog.prevailion.com/2020/05/phantom-in-command-shell5.html}, language = {English}, urldate = {2020-05-07} } @online{adamitis:20200605:gh0st:849c227, author = {Danny Adamitis}, title = {{The Gh0st Remains the Same}}, date = {2020-06-05}, organization = {Prevailion}, url = {https://blog.prevailion.com/2020/06/the-gh0st-remains-same8.html}, language = {English}, urldate = {2020-06-08} } @online{adamov:20170502:targeted:31454f7, author = {Alexander Adamov}, title = {{Targeted attack against the Ukrainian military}}, date = {2017-05-02}, url = {https://nioguard.blogspot.de/2017/05/targeted-attack-against-ukrainian.html}, language = {English}, urldate = {2019-12-17} } @techreport{adams:20161207:trickbot:fc3427c, author = {Joshua Adams}, title = {{The TrickBot Evolution}}, date = {2016-12-07}, institution = {Botconf}, url = {https://www.botconf.eu/wp-content/uploads/2016/11/2016-LT09-TrickBot-Adams.pdf}, language = {English}, urldate = {2020-01-09} } @online{admin001:20191120:shadow:49b26ff, author = {admin001}, title = {{Shadow of the Circle Hovering Over Central Asia - The Golden Eagle (APT-C-34) Organizing Attack Revealed}}, date = {2019-11-20}, organization = {360}, url = {http://blogs.360.cn/post/APT-C-34_Golden_Falcon.html}, language = {English}, urldate = {2020-01-10} } @techreport{advisory:20200528:sandworm:d509ae5, author = {Cybersecurity Advisory}, title = {{Sandworm Actors Exploiting Vulnerability in EXIM Mail Transfer Agent}}, date = {2020-05-28}, institution = {National Security Agency}, url = {https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf}, language = {English}, urldate = {2020-05-29} } @online{affairs:20140202:us:872a22b, author = {Office of Public Affairs}, title = {{U.S. Leads Multi-National Action Against “Gameover Zeus” Botnet and “Cryptolocker” Ransomware, Charges Botnet Administrator}}, date = {2014-02-02}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware}, language = {English}, urldate = {2020-01-08} } @online{affairs:20170328:russian:e9c593c, author = {Office of Public Affairs}, title = {{Russian Citizen Pleads Guilty for Involvement in Global Botnet Conspiracy}}, date = {2017-03-28}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/russian-citizen-pleads-guilty-involvement-global-botnet-conspiracy}, language = {English}, urldate = {2020-01-07} } @online{affairs:20180523:justice:806d785, author = {Office of Public Affairs}, title = {{Justice Department Announces Actions to Disrupt Advanced Persistent Threat 28 Botnet of Infected Routers and Network Storage Devices}}, date = {2018-05-23}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected}, language = {English}, urldate = {2020-01-06} } @online{affairs:20180906:north:9b30dd0, author = {Office of Public Affairs}, title = {{North Korean Regime-Backed Programmer Charged With Conspiracy to Conduct Multiple Cyber Attacks and Intrusions}}, date = {2018-09-06}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and}, language = {English}, urldate = {2020-01-07} } @online{affairs:20181128:two:9032b25, author = {Office of Public Affairs}, title = {{Two Iranian Men Indicted for Deploying Ransomware to Extort Hospitals, Municipalities, and Public Institutions, Causing Over $30 Million in Losses}}, date = {2018-11-28}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/two-iranian-men-indicted-deploying-ransomware-extort-hospitals-municipalities-and-public}, language = {English}, urldate = {2020-01-08} } @online{affairs:20190213:former:3518c47, author = {Office of Public Affairs}, title = {{Former U.S. Counterintelligence Agent Charged With Espionage on Behalf of Iran; Four Iranians Charged With a Cyber Campaign Targeting Her Former Colleagues}}, date = {2019-02-13}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/former-us-counterintelligence-agent-charged-espionage-behalf-iran-four-iranians-charged-cyber}, language = {English}, urldate = {2019-10-14} } @online{affairs:20190411:two:8ce139a, author = {Office of Public Affairs}, title = {{Two Romanian Cybercriminals Convicted of All 21 Counts Relating to Infecting Over 400,000 Victim Computers with Malware and Stealing Millions of Dollars}}, date = {2019-04-11}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/two-romanian-cybercriminals-convicted-all-21-counts-relating-infecting-over-400000-victim}, language = {English}, urldate = {2019-10-13} } @online{affairs:20190516:goznym:714f938, author = {Office of Public Affairs}, title = {{GozNym Cyber-Criminal Network Operating out of Europe Targeting American Entities Dismantled in International Operation}}, date = {2019-05-16}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/goznym-cyber-criminal-network-operating-out-europe-targeting-american-entities-dismantled}, language = {English}, urldate = {2020-01-08} } @online{agency:20191025:qsnatch:9631c95, author = {Finnish Transport & Communications Agency}, title = {{QSnatch - Malware designed for QNAP NAS devices}}, date = {2019-10-25}, organization = {Finnish Transport & Communications Agency}, url = {https://www.kyberturvallisuuskeskus.fi/en/news/qsnatch-malware-designed-qnap-nas-devices}, language = {English}, urldate = {2020-01-10} } @techreport{agency:20200813:russian:c0ae2d5, author = {National Security Agency and Federal Bureau of Investigation}, title = {{Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware}}, date = {2020-08-13}, institution = {National Security Agency}, url = {https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF}, language = {English}, urldate = {2020-08-14} } @online{ahl:20130807:breaking:aff06e9, author = {Ian Ahl and Tony Lee and Dennis Hanzlik}, title = {{Breaking Down the China Chopper Web Shell - Part I}}, date = {2013-08-07}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html}, language = {English}, urldate = {2019-12-20} } @online{ahl:20170606:privileges:9598d5f, author = {Ian Ahl}, title = {{Privileges and Credentials: Phished at the Request of Counsel}}, date = {2017-06-06}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html}, language = {English}, urldate = {2019-12-20} } @online{ahn:20190304:kimsuky:e84d908, author = {Chang-Yong Ahn}, title = {{Kimsuky}}, date = {2019-03-04}, organization = {AhnLab}, url = {https://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?menu_dist=2&curPage=1&seq=28102}, language = {Korean}, urldate = {2019-10-23} } @online{ahnlab:20180330:magniber:5d13799, author = {AhnLab}, title = {{Magniber}}, date = {2018-03-30}, organization = {AhnLab}, url = {http://asec.ahnlab.com/1124}, language = {English}, urldate = {2019-07-09} } @techreport{ahnlab:20180623:full:dced6a4, author = {AhnLab}, title = {{Full Discloser of Andariel, A Subgroup of Lazarus Threat Group}}, date = {2018-06-23}, institution = {AhnLab}, url = {https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]Andariel_a_Subgroup_of_Lazarus%20(3).pdf}, language = {English}, urldate = {2019-12-24} } @techreport{ahnlab:20180625:asec:dcc35cb, author = {AhnLab}, title = {{ASEC Report vol. 91 (2018)}}, date = {2018-06-25}, institution = {AhnLab}, url = {http://image.ahnlab.com/file_upload/asecissue_files/ASEC%20REPORT_vol.91.pdf}, language = {Korean}, urldate = {2020-01-10} } @techreport{ahnlab:20190221:operation:3e3c720, author = {AhnLab}, title = {{Operation Kabar Cobra}}, date = {2019-02-21}, institution = {AhnLab}, url = {http://download.ahnlab.com/kr/site/library/%5bAnalysis_Report%5dOperation_Kabar_Cobra.pdf}, language = {Korean}, urldate = {2019-12-02} } @techreport{ahnlab:20200302:analysis:c0c47c3, author = {AhnLab}, title = {{Analysis Report: MyKings Botnet}}, date = {2020-03-02}, institution = {AhnLab}, url = {http://download.ahnlab.com/kr/site/library/[AhnLab]Analysis%20Report_MyKings%20Botnet.pdf}, language = {Korean}, urldate = {2020-03-04} } @online{ahnlab:20200406:shadow:450342b, author = {AhnLab}, title = {{Shadow Force behind normal certificate reveals seven years}}, date = {2020-04-06}, organization = {AhnLab}, url = {https://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?curPage=1&menu_dist=2&seq=29129}, language = {Korean}, urldate = {2020-05-18} } @online{aime:20200323:fin7:66bea6f, author = {Félix Aime and Yury Namestnikov}, title = {{Fin7 APT: how billion dollar crime ring remains active after leaders’ arrest}}, date = {2020-03-23}, organization = {Kaspersky Labs}, url = {https://www.brighttalk.com/webcast/15591/382191/fin7-apt-how-billion-dollar-crime-ring-remains-active-after-leaders-arrest}, language = {English}, urldate = {2020-04-07} } @online{ajjan:20130305:russian:4bb6a48, author = {Anand Ajjan}, title = {{Russian ransomware takes advantage of Windows PowerShell}}, date = {2013-03-05}, organization = {Sophos Naked Security}, url = {https://nakedsecurity.sophos.com/2013/03/05/russian-ransomware-windows-powershell/}, language = {English}, urldate = {2020-01-27} } @techreport{akamai:20160404:threat:14239df, author = {Akamai}, title = {{Threat Advisory: “BillGates” Botnet}}, date = {2016-04-04}, institution = {Akamai}, url = {https://www.akamai.com/kr/ko/multimedia/documents/state-of-the-internet/bill-gates-botnet-threat-advisory.pdf}, language = {English}, urldate = {2020-01-07} } @techreport{akamai:20161001:kaitenstd:40de1e6, author = {Akamai}, title = {{Kaiten/STD router DDoS Malware}}, date = {2016-10-01}, institution = {Akamai}, url = {https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/kaiten-std-router-ddos-malware-threat-advisory.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{akamei:20171016:upnproxy:044596d, author = {Akamei}, title = {{UPnProxy: Blackhat Proxies via NAT Injections}}, date = {2017-10-16}, institution = {Akamai}, url = {https://www.akamai.com/uk/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf}, language = {English}, urldate = {2019-12-10} } @online{albassam:20160816:equation:e185e6b, author = {Mustafa Al-Bassam}, title = {{Equation Group firewall operations catalogue}}, date = {2016-08-16}, url = {https://musalbas.com/blog/2016/08/16/equation-group-firewall-operations-catalogue.html}, language = {English}, urldate = {2019-11-20} } @online{albors:20151216:nemucod:b1c1305, author = {Josep Albors}, title = {{Nemucod malware spreads ransomware Teslacrypt around the world}}, date = {2015-12-16}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2015/12/16/nemucod-malware-spreads-ransomware-teslacrypt-around-world/}, language = {English}, urldate = {2019-11-14} } @online{alert:20191203:threat:f7b8cb6, author = {Red Alert}, title = {{THREAT ACTOR TARGETING HONG KONG PRO-DEMOCRACY FIGURES}}, date = {2019-12-03}, organization = {NSHC}, url = {https://redalert.nshc.net/2019/12/03/threat-actor-targeting-hong-kong-activists}, language = {English}, urldate = {2020-06-03} } @techreport{alert:201912:cybercrime:b12d39c, author = {Visa Security Alert}, title = {{Cybercrime Groups (FIN8) Targeting Fuel Dispenser Merchants}}, date = {2019-12}, institution = {VISA}, url = {https://usa.visa.com/dam/VCOM/global/support-legal/documents/cybercrime-groups-targeting-fuel-dispenser-merchants.pdf}, language = {English}, urldate = {2020-07-23} } @online{alexuiop1337:20190731:github:215c261, author = {Alexuiop1337}, title = {{Github Repository for SoranoStealer}}, date = {2019-07-31}, organization = {Github (Alexuiop1337)}, url = {https://github.com/Alexuiop1337/SoranoStealer}, language = {English}, urldate = {2020-01-06} } @online{algayar:20171224:lilyofthevalley:40d90c1, author = {Mustapha Algayar}, title = {{LilyOfTheValley Repository}}, date = {2017-12-24}, organization = {Github (LilyOfTheValley)}, url = {https://github.com/En14c/LilyOfTheValley}, language = {English}, urldate = {2020-01-10} } @online{alguacil:201911:vb2019:a565e76, author = {Alexandre Mundo Alguacil and John Fokker}, title = {{VB2019 paper: Different ways to cook a crab: GandCrab ransomware-as-a-service (RaaS) analysed in depth}}, date = {2019-11}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2019/11/vb2019-paper-different-ways-cook-crab-gandcrab-ransomware-service-raas-analysed-indepth/}, language = {English}, urldate = {2020-01-08} } @online{alienvault:20190801:hexane:3d63fd0, author = {AlienVault}, title = {{Hexane Targeting Oil and Gas}}, date = {2019-08-01}, organization = {AlienVault OTX}, url = {https://otx.alienvault.com/pulse/5d4301edb3f3406ac01acc0f}, language = {English}, urldate = {2019-11-28} } @online{alintanahin:20140702:kivars:4fe6877, author = {Kervin Alintanahin and Ronnie Giagone}, title = {{KIVARS With Venom: Targeted Attacks Upgrade with 64-bit “Support”}}, date = {2014-07-02}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/}, language = {English}, urldate = {2020-06-19} } @techreport{alintanahin:20150513:operation:a90911a, author = {Kervin Alintanahin}, title = {{Operation Tropic Trooper}}, date = {2015-05-13}, institution = {Trend Micro}, url = {http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf}, language = {English}, urldate = {2020-01-06} } @online{allievi:20141028:threat:a302fbd, author = {Andrea Allievi and Douglas Goddard and Shaun Hurley and Alain Zidouemba}, title = {{Threat Spotlight: Group 72, Opening the ZxShell}}, date = {2014-10-28}, organization = {Cisco}, url = {https://blogs.cisco.com/security/talos/opening-zxshell}, language = {English}, urldate = {2019-10-15} } @online{allievi:20150320:threat:2f200b6, author = {Andrea Allievi and Ben Baker and Nick Biasini and JJ Cummings and Douglas Goddard and William Largent and Angel Villegas and Alain Zidouemba}, title = {{Threat Spotlight: PoSeidon, A Deep Dive Into Point of Sale Malware}}, date = {2015-03-20}, organization = {Cisco Talos}, url = {https://blogs.cisco.com/security/talos/poseidon}, language = {English}, urldate = {2020-01-13} } @online{allievi:20150427:threat:3754b13, author = {Andrea Allievi and Earl Carter and Emmanuel Tacheau}, title = {{Threat Spotlight: TeslaCrypt – Decrypt It Yourself}}, date = {2015-04-27}, organization = {Cisco Talos}, url = {https://blogs.cisco.com/security/talos/teslacrypt}, language = {English}, urldate = {2019-10-15} } @online{alonso:20170224:hunting:073d36e, author = {Angel Alonso}, title = {{Hunting Retefe with Splunk - some interesting points}}, date = {2017-02-24}, organization = {Some stuff about security.. Blog}, url = {http://blog.angelalonso.es/2017/02/hunting-retefe-with-splunk-some24.html}, language = {English}, urldate = {2020-01-06} } @online{alonsoparrizas:20151028:reversing:92cdf4f, author = {Angel Alonso-Parrizas}, title = {{Reversing the C2C HTTP Emmental communication}}, date = {2015-10-28}, url = {http://blog.angelalonso.es/2015/10/reversing-c2c-http-emmental.html}, language = {English}, urldate = {2019-12-05} } @online{alonsoparrizas:20151103:reversing:762708a, author = {Angel Alonso-Parrizas}, title = {{Reversing the SMS C&C protocol of Emmental (1st part - understanding the code)}}, date = {2015-11-03}, url = {http://blog.angelalonso.es/2015/11/reversing-sms-c-protocol-of-emmental.html}, language = {English}, urldate = {2019-10-14} } @techreport{alperovitch:20140224:art:df5650c, author = {Dmitri Alperovitch}, title = {{The Art of Attribution Identifying and Pursuing your Cyber Adversaries}}, date = {2014-02-24}, institution = {RSA Conference}, url = {https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf}, language = {English}, urldate = {2020-04-06} } @online{alperovitch:20140707:deep:63e59f7, author = {Dmitri Alperovitch}, title = {{Deep in Thought: Chinese Targeting of National Security Think Tanks}}, date = {2014-07-07}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/deep-thought-chinese-targeting-national-security-think-tanks/}, language = {English}, urldate = {2019-12-20} } @online{alperovitch:20141014:crowdstrike:9be6684, author = {Dmitri Alperovitch}, title = {{CrowdStrike Discovers Use of 64-bit Zero-Day Privilege Escalation Exploit (CVE-2014-4113) by Hurricane Panda}}, date = {2014-10-14}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/}, language = {English}, urldate = {2020-06-03} } @online{alperovitch:20150413:cyber:93796f8, author = {Dmitri Alperovitch}, title = {{Cyber Deterrence in Action? A story of one long HURRICANE PANDA campaign}}, date = {2015-04-13}, organization = {CrowdStrike}, url = {http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/}, language = {English}, urldate = {2019-12-20} } @online{alperovitch:20150413:cyber:9cee61c, author = {Dmitri Alperovitch}, title = {{Cyber Deterrence in Action? A story of one long HURRICANE PANDA campaign}}, date = {2015-04-13}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/}, language = {English}, urldate = {2020-06-03} } @online{alperovitch:20160615:bears:604c1d9, author = {Dmitri Alperovitch}, title = {{Bears in the Midst: Intrusion into the Democratic National Committee}}, date = {2016-06-15}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/}, language = {English}, urldate = {2019-12-20} } @online{alvares:20200622:comparative:270905b, author = {Marcos Alvares}, title = {{Comparative analysis between Bindiff and Diaphora - Patched Smokeloader Study Case}}, date = {2020-06-22}, organization = {security.neurolabs}, url = {http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html}, language = {English}, urldate = {2020-06-24} } @online{alvarez:20121203:compromised:1e6dcb7, author = {Raul Alvarez}, title = {{Compromised library}}, date = {2012-12-03}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2012/12/compromised-library}, language = {English}, urldate = {2019-12-17} } @online{alvarez:20140718:birds:9f9e509, author = {Raul Alvarez}, title = {{Bird's nest}}, date = {2014-07-18}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2014/08/bird-s-nest}, language = {English}, urldate = {2019-11-28} } @online{alyac:20190131:lazarus:bbb47f8, author = {Alyac}, title = {{Lazarus APT Organization Attacks with Operation Extreme Job}}, date = {2019-01-31}, organization = {ESTsecurity}, url = {https://blog.alyac.co.kr/2105}, language = {Korean}, urldate = {2019-10-21} } @online{alyac:20190327:lazarus:2172304, author = {Alyac}, title = {{라자루스(Lazarus) 그룹, 이스라엘 군수업체 대상 APT 역습}}, date = {2019-03-27}, url = {https://blog.alyac.co.kr/m/2219}, language = {Korean}, urldate = {2020-07-15} } @online{alyac:20190327:lazarus:df092d7, author = {Alyac}, title = {{Lazarus Group APT Counterattack Against Israeli Military}}, date = {2019-03-27}, organization = {ESTsecurity}, url = {https://blog.alyac.co.kr/2219}, language = {Korean}, urldate = {2020-06-29} } @online{alyac:20190610:special:f4e2a26, author = {Alyac}, title = {{[Special Report] APT Campaign 'Konni' & 'Kimsuky' Organizations Found in Common}}, date = {2019-06-10}, organization = {ESTsecurity}, url = {https://blog.alyac.co.kr/2347}, language = {Korean}, urldate = {2020-03-17} } @online{alyac:20190627:lazarus:9afc51d, author = {Alyac}, title = {{Lazarus APT Group attacks with a malicious '진실겜.xls' via the Telegram messenger}}, date = {2019-06-27}, organization = {ESTsecurity}, url = {https://blog.alyac.co.kr/2388}, language = {Korean}, urldate = {2020-03-17} } @techreport{alyac:20200330:spy:e23215b, author = {Alyac}, title = {{The 'Spy Cloud' Operation: Geumseong121 group carries out the APT attack disguising the evidence of North Korean defection}}, date = {2020-03-30}, institution = {EST Security}, url = {https://blog.alyac.co.kr/attachment/cfile8.uf@9977CF405E81A09B1C4CE2.pdf}, language = {English}, urldate = {2020-04-07} } @online{alyac:20200725:special:ca84b90, author = {Alyac}, title = {{[Special Report] Thallium Group sued by Microsoft in the US, threatens 'Fake Striker' APT campaign against South Korea}}, date = {2020-07-25}, organization = {ESTsecurity}, url = {https://blog.alyac.co.kr/3120}, language = {Korean}, urldate = {2020-07-30} } @online{alyushin:20150914:shade:3558938, author = {Victor Alyushin and Fedor Sinitsyn}, title = {{The Shade Encryptor: a Double Threat}}, date = {2015-09-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-shade-encryptor-a-double-threat/72087/}, language = {English}, urldate = {2019-12-20} } @online{amawaka:20200310:apt40:2199052, author = {Asuna Amawaka}, title = {{APT40 goes from Template Injections to OLE-Linkings for payload delivery}}, date = {2020-03-10}, organization = {insomniacs(Medium)}, url = {https://medium.com/insomniacs/apt40-goes-from-template-injections-to-ole-linkings-for-payload-delivery-99eb43170a97}, language = {English}, urldate = {2020-04-16} } @online{amawaka:20200315:dad:5cad035, author = {Asuna Amawaka}, title = {{Dad! There’s A Rat In Here!}}, date = {2020-03-15}, organization = {insomniacs(Medium)}, url = {https://medium.com/insomniacs/dad-theres-a-rat-in-here-e3729b65bf7a}, language = {English}, urldate = {2020-04-16} } @online{amawaka:20200506:shadows:889fc47, author = {Asuna Amawaka}, title = {{Shadows with a chance of BlackNix}}, date = {2020-05-06}, organization = {Medium Asuna Amawaka}, url = {https://medium.com/insomniacs/shadows-with-a-chance-of-blacknix-badc0f2f41cb}, language = {English}, urldate = {2020-06-12} } @online{amr:20190410:project:460b6e5, author = {AMR and GReAT}, title = {{Project TajMahal – a sophisticated new APT framework}}, date = {2019-04-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/project-tajmahal/90240/}, language = {English}, urldate = {2019-12-20} } @online{amr:20190925:ransomware:ec80bad, author = {AMR}, title = {{Ransomware: two pieces of good news}}, date = {2019-09-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/ransomware-two-pieces-of-good-news/93355/}, language = {English}, urldate = {2020-01-08} } @online{amr:20191101:chrome:4c689f4, author = {AMR and GReAT}, title = {{Chrome 0-day exploit CVE-2019-13720 used in Operation WizardOpium}}, date = {2019-11-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/}, language = {English}, urldate = {2020-01-08} } @online{amr:20191210:windows:1a5c25d, author = {AMR and GReAT}, title = {{Windows 0-day exploit CVE-2019-1458 used in Operation WizardOpium}}, date = {2019-12-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432}, language = {English}, urldate = {2020-05-05} } @online{amr:20200305:mokes:698295f, author = {AMR}, title = {{Mokes and Buerak distributed under the guise of security certificates}}, date = {2020-03-05}, organization = {Kaspersky Labs}, url = {https://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/}, language = {English}, urldate = {2020-03-09} } @online{analysis:20170314:rig:56f3334, author = {Broad Analysis}, title = {{Rig Exploit Kit via the EiTest delivers CryptoShield/REVENGE ransomware}}, date = {2017-03-14}, organization = {Broad Analysis}, url = {http://www.broadanalysis.com/2017/03/14/rig-exploit-kit-via-the-eitest-delivers-cryptoshieldrevenge-ransomware/}, language = {English}, urldate = {2020-01-07} } @online{analysis:20190412:rig:0230572, author = {Analysis}, title = {{Rig Exploit Kit delivers Bunitu Malware}}, date = {2019-04-12}, organization = {BroadAnalysis}, url = {https://broadanalysis.com/2019/04/12/rig-exploit-kit-delivers-bunitu-malware/}, language = {English}, urldate = {2020-01-10} } @online{anand:20200521:blox:14090c1, author = {Chetan Anand}, title = {{Blox Tales #6: Subpoena-Themed Phishing With CAPTCHA Redirect}}, date = {2020-05-21}, organization = {Armorblox}, url = {https://www.armorblox.com/blog/blox-tales-6-subpoena-themed-phishing-with-captcha-redirect/}, language = {English}, urldate = {2020-05-23} } @online{anbalagan:20200605:new:9f3abf8, author = {Gayathri Anbalagan}, title = {{New Campaign Abusing StackBlitz Tool to Host Phishing Pages}}, date = {2020-06-05}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/new-campaign-abusing-stackblitz-tool-host-phishing-pages}, language = {English}, urldate = {2020-08-05} } @online{ancel:20150930:when:ed6915f, author = {Benoît Ancel}, title = {{When ELF.BillGates met Windows}}, date = {2015-09-30}, organization = {ThisIsSecurity}, url = {https://thisissecurity.stormshield.com/2015/09/30/when-elf-billgates-met-windows/}, language = {English}, urldate = {2020-01-13} } @online{ancel:20161020:nexter91:909eaee, author = {Benoît Ancel}, title = {{Tweet on nexter91 Panel}}, date = {2016-10-20}, organization = {Twitter (@benkow_)}, url = {https://twitter.com/benkow_/status/789006720668405760}, language = {English}, urldate = {2020-01-07} } @online{ancel:20170227:spambot:b40e584, author = {Benoît Ancel}, title = {{Spambot safari #2 - Online Mail System}}, date = {2017-02-27}, organization = {Benkow Lab}, url = {https://benkowlab.blogspot.fr/2017/02/spambot-safari-2-online-mail-system.html}, language = {English}, urldate = {2020-01-09} } @online{ancel:20170816:quick:e3a37c1, author = {Benoît Ancel}, title = {{Quick look at another Alina fork: XBOT-POS}}, date = {2017-08-16}, organization = {Benkow Lab}, url = {https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html}, language = {English}, urldate = {2020-01-10} } @online{ancel:20170829:from:7ef6dac, author = {Benoît Ancel}, title = {{From Onliner Spambot to millions of email's lists and credentials}}, date = {2017-08-29}, organization = {Benkow Lab}, url = {https://benkowlab.blogspot.com/2017/08/from-onliner-spambot-to-millions-of.html}, language = {English}, urldate = {2020-01-06} } @online{ancel:20190607:zeusaction:5977152, author = {Benoît Ancel}, title = {{Tweet on ZeusAction hashes}}, date = {2019-06-07}, organization = {Twitter (@benkow_)}, url = {https://twitter.com/benkow_/status/1136983062699487232}, language = {English}, urldate = {2020-01-06} } @techreport{ancel:2019:dreambot:e29023e, author = {Benoît Ancel and Peter Kruse}, title = {{Dreambot Business overview 2019}}, date = {2019}, institution = {CSIS}, url = {http://benkow.cc/DreambotSAS19.pdf}, language = {English}, urldate = {2019-12-10} } @online{ancel:20200207:installcapital:23b3760, author = {Benoît Ancel}, title = {{InstallCapital — When AdWare Becomes Pay-per-Install Cyber-Crime}}, date = {2020-02-07}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/installcapital-when-adware-becomes-pay-per-install-cyber-crime-15516249a451}, language = {English}, urldate = {2020-02-09} } @online{ancel:20200501:end:939414e, author = {Benoît Ancel}, title = {{The end of Dreambot? Obituary for a loved piece of Gozi.}}, date = {2020-05-01}, organization = {CSIS}, url = {https://medium.com/csis-techblog/the-end-of-dreambot-a-loved-piece-of-gozi-24cc9bfc8122}, language = {English}, urldate = {2020-05-05} } @online{anderson:20170612:bahamut:9810646, author = {Collin Anderson}, title = {{Bahamut, Pursuing a Cyber Espionage Actor in the Middle East}}, date = {2017-06-12}, organization = {Bellingcat}, url = {https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/}, language = {English}, urldate = {2020-01-13} } @online{anderson:20171027:bahamut:e17abf8, author = {Collin Anderson}, title = {{Bahamut Revisited, More Cyber Espionage in the Middle East and South Asia}}, date = {2017-10-27}, organization = {Bellingcat}, url = {https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/}, language = {English}, urldate = {2020-01-06} } @online{anderson:20180104:irans:dcad15c, author = {Collin Anderson and Karim Sadjapour}, title = {{Iran’s Cyber Ecosystem: Who Are the Threat Actors?}}, date = {2018-01-04}, organization = {Carnegie Endowment for International Peace}, url = {https://carnegieendowment.org/2018/01/04/iran-s-cyber-ecosystem-who-are-threat-actors-pub-75140}, language = {English}, urldate = {2020-04-25} } @online{anderson:20180703:iranian:8f4a4d5, author = {Collin Anderson}, title = {{Tweet on Iranian Malware}}, date = {2018-07-03}, organization = {Twitter (@CDA)}, url = {https://twitter.com/CDA/status/1014144988454772736}, language = {English}, urldate = {2020-01-07} } @online{andonov:20151207:thriving:196c5eb, author = {Dimiter Andonov and William Ballenthin and Nalani Fraser and Will Matson and Jay Taylor}, title = {{Thriving Beyond The Operating System: Financial Threat Group Targets Volume Boot Record}}, date = {2015-12-07}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html}, language = {English}, urldate = {2020-04-21} } @online{andrewjess:20191213:python:8af049c, author = {@AndrewJess}, title = {{Стиллер паролей на python с отправкой на почту}}, date = {2019-12-13}, url = {https://habr.com/en/sandbox/135410/}, language = {Russian}, urldate = {2020-03-04} } @techreport{andriesse:201310:highly:bc65090, author = {Dennis Andriesse and Christian Rossow and Brett Stone-Gross and Daniel Plohmann and Herbert Bos}, title = {{Highly Resilient Peer-to-Peer Botnets Are Here: An Analysis of Gameover Zeus}}, date = {2013-10}, institution = {MALWARE Conference}, url = {http://www.syssec-project.eu/m/page-media/3/zeus_malware13.pdf}, language = {English}, urldate = {2020-01-08} } @online{ang:20180426:necurs:83d08fc, author = {Miguel Ang}, title = {{Necurs Evolves to Evade Spam Detection via Internet Shortcut File}}, date = {2018-04-26}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/}, language = {English}, urldate = {2020-01-10} } @online{ang:20200428:loki:169b27e, author = {Miguel Ang}, title = {{Loki Info Stealer Propagates through LZH Files}}, date = {2020-04-28}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/loki-info-stealer-propagates-through-lzh-files}, language = {English}, urldate = {2020-08-14} } @online{anishell:20110603:anishell:6870af0, author = {Ani-Shell}, title = {{Ani-Shell}}, date = {2011-06-03}, organization = {Sourceforge}, url = {http://ani-shell.sourceforge.net/}, language = {English}, urldate = {2020-01-13} } @online{anonymous:20170210:rebranding:877e1bd, author = {Anonymous}, title = {{Rebranding iSpy Keylogger: Gear Informer}}, date = {2017-02-10}, organization = {Wapack Labs}, url = {https://wapacklabs.blogspot.ch/2017/02/rebranding-ispy-keylogger-gear-informer.html}, language = {English}, urldate = {2020-01-07} } @techreport{anssi:20190326:informations:7965c3d, author = {ANSSI}, title = {{INFORMATIONS CONCERNANTLES RANÇONGICIELSLOCKERGOGA ET RYUK}}, date = {2019-03-26}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf}, language = {French}, urldate = {2020-01-10} } @techreport{anssi:20200129:tat:3d59e6e, author = {ANSSI}, title = {{État de la menace rançongiciel}}, date = {2020-01-29}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf}, language = {English}, urldate = {2020-02-03} } @online{antenucci:20190327:psixbot:9e1a258, author = {Stefano Antenucci and Antonio Parata}, title = {{PsiXBot: The Evolution Of A Modular .NET Bot}}, date = {2019-03-27}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2019/03/27/psixbot-the-evolution-of-a-modular-net-bot/}, language = {English}, urldate = {2019-10-12} } @online{antil:20190912:innfirat:22e8987, author = {Sahil Antil and Rohit Chaturvedi}, title = {{InnfiRAT: A new RAT aiming for your cryptocurrency and more}}, date = {2019-09-12}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/innfirat-new-rat-aiming-your-cryptocurrency-and-more}, language = {English}, urldate = {2020-01-10} } @online{antivirnews:20110120:beschreibung:678e455, author = {antivirnews}, title = {{Beschreibung des Virus Backdoor.Win32. Buterat.afj}}, date = {2011-01-20}, url = {http://antivirnews.blogspot.com/2011/01/backdoorwin32-buteratafj.html}, language = {Russian}, urldate = {2020-01-10} } @online{anton:20200602:hunting:5aa320f, author = {Anton}, title = {{Hunting Malicious Macros}}, date = {2020-06-02}, organization = {Pwntario Blog}, url = {https://blog.pwntario.com/team-posts/antons-posts/hunting-malicious-macros#first}, language = {English}, urldate = {2020-06-03} } @online{anubhav:20160923:hancitor:220140e, author = {Ankit Anubhav and Dileep Kumar Jallepalli}, title = {{Hancitor (AKA Chanitor) observed using multiple attack approaches}}, date = {2016-09-23}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html}, language = {English}, urldate = {2019-12-20} } @online{anubhav:20180718:huawai:e28ad1e, author = {Ankit Anubhav}, title = {{Tweet on Huawai Router Hacker Anarchy}}, date = {2018-07-18}, organization = {Twitter (@anit_anubhav)}, url = {https://twitter.com/ankit_anubhav/status/1019647993547550720}, language = {English}, urldate = {2020-01-13} } @techreport{anubislabs:20151015:dridex:4dafca8, author = {AnubisLabs}, title = {{Dridex: Chasing a botnet from the inside}}, date = {2015-10-15}, institution = {BitSight}, url = {https://cdn2.hubspot.net/hubfs/507516/ANB_MIR_Dridex_PRv7_final.pdf}, language = {English}, urldate = {2020-08-06} } @online{anurag:20200405:trojan:2bb6584, author = {Anurag}, title = {{Trojan Agent Tesla – Malware Analysis}}, date = {2020-04-05}, organization = {MalwrAnalysis}, url = {https://malwr-analysis.com/2020/04/05/trojan-agent-tesla-malware-analysis/}, language = {English}, urldate = {2020-04-08} } @online{anurag:20200622:njrat:381c066, author = {Anurag}, title = {{njRat Malware Analysis}}, date = {2020-06-22}, url = {https://malwr-analysis.com/2020/06/21/njrat-malware-analysis/}, language = {English}, urldate = {2020-06-22} } @online{anxin:20190116:latest:60776ef, author = {Qi Anxin}, title = {{Latest Target Attack of DarkHydruns Group Against Middle East}}, date = {2019-01-16}, organization = {360.cn}, url = {https://ti.360.net/blog/articles/latest-target-attack-of-darkhydruns-group-against-middle-east-en/}, language = {English}, urldate = {2019-12-15} } @online{anyrun:20180208:anyrun:611fc13, author = {ANY.RUN}, title = {{ANY.RUN analysis of MBRLock}}, date = {2018-02-08}, organization = {ANY.RUN}, url = {https://app.any.run/tasks/0a7e643f-7562-4575-b8a5-747bd6b5f02d}, language = {English}, urldate = {2020-01-13} } @online{anyrun:20180321:bandios:cd8a14c, author = {ANY.RUN}, title = {{Tweet on Bandios / Colony}}, date = {2018-03-21}, organization = {Twitter (@anyrun_app)}, url = {https://twitter.com/anyrun_app/status/976385355384590337}, language = {English}, urldate = {2020-01-07} } @online{anyrun:20190719:anyrun:890dfc0, author = {ANY.RUN}, title = {{ANY.RUN analysis on URL}}, date = {2019-07-19}, organization = {ANY.RUN}, url = {https://app.any.run/tasks/ea024149-8e83-41c0-b0ed-32ec38dea4a6/}, language = {English}, urldate = {2020-01-08} } @online{anyrun:20190924:anyrun:649c085, author = {ANY.RUN}, title = {{ANY.RUN analysis on unidentified sample}}, date = {2019-09-24}, organization = {ANY.RUN}, url = {https://app.any.run/tasks/4e48bcbf-015b-4a57-bb98-50f9531ff37a}, language = {English}, urldate = {2020-01-13} } @online{aprozper:20180322:ghostminer:711cbd2, author = {Asaf Aprozper and Gal Bitensky}, title = {{GhostMiner: Cryptomining Malware Goes Fileless}}, date = {2018-03-22}, organization = {Minerva}, url = {https://blog.minerva-labs.com/ghostminer-cryptomining-malware-goes-fileless}, language = {English}, urldate = {2020-01-07} } @online{aprozper:20190128:azorult:78563e2, author = {Asaf Aprozper and Gal Bitensky}, title = {{AZORult: Now, as A Signed “Google Update”}}, date = {2019-01-28}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/azorult-now-as-a-signed-google-update}, language = {English}, urldate = {2019-12-04} } @online{apvrille:20170315:teardown:76fb758, author = {Axelle Apvrille}, title = {{Teardown of a Recent Variant of Android/Ztorg (Part 1)}}, date = {2017-03-15}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/03/15/teardown-of-a-recent-variant-of-android-ztorg-part-1}, language = {English}, urldate = {2019-12-10} } @online{apvrille:20170315:teardown:e3c30e6, author = {Axelle Apvrille}, title = {{Teardown of Android/Ztorg (Part 2)}}, date = {2017-03-15}, organization = {Fortinet}, url = {http://blog.fortinet.com/2017/03/08/teardown-of-android-ztorg-part-2}, language = {English}, urldate = {2019-12-24} } @online{aquilino:20130715:signed:013bd1d, author = {Broderick Aquilino}, title = {{Signed Mac Malware Using Right-to-Left Override Trick}}, date = {2013-07-15}, organization = {F-Secure}, url = {https://archive.f-secure.com/weblog/archives/00002576.html}, language = {English}, urldate = {2020-05-19} } @online{aquino:20140306:siesta:9a574bc, author = {Maharlito Aquino}, title = {{The Siesta Campaign: A New Targeted Attack Awakens}}, date = {2014-03-06}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/the-siesta-campaign-a-new-targeted-attack-awakens/}, language = {English}, urldate = {2020-01-13} } @online{ar6s:2019:rat:f0a6a2f, author = {Ar6s}, title = {{[RAT] DARK TRACK ALIEN 4.1}}, date = {2019}, organization = {Cracked.to Forum}, url = {https://cracked.to/Thread-Release-RAT-Dark-track-alien-4-1}, language = {English}, urldate = {2020-01-07} } @online{arada:20130924:osxleveragea:ba6e883, author = {Eduardo De La Arada}, title = {{OSX/Leverage.a Analysis}}, date = {2013-09-24}, organization = {AT&T}, url = {https://www.alienvault.com/blogs/labs-research/osx-leveragea-analysis}, language = {English}, urldate = {2020-01-13} } @techreport{archer:20190531:qealler:2d73860, author = {Jeff Archer}, title = {{Qealler Unloaded}}, date = {2019-05-31}, institution = {Github (jeFF0Falltrades)}, url = {https://github.com/jeFF0Falltrades/Malware-Writeups/blob/master/Qealler/Qealler-Unloaded.pdf}, language = {English}, urldate = {2019-12-17} } @online{archer:20190815:micropsia:8ed52a1, author = {Jeff Archer}, title = {{MICROPSIA (APT-C-23)}}, date = {2019-08-15}, organization = {Github (jeFF0Falltrades)}, url = {https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/micropsia_apt_c_23.md}, language = {English}, urldate = {2019-12-10} } @online{archer:20190914:wsh:103aefa, author = {Jeff Archer}, title = {{WSH RAT (A variant of H-Worm/Houdini)}}, date = {2019-09-14}, organization = {Github (jeFF0Falltrades)}, url = {https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/wsh_rat.md}, language = {English}, urldate = {2020-01-06} } @online{archer:20191103:dtrack:de46ce3, author = {Jeff Archer}, title = {{DTrack}}, date = {2019-11-03}, organization = {Github (jeFF0Falltrades)}, url = {https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/dtrack_lazarus_group.md}, language = {English}, urldate = {2019-12-18} } @online{archer:20191205:poshc2:3066e19, author = {Jeff Archer}, title = {{PoshC2 (specifically as used by APT33)}}, date = {2019-12-05}, organization = {Github (jeFF0Falltrades)}, url = {https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/poshc2_apt_33.md}, language = {English}, urldate = {2020-01-06} } @online{archer:20200211:metamorfo:663ae17, author = {Jeff Archer}, title = {{Metamorfo (aka Casbaneiro)}}, date = {2020-02-11}, organization = {Github (jeFF0Falltrades)}, url = {https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/metamorfo.md}, language = {English}, urldate = {2020-02-11} } @online{arkbirdsolg:20200505:operation:448dc4a, author = {@Arkbird_SOLG}, title = {{Operation Flash Cobra}}, date = {2020-05-05}, organization = {Github (StrangerealIntel)}, url = {https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/North%20Korea/APT/Lazarus/2020-05-05/Analysis.md}, language = {English}, urldate = {2020-05-07} } @online{arkbirdsolg:20200622:ftcode:1f79b62, author = {Twitter (@Arkbird_SOLG)}, title = {{FTcode targets European countries}}, date = {2020-06-22}, organization = {Github (StrangerealIntel)}, url = {https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/Unknown/2020-06-22/Analysis.md}, language = {English}, urldate = {2020-06-24} } @online{armelli:20200708:named:c581e3d, author = {Matthew Armelli and Stuart Caudill and John Patrick Dees and Max Egar and Jennifer Keltz and Lan Pelekis and John Sakellariadis and Vipratap Vikram Singh and Katherine von Ofenheim and Neal Pollard}, title = {{Named But Hardly Shamed: What is the Impact of Information Disclosures on an APT Operations?}}, date = {2020-07-08}, organization = {COLUMBIA | SIPA}, url = {https://sipa.columbia.edu/file/12461/download?token=o5TRWZnI}, language = {English}, urldate = {2020-07-13} } @online{arneson:20190124:cisco:58d9a8f, author = {John Arneson}, title = {{Cisco AMP tracks new campaign that delivers Ursnif}}, date = {2019-01-24}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/01/amp-tracks-ursnif.html}, language = {English}, urldate = {2019-10-12} } @online{arntz:20171031:analyzing:9d5c49e, author = {Pieter Arntz}, title = {{Analyzing malware by API calls}}, date = {2017-10-31}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/10/analyzing-malware-by-api-calls/}, language = {English}, urldate = {2019-12-20} } @online{arntz:20200710:threat:f64cac0, author = {Pieter Arntz}, title = {{Threat spotlight: WastedLocker, customized ransomware}}, date = {2020-07-10}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/}, language = {English}, urldate = {2020-07-15} } @online{arntz:20200813:chrome:2120054, author = {Pieter Arntz}, title = {{Chrome extensions that lie about their permissions}}, date = {2020-08-13}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/puppum/2020/08/chrome-extensions-that-lie-about-their-permissions/}, language = {English}, urldate = {2020-08-14} } @online{aronov:20150723:analysis:0162f34, author = {Igor Aronov}, title = {{An Analysis of the Qadars Banking Trojan}}, date = {2015-07-23}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/an-analysis-of-the-qadars-trojan/}, language = {English}, urldate = {2020-01-10} } @online{arsene:20160808:possibly:55e5441, author = {Liviu Arsene}, title = {{Possibly Italy-Born Android RAT Reported in China, Find Bitdefender Researchers}}, date = {2016-08-08}, organization = {Bitdefender}, url = {https://hotforsecurity.bitdefender.com/blog/possibly-italy-born-android-rat-reported-in-china-find-bitdefender-researchers-16264.html}, language = {English}, urldate = {2020-01-06} } @online{arsene:20171026:keranger:a908ea4, author = {Liviu Arsene}, title = {{Keranger: the first “in-the-wild” ransomware for Macs. But certainly not the last}}, date = {2017-10-26}, organization = {Macworld}, url = {https://www.macworld.com/article/3234650/macs/keranger-the-first-in-the-wild-ransomware-for-macs-but-certainly-not-the-last.html}, language = {English}, urldate = {2020-01-08} } @online{arsene:20200107:hold:b9c1aa4, author = {Liviu Arsene}, title = {{Hold My Beer Mirai – Spinoff Named ‘LiquorBot’ Incorporates Cryptomining}}, date = {2020-01-07}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/01/hold-my-beer-mirai-spinoff-named-liquorbot-incorporates-cryptomining/}, language = {English}, urldate = {2020-01-13} } @techreport{arsene:20200318:new:2d895da, author = {Liviu Arsene and Radu Tudorica and Alexandru Maximciuc and Cristina Vatamanu}, title = {{New TrickBot Module Bruteforces RDP Connections, Targets Select Telecommunication Services in US and Hong Kong}}, date = {2020-03-18}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/316/Bitdefender-Whitepaper-TrickBot-en-EN-interactive.pdf}, language = {English}, urldate = {2020-03-19} } @online{arsene:20200320:5:46813c6, author = {Liviu Arsene}, title = {{5 Times More Coronavirus-themed Malware Reports during March}}, date = {2020-03-20}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter}, language = {English}, urldate = {2020-03-26} } @online{arsene:20200325:new:51ce027, author = {Liviu Arsene}, title = {{New Router DNS Hijacking Attacks Abuse Bitbucket to Host Infostealer}}, date = {2020-03-25}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/03/new-router-dns-hijacking-attacks-abuse-bitbucket-to-host-infostealer/}, language = {English}, urldate = {2020-03-30} } @online{arsene:20200326:android:946032b, author = {Liviu Arsene}, title = {{Android Apps and Malware Capitalize on Coronavirus}}, date = {2020-03-26}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/03/android-apps-and-malware-capitalize-on-coronavirus}, language = {English}, urldate = {2020-03-26} } @online{arsene:20200513:global:6217d6f, author = {Liviu Arsene}, title = {{Global Ransomware and Cyberattacks on Healthcare Spike during Pandemic}}, date = {2020-05-13}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/05/global-ransomware-and-cyberattacks-on-healthcare-spike-during-pandemic/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter}, language = {English}, urldate = {2020-07-06} } @techreport{arsene:20200521:iranian:d9e1468, author = {Liviu Arsene and Bogdan Rusu}, title = {{Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia}}, date = {2020-05-21}, institution = {Bitdefender}, url = {https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf}, language = {English}, urldate = {2020-05-23} } @techreport{arsene:20200630:strongpity:ed365fb, author = {Liviu Arsene and Radu Tudorica and Cristina Vatamanu and Alexandru Maximciuc}, title = {{StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure}}, date = {2020-06-30}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf}, language = {English}, urldate = {2020-06-30} } @online{arzamendi:20180118:arc:384a9b0, author = {Pete Arzamendi and Matt Bing and Kirk Soluk}, title = {{The ARC of Satori}}, date = {2018-01-18}, organization = {NetScout}, url = {https://www.arbornetworks.com/blog/asert/the-arc-of-satori/}, language = {English}, urldate = {2019-11-29} } @techreport{asd:20181214:investigationreport:6eda856, author = {ASD}, title = {{Investigationreport: Compromise of an Australian companyvia their Managed Service Provider}}, date = {2018-12-14}, institution = {Australian Cyber Security Centre}, url = {https://www.cyber.gov.au/sites/default/files/2019-03/msp_investigation_report.pdf}, language = {English}, urldate = {2020-03-11} } @online{asec:20171016:operation:68f1182, author = {ASEC}, title = {{Operation Bitter Biscuit}}, date = {2017-10-16}, organization = {AhnLab}, url = {http://asec.ahnlab.com/tag/Operation%20Bitter%20Biscuit}, language = {Korean}, urldate = {2020-01-13} } @techreport{asec:20191010:asec:6452cd4, author = {ASEC}, title = {{ASEC Report Vol. 96}}, date = {2019-10-10}, institution = {AhnLab}, url = {https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.96_ENG.pdf}, language = {English}, urldate = {2020-01-13} } @online{ash:20180626:rancor:99f5616, author = {Brittany Ash and Josh Grunzweig and Tom Lancaster}, title = {{RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families}}, date = {2018-06-26}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/}, language = {English}, urldate = {2019-12-20} } @online{ash:20180626:rancor:cc2a967, author = {Brittany Ash and Josh Grunzweig and Tom Lancaster}, title = {{RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families}}, date = {2018-06-26}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/}, language = {English}, urldate = {2019-12-18} } @online{ashford:20180802:three:1fa3b70, author = {Warwick Ashford}, title = {{Three Carbanak cyber heist gang members arrested}}, date = {2018-08-02}, organization = {ComputerWeekly}, url = {https://www.computerweekly.com/news/252446153/Three-Carbanak-cyber-heist-gang-members-arrested}, language = {English}, urldate = {2020-01-10} } @online{ashman:20190605:upgraded:519af7d, author = {Ofir Ashman}, title = {{Upgraded JasperLoader Infecting Machines with New Targets & Functional Improvements: What You Need to Know}}, date = {2019-06-05}, organization = {ThreatStop}, url = {https://blog.threatstop.com/upgraded-jasperloader-infecting-machines}, language = {English}, urldate = {2020-01-08} } @online{asinovsky:20200618:ginp:724e3ef, author = {Pavel Asinovsky}, title = {{Ginp Malware Operations are on the Rise, Aiming to Expand in Turkey}}, date = {2020-06-18}, organization = {IBM Security}, url = {https://securityintelligence.com/posts/ginp-malware-operations-rising-expansions-turkey/}, language = {English}, urldate = {2020-06-19} } @online{askar:20200726:inmemory:5556cad, author = {Askar}, title = {{In-Memory shellcode decoding to evade AVs/EDRs}}, date = {2020-07-26}, organization = {Shells.System blog}, url = {https://shells.systems/in-memory-shellcode-decoding-to-evade-avs/}, language = {English}, urldate = {2020-07-30} } @online{asoltanei:20200331:infected:eaa940e, author = {Oana Asoltanei and Alin Mihai Barbatei and Ioan-Septimiu Dinulica}, title = {{Infected Zoom Apps for Android Target Work-From-Home Users}}, date = {2020-03-31}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/03/infected-zoom-apps-for-android-target-work-from-home-users}, language = {English}, urldate = {2020-04-07} } @techreport{asoltanei:20200619:bitterapt:2e8e1d2, author = {Oana Asoltanei and Denis Cosmin Nutiu and Alin Mihai Barbatei}, title = {{BitterAPT Revisited: the Untold Evolution of an Android Espionage Tool}}, date = {2020-06-19}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf}, language = {English}, urldate = {2020-06-21} } @online{asrar:201901:destructive:f4cc200, author = {Irfan Asrar}, title = {{Destructive Attack "Dustman" Technical Report}}, date = {2019-01}, organization = {LinkedIn Irfan Asrar}, url = {https://www.linkedin.com/posts/iasrar_dustman-report-in-english-activity-6619216346083393537-NV1z/}, language = {English}, urldate = {2020-01-13} } @online{asrar:20200104:dustman:8df5168, author = {Irfan Asrar}, title = {{Tweet on Dustman}}, date = {2020-01-04}, organization = {Twitter (@Irfan_Asrar)}, url = {https://twitter.com/Irfan_Asrar/status/1213544175355908096}, language = {English}, urldate = {2020-01-09} } @online{assante:20151230:current:342c55e, author = {Michael J. Assante}, title = {{Current Reporting on the Cyber Attack in Ukraine Resulting in Power Outage}}, date = {2015-12-30}, organization = {SANS}, url = {https://ics.sans.org/blog/2015/12/30/current-reporting-on-the-cyber-attack-in-ukraine-resulting-in-power-outage}, language = {English}, urldate = {2019-12-17} } @online{aswanda:20180622:formbook:ce3c98b, author = {Aswanda}, title = {{FormBook stealer: Data theft made easy}}, date = {2018-06-22}, organization = {InQuest}, url = {http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/}, language = {English}, urldate = {2020-01-09} } @online{attck:2019:admin338:c8e4d93, author = {MITRE ATT&CK}, title = {{Group description: admin@338}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0018/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:apt1:9f69f1f, author = {MITRE ATT&CK}, title = {{Group description: APT1}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0006/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:apt28:f03c2bd, author = {MITRE ATT&CK}, title = {{Group description: APT28}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0007/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:apt37:b488fef, author = {MITRE ATT&CK}, title = {{Group description: APT37}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0067/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:apt39:573abf3, author = {MITRE ATT&CK}, title = {{Group description: APT39}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0087/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:blackoasis:ceb12ff, author = {MITRE ATT&CK}, title = {{Group description: BlackOasis}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0063/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:bronze:b7965ff, author = {MITRE ATT&CK}, title = {{Group description: BRONZE BUTLER}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0060/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:carbanak:0e2fe5c, author = {MITRE ATT&CK}, title = {{Group description: Carbanak}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0008/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:charming:f900c21, author = {MITRE ATT&CK}, title = {{Group description: Charming Kitten}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0058/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:cleaver:ac864e2, author = {MITRE ATT&CK}, title = {{Group description: Cleaver}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0003/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:cobalt:0e0496e, author = {MITRE ATT&CK}, title = {{Group description: Cobalt Group}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0080/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:copykittens:a691b76, author = {MITRE ATT&CK}, title = {{Group description: CopyKittens}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0052/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:dark:01cd067, author = {MITRE ATT&CK}, title = {{Group description: Dark Caracal}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0070/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:darkhotel:eab9170, author = {MITRE ATT&CK}, title = {{Group description: Darkhotel}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0012/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:darkhydrus:b9db207, author = {MITRE ATT&CK}, title = {{Group description: DarkHydrus}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0079/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:deep:7220dc2, author = {MITRE ATT&CK}, title = {{Group description: Deep Panda}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0009/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:dragonfly:c84141f, author = {MITRE ATT&CK}, title = {{Group description: Dragonfly}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0035/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:dragonok:f2cc4fa, author = {MITRE ATT&CK}, title = {{Group description: DragonOK}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0017/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:dust:699660d, author = {MITRE ATT&CK}, title = {{Group description: Dust Storm}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0031/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:elderwood:581a3e4, author = {MITRE ATT&CK}, title = {{Group description: Elderwood}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0066/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:equation:8b2ae74, author = {MITRE ATT&CK}, title = {{Group description: Equation}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0020/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:fin10:ae5d375, author = {MITRE ATT&CK}, title = {{Group description: FIN10}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0051/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:fin4:dd68444, author = {MITRE ATT&CK}, title = {{Group description: FIN4}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0085/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:fin5:48f7065, author = {MITRE ATT&CK}, title = {{Group description: FIN5}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0053/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:fin6:791eaef, author = {MITRE ATT&CK}, title = {{Group description: FIN6}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0037/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:fin7:be45dfe, author = {MITRE ATT&CK}, title = {{Group description: FIN7}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0046/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:fin8:2b2b924, author = {MITRE ATT&CK}, title = {{Group description: FIN8}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0061}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:gamaredon:982ecc4, author = {MITRE ATT&CK}, title = {{Group description: Gamaredon Group}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0047/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:gcman:23384a0, author = {MITRE ATT&CK}, title = {{Group description: GCMAN}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0036/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:gorgon:f7c9936, author = {MITRE ATT&CK}, title = {{Group description: Gorgon Group}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0078/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:group5:fcdeaa8, author = {MITRE ATT&CK}, title = {{Group description: Group5}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0043/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:honeybee:9d1ffa6, author = {MITRE ATT&CK}, title = {{Group description: Honeybee}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0072/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:ke3chang:89a4a35, author = {MITRE ATT&CK}, title = {{Group description: Ke3chang}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0004/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:lazarus:a298c2f, author = {MITRE ATT&CK}, title = {{Group description: Lazarus Group}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0032/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:leafminer:c73518e, author = {MITRE ATT&CK}, title = {{Group description: Leafminer}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0077/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:leviathan:249223a, author = {MITRE ATT&CK}, title = {{Group description: Leviathan}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0065/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:lotus:98bf87a, author = {MITRE ATT&CK}, title = {{Group description: Lotus Blossom}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0030/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:magic:f2f07ab, author = {MITRE ATT&CK}, title = {{Group description: Magic Hound}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0059/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:menupass:8fde950, author = {MITRE ATT&CK}, title = {{Group description: menuPass}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0045/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:moafee:021312c, author = {MITRE ATT&CK}, title = {{Group description: Moafee}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0002/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:molerats:9927c33, author = {MITRE ATT&CK}, title = {{Group description: Molerats}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0021/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:muddywater:b990d10, author = {MITRE ATT&CK}, title = {{Group description: MuddyWater}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0069/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:naikon:f6661ca, author = {MITRE ATT&CK}, title = {{Group description: Naikon}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0019/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:neodymium:2979fa4, author = {MITRE ATT&CK}, title = {{Group description: NEODYMIUM}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0055/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:night:45c6d39, author = {MITRE ATT&CK}, title = {{Group description: Night Dragon}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0014/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:oilrig:40b5deb, author = {MITRE ATT&CK}, title = {{Group description: OilRig}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0049/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:orangeworm:7b6180d, author = {MITRE ATT&CK}, title = {{Group description: Orangeworm}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0071/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:patchwork:b9fa9e1, author = {MITRE ATT&CK}, title = {{Group description: Patchwork}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0040/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:pittytiger:9fde514, author = {MITRE ATT&CK}, title = {{Group description: PittyTiger}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0011/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:platinum:7fbd5ec, author = {MITRE ATT&CK}, title = {{Group description: PLATINUM}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0068/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:poseidon:9c4e9d2, author = {MITRE ATT&CK}, title = {{Group description: Poseidon Group}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0033/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:promethium:845588e, author = {MITRE ATT&CK}, title = {{Group description: PROMETHIUM}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0056/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:putter:db997a2, author = {MITRE ATT&CK}, title = {{Group description: Putter Panda}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0024/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:rancor:d326bb1, author = {MITRE ATT&CK}, title = {{Group description: Rancor}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0075/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:rtm:24fd219, author = {MITRE ATT&CK}, title = {{Group description: RTM}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0048/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:sandworm:2c635f5, author = {MITRE ATT&CK}, title = {{Group description: Sandworm Team}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0034/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:scarlet:c7d064d, author = {MITRE ATT&CK}, title = {{Group description: Scarlet Mimic}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0029/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:sowbug:1065fa1, author = {MITRE ATT&CK}, title = {{Group description: Sowbug}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0054/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:stealth:5d9f9cd, author = {MITRE ATT&CK}, title = {{Group description: Stealth Falcon}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0038/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:stolen:1489d7d, author = {MITRE ATT&CK}, title = {{Group description: Stolen Pencil}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0086/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:strider:e8991a7, author = {MITRE ATT&CK}, title = {{Group description: Strider}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0041/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:suckfly:686a402, author = {MITRE ATT&CK}, title = {{Group description: Suckfly}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0039/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:ta459:3a8408d, author = {MITRE ATT&CK}, title = {{Group description: TA459}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0062/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:taidoor:e2e9ac3, author = {MITRE ATT&CK}, title = {{Group description: Taidoor}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0015/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:tempveles:c62b7f7, author = {MITRE ATT&CK}, title = {{Group description: TEMP.Veles}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0088/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:threat:739dbdd, author = {MITRE ATT&CK}, title = {{Group description: Threat Group-3390}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0027/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:thrip:b7cf7c3, author = {MITRE ATT&CK}, title = {{Group description: Thrip}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0076/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:tool:5022816, author = {MITRE ATT&CK}, title = {{Tool description: NanHaiShu}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0228/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:tool:ae50919, author = {MITRE ATT&CK}, title = {{Tool description: BUBBLEWRAP}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0043/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:tool:aef0372, author = {MITRE ATT&CK}, title = {{Tool description: HALFBAKED}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0151/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:tool:e80f843, author = {MITRE ATT&CK}, title = {{Tool description: ELMER}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0064}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:tool:ebc79ce, author = {MITRE ATT&CK}, title = {{Tool description: BLACKCOFFEE}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0069/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:tool:fd89dda, author = {MITRE ATT&CK}, title = {{Tool description: China Chopper}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0020/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:tropic:0324452, author = {MITRE ATT&CK}, title = {{Group description: Tropic Trooper}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0081/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:turla:6c3dec8, author = {MITRE ATT&CK}, title = {{Group description: Turla}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0010/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:winnti:ad3b350, author = {MITRE ATT&CK}, title = {{Group description: Winnti Group}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0044/}, language = {English}, urldate = {2019-12-20} } @online{atweeteruser:20190726:malware:dce6863, author = {a_tweeter_user}, title = {{Tweet on Malware}}, date = {2019-07-26}, organization = {Twitter (@a_tweeter_user)}, url = {https://twitter.com/a_tweeter_user/status/1154764787823316993}, language = {English}, urldate = {2020-01-08} } @online{authos:20160320:hidden:151e4e4, author = {Tripwire Guest Authos}, title = {{Hidden Tear Project: Forbidden Fruit Is the Sweetest}}, date = {2016-03-20}, organization = {Tripwire}, url = {https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/hidden-tear-project-forbidden-fruit-is-the-sweetest/}, language = {English}, urldate = {2020-01-08} } @online{avast:20171220:video:4c6aaa5, author = {Avast}, title = {{Video about Catelites Bot - Airbank Example}}, date = {2017-12-20}, organization = {YouTube}, url = {https://www.youtube.com/watch?v=1LOy0ZyjEOk}, language = {English}, urldate = {2020-01-07} } @online{avast:2018:hide:cd78bb0, author = {Avast}, title = {{Hide 'N Seek}}, date = {2018}, organization = {Avast}, url = {https://threatlabs.avast.com/botnet}, language = {English}, urldate = {2019-12-17} } @online{aydinbas:20190502:formbook:d1ef715, author = {Johann Aydinbas}, title = {{FormBook - Hiding in plain sight}}, date = {2019-05-02}, organization = {Usual Suspect RE}, url = {https://usualsuspect.re/article/formbook-hiding-in-plain-sight}, language = {English}, urldate = {2020-01-13} } @techreport{ayers:20191113:through:70cc3b3, author = {Jen Ayers and Jason Rivera}, title = {{Through the Eyes of the Adversary}}, date = {2019-11-13}, institution = {CrowdStrike}, url = {https://na.eventscloud.com/file_uploads/6568237bca6dc156e5c5557c5989e97c_CrowdStrikeFal.Con2019_ThroughEyesOfAdversary_J.Ayers.pdf}, language = {English}, urldate = {2020-03-22} } @online{babe:201904:analyzing:3a404ff, author = {Cafe Babe}, title = {{Analyzing Emotet with Ghidra — Part 1}}, date = {2019-04}, url = {https://medium.com/@0xd0cf11e/analyzing-emotet-with-ghidra-part-1-4da71a5c8d69}, language = {English}, urldate = {2019-12-06} } @online{baca:20200326:would:a184711, author = {Alejandro Baca and Rodel Mendrez}, title = {{Would You Exchange Your Security for a Gift Card?}}, date = {2020-03-26}, organization = {SpiderLabs Blog}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/would-you-exchange-your-security-for-a-gift-card/}, language = {English}, urldate = {2020-03-30} } @techreport{backdoor:201803:oceanlotus:a2c3636, author = {OceanLotus: Old techniques, new backdoor}, title = {{OceanLotus: Old techniques, new backdoor}}, date = {2018-03}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2018/03/ESET_OceanLotus.pdf}, language = {English}, urldate = {2020-01-07} } @online{bacurio:20160621:curious:8607f46, author = {Floser Bacurio and Roland Dela Paz}, title = {{The Curious Case of an Unknown Trojan Targeting German-Speaking Users}}, date = {2016-06-21}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users.html}, language = {English}, urldate = {2020-01-08} } @online{bacurio:20170214:remcos:e924c55, author = {Floser Bacurio and Joie Salvio}, title = {{REMCOS: A New RAT In The Wild}}, date = {2017-02-14}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2}, language = {English}, urldate = {2020-01-09} } @online{bacurio:20171207:peculiar:e4c095f, author = {Floser Bacurio and Joie Salvio}, title = {{A Peculiar Case of Orcus RAT Targeting Bitcoin Investors}}, date = {2017-12-07}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitcoin-investors}, language = {English}, urldate = {2020-01-08} } @online{bader:20150112:dga:b961e18, author = {Johannes Bader}, title = {{The DGA of Shiotob}}, date = {2015-01-12}, url = {https://www.johannesbader.ch/2015/01/the-dga-of-shiotob/}, language = {English}, urldate = {2019-12-19} } @online{bader:20150210:dga:2ff5cf7, author = {Johannes Bader}, title = {{The DGA of Banjori}}, date = {2015-02-10}, organization = {Johannes Bader's Blog}, url = {https://www.johannesbader.ch/2015/02/the-dga-of-banjori/}, language = {English}, urldate = {2020-01-07} } @online{bader:20150306:dga:3673443, author = {Johannes Bader}, title = {{The DGA of DirCrypt}}, date = {2015-03-06}, url = {https://www.johannesbader.ch/2015/03/the-dga-of-dircrypt/}, language = {English}, urldate = {2019-11-28} } @online{bader:20150310:dga:4409507, author = {Johannes Bader}, title = {{The DGA of Pykspa}}, date = {2015-03-10}, organization = {Johannes Bader Blog}, url = {https://www.johannesbader.ch/2015/03/the-dga-of-pykspa/}, language = {English}, urldate = {2019-12-19} } @online{bader:20150522:dga:9ba1744, author = {Johannes Bader}, title = {{The DGA of Ranbyus}}, date = {2015-05-22}, organization = {Johannes Bader Blog}, url = {https://www.johannesbader.ch/2015/05/the-dga-of-ranbyus/}, language = {English}, urldate = {2020-01-06} } @online{bader:20150610:win32upatrebi:36ea1eb, author = {Johannes Bader}, title = {{Win32/Upatre.BI - Part One}}, date = {2015-06-10}, url = {https://johannesbader.ch/2015/06/Win32-Upatre-BI-Part-1-Unpacking/}, language = {English}, urldate = {2019-12-02} } @online{bader:20150719:faulty:e287eee, author = {Johannes Bader}, title = {{The Faulty Precursor of Pykspa's DGA}}, date = {2015-07-19}, organization = {Johannes Bader Blog}, url = {https://www.johannesbader.ch/2015/07/pykspas-inferior-dga-version/}, language = {English}, urldate = {2020-01-09} } @online{bader:20160110:dga:cb8a5e5, author = {Johannes Bader}, title = {{The DGA in Alureon/DNSChanger}}, date = {2016-01-10}, url = {https://www.johannesbader.ch/2016/01/the-dga-in-alureon-dnschanger/}, language = {English}, urldate = {2019-12-17} } @online{bader:20160221:phorpiex:ab65d87, author = {Johannes Bader}, title = {{Phorpiex - An IRC worm}}, date = {2016-02-21}, organization = {Johannes Bader Blog}, url = {https://www.johannesbader.ch/2016/02/phorpiex/}, language = {English}, urldate = {2020-01-06} } @online{bader:20160224:dga:735ff10, author = {Johannes Bader}, title = {{The DGA of Qakbot.T}}, date = {2016-02-24}, organization = {Johannes Bader Blog}, url = {https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/}, language = {English}, urldate = {2020-01-06} } @online{bader:20160306:dga:fe673b7, author = {Johannes Bader}, title = {{The DGA of PadCrypt}}, date = {2016-03-06}, url = {https://johannesbader.ch/2016/03/the-dga-of-padcrypt/}, language = {English}, urldate = {2019-12-06} } @online{bader:20160412:dga:469d85e, author = {Johannes Bader}, title = {{The DGA of Qadars v3}}, date = {2016-04-12}, url = {https://www.johannesbader.ch/2016/04/the-dga-of-qadars/}, language = {English}, urldate = {2019-07-11} } @online{bader:20170725:dridex:44f64d8, author = {Johannes Bader}, title = {{Dridex Loot}}, date = {2017-07-25}, organization = {Github (viql)}, url = {https://viql.github.io/dridex/}, language = {English}, urldate = {2020-01-07} } @online{bader:20180429:new:b8e7b59, author = {Johannes Bader}, title = {{The new Domain Generation Algorithm of Nymaim}}, date = {2018-04-29}, url = {https://johannesbader.ch/2018/04/the-new-domain-generation-algorithm-of-nymaim/}, language = {English}, urldate = {2020-01-07} } @online{bader:20190708:dga:0c56ba3, author = {Johannes Bader}, title = {{The DGA of Pitou}}, date = {2019-07-08}, url = {https://johannesbader.ch/2019/07/the-dga-of-pitou/}, language = {English}, urldate = {2020-01-10} } @online{bader:20191112:dga:0a1d2c8, author = {Johannes Bader}, title = {{The DGA of QSnatch}}, date = {2019-11-12}, organization = {Johannes Bader Blog}, url = {https://bin.re/blog/the-dga-of-qsnatch/}, language = {English}, urldate = {2020-01-13} } @online{bader:20200123:dga:129802e, author = {Johannes Bader}, title = {{The DGA of a Monero Miner Downloader}}, date = {2020-01-23}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/the-dga-of-a-monero-miner-downloader/}, language = {English}, urldate = {2020-01-27} } @online{bader:20200426:dga:edd448c, author = {Johannes Bader}, title = {{The DGA of Zloader}}, date = {2020-04-26}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/the-dga-of-zloader/}, language = {English}, urldate = {2020-04-26} } @online{bader:20200714:domain:51498ab, author = {Johannes Bader}, title = {{The Domain Generation Algorithm of BazarBackdoor}}, date = {2020-07-14}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/the-dga-of-bazarbackdoor/}, language = {English}, urldate = {2020-07-15} } @online{bader:20200715:defective:3a3721f, author = {Johannes Bader}, title = {{The Defective Domain Generation Algorithm of BazarBackdoor}}, date = {2020-07-15}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/the-buggy-dga-of-bazarbackdoor/}, language = {English}, urldate = {2020-07-15} } @techreport{bailey:201601:matryoshka:3c7753f, author = {Michael Bailey}, title = {{MATRYOSHKA MINING}}, date = {2016-01}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/848-DID-242/images/wp-mandiant-matryoshka-mining.pdf}, language = {English}, urldate = {2019-11-27} } @online{bailey:20190422:carbanak:c94c9f1, author = {Michael Bailey and James T. Bennett}, title = {{CARBANAK Week Part One: A Rare Occurrence}}, date = {2019-04-22}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html}, language = {English}, urldate = {2019-12-20} } @online{bailey:20190423:carbanak:cbe986c, author = {Michael Bailey and James T. Bennett}, title = {{CARBANAK Week Part Two: Continuing the CARBANAK Source Code Analysis}}, date = {2019-04-23}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-two-continuing-source-code-analysis.html}, language = {English}, urldate = {2019-12-20} } @online{bailey:20200407:thinking:7ee19d0, author = {Michael Bailey}, title = {{Thinking Outside the Bochs: Code Grafting to Unpack Malware in Emulation}}, date = {2020-04-07}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/04/code-grafting-to-unpack-malware-in-emulation.html}, language = {English}, urldate = {2020-05-05} } @online{baird:20170320:necurs:ee5da07, author = {Sean Baird and Edmund Brumaghin and Earl Carter and Jaeson Schultz}, title = {{Necurs Diversifies Its Portfolio}}, date = {2017-03-20}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/03/necurs-diversifies.html}, language = {English}, urldate = {2020-01-07} } @online{baker:20150318:feds:e9fe961, author = {Mike Baker}, title = {{Feds warned Premera about security flaws before breach}}, date = {2015-03-18}, organization = {Seattle Times}, url = {https://www.seattletimes.com/business/local-business/feds-warned-premera-about-security-flaws-before-breach/}, language = {English}, urldate = {2020-01-10} } @online{baker:20150504:threat:726f1f2, author = {Ben Baker and Alex Chiu}, title = {{Threat Spotlight: Rombertik – Gazing Past the Smoke, Mirrors, and Trapdoors}}, date = {2015-05-04}, organization = {Cisco Talos}, url = {http://blogs.cisco.com/security/talos/rombertik}, language = {English}, urldate = {2020-01-06} } @online{baker:20161207:floki:69ffd12, author = {Ben Baker and Edmund Brumaghin and Mariano Graziano and Jonas Zaddach}, title = {{Floki Bot Strikes, Talos and Flashpoint Respond}}, date = {2016-12-07}, organization = {Cisco Talos}, url = {http://blog.talosintel.com/2016/12/flokibot-collab.html#more}, language = {English}, urldate = {2020-01-09} } @online{baker:20180703:smoking:067be1f, author = {Ben Baker and Holger Unterbrink}, title = {{Smoking Guns - Smoke Loader learned new tricks}}, date = {2018-07-03}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html}, language = {English}, urldate = {2019-10-14} } @online{baker:20200706:wastedlocker:f33e129, author = {Ben Baker and Edmund Brumaghin and JJ Cummings and Arnaud Zobec}, title = {{WastedLocker Goes "Big-Game Hunting" in 2020}}, date = {2020-07-06}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/07/wastedlocker-emerges.html}, language = {English}, urldate = {2020-07-07} } @online{ballenthin:20200117:404:cc95f5f, author = {William Ballenthin and Josh Madeley}, title = {{404 Exploit Not Found: Vigilante Deploying Mitigation for Citrix NetScaler Vulnerability While Maintaining Backdoor}}, date = {2020-01-17}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html}, language = {English}, urldate = {2020-01-17} } @online{bambenek:20160502:osint:54b6791, author = {John Bambenek}, title = {{OSINT Feed}}, date = {2016-05-02}, organization = {John Bambenek}, url = {http://osint.bambenekconsulting.com/feeds/}, language = {English}, urldate = {2020-01-06} } @online{bambenek:20190207:inside:2a18c89, author = {John Bambenek}, title = {{An Inside Look at the Infrastructure Behind the Russian APT Gamaredon Group}}, date = {2019-02-07}, organization = {ThreatStop}, url = {https://blog.threatstop.com/russian-apt-gamaredon-group}, language = {English}, urldate = {2020-01-06} } @online{bancal:20200130:cyber:0a267d4, author = {Damien Bancal}, title = {{Cyber attaque à l’encontre des serveurs de Bouygues Construction}}, date = {2020-01-30}, organization = {ZATAZ}, url = {https://www.zataz.com/cyber-attaque-a-lencontre-des-serveurs-de-bouygues-construction/}, language = {French}, urldate = {2020-02-03} } @online{banksecurity:20190601:new:3ddfbf1, author = {Bank_Security}, title = {{New ATM Malware NVISOSPIT}}, date = {2019-06-01}, organization = {Twitter (@Bank_Security)}, url = {https://twitter.com/Bank_Security/status/1134850646413385728}, language = {English}, urldate = {2019-11-17} } @online{bao:20200707:cobalt:cf80aa8, author = {Ladislav Bačo}, title = {{Cobalt Strike stagers used by FIN6}}, date = {2020-07-07}, organization = {MWLab}, url = {https://malwarelab.eu/posts/fin6-cobalt-strike/}, language = {English}, urldate = {2020-07-11} } @online{bar:20160502:prince:7769673, author = {Tomer Bar and Simon Conant}, title = {{Prince of Persia: Infy Malware Active In Decade of Targeted Attacks}}, date = {2016-05-02}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/}, language = {English}, urldate = {2020-01-06} } @online{bar:20160502:prince:8b14d7f, author = {Tomer Bar and Simon Conant}, title = {{Prince of Persia: Infy Malware Active In Decade of Targeted Attacks}}, date = {2016-05-02}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/}, language = {English}, urldate = {2019-12-20} } @online{bar:20160502:prince:cfd5940, author = {Tomer Bar and Simon Conant}, title = {{Prince of Persia: Infy Malware Active In Decade of Targeted Attacks}}, date = {2016-05-02}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/}, language = {English}, urldate = {2020-04-06} } @online{bar:20160628:prince:b1d2cdd, author = {Tomer Bar and Lior Efraim and Simon Conant}, title = {{Prince of Persia – Game Over}}, date = {2016-06-28}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/}, language = {English}, urldate = {2019-10-28} } @online{bar:20170405:targeted:49e76a6, author = {Tomer Bar and Tom Lancaster}, title = {{Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA}}, date = {2017-04-05}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/}, language = {English}, urldate = {2019-12-10} } @online{bar:20170405:targeted:feb4b54, author = {Tomer Bar and Tom Lancaster}, title = {{Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA}}, date = {2017-04-05}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/}, language = {English}, urldate = {2019-12-20} } @online{bar:20170801:prince:db6038a, author = {Tomer Bar and Simon Conant}, title = {{Prince of Persia – Ride the Lightning: Infy returns as “Foudre”}}, date = {2017-08-01}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/}, language = {English}, urldate = {2019-12-20} } @online{bar:20170801:prince:e7d5542, author = {Tomer Bar and Simon Conant}, title = {{Prince of Persia – Ride the Lightning: Infy returns as “Foudre”}}, date = {2017-08-01}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-prince-persia-ride-lightning-infy-returns-foudre/}, language = {English}, urldate = {2020-01-08} } @online{barabosch:20200203:dissecting:c1a6bca, author = {Thomas Barabosch}, title = {{Dissecting Emotet – Part 1}}, date = {2020-02-03}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/cybersecurity-dissecting-emotet-part-one-592612}, language = {English}, urldate = {2020-02-07} } @online{barabosch:20200306:dissecting:809bc54, author = {Thomas Barabosch}, title = {{Dissecting Emotet - Part 2}}, date = {2020-03-06}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/cybersecurity-dissecting-emotet-part-two-596128}, language = {English}, urldate = {2020-03-09} } @online{barabosch:20200326:ta505s:24d9805, author = {Thomas Barabosch}, title = {{TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer}}, date = {2020-03-26}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672}, language = {English}, urldate = {2020-03-27} } @online{barabosch:20200514:lolsnif:c7a2736, author = {Thomas Barabosch}, title = {{LOLSnif – Tracking Another Ursnif-Based Targeted Campaign}}, date = {2020-05-14}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/lolsnif-tracking-another-ursnif-based-targeted-campaign-600062}, language = {English}, urldate = {2020-05-14} } @online{barabosch:20200616:ta505:619f2c6, author = {Thomas Barabosch}, title = {{TA505 returns with a new bag of tricks}}, date = {2020-06-16}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104}, language = {English}, urldate = {2020-06-18} } @online{baranov:20161003:remsec:3877dab, author = {Artem Baranov}, title = {{Remsec driver analysis}}, date = {2016-10-03}, url = {https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis.html}, language = {English}, urldate = {2020-03-28} } @online{baranov:20161010:remsec:9ed5754, author = {Artem Baranov}, title = {{Remsec driver analysis - Part 2}}, date = {2016-10-10}, url = {https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis-part-2.html}, language = {English}, urldate = {2020-03-28} } @online{baranov:20161011:remsec:02eae63, author = {Artem Baranov}, title = {{Remsec driver analysis - Part 3}}, date = {2016-10-11}, url = {https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis-part-3.html}, language = {English}, urldate = {2020-03-28} } @online{baranov:20170113:finfisher:436b89e, author = {Artem Baranov}, title = {{Finfisher rootkit analysis}}, date = {2017-01-13}, url = {https://artemonsecurity.blogspot.de/2017/01/finfisher-rootkit-analysis.html}, language = {English}, urldate = {2019-11-26} } @online{baranov:20170330:equationdrug:7255a48, author = {Artem Baranov}, title = {{EquationDrug rootkit analysis (mstcp32.sys)}}, date = {2017-03-30}, url = {http://artemonsecurity.blogspot.com/2017/03/equationdrug-rootkit-analysis-mstcp32sys.html}, language = {English}, urldate = {2020-01-07} } @online{baranov:20170413:stuxnet:c221f57, author = {Artem Baranov}, title = {{Stuxnet drivers: detailed analysis}}, date = {2017-04-13}, organization = {A blog about rootkits research and the Windows kernel}, url = {http://artemonsecurity.blogspot.de/2017/04/stuxnet-drivers-detailed-analysis.html}, language = {English}, urldate = {2020-01-08} } @online{barboza:20181229:malware:d5d8d0d, author = {Tony Barboza and Meg James and Emily Alpert Reyes}, title = {{Malware attack disrupts delivery of L.A. Times and Tribune papers across the U.S.}}, date = {2018-12-29}, organization = {Los Angeles Times}, url = {https://www.latimes.com/local/lanow/la-me-ln-times-delivery-disruption-20181229-story.html}, language = {English}, urldate = {2020-01-10} } @online{barc:20180619:backswap:f0869a4, author = {Hubert Barc}, title = {{Backswap malware analysis}}, date = {2018-06-19}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/backswap-malware-analysis/}, language = {English}, urldate = {2019-12-10} } @online{barrett:20091029:twoheaded:0032db0, author = {Larry Barrett}, title = {{Two-Headed Trojan Targets Online Banks}}, date = {2009-10-29}, organization = {InternetNews}, url = {http://www.internetnews.com/security/article.php/3846186/TwoHeaded+Trojan+Targets+Online+Banks.htm}, language = {English}, urldate = {2020-01-08} } @online{bartblaze:20141110:thoughts:d7d0d68, author = {BartBlaze}, title = {{Thoughts on Absolute Computrace}}, date = {2014-11-10}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.de/2014/11/thoughts-on-absolute-computrace.html}, language = {English}, urldate = {2019-11-26} } @online{bartblaze:20150303:c99shell:a7f3a5b, author = {BartBlaze}, title = {{C99Shell not dead}}, date = {2015-03-03}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2015/03/c99shell-not-dead.html}, language = {English}, urldate = {2020-01-13} } @online{bartblaze:20150925:notes:79b37fe, author = {BartBlaze}, title = {{Notes on Linux/Xor.DDoS}}, date = {2015-09-25}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2015/09/notes-on-linuxxorddos.html}, language = {English}, urldate = {2020-01-08} } @online{bartblaze:20160726:otx:b95458e, author = {BartBlaze}, title = {{OTX Pulse on R980 ransomware}}, date = {2016-07-26}, organization = {AlienVault}, url = {https://otx.alienvault.com/pulse/57976b52b900fe01376feb01/}, language = {English}, urldate = {2020-01-13} } @online{bartblaze:20170824:crystal:16adb4a, author = {BartBlaze}, title = {{Crystal Finance Millennium used to spread malware}}, date = {2017-08-24}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html}, language = {English}, urldate = {2020-02-01} } @online{bartblaze:20171203:notes:53a752f, author = {BartBlaze}, title = {{Notes on Linux/BillGates}}, date = {2017-12-03}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2017/12/notes-on-linuxbillgates.html}, language = {English}, urldate = {2020-01-13} } @online{bartblaze:20180320:unlock92:863a267, author = {BartBlaze}, title = {{Tweet on Unlock92 Ransomware}}, date = {2018-03-20}, organization = {Twitter (@bartblaze)}, url = {https://twitter.com/bartblaze/status/976188821078462465}, language = {English}, urldate = {2020-01-07} } @online{bartblaze:20180410:maktub:e67ade0, author = {BartBlaze}, title = {{Maktub ransomware: possibly rebranded as Iron}}, date = {2018-04-10}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.de/2018/04/maktub-ransomware-possibly-rebranded-as.html}, language = {English}, urldate = {2019-07-10} } @online{bartblaze:20180415:this:1eaf3ba, author = {BartBlaze}, title = {{This is Spartacus: new ransomware on the block}}, date = {2018-04-15}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2018/04/this-is-spartacus-new-ransomware-on.html}, language = {English}, urldate = {2020-01-22} } @online{bartblaze:20180422:satan:04f63e8, author = {BartBlaze}, title = {{Satan ransomware adds EternalBlue exploit}}, date = {2018-04-22}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2018/04/satan-ransomware-adds-eternalblue.html}, language = {English}, urldate = {2020-01-10} } @online{bartblaze:20200114:satan:4d45ea5, author = {BartBlaze}, title = {{Satan ransomware rebrands as 5ss5c ransomware}}, date = {2020-01-14}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2020/01/satan-ransomware-rebrands-as-5ss5c.html}, language = {English}, urldate = {2020-01-17} } @techreport{bartholomew:20160907:wave:96e9f50, author = {Brian Bartholomew and Juan Andrés Guerrero-Saade}, title = {{Wave Your False Flags! Deception Tactics Muddying Attribution in Targeted Attacks}}, date = {2016-09-07}, institution = {Virus Bulletin}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf}, language = {English}, urldate = {2020-03-13} } @online{bartholomew:20170202:kopiluwak:d5c0245, author = {Brian Bartholomew}, title = {{KopiLuwak: A New JavaScript Payload from Turla}}, date = {2017-02-02}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/}, language = {English}, urldate = {2019-12-20} } @online{bartholomew:20191105:dadjoke:81e2a63, author = {Brian Bartholomew}, title = {{DADJOKE}}, date = {2019-11-05}, url = {https://prezi.com/view/jGyAzyy5dTOkDrtwsJi5/}, language = {English}, urldate = {2020-01-07} } @online{bartholomew:20200103:nice:ddc5c57, author = {Brian Bartholomew}, title = {{Nice One, Dad: Dissecting A Rare Malware Used By Leviathan}}, date = {2020-01-03}, organization = {Youtube (BSides Belfast)}, url = {https://www.youtube.com/watch?v=vx9IB88wXSE}, language = {English}, urldate = {2020-01-13} } @online{bary:20200115:analyzing:02aabc4, author = {Guy Bary}, title = {{Analyzing Magecart Malware – From Zero to Hero}}, date = {2020-01-15}, organization = {PerimeterX}, url = {https://www.perimeterx.com/blog/analyzing_magecart_malware_from_zero_to_hero/}, language = {English}, urldate = {2020-01-17} } @online{bashis:20170306:0day:e03d5c7, author = {bashis}, title = {{0-Day: Dahua backdoor Generation 2 and 3}}, date = {2017-03-06}, url = {http://seclists.org/fulldisclosure/2017/Mar/7}, language = {English}, urldate = {2019-12-18} } @online{baskin:20200603:medusa:8d92754, author = {Brian Baskin}, title = {{Medusa Locker Ransomware}}, date = {2020-06-03}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/06/03/tau-threat-analyis-medusa-locker-ransomware/}, language = {English}, urldate = {2020-06-04} } @online{baskin:20200708:tau:4b05a00, author = {Brian Baskin}, title = {{TAU Threat Discovery: Conti Ransomware}}, date = {2020-07-08}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/}, language = {English}, urldate = {2020-07-08} } @online{bassat:20170807:new:d776333, author = {Omri Ben Bassat}, title = {{New Variants of Agent.BTZ/ComRAT Found: The Threat That Hit The Pentagon In 2008 Still Evolving; Part 1/2}}, date = {2017-08-07}, organization = {Intezer}, url = {http://www.intezer.com/new-variants-of-agent-btz-comrat-found/}, language = {English}, urldate = {2019-12-17} } @online{bassat:20170913:new:376f00f, author = {Omri Ben Bassat}, title = {{New Variants of Agent.BTZ/ComRAT Found: The Threat That Hit The Pentagon In 2008 Still Evolving; Part 2/2}}, date = {2017-09-13}, organization = {Intezer}, url = {http://www.intezer.com/new-variants-of-agent-btz-comrat-found-part-2/}, language = {English}, urldate = {2019-12-24} } @online{bassat:20180529:iron:5943a09, author = {Omri Ben Bassat}, title = {{Iron Cybercrime Group Under The Scope}}, date = {2018-05-29}, organization = {Intezer}, url = {https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/}, language = {English}, urldate = {2019-12-05} } @techreport{bataille:201810:hunting:c5ffe40, author = {Adrian Bataille and Matias Bevilacqua}, title = {{Hunting for PLATINUM}}, date = {2018-10}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s01-hunting-for-platinum.pdf}, language = {English}, urldate = {2020-01-07} } @online{batsec:20200811:defending:7710531, author = {batsec}, title = {{Defending Your Malware}}, date = {2020-08-11}, organization = {Dylan Codes Blog}, url = {https://blog.dylan.codes/defending-your-malware/}, language = {English}, urldate = {2020-08-12} } @online{baumgartner:20141103:be2:ea8544a, author = {Kurt Baumgartner and Maria Garnaeva}, title = {{BE2 custom plugins, router abuse, and target profiles}}, date = {2014-11-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/}, language = {English}, urldate = {2019-12-20} } @online{baumgartner:20141208:penquin:afd9ae5, author = {Kurt Baumgartner and Costin Raiu}, title = {{The ‘Penquin’ Turla}}, date = {2014-12-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/67962/the-penquin-turla-2/}, language = {English}, urldate = {2019-12-20} } @online{baumgartner:20150217:be2:f7ce288, author = {Kurt Baumgartner and Maria Garnaeva}, title = {{BE2 extraordinary plugins, Siemens targeting, dev fails}}, date = {2015-02-17}, organization = {Kaspersky Labs}, url = {https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/}, language = {English}, urldate = {2019-12-20} } @online{baumgartner:20150304:whos:0b8331c, author = {Kurt Baumgartner and Juan Andrés Guerrero-Saade}, title = {{Who’s Really Spreading through the Bright Star?}}, date = {2015-03-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/whos-really-spreading-through-the-bright-star/68978/}, language = {English}, urldate = {2019-12-20} } @online{baumgartner:20150331:sinkholing:7a359b4, author = {Kurt Baumgartner and Costin Raiu}, title = {{Sinkholing Volatile Cedar DGA Infrastructure}}, date = {2015-03-31}, organization = {Kaspersky Labs}, url = {https://securelist.com/sinkholing-volatile-cedar-dga-infrastructure/69421/}, language = {English}, urldate = {2019-12-20} } @online{baumgartner:20150514:naikon:9edea2f, author = {Kurt Baumgartner and Maxim Golovkin}, title = {{The Naikon APT}}, date = {2015-05-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/analysis/publications/69953/the-naikon-apt/}, language = {English}, urldate = {2019-12-20} } @techreport{baumgartner:20150529:msnmm:3d6b500, author = {Kurt Baumgartner and Maxim Golovkin}, title = {{THE MsnMM CAMPAIGNS: The Earliest Naikon APT Campaigns}}, date = {2015-05-29}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf}, language = {English}, urldate = {2020-01-09} } @techreport{baumgartner:201505:msnmm:13a9145, author = {Kurt Baumgartner and Maxim Golovkin}, title = {{The MsnMM Campaigns - The Earliest Naikon APTCampaigns}}, date = {2015-05}, institution = {Kaspersky Labs}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf}, language = {English}, urldate = {2019-07-11} } @online{baumgartner:20150617:spring:dc116aa, author = {Kurt Baumgartner}, title = {{The Spring Dragon APT}}, date = {2015-06-17}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/70726/the-spring-dragon-apt/}, language = {English}, urldate = {2019-12-20} } @online{baumgartner:20161003:strongpity:d4a8c09, author = {Kurt Baumgartner}, title = {{On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users}}, date = {2016-10-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/}, language = {English}, urldate = {2019-12-20} } @online{baumgartner:20161006:strongpity:898bc2b, author = {Kurt Baumgartner}, title = {{On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users}}, date = {2016-10-06}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users}, language = {English}, urldate = {2020-01-09} } @online{bautista:20190110:pylocky:92bf2fc, author = {Mike Bautista}, title = {{Pylocky Unlocked: Cisco Talos releases PyLocky ransomware decryptor}}, date = {2019-01-10}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/01/pylocky-unlocked-cisco-talos-releases.html}, language = {English}, urldate = {2019-10-15} } @online{baz:20170228:dridexs:f72a5ec, author = {Magal Baz and Or Safran}, title = {{Dridex’s Cold War: Enter AtomBombing}}, date = {2017-02-28}, organization = {Security Intelligence}, url = {https://securityintelligence.com/dridexs-cold-war-enter-atombombing/}, language = {English}, urldate = {2019-12-16} } @online{bazally:20161227:pegasus:9fd5170, author = {Max Bazally}, title = {{Pegasus internals: Technical Teardown of the Pegasus malware and Trident exploit chain}}, date = {2016-12-27}, organization = {CCC}, url = {https://media.ccc.de/v/33c3-7901-pegasus_internals}, language = {English}, urldate = {2020-01-08} } @online{beaumont:20190321:how:ecfbbf1, author = {Kevin Beaumont}, title = {{How Lockergoga took down Hydro — ransomware used in targeted attacks aimed at big business}}, date = {2019-03-21}, organization = {DoublePulsar}, url = {https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880}, language = {English}, urldate = {2019-11-29} } @online{beckman:20171208:gratefulpos:0ba1053, author = {Kent Beckman}, title = {{GratefulPOS credit card stealing malware - just in time for the shopping season}}, date = {2017-12-08}, organization = {RSA}, url = {https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season}, language = {English}, urldate = {2020-01-08} } @online{beer:20190829:implant:f25a696, author = {Ian Beer and Project Zero}, title = {{Implant Teardown}}, date = {2019-08-29}, organization = {Google}, url = {https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html}, language = {English}, urldate = {2020-01-06} } @online{bekerman:20170329:new:e4007ca, author = {Dima Bekerman}, title = {{New Mirai Variant Launches 54 Hour DDoS Attack against US College}}, date = {2017-03-29}, organization = {Imperva}, url = {https://www.incapsula.com/blog/new-mirai-variant-ddos-us-college.html}, language = {English}, urldate = {2020-01-05} } @online{bencsath:20170103:technical:1c2e81e, author = {Boldizsar Bencsath}, title = {{Technical details on the Fancy Bear Android malware (poprd30.apk)}}, date = {2017-01-03}, organization = {CrySyS Lab}, url = {http://blog.crysys.hu/2017/01/technical-details-on-the-fancy-bear-android-malware-poprd30-apk/}, language = {English}, urldate = {2020-01-09} } @online{bencsath:20170302:update:0e03ee6, author = {Boldizsar Bencsath}, title = {{Update on the Fancy Bear Android malware (poprd30.apk)}}, date = {2017-03-02}, organization = {Laboratory of Cryptography and System Security}, url = {http://blog.crysys.hu/2017/03/update-on-the-fancy-bear-android-malware-poprd30-apk/}, language = {English}, urldate = {2019-10-13} } @techreport{bencsath:201803:territorial:04343bb, author = {Boldizsar Bencsath}, title = {{Territorial Dispute – NSA’s perspective on APT landscape}}, date = {2018-03}, institution = {CrySyS Lab}, url = {https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf}, language = {English}, urldate = {2020-05-07} } @online{benge:20190502:qakbot:8c34660, author = {Ashlee Benge and Nick Randolph}, title = {{Qakbot levels up with new obfuscation techniques}}, date = {2019-05-02}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/05/qakbot-levels-up-with-new-obfuscation.html}, language = {English}, urldate = {2019-10-14} } @online{benkow:20140820:command:ec27583, author = {Benkow}, title = {{Command Line Confusion}}, date = {2014-08-20}, organization = {ThisIsSecurity}, url = {https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/}, language = {English}, urldate = {2020-01-07} } @online{bennett:20130213:number:c947ab9, author = {James T. Bennett}, title = {{The Number of the Beast}}, date = {2013-02-13}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/02/the-number-of-the-beast.html}, language = {English}, urldate = {2020-04-24} } @online{bennett:20130228:its:1534b7e, author = {James T. Bennett}, title = {{It's a Kind of Magic}}, date = {2013-02-28}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/02/its-a-kind-of-magic-1.html}, language = {English}, urldate = {2020-04-24} } @online{bennett:20190424:carbanak:2376f75, author = {James T. Bennett and Michael Bailey}, title = {{CARBANAK Week Part Three: Behind the CARBANAK Backdoor}}, date = {2019-04-24}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-three-behind-the-backdoor.html}, language = {English}, urldate = {2019-12-20} } @online{bennett:20190425:carbanak:be237af, author = {James T. Bennett and Michael Bailey}, title = {{CARBANAK Week Part Four: The CARBANAK Desktop Video Player}}, date = {2019-04-25}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-four-desktop-video-player.html}, language = {English}, urldate = {2019-12-20} } @online{berchem:20170810:weltweite:5df6bfa, author = {Tom Berchem}, title = {{Weltweite Spamwelle verbreitet teuflische Variante des Locky}}, date = {2017-08-10}, organization = {botfrei Blog}, url = {https://blog.botfrei.de/2017/08/weltweite-spamwelle-verbreitet-teufliche-variante-des-locky/}, language = {German}, urldate = {2019-12-10} } @online{berdnikov:20170925:simple:62b80bb, author = {Vasily Berdnikov and Dmitry Karasovsky and Alexey Shulmin}, title = {{A simple example of a complex cyberattack}}, date = {2017-09-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/}, language = {English}, urldate = {2019-12-20} } @techreport{berdnikov:20171125:microcin:69e0ae0, author = {Vasily Berdnikov and Dmitry Karasovsky and Alexey Shulmin}, title = {{MICROCIN MALWARE: TECHNICAL DETAILS AND INDICATORS OF COMPROMISE}}, date = {2017-11-25}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf}, language = {English}, urldate = {2020-04-06} } @online{berdnikov:20190313:fourth:98b1131, author = {Vasily Berdnikov and Boris Larin}, title = {{The fourth horseman: CVE-2019-0797 vulnerability}}, date = {2019-03-13}, organization = {Kaspersky Labs}, url = {https://securelist.com/cve-2019-0797-zero-day-vulnerability/89885/}, language = {English}, urldate = {2019-12-20} } @online{bergbom:20180206:danderspritzpeddlecheap:b09bc8f, author = {John Bergbom}, title = {{DanderSpritz/PeddleCheap traffic analysis (Part 1 of 2)}}, date = {2018-02-06}, organization = {Forcepoint}, url = {https://www.forcepoint.com/fr/blog/security-labs/new-whitepaper-danderspritzpeddlecheap-traffic-analysis-part-1-2#}, language = {English}, urldate = {2020-05-07} } @online{bergin:20160520:special:46b3cc4, author = {Tom Bergin and Nathan Layne}, title = {{Special Report: Cyber thieves exploit banks' faith in SWIFT transfer network}}, date = {2016-05-20}, organization = {Reuters}, url = {https://www.reuters.com/article/us-cyber-heist-swift-specialreport-idUSKCN0YB0DD}, language = {English}, urldate = {2019-12-17} } @online{bermejo:20170622:following:7126b3b, author = {Lenart Bermejo and Razor Huang and CH Lei}, title = {{Following the Trail of BlackTech’s Cyber Espionage Campaigns}}, date = {2017-06-22}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/}, language = {English}, urldate = {2019-12-24} } @techreport{bermejo:201706:following:61e6dae, author = {Lenart Bermejo and Razor Huang and CH Lei}, title = {{Following the Trail of BlackTech’s Cyber Espionage Campaigns}}, date = {2017-06}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/appendix-following-the-trail-of-blacktechs-cyber-espionage-campaigns.pdf}, language = {English}, urldate = {2020-01-07} } @online{bermejo:20170717:android:593475f, author = {Lenart Bermejo and Jordan Pan and Cedric Pernet}, title = {{Android Backdoor GhostCtrl can Silently Record Your Audio, Video, and More}}, date = {2017-07-17}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/android-backdoor-ghostctrl-can-silently-record-your-audio-video-and-more/}, language = {English}, urldate = {2020-01-13} } @online{bermejo:20170807:backdoorcarrying:317ebe3, author = {Lenart Bermejo and Ronnie Giagone and Rubio Wu and Fyodor Yarochkin}, title = {{Backdoor-carrying Emails Set Sights on Russian-speaking Businesses}}, date = {2017-08-07}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/}, language = {English}, urldate = {2020-01-09} } @online{bermejo:20181120:lazarus:1d8d3b3, author = {Lenart Bermejo and Joelson Soares}, title = {{Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America}}, date = {2018-11-20}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/}, language = {English}, urldate = {2020-01-06} } @online{berninger:20200528:masked:44cad71, author = {Matthew Berninger}, title = {{The Masked SYNger: Investigating a Traffic Phenomenon}}, date = {2020-05-28}, organization = {Rapid7 Labs}, url = {https://blog.rapid7.com/2020/05/28/the-masked-synger-investigating-a-traffic-phenomenon/}, language = {English}, urldate = {2020-05-29} } @online{best:20150912:stuxnet:c9b43da, author = {Emma Best}, title = {{Stuxnet code}}, date = {2015-09-12}, organization = {Archive-org}, url = {https://archive.org/details/Stuxnet}, language = {English}, urldate = {2020-01-09} } @online{beukema:20200622:hijacking:b46d971, author = {Wietze Beukema}, title = {{Hijacking DLLs in Windows}}, date = {2020-06-22}, organization = {wietzebeukema.nl}, url = {https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows}, language = {English}, urldate = {2020-06-24} } @online{beuth:20200617:die:4272009, author = {Patrick Beuth}, title = {{Die erste Cyberwaffe und ihre Folgen}}, date = {2020-06-17}, organization = {Der Spiegel}, url = {https://www.spiegel.de/netzwelt/web/die-erste-cyberwaffe-und-ihre-folgen-a-a0ed08c9-5080-4ac2-8518-ed69347dc147}, language = {German}, urldate = {2020-06-18} } @online{bhat:20160201:tracking:f5fa1f1, author = {Raashid Bhat}, title = {{Tracking the footprints of PushDo Trojan}}, date = {2016-02-01}, organization = {Blueliv}, url = {https://www.blueliv.com/research/tracking-the-footproints-of-pushdo-trojan/}, language = {English}, urldate = {2019-11-20} } @online{bhat:20170222:dissecting:8124914, author = {Raashid Bhat}, title = {{Dissecting the Qadars Banking Trojan}}, date = {2017-02-22}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/dissecting-the-qadars-banking-trojan}, language = {English}, urldate = {2019-12-20} } @online{bhat:20180906:dissecting:8c82fb5, author = {Raashid Bhat}, title = {{Dissecting DEloader malware with obfuscation}}, date = {2018-09-06}, organization = {int 0xcc blog}, url = {https://int0xcc.svbtle.com/dissecting-obfuscated-deloader-malware}, language = {English}, urldate = {2020-01-06} } @online{bhat:20180918:taste:e7dd98d, author = {Raashid Bhat}, title = {{A taste of our own medicine: How SmokeLoader is deceiving configuration extraction by using binary code as bait}}, date = {2018-09-18}, organization = {int 0xcc blog}, url = {https://int0xcc.svbtle.com/a-taste-of-our-own-medicine-how-smokeloader-is-deceiving-dynamic-configuration-extraction-by-using-binary-code-as-bait}, language = {English}, urldate = {2020-01-10} } @online{bhat:20190422:dissecting:ffba987, author = {Raashid Bhat}, title = {{Dissecting Emotet’s network communication protocol}}, date = {2019-04-22}, organization = {int 0xcc blog}, url = {https://int0xcc.svbtle.com/dissecting-emotet-s-network-communication-protocol}, language = {English}, urldate = {2020-01-06} } @online{bhat:20190730:practical:d049779, author = {Raashid Bhat}, title = {{Practical Threat Hunting and Incidence Response : A Case of A Pony Malware Infection}}, date = {2019-07-30}, organization = {int 0xcc blog}, url = {https://int0xcc.svbtle.com/practical-threat-hunting-and-incidence-response-a-case-of-a-pony-malware-infection}, language = {English}, urldate = {2020-01-08} } @online{bhat:20200311:emotet:c178008, author = {Raashid Bhat}, title = {{Tweet on Emotet Deobfuscation with Video}}, date = {2020-03-11}, organization = {Twitter (@raashidbhatt)}, url = {https://twitter.com/raashidbhatt/status/1237853549200936960}, language = {English}, urldate = {2020-03-13} } @online{bhat:20200331:emotet:50264e0, author = {Raashid Bhat}, title = {{Emotet Binary Deobfuscation | Coconut Paradise | Episode 1}}, date = {2020-03-31}, organization = {Youtube (Infosec Alpha)}, url = {https://www.youtube.com/watch?v=_mGMJFNJWSk}, language = {English}, urldate = {2020-04-23} } @online{bhat:20200422:flattenthecurve:0bdf5a3, author = {Raashid Bhat}, title = {{FlattenTheCurve - Emotet Control Flow Unflattening | Episode 2}}, date = {2020-04-22}, organization = {Youtube (Infosec Alpha)}, url = {https://www.youtube.com/watch?v=8PHCZdpNKrw}, language = {English}, urldate = {2020-04-23} } @online{biasini:20171024:threat:7bd8515, author = {Nick Biasini}, title = {{Threat Spotlight: Follow the Bad Rabbit}}, date = {2017-10-24}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/10/bad-rabbit.html}, language = {English}, urldate = {2019-12-10} } @online{biasini:20180509:gandcrab:50296a6, author = {Nick Biasini and Nick Lister and Christopher Marczewski}, title = {{Gandcrab Ransomware Walks its Way onto Compromised Sites}}, date = {2018-05-09}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html}, language = {English}, urldate = {2019-10-21} } @online{biasini:20190220:combing:bdc059c, author = {Nick Biasini and Edmund Brumaghin and Matthew Molyett}, title = {{Combing Through Brushaloader Amid Massive Detection Uptick}}, date = {2019-02-20}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/02/combing-through-brushaloader.html}, language = {English}, urldate = {2019-11-29} } @online{biasini:20190425:jasperloader:ebe50ca, author = {Nick Biasini and Edmund Brumaghin and Andrew Williams}, title = {{JasperLoader Emerges, Targets Italy with Gootkit Banking Trojan}}, date = {2019-04-25}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2019/04/jasperloader-targets-italy.html}, language = {English}, urldate = {2020-01-09} } @online{biasini:20190523:sorpresa:e7cbd9d, author = {Nick Biasini and Edmund Brumaghin}, title = {{Sorpresa! JasperLoader targets Italy with a new bag of tricks}}, date = {2019-05-23}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/05/sorpresa-jasperloader.html}, language = {English}, urldate = {2020-01-06} } @online{biasini:20200213:threat:443d687, author = {Nick Biasini and Edmund Brumaghin}, title = {{Threat actors attempt to capitalize on coronavirus outbreak}}, date = {2020-02-13}, organization = {Talos}, url = {https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html}, language = {English}, urldate = {2020-03-19} } @online{biasini:20200511:astaroth:f325070, author = {Nick Biasini and Edmund Brumaghin and Nick Lister}, title = {{Astaroth - Maze of obfuscation and evasion reveals dark stealer}}, date = {2020-05-11}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/05/astaroth-analysis.html}, language = {English}, urldate = {2020-05-11} } @techreport{bilodeau:201403:operation:40b7f42, author = {Olivier Bilodeau and Pierre-Marc Bureau and Joan Calvet and Alexis Dorais-Joncas and Marc-Etienne M.Léveillé and Benjamin Vanheuverzwijn}, title = {{OPERATION WINDIGO}}, date = {2014-03}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf}, language = {English}, urldate = {2020-01-08} } @online{bing:20170418:shadow:f8c81a6, author = {Chris Bing}, title = {{Shadow Brokers leaks show U.S. spies successfully hacked Russian, Iranian targets}}, date = {2017-04-18}, organization = {CyberScoop}, url = {https://www.cyberscoop.com/nsa-shadow-brokers-leaks-iran-russia-optimusprime-stoicsurgeon/}, language = {English}, urldate = {2020-01-12} } @online{bing:20180320:kasperskys:9cf65c1, author = {Chris Bing and Patrick Howell O'Neill}, title = {{Kaspersky's 'Slingshot' report burned an ISIS-focused intelligence operation}}, date = {2018-03-20}, organization = {CyberScoop}, url = {https://www.cyberscoop.com/kaspersky-slingshot-isis-operation-socom-five-eyes/}, language = {English}, urldate = {2019-07-11} } @techreport{biradar:20150120:reversing:8a25caf, author = {Basavaraj K. Biradar}, title = {{Reversing the Inception APT malware}}, date = {2015-01-20}, institution = {Blue Coat}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Inception_APT_Analysis_Bluecoat.pdf}, language = {English}, urldate = {2020-04-21} } @online{bishopfox:20190117:sliver:915fc7e, author = {BishopFox}, title = {{Sliver Implant Framework}}, date = {2019-01-17}, organization = {Github (BishopFox)}, url = {https://github.com/BishopFox/sliver}, language = {English}, urldate = {2020-01-07} } @techreport{bissell:2018:latest:1c1fba4, author = {Kelly Bissell and Joshua Ray and Uwe Kissman and Ryan LaSalle and Gareth Russell}, title = {{LATEST CYBER ESPIONAGE MALWARE ATTACKS}}, date = {2018}, institution = {Accenture Security}, url = {https://www.accenture.com/t00010101T000000Z__w__/gb-en/_acnmedia/PDF-46/Accenture-Security-Elise-Threat-Analysis.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{bitdefender:20151217:apt28:fca586f, author = {Bitdefender}, title = {{APT28 Under the Scope: A Journey into Exfiltrating Intelligence and Government Information}}, date = {2015-12-17}, institution = {Bitdefender}, url = {https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf}, language = {English}, urldate = {2020-01-09} } @techreport{bitdefender:20160630:pacifier:2b7078c, author = {Bitdefender}, title = {{Pacifier APT}}, date = {2016-06-30}, institution = {Bitdefender}, url = {http://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf}, language = {English}, urldate = {2020-01-13} } @techreport{bitdefender:20160630:pacifier:642af11, author = {Bitdefender}, title = {{Pacifier APT}}, date = {2016-06-30}, institution = {Bitdefender}, url = {https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{bitdefender:20160630:pacifier:cbcb081, author = {Bitdefender}, title = {{Pacifier APT}}, date = {2016-06-30}, institution = {Bitdefender}, url = {https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender-Whitepaper-PAC-A4-en_EN1.pdf}, language = {English}, urldate = {2020-01-09} } @techreport{bitdefender:20170221:dissecting:eec4e1f, author = {Bitdefender}, title = {{Dissecting the APT28 Mac OS X Payload}}, date = {2017-02-21}, institution = {Bitdefender}, url = {https://download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf}, language = {English}, urldate = {2020-01-10} } @techreport{bitdefender:20190604:blueprint:ce0583c, author = {Bitdefender}, title = {{An APT Blueprint: Gaining New Visibility into Financial Threats}}, date = {2019-06-04}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf}, language = {English}, urldate = {2019-12-18} } @techreport{bitdefender:20191029:close:30321a7, author = {Bitdefender}, title = {{A close look at Fallout Exploit Kit and Raccoon Stealer}}, date = {2019-10-29}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/289/Bitdefender-WhitePaper-Fallout.pdf}, language = {English}, urldate = {2020-01-09} } @online{bitensky:20170518:uiwix:4cc9aa8, author = {Gal Bitensky}, title = {{UIWIX – Evasive Ransomware Exploiting ETERNALBLUE}}, date = {2017-05-18}, organization = {Minerva}, url = {https://www.minerva-labs.com/post/uiwix-evasive-ransomware-exploiting-eternalblue}, language = {English}, urldate = {2020-01-08} } @online{bitensky:20180517:analyzing:c25d2ac, author = {Gal Bitensky}, title = {{Analyzing an AZORult Attack – Evasion in a Cloak of Multiple Layers}}, date = {2018-05-17}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/puffstealer-evasion-in-a-cloak-of-multiple-layers}, language = {English}, urldate = {2019-10-14} } @online{bizeul:20140711:eye:3cb48c1, author = {David Bizeul and Ivan Fontarensky and Ronan Mouchoux and Fabien Perigaud and Cedric Pernet}, title = {{The Eye of the Tiger}}, date = {2014-07-11}, organization = {Airbus}, url = {http://blog.airbuscybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2}, language = {English}, urldate = {2019-11-25} } @online{bizeul:20140711:eye:bdaf0a0, author = {David Bizeul and Ivan Fontarensky and Ronan Mouchoux and Fabien Perigaud and Cedric Pernet}, title = {{The Eye of the Tiger}}, date = {2014-07-11}, organization = {Airbus}, url = {http://blog.cassidiancybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2}, language = {English}, urldate = {2019-11-29} } @online{bkmsft:20190724:apt17:8b88bcb, author = {Ben K (bkMSFT)}, title = {{Tweet on APT17}}, date = {2019-07-24}, organization = {Twitter (@bkMSFT)}, url = {https://twitter.com/bkMSFT/status/1153994428949749761}, language = {English}, urldate = {2020-01-07} } @online{bkmsft:20191203:zirconium:c025731, author = {Ben K (bkMSFT)}, title = {{Tweet on ZIRCONIUM alias for APT31}}, date = {2019-12-03}, organization = {Twitter (@bkMSFT)}, url = {https://twitter.com/bkMSFT/status/1201876664667582466}, language = {English}, urldate = {2020-06-16} } @online{black:20180703:iranian:2e94ec4, author = {Samantha Black}, title = {{Iranian APT Charming Kitten impersonates ClearSky, the security firm that uncovered its campaigns}}, date = {2018-07-03}, organization = {Cyware}, url = {https://cyware.com/news/iranian-apt-charming-kitten-impersonates-clearsky-the-security-firm-that-uncovered-its-campaigns-7fea0b4f}, language = {English}, urldate = {2020-01-08} } @online{blackhacker511:20190104:github:e7e5d16, author = {BlackHacker511}, title = {{Github Repository: BlackNET}}, date = {2019-01-04}, organization = {Github (BlackHacker511)}, url = {https://github.com/FarisCode511/BlackNET/}, language = {English}, urldate = {2020-07-13} } @online{blackhacker511:20191123:blackworm:9cf1955, author = {BlackHacker511}, title = {{BlackWorm v6.0 Black Ninja}}, date = {2019-11-23}, organization = {Github (BlackHacker511)}, url = {https://github.com/BlackHacker511/BlackWorm}, language = {English}, urldate = {2020-01-13} } @techreport{blackorbird:20191205:apt32:0afe4e7, author = {blackorbird}, title = {{APT32 Report}}, date = {2019-12-05}, institution = {Github (blackorbird)}, url = {https://github.com/blackorbird/APT_REPORT/blob/master/Oceanlotus/apt32_report_2019.pdf}, language = {Japanese}, urldate = {2020-01-10} } @online{blackorbird:20200408:wannaren:8da1d44, author = {blackorbird}, title = {{Tweet on WannaRen}}, date = {2020-04-08}, organization = {Twitter (@blackorbird)}, url = {https://twitter.com/blackorbird/status/1247834024711577601}, language = {English}, urldate = {2020-05-05} } @techreport{blaich:20180118:dark:31c31f6, author = {Andrew Blaich and Apurva Kumar and Jeremy Richards and Michael Flossman and Cooper Quintin and Eva Galperin}, title = {{Dark Caracal: Cyber-espionage at a Global Scal}}, date = {2018-01-18}, institution = {Lookout}, url = {https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf}, language = {English}, urldate = {2020-06-08} } @online{blasco:20120702:sykipot:09eeec7, author = {Jaime Blasco}, title = {{Sykipot is back}}, date = {2012-07-02}, organization = {AT&T}, url = {https://www.alienvault.com/blogs/labs-research/sykipot-is-back}, language = {English}, urldate = {2019-12-18} } @online{blasco:20130321:new:511f1a7, author = {Jaime Blasco}, title = {{New Sykipot developments}}, date = {2013-03-21}, organization = {AT&T}, url = {https://www.alienvault.com/open-threat-exchange/blog/new-sykipot-developments}, language = {English}, urldate = {2020-01-12} } @online{blasco:20140828:scanbox:a0cc92a, author = {Jaime Blasco}, title = {{Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks}}, date = {2014-08-28}, organization = {AT&T}, url = {https://www.alienvault.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks}, language = {English}, urldate = {2019-12-06} } @online{blasco:20190402:xwo:11817a2, author = {Jaime Blasco and Chris Doman}, title = {{Xwo - A Python-based bot scanner}}, date = {2019-04-02}, organization = {AT&T}, url = {https://www.alienvault.com/blogs/labs-research/xwo-a-python-based-bot-scanner}, language = {English}, urldate = {2020-01-06} } @online{bleepingcomputer:20170417:remove:4727489, author = {BleepingComputer}, title = {{Remove Search.searchetan.com Chrome New Tab Page}}, date = {2017-04-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/virus-removal/remove-search-searchetan.com-chrome-new-tab-page}, language = {English}, urldate = {2020-01-06} } @online{blog:20081124:iwormnuwarw:424455b, author = {NoVirusThanks Blog}, title = {{I-Worm/Nuwar.W + Rustock.E Variant – Analysis}}, date = {2008-11-24}, organization = {NoVirusThanks Blog}, url = {http://blog.novirusthanks.org/2008/11/i-wormnuwarw-rustocke-variant-analysis/}, language = {English}, urldate = {2019-10-15} } @online{blog:20170413:decrypting:c59a1bd, author = {Koodous Blog}, title = {{Decrypting Bankbot communications.}}, date = {2017-04-13}, organization = {Koodous}, url = {http://blog.koodous.com/2017/04/decrypting-bankbot-communications.html}, language = {English}, urldate = {2019-08-07} } @techreport{blueliv:20151026:chasing:975ef1a, author = {Blueliv}, title = {{Chasing cybercrime: network insights of Dyre and Dridex Trojan bankers}}, date = {2015-10-26}, institution = {Blueliv}, url = {https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf}, language = {English}, urldate = {2020-01-13} } @techreport{blueliv:201609:chasing:1c02f62, author = {Blueliv}, title = {{Chasing Cybercrime: Network insights into Vawtrak v2}}, date = {2016-09}, institution = {Blueliv}, url = {https://www.blueliv.com/downloads/network-insights-into-vawtrak-v2.pdf}, language = {English}, urldate = {2020-01-07} } @online{blueliv:20171006:trickbot:a2a9ac8, author = {Blueliv}, title = {{TrickBot banking trojan using EFLAGS as an anti-hook technique}}, date = {2017-10-06}, organization = {Blueliv}, url = {https://www.blueliv.com/research/trickbot-banking-trojan-using-eflags-as-an-anti-hook-technique/}, language = {English}, urldate = {2020-01-08} } @techreport{blueliv:201807:necurs:652cee2, author = {Blueliv}, title = {{Necurs Malware Overview}}, date = {2018-07}, institution = {Blueliv}, url = {https://www.blueliv.com/wp-content/uploads/2018/07/Blueliv-Necurs-report-2017.pdf}, language = {English}, urldate = {2019-12-10} } @online{boczan:20180605:evolution:372e566, author = {Tamas Boczan}, title = {{The Evolution of GandCrab Ransomware}}, date = {2018-06-05}, organization = {VMRay}, url = {http://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/}, language = {English}, urldate = {2019-11-20} } @online{boczan:20190625:analyzing:fe5a161, author = {Tamas Boczan}, title = {{Analyzing Ursnif’s Behavior Using a Malware Sandbox}}, date = {2019-06-25}, organization = {VMRay}, url = {https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/}, language = {English}, urldate = {2019-12-17} } @online{boddy:20170615:trickbot:6eb1db4, author = {Sara Boddy and Jesse Smith and Doron Voolf}, title = {{Trickbot Expands Global Targets Beyond Banks and Payment Processors to CRMs}}, date = {2017-06-15}, organization = {F5}, url = {https://f5.com/labs/articles/threat-intelligence/malware/trickbot-expands-global-targets-beyond-banks-and-payment-processors-to-crms}, language = {English}, urldate = {2019-12-24} } @online{boguslavskiy:20200715:inside:f9b95b1, author = {Yelisey Boguslavskiy and Samantha van de Ven}, title = {{Inside REvil Extortionist “Machine”: Predictive Insights}}, date = {2020-07-15}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/inside-revil-extortionist-machine-predictive-insights}, language = {English}, urldate = {2020-07-16} } @online{boldewin:20181231:fastcashmalwaredissected:d72e332, author = {Frank Boldewin}, title = {{FastCashMalwareDissected}}, date = {2018-12-31}, organization = {Github Repository}, url = {https://github.com/fboldewin/FastCashMalwareDissected/}, language = {English}, urldate = {2019-07-10} } @online{boldewin:20190328:javadispcash:8899167, author = {Frank Boldewin}, title = {{Tweet on JavaDispCash}}, date = {2019-03-28}, organization = {Twitter (@r3c0nst)}, url = {https://twitter.com/r3c0nst/status/1111254169623674882}, language = {English}, urldate = {2020-01-06} } @online{boldewin:20190601:atm:7c1d0c2, author = {Frank Boldewin}, title = {{Tweet on ATM Malware NVISOSPIT}}, date = {2019-06-01}, organization = {Twitter (@r3c0nst)}, url = {https://twitter.com/r3c0nst/status/1135606944427905025}, language = {English}, urldate = {2019-11-26} } @online{boldewin:20190710:xfs:aa523ad, author = {Frank Boldewin}, title = {{Tweet on XFS ATM malware}}, date = {2019-07-10}, organization = {Twitter (@r3c0nst)}, url = {https://twitter.com/r3c0nst/status/1149043362244308992}, language = {English}, urldate = {2020-01-06} } @online{boldewin:20190828:atm:b393cb8, author = {Frank Boldewin}, title = {{Tweet on ATM Malware}}, date = {2019-08-28}, organization = {Twitter (@r3c0nst)}, url = {https://twitter.com/r3c0nst/status/1166773324548063232}, language = {English}, urldate = {2019-12-05} } @online{boldewin:20191129:libertad:974f5d8, author = {Frank Boldewin}, title = {{Libertad y gloria - A Mexican cyber heist story - CyberCrimeCon19 Singapore}}, date = {2019-11-29}, organization = {Github (fboldewin)}, url = {https://github.com/fboldewin/Libertad-y-gloria---A-Mexican-cyber-heist-story---CyberCrimeCon19-Singapore}, language = {English}, urldate = {2019-12-17} } @online{boldewin:20200227:dispcashbr:7dda1c8, author = {Frank Boldewin}, title = {{Tweet on DispCashBR}}, date = {2020-02-27}, organization = {Twitter (@r3c0nst)}, url = {https://twitter.com/r3c0nst/status/1232944566208286720}, language = {English}, urldate = {2020-02-27} } @online{bone:20200617:detecting:be87469, author = {Rob Bone}, title = {{Detecting PoshC2 – Indicators of Compromise}}, date = {2020-06-17}, organization = {Nettitude Labs}, url = {https://labs.nettitude.com/blog/detecting-poshc2-indicators-of-compromise/}, language = {English}, urldate = {2020-06-18} } @online{bonfa:20101115:tracing:4f23185, author = {Giuseppe Bonfa}, title = {{Tracing the Crimeware Origins by Reversing Injected Code}}, date = {2010-11-15}, organization = {Infosec}, url = {http://resources.infosecinstitute.com/zeroaccess-malware-part-4-tracing-the-crimeware-origins-by-reversing-injected-code/}, language = {English}, urldate = {2020-01-05} } @online{bonfa:20101116:zeroaccess:14293db, author = {Giuseppe Bonfa}, title = {{ZEROACCESS MALWARE - PART 3: The Device Driver Process Injection Rootkit}}, date = {2010-11-16}, url = {http://resources.infosecinstitute.com/zeroaccess-malware-part-3-the-device-driver-process-injection-rootkit/}, language = {English}, urldate = {2020-01-08} } @online{bonfa:20101120:kernelmode:b6d039e, author = {Giuseppe Bonfa}, title = {{The Kernel-Mode Device Driver Stealth Rootkit}}, date = {2010-11-20}, organization = {InfoSec Institute}, url = {http://resources.infosecinstitute.com/zeroaccess-malware-part-2-the-kernel-mode-device-driver-stealth-rootkit/}, language = {English}, urldate = {2020-01-13} } @online{bonfa:201011:zeroaccess:fd02426, author = {Giuseppe Bonfa}, title = {{ZEROACCESS MALWARE - PART 1: De-Obfuscating and Reversing the User-Mode Agent Dropper}}, date = {2010-11}, organization = {InfoSec Institute}, url = {http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/}, language = {English}, urldate = {2019-12-17} } @online{borders:20190329:exodus:e3044af, author = {Security without Borders}, title = {{Exodus: New Android Spyware Made in Italy}}, date = {2019-03-29}, organization = {Security Without Borders}, url = {https://securitywithoutborders.org/blog/2019/03/29/exodus.html}, language = {English}, urldate = {2019-07-09} } @techreport{boris:20141113:computer:290f01d, author = {Ivanov Boris}, title = {{Computer Forensic Investigation of mobile Banking Trojan}}, date = {2014-11-13}, institution = {ZeroNights}, url = {http://2014.zeronights.ru/assets/files/slides/ivanovb-zeronights.pdf}, language = {English}, urldate = {2019-11-27} } @online{boscovich:20120913:microsoft:da601a2, author = {Richard Domingues Boscovich}, title = {{Microsoft Disrupts the Emerging Nitol Botnet Being Spread through an Unsecure Supply Chain}}, date = {2012-09-13}, organization = {Microsoft}, url = {https://blogs.technet.microsoft.com/microsoft_blog/2012/09/13/microsoft-disrupts-the-emerging-nitol-botnet-being-spread-through-an-unsecure-supply-chain/}, language = {English}, urldate = {2020-01-13} } @online{botezatu:20170505:inside:0cff0e6, author = {Bogdan Botezatu and Alexandru Maximciuc and Cristina Vatamanu and Adrian Schipur}, title = {{Inside Netrepser – a JavaScript-based Targeted Attack}}, date = {2017-05-05}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2017/05/inside-netrepser-a-javascript-based-targeted-attack/}, language = {English}, urldate = {2020-01-08} } @online{botezatu:20180124:new:f993782, author = {Bogdan Botezatu}, title = {{New Hide ‘N Seek IoT Botnet using custom-built Peer-to-Peer communication spotted in the wild}}, date = {2018-01-24}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2018/01/new-hide-n-seek-iot-botnet-using-custom-built-peer-to-peer-communication-spotted-in-the-wild/}, language = {English}, urldate = {2020-01-08} } @online{botezatu:20180413:radrat:e2bc7ad, author = {Bogdan Botezatu and Eduard Budaca}, title = {{RadRAT: An all-in-one toolkit for complex espionage ops}}, date = {2018-04-13}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2018/04/radrat-an-all-in-one-toolkit-for-complex-espionage-ops/}, language = {English}, urldate = {2020-01-09} } @online{botezatu:20180507:hide:0fd8d9a, author = {Bogdan Botezatu}, title = {{Hide and Seek IoT Botnet resurfaces with new tricks, persistence}}, date = {2018-05-07}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2018/05/hide-and-seek-iot-botnet-resurfaces-with-new-tricks-persistence/}, language = {English}, urldate = {2020-01-06} } @online{botezatu:20181025:gandcrab:4e85fe9, author = {Bogdan Botezatu}, title = {{GandCrab Ransomware decryption tool}}, date = {2018-10-25}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2018/02/gandcrab-ransomware-decryption-tool-available-for-free/}, language = {English}, urldate = {2020-01-10} } @online{botezatu:20190219:new:21079a9, author = {Bogdan Botezatu}, title = {{New GandCrab v5.1 Decryptor Available Now}}, date = {2019-02-19}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/}, language = {English}, urldate = {2019-10-15} } @online{botezatu:20190416:inside:8302b5d, author = {Bogdan Botezatu and Cristofor Ochinca and Andrei Ardelean}, title = {{Inside Scranos – A Cross Platform, Rootkit-Enabled Spyware Operation}}, date = {2019-04-16}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2019/04/inside-scranos-a-cross-platform-rootkit-enabled-spyware-operation/}, language = {English}, urldate = {2019-12-18} } @online{botezatu:20190617:good:c24ed06, author = {Bogdan Botezatu}, title = {{Good riddance, GandCrab! We’re still fixing the mess you left behind}}, date = {2019-06-17}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2019/06/good-riddance-gandcrab-were-still-fixing-the-mess-you-left-behind}, language = {English}, urldate = {2020-01-10} } @techreport{botezatu:20190625:scranos:13c5096, author = {Bogdan Botezatu and Andrei Ardelean and Cristofor Ochinca and Cristian Alexandru and Istrate and Claudiu Stefan Coblis}, title = {{Scranos Revisited – Rethinking persistence to keep established network alive}}, date = {2019-06-25}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/271/Bitdefender-Whitepaper-Scranos-2.pdf}, language = {English}, urldate = {2020-01-08} } @online{bousseaden:20200625:close:be8a8b2, author = {Samir Bousseaden and Daniel Stepanic}, title = {{A close look at the advanced techniques used in a Malaysian-focused APT campaign}}, date = {2020-06-25}, organization = {Elastic}, url = {https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign}, language = {English}, urldate = {2020-06-25} } @online{boutin:20131218:qadars:98a9a63, author = {Jean-Ian Boutin}, title = {{Qadars – a banking Trojan with the Netherlands in its sights}}, date = {2013-12-18}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2013/12/18/qadars-a-banking-trojan-with-the-netherlands-in-its-sights/}, language = {English}, urldate = {2019-11-14} } @online{boutin:20150409:operation:077f5fe, author = {Jean-Ian Boutin}, title = {{Operation Buhtrap, the trap for Russian accountants}}, date = {2015-04-09}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2015/04/09/operation-buhtrap/}, language = {English}, urldate = {2019-11-14} } @online{boutin:20151111:operation:baffed9, author = {Jean-Ian Boutin}, title = {{Operation Buhtrap malware distributed via ammyy.com}}, date = {2015-11-11}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2015/11/11/operation-buhtrap-malware-distributed-via-ammyy-com/}, language = {English}, urldate = {2020-01-08} } @online{boutin:20170606:turlas:f9b4935, author = {Jean-Ian Boutin}, title = {{Turla’s watering hole campaign: An updated Firefox extension abusing Instagram}}, date = {2017-06-06}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/}, language = {English}, urldate = {2019-11-14} } @online{boutin:20181105:bluehat:65f6d65, author = {Jean-Ian Boutin and Frédéric Vachon}, title = {{BlueHat v18 || First STRONTIUM UEFI Rootkit Unveiled}}, date = {2018-11-05}, organization = {Youtube (MSRC)}, url = {https://www.youtube.com/watch?v=VeoXT0nEcFU}, language = {English}, urldate = {2019-12-17} } @online{boutin:20190711:buhtrap:ec174bc, author = {Jean-Ian Boutin}, title = {{Buhtrap group uses zero‑day in latest espionage campaigns}}, date = {2019-07-11}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/07/11/buhtrap-zero-day-espionage-campaigns/}, language = {English}, urldate = {2019-11-14} } @online{boutin:20200611:gamaredon:14a96c2, author = {Jean-Ian Boutin}, title = {{Gamaredon group grows its game}}, date = {2020-06-11}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/}, language = {English}, urldate = {2020-06-11} } @online{brad:20180117:reviewing:49ad844, author = {brad}, title = {{Reviewing the spam filters: Malspam pushing Gozi-ISFB}}, date = {2018-01-17}, organization = {SANS ISC}, url = {https://isc.sans.edu/forums/diary/Reviewing+the+spam+filters+Malspam+pushing+GoziISFB/23245}, language = {English}, urldate = {2019-12-20} } @online{brady:20190117:pond:572e6e8, author = {Matthew Brady}, title = {{Pond Loach delivers BadCake malware}}, date = {2019-01-17}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/blogs-pond-loach-delivers-badcake-malware}, language = {English}, urldate = {2020-03-03} } @online{brandt:20190503:megacortex:fc2d16b, author = {Andrew Brandt}, title = {{“MegaCortex” ransomware wants to be The One}}, date = {2019-05-03}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2019/05/03/megacortex-ransomware-wants-to-be-the-one/}, language = {English}, urldate = {2019-11-27} } @online{brandt:20200206:living:811742c, author = {Andrew Brandt and Mark Loman}, title = {{Living off another land: Ransomware borrows vulnerable driver to remove security software}}, date = {2020-02-06}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/}, language = {English}, urldate = {2020-02-13} } @online{brandt:20200624:glupteba:fc4095d, author = {Andrew Brandt}, title = {{Glupteba malware hides in plain sight}}, date = {2020-06-24}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2020/06/24/glupteba-report/?cmp=30728}, language = {English}, urldate = {2020-06-24} } @online{brandt:20200729:emotets:cb1de9b, author = {Andrew Brandt}, title = {{Emotet’s return is the canary in the coal mine}}, date = {2020-07-29}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2020/07/28/emotets-return-is-the-canary-in-the-coal-mine/?cmp=30728}, language = {English}, urldate = {2020-07-30} } @techreport{brave:20180515:human:b4396ac, author = {Brave}, title = {{HUMAN RIGHTS UNDER SURVEILLANCE DIGITAL THREATS AGAINST HUMAN RIGHTS DEFENDERS IN PAKISTAN}}, date = {2018-05-15}, institution = {Amnesty International}, url = {https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF}, language = {English}, urldate = {2019-12-10} } @online{breach:20200130:tracking:bfa4550, author = {Under The Breach}, title = {{Tracking Down REvil’s “Lalartu” by utilizing multiple OSINT methods}}, date = {2020-01-30}, organization = {Under The Breach}, url = {https://medium.com/@underthebreach/tracking-down-revils-lalartu-by-utilizing-multiple-osint-methods-2bf3a6c65a80}, language = {English}, urldate = {2020-01-31} } @online{breakdown:20170403:shadow:962f78d, author = {Malware Breakdown}, title = {{Shadow Server Domains Leading to RIG Exploit Kit Dropping Smoke Loader}}, date = {2017-04-03}, organization = {Malware Breakdown}, url = {https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet/}, language = {English}, urldate = {2019-12-18} } @online{breakdown:20170724:seamless:7e55e6a, author = {Malware Breakdown}, title = {{The Seamless Campaign Drops Ramnit. Follow-up Malware: AZORult Stealer, Smoke Loader, etc.}}, date = {2017-07-24}, organization = {Malware Breakdown}, url = {https://malwarebreakdown.com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/}, language = {English}, urldate = {2020-01-10} } @online{breakdown:20170823:seamless:3a2c794, author = {Malware Breakdown}, title = {{The Seamless Campaign Isn’t Losing Any Steam}}, date = {2017-08-23}, url = {https://malwarebreakdown.com/2017/08/23/the-seamless-campaign-isnt-losing-any-steam/}, language = {English}, urldate = {2019-12-04} } @online{breakdown:20170911:re:5d563f4, author = {Malware Breakdown}, title = {{“Re: Details” Malspam Downloads CoreBot Banking Trojan}}, date = {2017-09-11}, organization = {Malware Breakdown}, url = {https://malwarebreakdown.com/2017/09/11/re-details-malspam-downloads-corebot-banking-trojan/}, language = {English}, urldate = {2020-01-08} } @online{breakdown:20180321:fobos:15877e7, author = {Malware Breakdown}, title = {{Fobos Malvertising Campaign Delivers Bunitu Proxy Trojan via RIG EK}}, date = {2018-03-21}, organization = {Malware Breakdown Blog}, url = {https://malwarebreakdown.com/2018/03/21/fobos-malvertising-campaign-delivers-bunitu-proxy-trojan-via-rig-ek/}, language = {English}, urldate = {2019-10-13} } @techreport{breitenbacher:20200617:operation:7969e3a, author = {Dominik Breitenbacher and Kaspars Osis}, title = {{Operation In(ter)ception: Targeted Attacks against European Aerospace and Military Companies}}, date = {2020-06-17}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf}, language = {English}, urldate = {2020-06-17} } @online{brenner:20170626:how:b5978ec, author = {Bill Brenner}, title = {{How Spora ransomware tries to fool antivirus}}, date = {2017-06-26}, organization = {Sophos}, url = {https://nakedsecurity.sophos.com/2017/06/26/how-spora-ransomware-tries-to-fool-antivirus/}, language = {English}, urldate = {2019-10-14} } @online{brewster:20140807:sophisticated:5f484c8, author = {Tom Brewster}, title = {{Sophisticated 'Turla' hackers spying on European governments, say researchers}}, date = {2014-08-07}, organization = {The Guardian}, url = {https://www.theguardian.com/technology/2014/aug/07/turla-hackers-spying-governments-researcher-kaspersky-symantec}, language = {English}, urldate = {2020-01-05} } @online{brewster:20170215:inside:8b5faed, author = {Thomas Brewster}, title = {{Inside OilRig -- Tracking Iran's Busiest Hacker Crew On Its Global Rampage}}, date = {2017-02-15}, organization = {Forbes}, url = {https://www.forbes.com/sites/thomasbrewster/2017/02/15/oilrig-iran-hackers-cyberespionage-us-turkey-saudi-arabia/#56749aa2468a}, language = {English}, urldate = {2020-01-13} } @online{brewster:20170504:behind:4da1ded, author = {Thomas Brewster}, title = {{Behind The Mystery Of Russia's 'Dyre' Hackers Who Stole Millions From American Business}}, date = {2017-05-04}, organization = {Forbes}, url = {https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates}, language = {English}, urldate = {2020-01-09} } @online{brewster:20170727:with:b21b072, author = {Thomas Brewster}, title = {{With Fake News And Femmes Fatales, Iran's Spies Learn To Love Facebook}}, date = {2017-07-27}, organization = {Forbes}, url = {https://www.forbes.com/sites/thomasbrewster/2017/07/27/iran-hackers-oilrig-use-fake-personas-on-facebook-linkedin-for-cyberespionage/}, language = {English}, urldate = {2020-01-07} } @online{brewster:20180830:hackers:d006ceb, author = {Thomas Brewster}, title = {{Hackers Are Exposing An Apple Mac Weakness In Middle East Espionage}}, date = {2018-08-30}, organization = {Forbes}, url = {https://www.forbes.com/sites/thomasbrewster/2018/08/30/apple-mac-loophole-breached-in-middle-east-hacks/}, language = {English}, urldate = {2019-11-26} } @online{bromiley:20161007:attacking:0d71422, author = {Matt Bromiley and Preston Lewis}, title = {{Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years}}, date = {2016-10-07}, organization = {FireEye}, url = {https://www.youtube.com/watch?v=fevGZs0EQu8}, language = {English}, urldate = {2020-04-17} } @online{bromiley:20190718:hard:7a6144e, author = {Matt Bromiley and Noah Klapprodt and Nick Schroeder and Jessica Rocchio}, title = {{Hard Pass: Declining APT34’s Invite to Join Their Professional Network}}, date = {2019-07-18}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html}, language = {English}, urldate = {2019-12-20} } @online{brook:20120725:new:67f3d60, author = {Chris Brook}, title = {{New and Improved Madi Spyware Campaign Continues}}, date = {2012-07-25}, organization = {Threatpost}, url = {https://threatpost.com/new-and-improved-madi-spyware-campaign-continues-072512/76849/}, language = {English}, urldate = {2019-12-17} } @online{brook:20160425:attackers:61e599a, author = {Chris Brook}, title = {{Attackers Behind GozNym Trojan Set Sights on Europe}}, date = {2016-04-25}, organization = {Threat Post}, url = {https://threatpost.com/attackers-behind-goznym-trojan-set-sights-on-europe/117647/}, language = {English}, urldate = {2019-11-23} } @online{brook:20160823:goznym:29466b9, author = {Chris Brook}, title = {{GozNym Banking Trojan Targeting German Banks}}, date = {2016-08-23}, organization = {Threatpost}, url = {https://threatpost.com/goznym-banking-trojan-targeting-german-banks/120075/}, language = {English}, urldate = {2020-01-08} } @online{brook:20171114:iceid:5a074d2, author = {Chris Brook}, title = {{IceID Banking Trojan Targeting Banks, Payment Card Providers, E-Commerce Sites}}, date = {2017-11-14}, organization = {Digital Guardian}, url = {https://digitalguardian.com/blog/iceid-banking-trojan-targeting-banks-payment-card-providers-e-commerce-sites}, language = {English}, urldate = {2019-07-10} } @online{brooks:20200602:malware:bc0b560, author = {Casey Brooks}, title = {{tweet on malware called dnstunnel RAT}}, date = {2020-06-02}, organization = {Twitter (@DrunkBinary)}, url = {https://twitter.com/DrunkBinary/status/1267568386516692992}, language = {English}, urldate = {2020-06-05} } @online{brown:20181025:new:7234825, author = {Sophia Brown}, title = {{New sLoad malware downloader being leveraged by APT group TA554 to spread Ramnit}}, date = {2018-10-25}, url = {https://cyware.com/news/new-sload-malware-downloader-being-leveraged-by-apt-group-ta554-to-spread-ramnit-7d03f2d9}, language = {English}, urldate = {2019-11-22} } @online{brown:20181211:new:fa1fc12, author = {Sophia Brown}, title = {{New Satan ransomware variant ‘Lucky’ exposes 10 server-side vulnerabilities}}, date = {2018-12-11}, organization = {Cyware}, url = {https://cyware.com/news/new-satan-ransomware-variant-lucky-exposes-10-server-side-vulnerabilities-070afbd2}, language = {English}, urldate = {2020-01-07} } @online{brown:20200507:detecting:5059f43, author = {Jesse Brown}, title = {{Detecting COR_PROFILER manipulation for persistence}}, date = {2020-05-07}, organization = {Red Canary}, url = {https://redcanary.com/blog/cor_profiler-for-persistence/}, language = {English}, urldate = {2020-06-02} } @online{brubaker:20200715:financially:f217555, author = {Nathan Brubaker and Daniel Kapellmann Zafra and Keith Lunden and Ken Proska and Corey Hildebrandt}, title = {{Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families}}, date = {2020-07-15}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html}, language = {English}, urldate = {2020-07-16} } @online{brumaghin:20160711:when:0155a0a, author = {Edmund Brumaghin and Warren Mercer}, title = {{When Paying Out Doesn't Pay Off}}, date = {2016-07-11}, organization = {Talos}, url = {http://blog.talosintel.com/2016/07/ranscam.html}, language = {English}, urldate = {2020-01-09} } @online{brumaghin:20170502:covert:32e078f, author = {Edmund Brumaghin and Colin Grady}, title = {{Covert Channels and Poor Decisions: The Tale of DNSMessenger}}, date = {2017-05-02}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2017/03/dnsmessenger.html}, language = {English}, urldate = {2019-11-26} } @online{brumaghin:20170918:ccleanup:5ba0369, author = {Edmund Brumaghin and Ross Gibb and Warren Mercer and Matthew Molyett and Craig Williams}, title = {{CCleanup: A Vast Number of Machines at Risk}}, date = {2017-09-18}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html}, language = {English}, urldate = {2020-01-08} } @online{brumaghin:20170920:ccleaner:e034063, author = {Edmund Brumaghin and Earl Carter and Warren Mercer and Matthew Molyett and Matthew Olney and Paul Rascagnères and Craig Williams}, title = {{CCleaner Command and Control Causes Concern}}, date = {2017-09-20}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html}, language = {English}, urldate = {2020-01-06} } @online{brumaghin:20171011:spoofed:9f0fc69, author = {Edmund Brumaghin and Colin Grady and Dave Maynor and @Simpo13}, title = {{Spoofed SEC Emails Distribute Evolved DNSMessenger}}, date = {2017-10-11}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2017/10/dnsmessenger-sec-campaign.html}, language = {English}, urldate = {2020-01-09} } @online{brumaghin:20171102:poisoning:c00599d, author = {Edmund Brumaghin and Earl Carter and Emmanuel Tacheau}, title = {{Poisoning the Well: Banking Trojan Targets Google Search Results}}, date = {2017-11-02}, organization = {Talos}, url = {http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html}, language = {English}, urldate = {2019-11-21} } @online{brumaghin:20180306:gozi:6146f77, author = {Edmund Brumaghin and Holger Unterbrink and Adam Weller}, title = {{Gozi ISFB Remains Active in 2018, Leverages "Dark Cloud" Botnet For Distribution}}, date = {2018-03-06}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html}, language = {English}, urldate = {2019-12-17} } @online{brumaghin:20180626:files:661b639, author = {Edmund Brumaghin and Earl Carter and Andrew Williams}, title = {{Files Cannot Be Decrypted? Challenge Accepted. Talos Releases ThanatosDecryptor}}, date = {2018-06-26}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/06/ThanatosDecryptor.html}, language = {English}, urldate = {2020-01-09} } @online{brumaghin:20180822:picking:925912d, author = {Edmund Brumaghin and Holger Unterbrink and Eric Kuhla and Lilia Gonzalez Medina}, title = {{Picking Apart Remcos Botnet-In-A-Box}}, date = {2018-08-22}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html}, language = {English}, urldate = {2019-10-23} } @online{brumaghin:20180926:vpnfilter:343892a, author = {Edmund Brumaghin}, title = {{VPNFilter III: More Tools for the Swiss Army Knife of Malware}}, date = {2018-09-26}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2018/09/vpnfilter-part-3.html}, language = {English}, urldate = {2019-12-17} } @online{brumaghin:20181108:metamorfo:d12fe7e, author = {Edmund Brumaghin and Warren Mercer and Paul Rascagnères and Vitor Ventura}, title = {{Metamorfo Banking Trojan Keeps Its Sights on Brazil}}, date = {2018-11-08}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/11/metamorfo-brazilian-campaigns.html}, language = {English}, urldate = {2020-01-06} } @online{brumaghin:20190130:fake:3499d4e, author = {Edmund Brumaghin and Paul Rascagnères and Jungsoo An}, title = {{Fake Cisco Job Posting Targets Korean Candidates}}, date = {2019-01-30}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/01/fake-korean-job-posting.html}, language = {English}, urldate = {2020-01-10} } @online{brumaghin:20190415:new:bf931b1, author = {Edmund Brumaghin and Holger Unterbrink}, title = {{New HawkEye Reborn Variant Emerges Following Ownership Change}}, date = {2019-04-15}, organization = {Talos}, url = {https://blog.talosintelligence.com/2019/04/hawkeye-reborn.html}, language = {English}, urldate = {2020-01-09} } @online{brumaghin:20190715:sweed:9725699, author = {Edmund Brumaghin}, title = {{SWEED: Exposing years of Agent Tesla campaigns}}, date = {2019-07-15}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html}, language = {English}, urldate = {2020-01-08} } @online{brumaghin:20190828:rat:dadd9c5, author = {Edmund Brumaghin and Holger Unterbrink}, title = {{RAT Ratatouille: Backdooring PCs with leaked RATs}}, date = {2019-08-28}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html}, language = {English}, urldate = {2020-01-13} } @online{brumaghin:20190926:divergent:2d282a0, author = {Edmund Brumaghin}, title = {{Divergent: "Fileless" NodeJS Malware Burrows Deep Within the Host}}, date = {2019-09-26}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/09/divergent-analysis.html}, language = {English}, urldate = {2019-10-24} } @online{brumaghin:20200423:threat:4f7f840, author = {Edmund Brumaghin and Amit Raut}, title = {{Threat Spotlight: MedusaLocker}}, date = {2020-04-23}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/04/medusalocker.html}, language = {English}, urldate = {2020-04-26} } @online{bryant:20190213:hunting:8c671bf, author = {Josh Bryant and Robert Falcone}, title = {{Hunting Webshells: Tracking TwoFace - SANS Threat Hunting Summit 2018}}, date = {2019-02-13}, organization = {Youtube (SANS Digital Forensics & Incident Response)}, url = {https://www.youtube.com/watch?v=GjquFKa4afU}, language = {English}, urldate = {2020-01-13} } @techreport{bryant:20190708:hunting:7ce53d5, author = {Josh M. Bryant and Robert Falcone}, title = {{Hunting Webshells: Tracking TwoFace}}, date = {2019-07-08}, institution = {SANS}, url = {https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1536345486.pdf}, language = {English}, urldate = {2020-01-09} } @online{buchka:20160303:attack:fa7a7ba, author = {Nikita Buchka and Mikhail Kuzin}, title = {{Attack on Zygote: a new twist in the evolution of mobile threats}}, date = {2016-03-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/attack-on-zygote-a-new-twist-in-the-evolution-of-mobile-threats/74032/}, language = {English}, urldate = {2019-12-20} } @online{buchka:20161228:switcher:a2408dd, author = {Nikita Buchka}, title = {{Switcher: Android joins the ‘attack-the-router’ club}}, date = {2016-12-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/mobile/76969/switcher-android-joins-the-attack-the-router-club/}, language = {English}, urldate = {2019-12-20} } @online{buchka:20171218:jack:5842578, author = {Nikita Buchka and Anton Kivva and Dmitry Galov}, title = {{Jack of all trades}}, date = {2017-12-18}, organization = {Kaspersky Labs}, url = {https://securelist.com/jack-of-all-trades/83470/}, language = {English}, urldate = {2019-12-20} } @online{buchka:20180116:skygofree:4e0990c, author = {Nikita Buchka and Alexey Firsh}, title = {{Skygofree: Following in the footsteps of HackingTeam}}, date = {2018-01-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/}, language = {English}, urldate = {2019-12-20} } @online{bucket:20140330:ioc:053d0b0, author = {IOC Bucket}, title = {{IOC Bucket for Putter Panda}}, date = {2014-03-30}, organization = {IOC Bucket}, url = {https://www.iocbucket.com/iocs/7f7999ab7f223409ea9ea10cff82b064ce2a1a31}, language = {English}, urldate = {2020-01-09} } @online{budd:20150916:operation:7889703, author = {Christopher Budd}, title = {{Operation Iron Tiger: Attackers Shift from East Asia to the United States}}, date = {2015-09-16}, organization = {Trend Micro}, url = {http://newsroom.trendmicro.com/blog/operation-iron-tiger-attackers-shift-east-asia-united-states}, language = {English}, urldate = {2019-12-17} } @techreport{buggenhout:2014:history:049d4d1, author = {Erik Van Buggenhout}, title = {{A history of ATM violence}}, date = {2014}, institution = {nviso}, url = {http://www.isg.rhul.ac.uk/dl/weekendconference2014/slides/Erik_VanBuggenhout.pdf}, language = {English}, urldate = {2020-01-08} } @online{bukhteyev:20180805:ramnits:1268bad, author = {Alexey Bukhteyev}, title = {{Ramnit’s Network of Proxy Servers}}, date = {2018-08-05}, organization = {Check Point}, url = {https://research.checkpoint.com/ramnits-network-proxy-servers/}, language = {English}, urldate = {2020-01-09} } @online{bukhteyev:20191119:phorpiex:50c2cb1, author = {Alexey Bukhteyev}, title = {{Phorpiex Breakdown}}, date = {2019-11-19}, organization = {Check Point}, url = {https://research.checkpoint.com/2019/phorpiex-breakdown/}, language = {English}, urldate = {2020-01-06} } @online{bunce:20190815:gootkit:1052b18, author = {Daniel Bunce}, title = {{Gootkit Banking Trojan | Deep Dive into Anti-Analysis Features}}, date = {2019-08-15}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/gootkit-banking-trojan-deep-dive-anti-analysis-features/}, language = {English}, urldate = {2019-12-20} } @online{bunce:20190815:gootkit:480c7e8, author = {Daniel Bunce}, title = {{Gootkit Banking Trojan | Deep Dive into Anti-Analysis Features}}, date = {2019-08-15}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/gootkit-banking-trojan-deep-dive-anti-analysis-features/}, language = {English}, urldate = {2020-06-18} } @online{bunce:20190829:gootkit:b379f2c, author = {Daniel Bunce}, title = {{Gootkit Banking Trojan | Part 2: Persistence & Other Capabilities}}, date = {2019-08-29}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/gootkit-banking-trojan-persistence-other-capabilities/}, language = {English}, urldate = {2020-01-08} } @online{bunce:20200622:unpacking:8a02d84, author = {Daniel Bunce}, title = {{Unpacking Visual Basic Packers – IcedID}}, date = {2020-06-22}, organization = {zero2auto}, url = {https://zero2auto.com/2020/06/22/unpacking-visual-basic-packers/}, language = {English}, urldate = {2020-06-24} } @online{buonopane:20190201:information:2fbf14a, author = {Paul Buonopane}, title = {{Information about lnkr5, malware distributed via Chrome extensions}}, date = {2019-02-01}, organization = {Github (Zenexer)}, url = {https://github.com/Zenexer/lnkr}, language = {English}, urldate = {2020-05-05} } @online{buonopane:20190201:lnkr:f79885e, author = {Paul Buonopane}, title = {{LNKR - Extension analysis - Flash Playlist}}, date = {2019-02-01}, organization = {Github (Zenexer)}, url = {https://github.com/Zenexer/lnkr/blob/master/recon/extensions/fanagokoaogopceablgmpndejhedkjjb/README.md}, language = {English}, urldate = {2020-05-05} } @online{burbage:20180416:rat:3c30776, author = {Paul Burbage and Mike Mimoso}, title = {{RAT Gone Rogue: Meet ARS VBS Loader}}, date = {2018-04-16}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/meet-ars-vbs-loader/}, language = {English}, urldate = {2019-12-17} } @online{burbage:20180912:malware:5b7d58a, author = {Paul Burbage and Mike Mimoso}, title = {{Malware Campaign Targeting Jaxx Cryptocurrency Wallet Users Shut Down}}, date = {2018-09-12}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/malware-campaign-targets-jaxx-cryptocurrency-wallet-users/}, language = {English}, urldate = {2020-01-08} } @online{burbage:20181102:new:4781b19, author = {Paul Burbage}, title = {{Tweet on New Stealer}}, date = {2018-11-02}, organization = {Twitter (@hexlax)}, url = {https://twitter.com/hexlax/status/1058356670835908610}, language = {English}, urldate = {2020-01-07} } @online{burbage:20191228:tale:2e5f361, author = {Paul Burbage}, title = {{The Tale of the Pija-Droid Firefinch}}, date = {2019-12-28}, url = {https://medium.com/@paul.k.burbage/the-tale-of-the-pija-droid-firefinch-4d304fde5ca2}, language = {English}, urldate = {2020-02-14} } @online{burchard:20200528:berlin:c5c42b4, author = {Hans von der Burchard and Laurens Cerulus}, title = {{Berlin seeks sanctions against Russian hackers over Bundestag cyberattack}}, date = {2020-05-28}, organization = {POLITICO}, url = {https://www.politico.eu/article/berlin-sanctions-against-russian-hacker-bundestag-cyberattack-angela-merkel-gru/}, language = {English}, urldate = {2020-05-29} } @online{bureau:20121218:malicious:c863bcf, author = {Pierre-Marc Bureau}, title = {{Malicious Apache module used for content injection: Linux/Chapro.A}}, date = {2012-12-18}, organization = {ESET Research}, url = {http://blog.eset.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a}, language = {English}, urldate = {2019-12-20} } @online{bureau:20130426:linuxcdorkeda:ab3e321, author = {Pierre-Marc Bureau}, title = {{Linux/Cdorked.A: New Apache backdoor being used in the wild to serve Blackhole}}, date = {2013-04-26}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/}, language = {English}, urldate = {2019-11-14} } @online{bureau:20130925:win32napolar:aba54b1, author = {Pierre-Marc Bureau}, title = {{Win32/Napolar – A new bot on the block}}, date = {2013-09-25}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/}, language = {English}, urldate = {2019-11-14} } @online{bureau:20140318:operation:1b1bd17, author = {Pierre-Marc Bureau}, title = {{Operation Windigo – the vivisection of a large Linux server‑side credential‑stealing malware campaign}}, date = {2014-03-18}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/}, language = {English}, urldate = {2019-11-14} } @online{bureau:20200305:vietnam:23ec4c0, author = {Microstep Intelligence Bureau}, title = {{Vietnam National Background APT organization "Sea Lotus" used the topic of the epidemic to attack our government agencies}}, date = {2020-03-05}, organization = {Microstep Intelligence Bureau}, url = {https://m.threatbook.cn/detail/2527}, language = {Chinese}, urldate = {2020-04-26} } @online{burt:20190327:new:9ba6b3b, author = {Tom Burt}, title = {{New steps to protect customers from hacking}}, date = {2019-03-27}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/}, language = {English}, urldate = {2020-01-13} } @online{burt:20200310:new:251948a, author = {Tom Burt}, title = {{New action to disrupt world’s largest online criminal network}}, date = {2020-03-10}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2020/03/10/necurs-botnet-cyber-crime-disrupt/}, language = {English}, urldate = {2020-03-11} } @online{burt:20200707:microsoft:3300f46, author = {Tom Burt}, title = {{Microsoft takes legal action against COVID-19-related cybercrime}}, date = {2020-07-07}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2020/07/07/digital-crimes-unit-covid-19-cybercrime/}, language = {English}, urldate = {2020-07-08} } @online{bushidotoken:20200509:turkey:a764ff0, author = {BushidoToken}, title = {{Turkey targeted by Cerberus and Anubis Android banking Trojan campaigns}}, date = {2020-05-09}, organization = {BushidoToken}, url = {https://bushidotoken.blogspot.com/2020/05/turkey-targeted-by-cerberus-and-anubis.html}, language = {English}, urldate = {2020-05-13} } @online{bushidotoken:20200528:ozh:d9cd398, author = {BushidoToken}, title = {{Tweet on OZH RAT}}, date = {2020-05-28}, organization = {Twitter (@BushidoToken)}, url = {https://twitter.com/BushidoToken/status/1266075992679948289}, language = {English}, urldate = {2020-05-29} } @online{bushidotoken:20200614:deepdive:3a375ca, author = {BushidoToken}, title = {{Deep-dive: The DarkHotel APT}}, date = {2020-06-14}, organization = {BushidoToken}, url = {https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html}, language = {English}, urldate = {2020-06-16} } @online{byteatlas:20150415:knowledge:0d028a7, author = {ByteAtlas}, title = {{Knowledge Fragment: Bruteforcing Andromeda Configuration Buffers}}, date = {2015-04-15}, url = {https://byte-atlas.blogspot.ch/2015/04/kf-andromeda-bruteforcing.html}, language = {English}, urldate = {2020-01-07} } @online{byteraptors:20200603:wizardopium:b83073d, author = {ByteRaptors}, title = {{The WizardOpium LPE: Exploiting CVE-2019-1458}}, date = {2020-06-03}, organization = {ByteRaptors Blog}, url = {https://byteraptors.github.io/windows/exploitation/2020/06/03/exploitingcve2019-1458.html}, language = {English}, urldate = {2020-06-12} } @online{c0d3inj3ct:20180524:javascript:af29dab, author = {c0d3inj3cT}, title = {{JavaScript based Bot using Github C&C}}, date = {2018-05-24}, organization = {pwncode.io blog}, url = {http://www.pwncode.io/2018/05/javascript-based-bot-using-github-c.html}, language = {English}, urldate = {2020-05-23} } @online{c0d3inj3ct:20191224:unpacking:3102f76, author = {c0d3inj3cT}, title = {{Unpacking Payload used in Bottle EK}}, date = {2019-12-24}, organization = {pwncode.io blog}, url = {http://www.pwncode.io/2019/12/unpacking-payload-used-in-bottle-ek.html}, language = {English}, urldate = {2020-03-11} } @online{c0d3inj3ct:20191225:blacknet:80468eb, author = {c0d3inj3cT}, title = {{BlackNet RAT - When you leave the Panel unprotected}}, date = {2019-12-25}, organization = {pwncode.io blog}, url = {http://www.pwncode.io/2019/12/blacknet-rat-when-you-leave-panel.html}, language = {English}, urldate = {2020-03-11} } @online{c4i:20170216:breaking:b65439a, author = {IDF C4I and Ido Naor}, title = {{Breaking The Weakest Link Of The Strongest Chain}}, date = {2017-02-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/breaking-the-weakest-link-of-the-strongest-chain/77562/}, language = {English}, urldate = {2019-12-20} } @online{c4i:20170216:breaking:cc7bead, author = {IDF C4I and Ido Naor}, title = {{Breaking The Weakest Link Of The Strongest Chain}}, date = {2017-02-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/}, language = {English}, urldate = {2019-12-20} } @online{c:20200608:tau:f5b25ff, author = {A C}, title = {{TAU Threat Analysis: Hakbit Ransomware}}, date = {2020-06-08}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/06/08/tau-threat-analysis-hakbit-ransomware/}, language = {English}, urldate = {2020-06-10} } @online{c:20200615:tau:c60e41f, author = {A C}, title = {{TAU Threat Analysis: Relations to Hakbit Ransomware}}, date = {2020-06-15}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/06/15/tau-threat-analysis-relations-to-hakbit-ransomware/}, language = {English}, urldate = {2020-06-16} } @online{caban:20180707:youve:b02f5ff, author = {Dan Caban and Muks Hirani}, title = {{You’ve Got Mail!}}, date = {2018-07-07}, organization = {Youtube (SteelCon)}, url = {https://www.youtube.com/watch?time_continue=1333&v=1CGAmjAV8nI}, language = {English}, urldate = {2020-01-08} } @online{cadieux:20190430:sodinokibi:d04e315, author = {Pierre Cadieux and Colin Grady and Jaeson Schultz and Matt Valites}, title = {{Sodinokibi ransomware exploits WebLogic Server vulnerability}}, date = {2019-04-30}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html}, language = {English}, urldate = {2019-12-17} } @online{calvet:20150305:casper:be062ed, author = {Joan Calvet}, title = {{Casper Malware: After Babar and Bunny, Another Espionage Cartoon}}, date = {2015-03-05}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2015/03/05/casper-malware-babar-bunny-another-espionage-cartoon/}, language = {English}, urldate = {2019-11-14} } @online{camastra:20190220:spoofing:f2e825b, author = {Luigino Camastra and Jan Širmer and Adolf Středa and Lukáš Obrdlík}, title = {{Spoofing in the reeds with Rietspoof}}, date = {2019-02-20}, organization = {Avast Decoded}, url = {https://decoded.avast.io/threatintel/spoofing-in-the-reeds-with-rietspoof/}, language = {English}, urldate = {2020-01-06} } @online{camastra:20200514:planted:03eab5a, author = {Luigino Camastra}, title = {{APT Group Planted Backdoors Targeting High Profile Networks in Central Asia}}, date = {2020-05-14}, organization = {Avast Decoded}, url = {https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/}, language = {English}, urldate = {2020-05-14} } @online{camba:20121009:bkdrsarhusta:92d2b93, author = {Abraham Latimer Camba}, title = {{BKDR_SARHUST.A}}, date = {2012-10-09}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/bkdr_sarhust.a}, language = {English}, urldate = {2020-01-05} } @online{camba:20130227:bkdrrarstone:8c1d7b2, author = {Abraham Camba}, title = {{BKDR_RARSTONE: New RAT to Watch Out For}}, date = {2013-02-27}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/}, language = {English}, urldate = {2020-01-08} } @online{cameron:20170915:welp:8da10de, author = {Dell Cameron}, title = {{Welp, Vevo Just Got Hacked}}, date = {2017-09-15}, url = {https://gizmodo.com/welp-vevo-just-got-hacked-1813390834}, language = {English}, urldate = {2019-10-17} } @online{cameron:20181030:us:45da6b7, author = {Dell Cameron}, title = {{U.S. Indicts Chinese Hacker-Spies in Conspiracy to Steal Aerospace Secrets}}, date = {2018-10-30}, organization = {Gizmodo}, url = {https://gizmodo.com/u-s-indicts-chinese-hacker-spies-in-conspiracy-to-stea-1830111695}, language = {English}, urldate = {2019-11-27} } @online{camichel:20190309:retefe:3414337, author = {Corsin Camichel}, title = {{retefe: Artefacts from various retefe campaigns}}, date = {2019-03-09}, organization = {Github (cocaman)}, url = {https://github.com/cocaman/retefe}, language = {English}, urldate = {2020-01-13} } @online{camichel:20190523:analysing:9a4f909, author = {Corsin Camichel}, title = {{Analysing "Retefe" with Sysmon and Splunk}}, date = {2019-05-23}, organization = {Vulnerability.ch Blog}, url = {https://vulnerability.ch/2019/05/analysing-retefe-with-sysmon-and-splunk/}, language = {English}, urldate = {2019-07-09} } @online{camichel:20200512:absent:f352502, author = {Corsin Camichel}, title = {{Tweet on AbSent Loader}}, date = {2020-05-12}, organization = {Twitter (@cocaman)}, url = {https://twitter.com/cocaman/status/1260069549069733888}, language = {English}, urldate = {2020-05-15} } @online{campbell:20190502:2019:1fe00f6, author = {Bryan Campbell and Proofpoint Threat Insight Team}, title = {{2019: The Return of Retefe}}, date = {2019-05-02}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe}, language = {English}, urldate = {2019-12-20} } @online{campbell:20190926:new:d228362, author = {Bryan Campbell and Jeremy Hedges and Proofpoint Threat Insight Team}, title = {{New WhiteShadow downloader uses Microsoft SQL to retrieve malware}}, date = {2019-09-26}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware}, language = {English}, urldate = {2020-02-26} } @online{campbell:20191114:ta2101:e79f6fb, author = {Bryan Campbell and Proofpoint Threat Insight Team}, title = {{TA2101 plays government imposter to distribute malware to German, Italian, and US organizations}}, date = {2019-11-14}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us}, language = {English}, urldate = {2019-11-27} } @online{campbell:20200608:analysis:500f9fe, author = {Ryan Campbell}, title = {{Analysis of Valak Maldoc}}, date = {2020-06-08}, organization = {Security Soup Blog}, url = {https://security-soup.net/analysis-of-valak-maldoc/}, language = {English}, urldate = {2020-06-08} } @online{can:20190313:n:bfbaff0, author = {Ahmet Bilal Can}, title = {{N Ways to Unpack Mobile Malware}}, date = {2019-03-13}, organization = {Pentest Blog}, url = {https://pentest.blog/n-ways-to-unpack-mobile-malware/}, language = {English}, urldate = {2020-01-09} } @online{can:20190718:android:5097363, author = {Ahmet Bilal Can}, title = {{Android Malware Analysis : Dissecting Hydra Dropper}}, date = {2019-07-18}, url = {https://pentest.blog/android-malware-analysis-dissecting-hydra-dropper/}, language = {English}, urldate = {2019-12-05} } @techreport{canada:2011:snowglobe:2cf6813, author = {CSE Canada}, title = {{SNOWGLOBE: From Discovery to Attribution}}, date = {2011}, institution = {Spiegel Online}, url = {http://www.spiegel.de/media/media-35683.pdf}, language = {English}, urldate = {2019-12-17} } @online{canary:20200617:threat:3a7f962, author = {Red Canary}, title = {{Threat Detection: Blue Mockingbird}}, date = {2020-06-17}, organization = {Youtube (Red Canary)}, url = {https://www.youtube.com/watch?v=6t_E8KOmZSs}, language = {English}, urldate = {2020-06-19} } @online{cannell:20130725:zeroaccess:4853854, author = {Joshua Cannell}, title = {{ZeroAccess uses Self-Debugging}}, date = {2013-07-25}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2013/07/zeroaccess-anti-debug-uses-debugger/}, language = {English}, urldate = {2019-12-20} } @online{cannell:20130801:sophos:404c6a5, author = {Joshua Cannell}, title = {{Sophos Discovers ZeroAccess Using RLO}}, date = {2013-08-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2013/08/sophos-discovers-zeroaccess-using-rlo/}, language = {English}, urldate = {2019-12-20} } @online{cannell:20130926:new:428977b, author = {Joshua Cannell}, title = {{New Solarbot Malware Debuts, Creator Publicly Advertising}}, date = {2013-09-26}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2013/09/new-solarbot-malware-debuts-creator-publicly-advertising/}, language = {English}, urldate = {2019-12-20} } @online{cannings:20160616:sakula:cece262, author = {David Cannings}, title = {{Sakula: an adventure in DLL planting}}, date = {2016-06-16}, organization = {NCC Group}, url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/sakula-an-adventure-in-dll-planting/?page=1}, language = {English}, urldate = {2020-01-06} } @online{cannings:20170403:investigation:7deb188, author = {Rich Cannings and Jason Woloz and Neel Mehta and Ken Bodzak and Wentao Chang and Megan Ruthven}, title = {{An investigation of Chrysaor Malware on Android}}, date = {2017-04-03}, organization = {Google}, url = {https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html}, language = {English}, urldate = {2019-12-17} } @online{cannings:20170403:investigation:8de942a, author = {Rich Cannings and Jason Woloz and Neel Mehta and Ken Bodzak and Wentao Chang and Megan Ruthven}, title = {{An Investigation of Chrysaor Malware on Android}}, date = {2017-04-03}, organization = {Google}, url = {https://security.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html}, language = {English}, urldate = {2020-01-08} } @online{cannings:20170403:technical:e27583c, author = {David Cannings}, title = {{Technical Notes on RedLeaves}}, date = {2017-04-03}, organization = {Github (nccgroup)}, url = {https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Red%20Leaves}, language = {English}, urldate = {2020-01-06} } @online{cannon:20171207:new:035f809, author = {Vincent Cannon and Nalani Fraser and Yogesh Londhe and Manish Sardiwal and Nick Richard and Jacqueline O’Leary}, title = {{New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit}}, date = {2017-12-07}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html}, language = {English}, urldate = {2019-12-20} } @online{cao:20200324:operation:89da9bd, author = {Elliot Cao and Joseph Chen and William Gamazo Sanchez and Lilang Wu and Ecular Xu}, title = {{Operation Poisoned News: Hong Kong Users Targeted With Mobile Malware via Local News Links}}, date = {2020-03-24}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links/}, language = {English}, urldate = {2020-03-25} } @techreport{cao:20200324:technical:dc23839, author = {Elliot Cao and Joseph Chen and William Gamazo Sanchez and Lilang Wu and Ecular Xu}, title = {{Technical Brief: Operation Poisoned News: Hong Kong Users Targeted with Mobile Malware via Local News Links}}, date = {2020-03-24}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/Tech-Brief-Operation-Poisoned-News-Hong-Kong-Users-Targeted-with-Mobile-Malware-via-Local-News-Links.pdf}, language = {English}, urldate = {2020-03-25} } @online{capilla:20161121:android:5150467, author = {Sergi Àlvarez i Capilla}, title = {{Android malware analysis with Radare: Dissecting the Triada Trojan}}, date = {2016-11-21}, organization = {NowSecure}, url = {https://www.nowsecure.com/blog/2016/11/21/android-malware-analysis-radare-triada-trojan/}, language = {English}, urldate = {2020-01-10} } @online{caragay:20150924:credit:59e0581, author = {RonJay Caragay and Michael Marcos}, title = {{Credit Card-Scraping Kasidet Builder Leads to Spike in Detections}}, date = {2015-09-24}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/credit-card-scraping-kasidet-builder-leads-to-spike-in-detections/}, language = {English}, urldate = {2020-01-13} } @techreport{carcano:20181001:triton:7863291, author = {Andrea Carcano}, title = {{TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of Industrial Control Systems, Forever}}, date = {2018-10-01}, institution = {SANS Cyber Summit}, url = {https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1538425180.pdf}, language = {English}, urldate = {2020-01-20} } @online{carr:20170514:cyber:0ac720f, author = {Nick Carr}, title = {{Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations}}, date = {2017-05-14}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html}, language = {English}, urldate = {2019-12-20} } @online{carr:20170524:apt32:4060afe, author = {Nick Carr}, title = {{APT32: New Cyber Espionage Group}}, date = {2017-05-24}, organization = {BrightTALK (FireEye)}, url = {https://www.brighttalk.com/webcast/10703/261205}, language = {English}, urldate = {2020-01-07} } @online{carr:20170630:obfuscation:c3d947e, author = {Nick Carr and Daniel Bohannon}, title = {{Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques}}, date = {2017-06-30}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html}, language = {English}, urldate = {2019-12-20} } @online{carr:20180801:hunt:0fe0e15, author = {Nick Carr and Kimberly Goody and Steve Miller and Barry Vengerik}, title = {{On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation}}, date = {2018-08-01}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html}, language = {English}, urldate = {2019-12-20} } @online{carr:20181106:griffon:c7f800f, author = {Nick Carr}, title = {{Tweet on a GRIFFON sample}}, date = {2018-11-06}, organization = {Twitter (@ItsReallyNick)}, url = {https://twitter.com/ItsReallyNick/status/1059898708286939136}, language = {English}, urldate = {2019-12-17} } @online{carr:20190605:malware:a6892ae, author = {Nick Carr}, title = {{Tweet on Malware Sample}}, date = {2019-06-05}, organization = {Twitter (@ItsReallyNick)}, url = {https://twitter.com/ItsReallyNick/status/1136502701301346305}, language = {English}, urldate = {2020-01-07} } @online{carr:20191010:mahalo:917c5b2, author = {Nick Carr and Josh Yoder and Kimberly Goody and Scott Runnels and Jeremy Kennelly and Jordan Nuce}, title = {{Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques}}, date = {2019-10-10}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html}, language = {English}, urldate = {2019-11-18} } @online{carr:20191220:grunt:02cb116, author = {Nick Carr}, title = {{Tweet on GRUNT payload}}, date = {2019-12-20}, organization = {Twitter (@ItsReallyNick)}, url = {https://twitter.com/ItsReallyNick/status/1208141697282117633}, language = {English}, urldate = {2020-01-09} } @online{carr:20200114:rough:1c149da, author = {Nick Carr and Matt Bromiley}, title = {{Rough Patch: I Promise It'll Be 200 OK (Citrix ADC CVE-2019-19781)}}, date = {2020-01-14}, organization = {FireEye}, url = {https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html}, language = {English}, urldate = {2020-01-17} } @online{carr:20200601:malware:62e3d49, author = {Nick Carr}, title = {{Tweet on malware called NETFLASH}}, date = {2020-06-01}, organization = {Twitter (@ItsReallyNick)}, url = {https://twitter.com/ItsReallyNick/status/1267475216923594755}, language = {English}, urldate = {2020-06-05} } @online{carvey:20190404:mimikatz:243c11a, author = {Harlan Carvey}, title = {{Mimikatz in the Wild: Bypassing Signature-Based Detections Using the “AK47 of Cyber”}}, date = {2019-04-04}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/credential-theft-mimikatz-techniques/}, language = {English}, urldate = {2019-12-20} } @online{case:20190902:digital:0f6cd23, author = {Andrew Case and Matthew Meltzer and Steven Adair}, title = {{Digital Crackdown: Large-Scale Surveillance and Exploitation of Uyghurs}}, date = {2019-09-02}, organization = {Volexity}, url = {https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/}, language = {English}, urldate = {2019-12-06} } @online{case:20200421:evil:54c1d46, author = {Andrew Case and Dave Lassalle and Matthew Meltzer and Sean Koessel and Steven Adair and Thomas Lancaster}, title = {{Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant}}, date = {2020-04-21}, organization = {Volexity}, url = {https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/}, language = {English}, urldate = {2020-04-22} } @online{caselden:20150418:operation:f2f3cba, author = {Dan Caselden and Yasir Khalid and James “Tom” Bennett and Genwei Jiang and Corbin Souffrant and Joshua Homan and Jonathan Wrolstad and Chris Phillips and Darien Kin}, title = {{Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia’s APT28 in Highly-Targeted Attack}}, date = {2015-04-18}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html}, language = {English}, urldate = {2019-10-16} } @online{caselden:20150623:operation:dc2929c, author = {Dan Caselden and Erica Eng}, title = {{Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign}}, date = {2015-06-23}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html}, language = {English}, urldate = {2019-12-20} } @online{cashdollar:20190613:latest:1dba306, author = {Larry Cashdollar}, title = {{Latest ECHOBOT: 26 Infection Vectors}}, date = {2019-06-13}, organization = {Akamai}, url = {https://blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html}, language = {English}, urldate = {2020-01-08} } @online{caspi:20170504:osx:9f62c96, author = {Ofer Caspi}, title = {{OSX Malware is Catching Up, and it wants to Read Your HTTPS Traffic}}, date = {2017-05-04}, organization = {Check Point Software Technologies Ltd}, url = {http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/}, language = {English}, urldate = {2019-11-24} } @online{caspi:20170713:osxdok:b34ca60, author = {Ofer Caspi}, title = {{OSX/Dok Refuses to Go Away and It’s After Your Money}}, date = {2017-07-13}, organization = {Check Point}, url = {https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/}, language = {English}, urldate = {2020-01-05} } @online{caspi:20180724:emotet:a26725d, author = {Ofer Caspi and Ben Herzog}, title = {{Emotet: The Tricky Trojan that ‘Git Clones’}}, date = {2018-07-24}, organization = {Check Point}, url = {https://research.checkpoint.com/emotet-tricky-trojan-git-clones/}, language = {English}, urldate = {2020-01-13} } @online{caspi:20200519:trickbot:50c2a51, author = {Ofer Caspi}, title = {{TrickBot BazarLoader In-Depth}}, date = {2020-05-19}, organization = {AlienLabs}, url = {https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth}, language = {English}, urldate = {2020-05-20} } @online{casualmalware:20200311:firebird:6d1f8a2, author = {casual_malware}, title = {{Tweet on FireBird RAT}}, date = {2020-03-11}, organization = {Twitter (@casual_malware)}, url = {https://twitter.com/casual_malware/status/1237775601035096064}, language = {English}, urldate = {2020-03-13} } @techreport{ccc:20111008:analyse:0c4a8c9, author = {CCC}, title = {{ANALYSE EINER REGIERUNGS-MALWARE}}, date = {2011-10-08}, institution = {CCC}, url = {http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf}, language = {English}, urldate = {2020-01-07} } @online{ccncert:20181104:betabot:fd654de, author = {CCN-CERT}, title = {{BetaBot y Fleercivet, dos nuevos informes de código dañino del CCN-CERT}}, date = {2018-11-04}, organization = {CCN-CERT}, url = {https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/6087-betabot-y-fleercivet-dos-nuevos-informes-de-codigo-danino-del-ccn-cert.html}, language = {English}, urldate = {2020-01-10} } @online{ccncert:201911:informe:69b39b5, author = {CCN-CERT}, title = {{Informe Código Dañino CCN-CERT ID-26/19}}, date = {2019-11}, organization = {CCN-CERT}, url = {https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/4217-ccn-cert-id-26-19-ryuk-1/file.html}, language = {Espanyol}, urldate = {2020-01-10} } @online{ccncert:202005:malware:e6aed81, author = {CCN-CERT}, title = {{Malware report CCN-CERT ID-15/20 Snake Locker}}, date = {2020-05}, organization = {CCN-CERT}, url = {https://www.ccn-cert.cni.es/pdf/5045-ccn-cert-id-15-20-snake-locker-english-1/file.html}, language = {English}, urldate = {2020-06-10} } @online{centeno:20180501:legitimate:bd0644c, author = {Raphael Centeno}, title = {{Legitimate Application AnyDesk Bundled with New Ransomware Variant}}, date = {2018-05-01}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/legitimate-application-anydesk-bundled-with-new-ransomware-variant/}, language = {English}, urldate = {2019-10-14} } @online{centeno:20190508:dharma:cc5ac04, author = {Raphael Centeno}, title = {{Dharma Ransomware Uses AV Tool to Distract from Malicious Activities}}, date = {2019-05-08}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/dharma-ransomware-uses-av-tool-to-distract-from-malicious-activities/}, language = {English}, urldate = {2020-01-06} } @online{centeno:20200521:backdoor:d6d37a9, author = {Raphael Centeno and Llallum Victoria}, title = {{Backdoor, Devil Shadow Botnet Hidden in Fake Zoom Installers}}, date = {2020-05-21}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-devil-shadow-botnet-hidden-in-fake-zoom-installers/}, language = {English}, urldate = {2020-05-23} } @online{center:20130222:recent:b3d3f80, author = {Microsoft Security Response Center}, title = {{Recent Cyberattacks}}, date = {2013-02-22}, organization = {Microsoft}, url = {https://blogs.technet.microsoft.com/msrc/2013/02/22/recent-cyberattacks/}, language = {English}, urldate = {2019-12-20} } @online{center:20180330:analysis:4f1feb9, author = {Qi Anxin Threat Intelligence Center}, title = {{Analysis of the latest cyber attack activity of the APT organization against sensitive institutions in China}}, date = {2018-03-30}, organization = {360 Threat Intelligence}, url = {https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/}, language = {Chinese}, urldate = {2020-01-13} } @techreport{center:201803:oilrig:b3c95ff, author = {NYOTRON ATTACK RESPONSE CENTER}, title = {{OilRig is Back with Next-Generation Tools and Techniques}}, date = {2018-03}, institution = {Nyotron}, url = {https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf}, language = {English}, urldate = {2019-10-13} } @online{center:20180523:sidewinderapttapt04:2f4c2cc, author = {Tencent Mimi Threat Intelligence Center}, title = {{SideWinder“响尾蛇”APT组织(T-APT-04):针对南亚的定向攻击威胁}}, date = {2018-05-23}, organization = {Tencent}, url = {https://s.tencent.com/research/report/479.html}, language = {Chinese}, urldate = {2020-01-06} } @techreport{center:20180614:cyber:b2150a3, author = {Cyber ​​Emergency Center}, title = {{Cyber ​​Emergency Center Report No. 3}}, date = {2018-06-14}, institution = {LAC}, url = {https://www.lac.co.jp/lacwatch/pdf/20180614_cecreport_vol3.pdf}, language = {English}, urldate = {2020-07-20} } @online{center:20180723:golden:acfd437, author = {Qi Anxin Threat Intelligence Center}, title = {{Golden Rat Organization-targeted attack in Syria}}, date = {2018-07-23}, organization = {360 Threat Intelligence}, url = {https://ti.360.net/blog/articles/analysis-of-apt-c-27/}, language = {Chinese}, urldate = {2020-04-28} } @online{center:20181129:analysis:08c590c, author = {Qi Anxin Threat Intelligence Center}, title = {{Analysis Of Targeted Attack Against Pakistan By Exploiting InPage Vulnerability And Related APT Groups}}, date = {2018-11-29}, organization = {360 Threat Intelligence}, url = {https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english}, language = {English}, urldate = {2020-03-02} } @online{center:20181129:analysis:d46e3e4, author = {Threat Intelligence Center}, title = {{Analysis Of Targeted Attack Against Pakistan By Exploiting InPage Vulnerability And Related APT Groups}}, date = {2018-11-29}, organization = {360 Threat Intelligence}, url = {https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/}, language = {English}, urldate = {2020-01-10} } @online{center:20181212:donot:32e8fb0, author = {Qi Anxin Threat Intelligence Center}, title = {{Donot (APT-C-35) Group Is Targeting Pakistani Businessman Working In China}}, date = {2018-12-12}, organization = {360 Threat Intelligence}, url = {https://ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en/}, language = {English}, urldate = {2020-01-13} } @online{center:20190218:aptc36:abbf9ea, author = {Anxin Threat Intelligence Center}, title = {{APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations}}, date = {2019-02-18}, organization = {360 Threat Intelligence}, url = {https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/}, language = {English}, urldate = {2020-01-09} } @online{center:20190819:konni:5af29f8, author = {East Security Response Center}, title = {{Konni APT organization emerges as an attack disguised as Russian document}}, date = {2019-08-19}, organization = {EST Security}, url = {https://blog.alyac.co.kr/2474}, language = {Korean}, urldate = {2020-01-20} } @online{center:20191212:gallium:79f6460, author = {Microsoft Threat Intelligence Center}, title = {{GALLIUM: Targeting global telecom}}, date = {2019-12-12}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/}, language = {English}, urldate = {2020-01-07} } @techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } @online{center:20200604::a1c780b, author = {Chianxin Virus Response Center}, title = {{脚本系贼寇之风兴起,买卖体系堪比勒索软件}}, date = {2020-06-04}, url = {https://mp.weixin.qq.com/s/REXBtbnI2zXj4H3u6ofMMw}, language = {Chinese}, urldate = {2020-07-16} } @techreport{centre:20180705:nciipc:2796c50, author = {National Critical Information Infrastructure Protection Centre}, title = {{NCIIPC Newsletter July 2018}}, date = {2018-07-05}, institution = {National Critical Information Infrastructure Protection Centre}, url = {https://nciipc.gov.in/documents/NCIIPC_Newsletter_July18.pdf}, language = {English}, urldate = {2020-01-10} } @online{cepe:20100531:sasfis:7642314, author = {Joseph Cepe}, title = {{SASFIS Malware Uses a New Trick}}, date = {2010-05-31}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/sasfis-malware-uses-a-new-trick/}, language = {English}, urldate = {2020-01-09} } @techreport{cepe:20100531:sasfis:c0eab28, author = {Joseph Cepe}, title = {{SASFIS Malware Uses a New Trick}}, date = {2010-05-31}, institution = {Trend Micro}, url = {https://aptnotes.malwareconfig.com/web/viewer.html?file=../APTnotes/2014/apt28.pdf}, language = {English}, urldate = {2020-01-08} } @online{cerberus:201906:twitter:97cd9de, author = {Android Cerberus}, title = {{Twitter Account of Android Cerberus}}, date = {2019-06}, organization = {Twitter (@AndroidCerberus)}, url = {https://twitter.com/AndroidCerberus}, language = {English}, urldate = {2020-01-09} } @online{cert:20160306:network:f9244d3, author = {thyssenkrupp CERT}, title = {{Network detector for Winnti malware}}, date = {2016-03-06}, organization = {Github (TKCERT)}, url = {https://github.com/TKCERT/winnti-detector}, language = {English}, urldate = {2020-01-07} } @online{cert:20160906:kzcert:3d8bb82, author = {KZ CERT}, title = {{KZ-CERT has analyzed another sample of malicious software, which is a component of targeted attacks (Targeted attacks, Advanced Persistent Threats (APT))}}, date = {2016-09-06}, organization = {KZ CERT}, url = {http://www.kz-cert.kz/page/502}, language = {Kazakh}, urldate = {2019-10-16} } @online{cert:20180423:energetic:451033f, author = {Kaspersky Lab ICS CERT}, title = {{Energetic Bear/Crouching Yeti: attacks on servers}}, date = {2018-04-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/energetic-bear-crouching-yeti/85345/}, language = {English}, urldate = {2019-12-20} } @online{cert:20180522:nmap:1ee2530, author = {thyssenkrupp CERT}, title = {{Nmap Script to scan for Winnti infections}}, date = {2018-05-22}, organization = {Github (TKCERT)}, url = {https://github.com/TKCERT/winnti-nmap-script}, language = {English}, urldate = {2020-01-07} } @online{cert:20180919::c3b6955, author = {Antiy CERT}, title = {{绿斑”行动——持续多年的攻击}}, date = {2018-09-19}, url = {https://www.antiy.com/response/20180919.html}, language = {English}, urldate = {2020-08-14} } @online{cert:20190124:greyenergys:523e803, author = {Kaspersky Lab ICS CERT}, title = {{GreyEnergy’s overlap with Zebrocy}}, date = {2019-01-24}, organization = {Kaspersky Labs}, url = {https://securelist.com/greyenergys-overlap-with-zebrocy/89506/}, language = {English}, urldate = {2019-12-20} } @online{cert:20200522:analysis:fc8e2b2, author = {Antiy CERT}, title = {{Analysis of Ramsay components of Darkhotel's infiltration and isolation network}}, date = {2020-05-22}, organization = {Antiy CERT}, url = {https://www.antiy.cn/research/notice&report/research_report/20200522.html}, language = {Chinese}, urldate = {2020-05-23} } @online{cert:20200616:active:1c01229, author = {New Zealand CERT}, title = {{Active ransomware campaign leveraging remote access technologies}}, date = {2020-06-16}, organization = {New Zealand CERT}, url = {https://www.cert.govt.nz/it-specialists/advisories/active-ransomware-campaign-leveraging-remote-access-technologies/}, language = {English}, urldate = {2020-06-21} } @online{cert:20200617:targeted:4a2a126, author = {Kaspersky Lab ICS CERT}, title = {{Targeted attacks on industrial companies using Snake ransomware}}, date = {2020-06-17}, organization = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/alerts/2020/06/17/targeted-attacks-on-industrial-companies-using-snake-ransomware/}, language = {English}, urldate = {2020-06-18} } @online{certagid:20200713:campagna:1da46a9, author = {Cert-AgID}, title = {{Campagna sLoad v.2.9.3 veicolata via PEC}}, date = {2020-07-13}, organization = {Cert-AgID}, url = {https://cert-agid.gov.it/news/campagna-sload-v-2-9-3-veicolata-via-pec/}, language = {Italian}, urldate = {2020-07-15} } @online{certbund:20191108:spam:0630ad5, author = {CERT-Bund}, title = {{Tweet on Spam Mails containing MAZE}}, date = {2019-11-08}, organization = {Twitter (@certbund)}, url = {https://twitter.com/certbund/status/1192756294307995655}, language = {English}, urldate = {2020-01-08} } @online{certem:20180803:certfr:65e03cf, author = {CERT-EM}, title = {{CERT-FR ALERT BULLETIN}}, date = {2018-08-03}, organization = {CERT-EM}, url = {https://www.cert.ssi.gouv.fr/alerte/CERTFR-2018-ALE-008/}, language = {French}, urldate = {2020-01-08} } @techreport{certeu:20200603:cyber:681a7c2, author = {CERT-EU}, title = {{Cyber brief (June2020)}}, date = {2020-06-03}, institution = {CERT-EU}, url = {https://media.cert.europa.eu/static/MEMO/2020/TLP-WHITE-CERT-EU-CYBER-BRIEF-20-06%20v1.1.pdf}, language = {English}, urldate = {2020-06-05} } @online{certfr:20191122:rapport:c457ee8, author = {CERT-FR}, title = {{RAPPORT MENACES ET INCIDENTS DU CERT-FR}}, date = {2019-11-22}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/cti/CERTFR-2019-CTI-009/}, language = {French}, urldate = {2020-01-07} } @online{certfr:20200318:rapport:abbc7c4, author = {CERT-FR}, title = {{Rapport Menaces et Incidents du CERT-FR: Attaques par le rançongiciel Mespinoza/Pysa}}, date = {2020-03-18}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/cti/CERTFR-2020-CTI-002/}, language = {French}, urldate = {2020-03-26} } @techreport{certfr:20200423:le:4dbca96, author = {CERT-FR}, title = {{LE GROUPE CYBERCRIMINEL SILENCE}}, date = {2020-04-23}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-004.pdf}, language = {French}, urldate = {2020-05-07} } @online{certfr:20200525:indicateurs:642332f, author = {CERT-FR}, title = {{INDICATEURS DE COMPROMISSION DU CERT-FR - Objet: Le code malveillant Dridex}}, date = {2020-05-25}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/ioc/CERTFR-2020-IOC-003/}, language = {French}, urldate = {2020-06-03} } @techreport{certfr:20200525:le:ac94f72, author = {CERT-FR}, title = {{Le Code Malveillant Dridex: Origines et Usages}}, date = {2020-05-25}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-005.pdf}, language = {French}, urldate = {2020-05-26} } @techreport{certfr:20200622:volution:fba1cfa, author = {CERT-FR}, title = {{Évolution De Lactivité du Groupe Cybercriminel TA505}}, date = {2020-06-22}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf}, language = {French}, urldate = {2020-06-24} } @techreport{certfr:20200717:malware:5c58cdf, author = {CERT-FR}, title = {{The Malware Dridex: Origins and Uses}}, date = {2020-07-17}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf}, language = {English}, urldate = {2020-07-20} } @techreport{certil:20170424:wave:d0c610f, author = {CERT-IL}, title = {{Wave attacks against government agencies, academia and business entities in Israel}}, date = {2017-04-24}, institution = {CERT-IL}, url = {https://www.gov.il/BlobFolder/reports/attack_il/he/CERT-IL-ALERT-W-120.pdf}, language = {Hebrew}, urldate = {2020-05-18} } @online{certopmd:20190110:dnspionage:88c7100, author = {CERT-OPMD}, title = {{[DNSPIONAGE] – Focus on internal actions}}, date = {2019-01-10}, organization = {CERT-OPMD}, url = {https://blog-cert.opmd.fr/dnspionage-focus-on-internal-actions/}, language = {English}, urldate = {2020-01-09} } @online{certpa:20190110:divergent:c0ab442, author = {Cert-PA}, title = {{“Divergent” malware Fileless}}, date = {2019-01-10}, organization = {Cert-Pa}, url = {https://www.cert-pa.it/notizie/devergent-malware-fileless/}, language = {Italian}, urldate = {2019-11-23} } @online{certpa:20200310:campagna:dac7559, author = {Cert-PA}, title = {{Campagna sLoad “Star Wars Edition” veicolata via PEC}}, date = {2020-03-10}, organization = {Cert-Pa}, url = {https://www.cert-pa.it/notizie/campagna-sload-star-wars-edition-veicolata-via-pec/}, language = {Italian}, urldate = {2020-03-11} } @online{certpa:20200323:pwndlocker:3607042, author = {Cert-PA}, title = {{PwndLocker si rinnova in ProLock Ransomware}}, date = {2020-03-23}, organization = {Cert-Pa}, url = {https://www.cert-pa.it/notizie/pwndlocker-si-rinnova-in-prolock-ransomware/}, language = {Italian}, urldate = {2020-03-25} } @techreport{certpl:20110603:botnet:fd65588, author = {CERT.PL}, title = {{Botnet Hamweq - analiza}}, date = {2011-06-03}, institution = {CERT Polska / NASK}, url = {https://www.cert.pl/wp-content/uploads/2011/06/201106_hamweq.pdf}, language = {Polish}, urldate = {2019-11-28} } @online{certpl:20141215:banatrix:ff1a5a2, author = {CERT.PL}, title = {{Banatrix – an indepth look}}, date = {2014-12-15}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/banatrix-an-indepth-look/}, language = {English}, urldate = {2019-10-23} } @online{certpl:20151110:talking:d93cf24, author = {CERT.PL}, title = {{Talking to Dridex (part 0) – inside the dropper}}, date = {2015-11-10}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/talking-dridex-part-0-inside-the-dropper/}, language = {English}, urldate = {2020-01-06} } @techreport{certpl:201512:zeusp2p:47dc4ed, author = {CERT.PL}, title = {{ZeuS-P2P monitoring and analysis}}, date = {2015-12}, institution = {CERT.PL}, url = {https://www.cert.pl/wp-content/uploads/2015/12/2013-06-p2p-rap_en.pdf}, language = {English}, urldate = {2020-01-13} } @online{certpl:20191118:brushaloader:f75d346, author = {CERT.PL}, title = {{Brushaloader gaining new layers like a pro}}, date = {2019-11-18}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/brushaloader-gaining-new-layers-like-a-pro/}, language = {English}, urldate = {2020-01-13} } @online{certua:20180903:bulk:09fa177, author = {Cert-UA}, title = {{Bulk mailing of spyware like Pterodo}}, date = {2018-09-03}, organization = {Cert-UA}, url = {https://cert.gov.ua/news/42}, language = {Ukrainian}, urldate = {2020-01-08} } @online{certua:20181115:pterodo:3ed19e5, author = {Cert-UA}, title = {{Виявлена підготовка до проведення кібератаки з використанням ШПЗ типу Pterodo}}, date = {2018-11-15}, organization = {Cert-UA}, url = {https://cert.gov.ua/news/46}, language = {Ukrainian}, urldate = {2020-01-13} } @online{ch0sys:20170615:dubrute:3cb7c5a, author = {ch0sys}, title = {{DUBrute}}, date = {2017-06-15}, organization = {Github (ch0sys)}, url = {https://github.com/ch0sys/DUBrute}, language = {English}, urldate = {2020-01-08} } @online{chang:20160603:sends:176f9ab, author = {Yin Hong Chang and Sudeep Singh}, title = {{APT Group Sends Spear Phishing Emails to Indian Government Officials}}, date = {2016-06-03}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html}, language = {English}, urldate = {2019-12-20} } @online{chang:20170619:erebus:dee1998, author = {Ziv Chang and Gilbert Sison and Jeanne Jocson}, title = {{Erebus Resurfaces as Linux Ransomware}}, date = {2017-06-19}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-linux-ransomware/}, language = {English}, urldate = {2020-01-08} } @online{channell:20200612:what:af937e9, author = {Justin Channell}, title = {{What is the Gibberish Hack?}}, date = {2020-06-12}, organization = {SUCURI}, url = {https://blog.sucuri.net/2020/06/gibberish-hack.html}, language = {English}, urldate = {2020-06-16} } @online{charlie:20200713:fell:f278f19, author = {Charlie}, title = {{Fell Deeds Awake}}, date = {2020-07-13}, organization = {Cofense}, url = {https://cofenselabs.com/fell-deeds-awake/}, language = {English}, urldate = {2020-07-15} } @online{chaturvedi:20200710:deep:f2d16c7, author = {Rohit Chaturvedi and Naveen Selvan}, title = {{Deep Dive Into the M00nD3V Logger}}, date = {2020-07-10}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/deep-dive-m00nd3v-logger}, language = {English}, urldate = {2020-07-16} } @online{chaudhari:20171003:evolution:5462d67, author = {Pavankumar Chaudhari}, title = {{Evolution of jRAT JAVA Malware}}, date = {2017-10-03}, organization = {Seqrite}, url = {https://blogs.seqrite.com/evolution-of-jrat-java-malware/}, language = {English}, urldate = {2020-01-06} } @online{chaudhari:20200512:java:47c27e7, author = {Pavankumar Chaudhari}, title = {{Java RAT Campaign Targets Co-Operative Banks in India}}, date = {2020-05-12}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/java-rat-campaign-targets-co-operative-banks-in-india/}, language = {English}, urldate = {2020-05-23} } @online{chaudhari:20200810:gorgon:3a961be, author = {Pavankumar Chaudhari}, title = {{Gorgon APT targeting MSME sector in India}}, date = {2020-08-10}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/gorgon-apt-targeting-msme-sector-in-india/}, language = {English}, urldate = {2020-08-13} } @online{chebyshev:20200225:mobile:e40c963, author = {Victor Chebyshev}, title = {{Mobile malware evolution 2019}}, date = {2020-02-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/mobile-malware-evolution-2019/96280/}, language = {English}, urldate = {2020-02-26} } @techreport{checkpoint:20131212:malware:45645af, author = {Checkpoint}, title = {{Malware Research Group HIMAN Malware Analysis}}, date = {2013-12-12}, institution = {Checkpoint}, url = {https://www.checkpoint.com/threatcloud-central/downloads/check-point-himan-malware-analysis.pdf}, language = {English}, urldate = {2019-12-17} } @online{checkpoint:20190204:speakup:9fa2718, author = {Checkpoint}, title = {{SpeakUp: A New Undetected Backdoor Linux Trojan}}, date = {2019-02-04}, organization = {Checkpoint}, url = {https://research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/}, language = {English}, urldate = {2019-07-11} } @online{checkpoint:20200721:how:5980135, author = {Checkpoint}, title = {{How scammers are hiding their phishing trips in public clouds}}, date = {2020-07-21}, organization = {Checkpoint}, url = {https://blog.checkpoint.com/2020/07/21/how-scammers-are-hiding-their-phishing-trips-in-public-clouds/}, language = {English}, urldate = {2020-07-30} } @online{chen:20140602:sinowal:6d7af96, author = {Chao Chen}, title = {{Sinowal banking trojan}}, date = {2014-06-02}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2014/06/sinowal-banking-trojan}, language = {English}, urldate = {2020-01-10} } @online{chen:20151217:slembunk:df100af, author = {Zhaofeng Chen and Jimmy Su and Wu Zhou and Jing Xie and Heqing Huang}, title = {{SlemBunk: An Evolving Android Trojan Family Targeting Users of Worldwide Banking Apps}}, date = {2015-12-17}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html}, language = {English}, urldate = {2019-12-20} } @online{chen:20160622:after:aaa03f7, author = {Joseph C Chen}, title = {{After Angler: Shift in Exploit Kit Landscape and New Crypto-Ransomware Activity}}, date = {2016-06-22}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/angler-shift-ek-landscape-new-crytpo-ransomware-activity/}, language = {English}, urldate = {2019-10-12} } @online{chen:20161027:blackgear:00f52d4, author = {Joey Chen and MingYen Hsieh}, title = {{BLACKGEAR Espionage Campaign Evolves, Adds Japan To Target List}}, date = {2016-10-27}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-espionage-campaign-evolves-adds-japan-target-list/}, language = {English}, urldate = {2019-12-18} } @online{chen:20171107:redbaldknightbronze:63a08fe, author = {Joey Chen and MingYen Hsieh}, title = {{REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography}}, date = {2017-11-07}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/}, language = {English}, urldate = {2020-01-09} } @online{chen:20180717:blackgear:69b5213, author = {Joey Chen}, title = {{Blackgear Cyberespionage Campaign Resurfaces, Abuses Social Media for C&C Communication}}, date = {2018-07-17}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-cyberespionage-campaign-resurfaces-abuses-social-media-for-cc-communication/}, language = {English}, urldate = {2020-01-13} } @online{chen:20180918:magecart:af83872, author = {Joseph C Chen}, title = {{Magecart Skimming Attack Targets Mobile Users of Hotel Chain Booking Websites}}, date = {2018-09-18}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/magecart-skimming-attack-targets-mobile-users-of-hotel-chain-booking-websites/}, language = {English}, urldate = {2020-01-08} } @online{chen:20190418:predator:5135f9f, author = {Yueh-Ting Chen and Evgeny Ananin}, title = {{Predator the Thief: New Routes of Delivery}}, date = {2019-04-18}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/predator-the-thief-new-routes-delivery.html}, language = {English}, urldate = {2019-12-17} } @online{chen:20190503:mirrorthief:05f07e5, author = {Joseph C Chen}, title = {{Mirrorthief Group Uses Magecart Skimming Attack to Hit Hundreds of Campus Online Stores in US and Canada}}, date = {2019-05-03}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada/}, language = {English}, urldate = {2019-11-27} } @online{chen:20191009:fin6:11bb05d, author = {Joseph C. Chen}, title = {{FIN6 Compromised E-commerce Platform via Magecart to Inject Credit Card Skimmers Into Thousands of Online Shops}}, date = {2019-10-09}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops/}, language = {English}, urldate = {2020-02-25} } @techreport{chen:20191129:operation:16f5aaa, author = {Joey Chen and Hiroyuki Kakara and Masaoki Shoji}, title = {{Operation ENDTRADE:TICK: 2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data}}, date = {2019-11-29}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf}, language = {English}, urldate = {2020-06-02} } @online{chen:20191129:operation:749d75d, author = {Joey Chen and Hiroyuki Kakara and Masaoki Shoji}, title = {{Operation ENDTRADE: Finding Multi-Stage Backdoors that TICK}}, date = {2019-11-29}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/}, language = {English}, urldate = {2019-12-17} } @online{chen:20200217:clambling:1a0bb8e, author = {Theo Chen and Zero Chen}, title = {{CLAMBLING - A New Backdoor Base On Dropbox}}, date = {2020-02-17}, organization = {Talent-Jump Technologies}, url = {http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/}, language = {English}, urldate = {2020-03-30} } @online{chen:20200512:tropic:8fff7a4, author = {Joey Chen}, title = {{Tropic Trooper’s Back: USBferry Attack Targets Air-gapped Environments}}, date = {2020-05-12}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-troopers-back-usbferry-attack-targets-air-gapped-environments/}, language = {English}, urldate = {2020-05-14} } @techreport{chen:20200512:tropic:a3285d0, author = {Joey Chen}, title = {{Tropic Trooper’s Back: USBferry Attack Targets Air-gapped Environments (Technical Brief)}}, date = {2020-05-12}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf}, language = {English}, urldate = {2020-05-14} } @online{chen:20200626:us:8bce65c, author = {Joseph C Chen}, title = {{US Local Government Services Targeted by New Magecart Credit Card Skimming Attack}}, date = {2020-06-26}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/us-local-government-services-targeted-by-new-magecart-credit-card-skimming-attack/}, language = {English}, urldate = {2020-06-30} } @online{chen:20200806:water:e7860e3, author = {Marshall Chen and Loseway Lu and Yorkbing Yap and Fyodor Yarochkin}, title = {{Water Nue Phishing Campaign Targets C-Suite’s Office 365 Accounts}}, date = {2020-08-06}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/water-nue-campaign-targets-c-suites-office-365-accounts/}, language = {English}, urldate = {2020-08-13} } @online{cheng:20170421:china:ab10228, author = {Jonathan Cheng and Josh Chin}, title = {{China Hacked South Korea Over Missile Defense, U.S. Firm Says}}, date = {2017-04-21}, organization = {The Wall Street Journal}, url = {https://www.wsj.com/articles/chinas-secret-weapon-in-south-korea-missile-fight-hackers-1492766403?emailToken=JRrydPtyYnqTg9EyZsw31FwuZ7JNEOKCXF7LaW/HM1DLsjnUp6e6wLgph560pnmiTAN/5ssf7moyADPQj2p2Gc+YkL1yi0zhIiUM9M6aj1HTYQ==}, language = {English}, urldate = {2020-01-06} } @techreport{cherepanov:20141113:roaming:1b09324, author = {Anton Cherepanov}, title = {{Roaming tiger}}, date = {2014-11-13}, institution = {ZeroNights}, url = {http://2014.zeronights.org/assets/files/slides/roaming_tiger_zeronights_2014.pdf}, language = {English}, urldate = {2020-01-09} } @online{cherepanov:20150908:carbanak:c9457cd, author = {Anton Cherepanov}, title = {{Carbanak gang is back and packing new guns}}, date = {2015-09-08}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2015/09/08/carbanak-gang-is-back-and-packing-new-guns/}, language = {English}, urldate = {2019-11-14} } @techreport{cherepanov:20160517:operation:e907b67, author = {Anton Cherepanov}, title = {{Operation Groundbait: Analysis of a surveillance toolkit}}, date = {2016-05-17}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf}, language = {English}, urldate = {2019-10-25} } @online{cherepanov:20161213:rise:d6ee3c1, author = {Anton Cherepanov}, title = {{The rise of TeleBots: Analyzing disruptive KillDisk attacks}}, date = {2016-12-13}, organization = {ESET Research}, url = {http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/}, language = {English}, urldate = {2019-12-20} } @online{cherepanov:20170523:xdata:98a14a3, author = {Anton Cherepanov}, title = {{XData ransomware making rounds amid global WannaCryptor scare}}, date = {2017-05-23}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/05/23/xdata-ransomware-making-rounds-amid-global-wannacryptor-scare/}, language = {English}, urldate = {2020-01-13} } @online{cherepanov:20170612:industroyer:15f0bec, author = {Anton Cherepanov and Robert Lipovsky}, title = {{Industroyer: Biggest threat to industrial control systems since Stuxnet}}, date = {2017-06-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/}, language = {English}, urldate = {2019-11-14} } @techreport{cherepanov:20170612:win32industroyer:060c0e6, author = {Anton Cherepanov}, title = {{WIN32/INDUSTROYER: A new threat for industrial control systems}}, date = {2017-06-12}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf}, language = {English}, urldate = {2020-01-13} } @online{cherepanov:20170630:telebots:84aa93d, author = {Anton Cherepanov}, title = {{TeleBots are back: Supply‑chain attacks against Ukraine}}, date = {2017-06-30}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/}, language = {English}, urldate = {2019-12-20} } @techreport{cherepanov:20170703:blackenergy:2403feb, author = {Anton Cherepanov and Robert Lipovsky}, title = {{BlackEnergy – what we really know about the notorious cyber attacks}}, date = {2017-07-03}, institution = {ESET Research}, url = {https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Cherepanov-Lipovsky.pdf}, language = {English}, urldate = {2019-10-14} } @online{cherepanov:20170704:analysis:37c48b2, author = {Anton Cherepanov}, title = {{Analysis of TeleBots’ cunning backdoor}}, date = {2017-07-04}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/}, language = {English}, urldate = {2019-11-14} } @online{cherepanov:20171005:industroyer:4406e62, author = {Anton Cherepanov and Robert Lipovsky}, title = {{Industroyer: Biggest threat to industrial control systems since Stuxnet}}, date = {2017-10-05}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/conference/vb2017/abstracts/last-minute-paper-industroyer-biggest-threat-industrial-control-systems-stuxnet/}, language = {English}, urldate = {2020-01-09} } @online{cherepanov:20180709:certificates:ae214b6, author = {Anton Cherepanov}, title = {{Certificates stolen from Taiwanese tech‑companies misused in Plead malware campaign}}, date = {2018-07-09}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/}, language = {English}, urldate = {2019-11-14} } @online{cherepanov:20181011:new:8e588c3, author = {Anton Cherepanov and Robert Lipovsky}, title = {{New TeleBots backdoor: First evidence linking Industroyer to NotPetya}}, date = {2018-10-11}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/}, language = {English}, urldate = {2019-11-14} } @online{cherepanov:20181017:eset:c34687b, author = {Anton Cherepanov and Robert Lipovsky}, title = {{ESET unmasks ‘GREYENERGY’ cyber-espionage group}}, date = {2018-10-17}, organization = {ESET Research}, url = {https://www.eset.com/int/greyenergy-exposed/}, language = {English}, urldate = {2020-01-13} } @online{cherepanov:20181017:greyenergy:f328dbf, author = {Anton Cherepanov and Robert Lipovsky}, title = {{GreyEnergy: Updated arsenal of one of the most dangerous threat actors}}, date = {2018-10-17}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/}, language = {English}, urldate = {2020-01-07} } @techreport{cherepanov:20181018:greyenergy:9885d0c, author = {Anton Cherepanov}, title = {{GREYENERGY: A successor to BlackEnergy}}, date = {2018-10-18}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf}, language = {English}, urldate = {2020-01-09} } @online{cherepanov:20190514:plead:3140588, author = {Anton Cherepanov}, title = {{Plead malware distributed via MitM attacks at router level, misusing ASUS WebStorage}}, date = {2019-05-14}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/}, language = {English}, urldate = {2019-11-14} } @online{chester:20170813:analysis:11db4f8, author = {Adam Chester}, title = {{Analysis of APT28 hospitality malware (Part 2)}}, date = {2017-08-13}, url = {https://blog.xpnsec.com/apt28-hospitality-malware-part-2/}, language = {English}, urldate = {2020-01-08} } @online{chiang:20070403:case:5dd68c2, author = {Ken Chiang and Levi Lloyd}, title = {{A Case Study of the Rustock Rootkit and Spam Bot}}, date = {2007-04-03}, organization = {USENIX}, url = {https://www.usenix.org/legacy/event/hotbots07/tech/full_papers/chiang/chiang_html/index.html}, language = {English}, urldate = {2019-12-17} } @techreport{chien:2011:nitro:76c8338, author = {Eric Chien and Gavin O'Gorman}, title = {{The Nitro Attacks}}, date = {2011}, institution = {Symantec}, url = {http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf}, language = {English}, urldate = {2020-01-13} } @online{chili:20180201:operation:305d726, author = {Ivona Alexandra Chili and Bogdan Botezatu}, title = {{Operation PZChao: a possible return of the Iron Tiger APT}}, date = {2018-02-01}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/}, language = {English}, urldate = {2020-01-05} } @online{chimino:20190206:icedid:ef0caad, author = {Itzik Chimino and Limor Kessem and Ophir Harpaz}, title = {{IcedID Operators Using ATSEngine Injection Panel to Hit E-Commerce Sites}}, date = {2019-02-06}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/icedid-operators-using-atsengine-injection-panel-to-hit-e-commerce-sites/}, language = {English}, urldate = {2020-01-08} } @online{chirgwin:20180110:taiwanese:1ccf7ce, author = {Richard Chirgwin}, title = {{Taiwanese cops give malware-laden USB sticks as prizes for security quiz}}, date = {2018-01-10}, organization = {The Register}, url = {https://www.theregister.co.uk/2018/01/10/taiwanese_police_malware/}, language = {English}, urldate = {2020-01-09} } @online{chiu:20170621:player:b44064a, author = {Alex Chiu and Warren Mercer and Jaeson Schultz and Sean Baird and Matthew Molyett}, title = {{Player 1 Limps Back Into the Ring - Hello again, Locky!}}, date = {2017-06-21}, organization = {Cisco}, url = {http://blog.talosintelligence.com/2017/06/necurs-locky-campaign.html}, language = {English}, urldate = {2019-12-17} } @online{chohan:20180816:chinese:91aaa15, author = {Sanil Chohan and Winnona Desombre and Justin Grosfelt}, title = {{Chinese Cyberespionage Originating From Tsinghua University Infrastructure}}, date = {2018-08-16}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/chinese-cyberespionage-operations/}, language = {English}, urldate = {2020-01-09} } @online{chokepoint:20170417:azazel:0fc47c6, author = {chokepoint}, title = {{Azazel}}, date = {2017-04-17}, organization = {Github (chokepoint)}, url = {https://github.com/chokepoint/azazel}, language = {English}, urldate = {2020-01-10} } @online{chong:20120416:detailed:3f191a4, author = {Rong Hwa Chong}, title = {{Detailed Analysis Of Sykipot (Smartcard Proxy Variant)}}, date = {2012-04-16}, organization = {SANS}, url = {https://www.sans.org/reading-room/whitepapers/malicious/detailed-analysis-sykipot-smartcard-proxy-variant-33919}, language = {English}, urldate = {2020-01-07} } @online{chong:20130401:trojanaptbanechant:3b8eea7, author = {Rong Hwa Chong}, title = {{Trojan.APT.BaneChant: In-Memory Trojan That Observes for Multiple Mouse Clicks}}, date = {2013-04-01}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html}, language = {English}, urldate = {2020-07-15} } @online{chris:20140501:hunting:bcefc84, author = {Chris}, title = {{Hunting Hidden Lynx: How OSINT is Crucial for APT Analysis}}, date = {2014-05-01}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/hidden-lynx-analysis/}, language = {English}, urldate = {2020-01-07} } @online{chrisjd20:20170512:powershellwebbackdoor:ceb76d4, author = {chrisjd20}, title = {{powershell_web_backdoor}}, date = {2017-05-12}, organization = {Github (chrisjd20)}, url = {https://github.com/chrisjd20/powershell_web_backdoor}, language = {English}, urldate = {2020-01-06} } @online{chrysaidos:20151104:droidjack:d4ab0f5, author = {Nikolaos Chrysaidos}, title = {{DroidJack isn’t the only spying software out there: Avast discovers OmniRat}}, date = {2015-11-04}, organization = {Avast}, url = {https://blog.avast.com/2015/11/05/droidjack-isnt-the-only-spying-software-out-there-avast-discovers-that-omnirat-is-currently-being-used-and-spread-by-criminals-to-gain-full-remote-co}, language = {English}, urldate = {2019-12-10} } @online{chrysaidos:20171220:new:6ebc559, author = {Nikolaos Chrysaidos}, title = {{New version of mobile malware Catelites possibly linked to Cron cyber gang}}, date = {2017-12-20}, organization = {Avast}, url = {https://blog.avast.com/new-version-of-mobile-malware-catelites-possibly-linked-to-cron-cyber-gang}, language = {English}, urldate = {2020-01-07} } @online{chumley:20140529:iranian:38c457f, author = {Cheryl K. Chumley}, title = {{Iranian hackers sucker punch U.S. defense officials with creative social-media scam}}, date = {2014-05-29}, organization = {The Washington Times}, url = {https://www.washingtontimes.com/news/2014/may/29/iranian-hackers-sucker-punch-us-defense-heads-crea/}, language = {English}, urldate = {2020-01-06} } @online{ciccarelli:20191121:going:0e7cac5, author = {Mario Ciccarelli}, title = {{Going Deep | A Guide to Reversing Smoke Loader Malware}}, date = {2019-11-21}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/}, language = {English}, urldate = {2020-01-07} } @online{cid:20140318:windigo:7fd6adb, author = {Daniel B. Cid}, title = {{Windigo Linux Analysis – Ebury and Cdorked}}, date = {2014-03-18}, url = {https://blog.sucuri.net/2014/03/windigo-linux-analysis-ebury-and-cdorked.html}, language = {English}, urldate = {2019-12-18} } @online{cimpanu:20160112:trochilus:2b0bc1c, author = {Catalin Cimpanu}, title = {{Trochilus RAT Evades Antivirus Detection, Used for Cyber-Espionage in South-East Asia}}, date = {2016-01-12}, organization = {Softpedia News}, url = {https://news.softpedia.com/news/trochilus-rat-evades-antivirus-detection-used-for-cyber-espionage-in-south-east-asia-498776.shtml}, language = {English}, urldate = {2020-01-13} } @online{cimpanu:20160309:korean:06f01a0, author = {Catalin Cimpanu}, title = {{Korean Energy and Transportation Targets Attacked by OnionDog APT}}, date = {2016-03-09}, organization = {SOFTPEDIA® NEWS}, url = {http://news.softpedia.com/news/korean-energy-and-transportation-targets-attacked-by-oniondog-apt-501534.shtml}, language = {English}, urldate = {2019-12-24} } @online{cimpanu:20160911:free:c125edd, author = {Catalin Cimpanu}, title = {{Free Darktrack RAT Has the Potential of Being the Best RAT on the Market Search}}, date = {2016-09-11}, organization = {Softpedia News}, url = {http://news.softpedia.com/news/free-darktrack-rat-has-the-potential-of-being-the-best-rat-on-the-market-508179.shtml}, language = {English}, urldate = {2019-12-17} } @online{cimpanu:20161209:proof:25c0bdd, author = {Catalin Cimpanu}, title = {{"Proof of Concept" CryptoWire Ransomware Spawns Lomix and UltraLocker Families}}, date = {2016-12-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/-proof-of-concept-cryptowire-ransomware-spawns-lomix-and-ultralocker-families/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20170104:firecrypt:5b965cd, author = {Catalin Cimpanu}, title = {{FireCrypt Ransomware Comes With a DDoS Component}}, date = {2017-01-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20170117:new:3c28f96, author = {Catalin Cimpanu}, title = {{New GhostAdmin Malware Used for Data Theft and Exfiltration}}, date = {2017-01-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-ghostadmin-malware-used-for-data-theft-and-exfiltration/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20170206:polish:577f33c, author = {Catalin Cimpanu}, title = {{Polish Banks Infected with Malware Hosted on Their Own Government's Site}}, date = {2017-02-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/polish-banks-infected-with-malware-hosted-on-their-own-governments-site/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20170410:longhorn:97fddcb, author = {Catalin Cimpanu}, title = {{Longhorn Cyber-Espionage Group Is Actually the CIA}}, date = {2017-04-10}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/longhorn-cyber-espionage-group-is-actually-the-cia/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20170421:brickerbot:658d8b8, author = {Catalin Cimpanu}, title = {{BrickerBot Author Claims He Bricked Two Million Devices}}, date = {2017-04-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/brickerbot-author-claims-he-bricked-two-million-devices/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20170622:locky:4a088f0, author = {Catalin Cimpanu}, title = {{Locky Ransomware Returns, but Targets Only Windows XP & Vista}}, date = {2017-06-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/locky-ransomware-returns-but-targets-only-windows-xp-and-vista/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20170629:ransomware:d2d7b40, author = {Catalin Cimpanu}, title = {{Ransomware Attacks Continue in Ukraine with Mysterious WannaCry Clone}}, date = {2017-06-29}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-attacks-continue-in-ukraine-with-mysterious-wannacry-clone/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20170826:us:0d7249a, author = {Catalin Cimpanu}, title = {{US Arrests Chinese Man Involved With Sakula Malware Used in OPM and Anthem Hacks}}, date = {2017-08-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/us-arrests-chinese-man-involved-with-sakula-malware-used-in-opm-and-anthem-hacks/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20171101:cryptoshuffler:64a3db4, author = {Catalin Cimpanu}, title = {{CryptoShuffler Stole $150,000 by Replacing Bitcoin Wallet IDs in PC Clipboards}}, date = {2017-11-01}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20171109:ordinypt:cc9c071, author = {Catalin Cimpanu}, title = {{Ordinypt Ransomware Intentionally Destroys Files, Currently Targeting Germany}}, date = {2017-11-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ordinypt-ransomware-intentionally-destroys-files-currently-targeting-germany/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20171124:mirai:ea4773e, author = {Catalin Cimpanu}, title = {{Mirai Activity Picks up Once More After Publication of PoC Exploit Code}}, date = {2017-11-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/mirai-activity-picks-up-once-more-after-publication-of-poc-exploit-code/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20171211:brickerbot:52db283, author = {Catalin Cimpanu}, title = {{BrickerBot Author Retires Claiming to Have Bricked over 10 Million IoT Devices}}, date = {2017-12-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/brickerbot-author-retires-claiming-to-have-bricked-over-10-million-iot-devices/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20171212:moneytaker:b5f4fbb, author = {Catalin Cimpanu}, title = {{MoneyTaker Hacker Group Steals Millions from US and Russian Banks}}, date = {2017-12-12}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/moneytaker-hacker-group-steals-millions-from-us-and-russian-banks/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180124:new:90c5883, author = {Catalin Cimpanu}, title = {{New HNS IoT Botnet Has Already Amassed 14K Bots}}, date = {2018-01-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180226:nanocore:4659d30, author = {Catalin Cimpanu}, title = {{Nanocore RAT Author Gets 33 Months in Prison}}, date = {2018-02-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/nanocore-rat-author-gets-33-months-in-prison/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180418:stresspaint:640ad68, author = {Catalin Cimpanu}, title = {{Stresspaint Malware Steals Facebook Credentials and Session Cookies}}, date = {2018-04-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/stresspaint-malware-steals-facebook-credentials-and-session-cookies/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180427:north:b7ed973, author = {Catalin Cimpanu}, title = {{North Korean Hackers Are up to No Good Again}}, date = {2018-04-27}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180508:hide:5ab3dfd, author = {Catalin Cimpanu}, title = {{"Hide and Seek" Becomes First IoT Botnet Capable of Surviving Device Reboots}}, date = {2018-05-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hide-and-seek-becomes-first-iot-botnet-capable-of-surviving-device-reboots/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180612:trik:137e306, author = {Catalin Cimpanu}, title = {{Trik Spam Botnet Leaks 43 Million Email Addresses}}, date = {2018-06-12}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180614:dbger:c326e0a, author = {Catalin Cimpanu}, title = {{DBGer Ransomware Uses EternalBlue and Mimikatz to Spread Across Networks}}, date = {2018-06-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/dbger-ransomware-uses-eternalblue-and-mimikatz-to-spread-across-networks/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180615:chinese:e0be0ab, author = {Catalin Cimpanu}, title = {{Chinese Cyber-Espionage Group Hacked Government Data Center}}, date = {2018-06-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/chinese-cyber-espionage-group-hacked-government-data-center/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180615:hacker:e0452dd, author = {Catalin Cimpanu}, title = {{Hacker Breaches Syscoin GitHub Account and Poisons Official Client}}, date = {2018-06-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hacker-breaches-syscoin-github-account-and-poisons-official-client/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180706:hns:c7115f1, author = {Catalin Cimpanu}, title = {{HNS Evolves From IoT to Cross-Platform Botnet}}, date = {2018-07-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hns-evolves-from-iot-to-cross-platform-botnet/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180719:router:38a2d38, author = {Catalin Cimpanu}, title = {{Router Crapfest: Malware Author Builds 18,000-Strong Botnet in a Day}}, date = {2018-07-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/router-crapfest-malware-author-builds-18-000-strong-botnet-in-a-day/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180728:new:b35a74a, author = {Catalin Cimpanu}, title = {{New Underminer Exploit Kit Discovered Pushing Bootkits and CoinMiners}}, date = {2018-07-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-underminer-exploit-kit-discovered-pushing-bootkits-and-coinminers/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180821:microsoft:bc5c2f0, author = {Catalin Cimpanu}, title = {{Microsoft Disrupts APT28 Hacking Campaign Aimed at US Midterm Elections}}, date = {2018-08-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/microsoft-disrupts-apt28-hacking-campaign-aimed-at-us-midterm-elections/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180823:lazarus:e929232, author = {Catalin Cimpanu}, title = {{Lazarus Group Deploys Its First Mac Malware in Cryptocurrency Exchange Hack}}, date = {2018-08-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/lazarus-group-deploys-its-first-mac-malware-in-cryptocurrency-exchange-hack/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180824:iranian:04296ee, author = {Catalin Cimpanu}, title = {{Iranian Hackers Charged in March Are Still Actively Phishing Universities}}, date = {2018-08-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/iranian-hackers-charged-in-march-are-still-actively-phishing-universities/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180905:new:c1c9e19, author = {Catalin Cimpanu}, title = {{New Silence hacking group suspected of having ties to cyber-security industry}}, date = {2018-09-05}, organization = {ZDNet}, url = {https://www.zdnet.com/article/new-silence-hacking-group-suspected-of-having-ties-to-cyber-security-industry/}, language = {English}, urldate = {2019-12-19} } @online{cimpanu:20190116:north:8f56bd0, author = {Catalin Cimpanu}, title = {{North Korean hackers infiltrate Chile's ATM network after Skype job interview}}, date = {2019-01-16}, organization = {ZDNet}, url = {https://www.zdnet.com/article/north-korean-hackers-infiltrate-chiles-atm-network-after-skype-job-interview/}, language = {English}, urldate = {2020-01-10} } @online{cimpanu:20190214:127:78132dd, author = {Catalin Cimpanu}, title = {{127 million user records from 8 companies put up for sale on the dark web}}, date = {2019-02-14}, organization = {ZDNet}, url = {https://www.zdnet.com/article/127-million-user-records-from-8-companies-put-up-for-sale-on-the-dark-web/}, language = {English}, urldate = {2019-12-24} } @online{cimpanu:20190217:hacker:19fe800, author = {Catalin Cimpanu}, title = {{Hacker puts up for sale third round of hacked databases on the Dark Web}}, date = {2019-02-17}, organization = {ZDNet}, url = {https://www.zdnet.com/article/hacker-puts-up-for-sale-third-round-of-hacked-databases-on-the-dark-web/}, language = {English}, urldate = {2020-01-10} } @online{cimpanu:20190317:round:53521b8, author = {Catalin Cimpanu}, title = {{Round 4: Hacker returns and puts 26Mil user records for sale on the Dark Web}}, date = {2019-03-17}, organization = {ZDNet}, url = {https://www.zdnet.com/article/round-4-hacker-returns-and-puts-26mil-user-records-for-sale-on-the-dark-web/}, language = {English}, urldate = {2019-12-15} } @online{cimpanu:20190415:hacker:4b851e8, author = {Catalin Cimpanu}, title = {{A hacker has dumped nearly one billion user records over the past two months}}, date = {2019-04-15}, organization = {ZDNet}, url = {https://www.zdnet.com/article/a-hacker-has-dumped-nearly-one-billion-user-records-over-the-past-two-months/}, language = {English}, urldate = {2020-01-05} } @online{cimpanu:20190419:security:683479e, author = {Catalin Cimpanu}, title = {{Security researcher MalwareTech pleads guilty}}, date = {2019-04-19}, organization = {ZDNet}, url = {https://www.zdnet.com/article/security-researcher-malwaretech-pleads-guilty/}, language = {English}, urldate = {2020-01-13} } @online{cimpanu:20190509:new:f8a3f46, author = {Catalin Cimpanu}, title = {{New leaks of Iranian cyber-espionage operations hit Telegram and the Dark Web}}, date = {2019-05-09}, organization = {ZDNet}, url = {https://www.zdnet.com/article/new-leaks-of-iranian-cyber-espionage-operations-hit-telegram-and-the-dark-web/}, language = {English}, urldate = {2020-01-09} } @online{cimpanu:20191010:new:3f09021, author = {Catalin Cimpanu}, title = {{New espionage malware found targeting Russian-speaking users in Eastern Europe}}, date = {2019-10-10}, organization = {ZDNet}, url = {https://www.zdnet.com/article/new-espionage-malware-found-targeting-russian-speaking-users-in-eastern-europe/}, language = {English}, urldate = {2020-01-06} } @online{cimpanu:20191120:new:f9c81de, author = {Catalin Cimpanu}, title = {{New Roboto botnet emerges targeting Linux servers running Webmin}}, date = {2019-11-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/new-roboto-botnet-emerges-targeting-linux-servers-running-webmin}, language = {English}, urldate = {2019-12-17} } @online{cimpanu:20191123:extensive:4db6fce, author = {Catalin Cimpanu}, title = {{Extensive hacking operation discovered in Kazakhstan}}, date = {2019-11-23}, organization = {ZDNet}, url = {https://www.zdnet.com/article/extensive-hacking-operation-discovered-in-kazakhstan/}, language = {English}, urldate = {2020-01-08} } @online{cimpanu:20200108:naive:31da98b, author = {Catalin Cimpanu}, title = {{Naive IoT botnet wastes its time mining cryptocurrency}}, date = {2020-01-08}, organization = {ZDNet}, url = {https://www.zdnet.com/article/naive-iot-botnet-wastes-its-time-mining-cryptocurrency/}, language = {English}, urldate = {2020-01-13} } @online{cimpanu:20200123:someone:fb903da, author = {Catalin Cimpanu}, title = {{Someone is uninstalling the Phorpiex malware from infected PCs and telling users to install an antivirus}}, date = {2020-01-23}, organization = {ZDNet}, url = {https://www.zdnet.com/article/someone-is-uninstalling-the-phorpiex-malware-from-infected-pcs-and-telling-users-to-install-an-antivirus/}, language = {English}, urldate = {2020-01-27} } @online{cimpanu:20200129:dod:57de65d, author = {Catalin Cimpanu}, title = {{DOD contractor suffers ransomware infection}}, date = {2020-01-29}, organization = {ZDNet}, url = {https://www.zdnet.com/article/dod-contractor-suffers-ransomware-infection/}, language = {English}, urldate = {2020-02-03} } @online{cimpanu:20200210:fbi:1904430, author = {Catalin Cimpanu}, title = {{FBI warns about ongoing attacks against software supply chain companies}}, date = {2020-02-10}, organization = {ZDNet}, url = {https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/}, language = {English}, urldate = {2020-02-11} } @online{cimpanu:20200220:croatias:ac07fa3, author = {Catalin Cimpanu}, title = {{Croatia's largest petrol station chain impacted by cyber-attack}}, date = {2020-02-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/croatias-largest-petrol-station-chain-impacted-by-cyber-attack/}, language = {English}, urldate = {2020-02-26} } @online{cimpanu:20200229:meet:b1d7dbd, author = {Catalin Cimpanu}, title = {{Meet the white-hat group fighting Emotet, the world's most dangerous malware}}, date = {2020-02-29}, organization = {ZDNet}, url = {https://www.zdnet.com/article/meet-the-white-hat-group-fighting-emotet-the-worlds-most-dangerous-malware/}, language = {English}, urldate = {2020-03-02} } @online{cimpanu:20200319:france:9882b07, author = {Catalin Cimpanu}, title = {{France warns of new ransomware gang targeting local governments}}, date = {2020-03-19}, organization = {ZDNet}, url = {https://www.zdnet.com/article/france-warns-of-new-ransomware-gang-targeting-local-governments/}, language = {English}, urldate = {2020-03-26} } @online{cimpanu:20200327:booz:90c4f8d, author = {Catalin Cimpanu}, title = {{Booz Allen analyzed 200+ Russian hacking operations to better understand their tactics}}, date = {2020-03-27}, organization = {ZDNet}, url = {https://www.zdnet.com/article/booz-allen-analyzed-200-russian-hacking-operations-to-better-understand-their-tactics/}, language = {English}, urldate = {2020-03-27} } @online{cimpanu:20200331:fbi:91630df, author = {Catalin Cimpanu}, title = {{FBI re-sends alert about supply chain attacks for the third time in three months}}, date = {2020-03-31}, organization = {ZDNet}, url = {https://www.zdnet.com/article/fbi-re-sends-alert-about-supply-chain-attacks-for-the-third-time-in-three-months/}, language = {English}, urldate = {2020-04-07} } @online{cimpanu:20200427:shade:4d47bf1, author = {Catalin Cimpanu}, title = {{Shade (Troldesh) ransomware shuts down and releases decryption keys}}, date = {2020-04-27}, organization = {ZDNet}, url = {https://www.zdnet.com/article/shade-troldesh-ransomware-shuts-down-and-releases-all-decryption-keys/}, language = {English}, urldate = {2020-04-28} } @online{cimpanu:20200518:fbi:54e14c9, author = {Catalin Cimpanu}, title = {{FBI: ProLock ransomware gains access to victim networks via Qakbot infections}}, date = {2020-05-18}, organization = {ZDNet}, url = {https://www.zdnet.com/article/fbi-prolock-ransomware-gains-access-to-victim-networks-via-qakbot-infections/}, language = {English}, urldate = {2020-05-18} } @online{cimpanu:20200602:revil:883c59f, author = {Catalin Cimpanu}, title = {{REvil ransomware gang launches auction site to sell stolen data}}, date = {2020-06-02}, organization = {ZDNet}, url = {https://www.zdnet.com/article/revil-ransomware-gang-launches-auction-site-to-sell-stolen-data/}, language = {English}, urldate = {2020-06-03} } @online{cimpanu:20200603:ransomware:116ecb8, author = {Catalin Cimpanu}, title = {{Ransomware gang says it breached one of NASA's IT contractors}}, date = {2020-06-03}, organization = {ZDNet}, url = {https://www.zdnet.com/article/ransomware-gang-says-it-breached-one-of-nasas-it-contractors/}, language = {English}, urldate = {2020-06-03} } @online{cimpanu:20200615:web:a10a55d, author = {Catalin Cimpanu}, title = {{Web skimmers found on the websites of Intersport, Claire's, and Icing}}, date = {2020-06-15}, organization = {ZDNet}, url = {https://www.zdnet.com/article/web-skimmers-found-on-the-websites-of-intersport-claires-and-icing/}, language = {English}, urldate = {2020-06-16} } @online{cimpanu:20200715:chinese:0ff06bd, author = {Catalin Cimpanu}, title = {{Chinese state hackers target Hong Kong Catholic Church}}, date = {2020-07-15}, organization = {ZDNet}, url = {https://www.zdnet.com/article/chinese-state-hackers-target-hong-kong-catholic-church/}, language = {English}, urldate = {2020-07-30} } @online{cimpanu:20200810:fbi:704abe2, author = {Catalin Cimpanu}, title = {{FBI says an Iranian hacking group is attacking F5 networking devices}}, date = {2020-08-10}, organization = {ZDNet}, url = {https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices/}, language = {English}, urldate = {2020-08-12} } @techreport{circl:20130329:analysis:b3c48b0, author = {CIRCL}, title = {{Analysis Report (TLP:WHITE) Analysis of a PlugX variant (PlugX version 7.0)}}, date = {2013-03-29}, institution = {Computer Incident Response Center Luxembourg}, url = {https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf}, language = {English}, urldate = {2019-11-24} } @techreport{circl:20130529:malware:cd9f6f8, author = {CIRCL}, title = {{Malware analysis report of a Backdoor.Snifula variant}}, date = {2013-05-29}, institution = {CIRCL}, url = {https://www.circl.lu/assets/files/tr-13/tr-13-snifula-analysis-report-v1.3.pdf}, language = {English}, urldate = {2019-07-11} } @techreport{circl:20130530:analysis:e828e08, author = {CIRCL}, title = {{Analysis of a stage 3 Miniduke sample}}, date = {2013-05-30}, institution = {CIRCL}, url = {https://www.circl.lu/files/tr-14/circl-analysisreport-miniduke-stage3-public.pdf}, language = {English}, urldate = {2020-01-08} } @online{circl:20141126:tr23:fb5d867, author = {CIRCL}, title = {{TR-23 Analysis - NetWiredRC malware}}, date = {2014-11-26}, organization = {CIRCL}, url = {https://www.circl.lu/pub/tr-23/}, language = {English}, urldate = {2020-01-09} } @online{circl:2014:tr25:97f9b0e, author = {CIRCL}, title = {{TR-25 Analysis - Turla / Pfinet / Snake/ Uroburos}}, date = {2014}, organization = {circl.lu}, url = {https://www.circl.lu/pub/tr-25/}, language = {English}, urldate = {2020-07-01} } @online{cisa:20170412:ics:0d94c2e, author = {CISA}, title = {{ICS Alert (ICS-ALERT-17-102-01A)}}, date = {2017-04-12}, organization = {CISA}, url = {https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-102-01A}, language = {English}, urldate = {2020-01-09} } @online{cisa:20170612:alert:7799e28, author = {CISA}, title = {{Alert (TA17-163A)}}, date = {2017-06-12}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/alerts/TA17-163A}, language = {English}, urldate = {2020-01-08} } @online{cisa:20180809:malware:71c0559, author = {CISA}, title = {{Malware Analysis Report (AR18-221A)}}, date = {2018-08-09}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/analysis-reports/AR18-221A}, language = {English}, urldate = {2020-01-07} } @online{cisa:20190509:malware:0fa3b40, author = {CISA}, title = {{Malware Analysis Report (AR19-129A)}}, date = {2019-05-09}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/analysis-reports/AR19-129A}, language = {English}, urldate = {2020-01-08} } @online{cisa:20190909:malware:f266520, author = {CISA}, title = {{Malware Analysis Report (AR19-252A)}}, date = {2019-09-09}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar19-252a}, language = {English}, urldate = {2020-01-07} } @online{cisa:20191031:malware:4eccc2d, author = {CISA}, title = {{Malware Analysis Report (AR19-304A)}}, date = {2019-10-31}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar19-304a}, language = {English}, urldate = {2020-01-09} } @online{cisa:2019:hidden:52ee565, author = {CISA}, title = {{HIDDEN COBRA - North Korean Malicious Cyber Activity}}, date = {2019}, organization = {CISA}, url = {https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity}, language = {English}, urldate = {2020-01-07} } @techreport{citizenlab:20100406:shadows:0ddd0ca, author = {CitizenLab and Information Warfare Monitor and Shadowserver Foundation}, title = {{SHADOWS IN THE CLOUD: Investigating Cyber Espionage 2.0}}, date = {2010-04-06}, institution = {CitizenLab}, url = {https://citizenlab.ca/wp-content/uploads/2017/05/shadows-in-the-cloud.pdf}, language = {English}, urldate = {2020-01-13} } @techreport{clearsky:201707:operationwilted:7e57e58, author = {ClearSky and Trend Micro}, title = {{OperationWilted Tulip}}, date = {2017-07}, institution = {ClearSky}, url = {https://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf}, language = {English}, urldate = {2020-01-06} } @online{clearsky:20180213:enfal:e063cf1, author = {ClearSky}, title = {{Tweet on Enfal loader}}, date = {2018-02-13}, organization = {Twitter (@ClearskySec)}, url = {https://twitter.com/ClearskySec/status/963829930776723461}, language = {English}, urldate = {2019-07-10} } @online{clueley:20200109:man:cea3f4b, author = {Graham Clueley}, title = {{Man jailed for using webcam RAT to spy on women in their bedrooms}}, date = {2020-01-09}, organization = {The State of Security}, url = {https://www.tripwire.com/state-of-security/featured/man-jailed-using-webcam-rat-women-bedrooms/}, language = {English}, urldate = {2020-01-20} } @online{cluley:20121113:new:627d122, author = {Graham Cluley}, title = {{New variant of Mac Trojan discovered, targeting Tibet}}, date = {2012-11-13}, organization = {Sophos}, url = {https://nakedsecurity.sophos.com/2012/11/13/new-mac-trojan/}, language = {English}, urldate = {2020-01-08} } @online{cluley:20150526:moose:4cb9940, author = {Graham Cluley}, title = {{Moose – the router worm with an appetite for social networks}}, date = {2015-05-26}, organization = {ESET Research}, url = {http://www.welivesecurity.com/2015/05/26/moose-router-worm/}, language = {English}, urldate = {2019-12-20} } @online{cluley:20170830:new:c821389, author = {Graham Cluley}, title = {{New ESET research uncovers Gazer, the stealthy backdoor that spies on embassies}}, date = {2017-08-30}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/}, language = {English}, urldate = {2019-11-14} } @online{cluley:20170904:despite:6f4a25f, author = {Graham Cluley}, title = {{Despite appearances, WikiLeaks wasn’t hacked}}, date = {2017-09-04}, organization = {Graham Cluley Blog}, url = {https://www.grahamcluley.com/despite-appearances-wikileaks-wasnt-hacked/}, language = {English}, urldate = {2019-11-28} } @online{cluley:20200409:travelex:bb5a2d7, author = {Graham Cluley}, title = {{Travelex paid hackers $2.3 million worth of Bitcoin after ransomware attack}}, date = {2020-04-09}, organization = {Graham Cluley Blog}, url = {https://www.grahamcluley.com/travelex-paid-ransom/}, language = {English}, urldate = {2020-04-26} } @online{cluley:20200505:kaiji:94f85b6, author = {Graham Cluley}, title = {{Kaiji – a new strain of IoT malware seizing control and launching DDoS attacks}}, date = {2020-05-05}, organization = {Bitdefender}, url = {https://www.bitdefender.com/box/blog/iot-news/kaiji-new-strain-iot-malware-seizing-control-launching-ddos-attacks/}, language = {English}, urldate = {2020-05-06} } @online{cn33liz:20170605:javascript:36e302d, author = {Cn33liz}, title = {{A JavaScript and VBScript Based Empire Launcher - by Cn33liz 2017}}, date = {2017-06-05}, organization = {Github (Cn33liz)}, url = {https://github.com/Cn33liz/StarFighters}, language = {English}, urldate = {2020-04-07} } @online{cna:201901:destructive:38ed2c3, author = {Saudi Arabia CNA}, title = {{Destructive Attack “DUSTMAN” Technical Report}}, date = {2019-01}, organization = {Saudi Arabia CNA}, url = {https://www.scribd.com/document/442225568/Saudi-Arabia-CNA-report}, language = {English}, urldate = {2020-01-13} } @online{cobb:20130502:stealthiness:6579e26, author = {Stephen Cobb}, title = {{The stealthiness of Linux/Cdorked: a clarification}}, date = {2013-05-02}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2013/05/02/the-stealthiness-of-linuxcdorked-a-clarification/}, language = {English}, urldate = {2019-11-14} } @online{cobli:20180618:six:c3dc8c0, author = {Claudiu Cobliș and Cristian Istrate and Cornel Punga and Andrei Ardelean}, title = {{Six Years and Counting: Inside the Complex Zacinlo Ad Fraud Operation}}, date = {2018-06-18}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/wp-content/uploads/downloads/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/}, language = {English}, urldate = {2020-07-08} } @online{codeandsec:20141002:finfisher:3b1d9c1, author = {CodeAndSec}, title = {{FinFisher Malware Analysis - Part 2}}, date = {2014-10-02}, organization = {CodeAndSec}, url = {https://www.codeandsec.com/FinFisher-Malware-Analysis-Part-2}, language = {English}, urldate = {2020-03-19} } @online{codercto:20181220:analysis:60da1aa, author = {Codercto}, title = {{Analysis of the attack activities of Hailian Lotus APT group against large domestic investment companies}}, date = {2018-12-20}, organization = {Codercto}, url = {https://www.codercto.com/a/46729.html}, language = {Chinese}, urldate = {2020-01-07} } @online{coding:20140801:soraya:4e51b2f, author = {Coding and Security}, title = {{Soraya Malware Analysis - Dropper}}, date = {2014-08-01}, organization = {Coding and Security}, url = {https://www.codeandsec.com/Soraya-Malware-Analysis-Dropper}, language = {English}, urldate = {2020-01-09} } @online{coding:20161203:sophisticated:af2cbb4, author = {Coding and Security}, title = {{"Sophisticated" and "Genius" Shamoon 2.0 Malware Analysis}}, date = {2016-12-03}, organization = {Coding and Security}, url = {https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis}, language = {English}, urldate = {2020-01-08} } @online{cofense:20170323:tales:cbdee9a, author = {Cofense}, title = {{Tales from the Trenches: Loki Bot Malware}}, date = {2017-03-23}, organization = {Cofense}, url = {https://phishme.com/loki-bot-malware/}, language = {English}, urldate = {2019-12-02} } @online{cofense:20190121:kutaki:3bff835, author = {Cofense}, title = {{The Kutaki Malware Bypasses Gateways to Steal Users’ Credentials}}, date = {2019-01-21}, organization = {Cofense}, url = {https://cofense.com/kutaki-malware-bypasses-gateways-steal-users-credentials/}, language = {English}, urldate = {2020-01-06} } @online{cognizant:20200418:cognizant:0e20ac0, author = {Cognizant}, title = {{Cognizant Security Incident Update}}, date = {2020-04-18}, organization = {Cognizant}, url = {https://web.archive.org/save/https://news.cognizant.com/2020-04-18-cognizant-security-update}, language = {English}, urldate = {2020-04-20} } @techreport{cognizant:20200617:notice:37fe994, author = {Cognizant}, title = {{Notice of Data Breach}}, date = {2020-06-17}, institution = {Cognizant}, url = {https://oag.ca.gov/system/files/Letter%204.pdf}, language = {English}, urldate = {2020-06-18} } @online{cohen:20180521:decrypting:37d595c, author = {Itay Cohen}, title = {{Decrypting APT33’s Dropshot Malware with Radare2 and Cutter – Part 1}}, date = {2018-05-21}, organization = {MegaBeets}, url = {https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-1/}, language = {English}, urldate = {2019-07-10} } @online{cohen:20180629:backswap:1605a3d, author = {Ruby Cohen and Doron Voolf}, title = {{BackSwap Defrauds Online Banking Customers Using Hidden Input Fields}}, date = {2018-06-29}, organization = {F5}, url = {https://www.f5.com/labs/articles/threat-intelligence/backswap-defrauds-online-banking-customers-using-hidden-input-fi}, language = {English}, urldate = {2020-01-10} } @online{cohen:20180820:ryuk:5756495, author = {Itay Cohen and Ben Herzog}, title = {{Ryuk Ransomware: A Targeted Campaign Break-Down}}, date = {2018-08-20}, organization = {Check Point}, url = {https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/}, language = {English}, urldate = {2019-12-10} } @online{cohen:20181130:evolution:045e447, author = {Itay Cohen}, title = {{The Evolution of BackSwap}}, date = {2018-11-30}, organization = {Check Point}, url = {https://research.checkpoint.com/the-evolution-of-backswap/}, language = {English}, urldate = {2020-01-10} } @online{cohen:20190117:qealler:3db4f96, author = {David Cohen}, title = {{Qealler — The Silent Java Credential Thief}}, date = {2019-01-17}, organization = {CyberArk}, url = {https://www.cyberark.com/threat-research-blog/qealler-the-silent-java-credential-thief/}, language = {English}, urldate = {2020-05-18} } @online{cohen:20190424:deobfuscating:581c86e, author = {Itay Cohen}, title = {{Deobfuscating APT32 Flow Graphs with Cutter and Radare2}}, date = {2019-04-24}, organization = {Check Point Research}, url = {https://research.checkpoint.com/deobfuscating-apt32-flow-graphs-with-cutter-and-radare2/}, language = {English}, urldate = {2020-05-06} } @online{coldshell:20180828:walk:fb8dcc6, author = {Coldshell}, title = {{A walk through the AcridRain Stealer}}, date = {2018-08-28}, organization = {This is Security}, url = {https://thisissecurity.stormshield.com/2018/08/28/acridrain-stealer/}, language = {English}, urldate = {2020-01-07} } @online{coldshell:20190118:nymaim:1d2e6f9, author = {Coldshell}, title = {{Nymaim deobfuscation}}, date = {2019-01-18}, organization = {Github (coldshell)}, url = {https://github.com/coldshell/Malware-Scripts/tree/master/Nymaim}, language = {English}, urldate = {2020-01-10} } @online{cole:20200205:stomp:77ecf4b, author = {Rick Cole and Andrew Moore and Genevieve Stark and Blaine Stancill}, title = {{STOMP 2 DIS: Brilliance in the (Visual) Basics}}, date = {2020-02-05}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html}, language = {English}, urldate = {2020-02-09} } @online{conant:20180207:rat:5f1eba8, author = {Simon Conant}, title = {{RAT Trapped? LuminosityLink Falls Foul of Vermin Eradication Efforts}}, date = {2018-02-07}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/02/unit42-rat-trapped-luminositylink-falls-foul-vermin-eradication-efforts/}, language = {English}, urldate = {2019-12-20} } @online{contextis:20191003:avivore:421fc23, author = {Contextis}, title = {{AVIVORE – Hunting Global Aerospace through the Supply Chain}}, date = {2019-10-03}, organization = {Contextis}, url = {https://www.contextis.com/de/blog/avivore}, language = {English}, urldate = {2020-01-09} } @online{coogan:20100204:spyeye:5c54efe, author = {Peter Coogan}, title = {{SpyEye Bot versus Zeus Bot}}, date = {2010-02-04}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot}, language = {English}, urldate = {2020-01-06} } @online{coogan:20100426:spyeyes:fb53c77, author = {Peter Coogan}, title = {{SpyEye’s "Kill Zeus" Bark is Worse Than its Bite}}, date = {2010-04-26}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/spyeye-s-kill-zeus-bark-worse-its-bite}, language = {English}, urldate = {2019-12-16} } @online{corera:20161010:how:29d38b3, author = {Gordon Corera}, title = {{How France's TV5 was almost destroyed by 'Russian hackers'}}, date = {2016-10-10}, organization = {BBC}, url = {https://www.bbc.com/news/technology-37590375}, language = {English}, urldate = {2020-01-09} } @online{cornateanu:20200303:extracting:a48a754, author = {Ryan Cornateanu}, title = {{Extracting Embedded Payloads From Malware}}, date = {2020-03-03}, url = {https://medium.com/@ryancor/extracting-embedded-payloads-from-malware-aaca8e9aa1a9}, language = {English}, urldate = {2020-03-04} } @online{cortes:20171005:freemilk:1c7eb5d, author = {Juan Cortes and Esmid Idrizovic}, title = {{FreeMilk: A Highly Targeted Spear Phishing Campaign}}, date = {2017-10-05}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-freemilk-highly-targeted-spear-phishing-campaign/}, language = {English}, urldate = {2020-01-08} } @online{cortes:20171005:freemilk:a929f1b, author = {Juan Cortes and Esmid Idrizovic}, title = {{FreeMilk: A Highly Targeted Spear Phishing Campaign}}, date = {2017-10-05}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/}, language = {English}, urldate = {2019-12-20} } @online{costis:20200724:tau:2730a2c, author = {Andrew Costis}, title = {{TAU Threat Discovery: Cryptocurrency Clipper Malware Evolves}}, date = {2020-07-24}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/blog/tau-threat-discovery-cryptocurrency-clipper-malware-evolves/}, language = {English}, urldate = {2020-08-05} } @online{coveware:20190129:phobos:8423f74, author = {CoveWare}, title = {{Phobos Ransomware, A Combo of CrySiS and Dharma}}, date = {2019-01-29}, organization = {CodeWare}, url = {https://www.coveware.com/blog/phobos-ransomware-distributed-dharma-crew}, language = {English}, urldate = {2020-01-08} } @online{cowman:20191218:understanding:d629d14, author = {Pete Cowman}, title = {{Understanding Ransomware Series: Detecting Sodin}}, date = {2019-12-18}, organization = {Hatching.io}, url = {https://hatching.io/blog/ransomware-part2}, language = {English}, urldate = {2020-01-08} } @online{creaktive:20180521:tiny:13fd580, author = {creaktive}, title = {{Tiny SHell}}, date = {2018-05-21}, organization = {Github (creaktive)}, url = {https://github.com/creaktive/tsh}, language = {English}, urldate = {2020-01-10} } @online{creus:20160926:sofacys:2c11dc9, author = {Dani Creus and Tyler Halfpop and Robert Falcone}, title = {{Sofacy’s ‘Komplex’ OS X Trojan}}, date = {2016-09-26}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/}, language = {English}, urldate = {2019-12-20} } @online{creus:20160926:sofacys:6ddbb81, author = {Dani Creus and Tyler Halfpop and Robert Falcone}, title = {{Sofacy’s ‘Komplex’ OS X Trojan}}, date = {2016-09-26}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-sofacys-komplex-os-x-trojan/}, language = {English}, urldate = {2020-01-13} } @online{crook:20200622:dynamic:47a0942, author = {Jack Crook}, title = {{Dynamic Correlation, ML and Hunting}}, date = {2020-06-22}, organization = {FindingBad Blogspot}, url = {http://findingbad.blogspot.com/2020/06/dynamic-correlation-ml-and-hunting.html}, language = {English}, urldate = {2020-06-23} } @techreport{crowdstrike:20150206:crowdstrike:fbcc37f, author = {CrowdStrike}, title = {{CrowdStrike Global Threat Intel Report 2014}}, date = {2015-02-06}, institution = {CrowdStrike}, url = {https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf}, language = {English}, urldate = {2020-05-11} } @techreport{crowdstrike:20150210:global:da4da20, author = {CrowdStrike}, title = {{Global Threat Intel Report}}, date = {2015-02-10}, institution = {CrowdStrike}, url = {http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf}, language = {English}, urldate = {2020-01-09} } @techreport{crowdstrike:2018:2018:5ba6206, author = {CrowdStrike}, title = {{2018 Global Threat Report}}, date = {2018}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf}, language = {English}, urldate = {2019-12-17} } @online{crowdstrike:2019:2019:2c268c8, author = {CrowdStrike}, title = {{2019 CrowdStrike Global Threat Report}}, date = {2019}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/}, language = {English}, urldate = {2020-07-16} } @techreport{crowdstrike:2019:2019:4e50c97, author = {CrowdStrike}, title = {{2019 CrowdStrike Global Threat Report}}, date = {2019}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2019GlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-15} } @techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } @techreport{crowdstrike:20200610:csit20081:a09522b, author = {CrowdStrike}, title = {{CSIT-20081 : Technical Analysis Of The Netwalker Ransomware}}, date = {2020-06-10}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportCSIT-20081e.pdf}, language = {English}, urldate = {2020-07-23} } @online{crowdstrike:2020:2019:f849658, author = {CrowdStrike}, title = {{2019 Crowdstrike Global Threat Report}}, date = {2020}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report}, language = {English}, urldate = {2020-07-23} } @online{cryptolaemus:20180912:emotet:013e01b, author = {Cryptolaemus}, title = {{Emotet IOC}}, date = {2018-09-12}, organization = {Cryptolaemus Pastedump}, url = {https://paste.cryptolaemus.com}, language = {English}, urldate = {2020-01-13} } @online{cryptome:20121125:parastoo:b652ed3, author = {Cryptome}, title = {{Parastoo Hacks IAEA}}, date = {2012-11-25}, organization = {Cryptome}, url = {https://cryptome.org/2012/11/parastoo-hacks-iaea.htm}, language = {English}, urldate = {2020-01-06} } @techreport{csis:2012:w32tinba:542635f, author = {Peter Kruse (CSIS) and Feike Hacquebord (Trend Micro) and Robert McArdle (Trend Micro)}, title = {{W32.Tinba (Tinybanker) The Turkish Incident}}, date = {2012}, institution = {CSIS Trend Micro}, url = {http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_w32-tinba-tinybanker.pdf}, language = {English}, urldate = {2019-12-24} } @techreport{csis:20200110:threat:7454f36, author = {CSIS}, title = {{Threat Matrix H1 2019}}, date = {2020-01-10}, institution = {CSIS}, url = {https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf}, language = {English}, urldate = {2020-01-22} } @online{ctu:20150730:sakula:8025917, author = {Dell Secureworks CTU}, title = {{Sakula Malware Family}}, date = {2015-07-30}, organization = {Secureworks}, url = {https://www.secureworks.com/research/sakula-malware-family}, language = {English}, urldate = {2020-01-06} } @online{cucci:20200419:reversing:4523233, author = {Kyle Cucci}, title = {{Reversing Ryuk: A Technical Analysis of Ryuk Ransomware}}, date = {2020-04-19}, organization = {SecurityLiterate}, url = {https://securityliterate.com/reversing-ryuk-a-technical-analysis-of-ryuk-ransomware/}, language = {English}, urldate = {2020-08-13} } @online{cummings:20191217:incident:44acf5c, author = {JJ Cummings and Dave Liebenberg}, title = {{Incident Response lessons from recent Maze ransomware attacks}}, date = {2019-12-17}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2019/12/IR-Lessons-Maze.html}, language = {English}, urldate = {2020-01-09} } @online{cutler:20190515:winnti:269a852, author = {Silas Cutler and Juan Andrés Guerrero-Saade}, title = {{Winnti: More than just Windows and Gates}}, date = {2019-05-15}, organization = {Chronicle}, url = {https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a}, language = {English}, urldate = {2019-10-14} } @online{cutler:20191116:fresh:871567d, author = {Silas Cutler}, title = {{Fresh PlugX October 2019}}, date = {2019-11-16}, organization = {Silas Cutler's Blog}, url = {https://silascutler.blogspot.com/2019/11/fresh-plugx-october-2019.html}, language = {English}, urldate = {2020-01-07} } @online{cyber:20190328:unleash:f5f7048, author = {Skylight Cyber}, title = {{Unleash The Hash - ShadowHammer MAC Address List}}, date = {2019-03-28}, organization = {Skylight Cyber}, url = {https://skylightcyber.com/2019/03/28/unleash-the-hash-shadowhammer-mac-list/}, language = {English}, urldate = {2019-10-23} } @online{cyber:20200611:snowstorm:7112209, author = {MDR Cyber}, title = {{SNOWSTORM: Hacker-for-hire and physical surveillance targeted financial analyst}}, date = {2020-06-11}, organization = {Mishcon de Reya}, url = {https://www.mishcon.com/news/snowstorm-hacker-for-hire-and-physical-surveillance-targeted-financial-analyst}, language = {English}, urldate = {2020-06-12} } @techreport{cyberark:20200224:analyzing:57cc981, author = {CyberArk}, title = {{Analyzing the Raccoon Stealer}}, date = {2020-02-24}, institution = {CyberArk}, url = {https://lp.cyberark.com/rs/316-CZP-275/images/CyberArk-Labs-Racoon-Malware-wp.pdf}, language = {English}, urldate = {2020-04-15} } @techreport{cyberint:2019:legit:9925ea3, author = {CyberInt}, title = {{Legit Remote Admin Tools Turn into Threat Actors' Tools}}, date = {2019}, institution = {CyberInt}, url = {https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf}, language = {English}, urldate = {2019-12-19} } @online{cybermalveillance:20191106:outil:dfa36a5, author = {Cybermalveillance}, title = {{Outil de déchiffrement du rançongiciel (ransomware) PyLocky versions 1 et 2}}, date = {2019-11-06}, organization = {Cybermalveillance}, url = {https://www.cybermalveillance.gouv.fr/nos-articles/outil-dechiffrement-rancongiciel-ransomware-pylocky-v1-2/}, language = {French}, urldate = {2019-12-18} } @online{cybersecurity:201606:operation:eb6c3d9, author = {ClearSky Cybersecurity}, title = {{Operation DustySky Part 2}}, date = {2016-06}, organization = {clearskysec}, url = {https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain}, language = {English}, urldate = {2019-12-24} } @techreport{cybersecurity:20170210:ar1720045:43c91fd, author = {National Cybersecurity and Communications Integration Center}, title = {{AR-17-20045 - Enhanced Analysis of GRIZZLY STEPPE Activity}}, date = {2017-02-10}, institution = {Department of Homeland Security}, url = {https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf}, language = {English}, urldate = {2019-11-05} } @online{cybersecurity:20180720:alert:89ca0c7, author = {National Cybersecurity and Communications Integration Center}, title = {{Alert (TA18-201A) Emotet Malware}}, date = {2018-07-20}, organization = {NCCIC}, url = {https://www.us-cert.gov/ncas/alerts/TA18-201A}, language = {English}, urldate = {2019-10-27} } @online{cyberthreat:20200501:chin:3a4fb89, author = {Cyberthreat}, title = {{Chiến dịch của nhóm APT Trung Quốc Goblin Panda tấn công vào Việt Nam lợi dụng đại dịch Covid-19 (phần 1)}}, date = {2020-05-01}, organization = {Viettel Cybersecurity}, url = {https://blog.viettelcybersecurity.com/p1-chien-dich-cua-nhom-apt-trung-quoc-goblin-panda-tan-cong-vao-viet-nam-loi-dung-dai-dich-covid-19/}, language = {Vietnamese}, urldate = {2020-05-04} } @online{cyberx:20170128:radiation:141e735, author = {CyberX}, title = {{Radiation Report}}, date = {2017-01-28}, organization = {CyberX}, url = {http://get.cyberx-labs.com/radiation-report}, language = {English}, urldate = {2020-01-13} } @techreport{cylance:20160406:operation:d4da7b5, author = {Cylance}, title = {{Operation Cleaver}}, date = {2016-04-06}, institution = {Cylance}, url = {https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf}, language = {English}, urldate = {2020-01-10} } @techreport{cylance:20181102:spyrats:67888b3, author = {Cylance}, title = {{The SpyRATs of OceanLotus}}, date = {2018-11-02}, institution = {Cylance}, url = {https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/SpyRATsofOceanLotusMalwareWhitePaper.pdf}, language = {English}, urldate = {2020-01-10} } @techreport{cymmetria:2016:unveiling:da4224b, author = {Cymmetria}, title = {{Unveiling Patchwork: The Copy-Paste APT}}, date = {2016}, institution = {Cymmetria}, url = {https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf}, language = {English}, urldate = {2020-01-06} } @online{cymmetria:20170919:unveiling:e67fe90, author = {Cymmetria}, title = {{Unveiling Patchwork – a targeted attack caught with cyber deception}}, date = {2017-09-19}, organization = {Cymmetria}, url = {https://www.cymmetria.com/patchwork-targeted-attack/}, language = {English}, urldate = {2019-12-18} } @online{cymru:20190725:unmasking:91638f6, author = {Team Cymru}, title = {{Unmasking AVE_MARIA}}, date = {2019-07-25}, organization = {Team Cymru}, url = {https://blog.team-cymru.com/2019/07/25/unmasking-ave_maria/}, language = {English}, urldate = {2020-01-08} } @online{cymru:20200219:azorult:de72301, author = {Team Cymru}, title = {{Azorult – what we see using our own tools}}, date = {2020-02-19}, organization = {Team Cymru}, url = {https://blog.team-cymru.com/2020/02/19/azorult-what-we-see-using-our-own-tools/}, language = {English}, urldate = {2020-02-26} } @online{cymru:20200325:how:b1d8c31, author = {Team Cymru}, title = {{How the Iranian Cyber Security Agency Detects Emissary Panda Malware}}, date = {2020-03-25}, organization = {Team Cymru}, url = {https://team-cymru.com/2020/03/25/how-the-iranian-cyber-security-agency-detects-emissary-panda-malware/}, language = {English}, urldate = {2020-07-13} } @online{cyrus:20190424:introducing:f1d4536, author = {Richie Cyrus}, title = {{Introducing Venator: A macOS tool for proactive detection}}, date = {2019-04-24}, organization = {SpecterOps}, url = {https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56}, language = {English}, urldate = {2020-01-07} } @techreport{d00rt:20180706:lokibot:6508667, author = {d00rt}, title = {{LokiBot Infostealer Jihacked Version}}, date = {2018-07-06}, institution = {Github (d00rt)}, url = {https://github.com/d00rt/hijacked_lokibot_version/blob/master/doc/LokiBot_hijacked_2018.pdf}, language = {English}, urldate = {2020-01-10} } @online{d00rt:20190105:emotet:8dee25a, author = {d00rt}, title = {{Emotet Research}}, date = {2019-01-05}, organization = {Github (d00rt)}, url = {https://github.com/d00rt/emotet_research}, language = {English}, urldate = {2020-01-10} } @online{d00rtrm:2019:emutet:8913da8, author = {D00RT_RM}, title = {{Emutet}}, date = {2019}, url = {https://d00rt.github.io/emotet_network_protocol/}, language = {English}, urldate = {2020-01-07} } @online{d:20151019:github:b15ea7e, author = {Anderson D}, title = {{Github Repository for AllaKore}}, date = {2015-10-19}, organization = {Github (Anderson-D)}, url = {https://github.com/Anderson-D/AllaKore}, language = {English}, urldate = {2020-01-08} } @online{daavid:20140623:havex:21f2ca4, author = {Daavid}, title = {{Havex Hunts For ICS/SCADA Systems}}, date = {2014-06-23}, organization = {F-Secure}, url = {https://www.f-secure.com/weblog/archives/00002718.html}, language = {English}, urldate = {2020-01-09} } @online{dahan:20170425:shadowwali:565d1c1, author = {Assaf Dahan}, title = {{ShadowWali: New variant of the xxmm family of backdoors}}, date = {2017-04-25}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/labs-shadowwali-new-variant-of-the-xxmm-family-of-backdoors}, language = {English}, urldate = {2020-02-11} } @online{dahan:20170524:operation:d79be79, author = {Assaf Dahan}, title = {{Operation Cobalt Kitty: A large-scale APT in Asia carried out by the OceanLotus Group}}, date = {2017-05-24}, organization = {Cybereason}, url = {https://www.cybereason.com/labs-operation-cobalt-kitty-a-large-scale-apt-in-asia-carried-out-by-the-oceanlotus-group/}, language = {English}, urldate = {2020-01-09} } @online{dahan:20181003:new:5f6c0b5, author = {Assaf Dahan}, title = {{New Betabot campaign under the microscope}}, date = {2018-10-03}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/betabot-banking-trojan-neurevt}, language = {English}, urldate = {2020-01-06} } @online{dahan:20190312:new:a435b52, author = {Assaf Dahan and Cybereason Nocturnus}, title = {{New Ursnif Variant targets Japan packed with new Features}}, date = {2019-03-12}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features}, language = {English}, urldate = {2019-11-28} } @online{dahan:20191120:phoenix:9c5d752, author = {Assaf Dahan}, title = {{Phoenix: The Tale of the Resurrected Keylogger}}, date = {2019-11-20}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/phoenix-the-tale-of-the-resurrected-alpha-keylogger}, language = {English}, urldate = {2020-02-11} } @online{dahan:20191211:dropping:0849f70, author = {Assaf Dahan and Lior Rochberger and Eli Salem and Mary Zhao and Niv Yona and Omer Yampel and Matt Hart}, title = {{Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware}}, date = {2019-12-11}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware}, language = {English}, urldate = {2020-01-06} } @online{dahl:20130503:department:8be1534, author = {Matt Dahl}, title = {{Department of Labor Strategic Web Compromise}}, date = {2013-05-03}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/department-labor-strategic-web-compromise/}, language = {English}, urldate = {2019-12-20} } @online{dahl:20131010:regional:120d284, author = {Matt Dahl}, title = {{Regional Conflict and Cyber Blowback}}, date = {2013-10-10}, organization = {CrowdStrike}, url = {https://web.archive.org/web/20160315044507/https://www.crowdstrike.com/blog/regional-conflict-and-cyber-blowback/}, language = {English}, urldate = {2020-05-18} } @online{dahl:20140513:cat:e5c45ff, author = {Matt Dahl}, title = {{Cat Scratch Fever: CrowdStrike Tracks Newly Reported Iranian Actor as FLYING KITTEN}}, date = {2014-05-13}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/}, language = {English}, urldate = {2019-12-20} } @online{dahl:20141124:i:38a6ade, author = {Matt Dahl}, title = {{I am Ironman: DEEP PANDA Uses Sakula Malware to Target Organizations in Multiple Sectors}}, date = {2014-11-24}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/ironman-deep-panda-uses-sakula-malware-target-organizations-multiple-sectors/}, language = {English}, urldate = {2019-12-20} } @online{dahl:20190125:widespread:48d15a3, author = {Matt Dahl}, title = {{Widespread DNS Hijacking Activity Targets Multiple Sectors}}, date = {2019-01-25}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors/}, language = {English}, urldate = {2019-12-20} } @online{dahl:20200601:malware:aa6f2ab, author = {Matt Dahl}, title = {{Tweet on malware called knspy used by Donot}}, date = {2020-06-01}, organization = {Twitter (@voodoodahl1)}, url = {https://twitter.com/voodoodahl1/status/1267571622732578816}, language = {English}, urldate = {2020-06-04} } @online{dahms:20140602:molerats:8b00d0d, author = {Timothy Dahms}, title = {{Molerats, Here for Spring!}}, date = {2014-06-02}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2014/06/molerats-here-for-spring.html}, language = {English}, urldate = {2019-12-20} } @online{dallas:20190326:babylon:32e6481, author = {Korben Dallas}, title = {{Tweet on Babylon RAT IOCs}}, date = {2019-03-26}, organization = {Twitter (@KorbenD_Intel)}, url = {https://twitter.com/KorbenD_Intel/status/1110654679980085262}, language = {English}, urldate = {2020-01-13} } @online{dan:20180208:merlin:cfc9e6b, author = {Action Dan}, title = {{Merlin for Red Teams}}, date = {2018-02-08}, organization = {Lockboxx}, url = {http://lockboxx.blogspot.com/2018/02/merlin-for-red-teams.html}, language = {English}, urldate = {2020-01-09} } @online{danchev:20080610:whos:504e579, author = {Dancho Danchev}, title = {{Who's behind the GPcode ransomware?}}, date = {2008-06-10}, organization = {ZDNet}, url = {http://www.zdnet.com/article/whos-behind-the-gpcode-ransomware/}, language = {English}, urldate = {2019-12-18} } @online{danchev:20120928:dissecting:1ee1a3f, author = {Dancho Danchev}, title = {{Dissecting 'Operation Ababil' - an OSINT Analysis}}, date = {2012-09-28}, organization = {Dancho Danchev's Blog}, url = {http://ddanchev.blogspot.com.es/2012/09/dissecting-operation-ababil-osint.html}, language = {English}, urldate = {2020-01-10} } @online{dangu:20180123:uncovering:a3ba605, author = {Jerome Dangu}, title = {{Uncovering 2017’s Largest Malvertising Operation}}, date = {2018-01-23}, organization = {Confiant}, url = {https://blog.confiant.com/uncovering-2017s-largest-malvertising-operation-b84cd38d6b85}, language = {English}, urldate = {2019-12-24} } @online{dangu:20180305:zirconium:06d9e29, author = {Jerome Dangu}, title = {{Zirconium was one step ahead of Chrome’s redirect blocker with 0-day}}, date = {2018-03-05}, organization = {Confiant}, url = {https://blog.confiant.com/zirconium-was-one-step-ahead-of-chromes-redirect-blocker-with-0-day-2d61802efd0d}, language = {English}, urldate = {2020-01-09} } @online{dannythesloth:20190608:vanilla:bcf3518, author = {DannyTheSloth}, title = {{Vanilla RAT}}, date = {2019-06-08}, organization = {Github (DannyTheSloth)}, url = {https://github.com/DannyTheSloth/VanillaRAT}, language = {English}, urldate = {2020-01-13} } @techreport{dantzig:20191219:operation:96804be, author = {Maarten van Dantzig and Erik Schamper}, title = {{Operation Wocao: Shining a light on one of China’s hidden hacking groups}}, date = {2019-12-19}, institution = {Fox-IT}, url = {https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf}, language = {English}, urldate = {2020-01-13} } @online{data:20140228:uroburos:f6fdb48, author = {G Data}, title = {{Uroburos - highly complex espionage software with Russian roots}}, date = {2014-02-28}, organization = {G Data Blog}, url = {https://www.gdatasoftware.com/blog/2014/02/23968-uroburos-highly-complex-espionage-software-with-russian-roots}, language = {English}, urldate = {2019-11-28} } @online{data:20140307:uroburos:22ddc69, author = {G Data}, title = {{Uroburos – Deeper travel into kernel protection mitigation}}, date = {2014-03-07}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2014/03/23966-uroburos-deeper-travel-into-kernel-protection-mitigation}, language = {English}, urldate = {2019-11-23} } @online{data:20140513:uroburos:a8b1175, author = {G Data}, title = {{Uroburos rootkit: Belgian Foreign Ministry stricken}}, date = {2014-05-13}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2014/05/23958-uroburos-rootkit-belgian-foreign-ministry-stricken}, language = {English}, urldate = {2019-10-27} } @online{data:20140602:analysis:1038a5f, author = {G Data}, title = {{Analysis of Uroburos, using WinDbg}}, date = {2014-06-02}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2014/06/23953-analysis-of-uroburos-using-windbg}, language = {English}, urldate = {2020-01-09} } @online{data:20140731:poweliks:250c05f, author = {G Data}, title = {{Poweliks: the persistent malware without a file}}, date = {2014-07-31}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2014/07/23947-poweliks-the-persistent-malware-without-a-file}, language = {English}, urldate = {2020-01-10} } @online{data:20141030:com:0da80b3, author = {G Data}, title = {{COM Object hijacking: the discreet way of persistence}}, date = {2014-10-30}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence}, language = {English}, urldate = {2020-01-07} } @techreport{data:20141031:operation:9205b87, author = {G Data}, title = {{OPERATION “TOOHASH”: HOW TARGETED ATTACKS WORK}}, date = {2014-10-31}, institution = {G Data}, url = {https://public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf}, language = {English}, urldate = {2020-01-08} } @online{data:20141111:uroburos:8dce097, author = {G Data}, title = {{The Uroburos case: new sophisticated RAT identified}}, date = {2014-11-11}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified}, language = {English}, urldate = {2020-01-08} } @online{data:20150115:weiterentwicklung:a65efbe, author = {G Data}, title = {{Weiterentwicklung anspruchsvoller Spyware: von Agent.BTZ zu ComRAT}}, date = {2015-01-15}, organization = {G Data}, url = {https://blog.gdata.de/2015/01/23779-weiterentwicklung-anspruchsvoller-spyware-von-agent-btz-zu-comrat}, language = {English}, urldate = {2020-01-08} } @online{data:20150120:analysis:2fe6cf2, author = {G Data}, title = {{Analysis of Project Cobra}}, date = {2015-01-20}, organization = {G Data}, url = {https://blog.gdatasoftware.com/2015/01/23926-analysis-of-project-cobra}, language = {English}, urldate = {2020-01-05} } @online{data:20150218:babar:24e6c08, author = {G Data}, title = {{Babar: espionage software finally found and put under the microscope}}, date = {2015-02-18}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope}, language = {English}, urldate = {2019-12-02} } @online{data:20160411:manamecrypt:06eda37, author = {G Data}, title = {{Manamecrypt – a ransomware that takes a different route}}, date = {2016-04-11}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2016/04/28234-manamecrypt-a-ransomware-that-takes-a-different-route}, language = {English}, urldate = {2020-01-08} } @online{data:20161123:analysis:0bbfdb9, author = {G Data}, title = {{Analysis: Ursnif - spying on your data since 2007}}, date = {2016-11-23}, organization = {G Data}, url = {https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007}, language = {English}, urldate = {2020-01-10} } @online{data:20170512:warning:162cfc4, author = {G Data}, title = {{Warning: Massive "WannaCry" Ransomware campaign launched}}, date = {2017-05-12}, organization = {G Data}, url = {https://blog.gdatasoftware.com/2017/05/29751-wannacry-ransomware-campaign}, language = {English}, urldate = {2020-01-13} } @online{data:20170703:who:7b53706, author = {G Data}, title = {{Who is behind Petna?}}, date = {2017-07-03}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2017/07/29859-who-is-behind-petna}, language = {English}, urldate = {2020-01-08} } @online{data:20170711:ordinypt:a3f61cf, author = {G Data}, title = {{Ordinypt hat es auf Benutzer aus Deutschland abgesehen}}, date = {2017-07-11}, organization = {G Data}, url = {https://www.gdata.de/blog/2017/11/30151-ordinypt}, language = {Deutsch}, urldate = {2020-01-08} } @online{data:20170720:rurktar:fa8bc7e, author = {G Data}, title = {{Rurktar - Spyware under Construction}}, date = {2017-07-20}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2017/07/29896-rurktar-spyware-under-construction}, language = {English}, urldate = {2020-01-09} } @online{data:20171012:emotet:c99dec0, author = {G Data}, title = {{Emotet beutet Outlook aus}}, date = {2017-10-12}, organization = {G Data}, url = {https://www.gdata.de/blog/2017/10/30110-emotet-beutet-outlook-aus}, language = {English}, urldate = {2019-12-05} } @online{data:20191121:new:cbeb2e4, author = {G Data}, title = {{New SectopRAT: Remote access malware utilizes second desktop to control browsers}}, date = {2019-11-21}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2019/11/35548-new-sectoprat-remote-access-malware-utilizes-second-desktop-to-control-browsers}, language = {English}, urldate = {2020-01-10} } @online{data:20200630:ransomware:3f071e1, author = {G Data}, title = {{Ransomware on the Rise: Buran’s transformation into Zeppelin}}, date = {2020-06-30}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2020/06/35946-burans-transformation-into-zeppelin}, language = {English}, urldate = {2020-07-02} } @online{davenport:20141218:keypoint:4c1fd04, author = {Christian Davenport}, title = {{KeyPoint network breach could affect thousands of federal workers}}, date = {2014-12-18}, organization = {The Washington Post}, url = {https://www.washingtonpost.com/business/economy/keypoint-suffers-network-breach-thousands-of-fed-workers-could-be-affected/2014/12/18/e6c7146c-86e1-11e4-a702-fa31ff4ae98e_story.html}, language = {English}, urldate = {2020-01-13} } @online{davila:20200518:eleethub:d605473, author = {Asher Davila and Yang Ji}, title = {{Eleethub: A Cryptocurrency Mining Botnet with Rootkit for Self-Hiding}}, date = {2020-05-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/los-zetas-from-eleethub-botnet/}, language = {English}, urldate = {2020-05-20} } @online{davis:20170921:apt33:52822d2, author = {Stuart Davis and Nick Carr}, title = {{APT33: New Insights into Iranian Cyber Espionage Group}}, date = {2017-09-21}, organization = {FireEye}, url = {https://www.brighttalk.com/webcast/10703/275683}, language = {English}, urldate = {2019-12-20} } @online{davis:20180529:mexico:d40bc2d, author = {Michelle Davis}, title = {{Mexico Foiled a $110 Million Bank Heist, Then Kept It a Secret}}, date = {2018-05-29}, organization = {Bloomberg}, url = {https://www.bloomberg.com/news/articles/2018-05-29/mexico-foiled-a-110-million-bank-heist-then-kept-it-a-secret}, language = {English}, urldate = {2020-01-07} } @online{davison:20170804:smoke:06d64d3, author = {Jason Davison}, title = {{Smoke Loader Adds Additional Obfuscation Methods to Mitigate Analysis}}, date = {2017-08-04}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/smoke-loader-adds-additional-obfuscation-methods-to-mitigate-analysis}, language = {English}, urldate = {2020-01-08} } @online{davison:20180321:trickbot:1f0576e, author = {Jason Davison}, title = {{TrickBot Banking Trojan Adapts with New Module}}, date = {2018-03-21}, organization = {Webroot}, url = {https://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/}, language = {English}, urldate = {2020-01-13} } @online{dcso:20190314:pegasusbuhtrap:2e48e0e, author = {DCSO}, title = {{Pegasus/Buhtrap analysis of the malware stage based on the leaked source code}}, date = {2019-03-14}, organization = {DCSO}, url = {https://blog.dcso.de/pegasus-buhtrap-analysis-of-the-malware-stage-based-on-the-leaked-source-code/}, language = {English}, urldate = {2020-01-07} } @online{dcso:20190318:enterprise:ff92a62, author = {DCSO}, title = {{Enterprise Malware-as-a-Service: Lazarus Group and the Evolution of Ransomware}}, date = {2019-03-18}, organization = {DCSO}, url = {https://blog.dcso.de/enterprise-malware-as-a-service/}, language = {English}, urldate = {2020-01-06} } @online{dcso:20200116:curious:15c5610, author = {DCSO}, title = {{A Curious Case of CVE-2019-19781 Palware: remove_bds}}, date = {2020-01-16}, organization = {DCSO}, url = {https://blog.dcso.de/a-curious-case-of-cve-2019-19781-palware-remove_bds/}, language = {English}, urldate = {2020-01-17} } @online{deacon:20200331:indepth:3719ebb, author = {Joshua Deacon and Lloyd Macrohon}, title = {{An In-depth Look at MailTo Ransomware, Part One of Three}}, date = {2020-03-31}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-one-of-three/}, language = {English}, urldate = {2020-04-14} } @online{deacon:20200408:indepth:c6628d7, author = {Joshua Deacon and Lloyd Macrohon}, title = {{An In-depth Look at MailTo Ransomware, Part Two of Three}}, date = {2020-04-08}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-two-of-three/}, language = {English}, urldate = {2020-04-14} } @online{deacon:20200410:indepth:13fc66f, author = {Joshua Deacon and Lloyd Macrohon}, title = {{An In-depth Look at MailTo Ransomware, Part Three of Three}}, date = {2020-04-10}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-three-of-three/}, language = {English}, urldate = {2020-04-14} } @online{decapua:20200225:feds:423f929, author = {Joel DeCapua}, title = {{Feds Fighting Ransomware: How the FBI Investigates and How You Can Help}}, date = {2020-02-25}, organization = {RSA Conference}, url = {https://www.youtube.com/watch?v=LUxOcpIRxmg}, language = {English}, urldate = {2020-03-04} } @techreport{decker:20090522:pushdo:518e04c, author = {Alice Decker and David Sancho and Loucif Kharouni and Max Goncharov and Robert McArdle}, title = {{Pushdo / Cutwail Botnet}}, date = {2009-05-22}, institution = {Trend Micro}, url = {https://www.trendmicro.de/cloud-content/us/pdfs/business/white-papers/wp_study-of-pushdo-cutwail-botnet.pdf}, language = {English}, urldate = {2020-01-13} } @online{decrypterfixer:20140911:torrentlocker:10d80ec, author = {DecrypterFixer}, title = {{TorrentLocker Ransomware Cracked and Decrypter has been made}}, date = {2014-09-11}, organization = {BleepingComputer Forums}, url = {http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/}, language = {English}, urldate = {2020-01-06} } @online{dee:20181113:amadey:81d3bc6, author = {Dee}, title = {{Tweet on Amadey Malware}}, date = {2018-11-13}, organization = {Twitter (@ViriBack)}, url = {https://twitter.com/ViriBack/status/1062405363457118210}, language = {English}, urldate = {2020-01-07} } @online{dee:20200129:borr:528fccb, author = {Dee}, title = {{Tweet on Borr}}, date = {2020-01-29}, organization = {Twitter (@ViriBack)}, url = {https://twitter.com/ViriBack/status/1222704498923032576}, language = {English}, urldate = {2020-02-13} } @online{defense:20191111:revenge:114921b, author = {Binary Defense}, title = {{Revenge Is A Dish Best Served… Obfuscated?}}, date = {2019-11-11}, organization = {Binary Defense}, url = {https://www.binarydefense.com/revenge-is-a-dish-best-served-obfuscated}, language = {English}, urldate = {2020-01-09} } @online{degrippo:20200316:ta505:6cfbbb0, author = {Sherrod DeGrippo}, title = {{TA505 and Others Launch New Coronavirus Campaigns; Now the Largest Collection of Attack Types in Years}}, date = {2020-03-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/ta505-and-others-launch-new-coronavirus-campaigns-now-largest-collection-attack}, language = {English}, urldate = {2020-04-26} } @online{degrippo:20200622:hakbit:4d8be82, author = {Sherrod DeGrippo and Proofpoint Threat Research Team}, title = {{Hakbit Ransomware Campaign Against Germany, Austria, Switzerland}}, date = {2020-06-22}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/hakbit-ransomware-campaign-against-germany-austria-switzerland}, language = {English}, urldate = {2020-06-23} } @online{degrippo:20200717:ta547:cec93e0, author = {Sherrod DeGrippo}, title = {{TA547 Pivots from Ursnif Banking Trojan to Ransomware in Australian Campaign}}, date = {2020-07-17}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/security-briefs/ta547-pivots-ursnif-banking-trojan-ransomware-australian-campaign}, language = {English}, urldate = {2020-07-23} } @online{delmas:20170226:treasurehunter:cd0c965, author = {Arnaud Delmas}, title = {{TreasureHunter : A POS Malware Case Study}}, date = {2017-02-26}, url = {http://adelmas.com/blog/treasurehunter.php}, language = {English}, urldate = {2019-12-02} } @online{delmas:20170314:analyzing:1c055df, author = {Arnaud Delmas}, title = {{Analyzing and Deobfuscating FlokiBot Banking Trojan}}, date = {2017-03-14}, organization = {Arnaud Delmas}, url = {http://adelmas.com/blog/flokibot.php}, language = {English}, urldate = {2020-01-08} } @online{deloitte:20200122:project:0a44796, author = {Deloitte}, title = {{Project Lurus}}, date = {2020-01-22}, organization = {Deloitte}, url = {https://www.cityofpensacola.com/DocumentCenter/View/18879/Deloitte-Executive-Summary-PDF}, language = {English}, urldate = {2020-02-13} } @online{delpy:20190104:mimikatz:caaf928, author = {Benjamin Delpy}, title = {{mimikatz Repository}}, date = {2019-01-04}, organization = {Github (gentilkiwi)}, url = {https://github.com/gentilkiwi/mimikatz}, language = {English}, urldate = {2020-01-07} } @online{demetria:20121030:jacksbot:8a7230b, author = {Johanne Demetria}, title = {{JACKSBOT Has Some Dirty Tricks up Its Sleeves}}, date = {2012-10-30}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/jacksbot-has-some-dirty-tricks-up-its-sleeves/}, language = {English}, urldate = {2020-01-06} } @online{dennesen:20141201:fin4:0760295, author = {Kristen Dennesen and Jordan Berry and Barry Vengerik and Jonathan Wrolstad}, title = {{FIN4: Stealing Insider Information for an Advantage in Stock Trading?}}, date = {2014-12-01}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html}, language = {English}, urldate = {2019-12-20} } @techreport{dereszowski:20150211:turladevelopment:98e2483, author = {Andrzej Dereszowski}, title = {{Turla-development & operations}}, date = {2015-02-11}, institution = {FIRST Tbilisi}, url = {https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf}, language = {English}, urldate = {2020-01-06} } @online{desai:201608:agent:d527844, author = {Deepen Desai}, title = {{Agent Tesla Keylogger delivered using cybersquatting}}, date = {2016-08}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/agent-tesla-keylogger-delivered-using-cybersquatting}, language = {English}, urldate = {2019-11-26} } @online{desai:20200319:new:00516c3, author = {Shivang Desai}, title = {{New Android App Offers Coronavirus Safety Mask But Delivers SMS Trojan}}, date = {2020-03-19}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/new-android-app-offers-coronavirus-safety-mask-delivers-sms-trojan}, language = {English}, urldate = {2020-03-26} } @online{desai:20200729:android:fb3b3d0, author = {Shivang Desai}, title = {{Android Spyware Targeting Tanzania Premier League}}, date = {2020-07-29}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/android-spyware-targeting-tanzania-premier-league}, language = {English}, urldate = {2020-08-05} } @online{designativedave:20121116:remote:d5d4856, author = {DesignativeDave}, title = {{Remote Administration Tool for Android devices}}, date = {2012-11-16}, organization = {Github (DesignativeDave)}, url = {https://github.com/DesignativeDave/androrat}, language = {English}, urldate = {2019-11-26} } @online{devadoss:20200629:initial:0c8ed48, author = {Dinesh Devadoss}, title = {{Tweet on initial Discovery of EvilQuest}}, date = {2020-06-29}, organization = {Twitter (@dineshdina04)}, url = {https://twitter.com/dineshdina04/status/1277668001538433025}, language = {English}, urldate = {2020-07-01} } @online{devane:20160721:phishing:314ff25, author = {Oliver Devane and Mohinder Gill}, title = {{Phishing Attacks Employ Old but Effective Password Stealer}}, date = {2016-07-21}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/mcafee-labs/phishing-attacks-employ-old-effective-password-stealer/}, language = {English}, urldate = {2019-12-17} } @online{dex:20200514:energy:43e92b4, author = {Dex}, title = {{The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey}}, date = {2020-05-14}, organization = {Lab52}, url = {https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/}, language = {English}, urldate = {2020-06-10} } @techreport{dfir:20200221:apt10:e9c3328, author = {ADEO DFIR}, title = {{APT10 Threat Analysis Report}}, date = {2020-02-21}, institution = {ADEO DFIR}, url = {https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf}, language = {English}, urldate = {2020-03-03} } @online{dhanalakshmi:20180705:look:c39d2cb, author = {Dhanalakshmi}, title = {{A Look At Recent Tinba Banking Trojan Variant}}, date = {2018-07-05}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/look-recent-tinba-banking-trojan-variant}, language = {English}, urldate = {2019-11-20} } @online{die:20130203:infection:ac33cd2, author = {Malware Must Die!}, title = {{The infection of Styx Exploit Kit (Landing page: painterinvoice.ru + Payload: PWS/Ursnif Variant)}}, date = {2013-02-03}, organization = {Malware Must Die!}, url = {http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html}, language = {English}, urldate = {2019-07-11} } @online{dietrich:20181130:virut:2b9101c, author = {Christian J. Dietrich}, title = {{Virut Resurrects -- Musings on long-term sinkholing}}, date = {2018-11-30}, url = {https://chrisdietri.ch/post/virut-resurrects/}, language = {English}, urldate = {2019-11-25} } @online{digiamo:20181001:cds:a580f8f, author = {Christopher DiGiamo and Nalani Fraser and Jacqueline O’Leary}, title = {{CDS 2018 | Unmasking APT X}}, date = {2018-10-01}, organization = {Youtube (FireEye Inc.)}, url = {https://youtu.be/8hJyLkLHH8Q?t=1208}, language = {English}, urldate = {2020-01-06} } @online{digitrust:20170105:qrat:d5e7b46, author = {DigiTrust}, title = {{QRAT is Living in The World of JAVA}}, date = {2017-01-05}, organization = {DigiTrust}, url = {https://www.digitrustgroup.com/java-rat-qrat/}, language = {English}, urldate = {2020-01-09} } @techreport{dimaggio:20150806:black:af5cf27, author = {Jon DiMaggio}, title = {{The Black Vine cyberespionage group}}, date = {2015-08-06}, institution = {Symantec}, url = {https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-black-vine-cyberespionage-group.pdf}, language = {English}, urldate = {2020-01-10} } @techreport{dimaggio:20150806:black:b0fbb35, author = {Jon DiMaggio}, title = {{The Black Vine cyberespionage group}}, date = {2015-08-06}, institution = {Symantec}, url = {https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/black-vine-cyberespionage-group-15-en.pdf}, language = {English}, urldate = {2020-04-21} } @online{dimaggio:20160315:suckfly:0b3835e, author = {Jon DiMaggio}, title = {{Suckfly: Revealing the secret life of your code signing certificates}}, date = {2016-03-15}, organization = {Symantec}, url = {http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates}, language = {English}, urldate = {2020-01-05} } @online{dimaggio:20160315:suckfly:a1c8359, author = {Jon DiMaggio}, title = {{Suckfly: Revealing the secret life of your code signing certificates}}, date = {2016-03-15}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=62e325ae-f551-4855-b9cf-28a7d52d1534&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } @online{dimaggio:20160329:taiwan:4b83179, author = {Jon DiMaggio}, title = {{Taiwan targeted with new cyberespionage back door Trojan}}, date = {2016-03-29}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan}, language = {English}, urldate = {2019-12-18} } @online{dimaggio:20160329:taiwan:de4b254, author = {Jon DiMaggio}, title = {{Taiwan targeted with new cyberespionage back doorTrojan}}, date = {2016-03-29}, organization = {Symantec}, url = {https://app.box.com/s/xqh458fe1url7mgl072hhd0yxqw3x0jm}, language = {English}, urldate = {2020-01-20} } @online{dimaggio:20160428:tick:9fec91a, author = {Jon DiMaggio}, title = {{Tick cyberespionage group zeros in on Japan}}, date = {2016-04-28}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan}, language = {English}, urldate = {2020-01-10} } @online{dimaggio:20160517:indian:98dff05, author = {Jon DiMaggio}, title = {{Indian organizations targeted in Suckfly attacks}}, date = {2016-05-17}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7a60af1f-7786-446c-976b-7c71a16e9d3b&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } @online{dimaggio:20160517:indian:baa172f, author = {Jon DiMaggio}, title = {{Indian organizations targeted in Suckfly attacks}}, date = {2016-05-17}, organization = {Symantec}, url = {http://www.symantec.com/connect/blogs/indian-organizations-targeted-suckfly-attacks}, language = {English}, urldate = {2019-10-23} } @online{dimchev:20160927:new:3bba3cd, author = {Alex Dimchev}, title = {{New Voldemort/Nagini Ransomware Virus Infection}}, date = {2016-09-27}, organization = {Best Security Research}, url = {http://bestsecuritysearch.com/voldemortnagini-ransomware-virus/}, language = {English}, urldate = {2019-11-28} } @online{dimino:20120802:cridex:a9b195f, author = {Andre M. DiMino}, title = {{Cridex Analysis using Volatility}}, date = {2012-08-02}, url = {http://www.sempersecurus.org/2012/08/cridex-analysis-using-volatility.html}, language = {English}, urldate = {2019-10-23} } @online{dimino:20120803:cridex:eab5b19, author = {Andre DiMino}, title = {{Cridex Analysis using Volatility}}, date = {2012-08-03}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2012/08/cridex-analysis-using-volatility-by.html}, language = {English}, urldate = {2019-12-18} } @online{division:2000:2000:6d829fc, author = {CERT Division}, title = {{2000 CERT Advisories}}, date = {2000}, organization = {Carnegie Mellon University}, url = {https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=496186}, language = {English}, urldate = {2020-01-08} } @techreport{division:20200514:malware:34fa46f, author = {Leonardo’s Cyber Security division}, title = {{Malware Technical Insight Turla "Penquin_x64"}}, date = {2020-05-14}, institution = {Leonardo}, url = {https://www.leonardocompany.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf}, language = {English}, urldate = {2020-05-14} } @techreport{division:20200707:cosmic:cc97389, author = {AGARI CYBER INTELLIGENCE DIVISION}, title = {{Cosmic Lynx: The Rise of Russian BEC}}, date = {2020-07-07}, institution = {}, url = {https://www.agari.com/cyber-intelligence-research/whitepapers/acid-agari-cosmic-lynx.pdf}, language = {English}, urldate = {2020-07-08} } @online{dixon:20180623:oceanlotus:555d8bf, author = {Brandon Dixon and Steve Ginty}, title = {{OceanLotus 2018: Malicious Infrastructure}}, date = {2018-06-23}, organization = {passivetotal}, url = {https://community.riskiq.com/projects/53b4bd1e-dad0-306b-7712-d2a608400c8f}, language = {English}, urldate = {2019-11-16} } @online{dodia:20190315:immortal:43b3d3d, author = {Rajdeepsinh Dodia and Uday Pratap Singh}, title = {{Immortal information stealer}}, date = {2019-03-15}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/immortal-information-stealer}, language = {English}, urldate = {2020-06-08} } @online{dodia:20190808:saefko:bdc733d, author = {Rajdeepsinh Dodia and Priyanka Bhati}, title = {{Saefko: A new multi-layered RAT}}, date = {2019-08-08}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/saefko-new-multi-layered-rat}, language = {English}, urldate = {2019-11-26} } @online{dodia:20200116:ftcode:9e80307, author = {Rajdeepsinh Dodia and Amandeep Kumar and Atinderpal Singh}, title = {{FTCODE Ransomware - New Version Includes Stealing Capabilities}}, date = {2020-01-16}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/ftcode-ransomware--new-version-includes-stealing-capabilities}, language = {English}, urldate = {2020-01-27} } @techreport{doerr:20190808:enemy:3962b21, author = {Eric Doerr}, title = {{The Enemy Within: Modern Supply Chain Attacks}}, date = {2019-08-08}, institution = {BlackHat}, url = {https://i.blackhat.com/USA-19/Thursday/us-19-Doerr-The-Enemy-Within-Modern-Supply-Chain-Attacks.pdf}, language = {English}, urldate = {2020-08-14} } @online{doffman:20190816:warning:65452b4, author = {Zak Doffman}, title = {{Warning As Devious New Android Malware Hides In Fake Adobe Flash Player Installations (Updated)}}, date = {2019-08-16}, organization = {Forbes}, url = {https://www.forbes.com/sites/zakdoffman/2019/08/16/dangerous-new-android-trojan-hides-from-malware-researchers-and-taunts-them-on-twitter/}, language = {English}, urldate = {2020-01-08} } @techreport{doherty:20130917:hidden:1b7b01c, author = {Stephen Doherty and Jozsef Gegeny and Branko Spasojevic and Jonell Baltazar}, title = {{Hidden Lynx – Professional Hackers for Hire}}, date = {2013-09-17}, institution = {Symantec}, url = {http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{doherty:20130917:hidden:72a1bd7, author = {Stephen Doherty and Jozsef Gegeny and Branko Spasojevic and Jonell Baltazar}, title = {{Hidden Lynx – Professional Hackers for Hire}}, date = {2013-09-17}, institution = {Symantec}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf}, language = {English}, urldate = {2020-04-21} } @online{dolas:20200731:masslogger:b17ff73, author = {Aniruddha Dolas}, title = {{MassLogger: An Emerging Spyware and Keylogger}}, date = {2020-07-31}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/masslogger-an-emerging-spyware-and-keylogger/}, language = {English}, urldate = {2020-08-05} } @online{dolgushev:20181019:darkpulsar:c98e816, author = {Andrey Dolgushev and Dmitry Tarakanov and Vasily Berdnikov}, title = {{DarkPulsar}}, date = {2018-10-19}, organization = {Kaspersky Labs}, url = {https://securelist.com/darkpulsar/88199/}, language = {English}, urldate = {2019-12-20} } @online{dolgushev:20191105:darkuniverse:36ead28, author = {Andrey Dolgushev and Vasily Berdnikov and Alexander Fedotov}, title = {{DarkUniverse – the mysterious APT framework #27}}, date = {2019-11-05}, organization = {Kaspersky Labs}, url = {https://securelist.com/darkuniverse-the-mysterious-apt-framework-27/94897/}, language = {English}, urldate = {2020-04-24} } @online{domaintools:20170321:hunt:e4d1473, author = {DomainTools}, title = {{Hunt Case Study: Hunting Campaign Indicators on Privacy Protected Attack Infrastructure}}, date = {2017-03-21}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/case-study-hunting-campaign-indicators-on-privacy-protected-attack-infrastr}, language = {English}, urldate = {2020-05-18} } @online{doman:20141027:scanbox:c4beb38, author = {Chris Doman and Tom Lancaster}, title = {{ScanBox framework – who’s affected, and who’s using it?}}, date = {2014-10-27}, organization = {PWC}, url = {http://pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html}, language = {English}, urldate = {2020-01-07} } @online{doman:20161026:moonlight:1edffaa, author = {Chris Doman}, title = {{Moonlight – Targeted attacks in the Middle East}}, date = {2016-10-26}, organization = {Unknown}, url = {https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks}, language = {English}, urldate = {2020-04-06} } @online{doman:20170612:open:b143d52, author = {Christopher Doman}, title = {{Open Source Malware - Sharing is caring?}}, date = {2017-06-12}, organization = {SlideShare}, url = {https://www.slideshare.net/ChristopherDoman/open-source-malware-sharing-is-caring}, language = {English}, urldate = {2020-01-13} } @online{doman:20181008:delivery:8f2c9ed, author = {Chris Doman}, title = {{Delivery (Key)Boy}}, date = {2018-10-08}, organization = {AT&T Cybersecurity}, url = {https://www.alienvault.com/blogs/labs-research/delivery-keyboy}, language = {English}, urldate = {2019-10-15} } @online{doman:20190306:internet:c3afbc0, author = {Chris Doman}, title = {{Internet of Termites}}, date = {2019-03-06}, organization = {AT&T}, url = {https://www.alienvault.com/blogs/labs-research/internet-of-termites}, language = {English}, urldate = {2020-01-07} } @online{doman:20200516:recent:bb6d18e, author = {Chris Doman and James Campbell}, title = {{Recent Attacks Against Supercomputers}}, date = {2020-05-16}, organization = {Cado Security}, url = {https://www.cadosecurity.com/2020/05/16/1318/}, language = {English}, urldate = {2020-05-18} } @online{doman:20200611:ongoing:d94778b, author = {Chris Doman and James Campbell}, title = {{An Ongoing AWS Phishing Campaign}}, date = {2020-06-11}, organization = {Cado Security}, url = {https://www.cadosecurity.com/2020/06/11/an-ongoing-aws-phishing-campaign/}, language = {English}, urldate = {2020-06-12} } @online{donohue:20141125:regin:15d544f, author = {Brain Donohue}, title = {{Regin APT Attacks Among the Most Sophisticated Ever Analyzed}}, date = {2014-11-25}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/blog/regin-apt-most-sophisticated/6852/}, language = {English}, urldate = {2019-12-17} } @online{doraisjoncas:20120316:osximuler:badbc2e, author = {Alexis Dorais-Joncas}, title = {{OSX/Imuler updated: still a threat on Mac OS X}}, date = {2012-03-16}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2012/03/16/osximuler-updated-still-a-threat-on-mac-os-x/}, language = {English}, urldate = {2019-11-14} } @online{dorfman:20200715:exclusive:6a11ebe, author = {Zach Dorfman and Kim Zetter and Jenna McLaughlin and Sean D. Naylor}, title = {{Exclusive: Secret Trump order gives CIA more powers to launch cyberattacks}}, date = {2020-07-15}, organization = {Yahoo News}, url = {https://news.yahoo.com/secret-trump-order-gives-cia-more-powers-to-launch-cyberattacks-090015219.html}, language = {English}, urldate = {2020-07-16} } @online{dorneanu:20140707:disect:49df4ee, author = {Victor Dorneanu}, title = {{Disect Android APKs like a Pro - Static code analysis}}, date = {2014-07-07}, url = {http://blog.dornea.nu/2014/07/07/disect-android-apks-like-a-pro-static-code-analysis/}, language = {English}, urldate = {2020-01-07} } @online{douglas:20170309:spora:7038fba, author = {Kevin Douglas}, title = {{Spora Ransomware: Understanding the HTA Infection Vector}}, date = {2017-03-09}, organization = {Tenable}, url = {https://www.linkedin.com/pulse/spora-ransomware-understanding-hta-infection-vector-kevin-douglas}, language = {English}, urldate = {2020-01-10} } @online{downey:20190422:unpacking:2cb6558, author = {Mike Downey}, title = {{Unpacking & Decrypting FlawedAmmyy}}, date = {2019-04-22}, organization = {SANS}, url = {https://www.sans.org/reading-room/whitepapers/reverseengineeringmalware/unpacking-decrypting-flawedammyy-38930}, language = {English}, urldate = {2020-01-09} } @online{downs:20151016:surveillance:86d472f, author = {Rob Downs}, title = {{Surveillance Malware Trends: Tracking Predator Pain and HawkEye}}, date = {2015-10-16}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2015/10/surveillance-malware-trends-tracking-predator-pain-and-hawkeye/}, language = {English}, urldate = {2019-12-20} } @techreport{dragos:20170613:crashoverride:33b0a7e, author = {Dragos}, title = {{CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations}}, date = {2017-06-13}, institution = {Dragos}, url = {https://dragos.com/wp-content/uploads/CrashOverride-01.pdf}, language = {English}, urldate = {2020-01-13} } @techreport{dragos:20170613:crashoverride:ee53f66, author = {Dragos}, title = {{CRASHOVERRIDE: Analysis of the Threatto Electric Grid Operations}}, date = {2017-06-13}, institution = {Dragos}, url = {https://dragos.com/blog/crashoverride/CrashOverride-01.pdf}, language = {English}, urldate = {2020-01-10} } @techreport{dragos:20171213:trisis:43675c1, author = {Dragos}, title = {{TRISIS Malware: Analysis of Safety System Targeted Malware}}, date = {2017-12-13}, institution = {Dragos}, url = {https://dragos.com/blog/trisis/TRISIS-01.pdf}, language = {English}, urldate = {2020-01-13} } @techreport{dragos:20180301:industrial:6e4e898, author = {Dragos}, title = {{INDUSTRIAL CONTROL SYSTEM THREATS}}, date = {2018-03-01}, institution = {Dragos}, url = {https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf}, language = {English}, urldate = {2020-01-08} } @online{dragos:20180802:raspite:1873c25, author = {Dragos}, title = {{Raspite}}, date = {2018-08-02}, organization = {Dragos}, url = {https://dragos.com/blog/20180802Raspite.html}, language = {English}, urldate = {2020-01-13} } @online{dragos:20190403:allanite:46dcddd, author = {Dragos}, title = {{Allanite}}, date = {2019-04-03}, organization = {Dragos}, url = {https://dragos.com/blog/20180510Allanite.html}, language = {English}, urldate = {2020-01-09} } @techreport{dragos:20190801:global:2b76e8c, author = {Dragos}, title = {{Global Oil and Gas Cyber Threat Perspective}}, date = {2019-08-01}, institution = {Dragos}, url = {https://dragos.com/wp-content/uploads/Dragos-Oil-and-Gas-Threat-Perspective-2019.pdf}, language = {English}, urldate = {2020-01-09} } @online{dragos:2019:adversary:0237a20, author = {Dragos}, title = {{Adversary Reports}}, date = {2019}, organization = {Dragos}, url = {https://dragos.com/adversaries.html}, language = {English}, urldate = {2020-01-10} } @online{dragos:20200203:ekans:041a3ee, author = {Dragos}, title = {{EKANS Ransomware and ICS Operations}}, date = {2020-02-03}, organization = {Dragos}, url = {https://dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/}, language = {English}, urldate = {2020-02-04} } @online{drstache:20200212:manabotnet:9a3d3c6, author = {DrStache}, title = {{Tweet on ManaBotnet}}, date = {2020-02-12}, organization = {Twitter (@DrStache_)}, url = {https://twitter.com/DrStache_/status/1227662001247268864}, language = {English}, urldate = {2020-02-27} } @online{drweb:20120822:first:3c5cc7e, author = {Dr.Web}, title = {{The first Trojan in history to steal Linux and Mac OS X passwords}}, date = {2012-08-22}, organization = {Dr.Web}, url = {https://news.drweb.com/show/?i=2679&lng=en&c=14}, language = {English}, urldate = {2020-01-13} } @online{drweb:20140409:backdoorgootkit112a:b63758d, author = {Dr.Web}, title = {{BackDoor.Gootkit.112—a new multi-purpose backdoor}}, date = {2014-04-09}, organization = {Dr.Web}, url = {https://news.drweb.com/show/?i=4338&lng=en}, language = {English}, urldate = {2019-07-11} } @online{drweb:20160822:trojanmutabaha1:912e922, author = {Dr.Web}, title = {{Trojan.Mutabaha.1}}, date = {2016-08-22}, organization = {Dr.Web}, url = {http://vms.drweb.ru/virus/?_is=1&i=8477920}, language = {Russian}, urldate = {2020-01-09} } @online{drweb:20160908:doctor:00c53a5, author = {Dr.Web}, title = {{Doctor Web discovers Linux Trojan written in Rust}}, date = {2016-09-08}, organization = {Dr.Web}, url = {https://news.drweb.com/show/?c=5&i=10193&lng=en}, language = {English}, urldate = {2020-01-05} } @online{drweb:20170511:macbackdoorsystemd1:c74a3ef, author = {Dr.Web}, title = {{Mac.BackDoor.Systemd.1}}, date = {2017-05-11}, organization = {Dr.Web}, url = {https://vms.drweb.com/virus/?_is=1&i=15299312&lng=en}, language = {English}, urldate = {2020-01-08} } @online{drweb:20180807:doctor:4154c38, author = {Dr.Web}, title = {{Doctor Web discovered a clipper Trojan for Android}}, date = {2018-08-07}, organization = {Dr.Web}, url = {https://news.drweb.com/show?lng=en&i=12739}, language = {English}, urldate = {2020-01-13} } @online{drweb:20190508:new:06a3aa5, author = {Dr.Web}, title = {{A new threat for macOS spreads as WhatsApp}}, date = {2019-05-08}, organization = {Dr.Web}, url = {https://news.drweb.ru/show/?i=13281&c=23}, language = {English}, urldate = {2020-01-08} } @techreport{drweb:20200720:study:442ba99, author = {Dr.Web}, title = {{Study of the APT attacks onstate institutions inKazakhstan and Kyrgyzstan}}, date = {2020-07-20}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf}, language = {English}, urldate = {2020-07-22} } @online{dsouza:20190311:resecurity:8388bc5, author = {Melissa Dsouza}, title = {{Resecurity reports ‘IRIDUIM’ behind Citrix data breach, 200+ government agencies, oil and gas companies, and technology companies also targeted.}}, date = {2019-03-11}, organization = {Packt}, url = {https://hub.packtpub.com/resecurity-reports-iriduim-behind-citrix-data-breach-200-government-agencies-oil-and-gas-companies-and-technology-companies-also-targeted/}, language = {English}, urldate = {2020-01-10} } @online{ducharme:20190911:watchbog:7f5240b, author = {Luke DuCharme and Paul Lee}, title = {{Watchbog and the Importance of Patching}}, date = {2019-09-11}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2019/09/watchbog-patching.html}, language = {English}, urldate = {2020-05-18} } @online{ducklin:20140121:digitally:4a7a4ee, author = {Paul Ducklin}, title = {{Digitally signed data-stealing malware targets Mac users in “undelivered courier item” attack}}, date = {2014-01-21}, organization = {Sophos Naked Security}, url = {https://nakedsecurity.sophos.com/2014/01/21/data-stealing-malware-targets-mac-users-in-undelivered-courier-item-attack/}, language = {English}, urldate = {2020-01-09} } @online{ducklin:20160229:hawkeye:e5bd59b, author = {Paul Ducklin}, title = {{The “HawkEye” attack: how cybercrooks target small businesses for big money}}, date = {2016-02-29}, organization = {Sophos}, url = {https://nakedsecurity.sophos.com/2016/02/29/the-hawkeye-attack-how-cybercrooks-target-small-businesses-for-big-money/}, language = {English}, urldate = {2019-11-27} } @online{ducklin:20200624:glupteba:8f0c66a, author = {Paul Ducklin}, title = {{Glupteba - the malware that gets secret messages from the Bitcoin blockchain}}, date = {2020-06-24}, organization = {Sophos Naked Security}, url = {https://nakedsecurity.sophos.com/2020/06/24/glupteba-the-bot-that-gets-secret-messages-from-the-bitcoin-blockchain/}, language = {English}, urldate = {2020-06-26} } @online{dudek:20190410:trisis:480b199, author = {Marcin Dudek}, title = {{TRISIS / TRITON / HatMan Malware Repository}}, date = {2019-04-10}, organization = {Github (ICSrepo)}, url = {https://github.com/ICSrepo/TRISIS-TRITON-HATMAN}, language = {English}, urldate = {2019-07-09} } @techreport{dumont:20181201:dark:20efc15, author = {Romain Dumont and Marc-Etienne M.Léveillé and Hugo Porcher}, title = {{THE DARK SIDE OF THE FORSSHE: A landscape of OpenSSH backdoors}}, date = {2018-12-01}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf}, language = {English}, urldate = {2020-01-09} } @online{dumont:20190409:oceanlotus:eb8a99f, author = {Romain Dumont}, title = {{OceanLotus: macOS malware update}}, date = {2019-04-09}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/}, language = {English}, urldate = {2019-11-14} } @online{duncan:20160509:pseudodarkleech:5dff946, author = {Brad Duncan}, title = {{PSEUDO-DARKLEECH ANGLER EK FROM 185.118.66.154 SENDS BEDEP/CRYPTXXX}}, date = {2016-05-09}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2016/05/09/index.html}, language = {English}, urldate = {2020-01-08} } @online{duncan:20170117:eitest:f6e103b, author = {Brad Duncan}, title = {{EITEST RIG-V FROM 92.53.127.86 SENDS SPORA RANSOMWARE}}, date = {2017-01-17}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/01/17/index2.html}, language = {English}, urldate = {2020-01-13} } @online{duncan:20170117:vreikstadi:aea370f, author = {Brad Duncan}, title = {{Tweet on Vreikstadi Malspam}}, date = {2017-01-17}, organization = {Twitter (@malware_traffic)}, url = {https://twitter.com/malware_traffic/status/821483557990318080}, language = {English}, urldate = {2020-01-08} } @online{duncan:20170121:sage:cf422da, author = {Brad Duncan}, title = {{Sage 2.0 Ransomware}}, date = {2017-01-21}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/Sage+20+Ransomware/21959/}, language = {English}, urldate = {2019-07-11} } @online{duncan:20170403:dhl:b9c41a9, author = {Brad Duncan}, title = {{DHL Invoice Malspam/Photo Malspam}}, date = {2017-04-03}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/04/03/index2.html}, language = {English}, urldate = {2020-01-13} } @online{duncan:20170425:20170425:dfd0f09, author = {Brian Duncan}, title = {{2017-04-25 - "GOOD MAN" CAMPAIGN RIG EK SENDS LATENTBOT}}, date = {2017-04-25}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/04/25/index.html}, language = {English}, urldate = {2019-11-29} } @online{duncan:20170509:rig:c6b2df9, author = {Brad Duncan}, title = {{RIG EK SENDS BUNITU TROJAN}}, date = {2017-05-09}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/05/09/index.html}, language = {English}, urldate = {2020-01-08} } @online{duncan:20170516:20170516:920d589, author = {Brad Duncan}, title = {{2017-05-16 - MORE EXAMPLES OF MALSPAM PUSHING JAFF RANSOMWARE}}, date = {2017-05-16}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/05/16/index.html}, language = {English}, urldate = {2020-01-07} } @online{duncan:20170612:20170612:04b2c09, author = {Brian Duncan}, title = {{2017-06-12 - LOKI BOT MALSPAM - SUBJECT: RE: PURCHASE ORDER 457211}}, date = {2017-06-12}, organization = {Malware Traffic Analysis}, url = {http://www.malware-traffic-analysis.net/2017/06/12/index.html}, language = {English}, urldate = {2019-11-28} } @online{duncan:20170627:checking:23c2251, author = {Brad Duncan}, title = {{Checking out the new Petya variant}}, date = {2017-06-27}, organization = {SANS}, url = {https://isc.sans.edu/forums/diary/Checking+out+the+new+Petya+variant/22562/}, language = {English}, urldate = {2020-01-06} } @online{duncan:20170704:malspam:3713609, author = {Brad Duncan}, title = {{MALSPAM WITH JAVA-BASED RAT}}, date = {2017-07-04}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/07/04/index.html}, language = {English}, urldate = {2020-01-10} } @online{duncan:20170901:eitest:6388761, author = {Brad Duncan}, title = {{EITest: HoeflerText Popups Targeting Google Chrome Users Now Push RAT Malware}}, date = {2017-09-01}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/09/unit42-hoeflertext-popups-targeting-google-chrome-users-now-pushing-rat-malware/}, language = {English}, urldate = {2019-12-20} } @online{duncan:20171013:blank:71e7858, author = {Brad Duncan}, title = {{Blank Slate Malspam Stops Pushing Locky, Starts Pushing Sage 2.2 Randsomware}}, date = {2017-10-13}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/10/13/index.html}, language = {English}, urldate = {2020-01-13} } @online{duncan:20171102:20171102:dfff76e, author = {Brad Duncan}, title = {{2017-11-02 - ADVENTURES WITH SMOKE LOADER}}, date = {2017-11-02}, organization = {Malware Traffic Analysis}, url = {http://www.malware-traffic-analysis.net/2017/11/02/index.html}, language = {English}, urldate = {2020-01-06} } @online{duncan:20171123:necurs:15f819e, author = {Brad Duncan}, title = {{NECURS BOTNET MALSPAM PUSHES "SCARAB" RANSOMWARE}}, date = {2017-11-23}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/11/23/index.html}, language = {English}, urldate = {2020-01-10} } @online{duncan:20171222:malspam:4a3fd87, author = {Brad Duncan}, title = {{MALSPAM USES CVE-2017-0199 TO DISTRIBUTE REMCOS RAT}}, date = {2017-12-22}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/12/22/index.html}, language = {English}, urldate = {2019-07-11} } @online{duncan:20180104:malspam:ce2dfac, author = {Brad Duncan}, title = {{MALSPAM PUSHING PCRAT/GH0ST}}, date = {2018-01-04}, organization = {Malware Traffic Analysis}, url = {http://www.malware-traffic-analysis.net/2018/01/04/index.html}, language = {English}, urldate = {2019-12-24} } @online{duncan:20180201:quick:320f855, author = {Brad Duncan}, title = {{Quick Test Drive of Trickbot (It now has a Monero Module)}}, date = {2018-02-01}, organization = {Malware Traffic Analysis}, url = {http://www.malware-traffic-analysis.net/2018/02/01/}, language = {English}, urldate = {2019-07-09} } @online{duncan:20180307:ransomware:504a693, author = {Brad Duncan}, title = {{Ransomware news: GlobeImposter gets a facelift, GandCrab is still out there}}, date = {2018-03-07}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/23417}, language = {English}, urldate = {2020-01-06} } @online{duncan:20181204:malspam:8e2d810, author = {Brad Duncan}, title = {{Malspam pushing Lokibot malware}}, date = {2018-12-04}, url = {https://isc.sans.edu/diary/24372}, language = {English}, urldate = {2019-10-29} } @online{duncan:20181219:malspam:b8c4580, author = {Brad Duncan}, title = {{MALSPAM PUSHING THE MYDOOM WORM IS STILL A THING}}, date = {2018-12-19}, organization = {Malware Traffic Analysis}, url = {https://www.malware-traffic-analysis.net/2018/12/19/index.html}, language = {English}, urldate = {2020-01-13} } @online{duncan:20190117:emotet:0754347, author = {Brad Duncan}, title = {{Emotet infections and follow-up malware}}, date = {2019-01-17}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/Emotet+infections+and+followup+malware/24532/}, language = {English}, urldate = {2020-01-13} } @online{duncan:20190123:russian:150eb22, author = {Brad Duncan and Mike Harbison}, title = {{Russian Language Malspam Pushing Redaman Banking Malware}}, date = {2019-01-23}, url = {https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/}, language = {English}, urldate = {2020-01-06} } @online{duncan:20190220:more:a3216b8, author = {Brad Duncan}, title = {{More Russian language malspam pushing Shade (Troldesh) ransomware}}, date = {2019-02-20}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/More+Russian+language+malspam+pushing+Shade+Troldesh+ransomware/24668/}, language = {English}, urldate = {2020-01-13} } @online{duncan:20190522:shade:7647744, author = {Brad Duncan}, title = {{Shade Ransomware Hits High-Tech, Wholesale, Education Sectors in U.S, Japan, India, Thailand, Canada}}, date = {2019-05-22}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/shade-ransomware-hits-high-tech-wholesale-education-sectors-in-u-s-japan-india-thailand-canada/}, language = {English}, urldate = {2020-01-13} } @online{duncan:20190625:rig:31ecb33, author = {Brad Duncan}, title = {{Rig Exploit Kit sends Pitou.B Trojan}}, date = {2019-06-25}, organization = {SANS}, url = {https://isc.sans.edu/diary/rss/25068}, language = {English}, urldate = {2019-12-17} } @online{duncan:20190711:recent:bd25d5a, author = {Brad Duncan}, title = {{Recent AZORult activity}}, date = {2019-07-11}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/25120}, language = {English}, urldate = {2020-01-10} } @online{duncan:20191108:wireshark:f37b983, author = {Brad Duncan}, title = {{Wireshark Tutorial: Examining Trickbot Infections}}, date = {2019-11-08}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-trickbot-infections/}, language = {English}, urldate = {2020-01-06} } @online{duncan:20191122:trickbot:e14933b, author = {Brad Duncan}, title = {{Trickbot Updates Password Grabber Module}}, date = {2019-11-22}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/trickbot-updates-password-grabber-module/}, language = {English}, urldate = {2020-01-22} } @online{duncan:20191219:valak:a793639, author = {Brad Duncan}, title = {{Tweet on Valak Malware}}, date = {2019-12-19}, organization = {Twitter (@malware_traffic)}, url = {https://twitter.com/malware_traffic/status/1207824548021886977}, language = {English}, urldate = {2020-01-05} } @online{duncan:20191223:wireshark:11f95ab, author = {Brad Duncan}, title = {{Wireshark Tutorial: Examining Ursnif Infections}}, date = {2019-12-23}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-ursnif-infections/}, language = {English}, urldate = {2020-01-13} } @online{duncan:20200123:german:2c867b2, author = {Brad Duncan}, title = {{German language malspam pushes Ursnif}}, date = {2020-01-23}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/German+language+malspam+pushes+Ursnif/25732/}, language = {English}, urldate = {2020-01-26} } @online{duncan:20200528:goodbye:87a0245, author = {Brad Duncan}, title = {{Goodbye Mworm, Hello Nworm: TrickBot Updates Propagation Module}}, date = {2020-05-28}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/}, language = {English}, urldate = {2020-05-29} } @online{duncan:20200724:evolution:a372b2b, author = {Brad Duncan}, title = {{Evolution of Valak, from Its Beginnings to Mass Distribution}}, date = {2020-07-24}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/valak-evolution/}, language = {English}, urldate = {2020-08-05} } @online{dunwoody:20170403:dissecting:65071e7, author = {Matthew Dunwoody}, title = {{Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY)}}, date = {2017-04-03}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html}, language = {English}, urldate = {2019-12-20} } @online{dunwoody:20170404:poshspy:dc59dda, author = {Matthew Dunwoody}, title = {{POSHSPY backdoor code}}, date = {2017-04-04}, organization = {GitHub (matthewdunwoody)}, url = {https://github.com/matthewdunwoody/POSHSPY}, language = {English}, urldate = {2019-12-18} } @online{dunwoody:20181119:not:e581291, author = {Matthew Dunwoody and Andrew Thompson and Ben Withnell and Jonathan Leathery and Michael Matonis and Nick Carr}, title = {{Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign}}, date = {2018-11-19}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html}, language = {English}, urldate = {2019-12-20} } @online{duquette:20130124:linuxsshdoora:0b9dc3e, author = {Sébastien Duquette}, title = {{Linux/SSHDoor.A Backdoored SSH daemon that steals passwords}}, date = {2013-01-24}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2013/01/24/linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords/}, language = {English}, urldate = {2019-11-14} } @online{durando:20170426:bankbot:f7430c7, author = {Dario Durando and David Maciejak}, title = {{BankBot, the Prequel}}, date = {2017-04-26}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/bankbot-the-prequel.html}, language = {English}, urldate = {2019-12-17} } @online{durando:20170919:look:79fa513, author = {Dario Durando}, title = {{A Look Into The New Strain Of BankBot}}, date = {2017-09-19}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/a-look-into-the-new-strain-of-bankbot.html}, language = {English}, urldate = {2020-01-13} } @online{durando:20190703:bianlian:c6f94bb, author = {Dario Durando}, title = {{BianLian: A New Wave Emerges}}, date = {2019-07-03}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/new-wave-bianlian-malware.html}, language = {English}, urldate = {2019-12-24} } @online{durando:20190904:funkybot:625b9ba, author = {Dario Durando}, title = {{FunkyBot: A New Android Malware Family Targeting Japan}}, date = {2019-09-04}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/funkybot-malware-targets-japan.html}, language = {English}, urldate = {2020-01-13} } @online{dutcher:20130904:sykipot:3c79c33, author = {Darin Dutcher}, title = {{Sykipot Now Targeting US Civil Aviation Sector Information}}, date = {2013-09-04}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/}, language = {English}, urldate = {2020-01-08} } @online{dutcher:20130904:sykipot:8fffe0c, author = {Darin Dutcher}, title = {{Sykipot Now Targeting US Civil Aviation Sector Information}}, date = {2013-09-04}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/}, language = {English}, urldate = {2019-12-05} } @online{dwoskin:20190220:microsoft:9d4cb73, author = {Elizabeth Dwoskin and Craig Timberg}, title = {{Microsoft says it has found another Russian operation targeting prominent think tanks}}, date = {2019-02-20}, organization = {Washington Post}, url = {https://www.washingtonpost.com/technology/2019/02/20/microsoft-says-it-has-found-another-russian-operation-targeting-prominent-think-tanks/?utm_term=.870ff11468ae}, language = {English}, urldate = {2019-11-29} } @online{east:20150619:russian:fe2f7aa, author = {London South East}, title = {{Russian Hackers Suspected In Cyberattack On German Parliament}}, date = {2015-06-19}, organization = {London South East}, url = {http://www.lse.co.uk/AllNews.asp?code=kwdwehme&headline=Russian_Hackers_Suspected_In_Cyberattack_On_German_Parliament}, language = {English}, urldate = {2020-01-05} } @techreport{ebach:20170622:analysis:25ecd34, author = {Luca Ebach}, title = {{Analysis Results of Zeus.Variant.Panda}}, date = {2017-06-22}, institution = {G Data}, url = {https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf}, language = {English}, urldate = {2019-12-02} } @online{editor:20170118:flashback:4ac713f, author = {Editor}, title = {{Flashback Wednesday: Pakistani Brain}}, date = {2017-01-18}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/01/18/flashback-wednesday-pakistani-brain/}, language = {English}, urldate = {2019-11-14} } @online{editor:20171024:kiev:b706a68, author = {Editor}, title = {{Kiev metro hit with a new variant of the infamous Diskcoder ransomware}}, date = {2017-10-24}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/?utm_content=buffer8ffe4&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer}, language = {English}, urldate = {2019-11-14} } @online{edmondson:20190118:black:e66dcec, author = {Mark Edmondson}, title = {{BLACK ENERGY – Analysis}}, date = {2019-01-18}, url = {https://marcusedmondson.com/2019/01/18/black-energy-analysis/}, language = {English}, urldate = {2020-01-08} } @techreport{edwards:2011:survey:e95ca12, author = {Jeff Edwards and Jose Nazario}, title = {{A Survey of Contemporary Chinese DDoS Malware}}, date = {2011}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2011/Edwards-Nazario-VB2011.pdf}, language = {English}, urldate = {2020-01-06} } @techreport{edwards:20161016:hajime:e095dad, author = {Sam Edwards and Ioannis Profetis}, title = {{Hajime: Analysis of a decentralizedinternet worm for IoT devices}}, date = {2016-10-16}, institution = {RapidityNetworks}, url = {https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf}, language = {English}, urldate = {2020-01-09} } @online{eidgenossenschaft:20190812:trojaner:60574cc, author = {Schweizerische Eidgenossenschaft}, title = {{Trojaner Emotet greift Unternehmensnetzwerke an}}, date = {2019-08-12}, organization = {Schweizerische Eidgenossenschaft}, url = {https://www.melani.admin.ch/melani/de/home/dokumentation/newsletter/Trojaner_Emotet_greift_Unternehmensnetzwerke_an.html}, language = {German}, urldate = {2020-01-08} } @online{eisenkraft:20190619:check:0a79b2b, author = {Kobi Eisenkraft and Moshe Hayun}, title = {{Check Point’s Threat Emulation Stops Large-Scale Phishing Campaign in Germany}}, date = {2019-06-19}, organization = {Check Point}, url = {https://blog.checkpoint.com/2019/06/19/sandblast-agent-phishing-germany-campaign-security-hack-ransomware/}, language = {English}, urldate = {2020-01-08} } @online{elastic:20200630:detection:79c8fbe, author = {Elastic}, title = {{Detection Rules by Elastic}}, date = {2020-06-30}, organization = {Github (elastic)}, url = {https://github.com/elastic/detection-rules}, language = {English}, urldate = {2020-07-02} } @online{eldeeb:20190820:source:66124bb, author = {Sherif Eldeeb}, title = {{Source code: TinyMet}}, date = {2019-08-20}, organization = {Github (SherifEldeeb)}, url = {https://github.com/SherifEldeeb/TinyMet}, language = {English}, urldate = {2020-02-13} } @online{elder:20190625:ransomware:4b72d11, author = {Jeff Elder}, title = {{Ransomware strain Troldesh spikes again – Avast tracks new attacks}}, date = {2019-06-25}, organization = {Avast}, url = {https://blog.avast.com/ransomware-strain-troldesh-spikes}, language = {English}, urldate = {2020-01-09} } @online{elevenpaths:20180511:new:8c874e9, author = {ElevenPaths}, title = {{New report: Malware attacks Chilean banks and bypasses SmartScreen, by exploiting DLL Hijacking within popular software}}, date = {2018-05-11}, organization = {Think Big}, url = {http://blog.en.elevenpaths.com/2018/05/new-report-malware-attacks-chilean.html}, language = {English}, urldate = {2020-01-08} } @online{elshinbary:20200505:deep:f5661cb, author = {Abdallah Elshinbary}, title = {{Deep Analysis of Ryuk Ransomware}}, date = {2020-05-05}, organization = {N1ght-W0lf Blog}, url = {https://n1ght-w0lf.github.io/malware%20analysis/ryuk-ransomware/}, language = {English}, urldate = {2020-05-10} } @online{elshinbary:20200621:deep:1a39a3f, author = {Abdallah Elshinbary}, title = {{Deep Analysis of SmokeLoader}}, date = {2020-06-21}, organization = {N1ght-W0lf Blog}, url = {https://n1ght-w0lf.github.io/malware%20analysis/smokeloader/}, language = {English}, urldate = {2020-06-22} } @online{elshinbary:20200704:deep:bdfbd8a, author = {Abdallah Elshinbary}, title = {{Deep Analysis of Anubis Banking Malware}}, date = {2020-07-04}, organization = {N1ght-W0lf Blog}, url = {https://n1ght-w0lf.github.io/malware%20analysis/anubis-banking-malware/}, language = {English}, urldate = {2020-07-06} } @online{elshinbary:20200715:deep:9b38d20, author = {Abdallah Elshinbary}, title = {{Deep Analysis of QBot Banking Trojan}}, date = {2020-07-15}, organization = {N1ght-W0lf Blog}, url = {https://n1ght-w0lf.github.io/malware%20analysis/qbot-banking-trojan/}, language = {English}, urldate = {2020-07-16} } @techreport{elwell:20181001:attcking:3c6d888, author = {Regina Elwell and Katie Nickels}, title = {{ATT&CKing FIN7}}, date = {2018-10-01}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf}, language = {English}, urldate = {2020-06-25} } @online{endo:20180803:volatility:4597ce0, author = {Takuya Endo and Yukako Uchida}, title = {{Volatility Plugin for Detecting Cobalt Strike Beacon}}, date = {2018-08-03}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html}, language = {English}, urldate = {2019-07-11} } @techreport{eng:2011:nitro:656e464, author = {Erica Eng and Gavin O'Gorman}, title = {{The Nitro Attacks: Stealing Secrets from the Chemical Industry}}, date = {2011}, institution = {Symantec}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2011/the_nitro_attacks.pdf}, language = {English}, urldate = {2020-04-21} } @online{entdark:20170530:bankbot:4cb608c, author = {entdark}, title = {{Bankbot on Google Play}}, date = {2017-05-30}, organization = {Koodous}, url = {http://blog.koodous.com/2017/05/bankbot-on-google-play.html}, language = {English}, urldate = {2020-01-13} } @online{eremin:20190322:azorult:3080ee5, author = {Alexander Eremin}, title = {{AZORult++: Rewriting history}}, date = {2019-03-22}, organization = {Kaspersky Labs}, url = {https://securelist.com/azorult-analysis-history/89922/}, language = {English}, urldate = {2019-12-20} } @online{eremin:20200324:people:752ed0f, author = {Alexander Eremin}, title = {{People infected with coronavirus are all around you, says Ginp Trojan}}, date = {2020-03-24}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/blog/ginp-trojan-coronavirus-finder/34338/}, language = {English}, urldate = {2020-03-26} } @online{eremin:20200623:oh:4e55504, author = {Alexander Eremin}, title = {{Oh, what a boot-iful mornin’ Rovnix bootkit back in business}}, date = {2020-06-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/oh-what-a-boot-iful-mornin/97365}, language = {English}, urldate = {2020-06-23} } @online{erlich:20181025:game:af49ad1, author = {Chen Erlich and Yakov Goldberg}, title = {{Game of Trojans: Dissecting the #Khalesi Infostealer Malware}}, date = {2018-10-25}, organization = {enSilo}, url = {https://blog.ensilo.com/game-of-trojans-dissecting-khalesi-infostealer-malware}, language = {English}, urldate = {2020-01-06} } @online{erlich:20190716:avast:b3dec63, author = {Chen Erlich}, title = {{The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable}}, date = {2019-07-16}, organization = {enSilo}, url = {https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767}, language = {English}, urldate = {2020-04-13} } @online{erquiaga:20190412:analysis:bb76a6f, author = {María José Erquiaga}, title = {{Analysis of an IRC based Botnet}}, date = {2019-04-12}, organization = {Stratosphere Lab}, url = {https://www.stratosphereips.org/blog/2019/4/12/analysis-of-a-irc-based-botnet}, language = {English}, urldate = {2020-01-10} } @online{eschweiler:20181025:cutwail:494e458, author = {Sebastian Eschweiler and Brett Stone-Gross and Bex Hartley}, title = {{Cutwail Spam Campaign Uses Steganography to Distribute URLZone}}, date = {2018-10-25}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/cutwail-spam-campaign-uses-steganography-to-distribute-urlzone/}, language = {English}, urldate = {2019-12-20} } @online{escinsecurity:20180129:weekly:2cd5b6e, author = {EscInSecurity}, title = {{Weekly TrickBot Analysis - End of w/c 22-Jan-2018 to 1000119}}, date = {2018-01-29}, organization = {EscInSecurity}, url = {https://escinsecurity.blogspot.de/2018/01/weekly-trickbot-analysis-end-of-wc-22.html}, language = {English}, urldate = {2020-01-09} } @online{eset:20090805:pc:16d1905, author = {Eset}, title = {{PC Users Threatened by Conficker Worm and new Internet-browser Modifier}}, date = {2009-08-05}, organization = {ESET Research}, url = {https://www.eset.com/int/about/newsroom/press-releases/announcements/press-threatsense-report-july-2009/}, language = {English}, urldate = {2020-03-19} } @online{eset:20170627:new:891fe4f, author = {Eset}, title = {{New WannaCryptor‑like ransomware attack hits globally: All you need to know}}, date = {2017-06-27}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine/}, language = {English}, urldate = {2020-01-08} } @techreport{eset:201801:diplomats:89688b4, author = {Eset}, title = {{Diplomats in Eastern Europe bitten by a Turla mosquito}}, date = {2018-01}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf}, language = {English}, urldate = {2020-01-08} } @online{esparza:20091001:detecting:3586ef7, author = {Jose Miguel Esparza}, title = {{Detecting ZeuS}}, date = {2009-10-01}, organization = {Eternal Todo}, url = {http://eternal-todo.com/blog/detecting-zeus}, language = {English}, urldate = {2020-01-10} } @online{esparza:20091106:new:f49d94c, author = {Jose Miguel Esparza}, title = {{New ZeuS binary}}, date = {2009-11-06}, organization = {Eternal Todo}, url = {http://eternal-todo.com/blog/new-zeus-binary}, language = {English}, urldate = {2020-01-08} } @online{esparza:20100202:zeus:c1a8f1f, author = {Jose Miguel Esparza}, title = {{ZeuS spreading via Facebook}}, date = {2010-02-02}, organization = {EternalTODO Blog}, url = {http://eternal-todo.com/blog/zeus-spreading-facebook}, language = {English}, urldate = {2019-07-11} } @online{esparza:20130901:yet:d6bf0b6, author = {Jose Miguel Esparza}, title = {{Yet another Andromeda / Gamarue analysis}}, date = {2013-09-01}, organization = {Eternal Todo}, url = {https://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis}, language = {English}, urldate = {2020-01-10} } @online{esparza:20141005:dissecting:93f306b, author = {Jose Miguel Esparza}, title = {{Dissecting SmokeLoader (or Yulia's sweet ass proposition)}}, date = {2014-10-05}, organization = {Eternal Todo}, url = {https://eternal-todo.com/blog/smokeloader-analysis-yulia-photo}, language = {English}, urldate = {2020-01-13} } @online{esparza:20150417:andromedagamarue:2330f4e, author = {Jose Miguel Esparza}, title = {{Andromeda/Gamarue bot loves JSON too (new versions details)}}, date = {2015-04-17}, organization = {Eternal Todo}, url = {https://eternal-todo.com/blog/andromeda-gamarue-loves-json}, language = {English}, urldate = {2020-01-10} } @online{esparza:20191106:spanish:eaf5520, author = {Jose Miguel Esparza and Blueliv Team}, title = {{Spanish consultancy Everis suffers BitPaymer ransomware attack: a brief analysis}}, date = {2019-11-06}, organization = {Blueliv}, url = {https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/everis-bitpaymer-ransomware-attack-analysis-dridex/}, language = {English}, urldate = {2020-01-08} } @online{europol:20140710:global:63da679, author = {Europol}, title = {{Global Action Targeting Shylock Malware}}, date = {2014-07-10}, organization = {Europol}, url = {https://www.europol.europa.eu/newsroom/news/global-action-targeting-shylock-malware}, language = {English}, urldate = {2019-12-18} } @online{europol:20171204:andromeda:2024e4d, author = {Europol}, title = {{Andromeda botnet dismantled in international cyber operation}}, date = {2017-12-04}, organization = {Europol}, url = {https://www.europol.europa.eu/newsroom/news/andromeda-botnet-dismantled-in-international-cyber-operation}, language = {English}, urldate = {2020-01-09} } @online{europol:20181025:pay:d82bbfc, author = {Europol}, title = {{Pay No More: universal GandCrab decryption tool released for free on No More Ransom}}, date = {2018-10-25}, organization = {Europol}, url = {https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom}, language = {English}, urldate = {2019-11-26} } @online{europol:20190516:goznym:37f6fa9, author = {Europol}, title = {{GOZNYM MALWARE: CYBERCRIMINAL NETWORK DISMANTLED IN INTERNATIONAL OPERATION}}, date = {2019-05-16}, organization = {Europol}, url = {https://www.europol.europa.eu/newsroom/news/goznym-malware-cybercriminal-network-dismantled-in-international-operation}, language = {English}, urldate = {2019-12-18} } @online{evans:20190917:cryptocurrency:8f3a9e9, author = {Christopher Evans and David Liebenberg}, title = {{Cryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda”}}, date = {2019-09-17}, organization = {Talos}, url = {https://blog.talosintelligence.com/2019/09/panda-evolution.html}, language = {English}, urldate = {2019-10-31} } @online{evans:20200711:injecting:3d78e32, author = {Peter Evans and Rodel Mendrez}, title = {{Injecting Magecart into Magento Global Config}}, date = {2020-07-11}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/injecting-magecart-into-magento-global-config/}, language = {English}, urldate = {2020-07-15} } @online{evild3ad:20110430:bkatrojaner:f7e6f23, author = {evild3ad}, title = {{BKA-Trojaner (Ransomware)}}, date = {2011-04-30}, organization = {evild3ad blog}, url = {https://www.evild3ad.com/405/bka-trojaner-ransomware/}, language = {English}, urldate = {2020-01-06} } @online{ewane:20170609:macspy:608f090, author = {Peter Ewane}, title = {{MacSpy: OS X Mac RAT as a Service}}, date = {2017-06-09}, organization = {AT&T}, url = {https://www.alienvault.com/blogs/labs-research/macspy-os-x-rat-as-a-service}, language = {English}, urldate = {2019-12-04} } @techreport{ewhitehats:20180809:kovter:3181581, author = {eWhitehats}, title = {{Kovter Uncovered: Malware Teardown}}, date = {2018-08-09}, institution = {Github (ewhitehats)}, url = {https://github.com/ewhitehats/kovterTools/blob/master/KovterWhitepaper.pdf}, language = {English}, urldate = {2020-01-09} } @online{eybisi:20190407:mobile:c60bdb5, author = {Eybisi}, title = {{Mobile Malware Analysis : Tricks used in Anubis}}, date = {2019-04-07}, organization = {Eybisi}, url = {https://eybisi.run/Mobile-Malware-Analysis-Tricks-used-in-Anubis/}, language = {English}, urldate = {2020-01-08} } @online{f0rb1dd3n:20190304:reptile:cc8715f, author = {f0rb1dd3n}, title = {{Reptile}}, date = {2019-03-04}, organization = {Github (f0rb1dd3n)}, url = {https://github.com/f0rb1dd3n/Reptile}, language = {English}, urldate = {2020-01-10} } @online{f:20160512:hancitor:9c250c0, author = {Axel F and Matthew Mesa}, title = {{Hancitor and Ruckguv Reappear, Updated and With Vawtrak On Deck}}, date = {2016-05-12}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear}, language = {English}, urldate = {2019-12-20} } @online{f:20160707:nettraveler:a613df3, author = {Axel F}, title = {{NetTraveler APT Targets Russian, European Interests}}, date = {2016-07-07}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests}, language = {English}, urldate = {2019-12-20} } @online{f:20170427:targets:b3540fd, author = {Axel F}, title = {{APT Targets Financial Analysts with CVE-2017-0199}}, date = {2017-04-27}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts}, language = {English}, urldate = {2019-12-20} } @online{f:20171016:leviathan:a898346, author = {Axel F and Pierre T}, title = {{Leviathan: Espionage actor spearphishes maritime and defense targets}}, date = {2017-10-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets}, language = {English}, urldate = {2019-12-20} } @online{f:20190515:threat:06b415a, author = {Axel F and Proofpoint Threat Insight Team}, title = {{Threat Actor Profile: TA542, From Banker to Malware Distribution Service}}, date = {2019-05-15}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service}, language = {English}, urldate = {2019-12-20} } @online{f:20200318:coronavirus:8fe12a3, author = {Axel F and Sam Scholten}, title = {{Coronavirus Threat Landscape Update}}, date = {2020-03-18}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update}, language = {English}, urldate = {2020-03-26} } @online{facebook:20130215:protecting:491c151, author = {Facebook}, title = {{Protecting People On Facebook}}, date = {2013-02-15}, organization = {Facebook}, url = {https://www.facebook.com/notes/facebook-security/protecting-people-on-facebook/10151249208250766}, language = {English}, urldate = {2020-01-13} } @techreport{fagerland:2012:many:c938856, author = {Snorre Fagerland}, title = {{The many faces of Gh0st Rat}}, date = {2012}, institution = {Norman ASA}, url = {http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf}, language = {English}, urldate = {2019-12-20} } @techreport{fagerland:20131211:chinese:b7bb523, author = {Snorre Fagerland}, title = {{The Chinese Malware Complexes: The Maudi Surveillance Operation}}, date = {2013-12-11}, institution = {Norman Shark}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2012/NormanShark-MaudiOperation.pdf}, language = {English}, urldate = {2020-01-27} } @online{fagerland:20141209:blue:0d254a1, author = {Snorre Fagerland and Waylon Grange}, title = {{Blue Coat Exposes “The Inception Framework”; Very Sophisticated, Layered Malware Attack Targeted at Military, Diplomats, and Business Execs}}, date = {2014-12-09}, organization = {Blue Coat}, url = {https://web.archive.org/web/20160710180729/https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware}, language = {English}, urldate = {2020-04-21} } @techreport{fagerland:20141209:inception:1966734, author = {Snorre Fagerland and Waylon Grange}, title = {{The Inception Framework: Cloud-hosted APT}}, date = {2014-12-09}, institution = {Blue Coat}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/bcs_wp_InceptionReport_EN_v12914.pdf}, language = {English}, urldate = {2020-04-21} } @online{falcone:20150518:cmstar:3d947f0, author = {Robert Falcone}, title = {{Cmstar Downloader: Lurid and Enfal’s New Cousin}}, date = {2015-05-18}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20150727:ups:ae69e4c, author = {Robert Falcone and Richard Wartell}, title = {{UPS: Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload}}, date = {2015-07-27}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2015/07/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20150923:chinese:4faf76a, author = {Robert Falcone and Jen Miller-Osborn}, title = {{Chinese Actors Use ‘3102’ Malware in Attacks on US Government and EU Media}}, date = {2015-09-23}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20150923:chinese:7210cf9, author = {Robert Falcone and Jen Miller-Osborn}, title = {{Chinese Actors Use ‘3102’ Malware in Attacks on US Government and EU Media}}, date = {2015-09-23}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20151218:attack:e1f82ab, author = {Robert Falcone and Jen Miller-Osborn}, title = {{Attack on French Diplomat Linked to Operation Lotus Blossom}}, date = {2015-12-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/attack-on-french-diplomat-linked-to-operation-lotus-blossom/}, language = {English}, urldate = {2020-01-06} } @online{falcone:20160124:scarlet:c5ef791, author = {Robert Falcone and Jen Miller-Osborn}, title = {{Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists}}, date = {2016-01-24}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/scarlet-mimic-years-long-espionage-targets-minority-activists/}, language = {English}, urldate = {2020-01-08} } @online{falcone:20160203:emissary:99f3e21, author = {Robert Falcone and Jen Miller-Osborn}, title = {{Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?}}, date = {2016-02-03}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20160325:projectm:afcff3a, author = {Robert Falcone and Simon Conant}, title = {{ProjectM: Link Found Between Pakistani Actor and Operation Transparent Tribe}}, date = {2016-03-25}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe}, language = {English}, urldate = {2020-01-10} } @online{falcone:20160526:oilrig:89b6b4d, author = {Robert Falcone and Bryan Lee}, title = {{The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor}}, date = {2016-05-26}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20160526:oilrig:99f488f, author = {Robert Falcone and Bryan Lee}, title = {{The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor}}, date = {2016-05-26}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/}, language = {English}, urldate = {2020-01-13} } @online{falcone:20160614:new:0c98099, author = {Robert Falcone and Bryan Lee}, title = {{New Sofacy Attacks Against US Government Agency}}, date = {2016-06-14}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-new-sofacy-attacks-against-us-government-agency/}, language = {English}, urldate = {2019-10-29} } @online{falcone:20160614:new:1ba80fd, author = {Robert Falcone and Bryan Lee}, title = {{New Sofacy Attacks Against US Government Agency}}, date = {2016-06-14}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20160726:attack:2df4ff7, author = {Robert Falcone and Jen Miller-Osborn}, title = {{Attack Delivers ‘9002’ Trojan Through Google Drive}}, date = {2016-07-26}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/07/unit-42-attack-delivers-9002-trojan-through-google-drive/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20161017:dealerschoice:14aaca9, author = {Robert Falcone and Bryan Lee}, title = {{‘DealersChoice’ is Sofacy’s Flash Player Exploit Platform}}, date = {2016-10-17}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20161130:shamoon:6befcf1, author = {Robert Falcone}, title = {{Shamoon 2: Return of the Disttrack Wiper}}, date = {2016-11-30}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/?adbsc=social68389776&adbid=804134348374970368&adbpl=tw&adbpr=4487645412}, language = {English}, urldate = {2019-12-20} } @online{falcone:20161215:let:d1d1011, author = {Robert Falcone and Bryan Lee}, title = {{Let It Ride: The Sofacy Group’s DealersChoice Attacks Continue}}, date = {2016-12-15}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/}, language = {English}, urldate = {2020-01-07} } @online{falcone:20170109:second:2e36550, author = {Robert Falcone}, title = {{Second Wave of Shamoon 2 Attacks Identified}}, date = {2017-01-09}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-second-wave-shamoon-2-attacks-identified/}, language = {English}, urldate = {2020-01-07} } @online{falcone:20170214:xagentosx:33ef060, author = {Robert Falcone}, title = {{XAgentOSX: Sofacy’s XAgent macOS Tool}}, date = {2017-02-14}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20170326:shamoon:8a62f1a, author = {Robert Falcone and Bryan Lee}, title = {{Shamoon 2: Delivering Disttrack}}, date = {2017-03-26}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20170427:oilrig:fd3e813, author = {Robert Falcone}, title = {{OilRig Actors Provide a Glimpse into Development and Testing Efforts}}, date = {2017-04-27}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/}, language = {English}, urldate = {2020-01-07} } @online{falcone:20170727:oilrig:36046ef, author = {Robert Falcone and Bryan Lee}, title = {{OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group}}, date = {2017-07-27}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/}, language = {English}, urldate = {2019-11-16} } @online{falcone:20170731:twoface:8fe5f2d, author = {Robert Falcone and Bryan Lee}, title = {{TwoFace Webshell: Persistent Access Point for Lateral Movement}}, date = {2017-07-31}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-twoface-webshell-persistent-access-point-lateral-movement/}, language = {English}, urldate = {2020-01-07} } @online{falcone:20170926:striking:45926d9, author = {Robert Falcone and Bryan Lee}, title = {{Striking Oil: A Closer Look at Adversary Infrastructure}}, date = {2017-09-26}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-striking-oil-closer-look-adversary-infrastructure/}, language = {English}, urldate = {2020-01-08} } @online{falcone:20170926:striking:f9aa319, author = {Robert Falcone and Bryan Lee}, title = {{Striking Oil: A Closer Look at Adversary Infrastructure}}, date = {2017-09-26}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/09/unit42-striking-oil-closer-look-adversary-infrastructure/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20171009:oilrig:71ea256, author = {Robert Falcone and Bryan Lee}, title = {{OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan}}, date = {2017-10-09}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/}, language = {English}, urldate = {2019-10-14} } @online{falcone:20171108:oilrig:a8a3089, author = {Robert Falcone}, title = {{OilRig Deploys “ALMA Communicator” – DNS Tunneling Trojan}}, date = {2017-11-08}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/11/unit42-oilrig-deploys-alma-communicator-dns-tunneling-trojan/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20171211:oilrig:8d7f26f, author = {Robert Falcone}, title = {{OilRig Performs Tests on the TwoFace Webshell}}, date = {2017-12-11}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-oilrig-performs-tests-twoface-webshell/}, language = {English}, urldate = {2020-01-10} } @online{falcone:20180125:oilrig:80920f0, author = {Robert Falcone}, title = {{OilRig uses RGDoor IIS Backdoor on Targets in the Middle East}}, date = {2018-01-25}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/}, language = {English}, urldate = {2020-01-08} } @online{falcone:20180125:oilrig:ac00139, author = {Robert Falcone}, title = {{OilRig uses RGDoor IIS Backdoor on Targets in the Middle East}}, date = {2018-01-25}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20180727:new:90cdd2c, author = {Robert Falcone and Bryan Lee and Tom Lancaster}, title = {{New Threat Actor Group DarkHydrus Targets Middle East Government}}, date = {2018-07-27}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20180802:gorgon:06112b1, author = {Robert Falcone and David Fuertes and Josh Grunzweig and Kyle Wilhoit}, title = {{The Gorgon Group: Slithering Between Nation State and Cybercrime}}, date = {2018-08-02}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20180802:gorgon:8a338cc, author = {Robert Falcone and David Fuertes and Josh Grunzweig and Kyle Wilhoit}, title = {{The Gorgon Group: Slithering Between Nation State and Cybercrime}}, date = {2018-08-02}, url = {https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/}, language = {English}, urldate = {2019-11-29} } @online{falcone:20180807:darkhydrus:d449ea2, author = {Robert Falcone}, title = {{DarkHydrus Uses Phishery to Harvest Credentials in the Middle East}}, date = {2018-08-07}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-darkhydrus-uses-phishery-harvest-credentials-middle-east/}, language = {English}, urldate = {2020-01-09} } @online{falcone:20181116:analyzing:037fccb, author = {Robert Falcone and Kyle Wilhoit}, title = {{Analyzing OilRig’s Ops Tempo from Testing to Weaponization to Delivery}}, date = {2018-11-16}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-analyzing-oilrigs-ops-tempo-testing-weaponization-delivery/}, language = {English}, urldate = {2020-01-09} } @online{falcone:20181120:sofacy:b1ef88a, author = {Robert Falcone and Bryan Lee}, title = {{Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan}}, date = {2018-11-20}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20181120:sofacy:bb4fd84, author = {Robert Falcone and Bryan Lee}, title = {{Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan}}, date = {2018-11-20}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/}, language = {English}, urldate = {2020-01-08} } @online{falcone:20181213:shamoon:1623fe7, author = {Robert Falcone}, title = {{Shamoon 3 Targets Oil and Gas Organization}}, date = {2018-12-13}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/}, language = {English}, urldate = {2020-01-10} } @online{falcone:20181218:sofacy:3573b82, author = {Robert Falcone}, title = {{Sofacy Creates New ‘Go’ Variant of Zebrocy Tool}}, date = {2018-12-18}, organization = {paloalto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool/}, language = {English}, urldate = {2020-01-07} } @online{falcone:20190108:darkhydrus:3996fa4, author = {Robert Falcone and Bryan Lee}, title = {{DarkHydrus delivers new Trojan that can use Google Drive for C2 communications}}, date = {2019-01-08}, organization = {paloalto Netoworks: Unit42}, url = {https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/}, language = {English}, urldate = {2020-01-07} } @online{falcone:20190304:new:5bf1cea, author = {Robert Falcone and Brittany Ash}, title = {{New Python-Based Payload MechaFlounder Used by Chafer}}, date = {2019-03-04}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/}, language = {English}, urldate = {2019-12-24} } @online{falcone:20190416:dns:fed953e, author = {Robert Falcone}, title = {{DNS Tunneling in the Wild: Overview of OilRig’s DNS Tunneling}}, date = {2019-04-16}, url = {https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/}, language = {English}, urldate = {2019-12-03} } @online{falcone:20190417:aggah:f17c88f, author = {Robert Falcone and Brittany Ash}, title = {{Aggah Campaign: Bit.ly, BlogSpot, and Pastebin Used for C2 in Large Scale Campaign}}, date = {2019-04-17}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/}, language = {English}, urldate = {2020-01-07} } @online{falcone:20190528:emissary:dc0f942, author = {Robert Falcone and Tom Lancaster}, title = {{Emissary Panda Attacks Middle East Government Sharepoint Servers}}, date = {2019-05-28}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/}, language = {English}, urldate = {2020-01-09} } @online{falcone:20200303:molerats:990b000, author = {Robert Falcone and Bryan Lee and Alex Hinchliffe}, title = {{Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations}}, date = {2020-03-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/}, language = {English}, urldate = {2020-03-03} } @online{falcone:20200722:oilrig:4c26a7f, author = {Robert Falcone}, title = {{OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory}}, date = {2020-07-22}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/}, language = {English}, urldate = {2020-07-23} } @techreport{falliere:2009:zeus:73559c2, author = {Nicolas Falliere and Eric Chien}, title = {{Zeus: King of the Bots}}, date = {2009}, institution = {Symantec}, url = {http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf}, language = {English}, urldate = {2020-01-07} } @techreport{falliere:201107:sality:85158ba, author = {Nicolas Falliere}, title = {{Sality: Story of a Peerto-Peer Viral Network}}, date = {2011-07}, institution = {Symantec}, url = {https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf}, language = {English}, urldate = {2019-11-28} } @techreport{falliere:2012:w32qakbot:974b5b5, author = {Nicolas Falliere}, title = {{W32.Qakbot in Detail}}, date = {2012}, institution = {Symantec}, url = {http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf}, language = {English}, urldate = {2019-11-28} } @techreport{faou:201702:read:03c3c9e, author = {Matthieu Faou and Jean-Ian Boutin}, title = {{Read The Manual: A Guide to the RTM Banking Trojan}}, date = {2017-02}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf}, language = {English}, urldate = {2019-11-25} } @online{faou:20180905:powerpool:5cde83e, author = {Matthieu Faou}, title = {{PowerPool malware exploits ALPC LPE zero‑day vulnerability}}, date = {2018-09-05}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/}, language = {English}, urldate = {2019-11-14} } @online{faou:20190507:turla:0300283, author = {Matthieu Faou}, title = {{Turla LightNeuron: An email too far}}, date = {2019-05-07}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/05/07/turla-lightneuron-email-too-far/}, language = {English}, urldate = {2019-11-14} } @online{faou:20190529:dive:3afd32e, author = {Matthieu Faou and Romain Dumont}, title = {{A dive into Turla PowerShell usage}}, date = {2019-05-29}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/}, language = {English}, urldate = {2019-11-14} } @techreport{faou:201905:turla:5a8a05f, author = {Matthieu Faou}, title = {{TURLA LIGHTNEURON: One email away from remote code execution}}, date = {2019-05}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{faou:20191017:operation:b695c9b, author = {Matthieu Faou and Mathieu Tartare and Thomas Dupuy}, title = {{OPERATION GHOST The Dukes aren’t back — they never left}}, date = {2019-10-17}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf}, language = {English}, urldate = {2020-05-18} } @online{faou:20200312:tracking:913d16e, author = {Matthieu Faou}, title = {{Tracking Turla: New backdoor delivered via Armenian watering holes}}, date = {2020-03-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/}, language = {English}, urldate = {2020-03-13} } @online{faou:20200526:from:804e2da, author = {Matthieu Faou}, title = {{From Agent.BTZ to ComRAT v4: A ten‑year journey}}, date = {2020-05-26}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/26/agentbtz-comratv4-ten-year-journey/}, language = {English}, urldate = {2020-05-27} } @techreport{faou:20200526:from:89e2854, author = {Matthieu Faou}, title = {{From Agent.BTZ to ComRAT v4: A ten‑year journey (White Paper)}}, date = {2020-05-26}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf}, language = {English}, urldate = {2020-05-27} } @online{faouzi:20150929:andromeda:06d70c0, author = {Ayoub Faouzi}, title = {{Andromeda Bot Analysis part 1}}, date = {2015-09-29}, organization = {InfoSec Institute}, url = {http://resources.infosecinstitute.com/andromeda-bot-analysis/}, language = {English}, urldate = {2020-01-13} } @online{faouzi:20150929:andromeda:543098f, author = {Ayoub Faouzi}, title = {{Andromeda Bot Analysis part 2}}, date = {2015-09-29}, organization = {InfoSec Institute}, url = {http://resources.infosecinstitute.com/andromeda-bot-analysis-part-two/}, language = {English}, urldate = {2020-01-07} } @online{faouzi:20151009:beta:fffb6be, author = {Ayoub Faouzi}, title = {{Beta Bot Analysis: Part 1}}, date = {2015-10-09}, organization = {InfoSec Institute}, url = {http://resources.infosecinstitute.com/beta-bot-analysis-part-1/#gref}, language = {English}, urldate = {2020-01-07} } @online{faria:20200701:threat:54ff8db, author = {John Faria}, title = {{Threat Bulletin: Cutting-off the Command-and-Control Infrastructure of CollectorGoomba}}, date = {2020-07-01}, organization = {VMRay}, url = {https://www.vmray.com/cyber-security-blog/cutting-off-command-and-control-infrastructure-collectorgoomba-threat-bulletin}, language = {English}, urldate = {2020-07-02} } @online{faria:20200701:threat:b9163dc, author = {John Faria}, title = {{Threat Bulletin: Cutting-off the Command-and-Control Infrastructure of CollectorGoomba}}, date = {2020-07-01}, organization = {VMRay}, url = {https://www.vmray.com/cyber-security-blog/cutting-off-command-and-control-infrastructure-collectorgoomba-threat-bulletin/}, language = {English}, urldate = {2020-07-02} } @online{farina:20190111:avemaria:a3fd77c, author = {Antonio Farina and Luca Mella and Antonio Pirozzi}, title = {{The “AVE_MARIA” Malware}}, date = {2019-01-11}, organization = {Cybaze-Yorio Z-Lab}, url = {https://blog.yoroi.company/research/the-ave_maria-malware/}, language = {English}, urldate = {2019-11-26} } @techreport{farinholt:20200126:dark:9c2f434, author = {Brown Farinholt and Mohammad Rezaeirad and Damon McCoy and Kirill Levchenko}, title = {{Dark Matter: Uncovering the DarkComet RAT Ecosystem}}, date = {2020-01-26}, institution = {}, url = {https://www.sysnet.ucsd.edu/sysnet/miscpapers/darkmatter-www20.pdf}, language = {English}, urldate = {2020-03-07} } @online{fbi:20181220:chinese:06e7a78, author = {FBI}, title = {{Chinese Hackers Indicted - Members of APT 10 Group Targeted Intellectual Property and Confidential Business Information}}, date = {2018-12-20}, organization = {FBI}, url = {https://www.fbi.gov/news/stories/chinese-hackers-indicted-122018}, language = {English}, urldate = {2019-11-28} } @online{fbi:20200325:fbi:f2ba305, author = {FBI}, title = {{FBI Flash CP-000111-MW: Kwampirs Malware Indicators of Compromise Employed in Ongoing Cyber Supply Chain Campaign Targeting Global Industries}}, date = {2020-03-25}, organization = {FBI}, url = {http://www.documentcloud.org/documents/6821581-FLASH-CP-000111-MW-Downgraded-Version.html}, language = {English}, urldate = {2020-04-07} } @online{feeley:20190215:sinful:729f693, author = {Brendon Feeley and Bex Hartley}, title = {{“Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web}}, date = {2019-02-15}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/}, language = {English}, urldate = {2019-12-20} } @online{feeley:20190306:pinchy:f5060bd, author = {Brendon Feeley and Bex Hartley and Sergei Frankoff}, title = {{PINCHY SPIDER Affiliates Adopt “Big Game Hunting” Tactics to Distribute GandCrab Ransomware}}, date = {2019-03-06}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/}, language = {English}, urldate = {2019-12-20} } @online{feeley:20190320:new:07bf05b, author = {Brendon Feeley and Brett Stone-Gross}, title = {{New Evidence Proves Ongoing WIZARD SPIDER / LUNAR SPIDER Collaboration}}, date = {2019-03-20}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/}, language = {English}, urldate = {2019-12-20} } @online{fernandez:20190823:ransomware:dffa5db, author = {Manny Fernandez and David E. Sanger and Marina Trahan Martinez}, title = {{Ransomware Attacks Are Testing Resolve of Cities Across America}}, date = {2019-08-23}, organization = {The New York Times}, url = {https://www.nytimes.com/2019/08/22/us/ransomware-attacks-hacking.html}, language = {English}, urldate = {2020-01-13} } @online{ferrell:20200618:hiding:c2db03f, author = {John Ferrell}, title = {{Hiding In Plain Sight}}, date = {2020-06-18}, organization = {Medium Huntress Labs}, url = {https://blog.huntresslabs.com/hiding-in-plain-sight-556469e0a4e}, language = {English}, urldate = {2020-06-19} } @online{finkle:20130219:exclusive:fc04bd6, author = {Jim Finkle and Joseph Menn}, title = {{Exclusive: Apple, Macs hit by hackers who targeted Facebook}}, date = {2013-02-19}, organization = {Reuters}, url = {https://www.reuters.com/article/us-apple-hackers/exclusive-apple-macs-hit-by-hackers-who-targeted-facebook-idUSBRE91I10920130219}, language = {English}, urldate = {2020-01-09} } @online{finkle:20170105:taiwan:1c7585c, author = {Jim Finkle and J.R. Wu}, title = {{Taiwan ATM heist linked to European hacking spree: security firm}}, date = {2017-01-05}, organization = {Reuters}, url = {https://www.reuters.com/article/us-taiwan-cyber-atms/taiwan-atm-heist-linked-to-european-hacking-spree-security-firm-idUSKBN14P0CX}, language = {English}, urldate = {2020-01-07} } @techreport{fireeye:20130219:apt1:8d8a51a, author = {FireEye}, title = {{APT1: Exposing One of China’s Cyber Espionage Units}}, date = {2013-02-19}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf}, language = {English}, urldate = {2020-01-06} } @techreport{fireeye:2014:apt28:27799d1, author = {FireEye}, title = {{APT28}}, date = {2014}, institution = {FireEye}, url = {http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{fireeye:2014:apt28:277f9ab, author = {FireEye}, title = {{APT28: A Windows into Russia's Cyber Espionage Operations?}}, date = {2014}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf}, language = {English}, urldate = {2019-12-04} } @techreport{fireeye:2014:operation:2160679, author = {FireEye}, title = {{Operation Quantum Entanglement}}, date = {2014}, institution = {FireEye}, url = {http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf}, language = {English}, urldate = {2020-01-12} } @techreport{fireeye:201504:apt30:0129bf7, author = {FireEye}, title = {{APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION}}, date = {2015-04}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf}, language = {English}, urldate = {2020-01-07} } @techreport{fireeye:201505:hiding:8695fc2, author = {FireEye}, title = {{HIDING IN PLAIN SIGHT: FIREEYE AND MICROSOFT EXPOSE OBFUSCATION TACTIC}}, date = {2015-05}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf}, language = {English}, urldate = {2019-12-19} } @techreport{fireeye:20150908:two:c836c9a, author = {FireEye}, title = {{Two for One: Microsoft Office Encapsulated PostScriptand Windows Privilege Escalation Zero-Days}}, date = {2015-09-08}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/twoforonefinal.pdf}, language = {English}, urldate = {2020-01-20} } @techreport{fireeye:201511:pinpointing:03765ec, author = {FireEye}, title = {{PINPOINTING TARGETS: Exploiting Web Analytics to Ensnare Victims}}, date = {2015-11}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{fireeye:20160308:southeast:cc3c8de, author = {FireEye}, title = {{SOUTHEAST ASIA: AN EVOLVING CYBER THREAT LANDSCAPE}}, date = {2016-03-08}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf}, language = {English}, urldate = {2020-01-06} } @techreport{fireeye:20160426:apt31:ecc41bd, author = {FireEye}, title = {{APT31 Threat Group Profile}}, date = {2016-04-26}, institution = {FireEye}, url = {https://github.com/GuardaCyber/APT-Groups-and-Operations/blob/master/Reports/FireEye%20Intel%20-%20APT31%20Threat%20Group%20Profile.pdf}, language = {English}, urldate = {2019-10-13} } @techreport{fireeye:201604:follow:5df2e81, author = {FireEye}, title = {{Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6}}, date = {2016-04}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf}, language = {English}, urldate = {2020-04-23} } @online{fireeye:20160608:spear:0d7a2c9, author = {FireEye}, title = {{Spear Phishing Attacks: Why They are Successful and How to Stop Them}}, date = {2016-06-08}, organization = {FireEye}, url = {https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html}, language = {English}, urldate = {2020-01-09} } @online{fireeye:20170314:mtrend:0ea7d30, author = {FireEye}, title = {{M-Trend 2017: A View From the Front Lines}}, date = {2017-03-14}, organization = {FireEye}, url = {https://content.fireeye.com/m-trends/rpt-m-trends-2017}, language = {English}, urldate = {2020-06-03} } @techreport{fireeye:20170616:fin10:aa62677, author = {FireEye}, title = {{FIN10: Anatomy of a Cyber Extortion Operation}}, date = {2017-06-16}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf}, language = {English}, urldate = {2020-01-08} } @online{fireeye:20171201:advanced:da42c60, author = {FireEye}, title = {{Advanced Persistent Threat Groups}}, date = {2017-12-01}, organization = {FireEye}, url = {https://www.fireeye.com/current-threats/apt-groups.html}, language = {English}, urldate = {2020-01-07} } @online{fireeye:20180203:attacks:c65eb33, author = {FireEye}, title = {{Attacks Leveraging Adobe Zero-Day (CVE-2018-4878) – Threat Attribution, Attack Scenario and Recommendations}}, date = {2018-02-03}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/02/attacks-leveraging-adobe-zero-day.html}, language = {English}, urldate = {2020-04-06} } @online{fireeye:20180220:apt37:2ca8466, author = {FireEye}, title = {{APT37 (Reaper): The Overlooked North Korean Actor}}, date = {2018-02-20}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/02/apt37-overlooked-north-korean-actor.html}, language = {English}, urldate = {2019-12-20} } @techreport{fireeye:20180220:apt37:bc54ada, author = {FireEye}, title = {{APT37 (REAPER) The Overlooked North Korean Actor}}, date = {2018-02-20}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf}, language = {English}, urldate = {2019-12-20} } @online{fireeye:20180316:suspected:2a77316, author = {FireEye}, title = {{Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries}}, date = {2018-03-16}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html}, language = {English}, urldate = {2019-12-20} } @online{fireeye:2018:apt38:20161b7, author = {FireEye}, title = {{APT38}}, date = {2018}, organization = {FireEye}, url = {https://content.fireeye.com/apt/rpt-apt38}, language = {English}, urldate = {2020-01-13} } @techreport{fireeye:2018:apt38:c81b87d, author = {FireEye}, title = {{APT38}}, date = {2018}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/apt/rpt-apt38-2018.pdf}, language = {English}, urldate = {2020-01-07} } @techreport{fireeye:2018:forrester:ae307d3, author = {FireEye}, title = {{The Forrester New Wave™: External Threat Intelligence Services, Q3 2018.}}, date = {2018}, institution = {FireEye}, url = {http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{fireeye:2018:mtrends2018:f07ca60, author = {FireEye}, title = {{M-TRENDS2018}}, date = {2018}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf}, language = {English}, urldate = {2020-01-08} } @online{fireeye:20190411:mtrend:597b240, author = {FireEye}, title = {{M-Trend 2019}}, date = {2019-04-11}, organization = {FireEye}, url = {https://content.fireeye.com/m-trends/rpt-m-trends-2019}, language = {English}, urldate = {2020-01-10} } @online{fireeye:20190809:double:40f736e, author = {FireEye}, title = {{Double Dragon APT41, a dual espionage and cyber crime operation}}, date = {2019-08-09}, organization = {FireEye}, url = {https://content.fireeye.com/apt-41/rpt-apt41/}, language = {English}, urldate = {2019-12-18} } @online{fireeye:20190904:apt41:43d6dab, author = {FireEye}, title = {{APT41: Double Dragon APT41, a dual espionage and cyber crime operation}}, date = {2019-09-04}, organization = {FireEye}, url = {https://content.fireeye.com/apt-41/rpt-apt41}, language = {English}, urldate = {2020-01-13} } @online{fireeye:20190904:apt41:b5d6780, author = {FireEye}, title = {{APT41: Double Dragon APT41, a dual espionage and cyber crime operation}}, date = {2019-09-04}, organization = {FireEye}, url = {https://content.fireeye.com/api/pdfproxy?id=86840}, language = {English}, urldate = {2020-01-13} } @online{fireeye:20200219:mtrends:193613a, author = {FireEye}, title = {{M-Trends 2020}}, date = {2020-02-19}, organization = {FireEye}, url = {https://content.fireeye.com/m-trends/rpt-m-trends-2020}, language = {English}, urldate = {2020-02-20} } @online{firsh:20180503:whos:19ffd6f, author = {Alexey Firsh}, title = {{Who’s who in the Zoo}}, date = {2018-05-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/whos-who-in-the-zoo/85394/}, language = {English}, urldate = {2020-05-18} } @online{firsh:20180503:whos:79a3074, author = {Alexey Firsh}, title = {{Who’s who in the Zoo}}, date = {2018-05-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/whos-who-in-the-zoo/85394}, language = {English}, urldate = {2019-12-20} } @techreport{firsh:20180503:whos:b1957dc, author = {Alexey Firsh}, title = {{WHO’S WHO IN THEZOO. CYBERESPIONAGE OPERATION TARGETS ANDROID USERS IN THE MIDDLE EAST.}}, date = {2018-05-03}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf}, language = {English}, urldate = {2020-01-09} } @online{firsh:20180829:busygasper:bf544dd, author = {Alexey Firsh}, title = {{BusyGasper – the unfriendly spy}}, date = {2018-08-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/busygasper-the-unfriendly-spy/87627/}, language = {English}, urldate = {2019-12-20} } @online{firsh:20200326:ios:9898c0f, author = {Alexey Firsh and Kurt Baumgartner and Brian Bartholomew}, title = {{iOS exploit chain deploys LightSpy feature-rich malware}}, date = {2020-03-26}, organization = {Kaspersky Labs}, url = {https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/}, language = {English}, urldate = {2020-03-27} } @online{firsh:20200428:hiding:97cbb7b, author = {Alexey Firsh and Lev Pikman}, title = {{Hiding in plain sight: PhantomLance walks into a market}}, date = {2020-04-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-phantomlance/96772/}, language = {English}, urldate = {2020-05-05} } @online{fishbein:20200728:watch:cf3e499, author = {Nicole Fishbein and Michael Kajiloti}, title = {{Watch Your Containers: Doki Infecting Docker Servers in the Cloud}}, date = {2020-07-28}, organization = {Intezer}, url = {https://www.intezer.com/container-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/}, language = {English}, urldate = {2020-07-30} } @online{fisher:20130320:researchers:dcff6dc, author = {Dennis Fisher}, title = {{Researchers Uncover ‘TeamSpy’ Attack Campaign Against Government, Research Targets}}, date = {2013-03-20}, url = {https://threatpost.com/researchers-uncover-teamspy-attack-campaign-targeting-government-research-targets-032013/77646/}, language = {English}, urldate = {2019-11-20} } @online{fisher:20190212:groups:6605dcc, author = {Dennis Fisher}, title = {{APT Groups Moving Down the Supply Chain}}, date = {2019-02-12}, organization = {Duo}, url = {https://duo.com/decipher/apt-groups-moving-down-the-supply-chain}, language = {English}, urldate = {2019-11-26} } @techreport{fitzgibbon:20090401:confickerc:bb043d2, author = {Niall Fitzgibbon and Mike Wood}, title = {{Conficker.C A Technical Analysis}}, date = {2009-04-01}, institution = {Sophos Labs}, url = {https://www.sophos.com/fr-fr/medialibrary/PDFs/marketing%20material/confickeranalysis.pdf}, language = {English}, urldate = {2019-12-17} } @online{flade:20200505:brenjagd:96d209e, author = {Florian Flade and Georg Mascolo}, title = {{Bärenjagd}}, date = {2020-05-05}, url = {https://www.sueddeutsche.de/politik/hack-bundestag-angriff-russland-1.4891668}, language = {English}, urldate = {2020-05-05} } @online{flashpoint:20151207:flashpoint:3f5aee6, author = {Flashpoint and Talos}, title = {{Flashpoint and Talos Analyze the Curious Case of the flokibot Connector}}, date = {2015-12-07}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/flokibot-curious-case-brazilian-connector/}, language = {English}, urldate = {2019-11-20} } @online{flashpoint:20161003:multipurpose:436518b, author = {Flashpoint}, title = {{Multi-Purpose “Floki Bot” Emerges as New Malware Kit}}, date = {2016-10-03}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/cybercrime/floki-bot-emerges-new-malware-kit/}, language = {English}, urldate = {2020-01-07} } @online{flashpoint:20170126:dridex:2ca4920, author = {Flashpoint}, title = {{Dridex Banking Trojan Returns, Leverages New UAC Bypass Method}}, date = {2017-01-26}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog-dridex-banking-trojan-returns/}, language = {English}, urldate = {2020-01-08} } @online{flashpoint:20170525:linguistic:70ffc44, author = {Flashpoint}, title = {{Linguistic Analysis of WannaCry Ransomware Messages Suggests Chinese-Speaking Authors}}, date = {2017-05-25}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/linguistic-analysis-wannacry-ransomware/}, language = {English}, urldate = {2019-12-10} } @online{flashpoint:20170727:new:bb5c883, author = {Flashpoint}, title = {{New Version of “Trickbot” Adds Worm Propagation Module}}, date = {2017-07-27}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/}, language = {English}, urldate = {2020-01-13} } @online{flashpoint:20170825:wirex:2f29c36, author = {Flashpoint}, title = {{The WireX Botnet: How Industry Collaboration Disrupted a DDoS Attack}}, date = {2017-08-25}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/wirex-botnet-industry-collaboration/}, language = {English}, urldate = {2020-01-08} } @online{flashpoint:20180510:treasurehunter:d6e33c1, author = {Flashpoint}, title = {{TreasureHunter Point-of-Sale Malware and Builder Source Code Leaked}}, date = {2018-05-10}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/treasurehunter-source-code-leaked/}, language = {English}, urldate = {2020-01-08} } @techreport{flashpoint:202007:zeppelin:8c54ff6, author = {Flashpoint}, title = {{Zeppelin Ransomware Analysis}}, date = {2020-07}, institution = {Flashpoint}, url = {https://storage.pardot.com/272312/124918/Flashpoint_Hunt_Team___Zeppelin_Ransomware_Analysis.pdf}, language = {English}, urldate = {2020-08-14} } @techreport{flores:20120106:official:5984bcc, author = {Rick Flores}, title = {{Official Malware Report: Malware Reverse Engineering}}, date = {2012-01-06}, institution = {Exploit-DB}, url = {https://www.exploit-db.com/docs/english/18387-malware-reverse-engineering-part-1---static-analysis.pdf}, language = {English}, urldate = {2020-01-09} } @online{florio:20070717:trojangpcodere:f491e6b, author = {Elia Florio}, title = {{Trojan.Gpcoder.E}}, date = {2007-07-17}, organization = {Symantec}, url = {https://www.symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99&tabid=2}, language = {English}, urldate = {2020-01-10} } @online{flossman:20170216:viperrat:85bc048, author = {Michael Flossman}, title = {{ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar}}, date = {2017-02-16}, organization = {Lookout}, url = {https://blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/}, language = {English}, urldate = {2020-01-13} } @online{flossman:20170831:lookout:4dc3061, author = {Michael Flossman}, title = {{Lookout discovers sophisticated xRAT malware tied to 2014 “Xsser / mRAT” surveillance campaign against Hong Kong protesters}}, date = {2017-08-31}, organization = {Lookout}, url = {https://blog.lookout.com/xrat-mobile-threat}, language = {English}, urldate = {2020-01-09} } @online{flossman:20171020:jaderat:88e09f8, author = {Michael Flossman}, title = {{JadeRAT mobile surveillanceware spikes in espionage activity}}, date = {2017-10-20}, organization = {Lookout}, url = {http://paper.seebug.org/345/}, language = {English}, urldate = {2019-12-19} } @online{flossman:20171020:jaderat:946d7ac, author = {Michael Flossman}, title = {{JadeRAT mobile surveillanceware spikes in espionage activity}}, date = {2017-10-20}, organization = {Lookout}, url = {https://blog.lookout.com/mobile-threat-jaderat}, language = {English}, urldate = {2020-01-08} } @online{flossman:20171116:tropic:4cd1fde, author = {Michael Flossman}, title = {{Tropic Trooper goes mobile with Titan surveillanceware}}, date = {2017-11-16}, organization = {Lookout}, url = {https://blog.lookout.com/titan-mobile-threat}, language = {English}, urldate = {2020-01-06} } @online{fois:20190111:threat:5be977b, author = {Quentin Fois}, title = {{Threat Actor “Cold River”: Network Traffic Analysis and a Deep Dive on Agent Drable}}, date = {2019-01-11}, organization = {Lastline}, url = {https://www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/}, language = {English}, urldate = {2020-01-09} } @online{fokker:20181030:fallout:fa86aca, author = {John Fokker and Marc Rivero López}, title = {{Fallout Exploit Kit Releases the Kraken Ransomware on Its Victims}}, date = {2018-10-30}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/mcafee-labs/fallout-exploit-kit-releases-the-kraken-ransomware-on-its-victims/}, language = {English}, urldate = {2019-12-17} } @online{fokker:20190109:ryuk:350f477, author = {John Fokker and Christiaan Beek}, title = {{Ryuk Ransomware Attack: Rush to Attribution Misses the Point}}, date = {2019-01-09}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/}, language = {English}, urldate = {2020-01-09} } @techreport{fontarensky:20140711:eye:2641a17, author = {Ivan Fontarensky and Fabien Perigaud and Ronan Mouchoux and Cedric Pernet and David Bizeul}, title = {{The Eye of the Tiger}}, date = {2014-07-11}, institution = {Airbus Defence & Space}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/2014.07.11.Pitty_Tiger/Pitty_Tiger_Final_Report.pdf}, language = {English}, urldate = {2020-01-13} } @techreport{fontarensky:2014:eye:a4c3c1b, author = {Ivan Fontarensky and Fabien Perigaud and Ronan Mouchoux and Cedric Pernet and David Bizeul}, title = {{The Eye of the Tiger}}, date = {2014}, institution = {Airbus Defence & Space}, url = {https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf}, language = {English}, urldate = {2020-01-08} } @online{fortiguard:20190228:empiremonkey:9163175, author = {FortiGuard}, title = {{EmpireMonkey malware distribution}}, date = {2019-02-28}, organization = {Fortiguard}, url = {https://fortiguard.com/encyclopedia/botnet/7630456}, language = {English}, urldate = {2020-03-22} } @online{fortiguard:20190510:activity:4b58c05, author = {FortiGuard}, title = {{Activity Summary - Week Ending May 10, 2019}}, date = {2019-05-10}, organization = {Fortiguard}, url = {https://fortiguard.com/resources/threat-brief/2019/05/10/fortiguard-threat-intelligence-brief-may-10-2019}, language = {English}, urldate = {2019-11-28} } @online{foundation:20190516:goznym:37cf686, author = {The Shadowserver Foundation}, title = {{Goznym Indictments – action following on from successful Avalanche Operations}}, date = {2019-05-16}, organization = {The Shadowserver Foundation}, url = {https://www.shadowserver.org/news/goznym-indictments-action-following-on-from-successful-avalanche-operations/}, language = {English}, urldate = {2020-01-10} } @online{foundation:20200315:has:80a92d5, author = {Shadowserver Foundation}, title = {{Has The Sun Set On The Necurs Botnet?}}, date = {2020-03-15}, organization = {The Shadowserver Foundation}, url = {https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/}, language = {English}, urldate = {2020-03-17} } @online{fr3dhk:20200610:masslogger:c1f2c2f, author = {FR3D.HK}, title = {{MassLogger - Frankenstein's Creation}}, date = {2020-06-10}, organization = {FR3D.HK}, url = {https://fr3d.hk/blog/masslogger-frankenstein-s-creation}, language = {English}, urldate = {2020-06-18} } @online{franceschibicchierai:20150218:meet:2f64fcb, author = {Lorenzo Franceschi-Bicchierai}, title = {{Meet Babar, a New Malware Almost Certainly Created by France}}, date = {2015-02-18}, organization = {Vice Motherboard}, url = {https://motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france}, language = {English}, urldate = {2020-01-10} } @online{franceschibicchierai:20150705:spy:30cea5b, author = {Lorenzo Franceschi-Bicchierai}, title = {{Spy Tech Company 'Hacking Team' Gets Hacked}}, date = {2015-07-05}, organization = {Vice}, url = {https://www.vice.com/en_us/article/gvye3m/spy-tech-company-hacking-team-gets-hacked}, language = {English}, urldate = {2019-10-14} } @online{franceschibicchierai:20170921:this:b59488a, author = {Lorenzo Franceschi-Bicchierai}, title = {{This Ransomware Demands Nudes Instead of Bitcoin}}, date = {2017-09-21}, organization = {Vice}, url = {https://motherboard.vice.com/en_us/article/yw3w47/this-ransomware-demands-nudes-instead-of-bitcoin}, language = {English}, urldate = {2019-10-29} } @online{franceschibicchierai:20190329:researchers:5987d8a, author = {Lorenzo Franceschi-Bicchierai and Riccardo Coluccini}, title = {{Researchers Find Google Play Store Apps Were Actually Government Malware}}, date = {2019-03-29}, organization = {Vice Motherboard}, url = {https://motherboard.vice.com/en_us/article/43z93g/hackers-hid-android-malware-in-google-play-store-exodus-esurv}, language = {English}, urldate = {2020-01-06} } @online{franceschibicchierai:20190401:prosecutors:7880fc0, author = {Lorenzo Franceschi-Bicchierai}, title = {{Prosecutors Launch Investigation Into Company That Put Malware on Google Play Store}}, date = {2019-04-01}, organization = {Vice Motherboard}, url = {https://motherboard.vice.com/en_us/article/eveeq4/prosecutors-investigation-esurv-exodus-malware-on-google-play-store}, language = {English}, urldate = {2020-01-08} } @online{franceschibicchierai:20200721:worlds:666e813, author = {Lorenzo Franceschi-Bicchierai}, title = {{'World's Most Wanted Man' Involved in Bizarre Attempt to Buy Hacking Tools}}, date = {2020-07-21}, organization = {Vice}, url = {https://www.vice.com/en_us/article/jgxvdx/jan-marsalek-wirecard-bizarre-attempt-to-buy-hacking-team-spyware}, language = {English}, urldate = {2020-07-30} } @online{frank:20200430:eventbot:f5a167d, author = {Daniel Frank and Lior Rochberger and Yaron Rimmer and Assaf Dahan}, title = {{EVENTBOT: A NEW MOBILE BANKING TROJAN IS BORN}}, date = {2020-04-30}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born}, language = {English}, urldate = {2020-05-04} } @online{frank:20200716:bazar:3ed900d, author = {Daniel Frank and Mary Zhao and Assaf Dahan}, title = {{A Bazar of Tricks: Following Team9’s Development Cycles}}, date = {2020-07-16}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles}, language = {English}, urldate = {2020-07-16} } @online{frankoff:20141204:inside:80c0fea, author = {Sergei Frankoff}, title = {{Inside The New Asprox/Kuluoz (October 2013 - January 2014)}}, date = {2014-12-04}, url = {http://oalabs.openanalysis.net/2014/12/04/inside-the-new-asprox-kuluoz-october-2013-january-2014/}, language = {English}, urldate = {2020-01-08} } @online{frankoff:20180111:unpacking:bd095df, author = {Sergei Frankoff}, title = {{Unpacking Pykspa Malware With Python and IDA Pro - Subscriber Request Part 1}}, date = {2018-01-11}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=HfSQlC76_s4}, language = {English}, urldate = {2019-11-29} } @online{frankoff:20180304:unpacking:4d7dc7c, author = {Sergei Frankoff}, title = {{Unpacking Gootkit Malware With IDA Pro and X64dbg - Subscriber Request}}, date = {2018-03-04}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=242Tn0IL2jE}, language = {English}, urldate = {2020-01-08} } @online{frankoff:20180312:python:eb6b9f5, author = {Sergei Frankoff}, title = {{Python decryptor for newer AdWind config file}}, date = {2018-03-12}, organization = {Github (herrcore)}, url = {https://gist.github.com/herrcore/8336975475e88f9bc539d94000412885}, language = {English}, urldate = {2020-01-09} } @online{frankoff:20180520:unpacking:7db8c96, author = {Sergei Frankoff}, title = {{Unpacking Gootkit Part 2 - Debugging Anti-Analysis Tricks With IDA Pro and x64dbg}}, date = {2018-05-20}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=QgUlPvEE4aw}, language = {English}, urldate = {2020-01-08} } @online{frankoff:20181026:unpacking:b6155cc, author = {Sergei Frankoff}, title = {{Unpacking Bokbot / IcedID Malware - Part 1}}, date = {2018-10-26}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=wObF9n2UIAM}, language = {English}, urldate = {2020-01-08} } @online{frankoff:20181114:big:723025d, author = {Sergei Frankoff and Bex Hartley}, title = {{Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware}}, date = {2018-11-14}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/}, language = {English}, urldate = {2019-12-20} } @online{frankoff:20190822:remcos:b86c5bd, author = {Sergei Frankoff}, title = {{Remcos RAT Unpacked From VB6 With x64dbg Debugger}}, date = {2019-08-22}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=DIH4SvKuktM}, language = {English}, urldate = {2020-01-10} } @online{frankoff:20200126:ida:a8194b4, author = {Sergei Frankoff and Sean Wilson}, title = {{IDA Pro Automated String Decryption For REvil Ransomware}}, date = {2020-01-26}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=l2P5CMH9TE0}, language = {English}, urldate = {2020-01-27} } @online{frankoff:20200530:irc:a711f6e, author = {Sergei Frankoff}, title = {{IRC Botnet Reverse Engineering Part 1 - Preparing Binary for Analysis in IDA PRO}}, date = {2020-05-30}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=JPvcLLYR0tE}, language = {English}, urldate = {2020-06-05} } @online{frankoff:20200713:how:fd519be, author = {Sergei Frankoff and OALabs}, title = {{How To Sinkhole A Botnet}}, date = {2020-07-13}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=FAFuSO9oAl0}, language = {English}, urldate = {2020-07-16} } @online{frankowicz:20160512:latentbot:9506f35, author = {Kamil Frankowicz}, title = {{LatentBot – modularny i silnie zaciemniony bot}}, date = {2016-05-12}, organization = {CERT.PL}, url = {https://www.cert.pl/news/single/latentbot-modularny-i-silnie-zaciemniony-bot/}, language = {Polish}, urldate = {2019-12-18} } @online{frankowicz:20160810:cryptxxx:1ee108b, author = {Kamil Frankowicz}, title = {{CryptXXX \ CrypMIC – intensywnie dystrybuowany ransomware w ramach exploit-kitów}}, date = {2016-08-10}, organization = {CERT.PL}, url = {https://www.cert.pl/news/single/cryptxxx-crypmic-ransomware-dystrybuowany-ramach-exploit-kitow/}, language = {Polish}, urldate = {2019-10-14} } @online{fraser:20190807:apt41:ce48314, author = {Nalani Fraser and Fred Plan and Jacqueline O’Leary and Vincent Cannon and Raymond Leong and Dan Perez and Chi-en Shen}, title = {{APT41: A Dual Espionage and Cyber Crime Operation}}, date = {2019-08-07}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html}, language = {English}, urldate = {2019-12-20} } @online{french:20191204:ransomware:92a6fae, author = {David French}, title = {{Ransomware, interrupted: Sodinokibi and the supply chain}}, date = {2019-12-04}, organization = {Elastic}, url = {https://www.elastic.co/blog/ransomware-interrupted-sodinokibi-and-the-supply-chain}, language = {English}, urldate = {2020-06-30} } @online{fumik0:20181015:predator:9c3fcd9, author = {fumik0}, title = {{Predator The Thief: In-depth analysis (v2.3.5)}}, date = {2018-10-15}, organization = {fumik0 blog}, url = {https://fumik0.com/2018/10/15/predator-the-thief-in-depth-analysis-v2-3-5/}, language = {English}, urldate = {2020-01-10} } @online{fumik0:20181224:lets:f7dfc2c, author = {fumik0}, title = {{Let’s dig into Vidar – An Arkei Copycat/Forked Stealer (In-depth analysis)}}, date = {2018-12-24}, organization = {fumik0 blog}, url = {https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/}, language = {English}, urldate = {2020-01-13} } @online{fumik0:2018:entry:62d5ae4, author = {fumik0}, title = {{Entry on Rarog}}, date = {2018}, organization = {fumik0 malware tracker}, url = {https://tracker.fumik0.com/malware/Rarog}, language = {English}, urldate = {2020-01-08} } @online{fumik0:20190503:lets:39770a3, author = {fumik0}, title = {{Let’s nuke Megumin Trojan}}, date = {2019-05-03}, organization = {fumik0 blog}, url = {https://fumik0.com/2019/05/03/lets-nuke-megumin-trojan/}, language = {English}, urldate = {2019-11-28} } @online{fumko:20190325:lets:e773175, author = {fumko}, title = {{Let’s play with Qulab, an exotic malware developed in AutoIT}}, date = {2019-03-25}, url = {https://fumik0.com/2019/03/25/lets-play-with-qulab-an-exotic-malware-developed-in-autoit/}, language = {English}, urldate = {2020-01-05} } @online{fumko:20190524:overview:7963f07, author = {fumko}, title = {{Overview of Proton Bot, another loader in the wild!}}, date = {2019-05-24}, url = {https://fumik0.com/2019/05/24/overview-of-proton-bot-another-loader-in-the-wild/}, language = {English}, urldate = {2019-12-19} } @online{funko:20191225:lets:599836d, author = {funko}, title = {{Let’s play (again) with Predator the thief}}, date = {2019-12-25}, url = {https://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief/}, language = {English}, urldate = {2020-01-08} } @online{gahr:201710:lokibot:45755da, author = {Wesley Gahr and Pham Duy Phuc and Niels Croese}, title = {{LokiBot - The first hybrid Android malware}}, date = {2017-10}, organization = {Threat Fabric}, url = {https://www.threatfabric.com/blogs/lokibot_the_first_hybrid_android_malware.html}, language = {English}, urldate = {2019-12-19} } @techreport{gaiscert:20200527:dridex:90bd3bd, author = {GAIS-CERT}, title = {{Dridex Banking Trojan Technical Analysis Report}}, date = {2020-05-27}, institution = {GAIS-CERT}, url = {https://gaissecurity.com/uploads/csirt/EN-Dridex-banking-trojan.pdf}, language = {English}, urldate = {2020-06-24} } @online{gallagher:20150805:newly:dc763a1, author = {Sean Gallagher}, title = {{Newly discovered Chinese hacking group hacked 100+ websites to use as “watering holes”}}, date = {2015-08-05}, organization = {Ars Technica}, url = {https://arstechnica.com/information-technology/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/}, language = {English}, urldate = {2020-01-06} } @online{gallagher:20170421:researchers:f1ea70c, author = {Sean Gallagher}, title = {{Researchers claim China trying to hack South Korea missile defense efforts}}, date = {2017-04-21}, organization = {Ars Technica}, url = {https://arstechnica.com/information-technology/2017/04/researchers-claim-china-trying-to-hack-south-korea-missile-defense-efforts/}, language = {English}, urldate = {2020-01-08} } @online{gallagher:20190508:robbinhood:a7fdd3f, author = {Sean Gallagher}, title = {{“RobbinHood” ransomware takes down Baltimore City government networks}}, date = {2019-05-08}, organization = {Ars Technica}, url = {https://arstechnica.com/information-technology/2019/05/baltimore-city-government-hit-by-robbinhood-ransomware/}, language = {English}, urldate = {2019-12-18} } @online{gallagher:20200727:prolock:4992cfc, author = {Sean Gallagher}, title = {{ProLock ransomware gives you the first 8 kilobytes of decryption for free}}, date = {2020-07-27}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2020/07/27/prolock-ransomware-gives-you-the-first-8-kilobytes-of-decryption-for-free/}, language = {English}, urldate = {2020-07-30} } @online{galperin:20140119:vietnamese:6ff15b6, author = {Eva Galperin and Morgan Marquis-Boire}, title = {{Vietnamese Malware Gets Very Personal}}, date = {2014-01-19}, organization = {Electronic Frontier Foundation}, url = {https://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal}, language = {English}, urldate = {2020-01-13} } @techreport{galperin:201608:operation:38ba7ff, author = {Eva Galperin and Cooper Quintin and Morgan Marquis-Boire and Claudio Guarnieri}, title = {{Operation Manul}}, date = {2016-08}, institution = {Electronic Frontier Foundation}, url = {https://www.eff.org/files/2018/01/29/operation-manul.pdf}, language = {English}, urldate = {2020-06-08} } @online{gamblin:20170715:mirai:72ffffb, author = {Jerry Gamblin}, title = {{Mirai BotNet Source Code}}, date = {2017-07-15}, organization = {Github (jgamblin)}, url = {https://github.com/jgamblin/Mirai-Source-Code}, language = {English}, urldate = {2019-12-17} } @online{gandhi:20160810:android:81912fe, author = {Viral Gandhi}, title = {{Android Marcher: Continuously Evolving Mobile Malware}}, date = {2016-08-10}, organization = {Zscaler}, url = {https://www.zscaler.de/blogs/research/android-marcher-continuously-evolving-mobile-malware}, language = {English}, urldate = {2020-01-10} } @online{gandler:20200330:zeus:bef1da7, author = {Amir Gandler and Limor Kessem}, title = {{Zeus Sphinx Trojan Awakens Amidst Coronavirus Spam Frenzy}}, date = {2020-03-30}, organization = {IBM}, url = {https://securityintelligence.com/posts/zeus-sphinx-trojan-awakens-amidst-coronavirus-spam-frenzy/}, language = {English}, urldate = {2020-04-01} } @online{ganti:2004:mydoom:461c630, author = {Srinivas Ganti}, title = {{MyDoom and its backdoor}}, date = {2004}, organization = {GIAC}, url = {https://www.giac.org/paper/gcih/619/mydoom-backdoor/106503}, language = {English}, urldate = {2019-12-05} } @online{garage4hackers:20140921:reversing:33b3a34, author = {garage4hackers}, title = {{Reversing Tinba: World's smallest trojan-banker DGA Code}}, date = {2014-09-21}, organization = {garage4hackers}, url = {http://garage4hackers.com/entry.php?b=3086}, language = {English}, urldate = {2019-07-11} } @online{gardo:20160323:new:c7c1042, author = {Tomáš Gardoň}, title = {{New self‑protecting USB trojan able to avoid detection}}, date = {2016-03-23}, organization = {ESET Research}, url = {http://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-able-to-avoid-detection/}, language = {English}, urldate = {2019-12-20} } @online{gardo:20170822:gamescom:764a8eb, author = {Tomáš Gardoň}, title = {{Gamescom 2017: It’s all fun and games until black hats step in}}, date = {2017-08-22}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/08/22/gamescom-2017-fun-blackhats/}, language = {English}, urldate = {2019-11-14} } @online{gastesi:20100907:zeus:330336f, author = {Mikel Gastesi}, title = {{ZeuS: The missing link}}, date = {2010-09-07}, organization = {S21sec}, url = {https://www.s21sec.com/en/zeus-the-missing-link/}, language = {English}, urldate = {2020-01-17} } @online{gatlan:20190517:teamviewer:563f298, author = {Sergiu Gatlan}, title = {{TeamViewer Confirms Undisclosed Breach From 2016}}, date = {2019-05-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/teamviewer-confirms-undisclosed-breach-from-2016/}, language = {English}, urldate = {2019-12-20} } @online{gatlan:20191018:maze:fb2c4b6, author = {Sergiu Gatlan}, title = {{Maze Ransomware Now Delivered by Spelevo Exploit Kit}}, date = {2019-10-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-now-delivered-by-spelevo-exploit-kit/}, language = {English}, urldate = {2019-12-17} } @online{gatlan:20191118:linux:3b44951, author = {Sergiu Gatlan}, title = {{Linux, Windows Users Targeted With New ACBackdoor Malware}}, date = {2019-11-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/linux-windows-users-targeted-with-new-acbackdoor-malware/}, language = {English}, urldate = {2020-01-13} } @online{gatlan:20191209:snatch:04dbbf3, author = {Sergiu Gatlan}, title = {{Snatch Ransomware Reboots to Windows Safe Mode to Bypass AV Tools}}, date = {2019-12-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/snatch-ransomware-reboots-to-windows-safe-mode-to-bypass-av-tools/}, language = {English}, urldate = {2020-01-07} } @online{gatlan:20200110:sodinokibi:73cbf66, author = {Sergiu Gatlan}, title = {{Sodinokibi Ransomware Hits New York Airport Systems}}, date = {2020-01-10}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-new-york-airport-systems/}, language = {English}, urldate = {2020-01-20} } @online{gatlan:20200123:sodinokibi:86b1d46, author = {Sergiu Gatlan}, title = {{Sodinokibi Ransomware Threatens to Publish Data of Automotive Group}}, date = {2020-01-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-threatens-to-publish-data-of-automotive-group/}, language = {English}, urldate = {2020-01-23} } @online{gatlan:20200207:ta505:7a8e5a2, author = {Sergiu Gatlan}, title = {{TA505 Hackers Behind Maastricht University Ransomware Attack}}, date = {2020-02-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ta505-hackers-behind-maastricht-university-ransomware-attack/}, language = {English}, urldate = {2020-02-13} } @online{gatlan:20200330:banking:9d302f2, author = {Sergiu Gatlan}, title = {{Banking Malware Spreading via COVID-19 Relief Payment Phishing}}, date = {2020-03-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/banking-malware-spreading-via-covid-19-relief-payment-phishing/}, language = {English}, urldate = {2020-04-01} } @online{gatlan:20200403:microsoft:c12a844, author = {Sergiu Gatlan}, title = {{Microsoft: Emotet Took Down a Network by Overheating All Computers}}, date = {2020-04-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/microsoft-emotet-took-down-a-network-by-overheating-all-computers/}, language = {English}, urldate = {2020-04-08} } @online{gatlan:20200414:ragnarlocker:2a77ec4, author = {Sergiu Gatlan}, title = {{RagnarLocker ransomware hits EDP energy giant, asks for €10M}}, date = {2020-04-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ragnarlocker-ransomware-hits-edp-energy-giant-asks-for-10m/}, language = {English}, urldate = {2020-04-16} } @online{gatlan:20200616:chipmaker:0e801b8, author = {Sergiu Gatlan}, title = {{Chipmaker MaxLinear reports data breach after Maze Ransomware attack}}, date = {2020-06-16}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/chipmaker-maxlinear-reports-data-breach-after-maze-ransomware-attack/}, language = {English}, urldate = {2020-06-17} } @online{gatlan:20200626:admin:044ef9a, author = {Sergiu Gatlan}, title = {{Admin of carding portal behind $568M in losses pleads guilty}}, date = {2020-06-26}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/admin-of-carding-portal-behind-568m-in-losses-pleads-guilty/}, language = {English}, urldate = {2020-06-29} } @online{gatlan:20200630:evilquest:b90c9ad, author = {Sergiu Gatlan}, title = {{EvilQuest wiper uses ransomware cover to steal files from Macs}}, date = {2020-06-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/evilquest-wiper-uses-ransomware-cover-to-steal-files-from-macs/}, language = {English}, urldate = {2020-07-01} } @online{gatlan:20200724:garmin:05d9247, author = {Sergiu Gatlan}, title = {{Garmin outage caused by confirmed WastedLocker ransomware attack}}, date = {2020-07-24}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/garmin-outage-caused-by-confirmed-wastedlocker-ransomware-attack/}, language = {English}, urldate = {2020-07-30} } @online{gatlan:20200728:emotet:37429c5, author = {Sergiu Gatlan}, title = {{Emotet malware now steals your email attachments to attack contacts}}, date = {2020-07-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/emotet-malware-now-steals-your-email-attachments-to-attack-contacts/}, language = {English}, urldate = {2020-07-30} } @online{gavriel:20180103:new:34da39b, author = {Hod Gavriel}, title = {{New LockPoS Malware Injection Technique}}, date = {2018-01-03}, organization = {Cyberbit}, url = {https://www.cyberbit.com/new-lockpos-malware-injection-technique/}, language = {English}, urldate = {2019-11-28} } @online{gavriel:20180411:new:9ed9a94, author = {Hod Gavriel and Boris Erbesfeld}, title = {{New ‘Early Bird’ Code Injection Technique Discovered}}, date = {2018-04-11}, organization = {Cyberbit}, url = {https://www.cyberbit.com/blog/endpoint-security/new-early-bird-code-injection-technique-discovered/}, language = {English}, urldate = {2020-03-03} } @online{gavriel:20180806:backswap:f13384a, author = {Hod Gavriel and Boris Erbesfeld}, title = {{BackSwap Banker Malware Hides Inside Replicas of Legitimate Programs}}, date = {2018-08-06}, organization = {Cyberbit}, url = {https://www.cyberbit.com/blog/endpoint-security/backswap-banker-malware-hides-inside-replicas-of-legitimate-programs/}, language = {English}, urldate = {2019-11-22} } @online{gavriel:20180814:latest:7df6364, author = {Hod Gavriel}, title = {{Latest Trickbot Variant has New Tricks Up Its Sleeve}}, date = {2018-08-14}, organization = {Cyberbit}, url = {https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/}, language = {English}, urldate = {2019-11-26} } @online{gavriel:20190130:new:6e4ec87, author = {Hod Gavriel}, title = {{New Ursnif Malware Variant – a Stunning Matryoshka (Матрёшка)}}, date = {2019-01-30}, organization = {Cyberbit}, url = {https://www.cyberbit.com/blog/endpoint-security/new-ursnif-malware-variant/}, language = {English}, urldate = {2020-01-08} } @online{gavriel:20190612:formbook:8dc2df9, author = {Hod Gavriel}, title = {{Formbook Research Hints Large Data Theft Attack Brewing}}, date = {2019-06-12}, organization = {Cyberbit}, url = {https://www.cyberbit.com/blog/endpoint-security/formbook-research-hints-large-data-theft-attack-brewing/}, language = {English}, urldate = {2019-12-04} } @online{gavriel:20190813:hawkeye:379a3e4, author = {Hod Gavriel}, title = {{HawkEye Malware Changes Keylogging Technique}}, date = {2019-08-13}, organization = {Cyberbit}, url = {https://www.cyberbit.com/blog/endpoint-security/hawkeye-malware-keylogging-technique/}, language = {English}, urldate = {2020-01-08} } @online{gavriel:20191121:dtrack:fe6fbbc, author = {Hod Gavriel}, title = {{Dtrack: In-depth analysis of APT on a nuclear power plant}}, date = {2019-11-21}, organization = {Cyberbit}, url = {https://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/}, language = {English}, urldate = {2020-01-13} } @techreport{gazer:201708:gazing:b454362, author = {Gazing at Gazer and Turla’s new second stage backdoor}, title = {{Gazing at Gazer Turla’s new second stage backdoor}}, date = {2017-08}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf}, language = {English}, urldate = {2020-01-08} } @online{gbrindisi:20160323:gozi:aa28233, author = {gbrindisi}, title = {{Gozi ISFB Sourceccode}}, date = {2016-03-23}, organization = {Github (gbrindisi)}, url = {https://github.com/gbrindisi/malware/tree/master/windows/gozi-isfb}, language = {English}, urldate = {2020-01-13} } @online{gdata:20180629:where:6b57825, author = {G-Data}, title = {{Where we go, we don't need files: Analysis of fileless malware "Rozena"}}, date = {2018-06-29}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2018/06/30862-fileless-malware-rozena}, language = {English}, urldate = {2020-01-13} } @online{gdata:20190509:strange:2e58aae, author = {G-Data}, title = {{Strange Bits: HTML Smuggling and GitHub Hosted Malware}}, date = {2019-05-09}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2019/05/31695-strange-bits-smuggling-malware-github}, language = {English}, urldate = {2019-12-10} } @online{ge:20110909:bios:c162598, author = {Livian Ge}, title = {{BIOS Threat is Showing up Again!}}, date = {2011-09-09}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/bios-threat-showing-again}, language = {English}, urldate = {2019-12-10} } @online{geenens:20180201:jenx:8b824f5, author = {Pascal Geenens}, title = {{JenX – Los Calvos de San Calvicie}}, date = {2018-02-01}, organization = {Radware Blog}, url = {https://blog.radware.com/security/2018/02/jenx-los-calvos-de-san-calvicie/}, language = {English}, urldate = {2019-07-10} } @techreport{geffner:20130719:endtoend:0b46196, author = {Jason Geffner}, title = {{End-to-End Analysis of a Domain Generating Algorithm Malware Family}}, date = {2013-07-19}, institution = {BlackHat}, url = {https://media.blackhat.com/us-13/US-13-Geffner-End-To-End-Analysis-of-a-Domain-Generating-Algorithm-Malware-Family-WP.pdf}, language = {English}, urldate = {2020-01-13} } @techreport{gemini:20200707:full:283dfdd, author = {GEMINI}, title = {{Full list of all the 570+ sites that the Keeper gang hacked since April 2017}}, date = {2020-07-07}, institution = {}, url = {https://geminiadvisory.io/wp-content/uploads/2020/07/Appendix-C-1.pdf}, language = {English}, urldate = {2020-07-08} } @online{gemini:20200707:keeper:b2f882b, author = {GEMINI}, title = {{"Keeper" Magecart Group Infects 570 Sites}}, date = {2020-07-07}, url = {https://geminiadvisory.io/keeper-magecart-group-infects-570-sites/}, language = {English}, urldate = {2020-07-08} } @online{generale:20150413:analyzing:2a4956d, author = {CERT Societe Generale}, title = {{Analyzing Gootkit's persistence mechanism (new ASEP inside!)}}, date = {2015-04-13}, organization = {CERT Societe Generale}, url = {http://blog.cert.societegenerale.com/2015/04/analyzing-gootkits-persistence-mechanism.html}, language = {English}, urldate = {2020-01-13} } @online{genheimer:20190728:third:ede6ba2, author = {Marius Genheimer}, title = {{Third time's the charm? Analysing WannaCry samples}}, date = {2019-07-28}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/third-times-the-charm-analysing-wannacry-samples.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20190730:picking:cea78ea, author = {Marius Genheimer}, title = {{Picking Locky}}, date = {2019-07-30}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/picking-locky.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20190731:tfw:3fa5aba, author = {Marius Genheimer}, title = {{TFW Ransomware is only your side hustle...}}, date = {2019-07-31}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/tfw-ransomware-is-only-your-side-hustle.html}, language = {English}, urldate = {2020-01-10} } @online{genheimer:20190810:germanwipers:96d9745, author = {Marius Genheimer}, title = {{GermanWiper's big Brother? GandGrab's kid ? Sodinokibi!}}, date = {2019-08-10}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/germanwipers-big-brother-gandgrabs-kid-sodinokibi.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20190907:malicious:37195ec, author = {Marius Genheimer}, title = {{Malicious RATatouille}}, date = {2019-09-07}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/malicious-ratatouille.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20190924:return:f85ef19, author = {Marius Genheimer}, title = {{Return of the Mummy - Welcome back, Emotet}}, date = {2019-09-24}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/return-of-the-mummy-welcome-back-emotet.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20191002:nicht:20adbf8, author = {Marius Genheimer}, title = {{Nicht so goot - Breaking down Gootkit and Jasper (+ FTCODE)}}, date = {2019-10-02}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/nicht-so-goot-breaking-down-gootkit-and-jasper-ftcode.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20191026:earnquickbtcwithhiddentearmp4:b77f350, author = {Marius Genheimer}, title = {{Earn-quick-BTC-with-Hiddentear.mp4 / About Open Source Ransomware}}, date = {2019-10-26}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/earn-quick-btc-with-hiddentearmp4-about-open-source-ransomware.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20191029:osiris:55e249f, author = {Marius Genheimer}, title = {{Osiris, the god of afterlife...and banking malware?!}}, date = {2019-10-29}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/osiris-the-god-of-afterlifeand-banking-malware.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20191105:try:3aafee6, author = {Marius Genheimer}, title = {{Try not to stare - MedusaLocker at a glance}}, date = {2019-11-05}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/try-not-to-stare-medusalocker-at-a-glance.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20191119:quick:b7c4538, author = {Marius Genheimer}, title = {{Quick and painless - Reversing DeathRansom / "Wacatac"}}, date = {2019-11-19}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/quick-and-painless-reversing-deathransom-wacatac.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20191202:god:79aa57d, author = {Marius Genheimer}, title = {{God save the Queen [...] 'cause Ransom is money - SaveTheQueen Encryptor}}, date = {2019-12-02}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/god-save-the-queen-cause-ransom-is-money-savethequeen-encryptor.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20191211:projectexe:72f2c37, author = {Marius Genheimer}, title = {{A "Project.exe" that should have stayed in a drawer - MZRevenge / MaMo434376}}, date = {2019-12-11}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/a-projectexe-that-should-have-stayed-in-a-drawer-mzrevenge-mamo434376.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20191214:another:7c9c60a, author = {Marius Genheimer}, title = {{Another one for the collection - Mespinoza (Pysa) Ransomware}}, date = {2019-12-14}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/another-one-for-the-collection-mespinoza-pysa-ransomware.html}, language = {English}, urldate = {2020-01-26} } @online{genheimer:20191223:i:516e8d0, author = {Marius Genheimer}, title = {{I literally can't think of a fitting pun - MrDec Ransomware}}, date = {2019-12-23}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/i-literally-cant-think-of-a-fitting-pun-mrdec-ransomware.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20200102:nice:266b137, author = {Marius Genheimer}, title = {{"Nice decorating. Let me guess, Satan?" - Dot / MZP Ransomware}}, date = {2020-01-02}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/nice-decorating-let-me-guess-satan-dot-mzp-ransomware.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20200109:not:187b390, author = {Marius Genheimer}, title = {{Not so nice after all - Afrodita Ransomware}}, date = {2020-01-09}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/not-so-nice-after-all-afrodita-ransomware.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20200123:opposite:b471c6b, author = {Marius Genheimer}, title = {{The Opposite of Fileless Malware - NodeJS Ransomware}}, date = {2020-01-23}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/the-opposite-of-fileless-malware-nodejs-ransomware.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20200318:why:545326b, author = {Marius Genheimer}, title = {{Why would you even bother?! - JavaLocker}}, date = {2020-03-18}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/why-would-you-even-bother-javalocker.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20200320:jamba:9d5bb76, author = {Marius Genheimer}, title = {{Jamba Superdeal: Helo Sir, you want to buy mask? - Corona Safety Mask SMS Scam}}, date = {2020-03-20}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/jamba-superdeal-helo-sir-you-want-to-buy-mask-corona-safety-mask-sms-scam.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20200413:blame:b258b2b, author = {Marius Genheimer}, title = {{The Blame Game - About False Flags and overwritten MBRs}}, date = {2020-04-13}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/the-blame-game-about-false-flags-and-overwritten-mbrs.html}, language = {English}, urldate = {2020-04-15} } @online{genheimer:20200617:deicer:de78cca, author = {Marius Genheimer}, title = {{deICEr: A Go tool for extracting config from IcedID second stage Loaders}}, date = {2020-06-17}, organization = {Github (f0wl)}, url = {https://github.com/f0wl/deICEr}, language = {English}, urldate = {2020-06-18} } @online{georgiev:20191011:7:a4962f1, author = {Roman Georgiev}, title = {{За российскими дипломатами 7 лет следят с помощью шпионского ПО}}, date = {2019-10-11}, organization = {c news}, url = {https://safe.cnews.ru/news/top/2019-10-11_za_rossijskimi_diplomatami}, language = {Russian}, urldate = {2019-11-29} } @online{gheorghe:20160705:new:8f65d0c, author = {Alexandra Gheorghe}, title = {{New Backdoor Allows Full Access to Mac Systems, Bitdefender Warns}}, date = {2016-07-05}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2016/07/new-mac-backdoor-nukes-os-x-systems/}, language = {English}, urldate = {2020-01-08} } @online{giagone:20171120:cobalt:fb5c2ed, author = {Ronnie Giagone and Lenart Bermejo and Fyodor Yarochkin}, title = {{Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks}}, date = {2017-11-20}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/}, language = {English}, urldate = {2019-10-29} } @online{giang:20191104:nemty:6f237c6, author = {Nguyen Hoang Giang and Eduardo Altares and Muhammad Hasib Latif}, title = {{Nemty Ransomware Expands Its Reach, Also Delivered by Trik Botnet}}, date = {2019-11-04}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nemty-ransomware-trik-botnet}, language = {English}, urldate = {2020-06-02} } @online{giang:20200330:emotet:6034d14, author = {Nguyen Hoang Giang and Mingwei Zhang}, title = {{Emotet: Dangerous Malware Keeps on Evolving}}, date = {2020-03-30}, organization = {Symantec}, url = {https://medium.com/threat-intel/emotet-dangerous-malware-keeps-on-evolving-ac84aadbb8de}, language = {English}, urldate = {2020-04-01} } @online{gibb:20180410:icedid:f1a3ff2, author = {Ross Gibb and Daphne Galme and Michael Gorelik}, title = {{IcedID Banking Trojan Teams up with Ursnif/Dreambot for Distribution}}, date = {2018-04-10}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html}, language = {English}, urldate = {2019-12-17} } @online{gillespie:20160811:smrss32:0f85a72, author = {Michael Gillespie}, title = {{Smrss32 (.encrypted) Ransomware Help & Support - _HOW_TO_Decrypt.bmp}}, date = {2016-08-11}, organization = {BleepingComputer Forums}, url = {https://www.bleepingcomputer.com/forums/t/623132/smrss32-encrypted-ransomware-help-support-how-to-decryptbmp/}, language = {English}, urldate = {2019-07-09} } @online{gillespie:20180306:cryakl:4a313ab, author = {Michael Gillespie}, title = {{Tweet on Cryakl}}, date = {2018-03-06}, organization = {Twitter (@demonslay335)}, url = {https://twitter.com/demonslay335/status/971164798376468481}, language = {English}, urldate = {2020-01-07} } @online{gillespie:20181117:analyzing:7ff3264, author = {Michael Gillespie}, title = {{Analyzing Ransomware - Reversing Basic .NET Ransomware}}, date = {2018-11-17}, organization = {Youtube (Demonslay335)}, url = {https://www.youtube.com/watch?v=7gCU31ScJgk}, language = {English}, urldate = {2020-01-08} } @online{gillespie:20181117:analyzing:ecd5641, author = {Michael Gillespie}, title = {{Analyzing Ransomware - Beginner Static Analysis}}, date = {2018-11-17}, organization = {Youtube (Demonslay335)}, url = {https://www.youtube.com/watch?v=9nuo-AGg4p4}, language = {English}, urldate = {2020-02-27} } @online{giuliani:20110913:mebromi:2d33f8d, author = {Marco Giuliani}, title = {{Mebromi: the first BIOS rootkit in the wild}}, date = {2011-09-13}, organization = {Webroot}, url = {https://www.webroot.com//blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/}, language = {English}, urldate = {2020-01-08} } @online{global:20150917:dukes:5dc47f5, author = {F-Secure Global}, title = {{The Dukes: 7 Years Of Russian Cyber-Espionage}}, date = {2015-09-17}, organization = {F-Secure}, url = {https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/}, language = {English}, urldate = {2020-01-09} } @online{global:20171027:big:916374a, author = {F-Secure Global}, title = {{The big difference with Bad Rabbit}}, date = {2017-10-27}, organization = {F-Secure}, url = {https://labsblog.f-secure.com/2017/10/27/the-big-difference-with-bad-rabbit/}, language = {English}, urldate = {2020-01-07} } @online{global:20190328:analysis:8b788ab, author = {F-Secure Global}, title = {{Analysis of ShadowHammer ASUS Attack First Stage Payload}}, date = {2019-03-28}, organization = {F-Secure}, url = {https://countercept.com/blog/analysis-shadowhammer-asus-attack-first-stage-payload/}, language = {English}, urldate = {2020-01-08} } @online{glyer:20200325:this:0bc322f, author = {Christopher Glyer and Dan Perez and Sarah Jones and Steve Miller}, title = {{This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits}}, date = {2020-03-25}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html}, language = {English}, urldate = {2020-04-14} } @online{goet:20200110:hitchhikers:03fefe9, author = {Maarten Goet}, title = {{A hitchhikers guide to the cybersecurity galaxy}}, date = {2020-01-10}, organization = {Youtube (Azure Thursday)}, url = {https://www.youtube.com/watch?v=fBFm2fiEPTg}, language = {English}, urldate = {2020-06-16} } @online{golak:20190625:icedid:0a3e153, author = {Dawid Golak}, title = {{IcedID aka #Bokbot Analysis with Ghidra}}, date = {2019-06-25}, url = {https://medium.com/@dawid.golak/icedid-aka-bokbot-analysis-with-ghidra-560e3eccb766}, language = {English}, urldate = {2019-12-02} } @online{gold:20140122:iran:b9a3b8e, author = {Steve Gold}, title = {{Iran and Russia blamed for state-sponsored espionage}}, date = {2014-01-22}, organization = {SC Magazine}, url = {https://web.archive.org/web/20140129192702/https://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/}, language = {English}, urldate = {2020-06-08} } @techreport{goldberg:201509:variant:0121be8, author = {Yakov Goldberg and Maayan Fishelov}, title = {{A Variant of the Network Worm Win32 Allaple has been Spotted in the Wild}}, date = {2015-09}, institution = {Trapx Security}, url = {https://trapx.com/wp-content/uploads/2017/08/White_Paper_TrapX_AllapleWorm.pdf}, language = {English}, urldate = {2019-11-16} } @online{goldberg:20180606:operation:64e4fac, author = {Daniel Goldberg and Ofri Ziv and Mor Matal}, title = {{Operation Prowli: Monetizing 40,000 Victim Machines}}, date = {2018-06-06}, organization = {Guardicore}, url = {https://www.guardicore.com/2018/06/operation-prowli-traffic-manipulation-cryptocurrency-mining/}, language = {English}, urldate = {2019-10-14} } @online{goldencrown:20040415:mydoom:38c5e17, author = {Matt Goldencrown}, title = {{MyDoom is Your Doom: An Analysis of the MyDoom Virus}}, date = {2004-04-15}, organization = {SANS GIAC}, url = {https://www.giac.org/paper/gcih/568/mydoom-dom-anlysis-mydoom-virus/106069}, language = {English}, urldate = {2019-11-26} } @online{goliate:20150818:ransomware:be29cd4, author = {goliate}, title = {{ransomware open-sources}}, date = {2015-08-18}, organization = {Github (goliate)}, url = {https://github.com/goliate/hidden-tear}, language = {English}, urldate = {2020-01-13} } @online{golovanov:20170404:atmitch:1ed35bc, author = {Sergey Golovanov}, title = {{ATMitch: remote administration of ATMs}}, date = {2017-04-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/sas/77918/atmitch-remote-administration-of-atms/}, language = {English}, urldate = {2019-12-20} } @online{golovin:20200706:pig:c3a73df, author = {Igor Golovin and Anton Kivva}, title = {{Pig in a poke: smartphone adware}}, date = {2020-07-06}, organization = {Kaspersky Labs}, url = {https://securelist.com/pig-in-a-poke-smartphone-adware/97607/}, language = {English}, urldate = {2020-07-08} } @online{gomez:20130207:ladyboyle:5927b00, author = {J. Gomez and Thoufique Haq}, title = {{LadyBoyle Comes to Town with a New Exploit}}, date = {2013-02-07}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html}, language = {English}, urldate = {2019-12-20} } @online{goodin:20110914:malware:c1e8db0, author = {Dan Goodin}, title = {{Malware burrows deep into computer BIOS to escape AV}}, date = {2011-09-14}, organization = {The Register}, url = {http://www.theregister.co.uk/2011/09/14/bios_rootkit_discovered/}, language = {English}, urldate = {2020-01-06} } @online{goodin:20150216:how:4e36cde, author = {Dan Goodin}, title = {{How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last}}, date = {2015-02-16}, organization = {Ars Technica}, url = {https://arstechnica.com/information-technology/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/}, language = {English}, urldate = {2019-12-06} } @online{goodin:20150415:elite:eaaea2d, author = {Dan Goodin}, title = {{Elite cyber crime group strikes back after attack by rival APT gang}}, date = {2015-04-15}, organization = {Ars Technica}, url = {http://arstechnica.com/security/2015/04/elite-cyber-crime-group-strikes-back-after-attack-by-rival-apt-gang/}, language = {English}, urldate = {2019-11-29} } @online{goodin:20170118:newly:2b58256, author = {Dan Goodin}, title = {{Newly discovered Mac malware found in the wild also works well on Linux}}, date = {2017-01-18}, organization = {Ars Technica}, url = {https://arstechnica.com/security/2017/01/newly-discovered-mac-malware-may-have-circulated-in-the-wild-for-2-years/}, language = {English}, urldate = {2020-01-13} } @online{goodin:20170725:perverse:998aed8, author = {Dan Goodin}, title = {{“Perverse” malware infecting hundreds of Macs remained undetected for years}}, date = {2017-07-25}, organization = {Ars Technica}, url = {https://arstechnica.com/security/2017/07/perverse-malware-infecting-hundreds-of-macs-remained-undetected-for-years/}, language = {English}, urldate = {2020-01-13} } @online{goodin:20180418:tens:ad8fd3a, author = {Dan Goodin}, title = {{Tens of thousands of Facebook accounts compromised in days by malware}}, date = {2018-04-18}, organization = {Ars Technica}, url = {https://arstechnica.com/information-technology/2018/04/tens-of-thousands-of-facebook-accounts-compromised-in-days-by-malware/}, language = {English}, urldate = {2019-11-23} } @online{goodin:20190606:google:f1f32d4, author = {Dan Goodin}, title = {{Google confirms that advanced backdoor came preinstalled on Android devices}}, date = {2019-06-06}, organization = {Ars Technica}, url = {https://arstechnica.com/information-technology/2019/06/google-confirms-2017-supply-chain-attack-that-sneaked-backdoor-on-android-devices/}, language = {English}, urldate = {2020-01-13} } @online{goody:20190111:nasty:3c872d4, author = {Kimberly Goody and Jeremy Kennelly and Jaideep Natu and Christopher Glyer}, title = {{A Nasty Trick: From Credential Theft Malware to Business Disruption}}, date = {2019-01-11}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html}, language = {English}, urldate = {2019-12-20} } @online{goody:20200507:navigating:7147cb7, author = {Kimberly Goody and Jeremy Kennelly and Joshua Shilko}, title = {{Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents}}, date = {2020-05-07}, organization = {FireEye Inc}, url = {https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html}, language = {English}, urldate = {2020-05-11} } @online{goody:20200521:navigating:a2eae5f, author = {Kimberly Goody and Jeremy Kennelly}, title = {{Navigating MAZE: Analysis of a Rising Ransomware Threat}}, date = {2020-05-21}, organization = {BrightTALK (FireEye)}, url = {https://www.brighttalk.com/webcast/7451/408167/navigating-maze-analysis-of-a-rising-ransomware-threat}, language = {English}, urldate = {2020-06-05} } @online{gorelik:20170427:iranian:4ab7f08, author = {Michael Gorelik}, title = {{Iranian Fileless Attack Infiltrates Israeli Organizations}}, date = {2017-04-27}, organization = {Morphisec}, url = {https://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability}, language = {English}, urldate = {2020-07-30} } @online{gorelik:20170427:iranian:827f6f3, author = {Michael Gorelik}, title = {{Iranian Fileless Attack Infiltrates Israeli Organizations}}, date = {2017-04-27}, organization = {Morphisec}, url = {http://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability}, language = {English}, urldate = {2019-12-04} } @online{gorelik:20170609:fin7:3b251c4, author = {Michael Gorelik}, title = {{FIN7 Takes Another Bite at the Restaurant Industry}}, date = {2017-06-09}, organization = {Morphisec}, url = {http://blog.morphisec.com/fin7-attacks-restaurant-industry}, language = {English}, urldate = {2019-12-04} } @online{gorelik:20170918:morphisec:501cc93, author = {Michael Gorelik}, title = {{Morphisec Discovers CCleaner Backdoor Saving Millions of Avast Users}}, date = {2017-09-18}, organization = {Morphisec}, url = {http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor}, language = {English}, urldate = {2020-01-08} } @online{gorelik:20171013:fin7:d52a75d, author = {Michael Gorelik}, title = {{FIN7 Dissected: Hackers Accelerate Pace of Innovation}}, date = {2017-10-13}, organization = {Morphisec}, url = {http://blog.morphisec.com/fin7-attack-modifications-revealed}, language = {English}, urldate = {2019-11-29} } @online{gorelik:20181008:cobalt:dece0e0, author = {Michael Gorelik}, title = {{Cobalt Group 2.0}}, date = {2018-10-08}, organization = {Morphisec}, url = {https://blog.morphisec.com/cobalt-gang-2.0}, language = {English}, urldate = {2020-01-05} } @online{gorelik:20181121:fin7:02ad475, author = {Michael Gorelik}, title = {{FIN7 Not Finished – Morphisec Spots New Campaign}}, date = {2018-11-21}, organization = {mor}, url = {http://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign}, language = {English}, urldate = {2020-01-08} } @online{gorelik:20190227:new:5296a0b, author = {Michael Gorelik and Alon Groisman}, title = {{New Global Cyber Attack on Point of Sale Sytem}}, date = {2019-02-27}, organization = {Morphisec}, url = {http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems}, language = {English}, urldate = {2020-01-09} } @online{gorelik:20200228:trickbot:678683b, author = {Michael Gorelik}, title = {{Trickbot Delivery Method Gets a New Upgrade Focusing on Windows 10}}, date = {2020-02-28}, organization = {Morphisec}, url = {https://blog.morphisec.com/trickbot-delivery-method-gets-a-new-upgrade-focusing-on-windows}, language = {English}, urldate = {2020-03-03} } @online{gorelik:20200616:crystalbit:1906ecc, author = {Michael Gorelik}, title = {{CrystalBit / Apple Double DLL Hijack -- From fraudulent software bundle downloads to an evasive miner raging campaign}}, date = {2020-06-16}, organization = {Morphisec}, url = {https://blog.morphisec.com/crystalbit-apple-double-dll-hijack}, language = {English}, urldate = {2020-06-16} } @online{gostev:20120528:flame:4aa29b8, author = {Alexander Gostev}, title = {{The Flame: Questions and Answers}}, date = {2012-05-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-flame-questions-and-answers-51/34344/}, language = {English}, urldate = {2020-01-06} } @online{gostev:20140312:agentbtz:8f1988f, author = {Alexander Gostev}, title = {{Agent.btz: a Source of Inspiration?}}, date = {2014-03-12}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/virus-watch/58551/agent-btz-a-source-of-inspiration/}, language = {English}, urldate = {2019-12-20} } @online{gottesman:20151006:moker:1b8240a, author = {Yotam Gottesman}, title = {{MOKER, PART 1: DISSECTING A NEW APT UNDER THE MICROSCOPE}}, date = {2015-10-06}, organization = {enSilo}, url = {https://breakingmalware.com/malware/moker-part-1-dissecting-a-new-apt-under-the-microscope/}, language = {English}, urldate = {2020-01-07} } @online{gottesman:20151006:moker:ed878d9, author = {Yotam Gottesman}, title = {{MOKER: A NEW APT DISCOVERED WITHIN A SENSITIVE NETWORK}}, date = {2015-10-06}, organization = {enSilo}, url = {http://blog.ensilo.com/moker-a-new-apt-discovered-within-a-sensitive-network}, language = {English}, urldate = {2019-07-09} } @online{gottesman:20151008:moker:4a42451, author = {Yotam Gottesman}, title = {{MOKER, PART 2: CAPABILITIES}}, date = {2015-10-08}, organization = {enSilo}, url = {https://breakingmalware.com/malware/moker-part-2-capabilities/}, language = {English}, urldate = {2020-01-08} } @online{govcertch:20150911:analysing:e00b8ce, author = {GovCERT.ch}, title = {{Analysing a new eBanking Trojan called Fobber}}, date = {2015-09-11}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/12/analysing-a-new-ebanking-trojan-called-fobber}, language = {English}, urldate = {2019-11-29} } @techreport{govcertch:20150911:fobber:a23b812, author = {GovCERT.ch}, title = {{Fobber Analysis}}, date = {2015-09-11}, institution = {GovCERT.ch}, url = {http://www.govcert.admin.ch/downloads/whitepapers/govcertch_fobber_analysis.pdf}, language = {English}, urldate = {2019-12-17} } @techreport{govcertch:20160523:case:b6612e9, author = {GovCERT.ch}, title = {{APT Case RUAG - Technical Report}}, date = {2016-05-23}, institution = {MELANI GovCERT}, url = {https://www.melani.admin.ch/dam/melani/de/dokumente/2016/technical%20report%20ruag.pdf.download.pdf/Report_Ruag-Espionage-Case.pdf}, language = {English}, urldate = {2019-12-17} } @online{govcertch:20170130:sage:022d593, author = {GovCERT.ch}, title = {{Sage 2.0 comes with IP Generation Algorithm (IPGA)}}, date = {2017-01-30}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/27/saga-2.0-comes-with-ip-generation-algorithm-ipga}, language = {English}, urldate = {2019-11-29} } @online{govcertch:20170803:retefe:07f6df3, author = {GovCERT.ch}, title = {{The Retefe Saga}}, date = {2017-08-03}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/33/the-retefe-saga}, language = {English}, urldate = {2020-01-13} } @online{govcertch:20181108:reversing:87c494c, author = {GovCERT.ch}, title = {{Reversing Retefe}}, date = {2018-11-08}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/35/reversing-retefe}, language = {English}, urldate = {2019-11-21} } @online{govcertch:20190509:severe:2767782, author = {GovCERT.ch}, title = {{Severe Ransomware Attacks Against Swiss SMEs}}, date = {2019-05-09}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes}, language = {English}, urldate = {2019-07-11} } @online{govcertch:20190514:rise:8fd8ef4, author = {GovCERT.ch}, title = {{The Rise of Dridex and the Role of ESPs}}, date = {2019-05-14}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/28/the-rise-of-dridex-and-the-role-of-esps}, language = {English}, urldate = {2020-01-09} } @online{govcertch:20190925:trickbot:8346dd7, author = {GovCERT.ch}, title = {{Trickbot - An analysis of data collected from the botnet}}, date = {2019-09-25}, organization = {GovCERT.ch}, url = {https://www.govcert.ch/blog/37/trickbot-an-analysis-of-data-collected-from-the-botnet}, language = {English}, urldate = {2020-01-08} } @online{govcertch:20200220:analysis:18301ef, author = {GovCERT.ch}, title = {{Analysis of an Unusual HawkEye Sample}}, date = {2020-02-20}, organization = {GovCERT.ch}, url = {https://www.govcert.ch/blog/analysis-of-an-unusual-hawkeye-sample/}, language = {English}, urldate = {2020-02-20} } @online{graff:20170321:inside:dc89cf2, author = {Garrett M. Graff}, title = {{Inside the Hunt for Russia's Most Notorious Hacker}}, date = {2017-03-21}, organization = {Wired}, url = {https://www.wired.com/?p=2171700}, language = {English}, urldate = {2020-01-13} } @online{graff:20171104:how:7a25415, author = {Garrett M. Graff}, title = {{How the FBI Took Down Russia's Spam King—And His Massive Botnet}}, date = {2017-11-04}, organization = {Wired}, url = {https://www.wired.com/2017/04/fbi-took-russias-spam-king-massive-botnet/}, language = {English}, urldate = {2019-12-03} } @online{graham:20161229:some:111da12, author = {Robert Graham}, title = {{Some notes on IoCs}}, date = {2016-12-29}, organization = {Errata Security}, url = {https://blog.erratasec.com/2016/12/some-notes-on-iocs.html}, language = {English}, urldate = {2020-01-06} } @online{graham:20170629:nonpetya:c470dd8, author = {Robert Graham}, title = {{NonPetya: no evidence it was a "smokescreen"}}, date = {2017-06-29}, url = {http://blog.erratasec.com/2017/06/nonpetya-no-evidence-it-was-smokescreen.html}, language = {English}, urldate = {2020-01-07} } @online{grange:20141209:blue:63864e2, author = {Waylon Grange}, title = {{Blue Coat Exposes “The Inception Framework”; Very Sophisticated, Layered Malware Attack Targeted at Military, Diplomats, and Bus}}, date = {2014-12-09}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/blue-coat-exposes-inception-framework-very-sophisticated-layered-malware-attack-targeted-milit}, language = {English}, urldate = {2019-12-20} } @online{grange:20170418:hajime:b2ed231, author = {Waylon Grange}, title = {{Hajime worm battles Mirai for control of the Internet of Things}}, date = {2017-04-18}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things}, language = {English}, urldate = {2019-12-06} } @online{grange:20200713:anchordns:d83e6f5, author = {Waylon Grange}, title = {{Anchor_dns malware goes cross platform}}, date = {2020-07-13}, organization = {Stage 2 Security}, url = {https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30}, language = {English}, urldate = {2020-07-16} } @online{graziano:20170130:eyepyramid:a15d7c0, author = {Mariano Graziano and Paul Rascagnères}, title = {{EyePyramid: An Archaeological Journey}}, date = {2017-01-30}, organization = {Cisco}, url = {http://blog.talosintel.com/2017/01/Eye-Pyramid.html}, language = {English}, urldate = {2019-11-22} } @online{great:20120717:madi:ddf85da, author = {GReAT}, title = {{The Madi Campaign – Part I}}, date = {2012-07-17}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-madi-campaign-part-i-5/33693/}, language = {English}, urldate = {2019-12-20} } @online{great:20120726:madi:d4f911e, author = {GReAT}, title = {{The Madi Campaign – Part II}}, date = {2012-07-26}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-madi-campaign-part-ii-53/33701/}, language = {English}, urldate = {2019-12-20} } @online{great:20120816:shamoon:143efb8, author = {GReAT}, title = {{Shamoon the Wiper – Copycats at Work}}, date = {2012-08-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/shamoon-the-wiper-copycats-at-work/}, language = {English}, urldate = {2019-12-20} } @online{great:20130114:red:ac55753, author = {GReAT}, title = {{"Red October" Diplomatic Cyber Attacks Investigation}}, date = {2013-01-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740/}, language = {English}, urldate = {2020-04-06} } @techreport{great:20130320:teamspy:10e8000, author = {GReAT}, title = {{The ‘TeamSpy’ Story -Abusing TeamViewer in Cyberespionage Campaigns}}, date = {2013-03-20}, institution = {Kaspersky Labs}, url = {https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20134928/theteamspystory_final_t2.pdf}, language = {English}, urldate = {2020-01-08} } @online{great:20130320:teamspy:2e6f353, author = {GReAT}, title = {{The TeamSpy Crew Attacks – Abusing TeamViewer for Cyberespionage}}, date = {2013-03-20}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/}, language = {English}, urldate = {2019-12-20} } @online{great:20130411:winnti:b1c0d83, author = {GReAT}, title = {{Winnti. More than just a game}}, date = {2013-04-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/winnti-more-than-just-a-game/37029/}, language = {English}, urldate = {2019-12-20} } @online{great:20130411:winnti:f53a759, author = {GReAT}, title = {{Winnti FAQ. More Than Just a Game}}, date = {2013-04-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/winnti-faq-more-than-just-a-game/57585/}, language = {English}, urldate = {2019-12-20} } @techreport{great:201304:winnti:c8e6f40, author = {GReAT}, title = {{Winnti - More than just a game}}, date = {2013-04}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf}, language = {English}, urldate = {2019-07-11} } @online{great:20130604:kaspersky:070481d, author = {GReAT}, title = {{Kaspersky Lab Uncovers ‘Operation NetTraveler,’ a Global Cyberespionage Campaign Targeting Government-Affiliated Organizations and Research Institutes}}, date = {2013-06-04}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/about/press-releases/2013_kaspersky-lab-uncovers--operation-nettraveler--a-global-cyberespionage-campaign-targeting-government-affiliated-organizations-and-research-institutes}, language = {English}, urldate = {2020-01-13} } @online{great:20130604:nettraveler:a9ac0f1, author = {GReAT}, title = {{“NetTraveler is Running!” – Red Star APT Attacks Compromise High-Profile Victims}}, date = {2013-06-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/35936/nettraveler-is-running-red-star-apt-attacks-compromise-high-profile-victims/}, language = {English}, urldate = {2019-12-20} } @online{great:20130925:icefog:7f2dd2b, author = {GReAT}, title = {{The Icefog APT: A Tale of Cloak and Three Daggers}}, date = {2013-09-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-icefog-apt-a-tale-of-cloak-and-three-daggers/57331/}, language = {English}, urldate = {2019-12-20} } @online{great:20140210:caretomask:1aa235f, author = {GReAT}, title = {{The Careto/Mask APT: Frequently Asked Questions}}, date = {2014-02-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-caretomask-apt-frequently-asked-questions/58254/}, language = {English}, urldate = {2019-12-20} } @online{great:20140807:epic:ba080b6, author = {GReAT}, title = {{The Epic Turla Operation}}, date = {2014-08-07}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-epic-turla-operation/65545/}, language = {English}, urldate = {2019-12-20} } @online{great:20140807:epic:f8b0803, author = {GReAT}, title = {{The Epic Turla Operation}}, date = {2014-08-07}, organization = {Kaspersky Labs}, url = {https://securelist.com/analysis/publications/65545/the-epic-turla-operation/}, language = {English}, urldate = {2019-12-20} } @online{great:20140820:el:c4534ec, author = {GReAT}, title = {{“El Machete”}}, date = {2014-08-20}, organization = {Kaspersky Labs}, url = {https://securelist.com/el-machete/66108/}, language = {English}, urldate = {2019-12-20} } @online{great:20141110:darkhotel:19e4934, author = {GReAT}, title = {{The Darkhotel APT}}, date = {2014-11-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-darkhotel-apt/66779/}, language = {English}, urldate = {2019-12-20} } @online{great:20141110:darkhotel:b1f9560, author = {GReAT}, title = {{The Darkhotel APT}}, date = {2014-11-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/66779/the-darkhotel-apt/}, language = {English}, urldate = {2019-12-20} } @online{great:20141210:cloud:ccb4794, author = {GReAT}, title = {{Cloud Atlas: RedOctober APT is back in style}}, date = {2014-12-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/}, language = {English}, urldate = {2019-12-20} } @online{great:20150216:equation:7b95c72, author = {GReAT}, title = {{Equation: The Death Star of Malware Galaxy}}, date = {2015-02-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/#_1}, language = {English}, urldate = {2019-12-20} } @online{great:20150216:equation:ad81ead, author = {GReAT}, title = {{Equation: The Death Star of Malware Galaxy}}, date = {2015-02-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/}, language = {English}, urldate = {2019-12-20} } @online{great:201502:carbanak:1b262fc, author = {GReAT}, title = {{Carbanak APT: The Great Bank Robbery}}, date = {2015-02}, organization = {Kaspersky SAS}, url = {https://app.box.com/s/p7qzcury97tuwk26694uutujwqmwqyhe}, language = {English}, urldate = {2020-05-18} } @techreport{great:201502:carbanak:22f5e49, author = {GReAT}, title = {{CARBANAK APTTHE GREAT BANK ROBBERY}}, date = {2015-02}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf}, language = {English}, urldate = {2020-01-06} } @techreport{great:201502:desert:0826d08, author = {GReAT}, title = {{The Desert Falcons Targeted Attacks}}, date = {2015-02}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064309/The-Desert-Falcons-targeted-attacks.pdf}, language = {English}, urldate = {2020-04-06} } @online{great:20150306:animals:f15e26a, author = {GReAT}, title = {{Animals in the APT Farm}}, date = {2015-03-06}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/69114/animals-in-the-apt-farm/}, language = {English}, urldate = {2019-12-20} } @online{great:20150311:inside:28cec3e, author = {GReAT}, title = {{Inside the EquationDrug Espionage Platform}}, date = {2015-03-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/inside-the-equationdrug-espionage-platform/69203/}, language = {English}, urldate = {2019-12-20} } @online{great:20150610:mystery:c1ef5c2, author = {GReAT}, title = {{The Mystery of Duqu 2.0: a sophisticated cyberespionage actor returns}}, date = {2015-06-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/}, language = {English}, urldate = {2020-03-09} } @online{great:20150708:wild:4e853a7, author = {GReAT}, title = {{Wild Neutron – Economic espionage threat actor returns with new tricks}}, date = {2015-07-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/}, language = {English}, urldate = {2019-12-20} } @online{great:20150708:wild:ee7c858, author = {GReAT}, title = {{Wild Neutron – Economic espionage threat actor returns with new tricks}}, date = {2015-07-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/}, language = {English}, urldate = {2019-12-20} } @online{great:20150810:darkhotels:3c831d5, author = {GReAT}, title = {{Darkhotel’s attacks in 2015}}, date = {2015-08-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/}, language = {English}, urldate = {2019-12-20} } @online{great:20151204:sofacy:636eab4, author = {GReAT}, title = {{Sofacy APT hits high profile targets with updated toolset}}, date = {2015-12-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/}, language = {English}, urldate = {2019-12-20} } @online{great:20151204:sofacy:664b5a8, author = {GReAT}, title = {{Sofacy APT hits high profile targets with updated toolset}}, date = {2015-12-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/}, language = {English}, urldate = {2019-12-20} } @online{great:20160128:blackenergy:3c2a914, author = {GReAT}, title = {{BlackEnergy APT Attacks in Ukraine employ spearphishing with Word documents}}, date = {2016-01-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/}, language = {English}, urldate = {2019-12-20} } @online{great:20160208:aptstyle:5b3a24e, author = {GReAT and Computer Incidents Investigation Department}, title = {{APT-style bank robberies increase with Metel, GCMAN and Carbanak 2.0 attacks}}, date = {2016-02-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/73638/}, language = {English}, urldate = {2019-12-20} } @online{great:20160209:poseidon:61725f7, author = {GReAT}, title = {{Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage}}, date = {2016-02-09}, organization = {Kaspersky Labs}, url = {https://securelist.com/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/73673/}, language = {English}, urldate = {2019-12-20} } @online{great:20160427:freezer:13a8a66, author = {GReAT}, title = {{Freezer Paper around Free Meat (Repackaging Open Source BeEF for Tracking and More)}}, date = {2016-04-27}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/software/74503/freezer-paper-around-free-meat/}, language = {English}, urldate = {2019-10-18} } @online{great:20160427:freezer:bec7033, author = {GReAT}, title = {{Freezer Paper around Free Meat}}, date = {2016-04-27}, organization = {Kaspersky Labs}, url = {https://securelist.com/freezer-paper-around-free-meat/74503/}, language = {English}, urldate = {2019-12-20} } @online{great:20160517:atm:f05ffb9, author = {GReAT and Olga Kochetova and Alexey Osipov}, title = {{ATM infector}}, date = {2016-05-17}, organization = {Kaspersky Labs}, url = {https://securelist.com/atm-infector/74772/}, language = {English}, urldate = {2019-12-20} } @online{great:20160525:cve20152545:7006bff, author = {GReAT}, title = {{CVE-2015-2545: overview of current threats}}, date = {2016-05-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/}, language = {English}, urldate = {2019-12-20} } @online{great:20160708:dropping:273c1df, author = {GReAT}, title = {{The Dropping Elephant – aggressive cyber-espionage in the Asian region}}, date = {2016-07-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-dropping-elephant-actor/75328/}, language = {English}, urldate = {2019-12-20} } @online{great:20160808:projectsauron:503a441, author = {GReAT}, title = {{ProjectSauron: top level cyber-espionage platform covertly extracts encrypted government comms}}, date = {2016-08-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/}, language = {English}, urldate = {2019-12-20} } @techreport{great:20160909:projectsauron:9114f84, author = {GReAT}, title = {{THE PROJECTSAURON APT}}, date = {2016-09-09}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07190154/The-ProjectSauron-APT_research_KL.pdf}, language = {English}, urldate = {2019-11-02} } @online{great:20160929:teamxrat:880e95a, author = {GReAT and Anton Ivanov and Fedor Sinitsyn}, title = {{TeamXRat: Brazilian cybercrime meets ransomware}}, date = {2016-09-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/}, language = {English}, urldate = {2019-12-20} } @online{great:20170112:eyepyramid:18aa9df, author = {GReAT}, title = {{The “EyePyramid” attacks}}, date = {2017-01-12}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/}, language = {English}, urldate = {2019-12-20} } @online{great:20170221:newish:1c13271, author = {GReAT}, title = {{New(ish) Mirai Spreader Poses New Risks}}, date = {2017-02-21}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/77621/newish-mirai-spreader-poses-new-risks/}, language = {English}, urldate = {2019-12-20} } @techreport{great:20170307:from:3af6ed0, author = {GReAT}, title = {{FROM SHAMOON TO STONEDRILL: Wipers attacking Saudi organizations and beyond}}, date = {2017-03-07}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf}, language = {English}, urldate = {2020-01-15} } @online{great:20170403:lazarus:033fcf7, author = {GReAT}, title = {{Lazarus under the Hood}}, date = {2017-04-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/lazarus-under-the-hood/77908/}, language = {English}, urldate = {2019-12-20} } @online{great:20170403:lazarus:689432c, author = {GReAT}, title = {{Lazarus under the Hood}}, date = {2017-04-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/sas/77908/lazarus-under-the-hood/}, language = {English}, urldate = {2019-12-20} } @online{great:20170411:unraveling:8be3efd, author = {GReAT}, title = {{Unraveling the Lamberts Toolkit}}, date = {2017-04-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/}, language = {English}, urldate = {2019-12-20} } @online{great:20170512:wannacry:b24b188, author = {GReAT}, title = {{WannaCry ransomware used in widespread attacks all over the world}}, date = {2017-05-12}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/}, language = {English}, urldate = {2019-12-20} } @online{great:20170627:schroedingers:43c7e28, author = {GReAT}, title = {{Schroedinger’s Pet(ya)}}, date = {2017-06-27}, organization = {Kaspersky Labs}, url = {https://securelist.com/schroedingers-petya/78870/}, language = {English}, urldate = {2019-12-20} } @online{great:20170630:from:d91b457, author = {GReAT}, title = {{From BlackEnergy to ExPetr}}, date = {2017-06-30}, organization = {Kaspersky Labs}, url = {https://securelist.com/from-blackenergy-to-expetr/78937/}, language = {English}, urldate = {2019-12-20} } @online{great:20170815:shadowpad:3d5b9a0, author = {GReAT}, title = {{ShadowPad in corporate networks}}, date = {2017-08-15}, organization = {Kaspersky Labs}, url = {https://securelist.com/shadowpad-in-corporate-networks/81432/}, language = {English}, urldate = {2019-12-20} } @online{great:20170830:introducing:80a9653, author = {GReAT}, title = {{Introducing WhiteBear}}, date = {2017-08-30}, organization = {Kaspersky Labs}, url = {https://securelist.com/introducing-whitebear/81638/}, language = {English}, urldate = {2019-12-20} } @online{great:20171016:blackoasis:b447418, author = {GReAT}, title = {{BlackOasis APT and new targeted attacks leveraging zero-day exploit}}, date = {2017-10-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/}, language = {English}, urldate = {2019-12-20} } @online{great:20171101:silence:b22eae0, author = {GReAT}, title = {{Silence – a new Trojan attacking financial organizations}}, date = {2017-11-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-silence/83009/}, language = {English}, urldate = {2019-12-20} } @online{great:20180220:slice:0f910f7, author = {GReAT}, title = {{A Slice of 2017 Sofacy Activity}}, date = {2018-02-20}, organization = {Kaspersky Labs}, url = {https://securelist.com/a-slice-of-2017-sofacy-activity/83930/}, language = {English}, urldate = {2019-12-20} } @online{great:20180308:devils:3373375, author = {GReAT}, title = {{The devil’s in the Rich header}}, date = {2018-03-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-devils-in-the-rich-header/84348/}, language = {English}, urldate = {2019-12-20} } @online{great:20180308:olympicdestroyer:79780c9, author = {GReAT}, title = {{OlympicDestroyer is here to trick the industry}}, date = {2018-03-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/}, language = {English}, urldate = {2019-12-20} } @techreport{great:201803:icefog:2e293e6, author = {GReAT}, title = {{The 'Icefog' APT: A Tale of Cloak and Three Daggers}}, date = {2018-03}, institution = {Kaspersky Labs}, url = {https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20133739/icefog.pdf}, language = {English}, urldate = {2020-01-13} } @online{great:20180412:operation:fdc83bc, author = {GReAT}, title = {{Operation Parliament, who is doing what?}}, date = {2018-04-12}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-parliament-who-is-doing-what/85237/}, language = {English}, urldate = {2019-12-20} } @online{great:20180412:trends:babf7f6, author = {GReAT}, title = {{APT Trends report Q1 2018}}, date = {2018-04-12}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q1-2018/85280/}, language = {English}, urldate = {2020-01-08} } @online{great:20180524:vpnfilter:cb1c89f, author = {GReAT}, title = {{VPNFilter EXIF to C2 mechanism analysed}}, date = {2018-05-24}, organization = {Kaspersky Labs}, url = {https://securelist.com/vpnfilter-exif-to-c2-mechanism-analysed/85721/}, language = {English}, urldate = {2019-12-20} } @online{great:20180619:hades:99ff28a, author = {GReAT}, title = {{Hades, the actor behind Olympic Destroyer is still alive}}, date = {2018-06-19}, organization = {Kaspersky Labs}, url = {https://securelist.com/olympic-destroyer-is-still-alive/86169/}, language = {English}, urldate = {2019-12-20} } @online{great:20180710:trends:4651c7b, author = {GReAT}, title = {{APT Trends Report Q2 2018}}, date = {2018-07-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2018/86487/}, language = {English}, urldate = {2019-12-20} } @online{great:20180821:dark:430988e, author = {GReAT}, title = {{Dark Tequila Añejo}}, date = {2018-08-21}, organization = {Kaspersky Labs}, url = {https://securelist.com/dark-tequila-anejo/87528/}, language = {English}, urldate = {2019-12-20} } @online{great:20180823:operation:c1011d3, author = {GReAT}, title = {{Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware}}, date = {2018-08-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-applejeus/87553/}, language = {English}, urldate = {2019-12-20} } @online{great:20180910:luckymouse:e309805, author = {GReAT}, title = {{LuckyMouse signs malicious NDISProxy driver with certificate of Chinese IT company}}, date = {2018-09-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/luckymouse-ndisproxy-driver/87914/}, language = {English}, urldate = {2019-12-20} } @online{great:20181004:shedding:5f22310, author = {GReAT}, title = {{Shedding Skin – Turla’s Fresh Faces}}, date = {2018-10-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/shedding-skin-turlas-fresh-faces/88069/}, language = {English}, urldate = {2020-02-27} } @online{great:20181010:muddywater:12992b3, author = {GReAT}, title = {{MuddyWater expands operations}}, date = {2018-10-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/muddywater/88059/}, language = {English}, urldate = {2019-12-20} } @online{great:20181015:octopusinfested:1f464bf, author = {GReAT}, title = {{Octopus-infested seas of Central Asia}}, date = {2018-10-15}, organization = {Kaspersky Labs}, url = {https://securelist.com/octopus-infested-seas-of-central-asia/88200/}, language = {English}, urldate = {2019-12-20} } @online{great:20190111:zebrocy:671fed1, author = {GReAT}, title = {{A Zebrocy Go Downloader}}, date = {2019-01-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/a-zebrocy-go-downloader/89419/}, language = {English}, urldate = {2019-12-20} } @online{great:20190311:predatory:63ab818, author = {GReAT}, title = {{A predatory tale: Who’s afraid of the thief?}}, date = {2019-03-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/a-predatory-tale/89779}, language = {English}, urldate = {2019-12-20} } @online{great:20190325:operation:c4bf341, author = {GReAT and AMR}, title = {{Operation ShadowHammer}}, date = {2019-03-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-shadowhammer/89992/}, language = {English}, urldate = {2019-12-20} } @online{great:20190326:cryptocurrency:c95b701, author = {GReAT}, title = {{Cryptocurrency businesses still being targeted by Lazarus}}, date = {2019-03-26}, organization = {Kaspersky Labs}, url = {https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/}, language = {English}, urldate = {2019-12-20} } @online{great:20190328:return:be8d0b5, author = {GReAT}, title = {{The return of the BOM}}, date = {2019-03-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-return-of-the-bom/90065/}, language = {English}, urldate = {2019-12-20} } @online{great:20190423:operation:20b8f83, author = {GReAT and AMR}, title = {{Operation ShadowHammer: a high-profile supply chain attack}}, date = {2019-04-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/}, language = {English}, urldate = {2019-12-20} } @online{great:20190513:scarcruft:eb8bb1c, author = {GReAT}, title = {{ScarCruft continues to evolve, introduces Bluetooth harvester}}, date = {2019-05-13}, organization = {Kaspersky Labs}, url = {https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/}, language = {English}, urldate = {2019-12-20} } @online{great:20190603:zebrocys:25be7a9, author = {GReAT}, title = {{Zebrocy’s Multilanguage Malware Salad}}, date = {2019-06-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/zebrocys-multilanguage-malware-salad/90680/}, language = {English}, urldate = {2019-12-20} } @online{great:20190626:viceleaker:7145f5f, author = {GReAT}, title = {{ViceLeaker Operation: mobile espionage targeting Middle East}}, date = {2019-06-26}, organization = {Kaspersky Labs}, url = {https://securelist.com/fanning-the-flames-viceleaker-operation/90877/}, language = {English}, urldate = {2019-12-20} } @online{great:20190710:new:f1277c3, author = {GReAT and AMR}, title = {{New FinSpy iOS and Android implants revealed ITW}}, date = {2019-07-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/new-finspy-ios-and-android-implants-revealed-itw/91685/}, language = {English}, urldate = {2019-12-20} } @online{great:20190801:trends:5e25d5b, author = {GReAT}, title = {{APT trends report Q2 2019}}, date = {2019-08-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2019/91897/}, language = {English}, urldate = {2020-08-13} } @online{great:20190812:recent:3a35688, author = {GReAT}, title = {{Recent Cloud Atlas activity}}, date = {2019-08-12}, organization = {Kaspersky Labs}, url = {https://securelist.com/recent-cloud-atlas-activity/92016/}, language = {English}, urldate = {2019-12-20} } @online{great:20190829:fully:a86ed11, author = {GReAT}, title = {{Fully equipped Spying Android RAT from Brazil: BRATA}}, date = {2019-08-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/spying-android-rat-from-brazil-brata/92775/}, language = {English}, urldate = {2019-12-20} } @online{great:20191003:compfun:fd13b9e, author = {GReAT}, title = {{COMpfun successor Reductor infects files on the fly to compromise TLS traffic}}, date = {2019-10-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/compfun-successor-reductor/93633/}, language = {English}, urldate = {2020-01-08} } @online{great:20191128:revengehotels:4fd8ea9, author = {GReAT}, title = {{RevengeHotels: cybercrime targeting hotel front desks worldwide}}, date = {2019-11-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/revengehotels/95229/}, language = {English}, urldate = {2020-01-09} } @online{great:20200108:operation:ea445d5, author = {GReAT}, title = {{Operation AppleJeus Sequel}}, date = {2020-01-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-applejeus-sequel/95596/}, language = {English}, urldate = {2020-01-13} } @online{great:20200508:naikons:f1646a6, author = {GReAT}, title = {{Naikon’s Aria}}, date = {2020-05-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/naikons-aria/96899/}, language = {English}, urldate = {2020-07-06} } @online{great:20200514:compfun:eda09d1, author = {GReAT}, title = {{COMpfun authors spoof visa application with HTTP status-based Trojan}}, date = {2020-05-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/compfun-http-status-based-trojan/96874/}, language = {English}, urldate = {2020-05-14} } @online{great:20200603:cycldek:ed9a830, author = {GReAT and Mark Lechtik and Giampaolo Dedola}, title = {{Cycldek: Bridging the (air) gap}}, date = {2020-06-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/cycldek-bridging-the-air-gap/97157/}, language = {English}, urldate = {2020-06-03} } @online{great:20200714:tetrade:c97f76a, author = {GReAT}, title = {{The Tetrade: Brazilian banking malware goes global}}, date = {2020-07-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-tetrade-brazilian-banking-malware/97779/}, language = {English}, urldate = {2020-07-15} } @online{great:20200722:mata:591e184, author = {GReAT}, title = {{MATA: Multi-platform targeted malware framework}}, date = {2020-07-22}, organization = {Kaspersky Labs}, url = {https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/}, language = {English}, urldate = {2020-07-23} } @online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } @online{greenberg:20170920:ccleaner:3590e9c, author = {Andy Greenberg}, title = {{The CCleaner Malware Fiasco Targeted at Least 18 Specific Tech Firms}}, date = {2017-09-20}, organization = {Wired}, url = {https://www.wired.com/story/ccleaner-malware-targeted-tech-firms}, language = {English}, urldate = {2019-12-16} } @online{greenberg:20171024:new:5359735, author = {Andy Greenberg}, title = {{New Ransomware Linked to NotPetya Sweeps Russia and Ukraine}}, date = {2017-10-24}, organization = {Wired}, url = {https://www.wired.com/story/badrabbit-ransomware-notpetya-russia-ukraine/}, language = {English}, urldate = {2020-01-06} } @online{greenberg:20171109:he:5442358, author = {Andy Greenberg}, title = {{He Perfected a Password-Hacking Tool—Then the Russians Came Calling}}, date = {2017-11-09}, organization = {Wired}, url = {https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/}, language = {English}, urldate = {2020-01-08} } @online{greenberg:20191017:untold:c257d22, author = {Andy Greenberg}, title = {{The Untold Story of the 2018 Olympics Cyberattack, the Most Deceptive Hack in History}}, date = {2019-10-17}, organization = {Wired}, url = {https://www.wired.com/story/untold-story-2018-olympics-destroyer-cyberattack/}, language = {English}, urldate = {2020-01-13} } @online{greenberg:20200528:nsa:c35f45e, author = {Andy Greenberg}, title = {{NSA: Russia's Sandworm Hackers Have Hijacked Mail Servers}}, date = {2020-05-28}, organization = {Wired}, url = {https://www.wired.com/story/nsa-sandworm-exim-mail-server-warning/}, language = {English}, urldate = {2020-05-29} } @online{greenberg:20200716:iranian:4cc83df, author = {Andy Greenberg}, title = {{Iranian Spies Accidentally Leaked Videos of Themselves Hacking}}, date = {2020-07-16}, organization = {Wired}, url = {https://www.wired.com/story/iran-apt35-hacking-video/}, language = {English}, urldate = {2020-07-16} } @online{greenberg:20200724:russias:689bbb1, author = {Andy Greenberg}, title = {{Russia's GRU Hackers Hit US Government and Energy Targets}}, date = {2020-07-24}, organization = {Wired}, url = {https://www.wired.com/story/russia-fancy-bear-us-hacking-campaign-government-energy/}, language = {English}, urldate = {2020-07-30} } @online{greminger:20150618:so:28825c8, author = {Slavo Greminger}, title = {{So Long, and Thanks for All the Domains}}, date = {2015-06-18}, organization = {SWITCH Security Blog}, url = {https://securityblog.switch.ch/2015/06/18/so-long-and-thanks-for-all-the-domains/}, language = {English}, urldate = {2019-07-11} } @online{griffin:20160808:monsoon:ac7eb5b, author = {Nicholas Griffin}, title = {{MONSOON - Analysis Of An APT Campaign}}, date = {2016-08-08}, organization = {Forcepoint}, url = {https://www.forcepoint.com/blog/x-labs/monsoon-analysis-apt-campaign}, language = {English}, urldate = {2020-04-06} } @online{griffin:20160922:zeus:94d0df7, author = {Nicholas Griffin}, title = {{Zeus Delivered by DELoader to Defraud Customers of Canadian Banks}}, date = {2016-09-22}, organization = {Forcepoint}, url = {https://www.forcepoint.com/blog/security-labs/zeus-delivered-deloader-defraud-customers-canadian-banks}, language = {English}, urldate = {2020-01-13} } @online{griffin:20160928:highly:c9c3359, author = {Nicholas Griffin}, title = {{Highly Evasive Code Injection Awaits User Interaction Before Delivering Malware}}, date = {2016-09-28}, organization = {Forcepoint}, url = {https://www.forcepoint.com/blog/security-labs/highly-evasive-code-injection-awaits-user-interaction-delivering-malware}, language = {English}, urldate = {2020-01-09} } @online{griffin:20170117:carbanak:68e7e00, author = {Nicholas Griffin}, title = {{Carbanak Group uses Google for malware command-and-control}}, date = {2017-01-17}, organization = {Forcepoint}, url = {https://www.forcepoint.com/blog/x-labs/carbanak-group-uses-google-malware-command-and-control}, language = {English}, urldate = {2020-05-27} } @online{grill:20170313:detecting:b90625c, author = {Bernhard Grill and Megan Ruthven and Xin Zhao}, title = {{Detecting and eliminating Chamois, a fraud botnet on Android}}, date = {2017-03-13}, organization = {Google}, url = {https://android-developers.googleblog.com/2017/03/detecting-and-eliminating-chamois-fraud.html}, language = {English}, urldate = {2020-01-06} } @online{groisman:20190301:threat:aaf612e, author = {Alon Groisman}, title = {{Threat Alert: AVE Maria infostealer on the rise}}, date = {2019-03-01}, organization = {Morphisec}, url = {http://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery}, language = {English}, urldate = {2020-01-09} } @online{grooten:20180427:gravityrat:40749fa, author = {Martijn Grooten}, title = {{GravityRAT malware takes your system's temperature}}, date = {2018-04-27}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/blog/2018/04/gravityrat-malware-takes-your-systems-temperature/}, language = {English}, urldate = {2020-01-13} } @online{gross:20150513:cylance:57a5597, author = {Jon Gross}, title = {{Cylance SPEAR Team: A Threat Actor Resurfaces}}, date = {2015-05-13}, organization = {Cylance}, url = {https://blog.cylance.com/spear-a-threat-actor-resurfaces}, language = {English}, urldate = {2019-10-15} } @techreport{gross:20160223:operation:424641b, author = {Jon Gross and Cylance SPEAR Team}, title = {{Operation Dust Storm}}, date = {2016-02-23}, institution = {Cylance}, url = {https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf}, language = {English}, urldate = {2020-01-09} } @online{gross:20170227:deception:3690880, author = {Jon Gross}, title = {{The Deception Project: A New Japanese-Centric Threat}}, date = {2017-02-27}, organization = {Cylance}, url = {https://threatvector.cylance.com/en_us/home/the-deception-project-a-new-japanese-centric-threat.html}, language = {English}, urldate = {2020-01-09} } @online{gross:20170227:deception:c424a01, author = {Jon Gross}, title = {{The Deception Project: A New Japanese-Centric Threat}}, date = {2017-02-27}, organization = {Threat Vector}, url = {https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html}, language = {English}, urldate = {2020-01-05} } @online{group:20161009:siteintel:906676a, author = {SITE Intelligence Group}, title = {{SiteIntel: Cyber Caliphate Army}}, date = {2016-10-09}, url = {https://ent.siteintelgroup.com/index.php?option=com_customproperties&view=search&task=tag&bind_to_category=content:37&tagId=697}, language = {English}, urldate = {2020-05-27} } @online{group:20181113:chinese:6141b55, author = {Insikt Group}, title = {{Chinese Threat Actor TEMP.Periscope Targets UK-Based Engineering Company Using Russian APT Techniques}}, date = {2018-11-13}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/chinese-threat-actor-tempperiscope/}, language = {English}, urldate = {2020-01-13} } @techreport{group:20190206:apt10:74d18e7, author = {Insikt Group and Rapid7}, title = {{APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign}}, date = {2019-02-06}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf}, language = {English}, urldate = {2019-12-17} } @techreport{group:20190206:apt10:9c61d0b, author = {Insikt Group and Rapid7}, title = {{APT10 Targeted NorwegianMSP and US Companies in Sustained Campaign}}, date = {2019-02-06}, institution = {Recorded Future}, url = {http://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf}, language = {English}, urldate = {2020-01-06} } @techreport{group:20200123:european:c3ca9e3, author = {Insikt Group}, title = {{European Energy Sector Organization Targeted by PupyRAT Malware in Late 2019}}, date = {2020-01-23}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf}, language = {English}, urldate = {2020-01-27} } @online{group:20200312:swallowing:b1becb5, author = {Insikt Group}, title = {{Swallowing the Snake’s Tail: Tracking Turla Infrastructure}}, date = {2020-03-12}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/turla-apt-infrastructure/}, language = {English}, urldate = {2020-03-13} } @techreport{group:20200610:new:fbd9342, author = {Insikt Group®}, title = {{New Ransomware-as-a-Service Tool ‘Thanos’ Shows Connections to ‘Hakbit}}, date = {2020-06-10}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0610.pdf}, language = {English}, urldate = {2020-06-11} } @online{group:20200615:striking:8fdf4bb, author = {Exploit Development Group}, title = {{Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability}}, date = {2020-06-15}, organization = {NCC Group}, url = {https://research.nccgroup.com/2020/06/15/striking-back-at-retired-cobalt-strike-a-look-at-a-legacy-vulnerability/}, language = {English}, urldate = {2020-06-16} } @techreport{group:20200729:chinese:1929fcd, author = {Insikt Group}, title = {{Chinese State-sponsored Group RedDelta Targets the Vatican and Catholic Organizations}}, date = {2020-07-29}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf}, language = {English}, urldate = {2020-07-30} } @techreport{groupib:201603:buhtrap:65fd758, author = {Group-IB}, title = {{BUHTRAP: The Evolution of Targetted Attacks Against Financial Instituitions}}, date = {2016-03}, institution = {Group-IB}, url = {https://www.group-ib.com/brochures/gib-buhtrap-report.pdf}, language = {English}, urldate = {2020-01-12} } @online{groupib:2016:cron:ef29ee9, author = {Group-IB}, title = {{Cron has fallen}}, date = {2016}, organization = {Group-IB}, url = {http://blog.group-ib.com/cron}, language = {English}, urldate = {2020-01-13} } @techreport{groupib:20180522:anunak:97d0646, author = {Group-IB and Fox-IT}, title = {{Anunak: APT against financial institutions}}, date = {2018-05-22}, institution = {Group-IB}, url = {https://www.group-ib.com/resources/threat-research/Anunak_APT_against_financial_institutions.pdf}, language = {English}, urldate = {2020-01-06} } @online{groupib:20180905:silence:6886d17, author = {Group-IB}, title = {{Silence: Moving into the Darkside}}, date = {2018-09-05}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/silence}, language = {English}, urldate = {2019-12-18} } @online{groupib:20190328:groupib:e9956d2, author = {Group-IB and Pavel Krylov and Rustam Mirkasymov}, title = {{Group-IB uncovers Android Trojan named «Gustuff» capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications}}, date = {2019-03-28}, organization = {Group-IB}, url = {https://www.group-ib.com/media/gustuff/}, language = {English}, urldate = {2019-07-09} } @online{groupib:201908:attacks:9da5611, author = {Group-IB}, title = {{Attacks by Silence}}, date = {2019-08}, organization = {Group-IB}, url = {https://www.group-ib.com/resources/threat-research/silence.html}, language = {English}, urldate = {2020-01-07} } @techreport{groupib:201908:silence:1845381, author = {Group-IB}, title = {{Silence 2.0 - Going Global}}, date = {2019-08}, institution = {Group-IB}, url = {https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf}, language = {English}, urldate = {2019-12-17} } @online{grozev:20200505:who:bd9d865, author = {Christo Grozev}, title = {{Who Is Dmitry Badin, The GRU Hacker Indicted By Germany Over The Bundestag Hacks?}}, date = {2020-05-05}, organization = {Bellingcat}, url = {https://www.bellingcat.com/news/2020/05/05/who-is-dmitry-badin-the-gru-hacker-indicted-by-germany-over-the-bundestag-hacks/}, language = {English}, urldate = {2020-05-05} } @online{grujars:20191213:squad:437183d, author = {GrujaRS}, title = {{Tweet on Squad Ransomware}}, date = {2019-12-13}, organization = {Twitter (@GrujaRS)}, url = {https://twitter.com/GrujaRS/status/1205566219971125249}, language = {English}, urldate = {2020-01-08} } @online{grujars:20191227:yarraq:bdde865, author = {GrujaRS}, title = {{Tweet on Yarraq Ransomware}}, date = {2019-12-27}, organization = {Twitter (@GrujaRS)}, url = {https://twitter.com/GrujaRS/status/1210541690349662209}, language = {English}, urldate = {2020-01-13} } @online{grujars:20200322:new:d94c371, author = {GrujaRS}, title = {{New #VHD (virtual hard disk)#Ransomware extension .vhd!}}, date = {2020-03-22}, url = {https://twitter.com/GrujaRS/status/1241657443282825217}, language = {English}, urldate = {2020-03-27} } @online{grujars:20200427:about:54c4b58, author = {GrujaRS}, title = {{Tweet about spotting goCryptoLocker in the wild}}, date = {2020-04-27}, organization = {Twitter (@GrujaRS)}, url = {https://twitter.com/GrujaRS/status/1254657823478353920}, language = {English}, urldate = {2020-04-28} } @online{grunzweig:20121213:dexter:339a8fd, author = {Josh Grunzweig}, title = {{The Dexter Malware: Getting Your Hands Dirty}}, date = {2012-12-13}, organization = {SpiderLabs Blog}, url = {https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Dexter-Malware--Getting-Your-Hands-Dirty/}, language = {English}, urldate = {2020-01-06} } @online{grunzweig:20130508:alina:4b70c89, author = {Josh Grunzweig}, title = {{Alina: Casting a Shadow on POS}}, date = {2013-05-08}, organization = {SpiderLabs Blog}, url = {https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Casting-a-Shadow-on-POS/}, language = {English}, urldate = {2020-01-09} } @online{grunzweig:20130517:alina:f668aaf, author = {Josh Grunzweig}, title = {{Alina: Following The Shadow Part 1}}, date = {2013-05-17}, organization = {Trustwave}, url = {https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Following-The-Shadow-Part-1/}, language = {English}, urldate = {2019-12-17} } @online{grunzweig:20130603:alina:2c8f3e9, author = {Josh Grunzweig}, title = {{Alina: Following The Shadow Part 2}}, date = {2013-06-03}, organization = {Trustwave}, url = {https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Following-The-Shadow-Part-2/}, language = {English}, urldate = {2019-12-17} } @online{grunzweig:20131209:curious:8c64525, author = {Josh Grunzweig}, title = {{The Curious Case of the Malicious IIS Module}}, date = {2013-12-09}, organization = {Trustwave}, url = {https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Curious-Case-of-the-Malicious-IIS-Module/}, language = {English}, urldate = {2019-12-04} } @online{grunzweig:20150319:findpos:87059f2, author = {Josh Grunzweig}, title = {{FindPOS: New POS Malware Family Discovered}}, date = {2015-03-19}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2015/03/findpos-new-pos-malware-family-discovered/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20151009:latest:c328965, author = {Josh Grunzweig}, title = {{Latest TeslaCrypt Ransomware Borrows Code From Carberp Trojan}}, date = {2015-10-09}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2015/10/latest-teslacrypt-ransomware-borrows-code-from-carberp-trojan/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20160122:new:f7cb504, author = {Josh Grunzweig and Bryan Lee}, title = {{New Attacks Linked to C0d0so0 Group}}, date = {2016-01-22}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20160311:powersniff:ca6c14f, author = {Josh Grunzweig and Brandon Levene}, title = {{PowerSniff Malware Used in Macro-based Attacks}}, date = {2016-03-11}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/powersniff-malware-used-in-macro-based-attacks/}, language = {English}, urldate = {2020-01-08} } @online{grunzweig:20160314:digital:b6ddc60, author = {Josh Grunzweig and Robert Falcone and Bryan Lee}, title = {{Digital Quartermaster Scenario Demonstrated in Attacks Against the Mongolian Government}}, date = {2016-03-14}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20160502:prince:bd368e1, author = {Josh Grunzweig}, title = {{Prince of Persia Hashes}}, date = {2016-05-02}, organization = {Github (pan-unit42)}, url = {https://github.com/pan-unit42/iocs/blob/master/prince_of_persia/hashes.csv}, language = {English}, urldate = {2020-01-08} } @online{grunzweig:20160524:new:d1cd669, author = {Josh Grunzweig and Mike Scott and Bryan Lee}, title = {{New Wekby Attacks Use DNS Requests As Command and Control Mechanism}}, date = {2016-05-24}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20160708:investigating:576bb94, author = {Josh Grunzweig}, title = {{Investigating the LuminosityLink Remote Access Trojan Configuration}}, date = {2016-07-08}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/07/unit42-investigating-the-luminositylink-remote-access-trojan-configuration/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20160816:aveo:6f3cf5c, author = {Josh Grunzweig and Robert Falcone}, title = {{Aveo Malware Family Targets Japanese Speaking Users}}, date = {2016-08-16}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/08/unit42-aveo-malware-family-targets-japanese-speaking-users/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20161004:oilrig:2e3b9e0, author = {Josh Grunzweig and Robert Falcone}, title = {{OilRig Malware Campaign Updates Toolset and Expands Targets}}, date = {2016-10-04}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/}, language = {English}, urldate = {2019-10-22} } @online{grunzweig:20161004:oilrig:72c4b0e, author = {Josh Grunzweig and Robert Falcone}, title = {{OilRig Malware Campaign Updates Toolset and Expands Targets}}, date = {2016-10-04}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20170105:dragonok:2b228f2, author = {Josh Grunzweig}, title = {{DragonOK Updates Toolset and Targets Multiple Geographic Regions}}, date = {2017-01-05}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/}, language = {English}, urldate = {2019-12-17} } @online{grunzweig:20170105:dragonok:f5f73f6, author = {Josh Grunzweig}, title = {{DragonOK Updates Toolset and Targets Multiple Geographic Regions}}, date = {2017-01-05}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20170315:nexuslogger:5530c6b, author = {Josh Grunzweig}, title = {{NexusLogger: A New Cloud-based Keylogger Enters the Market}}, date = {2017-03-15}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/03/unit42-nexuslogger-new-cloud-based-keylogger-enters-market/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20170420:cardinal:dbe903e, author = {Josh Grunzweig}, title = {{Cardinal RAT Active for Over Two Years}}, date = {2017-04-20}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736&adbid=855028404965433346&adbpl=tw&adbpr=4487645412}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20170928:threat:835bf8e, author = {Josh Grunzweig and Robert Falcone}, title = {{Threat Actors Target Government of Belarus Using CMSTAR Trojan}}, date = {2017-09-28}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20171110:new:12fdedb, author = {Josh Grunzweig and Jen Miller-Osborn}, title = {{New Malware with Ties to SunOrcal Discovered}}, date = {2017-11-10}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20180126:tophat:42d9f5d, author = {Josh Grunzweig}, title = {{The TopHat Campaign: Attacks Within The Middle East Region Using Popular Third-Party Services}}, date = {2018-01-26}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20180417:squirtdanger:86b0da6, author = {Josh Grunzweig and Brandon Levene and Kyle Wilhoit and Pat Litke}, title = {{SquirtDanger: The Swiss Army Knife Malware from Veteran Malware Author TheBottle}}, date = {2018-04-17}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/04/unit42-squirtdanger-swiss-army-knife-malware-veteran-malware-author-thebottle/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20180927:new:d33c053, author = {Josh Grunzweig and Bryan Lee}, title = {{New KONNI Malware attacking Eurasia and Southeast Asia}}, date = {2018-09-27}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20181001:nokki:b458c95, author = {Josh Grunzweig}, title = {{NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT}}, date = {2018-10-01}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20190225:multiple:5d7b857, author = {Josh Grunzweig and Brittany Ash}, title = {{Multiple ArtraDownloader Variants Used by BITTER to Target Pakistan}}, date = {2019-02-25}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/}, language = {English}, urldate = {2019-12-10} } @online{grunzweig:20191129:fractured:65257b7, author = {Josh Grunzweig and Kyle Wilhoit}, title = {{The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia}}, date = {2019-11-29}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/}, language = {English}, urldate = {2020-01-12} } @online{gu:20171030:coin:5a1f004, author = {Jason Gu and Veo Zhang and Seven Shen}, title = {{Coin Miner Mobile Malware Returns, Hits Google Play}}, date = {2017-10-30}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/coin-miner-mobile-malware-returns-hits-google-play/}, language = {English}, urldate = {2019-12-24} } @techreport{gu:2019:vine:df5dbfb, author = {Lion Gu and Bowen Pan}, title = {{A vine climbing over the Great Firewall: A long-term attack against China}}, date = {2019}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-GuPan.pdf}, language = {English}, urldate = {2020-01-08} } @online{guardicore:20200630:botnet:9a0cb16, author = {Guardicore}, title = {{Botnet Encyclopedia}}, date = {2020-06-30}, organization = {Guardicore}, url = {https://www.guardicore.com/botnet-encyclopedia/}, language = {English}, urldate = {2020-07-02} } @online{guarino:20190614:houdini:d6c63fa, author = {Nick Guarino and Aaron Riley}, title = {{Houdini Worm Transformed in New Phishing Attack}}, date = {2019-06-14}, organization = {Cofense}, url = {https://cofense.com/houdini-worm-transformed-new-phishing-attack/}, language = {English}, urldate = {2020-01-08} } @online{guarnieri:20130607:keyboy:58ebd77, author = {Claudio Guarnieri and Mark Schloesser}, title = {{KeyBoy, Targeted Attacks against Vietnam and India}}, date = {2013-06-07}, organization = {Rapid7 Labs}, url = {https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/}, language = {English}, urldate = {2019-12-20} } @online{guarnieri:20150619:digital:6c1a11b, author = {Claudio Guarnieri}, title = {{Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag}}, date = {2015-06-19}, organization = {Netzpolitik.org}, url = {https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/}, language = {English}, urldate = {2020-01-10} } @techreport{guarnieri:201608:iran:d15568e, author = {Claudio Guarnieri and Collin Anderson}, title = {{Iran and the Soft Warfor Internet Dominance}}, date = {2016-08}, institution = {Black Hat}, url = {https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf}, language = {English}, urldate = {2019-11-26} } @online{guarnieri:20170206:ikittens:b5486bb, author = {Claudio Guarnieri and Collin Anderson}, title = {{iKittens: Iranian Actor Resurfaces with Malware for Mac (MacDownloader)}}, date = {2017-02-06}, organization = {Iran Threats}, url = {https://iranthreats.github.io/resources/macdownloader-macos-malware/}, language = {English}, urldate = {2020-01-09} } @online{gubi:20181017:emergence:670b6fd, author = {Israel Gubi}, title = {{The Emergence of the New Azorult 3.3}}, date = {2018-10-17}, organization = {Check Point}, url = {https://research.checkpoint.com/the-emergence-of-the-new-azorult-3-3/}, language = {English}, urldate = {2020-01-07} } @online{gubi:20190709:2019:38d9134, author = {Israel Gubi}, title = {{The 2019 Resurgence of Smokeloader}}, date = {2019-07-09}, organization = {Check Point}, url = {https://research.checkpoint.com/2019-resurgence-of-smokeloader/}, language = {English}, urldate = {2020-01-10} } @online{guerrerosaade:20171224:turla:dd95598, author = {Juan Andrés Guerrero-Saade}, title = {{Tweet on Turla Penquin}}, date = {2017-12-24}, organization = {Twitter (@juanandres_gs)}, url = {https://twitter.com/juanandres_gs/status/944741575837528064}, language = {English}, urldate = {2020-01-06} } @techreport{guerrerosaade:201803:penquins:1c6305e, author = {Juan Andrés Guerrero-Saade and Costin Raiu and Daniel Moore and Thomas Rid}, title = {{Penquin's Moonlit Maze}}, date = {2018-03}, institution = {Kaspersky Labs}, url = {https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_PDF_eng.pdf}, language = {English}, urldate = {2019-11-25} } @online{guerrerosaade:20180626:redalpha:58724c7, author = {Juan Andrés Guerrero-Saade and Sanil Chohan}, title = {{RedAlpha: New Campaigns Discovered Targeting the Tibetan Community}}, date = {2018-06-26}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/redalpha-cyber-campaigns/}, language = {English}, urldate = {2020-01-07} } @techreport{guerrerosaade:20180626:redalpha:c7f1df0, author = {Juan Andrés Guerrero-Saade and Sanil Chohan}, title = {{RedAlpha: New Campaigns Discovered Targeting theTibetan Community}}, date = {2018-06-26}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2018-0626.pdf}, language = {English}, urldate = {2020-01-09} } @techreport{guerrerosaade:20190409:flame:4ce4c10, author = {Juan Andrés Guerrero-Saade and Silas Cutler}, title = {{Flame 2.0: Risen from the Ashes}}, date = {2019-04-09}, institution = {Chronicle Security}, url = {https://storage.googleapis.com/chronicle-research/Flame%202.0%20Risen%20from%20the%20Ashes.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{guerrerosaade:20190409:oldest:062ea25, author = {Juan Andrés Guerrero-Saade and Silas Cutler}, title = {{The Oldest Stuxnet Component Dials Up}}, date = {2019-04-09}, institution = {Chronicle Security}, url = {https://storage.googleapis.com/chronicle-research/STUXSHOP%20Stuxnet%20Dials%20In%20.pdf}, language = {English}, urldate = {2019-12-04} } @online{guerrerosaade:20200422:nazar:0c5eef8, author = {Juan Andrés Guerrero-Saade}, title = {{Nazar: A Lost Amulet}}, date = {2020-04-22}, organization = {EpicTurla}, url = {https://www.epicturla.com/blog/the-lost-nazar}, language = {English}, urldate = {2020-05-05} } @online{guerrerosaade:20200526:acidbox:06edc14, author = {Juan Andrés Guerrero-Saade}, title = {{ACIDBOX Clustering}}, date = {2020-05-26}, organization = {EpicTurla}, url = {https://www.epicturla.com/blog/acidbox-clustering}, language = {English}, urldate = {2020-06-29} } @online{guerrerosaade:20200528:sysinturla:8cad820, author = {Juan Andrés Guerrero-Saade}, title = {{SysInTURLA}}, date = {2020-05-28}, organization = {EpicTurla}, url = {https://www.epicturla.com/blog/sysinturla}, language = {English}, urldate = {2020-05-29} } @online{guertin:20200109:pha:deb82eb, author = {Alec Guertin and Vadim Kotov}, title = {{PHA Family Highlights: Bread (and Friends)}}, date = {2020-01-09}, organization = {Google}, url = {https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html}, language = {English}, urldate = {2020-01-20} } @online{guirakhoo:20200312:how:cf2276f, author = {Alex Guirakhoo}, title = {{How cybercriminals are taking advantage of COVID-19: Scams, fraud, and misinformation}}, date = {2020-03-12}, organization = {Digital Shadows}, url = {https://www.digitalshadows.com/blog-and-research/how-cybercriminals-are-taking-advantage-of-covid-19-scams-fraud-misinformation/}, language = {English}, urldate = {2020-03-19} } @online{gull:20190810:select:56061b1, author = {Omer Gull}, title = {{SELECT code_execution FROM * USING SQLite;}}, date = {2019-08-10}, organization = {Check Point}, url = {https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/}, language = {English}, urldate = {2020-02-09} } @online{gutierrez:20121220:trojanstabuniq:3e7b380, author = {Fred Gutierrez}, title = {{Trojan.Stabuniq Found on Financial Institution Servers}}, date = {2012-12-20}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers}, language = {English}, urldate = {2020-01-10} } @online{h4ck:20141108:review:85ad7e4, author = {H4ck}, title = {{Review of jSpy a RAT from jSpy.net}}, date = {2014-11-08}, organization = {How-To-Hack.net}, url = {https://how-to-hack.net/hacking-guides/review-of-jspy-rat-jspy-net/}, language = {English}, urldate = {2019-07-31} } @online{h:20200316:new:60f8c3d, author = {Jeremy H and Axel F and Proofpoint Threat Insight Team}, title = {{New RedLine Stealer Distributed Using Coronavirus-themed Email Campaign}}, date = {2020-03-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-redline-stealer-distributed-using-coronavirus-themed-email-campaign}, language = {English}, urldate = {2020-03-17} } @online{hackdig:20160217:russian:41104f7, author = {HackDig}, title = {{Russian Police Prevented Massive Banking Sector Cyber Attack}}, date = {2016-02-17}, url = {http://webcache.googleusercontent.com/search?q=cache:TWoHHzH9gU0J:en.hackdig.com/02/39538.htm}, language = {English}, urldate = {2020-06-03} } @online{hackdig:20200812:antiys:0d7e73e, author = {HackDig}, title = {{Antiy's analysis report on the recent APT attacks against the Green Spot organization}}, date = {2020-08-12}, url = {http://www.hackdig.com/08/hack-107672.htm}, language = {Chinese}, urldate = {2020-08-14} } @online{hacker:20171011:more:9040492, author = {Wraith Hacker}, title = {{More info on 'Evolved DNSMessenger'}}, date = {2017-10-11}, organization = {Wraith Hacker Blog}, url = {http://wraithhacker.com/2017/10/11/more-info-on-evolved-dnsmessenger/}, language = {English}, urldate = {2019-10-12} } @online{hacks4pancakes:20170628:why:8053178, author = {hacks4pancakes}, title = {{Why NotPetya Kept Me Awake (& You Should Worry Too)}}, date = {2017-06-28}, url = {https://tisiphone.net/2017/06/28/why-notpetya-kept-me-awake-you-should-worry-too/}, language = {English}, urldate = {2020-01-09} } @online{hacquebord:20151022:pawn:8231722, author = {Feike Hacquebord}, title = {{Pawn Storm Targets MH17 Investigation Team}}, date = {2015-10-22}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-targets-mh17-investigation-team/}, language = {English}, urldate = {2020-01-10} } @online{hacquebord:20191212:more:a1e84b7, author = {Feike Hacquebord and Cedric Pernet and Kenney Lu}, title = {{More than a Dozen Obfuscated APT33 Botnets Used for Extreme Narrow Targeting}}, date = {2019-12-12}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/}, language = {English}, urldate = {2020-01-13} } @techreport{hacquebord:20200311:pawn:d7ef8ae, author = {Feike Hacquebord}, title = {{Pawn Storm in 2019: A Year of Scanning and Credential Phishing on High-Profile Targets}}, date = {2020-03-11}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/white_papers/wp-pawn-storm-in-2019.pdf}, language = {English}, urldate = {2020-03-19} } @online{hadar:20180116:globeimposter:6a2afda, author = {Alon Hadar}, title = {{GlobeImposter Ransomware}}, date = {2018-01-16}, organization = {enSilo}, url = {https://blog.ensilo.com/globeimposter-ransomware-technical}, language = {English}, urldate = {2019-07-09} } @online{hahn:20161027:procleanerexe:bde4a80, author = {Karsten Hahn}, title = {{Tweet on procleaner.exe}}, date = {2016-10-27}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/791535679905927168}, language = {English}, urldate = {2019-11-26} } @online{hahn:20161218:unlock92:31d2259, author = {Karsten Hahn}, title = {{Tweet on Unlock92 Ransomware}}, date = {2016-12-18}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/810753660737073153}, language = {English}, urldate = {2020-01-07} } @online{hahn:20161219:cryptoblock:cd82b17, author = {Karsten Hahn}, title = {{Tweet on CryptoBlock}}, date = {2016-12-19}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/810770490491043840}, language = {English}, urldate = {2020-01-06} } @online{hahn:20161221:manifestus:d86e48c, author = {Karsten Hahn}, title = {{Tweet on Manifestus Ransomware}}, date = {2016-12-21}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/811587154983981056}, language = {English}, urldate = {2020-01-13} } @online{hahn:20161224:derialock:4ab9ba7, author = {Karsten Hahn}, title = {{Tweet on DeriaLock}}, date = {2016-12-24}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/812601286088597505}, language = {English}, urldate = {2019-11-26} } @online{hahn:20161224:kokokrypt:fb647ed, author = {Karsten Hahn}, title = {{Tweet on KoKoKrypt}}, date = {2016-12-24}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/812726545173401600}, language = {English}, urldate = {2020-01-08} } @online{hahn:20170105:comradecircle:246172d, author = {Karsten Hahn}, title = {{Tweet on ComradeCircle Ransomware}}, date = {2017-01-05}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/816926371867926528}, language = {English}, urldate = {2020-01-13} } @online{hahn:20170118:spora:43d64d0, author = {Karsten Hahn}, title = {{Spora - the Shortcut Worm that is also a Ransomware}}, date = {2017-01-18}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2017/01/29442-spora-worm-and-ransomware}, language = {English}, urldate = {2019-10-15} } @online{hahn:20171203:malware:b8a77b5, author = {Karsten Hahn}, title = {{Malware Analysis - ROKRAT Unpacking from Injected Shellcode}}, date = {2017-12-03}, url = {https://www.youtube.com/watch?v=uoBQE5s2ba4}, language = {English}, urldate = {2020-01-12} } @online{hahn:20180109:hiddentear:372b79c, author = {Karsten Hahn}, title = {{Tweet on HiddenTear Sample}}, date = {2018-01-09}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/950787783353884672}, language = {English}, urldate = {2019-12-04} } @online{hahn:20190520:yggdrasil:5a23fde, author = {Karsten Hahn}, title = {{Tweet on Yggdrasil / CinaRAT}}, date = {2019-05-20}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/1130455143504318466}, language = {English}, urldate = {2020-01-13} } @online{hahn:20191121:stop:a5c8118, author = {Karsten Hahn and Stefan Karpenstein}, title = {{STOP Ransomware: Finger weg von illegalen Software-Downloads}}, date = {2019-11-21}, organization = {G Data}, url = {https://www.gdata.de/blog/1970/01/-35391-finger-weg-von-illegalen-software-downloads}, language = {English}, urldate = {2020-01-10} } @online{hahn:20200206:40000:3a0d792, author = {Karsten Hahn}, title = {{40,000 CryptBot Downloads per Day: Bitbucket Abused as Malware Slinger}}, date = {2020-02-06}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/2020/02/35802-bitbucket-abused-as-malware-slinger}, language = {English}, urldate = {2020-04-02} } @online{hahn:20200402:pekraut:479527e, author = {Karsten Hahn}, title = {{Pekraut - German RAT starts gnawing}}, date = {2020-04-02}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/2020/04/35849-pekraut-german-rat-starts-gnawing}, language = {English}, urldate = {2020-04-06} } @online{hahn:20200616:new:124c3d1, author = {Karsten Hahn}, title = {{New Java STRRAT ships with .crimson ransomware module}}, date = {2020-06-16}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/strrat-crimson}, language = {English}, urldate = {2020-06-16} } @online{hahn:20200624:discordtokenstealer:2b4cc58, author = {Karsten Hahn}, title = {{Tweet on DiscordTokenStealer}}, date = {2020-06-24}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/1275731035184156675}, language = {English}, urldate = {2020-06-24} } @online{hajime:20180328:quick:2874046, author = {Hajime}, title = {{Quick summary about the Port 8291 scan}}, date = {2018-03-28}, organization = {Netlab}, url = {https://blog.netlab.360.com/quick-summary-port-8291-scan-en/}, language = {English}, urldate = {2020-01-07} } @techreport{hajime:20200117:operation:ef488fd, author = {Takai Hajime}, title = {{Operation Bitter Biscuit}}, date = {2020-01-17}, institution = {NTT Security}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_3_takai_jp.pdf}, language = {Japanese}, urldate = {2020-07-20} } @online{hamacher:20191221:how:9d026a8, author = {Adriana Hamacher}, title = {{How ransomware exploded in the age of Bitcoin}}, date = {2019-12-21}, organization = {Decrypt}, url = {https://decrypt.co/15394/how-ransomware-exploded-in-the-age-of-btc}, language = {English}, urldate = {2020-01-13} } @online{hamada:20160725:patchwork:77fa6bb, author = {Joji Hamada}, title = {{Patchwork cyberespionage group expands targets from governments to wide range of industries}}, date = {2016-07-25}, organization = {Symantec}, url = {http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries}, language = {English}, urldate = {2020-01-13} } @online{hamzeloofard:20200131:new:5d058ea, author = {Shahab Hamzeloofard}, title = {{New wave of PlugX targets Hong Kong}}, date = {2020-01-31}, organization = {Avira}, url = {https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/}, language = {English}, urldate = {2020-02-10} } @online{han:20171120:android:c3f825c, author = {Inhee Han}, title = {{Android Malware Appears Linked to Lazarus Cybercrime Group}}, date = {2017-11-20}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-appears-linked-to-lazarus-cybercrime-group/#sf174581990}, language = {English}, urldate = {2019-12-17} } @online{hanel:20190110:big:7e10bdf, author = {Alexander Hanel}, title = {{Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware}}, date = {2019-01-10}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/}, language = {English}, urldate = {2019-12-20} } @online{hanel:20191101:wizard:a34a09e, author = {Alexander Hanel and Brett Stone-Gross}, title = {{WIZARD SPIDER Adds New Features to Ryuk for Targeting Hosts on LAN}}, date = {2019-11-01}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/}, language = {English}, urldate = {2019-12-20} } @online{hao:20191109:apt34:550c673, author = {Mina Hao}, title = {{APT34 Event Analysis Report}}, date = {2019-11-09}, organization = {NSFOCUS}, url = {https://nsfocusglobal.com/apt34-event-analysis-report/}, language = {English}, urldate = {2020-03-09} } @online{haoming:20181129:analysis:6192262, author = {haoming}, title = {{Analysis Report of the Xorddos Malware Family}}, date = {2018-11-29}, organization = {NSFOCUS}, url = {https://blog.nsfocusglobal.com/threats/vulnerability-analysis/analysis-report-of-the-xorddos-malware-family/}, language = {English}, urldate = {2020-01-06} } @online{haoming:20181206:satan:69932c8, author = {haoming}, title = {{SATAN variant analysis & handling guide}}, date = {2018-12-06}, organization = {NSFOCUS}, url = {http://blog.nsfocusglobal.com/categories/trend-analysis/satan-variant-analysis-handling-guide/}, language = {English}, urldate = {2019-10-15} } @online{haq:20130924:now:3cc13be, author = {Thoufique Haq and Ned Moran}, title = {{Now You See Me - H-worm by Houdini}}, date = {2013-09-24}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/09/now-you-see-me-h-worm-by-houdini.html}, language = {English}, urldate = {2019-12-20} } @online{haq:20131031:know:e772ee9, author = {Thoufique Haq and Ned Moran}, title = {{Know Your Enemy: Tracking A Rapidly Evolving APT Actor}}, date = {2013-10-31}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html}, language = {English}, urldate = {2019-12-20} } @techreport{haq:20140930:operation:ce4e85c, author = {Thoufique Haq and Ned Moran and Sai Vashisht and Mike Scott}, title = {{OPERATION QUANTUM ENTANGLEMENT}}, date = {2014-09-30}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf}, language = {English}, urldate = {2020-01-08} } @online{harakhavik:20190620:danabot:238fce9, author = {Yaroslav Harakhavik and Aliaksandr Chailytko}, title = {{DanaBot Demands a Ransom Payment}}, date = {2019-06-20}, organization = {Check Point}, url = {https://research.checkpoint.com/danabot-demands-a-ransom-payment/}, language = {English}, urldate = {2020-01-07} } @online{harakhavik:20200203:warzone:18606cf, author = {Yaroslav Harakhavik}, title = {{Warzone: Behind the enemy lines}}, date = {2020-02-03}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/}, language = {English}, urldate = {2020-02-03} } @online{harbison:20180413:say:920b109, author = {Mike Harbison and Simon Conant}, title = {{Say “Cheese”: WebMonitor RAT Comes with C2-as-a-Service (C2aaS)}}, date = {2018-04-13}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/04/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/}, language = {English}, urldate = {2019-12-20} } @online{harbison:20180713:upatre:8d5e804, author = {Mike Harbison and Brittany Ash}, title = {{Upatre Continued to Evolve with new Anti-Analysis Techniques}}, date = {2018-07-13}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/}, language = {English}, urldate = {2019-12-20} } @online{hardy:20170427:advanced:d1d61c4, author = {Colin Hardy}, title = {{Advanced Banload Analysis}}, date = {2017-04-27}, organization = {ColinGuru}, url = {https://colin.guru/index.php?title=Advanced_Banload_Analysis}, language = {English}, urldate = {2019-12-10} } @online{harley:20110302:tdl4:9071c3f, author = {David Harley}, title = {{TDL4 and Glupteba: Piggyback PiggyBugs}}, date = {2011-03-02}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs/}, language = {English}, urldate = {2019-11-14} } @online{harley:20110714:cycbot:9e18833, author = {David Harley}, title = {{Cycbot: Ready to Ride}}, date = {2011-07-14}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2011/07/14/cycbot-ready-to-ride/}, language = {English}, urldate = {2019-11-14} } @online{harmon:20190731:systembc:d98f03c, author = {Kade Harmon and Kafeine and Dennis Schwarz and Proofpoint Threat Insight Team}, title = {{SystemBC is like Christmas in July for SOCKS5 Malware and Exploit Kits}}, date = {2019-07-31}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/systembc-christmas-july-socks5-malware-and-exploit-kits}, language = {English}, urldate = {2019-12-20} } @online{harpaz:20180215:trickbots:2cf1b53, author = {Ophir Harpaz and Magal Baz and Limor Kessem}, title = {{TrickBot’s Cryptocurrency Hunger: Tricking the Bitcoin Out of Wallets}}, date = {2018-02-15}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/trickbots-cryptocurrency-hunger-tricking-the-bitcoin-out-of-wallets/}, language = {English}, urldate = {2020-01-06} } @online{harpaz:20200401:vollgar:b10972a, author = {Ophir Harpaz}, title = {{THE VOLLGAR CAMPAIGN: MS-SQL SERVERS UNDER ATTACK}}, date = {2020-04-01}, organization = {Guardicore}, url = {https://www.guardicore.com/2020/04/vollgar-ms-sql-servers-under-attack/}, language = {English}, urldate = {2020-04-07} } @online{haruyama:20190904:cb:7c71995, author = {Takahiro Haruyama}, title = {{CB TAU Threat Intelligence Notification: Winnti Malware 4.0}}, date = {2019-09-04}, organization = {CarbonBlack}, url = {https://www.carbonblack.com/2019/09/04/cb-tau-threat-intelligence-notification-winnti-malware-4-0/}, language = {English}, urldate = {2019-12-17} } @techreport{haruyama:20191024:defeating:4016e1f, author = {Takahiro Haruyama}, title = {{Defeating APT10 Compiler-level Obfuscations}}, date = {2019-10-24}, institution = {Carbon Black}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Haruyama.pdf}, language = {English}, urldate = {2020-03-03} } @online{haruyama:20200220:threat:aa4ef11, author = {Takahiro Haruyama}, title = {{Threat Analysis: Active C2 Discovery Using Protocol Emulation Part2 (Winnti 4.0)}}, date = {2020-02-20}, organization = {Carbon Black}, url = {https://www.carbonblack.com/2020/02/20/threat-analysis-active-c2-discovery-using-protocol-emulation-part2-winnti-4-0/}, language = {English}, urldate = {2020-02-21} } @online{hasbini:20150928:gaza:0c6e96e, author = {Mohamad Amin Hasbini and Ghareeb Saad}, title = {{Gaza cybergang, where’s your IR team?}}, date = {2015-09-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/gaza-cybergang-wheres-your-ir-team/72283/}, language = {English}, urldate = {2019-12-20} } @online{hasbini:20160817:operation:9bfa7d2, author = {Mohamad Amin Hasbini}, title = {{Operation Ghoul: targeted attacks on industrial and engineering organizations}}, date = {2016-08-17}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/75718/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/}, language = {English}, urldate = {2019-12-20} } @online{hasbini:20171030:gaza:7c531cc, author = {Mohamad Amin Hasbini and Ghareeb Saad}, title = {{Gaza Cybergang – updated activity in 2017:}}, date = {2017-10-30}, organization = {Kaspersky Labs}, url = {https://securelist.com/gaza-cybergang-updated-2017-activity/82765/}, language = {English}, urldate = {2019-12-20} } @online{haschek:20200608:a1:b166c86, author = {Christian Haschek}, title = {{The A1 Telekom Austria Hack}}, date = {2020-06-08}, organization = {Christian Haschek's Blog}, url = {https://blog.haschek.at/2020/the-a1-telekom-hack.html}, language = {English}, urldate = {2020-06-11} } @online{hasegawa:20191029:threat:180cf21, author = {Tatsuya Hasegawa}, title = {{Threat Spotlight: Neshta File Infector Endures}}, date = {2019-10-29}, organization = {Cylance}, url = {https://threatvector.cylance.com/en_us/home/threat-spotlight-neshta-file-infector-endures.html}, language = {English}, urldate = {2019-11-16} } @online{hasherezade:20150713:revisiting:391fe73, author = {hasherezade}, title = {{Revisiting The Bunitu Trojan}}, date = {2015-07-13}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20150819:inside:1828f15, author = {hasherezade}, title = {{Inside Neutrino botnet builder}}, date = {2015-08-19}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2015/08/inside-neutrino-botnet-builder/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20151104:technical:abd2b27, author = {hasherezade}, title = {{A Technical Look At Dyreza}}, date = {2015-11-04}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20160202:dma:5d599e2, author = {hasherezade}, title = {{DMA Locker: New Ransomware, But No Reason To Panic}}, date = {2016-02-02}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20160209:dma:1fe0c43, author = {hasherezade}, title = {{DMA Locker Strikes Back}}, date = {2016-02-09}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-strikes-back/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20160301:look:fe35696, author = {hasherezade}, title = {{Look Into Locky Ransomware}}, date = {2016-03-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20160311:cerber:f1fb954, author = {hasherezade}, title = {{Cerber ransomware: new, but mature}}, date = {2016-03-11}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20160324:maktub:fbe0f56, author = {hasherezade}, title = {{Maktub Locker – Beautiful And Dangerous}}, date = {2016-03-24}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20160506:7ev3n:6b6cfb1, author = {hasherezade}, title = {{7ev3n ransomware turning ‘HONE$T’}}, date = {2016-05-06}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/05/7ev3n-ransomware/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20160519:petya:25c555f, author = {hasherezade}, title = {{Petya and Mischa – Ransomware Duet (Part 1)}}, date = {2016-05-19}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/05/petya-and-mischa-ransomware-duet-p1/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20160523:dma:352692f, author = {hasherezade}, title = {{DMA Locker 4.0: Known ransomware preparing for a massive distribution}}, date = {2016-05-23}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/05/dma-locker-4-0-known-ransomware-preparing-for-a-massive-distribution/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20161117:princess:378c704, author = {hasherezade}, title = {{Princess Locker decryptor}}, date = {2016-11-17}, organization = {hasherezade's 1001 nights}, url = {https://hshrzd.wordpress.com/2016/11/17/princess-locker-decryptor/}, language = {English}, urldate = {2020-01-10} } @online{hasherezade:20170614:unpacking:a820fac, author = {hasherezade}, title = {{Unpacking YoungLotus malware}}, date = {2017-06-14}, organization = {Youtube (hasherezade)}, url = {https://www.youtube.com/watch?v=AUGxYhE_CUY}, language = {English}, urldate = {2020-01-06} } @online{hasherezade:20171215:unpacking:8c8d58c, author = {hasherezade}, title = {{Unpacking Magniber ransomware with PE-sieve (former: 'hook_finder')}}, date = {2017-12-15}, url = {https://www.youtube.com/watch?v=lqWJaaofNf4}, language = {English}, urldate = {2019-10-23} } @online{hasherezade:20171230:unpacking:5477bb2, author = {hasherezade}, title = {{Unpacking TrickBot with PE-sieve}}, date = {2017-12-30}, organization = {Youtube (hasherezade)}, url = {https://www.youtube.com/watch?v=lTywPmZEU1A}, language = {English}, urldate = {2020-01-06} } @online{hasherezade:201801:coin:7ef1583, author = {hasherezade}, title = {{A coin miner with a “Heaven’s Gate”}}, date = {2018-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/amp/}, language = {English}, urldate = {2019-12-04} } @online{hasherezade:20180223:avzhan:299cc86, author = {hasherezade}, title = {{Avzhan DDoS bot dropped by Chinese drive-by attack}}, date = {2018-02-23}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2018/02/avzhan-ddos-bot-dropped-by-chinese-drive-by-attack/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20180301:blast:6bec8e3, author = {hasherezade}, title = {{Blast from the past: stowaway Virut delivered with Chinese DDoS bot}}, date = {2018-03-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2018/03/blast-from-the-past-stowaway-virut-delivered-with-chinese-ddos-bot/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20180319:unpacking:150cdac, author = {hasherezade}, title = {{Unpacking Ursnif}}, date = {2018-03-19}, url = {https://www.youtube.com/watch?v=jlc7Ahp8Iqg}, language = {English}, urldate = {2019-12-24} } @online{hasherezade:20180331:deobfuscating:39c1be0, author = {hasherezade}, title = {{Deobfuscating TrickBot's strings with libPeConv}}, date = {2018-03-31}, organization = {Youtube (hasherezade)}, url = {https://www.youtube.com/watch?v=KMcSAlS9zGE}, language = {English}, urldate = {2020-01-13} } @online{hasherezade:20180726:hidden:76d28ed, author = {hasherezade and Jérôme Segura}, title = {{‘Hidden Bee’ miner delivered via improved drive-by download toolkit}}, date = {2018-07-26}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2018/07/hidden-bee-miner-delivered-via-improved-drive-by-download-toolkit/}, language = {English}, urldate = {2019-10-21} } @online{hasherezade:20181112:whats:e44d5f3, author = {hasherezade}, title = {{What’s new in TrickBot? Deobfuscating elements}}, date = {2018-11-12}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/malware-threat-analysis/2018/11/whats-new-trickbot-deobfuscating-elements/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20190321:unpacking:8c38703, author = {hasherezade}, title = {{Unpacking Baldr stealer}}, date = {2019-03-21}, organization = {Youtube (hasherezade)}, url = {https://www.youtube.com/watch?v=E2V4kB_gtcQ}, language = {English}, urldate = {2019-07-11} } @online{hasherezade:20190406:unpacking:dc6a1be, author = {hasherezade}, title = {{Unpacking ISFB (including the custom 'PX' format)}}, date = {2019-04-06}, organization = {Youtube (hasherezade)}, url = {https://www.youtube.com/watch?v=KvOpNznu_3w}, language = {English}, urldate = {2019-11-29} } @online{hasherezade:20190531:hidden:14f8a1c, author = {hasherezade}, title = {{Hidden Bee: Let’s go down the rabbit hole}}, date = {2019-05-31}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2019/05/hidden-bee-lets-go-down-the-rabbit-hole/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20190724:deep:c7d1aed, author = {hasherezade}, title = {{A deep dive into Phobos ransomware}}, date = {2019-07-24}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2019/07/a-deep-dive-into-phobos-ransomware/}, language = {English}, urldate = {2020-01-13} } @online{hasherezade:20190815:hidden:d93c104, author = {hasherezade}, title = {{The Hidden Bee infection chain, part 1: the stegano pack}}, date = {2019-08-15}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2019/08/the-hidden-bee-infection-chain-part-1-the-stegano-pack/}, language = {English}, urldate = {2019-12-20} } @techreport{hasherezade:20200521:silent:95b5ce7, author = {hasherezade and prsecurity}, title = {{The “Silent Night” Zloader/Zbot}}, date = {2020-05-21}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2020/05/The-Silent-Night-Zloader-Zbot_Final.pdf}, language = {English}, urldate = {2020-05-23} } @online{hassold:20180326:silent:9ce69cd, author = {Crane Hassold}, title = {{Silent Librarian: More to the Story of the Iranian Mabna Institute Indictment}}, date = {2018-03-26}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/silent-librarian-more-to-the-story-of-the-iranian-mabna-institute-indictment}, language = {English}, urldate = {2020-01-07} } @online{hassold:20180405:silent:288fac9, author = {Crane Hassold}, title = {{Silent Librarian University Attacks Continue Unabated in Days Following Indictment}}, date = {2018-04-05}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/silent-librarian-university-attacks-continue-unabated-in-days-following-indictment}, language = {English}, urldate = {2019-10-23} } @online{haughom:20180806:reversing:8b4d9cf, author = {James Haughom}, title = {{Reversing Cerber - RaaS}}, date = {2018-08-06}, organization = {rinse and REpeat analysis}, url = {https://rinseandrepeatanalysis.blogspot.com/2018/08/reversing-cerber-raas.html}, language = {English}, urldate = {2020-01-08} } @online{haughom:20200310:iqy:1844f48, author = {James Haughom}, title = {{IQY files and Paradise Ransomware}}, date = {2020-03-10}, organization = {Lastline}, url = {https://www.lastline.com/labsblog/iqy-files-and-paradise-ransomware/}, language = {English}, urldate = {2020-06-17} } @online{haughom:20200602:evolution:3286d87, author = {James Haughom and Stefano Ortolani}, title = {{Evolution of Excel 4.0 Macro Weaponization}}, date = {2020-06-02}, organization = {Lastline Labs}, url = {https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/}, language = {English}, urldate = {2020-06-03} } @online{hausding:20170707:94:4d1e639, author = {Michael Hausding}, title = {{94 .ch & .li domain names hijacked and used for drive-by}}, date = {2017-07-07}, organization = {SWITCH Security Blog}, url = {https://securityblog.switch.ch/2017/07/07/94-ch-li-domain-names-hijacked-and-used-for-drive-by/}, language = {English}, urldate = {2020-01-07} } @online{hawley:20190129:apt39:926a2a1, author = {Sarah Hawley and Ben Read and Cristiana Brafman-Kittner and Nalani Fraser and Andrew Thompson and Yuri Rozhansky and Sanaz Yashar}, title = {{APT39: An Iranian Cyber Espionage Group Focused on Personal Information}}, date = {2019-01-29}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html}, language = {English}, urldate = {2019-12-20} } @online{hayashi:20130430:linuxcdorked:5456e0a, author = {Kaoru Hayashi and Joseph Bingham and Takayoshi Nakayama}, title = {{Linux.Cdorked}}, date = {2013-04-30}, organization = {Symantec}, url = {https://www.symantec.com/security-center/writeup/2013-050214-5501-99}, language = {English}, urldate = {2019-12-06} } @online{hayashi:20160509:krbanker:c59923f, author = {Kaoru Hayashi and Vicky Ray}, title = {{KRBanker Targets South Korea Through Adware and Exploit Kits}}, date = {2016-05-09}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/}, language = {English}, urldate = {2019-12-20} } @online{hayashi:20160915:mile:302680e, author = {Kaoru Hayashi}, title = {{MILE TEA: Cyber Espionage Campaign Targets Asia Pacific Businesses and Government Agencies}}, date = {2016-09-15}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/}, language = {English}, urldate = {2019-12-20} } @online{hayashi:20170215:banking:c5e917c, author = {Kaoru Hayashi}, title = {{Banking Trojans: Ursnif Global Distribution Networks Identified}}, date = {2017-02-15}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/}, language = {English}, urldate = {2019-10-25} } @online{hayashi:20170725:tick:d89ab89, author = {Kaoru Hayashi}, title = {{“Tick” Group Continues Attacks}}, date = {2017-07-25}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/}, language = {English}, urldate = {2019-12-20} } @online{hayashi:20180731:bisonal:2ca3a6b, author = {Kaoru Hayashi and Vicky Ray}, title = {{Bisonal Malware Used in Attacks Against Russia and South Korea}}, date = {2018-07-31}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/}, language = {English}, urldate = {2019-12-20} } @online{hayashi:20180731:bisonal:8ca9ce6, author = {Kaoru Hayashi and Vicky Ray}, title = {{Bisonal Malware Used in Attacks Against Russia and South Korea}}, date = {2018-07-31}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-bisonal-malware-used-attacks-russia-south-korea/}, language = {English}, urldate = {2020-07-20} } @online{hazmalware:20161227:analysis:4038ecb, author = {Hazmalware}, title = {{ANALYSIS OF AUGUST STEALER MALWARE}}, date = {2016-12-27}, url = {https://hazmalware.blogspot.de/2016/12/analysis-of-august-stealer-malware.html}, language = {English}, urldate = {2019-11-22} } @online{hazum:20200709:new:5e06825, author = {Aviran Hazum and Bogdan Melnykov and Israel Wernik}, title = {{New Joker variant hits Google Play with an old trick}}, date = {2020-07-09}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/}, language = {English}, urldate = {2020-07-11} } @techreport{heal:2018:complete:96388ed, author = {Quick Heal}, title = {{The Complete story of EMOTET Most prominent Malware of 2018}}, date = {2018}, institution = {Quick Heal}, url = {https://quickheal.co.in/documents/technical-paper/Whitepaper_HowToPM.pdf}, language = {English}, urldate = {2020-01-13} } @online{hegel:20170711:winnti:e03c673, author = {Tom Hegel and Nate Marx}, title = {{Winnti (LEAD/APT17) Evolution - Going Open Source}}, date = {2017-07-11}, organization = {401 TRG}, url = {https://401trg.pw/winnti-evolution-going-open-source/}, language = {English}, urldate = {2019-12-18} } @online{hegel:20171016:update:9033e56, author = {Tom Hegel}, title = {{An Update on Winnti (LEAD/APT17)}}, date = {2017-10-16}, organization = {401TRG}, url = {https://401trg.pw/an-update-on-winnti/}, language = {English}, urldate = {2019-08-05} } @online{hegel:20180503:burning:2837854, author = {Tom Hegel}, title = {{Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers}}, date = {2018-05-03}, organization = {ProtectWise}, url = {https://401trg.com/burning-umbrella/}, language = {English}, urldate = {2019-10-15} } @online{heinemeyer:20200402:catching:b7f137d, author = {Max Heinemeyer}, title = {{Catching APT41 exploiting a zero-day vulnerability}}, date = {2020-04-02}, organization = {Darktrace}, url = {https://www.darktrace.com/en/blog/catching-apt-41-exploiting-a-zero-day-vulnerability/}, language = {English}, urldate = {2020-04-13} } @online{helling:20200516:high:cf7dadf, author = {Robert Helling}, title = {{High Performance Hackers}}, date = {2020-05-16}, organization = {atdotde}, url = {https://atdotde.blogspot.com/2020/05/high-performance-hackers.html}, language = {English}, urldate = {2020-05-18} } @online{henderson:20180711:chinese:f0f3cbc, author = {Scott Henderson and Steve Miller and Dan Perez and Marcin Siedlarz and Ben Wilson and Ben Read}, title = {{Chinese Espionage Group TEMP.Periscope Targets Cambodia Ahead of July 2018 Elections and Reveals Broad Operations Globally}}, date = {2018-07-11}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html}, language = {English}, urldate = {2019-12-20} } @online{henderson:20200422:vietnamese:d9dc0db, author = {Scott Henderson and Gabby Roncone and Sarah Jones and John Hultquist and Ben Read}, title = {{Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage}}, date = {2020-04-22}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html}, language = {English}, urldate = {2020-04-26} } @online{heppner:20170227:betabot:68ba19f, author = {Ted Heppner}, title = {{Betabot: Configuration Data Extraction}}, date = {2017-02-27}, organization = {Sophos}, url = {https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/BetaBot.pdf?la=en}, language = {English}, urldate = {2020-01-13} } @online{herman:20200207:magecart:185b67b, author = {Jordan Herman}, title = {{Magecart Group 12’s Latest: Actors Behind Attacks on Olympics Ticket Re-sellers Deftly Swapped Domains to Continue Campaign}}, date = {2020-02-07}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/magecart-group-12-olympics/}, language = {English}, urldate = {2020-02-09} } @online{herman:20200609:misconfigured:75c6908, author = {Jordan Herman}, title = {{Misconfigured Amazon S3 Buckets Continue to be a Launchpad for Malicious Code}}, date = {2020-06-09}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/misconfigured-s3-buckets/}, language = {English}, urldate = {2020-06-10} } @online{hern:20170703:notpetya:ba6bc6c, author = {Alex Hern}, title = {{'NotPetya' malware attacks could warrant retaliation, says Nato affiliated-researcher}}, date = {2017-07-03}, organization = {The Guardian}, url = {https://www.theguardian.com/technology/2017/jul/03/notpetya-malware-attacks-ukraine-warrant-retaliation-nato-researcher-tomas-minarik}, language = {English}, urldate = {2019-07-11} } @online{hernandez:20170622:new:a5cf2c6, author = {Erye Hernandez and Danny Tsechansky}, title = {{The New and Improved macOS Backdoor from OceanLotus}}, date = {2017-06-22}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/}, language = {English}, urldate = {2019-12-20} } @online{hernandez:20200529:phishers:2759c33, author = {Elmer Hernandez}, title = {{Phishers Cast a Wider Net in the African Banking Sector}}, date = {2020-05-29}, organization = {Cofense}, url = {https://cofense.com/phishers-cast-wider-net-african-banking-sector/}, language = {English}, urldate = {2020-06-02} } @techreport{herr:20200729:breaking:d37db04, author = {Trey Herr and June Lee and William Loomis and Stewart Scott}, title = {{BREAKING TRUST: Shades of Crisis Across an Insecure Software Supply Chain}}, date = {2020-07-29}, institution = {Atlantic Council}, url = {https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf}, language = {English}, urldate = {2020-08-05} } @online{herzog:20181014:godzilla:0f2194a, author = {Ben Herzog}, title = {{Godzilla Loader and the Long Tail of Malware}}, date = {2018-10-14}, organization = {Check Point}, url = {https://research.checkpoint.com/godzilla-loader-and-the-long-tail-of-malware/}, language = {English}, urldate = {2020-01-09} } @online{herzog:20190520:malware:dac1524, author = {Ben Herzog}, title = {{Malware Against the C Monoculture}}, date = {2019-05-20}, organization = {Check Point}, url = {https://research.checkpoint.com/malware-against-the-c-monoculture/}, language = {English}, urldate = {2019-10-14} } @online{hfiref0x:20150328:uacme:f1b9f62, author = {hfiref0x}, title = {{UACME}}, date = {2015-03-28}, organization = {Github (hfiref0x)}, url = {https://github.com/hfiref0x/UACME}, language = {English}, urldate = {2020-01-06} } @online{hfiref0x:20190419:tdl:31ca191, author = {hfiref0x}, title = {{TDL (Turla Driver Loader) Repository}}, date = {2019-04-19}, organization = {Github (hfiref0x)}, url = {https://github.com/hfiref0x/TDL}, language = {English}, urldate = {2020-01-08} } @online{hfiref0x:20200120:dustman:70f16bf, author = {hfiref0x}, title = {{Dustman APT: Art of Copy-Paste}}, date = {2020-01-20}, organization = {The Vault Blog}, url = {https://swapcontext.blogspot.com/2020/01/dustman-apt-art-of-copy-paste.html}, language = {English}, urldate = {2020-01-22} } @online{higgins:20151013:prolific:0b6089c, author = {Kelly Jackson Higgins}, title = {{Prolific Cybercrime Gang Favors Legit Login Credentials}}, date = {2015-10-13}, organization = {DARKReading}, url = {https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645?}, language = {English}, urldate = {2020-01-10} } @online{higgins:20160209:chinese:1d80f84, author = {Kelly Jackson Higgins}, title = {{Chinese Cyberspies Pivot To Russia In Wake Of Obama-Xi Pact}}, date = {2016-02-09}, organization = {DARKReading}, url = {http://www.darkreading.com/endpoint/chinese-cyberspies-pivot-to-russia-in-wake-of-obama-xi-pact/d/d-id/1324242}, language = {English}, urldate = {2020-01-09} } @online{higgins:20190924:iranian:4966d90, author = {Kelly Jackson Higgins}, title = {{Iranian Government Hackers Target US Veterans}}, date = {2019-09-24}, organization = {DARKReading}, url = {https://www.darkreading.com/threat-intelligence/iranian-government-hackers-target-us-veterans/d/d-id/1335897}, language = {English}, urldate = {2020-03-22} } @online{hilt:20160914:bksod:f75ef88, author = {Stephen Hilt and William Gamazo Sanchez}, title = {{BkSoD by Ransomware: HDDCryptor Uses Commercial Tools to Encrypt Network Shares and Lock HDDs}}, date = {2016-09-14}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/}, language = {English}, urldate = {2020-01-09} } @online{hilt:20170824:malicious:7a258f4, author = {Stephen Hilt and Lord Alfred Remorin}, title = {{Malicious Chrome Extensions Stealing Roblox In-Game Currency, Sending Cookies via Discord}}, date = {2017-08-24}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/malicous-chrome-extensions-stealing-roblox-game-currency-sending-cookies-via-discord/}, language = {English}, urldate = {2019-12-16} } @online{hinchliffe:20170831:updated:fd02a16, author = {Alex Hinchliffe and Jen Miller-Osborn}, title = {{Updated KHRAT Malware Used in Cambodia Attacks}}, date = {2017-08-31}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/}, language = {English}, urldate = {2019-12-20} } @online{hinchliffe:20180313:henbox:4d61efe, author = {Alex Hinchliffe and Mike Harbison and Jen Miller-Osborn and Tom Lancaster}, title = {{HenBox: The Chickens Come Home to Roost}}, date = {2018-03-13}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/}, language = {English}, urldate = {2020-01-09} } @online{hinchliffe:20190226:farseer:62554e3, author = {Alex Hinchliffe and Mike Harbison}, title = {{Farseer: Previously Unknown Malware Family bolsters the Chinese armoury}}, date = {2019-02-26}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/farseer-previously-unknown-malware-family-bolsters-the-chinese-armoury/}, language = {English}, urldate = {2020-01-08} } @online{hinchliffe:20191003:pkplug:4a43ea5, author = {Alex Hinchliffe}, title = {{PKPLUG: Chinese Cyber Espionage Group Attacking Asia}}, date = {2019-10-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/}, language = {English}, urldate = {2020-01-07} } @online{hinchliffe:20200302:pulling:35771e7, author = {Alex Hinchliffe}, title = {{Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary}}, date = {2020-03-02}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/}, language = {English}, urldate = {2020-03-02} } @techreport{hines:20040130:mydoomb:1946152, author = {Eric S. Hines}, title = {{MyDoom.B Worm Analysis}}, date = {2004-01-30}, institution = {Applied Watch Technologies}, url = {http://ivanlef0u.fr/repo/madchat/vxdevl/papers/analysis/mydoom_b_analysis.pdf}, language = {English}, urldate = {2019-10-14} } @online{hirani:20190110:global:a53ec6a, author = {Muks Hirani and Sarah Jones and Ben Read}, title = {{Global DNS Hijacking Campaign: DNS Record Manipulation at Scale}}, date = {2019-01-10}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html}, language = {English}, urldate = {2019-12-20} } @online{hiroaki:20190827:ta505:9bcbff1, author = {Hara Hiroaki and Jaromír Hořejší and Loseway Lu}, title = {{TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy}}, date = {2019-08-27}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/}, language = {English}, urldate = {2019-11-27} } @online{hjelmvik:20141027:full:83d84ee, author = {Erik Hjelmvik}, title = {{Full Disclosure of Havex Trojans}}, date = {2014-10-27}, organization = {Netresec}, url = {http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans}, language = {English}, urldate = {2019-11-29} } @online{hk:20200429:gazorp:3aef446, author = {Fred HK}, title = {{Gazorp - Thieving from thieves}}, date = {2020-04-29}, organization = {FR3D.HK}, url = {https://fr3d.hk/blog/gazorp-thieving-from-thieves}, language = {English}, urldate = {2020-05-06} } @online{hk:20200810:diamondfox:d2a194b, author = {Fred HK}, title = {{DiamondFox - Bank Robbers will be replaced}}, date = {2020-08-10}, organization = {FR3D.HK}, url = {https://fr3d.hk/blog/diamondfox-bank-robbers-will-be-replaced}, language = {English}, urldate = {2020-08-12} } @online{hladik:20200730:obscured:41a50f3, author = {Joseph Hladik and Josh Fleischer}, title = {{Obscured by Clouds: Insights into Office 365 Attacks and How Mandiant Managed Defense Investigates}}, date = {2020-07-30}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/07/insights-into-office-365-attacks-and-how-managed-defense-investigates.html}, language = {English}, urldate = {2020-08-05} } @online{hoej:20161226:alphabet:3e422a6, author = {Jaromír Hořejší}, title = {{Tweet on Alphabet Ransomware}}, date = {2016-12-26}, organization = {Twitter (@JaromirHorejsi)}, url = {https://twitter.com/JaromirHorejsi/status/813714602466877440}, language = {English}, urldate = {2019-10-15} } @online{hoej:20161227:adamlocker:9266526, author = {Jaromír Hořejší}, title = {{Tweet on AdamLocker}}, date = {2016-12-27}, organization = {Twitter (@JaromirHorejsi)}, url = {https://twitter.com/JaromirHorejsi/status/813712587997249536}, language = {English}, urldate = {2020-01-10} } @online{hoej:20161227:shelllocker:e32df2e, author = {Jaromír Hořejší}, title = {{Tweet on ShellLocker}}, date = {2016-12-27}, organization = {Twitter (JaromirHorejsi)}, url = {https://twitter.com/JaromirHorejsi/status/813726714228604928}, language = {English}, urldate = {2019-12-10} } @online{hoej:20161227:venuslocker:0a9196a, author = {Jaromír Hořejší}, title = {{Tweet on VenusLocker}}, date = {2016-12-27}, organization = {Twitter (@JaromirHorejsi)}, url = {https://twitter.com/JaromirHorejsi/status/813690129088937984}, language = {English}, urldate = {2020-01-09} } @online{hoej:20170102:new:adaeda4, author = {Jaromír Hořejší}, title = {{Tweet on new ransomware}}, date = {2017-01-02}, organization = {Twitter (JaromirHorejsi)}, url = {https://twitter.com/JaromirHorejsi/status/815949909648150528}, language = {English}, urldate = {2019-12-04} } @online{hoej:20170102:ransomware:d94c3dd, author = {Jaromír Hořejší}, title = {{Tweet on Ransomware}}, date = {2017-01-02}, organization = {Twitter (JaromirHorejsi)}, url = {https://twitter.com/JaromirHorejsi/status/815861135882780673}, language = {English}, urldate = {2020-01-09} } @online{hoej:20170103:red:ed15894, author = {Jaromír Hořejší}, title = {{Tweet on Red Alert}}, date = {2017-01-03}, organization = {Twitter (@JaromirHorejsi)}, url = {https://twitter.com/JaromirHorejsi/status/816237293073797121}, language = {English}, urldate = {2020-01-09} } @online{hoej:20170106:cockblocker:90b91b4, author = {Jaromír Hořejší}, title = {{Tweet on Cockblocker Ransomware}}, date = {2017-01-06}, organization = {Twitter (JaromirHorejsi)}, url = {https://twitter.com/JaromirHorejsi/status/817311664391524352}, language = {English}, urldate = {2020-01-08} } @online{hoej:20170109:virustotal:0db44ac, author = {Jaromír Hořejší}, title = {{Tweet on Virustotal Sample}}, date = {2017-01-09}, organization = {Twitter (@JaromirHorejsi)}, url = {https://twitter.com/JaromirHorejsi/status/818369717371027456}, language = {English}, urldate = {2020-01-05} } @online{hoej:20170622:filecoder:ac5445f, author = {Jaromír Hořejší}, title = {{Tweet on Filecoder}}, date = {2017-06-22}, organization = {Twitter (@JaromirHorejsi)}, url = {https://twitter.com/JaromirHorejsi/status/877811773826641920}, language = {English}, urldate = {2020-01-13} } @online{hoej:20171005:syscon:48eb01a, author = {Jaromír Hořejší}, title = {{SYSCON Backdoor Uses FTP as a C&C Channel}}, date = {2017-10-05}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/}, language = {English}, urldate = {2019-10-14} } @online{hoej:20180312:campaign:00eb661, author = {Jaromír Hořejší}, title = {{Campaign Possibly Connected to “MuddyWater” Surfaces in the Middle East and Central Asia}}, date = {2018-03-12}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/}, language = {English}, urldate = {2020-01-13} } @online{hoej:20180314:tropic:352cf22, author = {Jaromír Hořejší and Joey Chen and Joseph C. Chen}, title = {{Tropic Trooper’s New Strategy}}, date = {2018-03-14}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/}, language = {English}, urldate = {2020-01-09} } @online{hoej:20180404:new:16fe860, author = {Jaromír Hořejší}, title = {{New MacOS Backdoor Linked to OceanLotus Found}}, date = {2018-04-04}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/}, language = {English}, urldate = {2020-01-13} } @online{hoej:20180821:supply:d426e6b, author = {Jaromír Hořejší and Joseph C. Chen and Kawabata Kohei and Kenney Lu}, title = {{Supply Chain Attack Operation Red Signature Targets South Korean Organizations}}, date = {2018-08-21}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/}, language = {English}, urldate = {2020-01-06} } @online{hoej:20190904:glupteba:230e916, author = {Jaromír Hořejší and Joseph C. Chen}, title = {{Glupteba Campaign Hits Network Routers and Updates C&C Servers with Data from Bitcoin Transactions}}, date = {2019-09-04}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/}, language = {English}, urldate = {2020-01-10} } @techreport{hoej:20191001:new:4a49a90, author = {Jaromír Hořejší and Joseph C. Chen}, title = {{New Fileless Botnet Novter Distributed by KovCoreG Malvertising Campaign}}, date = {2019-10-01}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/Tech-Brief-New-Fileless-Botnet-Novter-Distributed-by-KovCoreG-Malvertising-Campaign.pdf}, language = {English}, urldate = {2019-12-18} } @online{hoej:20191001:new:feb95a9, author = {Jaromír Hořejší and Joseph C. Chen}, title = {{New Fileless Botnet Novter Distributed by KovCoreG Malvertising Campaign}}, date = {2019-10-01}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-fileless-botnet-novter-distributed-by-kovcoreg-malvertising-campaign/}, language = {English}, urldate = {2019-10-15} } @techreport{hoej:20200311:operation:782b803, author = {Jaromír Hořejší and Joseph Chen}, title = {{Operation Overtrap Targets Japanese Online Banking Users Via Bottle Exploit Kit and Brand-New Cinobi Banking Trojan: Technical Brief}}, date = {2020-03-11}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/pdf/Tech%20Brief_Operation%20Overtrap%20Targets%20Japanese%20Online%20Banking%20Users.pdf}, language = {English}, urldate = {2020-03-11} } @online{hoej:20200311:operation:f03d64e, author = {Jaromír Hořejší and Joseph Chen}, title = {{Operation Overtrap Targets Japanese Online Banking Users Via Bottle Exploit Kit and Brand-New Cinobi Banking Trojan}}, date = {2020-03-11}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/operation-overtrap-targets-japanese-online-banking-users-via-bottle-exploit-kit-and-brand-new-cinobi-banking-trojan/}, language = {English}, urldate = {2020-03-11} } @online{hoffman:20141125:curious:57f7b6a, author = {Nick Hoffman}, title = {{Curious Korlia}}, date = {2014-11-25}, organization = {Adventures in Security}, url = {https://securitykitten.github.io/2014/11/25/curious-korlia.html}, language = {English}, urldate = {2019-10-18} } @online{hoffman:20141126:getmypass:5028f5e, author = {Nick Hoffman}, title = {{Getmypass Point of Sale Malware}}, date = {2014-11-26}, url = {https://securitykitten.github.io/2014/11/26/getmypass-point-of-sale-malware.html}, language = {English}, urldate = {2020-01-08} } @online{hoffman:20141201:lusypos:3df4156, author = {Nick Hoffman}, title = {{LusyPOS and Tor}}, date = {2014-12-01}, organization = {SecurityKitten Blog}, url = {https://securitykitten.github.io/2014/12/01/lusypos-and-tor.html}, language = {English}, urldate = {2019-08-07} } @online{hoffman:20150108:getmypass:1fa4beb, author = {Nick Hoffman}, title = {{Getmypass Point of Sale Malware Update}}, date = {2015-01-08}, organization = {SecurityKitten Blog}, url = {https://securitykitten.github.io/2015/01/08/getmypass-point-of-sale-malware-update.html}, language = {English}, urldate = {2019-07-10} } @online{hoffman:20150111:mozart:025c466, author = {Nick Hoffman}, title = {{The Mozart RAM Scraper}}, date = {2015-01-11}, organization = {Security Kitten Blog}, url = {https://securitykitten.github.io/2015/01/11/the-mozart-ram-scraper.html}, language = {English}, urldate = {2020-01-06} } @online{hoffman:20150714:bernhardpos:c1e10e7, author = {Nick Hoffman}, title = {{BernhardPOS}}, date = {2015-07-14}, url = {https://securitykitten.github.io/2015/07/14/bernhardpos.html}, language = {English}, urldate = {2020-01-08} } @online{hoffman:20151116:introducing:eed78d1, author = {Nick Hoffman}, title = {{Introducing LogPOS}}, date = {2015-11-16}, url = {https://securitykitten.github.io/2015/11/16/logpos-new-point-of-sale-malware-using-mailslots.html}, language = {English}, urldate = {2020-01-07} } @online{hoffman:20161115:scanpos:4f3423a, author = {Nick Hoffman}, title = {{ScanPOS, new POS malware being distributed by Kronos}}, date = {2016-11-15}, url = {https://securitykitten.github.io/2016/11/15/scanpos.html}, language = {English}, urldate = {2020-01-08} } @online{hoffman:20161128:klrd:dc173ab, author = {Nick Hoffman}, title = {{The KLRD Keylogger}}, date = {2016-11-28}, organization = {SecurityKitten Blog}, url = {https://securitykitten.github.io/2016/11/28/the-klrd-keylogger.html}, language = {English}, urldate = {2020-01-08} } @online{hoffman:20161214:mikey:300fbdb, author = {Nick Hoffman}, title = {{MiKey - A Linux keylogger}}, date = {2016-12-14}, organization = {Adventures in Security}, url = {https://securitykitten.github.io/2016/12/14/mikey.html}, language = {English}, urldate = {2020-01-08} } @techreport{hoffman:20170215:deep:37a8ef5, author = {Nick Hoffman and Jeremy Humble}, title = {{Deep Dive on the DragonOK Rambo Backdoor}}, date = {2017-02-15}, institution = {Morphick}, url = {https://github.com/m0n0ph1/APT_CyberCriminal_Campagin_Collections-1/blob/master/2017/2017.02.15.deep-dive-dragonok-rambo-backdoor/Deep%20Dive%20on%20the%20DragonOK%20Rambo%20Backdoor%20_%20Morphick%20Cyber%20Security.pdf}, language = {English}, urldate = {2020-04-08} } @online{hoffman:20170215:rambo:fef31fe, author = {Nick Hoffman}, title = {{The Rambo Backdoor}}, date = {2017-02-15}, organization = {Adventures in Security}, url = {https://securitykitten.github.io/2017/02/15/the-rambo-backdoor.html}, language = {English}, urldate = {2020-01-10} } @techreport{holban:201805:mtrends:b30aba2, author = {Anca Holban}, title = {{M-Trends May 2018: From the field}}, date = {2018-05}, institution = {FireEye}, url = {https://mkd-cirt.mk/wp-content/uploads/2018/08/20181009_3_1_M-Trends2018-May-2018-compressed.pdf}, language = {English}, urldate = {2020-01-06} } @online{holland:20190719:analysis:06a9a1c, author = {Alex Holland}, title = {{An Analysis of L0rdix RAT, Panel and Builder}}, date = {2019-07-19}, organization = {HP}, url = {https://www.bromium.com/an-analysis-of-l0rdix-rat-panel-and-builder/}, language = {English}, urldate = {2020-01-07} } @online{holland:20190801:decrypting:3885751, author = {Alex Holland}, title = {{Decrypting L0rdix RAT’s C2}}, date = {2019-08-01}, organization = {Bromium}, url = {https://www.bromium.com/decrypting-l0rdix-rats-c2/}, language = {English}, urldate = {2020-01-07} } @online{holland:20190903:deobfuscating:22e33f3, author = {Alex Holland}, title = {{Deobfuscating Ostap: TrickBot’s 34,000 Line JavaScript Downloader}}, date = {2019-09-03}, organization = {Bromium}, url = {https://www.bromium.com/deobfuscating-ostap-trickbots-javascript-downloader/}, language = {English}, urldate = {2020-01-06} } @online{holland:20190905:l0rdix:2472b65, author = {Alex Holland}, title = {{l0rdix C2 traffic decryptor}}, date = {2019-09-05}, organization = {Github (cryptogramfan)}, url = {https://github.com/cryptogramfan/Malware-Analysis-Scripts/blob/master/decrypt_l0rdix_c2.py}, language = {English}, urldate = {2020-01-13} } @online{holland:20190912:ostap:9374bd2, author = {Alex Holland}, title = {{Ostap Deobfuscation script}}, date = {2019-09-12}, organization = {Github (cryptogramfan)}, url = {https://github.com/cryptogramfan/Malware-Analysis-Scripts/blob/master/deobfuscate_ostap.py}, language = {English}, urldate = {2020-01-06} } @online{holland:20200621:investigating:1dc98a0, author = {Alex Holland}, title = {{Investigating Threats in HP Sure Controller 4.2: TVRAT}}, date = {2020-06-21}, organization = {Bromium}, url = {https://threatresearch.ext.hp.com/investigating-threats-in-hp-sure-controller-4-2/}, language = {English}, urldate = {2020-07-11} } @online{holland:20200701:aggah:7dd38ba, author = {Alex Holland}, title = {{Aggah Campaign’s Latest Tactics: Victimology, PowerPoint Dropper and Cryptocurrency Stealer}}, date = {2020-07-01}, organization = {HP}, url = {https://threatresearch.ext.hp.com/aggah-campaigns-latest-tactics-victimology-powerpoint-dropper-and-cryptocurrency-stealer/}, language = {English}, urldate = {2020-07-17} } @techreport{honeywell:202006:usb:0b58405, author = {Honeywell}, title = {{USB Security-Myths vs. Reality}}, date = {2020-06}, institution = {}, url = {http://honeywellprocess.blob.core.windows.net/public/Marketing/White-Paper-USB-Security-Myths-vs-Reality.pdf}, language = {English}, urldate = {2020-07-15} } @online{hopfengetraenk:20190525:fasdisassembler:aed58f5, author = {Hopfengetraenk}, title = {{Fas-Disassembler for Visuallisp 0.8}}, date = {2019-05-25}, organization = {Github (Hopfengetraenk)}, url = {https://github.com/Hopfengetraenk/Fas-Disasm}, language = {English}, urldate = {2020-01-13} } @techreport{hork:20191206:demystifying:1285ddd, author = {Juraj Horňák and Jakub Souček}, title = {{Demystifying banking trojans from Latin America}}, date = {2019-12-06}, institution = {Botconf}, url = {https://www.botconf.eu/wp-content/uploads/2019/12/B2019-Soucek-Hornak-DemystifyingBankingTrojansFromLatinAmerica.pdf}, language = {English}, urldate = {2020-05-05} } @online{hosseini:20170718:ten:600fd92, author = {Ashkan Hosseini}, title = {{Ten process injection techniques: A technical survey of common and trending process injection techniques}}, date = {2017-07-18}, organization = {Elastic}, url = {https://www.elastic.co/de/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process}, language = {English}, urldate = {2020-07-15} } @online{hosseini:20170718:ten:af036b3, author = {Ashkan Hosseini}, title = {{Ten process injection techniques: A technical survey of common and trending process injection techniques}}, date = {2017-07-18}, organization = {Elastic}, url = {https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process}, language = {English}, urldate = {2020-07-15} } @online{hosseini:20170718:ten:fa1e393, author = {Ashkan Hosseini}, title = {{Ten Process Injection Techniques: A Technical Survey of Common and Trending Process Injection Techniques}}, date = {2017-07-18}, organization = {Endgame}, url = {https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process}, language = {English}, urldate = {2020-01-09} } @online{hpp:20200507:ruhruniversitt:7991318, author = {hpp}, title = {{Ruhr-Universität Bochum meldet Computerangriff}}, date = {2020-05-07}, organization = {Der Spiegel}, url = {https://www.spiegel.de/netzwelt/web/ruhr-uni-bochum-offenbar-opfer-von-computerangriff-a-c42754cc-72dc-4d34-8b58-bb0008619c05?utm_source=dlvr.it&utm_medium=twitter#ref=rss}, language = {English}, urldate = {2020-07-06} } @online{hrka:20191126:stantinko:0fbdd59, author = {Vladislav Hrčka}, title = {{Stantinko botnet adds cryptomining to its pool of criminal activities}}, date = {2019-11-26}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/11/26/stantinko-botnet-adds-cryptomining-criminal-activities/}, language = {English}, urldate = {2020-01-12} } @online{hrka:20200319:stantinkos:b6a60f8, author = {Vladislav Hrčka}, title = {{Stantinko’s new cryptominer features unique obfuscation techniques}}, date = {2020-03-19}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/03/19/stantinko-new-cryptominer-unique-obfuscation-techniques/}, language = {English}, urldate = {2020-03-26} } @online{hrka:20200807:stadeo:9fc4787, author = {Vladislav Hrčka}, title = {{Stadeo: Deobfuscating Stantinko and more}}, date = {2020-08-07}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/08/07/stadeo-deobfuscating-stantinko-and-more/}, language = {English}, urldate = {2020-08-14} } @online{hromcov:20180607:invisimole:5c5f0ed, author = {Zuzana Hromcová}, title = {{InvisiMole: Surprisingly equipped spyware, undercover since 2013}}, date = {2018-06-07}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/}, language = {English}, urldate = {2019-11-14} } @online{hromcov:20190708:malicious:f712ebc, author = {Zuzana Hromcová}, title = {{Malicious campaign targets South Korean users with backdoor‑laced torrents}}, date = {2019-07-08}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/}, language = {English}, urldate = {2019-11-14} } @online{hromcov:20190718:okrum:3841a95, author = {Zuzana Hromcová}, title = {{Okrum: Ke3chang group targets diplomatic missions}}, date = {2019-07-18}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/07/18/okrum-ke3chang-targets-diplomatic-missions/}, language = {English}, urldate = {2019-11-14} } @online{hromcov:20190814:in:4da809c, author = {Zuzana Hromcová}, title = {{In the Balkans, businesses are under fire from a double‑barreled weapon}}, date = {2019-08-14}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/08/14/balkans-businesses-double-barreled-weapon/}, language = {English}, urldate = {2019-11-14} } @online{hromcov:20191010:eset:70f9671, author = {Zuzana Hromcová}, title = {{ESET discovers Attor, a spy platform with curious GSM fingerprinting}}, date = {2019-10-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform}, language = {English}, urldate = {2020-04-06} } @online{hromcov:20191010:eset:d4155ed, author = {Zuzana Hromcová}, title = {{ESET discovers Attor, a spy platform with curious GSM fingerprinting}}, date = {2019-10-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform/}, language = {English}, urldate = {2020-02-13} } @techreport{hromcov:201910:at:3b4754e, author = {Zuzana Hromcová}, title = {{AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM}}, date = {2019-10}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf}, language = {English}, urldate = {2020-01-13} } @techreport{hromcov:20200608:invisimole:70a4dc1, author = {Zuzana Hromcová and Anton Cherepanov}, title = {{InvisiMole: The Hidden Part of the Story - Unearthing InvisiMole's Espionage Toolset and Strategic Cooperations}}, date = {2020-06-08}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf}, language = {English}, urldate = {2020-06-29} } @online{hromcov:20200618:digging:285d02f, author = {Zuzana Hromcová and Anton Cherepanov}, title = {{Digging up InvisiMole’s hidden arsenal}}, date = {2020-06-18}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal/}, language = {English}, urldate = {2020-06-29} } @online{hsu:20200624:lucifer:5fc044c, author = {Ken Hsu and Durgesh Sangvikar and Zhibin Zhang and Chris Navarrete}, title = {{Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices}}, date = {2020-06-24}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/}, language = {English}, urldate = {2020-06-24} } @online{huang:20170705:security:8819459, author = {Kevin Y. Huang}, title = {{Security 101: The Impact of Cryptocurrency-Mining Malware}}, date = {2017-07-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/security-101-the-impact-of-cryptocurrency-mining-malware}, language = {English}, urldate = {2020-01-07} } @online{hulcoop:20161117:its:b644801, author = {Adam Hulcoop and Matt Brooks and Etienne Maynier and John Scott-Railton and Masashi Crete-Nishihata}, title = {{It’s Parliamentary - KeyBoy and the targeting of the Tibetan Community}}, date = {2016-11-17}, organization = {CitizenLab}, url = {https://citizenlab.ca/2016/11/parliament-keyboy/}, language = {English}, urldate = {2019-07-11} } @online{hultquist:20190416:spear:a0125cb, author = {John Hultquist and Ben Read and Oleg Bondarenko and Chi-en Shen}, title = {{Spear Phishing Campaign Targets Ukraine Government and Military; Infrastructure Reveals Potential Link to So-Called Luhansk People's Republic}}, date = {2019-04-16}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html}, language = {English}, urldate = {2019-12-20} } @online{humphrey:20180612:cve20178570:4d94250, author = {Ben Humphrey}, title = {{CVE-2017-8570 RTF and the Sisfader RAT}}, date = {2018-06-12}, organization = {NCC Group}, url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/}, language = {English}, urldate = {2020-01-07} } @online{humphrey:20181122:turla:de7f30a, author = {Ben Humphrey}, title = {{Turla PNG Dropper is back}}, date = {2018-11-22}, organization = {nccgroup}, url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/}, language = {English}, urldate = {2019-11-21} } @online{hungenberg:20191106:emotet:1605954, author = {Thomas Hungenberg}, title = {{Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail}}, date = {2019-11-06}, organization = {Heise Security}, url = {https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html}, language = {German}, urldate = {2020-01-06} } @online{hunter:20181120:l0rdix:bf0024c, author = {Ben Hunter}, title = {{L0RDIX: MULTIPURPOSE ATTACK TOOL}}, date = {2018-11-20}, organization = {enSilo}, url = {https://blog.ensilo.com/l0rdix-attack-tool}, language = {English}, urldate = {2019-12-17} } @online{hunter:20190524:uncovering:7d8776e, author = {Ben Hunter}, title = {{Uncovering new Activity by APT10}}, date = {2019-05-24}, organization = {enSilo}, url = {https://blog.ensilo.com/uncovering-new-activity-by-apt10}, language = {English}, urldate = {2020-01-13} } @online{hunter:20200701:ekans:46605bc, author = {Ben Hunter and Fred Gutierrez}, title = {{EKANS Ransomware Targeting OT ICS Systems}}, date = {2020-07-01}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems}, language = {English}, urldate = {2020-07-06} } @techreport{huq:201409:pos:e79a593, author = {Numaan Huq}, title = {{PoS RAM Scraper Malware}}, date = {2014-09}, institution = {Wired}, url = {https://www.wired.com/wp-content/uploads/2014/09/wp-pos-ram-scraper-malware.pdf}, language = {English}, urldate = {2020-01-07} } @online{huq:20160919:untangling:daa62bd, author = {Numaan Huq}, title = {{Untangling the Ripper ATM Malware}}, date = {2016-09-19}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/untangling-ripper-atm-malware/}, language = {English}, urldate = {2019-11-26} } @online{hurk:20191010:nemty:3be8553, author = {Frank van den Hurk}, title = {{Nemty update: decryptors for Nemty 1.5 and 1.6}}, date = {2019-10-10}, organization = {Tesorion}, url = {https://www.tesorion.nl/nemty-update-decryptors-for-nemty-1-5-and-1-6/}, language = {English}, urldate = {2019-10-23} } @online{hurley:20170703:notpetya:1453645, author = {Shaun Hurley and Karan Sood}, title = {{NotPetya Technical Analysis Part II: Further Findings and Potential for MBR Recovery}}, date = {2017-07-03}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/petrwrap-technical-analysis-part-2-further-findings-and-potential-for-mbr-recovery/}, language = {English}, urldate = {2019-12-20} } @online{hurley:20190103:digging:5219f6d, author = {Shaun Hurley and James Scalise}, title = {{Digging into BokBot’s Core Module}}, date = {2019-01-03}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/digging-into-bokbots-core-module/}, language = {English}, urldate = {2019-12-20} } @online{hurley:20190321:interception:7e57329, author = {Shaun Hurley and James Scalise}, title = {{Interception: Dissecting BokBot’s “Man in the Browser”}}, date = {2019-03-21}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/bokbots-man-in-the-browser-overview/}, language = {English}, urldate = {2019-12-20} } @online{hurley:20200501:many:22ed72c, author = {Shaun Hurley}, title = {{The Many Paths Through Maze}}, date = {2020-05-01}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/maze-ransomware-deobfuscation/}, language = {English}, urldate = {2020-05-05} } @online{huss:20151111:abaddonpos:ca72c4c, author = {Darien Huss}, title = {{AbaddonPOS: A new point of sale threat linked to Vawtrak}}, date = {2015-11-11}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/AbaddonPOS-A-New-Point-Of-Sale-Threat-Linked-To-Vawtrak}, language = {English}, urldate = {2019-12-20} } @online{huss:20160128:exploring:7f85d44, author = {Darien Huss}, title = {{Exploring Bergard: Old Malware with New Tricks}}, date = {2016-01-28}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks}, language = {English}, urldate = {2019-12-20} } @techreport{huss:20160301:operation:65330f0, author = {Darien Huss}, title = {{Operation Transparent Tribe}}, date = {2016-03-01}, institution = {Proofpoint}, url = {https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf}, language = {English}, urldate = {2019-12-02} } @online{huss:20170202:oops:ea454d5, author = {Darien Huss and Pierre T and Axel F and Proofpoint Staff}, title = {{Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX}}, date = {2017-02-02}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx}, language = {English}, urldate = {2019-12-20} } @online{huss:20170817:turla:b519667, author = {Darien Huss}, title = {{Turla APT actor refreshes KopiLuwak JavaScript backdoor for use in G20-themed attack}}, date = {2017-08-17}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack}, language = {English}, urldate = {2019-12-20} } @online{huss:20170825:operation:87e2e2b, author = {Darien Huss and Matthew Mesa}, title = {{Operation RAT Cook: Chinese APT actors use fake Game of Thrones leaks as lures}}, date = {2017-08-25}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures}, language = {English}, urldate = {2019-12-20} } @techreport{huss:20171219:north:b2da03e, author = {Darien Huss}, title = {{North Korea Bitten by Bitcoin Bug}}, date = {2017-12-19}, institution = {Proofpoint}, url = {https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf}, language = {English}, urldate = {2019-10-18} } @online{huss:20171219:north:e5ef6da, author = {Darien Huss}, title = {{North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group}}, date = {2017-12-19}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new}, language = {English}, urldate = {2019-12-20} } @techreport{huss:20180129:north:438b45d, author = {Darien Huss}, title = {{North Korea Bitten by Bitcoin Bug}}, date = {2018-01-29}, institution = {Proofpoint}, url = {https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug-180129.pdf}, language = {English}, urldate = {2020-01-05} } @online{hussey:20200625:golden:51322e2, author = {Brian Hussey}, title = {{The Golden Tax Department and the Emergence of GoldenSpy Malware}}, date = {2020-06-25}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/}, language = {English}, urldate = {2020-06-26} } @online{hussey:20200630:goldenspy:1ecdff8, author = {Brian Hussey}, title = {{GoldenSpy: Chapter Two - The Uninstaller}}, date = {2020-06-30}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-two-the-uninstaller/}, language = {English}, urldate = {2020-07-02} } @online{hussey:20200702:goldenspy:31c222a, author = {Brian Hussey}, title = {{GoldenSpy Chapter 3: New and Improved Uninstaller}}, date = {2020-07-02}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-3-new-and-improved-uninstaller/}, language = {English}, urldate = {2020-07-15} } @online{hussey:20200714:goldenspy:a870540, author = {Brian Hussey}, title = {{GoldenSpy Chapter 4: GoldenHelper Malware Embedded in Official Golden Tax Software}}, date = {2020-07-14}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-4-goldenhelper-malware-embedded-in-official-golden-tax-software/}, language = {English}, urldate = {2020-07-15} } @online{huynh:20200806:bypassing:83c2a87, author = {Nhan Huynh}, title = {{Bypassing MassLogger Anti-Analysis — a Man-in-the-Middle Approach}}, date = {2020-08-06}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/08/bypassing-masslogger-anti-analysis-man-in-the-middle-approach.html}, language = {English}, urldate = {2020-08-12} } @online{hybridanalysis:20150413:sqlconnt1exe:86539cc, author = {Hybrid-Analysis}, title = {{sqlconnt1.exe}}, date = {2015-04-13}, organization = {Hybrid-Analysis}, url = {https://www.hybrid-analysis.com/sample/5d631d77401615d53f3ce3dbc2bfee5d934602dc35d488aa7cebf9b3ff1c4816?environmentId=2}, language = {English}, urldate = {2020-01-13} } @online{hybridanalysis:20180208:analysis:70d43bc, author = {Hybrid-Analysis}, title = {{Analysis Run}}, date = {2018-02-08}, organization = {Hybrid-Analysis}, url = {https://www.hybrid-analysis.com/sample/dfc56a704b5e031f3b0d2d0ea1d06f9157758ad950483b44ac4b77d33293cb38?environmentId=100}, language = {English}, urldate = {2020-01-08} } @online{hydro:20190416:cyber:ada48a4, author = {Norsk Hydro}, title = {{The cyber attack rescue operation in Hydro Toulouse}}, date = {2019-04-16}, organization = {Youtube (Norsk Hydro)}, url = {https://www.youtube.com/watch?v=o6eEN0mUakM}, language = {English}, urldate = {2020-01-13} } @online{hyppnen:20110828:windows:e9fb853, author = {Mikko Hyppönen}, title = {{Windows Remote Desktop Worm "Morto" Spreading}}, date = {2011-08-28}, organization = {F-Secure}, url = {https://www.f-secure.com/weblog/archives/00002227.html}, language = {English}, urldate = {2019-07-11} } @online{idf:20170205:hamas:b96235f, author = {IDF}, title = {{Hamas Uses Fake Facebook Profiles to Target Israeli Soldiers}}, date = {2017-02-05}, organization = {IDF}, url = {https://www.idf.il/en/minisites/hamas/hamas-uses-fake-facebook-profiles-to-target-israeli-soldiers/}, language = {English}, urldate = {2019-12-31} } @online{ii:20181220:with:8e827ba, author = {Augusto Remillano II and Mark Vicente}, title = {{With Mirai Comes Miori: IoT Botnet Delivered via ThinkPHP Remote Code Execution Exploit}}, date = {2018-12-20}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/with-mirai-comes-miori-iot-botnet-delivered-via-thinkphp-remote-code-execution-exploit/}, language = {English}, urldate = {2019-11-29} } @online{ii:20190507:cve20193396:42de798, author = {Augusto Remillano II and Robert Malagad}, title = {{CVE-2019-3396 Redux: Confluence Vulnerability Exploited to Deliver Cryptocurrency Miner With Rootkit}}, date = {2019-05-07}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/cve-2019-3396-redux-confluence-vulnerability-exploited-to-deliver-cryptocurrency-miner-with-rootkit/}, language = {English}, urldate = {2020-01-13} } @online{ii:20200622:xorddos:d41d1a7, author = {Augusto Remillano II}, title = {{XORDDoS, Kaiji Botnet Malware Variants Target Exposed Docker Servers}}, date = {2020-06-22}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers/}, language = {English}, urldate = {2020-06-24} } @online{ilascu:20180822:turla:b3753aa, author = {Ionut Ilascu}, title = {{Turla Outlook Backdoor Uses Clever Tactics for Stealth and Persistence}}, date = {2018-08-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/turla-outlook-backdoor-uses-clever-tactics-for-stealth-and-persistence/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20180830:cobalt:a5490e1, author = {Ionut Ilascu}, title = {{Cobalt Hacking Group Tests Banks In Russia and Romania}}, date = {2018-08-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/cobalt-hacking-group-tests-banks-in-russia-and-romania/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20180905:windows:8d74121, author = {Ionut Ilascu}, title = {{Windows Task Scheduler Zero Day Exploited by Malware}}, date = {2018-09-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/windows-task-scheduler-zero-day-exploited-by-malware/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20180907:domestic:18a5d5c, author = {Ionut Ilascu}, title = {{Domestic Kitten APT Operates in Silence Since 2016}}, date = {2018-09-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/domestic-kitten-apt-operates-in-silence-since-2016/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20180911:british:392218c, author = {Ionut Ilascu}, title = {{British Airways Fell Victim To Card Scraping Attack}}, date = {2018-09-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/british-airways-fell-victim-to-card-scraping-attack/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20180927:apt28:12917be, author = {Ionut Ilascu}, title = {{APT28 Uses LoJax, First UEFI Rootkit Seen in the Wild}}, date = {2018-09-27}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20181001:report:67e6316, author = {Ionut Ilascu}, title = {{Report Ties North Korean Attacks to New Malware, Linked by Word Macros}}, date = {2018-10-01}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/report-ties-north-korean-attacks-to-new-malware-linked-by-word-macros/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20181009:magecart:fc6ccf4, author = {Ionut Ilascu}, title = {{Magecart Group Compromises Plugin Used in Thousands of Stores, Makes Rookie Mistake}}, date = {2018-10-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/magecart-group-compromises-plugin-used-in-thousands-of-stores-makes-rookie-mistake/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20181121:magecart:e366b8b, author = {Ionut Ilascu}, title = {{MageCart Group Sabotages Rival to Ruin Data and Reputation}}, date = {2018-11-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/magecart-group-sabotages-rival-to-ruin-data-and-reputation/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20181207:netbooks:a99cef1, author = {Ionut Ilascu}, title = {{Netbooks, RPis, & Bash Bunny Gear - Attacking Banks from the Inside}}, date = {2018-12-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/netbooks-rpis-and-bash-bunny-gear-attacking-banks-from-the-inside/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20190107:gandcrab:8167b7f, author = {Ionut Ilascu}, title = {{GandCrab Operators Use Vidar Infostealer as a Forerunner}}, date = {2019-01-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20190110:ta505:12f4881, author = {Ionut Ilascu}, title = {{TA505 Group Adopts New ServHelper Backdoor and FlawedGrace RAT}}, date = {2019-01-10}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ta505-group-adopts-new-servhelper-backdoor-and-flawedgrace-rat/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20190123:new:113a751, author = {Ionut Ilascu}, title = {{New Anatova Ransomware Supports Modules for Extra Functionality}}, date = {2019-01-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-anatova-ransomware-supports-modules-for-extra-functionality/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20190130:new:5c2d8da, author = {Ionut Ilascu}, title = {{New LockerGoga Ransomware Allegedly Used in Altran Attack}}, date = {2019-01-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20190222:cr1ptt0r:990b8aa, author = {Ionut Ilascu}, title = {{Cr1ptT0r Ransomware Infects D-Link NAS Devices, Targets Embedded Systems}}, date = {2019-02-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/cr1ptt0r-ransomware-infects-d-link-nas-devices-targets-embedded-systems/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20190303:op:89fdbdd, author = {Ionut Ilascu}, title = {{Op 'Sharpshooter' Connected to North Korea's Lazarus Group}}, date = {2019-03-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/op-sharpshooter-connected-to-north-koreas-lazarus-group/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20190626:new:3ea2210, author = {Ionut Ilascu}, title = {{New Silex Malware Trashes IoT Devices Using Default Passwords}}, date = {2019-06-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-silex-malware-trashes-iot-devices-using-default-passwords/}, language = {English}, urldate = {2020-01-08} } @online{ilascu:20190806:new:a045b9f, author = {Ionut Ilascu}, title = {{New Echobot Botnet Variant Uses Over 50 Exploits to Propagate}}, date = {2019-08-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-echobot-botnet-variant-uses-over-50-exploits-to-propagate/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20190826:new:20f0561, author = {Ionut Ilascu}, title = {{New Nemty Ransomware May Spread via Compromised RDP Connections}}, date = {2019-08-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-nemty-ransomware-may-spread-via-compromised-rdp-connections/}, language = {English}, urldate = {2020-01-07} } @online{ilascu:20190830:look:9a976c7, author = {Ionut Ilascu}, title = {{A Look Inside the Highly Profitable Sodinokibi Ransomware Business}}, date = {2019-08-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/a-look-inside-the-highly-profitable-sodinokibi-ransomware-business/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20190903:nemty:459166a, author = {Ionut Ilascu}, title = {{Nemty Ransomware Gets Distribution from RIG Exploit Kit}}, date = {2019-09-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/nemty-ransomware-gets-distribution-from-rig-exploit-kit/}, language = {English}, urldate = {2020-01-08} } @online{ilascu:20190908:fake:3f0addd, author = {Ionut Ilascu}, title = {{Fake PayPal Site Spreads Nemty Ransomware}}, date = {2019-09-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fake-paypal-site-spreads-nemty-ransomware/}, language = {English}, urldate = {2020-01-13} } @online{ilascu:20191115:new:533f0a6, author = {Ionut Ilascu}, title = {{New NextCry Ransomware Encrypts Data on NextCloud Linux Servers}}, date = {2019-11-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-nextcry-ransomware-encrypts-data-on-nextcloud-linux-servers/}, language = {English}, urldate = {2020-01-06} } @online{ilascu:20200106:sodinokibi:1feb8a3, author = {Ionut Ilascu}, title = {{Sodinokibi Ransomware Hits Travelex, Demands $3 Million}}, date = {2020-01-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-travelex-demands-3-million/}, language = {English}, urldate = {2020-01-13} } @online{ilascu:20200526:new:5905063, author = {Ionut Ilascu}, title = {{New [F]Unicorn ransomware hits Italy via fake COVID-19 infection map}}, date = {2020-05-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-f-unicorn-ransomware-hits-italy-via-fake-covid-19-infection-map/}, language = {English}, urldate = {2020-06-08} } @online{ilascu:20200528:michigan:a52712f, author = {Ionut Ilascu}, title = {{Michigan State University network breached in ransomware attack}}, date = {2020-05-28}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/michigan-state-university-network-breached-in-ransomware-attack/}, language = {English}, urldate = {2020-05-29} } @online{ilascu:20200608:honda:59ddaf6, author = {Ionut Ilascu}, title = {{Honda investigates possible ransomware attack, networks impacted}}, date = {2020-06-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/honda-investigates-possible-ransomware-attack-networks-impacted/}, language = {English}, urldate = {2020-06-10} } @online{ilascu:20200613:black:f18a453, author = {Ionut Ilascu}, title = {{Black Kingdom ransomware hacks networks with Pulse VPN flaws}}, date = {2020-06-13}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/black-kingdom-ransomware-hacks-networks-with-pulse-vpn-flaws/}, language = {English}, urldate = {2020-06-16} } @online{ilascu:20200623:ryuk:c63b0c6, author = {Ionut Ilascu}, title = {{Ryuk ransomware deployed two weeks after Trickbot infection}}, date = {2020-06-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-deployed-two-weeks-after-trickbot-infection/}, language = {English}, urldate = {2020-06-30} } @online{ilascu:20200731:gandcrab:f2cd6ef, author = {Ionut Ilascu}, title = {{GandCrab ransomware operator arrested in Belarus}}, date = {2020-07-31}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-operator-arrested-in-belarus/}, language = {English}, urldate = {2020-08-05} } @online{imano:20110311:trojankoredos:414e359, author = {Shunichi Imano}, title = {{Trojan.Koredos Comes with an Unwelcomed Surprise}}, date = {2011-03-11}, organization = {Symantec}, url = {https://web.archive.org/web/20131123012339/https://www.symantec.com/connect/blogs/trojankoredos-comes-unwelcomed-surprise}, language = {English}, urldate = {2020-04-21} } @online{imano:20110311:trojankoredos:c3aa3c6, author = {Shunichi Imano}, title = {{Trojan.Koredos Comes with an Unwelcomed Surprise}}, date = {2011-03-11}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/trojankoredos-comes-unwelcomed-surprise}, language = {English}, urldate = {2020-01-10} } @online{ims0rry:20171230:analysis:f221c40, author = {ims0rry}, title = {{Analysis DarkSky Botnet}}, date = {2017-12-30}, organization = {Telegra.ph blog}, url = {http://telegra.ph/Analiz-botneta-DarkSky-12-30}, language = {English}, urldate = {2020-01-08} } @techreport{inc:20190508:2019:3c20a3b, author = {Verizon Communications Inc.}, title = {{2019 Data Breach Investigations Report}}, date = {2019-05-08}, institution = {Verizon Communications Inc.}, url = {https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf}, language = {English}, urldate = {2020-05-10} } @online{incibe:20200408:ransomware:61b8c41, author = {INCIBE}, title = {{Ransomware NetWalker: análisis y medidas preventivas}}, date = {2020-04-08}, organization = {INCIBE-CERT}, url = {https://www.incibe-cert.es/blog/ransomware-netwalker-analisis-y-medidas-preventivas}, language = {Spanish}, urldate = {2020-04-14} } @online{inglot:2017:attacker:3af6c23, author = {Bart Inglot and Byrne Ghavalas}, title = {{ATTACKER ANTICS: Illustrations of Ingenuity}}, date = {2017}, organization = {FireEye}, url = {https://ruxcon.org.au/assets/2017/slides/bart-RuxCon-Presentation.pptx}, language = {English}, urldate = {2020-01-08} } @online{inocencio:20140829:new:43a114a, author = {Rhena Inocencio}, title = {{New BlackPOS Malware Emerges in the Wild, Targets Retail Accounts}}, date = {2014-08-29}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-blackpos-malware-emerges-in-the-wild-targets-retail-accounts/}, language = {English}, urldate = {2020-01-10} } @online{inocencio:20141113:bashlite:647137b, author = {Rhena Inocencio}, title = {{BASHLITE Affects Devices Running on BusyBox}}, date = {2014-11-13}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/}, language = {English}, urldate = {2019-07-10} } @online{insights:20200406:mcafee:7fdc3d4, author = {McAfee Insights}, title = {{McAfee Insights: Vicious Panda: The COVID Campaign}}, date = {2020-04-06}, organization = {McAfee}, url = {https://kc.mcafee.com/corporate/index?page=content&id=KB92636&locale=en_US}, language = {English}, urldate = {2020-05-14} } @online{institute:20110419:tdss:9ffae6b, author = {Infosec Institute}, title = {{TDSS part 1: The x64 Dollar Question}}, date = {2011-04-19}, organization = {InfoSec Institute}, url = {http://resources.infosecinstitute.com/tdss4-part-1/}, language = {English}, urldate = {2020-01-06} } @online{institute:20200228:profiling:ebaa39b, author = {Financial Security Institute}, title = {{Profiling of TA505 Threat Group That Continues to Attack the Financial Sector}}, date = {2020-02-28}, organization = {Financial Security Institute}, url = {https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do}, language = {English}, urldate = {2020-02-28} } @techreport{intelligence:201405:into:e8ffc24, author = {ASERT Threat Intelligence}, title = {{Into the Light of Day:Uncovering Ongoing and Historical Point of Sale Malware and Attack Campaigns}}, date = {2014-05}, institution = {Arbor Networks}, url = {http://pages.arbornetworks.com/rs/arbor/images/ASERT%20Threat%20Intelligence%20Brief%202014-06%20Uncovering%20PoS%20Malware%20and%20Attack%20Campaigns.pdf}, language = {English}, urldate = {2020-01-06} } @techreport{intelligence:201507:hammertoss:9275999, author = {FireEye Threat Intelligence}, title = {{HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group}}, date = {2015-07}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf}, language = {English}, urldate = {2019-10-23} } @online{intelligence:20151201:chinabased:8836a81, author = {FireEye Threat Intelligence}, title = {{China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets}}, date = {2015-12-01}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html}, language = {English}, urldate = {2019-12-20} } @online{intelligence:20160128:centerpos:551f13b, author = {FireEye Threat Intelligence}, title = {{CenterPOS: An Evolving POS Threat}}, date = {2016-01-28}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html}, language = {English}, urldate = {2019-12-20} } @online{intelligence:20170212:lazarus:dd99beb, author = {BAE Systems Applied Intelligence}, title = {{Lazarus & Watering-hole attacks}}, date = {2017-02-12}, organization = {BAE Systems}, url = {https://baesystemsai.blogspot.com/2017/02/lazarus-watering-hole-attacks.html}, language = {English}, urldate = {2020-01-06} } @online{intelligence:20170406:apt10:08847cf, author = {FireEye iSIGHT Intelligence}, title = {{APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat}}, date = {2017-04-06}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html}, language = {English}, urldate = {2019-12-20} } @online{intelligence:20181023:triton:95a881f, author = {FireEye Intelligence}, title = {{TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers}}, date = {2018-10-23}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html}, language = {English}, urldate = {2019-12-20} } @online{intelligence:20190313:tefosteal:24e56c1, author = {Microsoft Security Intelligence}, title = {{Tweet on Tefosteal}}, date = {2019-03-13}, organization = {Twitter (@WDSecurity)}, url = {https://twitter.com/WDSecurity/status/1105990738993504256}, language = {English}, urldate = {2020-01-05} } @online{intelligence:20190315:flash:c7544fd, author = {Threat Intelligence}, title = {{Flash Bulletin: Emotet Epoch 1 Changes its C2 Communication}}, date = {2019-03-15}, organization = {Cofense}, url = {https://cofense.com/flash-bulletin-emotet-epoch-1-changes-c2-communication/}, language = {English}, urldate = {2019-10-23} } @online{intelligence:20190509:toptier:004045c, author = {Advanced Intelligence}, title = {{Top-Tier Russian Hacking Collective Claims Breaches of Three Major Anti-Virus Companies}}, date = {2019-05-09}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/blog/top-tier-russian-hacking-collective-claims-breaches-of-three-major-anti-virus-companies}, language = {English}, urldate = {2020-01-09} } @online{intelligence:20200519:netwalker:4681272, author = {Advanced Intelligence and Bridgit Sullivan and Daniel Frey}, title = {{NetWalker Ransomware Group Enters Advanced Targeting “Game”}}, date = {2020-05-19}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/netwalker-ransomware-group-enters-advanced-targeting-game}, language = {English}, urldate = {2020-05-23} } @online{intelligence:20200520:operation:7f6282e, author = {PT ESC Threat Intelligence}, title = {{Operation TA505: how we analyzed new tools from the creators of the Dridex trojan, Locky ransomware, and Neutrino botnet}}, date = {2020-05-20}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505/}, language = {English}, urldate = {2020-06-05} } @online{intelligence:20200604:covid19:45fa7ba, author = {PT ESC Threat Intelligence}, title = {{COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group}}, date = {2020-06-04}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/}, language = {English}, urldate = {2020-06-05} } @online{intelligence:20200616:cobalt:2071fd2, author = {PT ESC Threat Intelligence}, title = {{Cobalt: tactics and tools update}}, date = {2020-06-16}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/cobalt_upd_ttps/}, language = {English}, urldate = {2020-06-16} } @online{intelligence:20200617:thread:b4b74d5, author = {Microsoft Security Intelligence}, title = {{A tweet thread on TA505 using CAPTCHA to avoid detection and infecting victims with FlawedGrace}}, date = {2020-06-17}, organization = {Twitter (@MsftSecIntel)}, url = {https://twitter.com/MsftSecIntel/status/1273359829390655488}, language = {English}, urldate = {2020-06-18} } @online{intelligence:20200710:dark:a29ccb4, author = {Advanced Intelligence}, title = {{The Dark Web of Intrigue: How REvil Used the Underground Ecosystem to Form an Extortion Cartel}}, date = {2020-07-10}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/the-dark-web-of-intrigue-how-revil-used-the-underground-ecosystem-to-form-an-extortion-cartel}, language = {English}, urldate = {2020-07-13} } @online{international:20170301:how:fb75ef9, author = {FraudWatch International}, title = {{How Does the Trickbot Malware Work?}}, date = {2017-03-01}, organization = {FraudWatch International}, url = {https://blog.fraudwatchinternational.com/malware/trickbot-malware-works}, language = {English}, urldate = {2020-01-08} } @online{international:20180515:pakistan:c41a7ec, author = {Amnesty International}, title = {{PAKISTAN: HUMAN RIGHTS UNDER SURVEILLANCE}}, date = {2018-05-15}, organization = {Amnesty International}, url = {https://www.amnesty.org/en/documents/asa33/8366/2018/en/}, language = {English}, urldate = {2019-11-28} } @online{international:20200615:india:2e4e60b, author = {Amnesty International}, title = {{India: Human Rights Defenders Targeted by a Coordinated Spyware Operation}}, date = {2020-06-15}, organization = {Amnesty International}, url = {https://www.amnesty.org/en/latest/research/2020/06/india-human-rights-defenders-targeted-by-a-coordinated-spyware-operation/}, language = {English}, urldate = {2020-06-16} } @online{intezer:20190920:russian:27d9f67, author = {Intezer}, title = {{Russian Cybercrime Group FullofDeep Behind QNAPCrypt Ransomware Campaigns}}, date = {2019-09-20}, organization = {Intezer}, url = {https://www.intezer.com/blog-russian-cybercrime-group-fullofdeep-behind-qnapcrypt-ransomware-campaigns/}, language = {English}, urldate = {2020-01-08} } @online{intezerlabs:20200511:ldpreload:b3e622b, author = {Twitter (IntezerLabs)}, title = {{Tweet on LD-PRELOAD userland rootkit}}, date = {2020-05-11}, organization = {Intezer}, url = {https://twitter.com/IntezerLabs/status/1259818964848386048}, language = {English}, urldate = {2020-05-18} } @online{intrusiontruth:20170509:apt3:4014a9f, author = {Intrusiontruth}, title = {{APT3 is Boyusec, a Chinese Intelligence Contractor}}, date = {2017-05-09}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2017/05/09/apt3-is-boyusec-a-chinese-intelligence-contractor/}, language = {English}, urldate = {2020-01-07} } @online{intrusiontruth:20190724:apt17:6b9a666, author = {Intrusiontruth}, title = {{APT17 is run by the Jinan bureau of the Chinese Ministry of State Security}}, date = {2019-07-24}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2019/07/24/apt17-is-run-by-the-jinan-bureau-of-the-chinese-ministry-of-state-security/}, language = {English}, urldate = {2020-04-21} } @online{intrusiontruth:20200109:what:bc9bc31, author = {Intrusiontruth}, title = {{What is the Hainan Xiandun Technology Development Company?}}, date = {2020-01-09}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2020/01/09/what-is-the-hainan-xiandun-technology-development-company}, language = {English}, urldate = {2020-04-16} } @online{intrusiontruth:20200110:who:32afb65, author = {Intrusiontruth}, title = {{Who is Mr Gu?}}, date = {2020-01-10}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2020/01/10/who-is-mr-gu}, language = {English}, urldate = {2020-04-16} } @online{intrusiontruth:20200113:who:e54190c, author = {Intrusiontruth}, title = {{Who else works for this cover company network?}}, date = {2020-01-13}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2020/01/13/who-else-works-for-this-cover-company-network}, language = {English}, urldate = {2020-04-16} } @online{intrusiontruth:20200114:who:a06a6c3, author = {Intrusiontruth}, title = {{Who is Mr Ding?}}, date = {2020-01-14}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2020/01/14/who-is-mr-ding}, language = {English}, urldate = {2020-04-16} } @online{intrusiontruth:20200115:hainan:093f6f2, author = {Intrusiontruth}, title = {{Hainan Xiandun Technology Company is APT40}}, date = {2020-01-15}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2020/01/15/hainan-xiandun-technology-company-is-apt40}, language = {English}, urldate = {2020-04-16} } @online{iris:20191209:new:cc73a24, author = {IBM IRIS}, title = {{New Destructive Wiper “ZeroCleare” Targets Energy Sector in the Middle East}}, date = {2019-12-09}, organization = {IBM Security}, url = {https://www.ibm.com/downloads/cas/OAJ4VZNJ}, language = {English}, urldate = {2020-01-09} } @online{iris:20200616:cloud:e15a0d5, author = {IBM Security X-Force® Incident Responseand Intelligence Services (IRIS)}, title = {{Cloud ThreatLandscape Report 2020}}, date = {2020-06-16}, organization = {IBM}, url = {https://www.ibm.com/downloads/cas/Z81AVOY7}, language = {English}, urldate = {2020-06-17} } @online{irmer:20150217:angry:d09af85, author = {Jan Širmer}, title = {{Angry Android hacker hides Xbot malware in popular application icons}}, date = {2015-02-17}, organization = {Avast}, url = {https://blog.avast.com/2015/02/17/angry-android-hacker-hides-xbot-malware-in-popular-application-icons/}, language = {English}, urldate = {2019-12-24} } @online{irmer:20191023:spoofing:369e661, author = {Jan Širmer and Luigino Camastra and Adolf Středa}, title = {{Spoofing in the reeds with Rietspoof}}, date = {2019-10-23}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-spoofing-reeds-rietspoof/}, language = {English}, urldate = {2020-01-27} } @online{ishikawa:20171218:relationship:fb13bae, author = {Yoshihiro Ishikawa}, title = {{Relationship between PlugX and attacker group "DragonOK"}}, date = {2017-12-18}, organization = {LAC}, url = {https://www.lac.co.jp/lacwatch/people/20171218_001445.html}, language = {Japanese}, urldate = {2019-11-22} } @online{ishikawa:20180521:confirmed:ad336b5, author = {Yoshihiro Ishikawa}, title = {{Confirmed new attacks by APT attacker group menuPass (APT10)}}, date = {2018-05-21}, organization = {LAC}, url = {https://www.lac.co.jp/lacwatch/people/20180521_001638.html}, language = {Japanese}, urldate = {2019-10-27} } @techreport{ishikawa:20181201:lets:73b0c60, author = {Yoshihiro Ishikawa and Shinichi Nagano}, title = {{Let's go with a Go RAT!}}, date = {2018-12-01}, institution = {Botconf}, url = {https://www.botconf.eu/wp-content/uploads/2018/12/2018-Y-Ishikawa-S-Nagano-Lets-go-with-a-Go-RAT-_final.pdf}, language = {English}, urldate = {2020-04-28} } @online{ishimaru:20150820:new:0b39f40, author = {Suguru Ishimaru}, title = {{New activity of the Blue Termite APT}}, date = {2015-08-20}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/}, language = {English}, urldate = {2019-12-20} } @online{ishimaru:20150820:new:d553aa4, author = {Suguru Ishimaru}, title = {{New activity of the Blue Termite APT}}, date = {2015-08-20}, organization = {Kaspersky Labs}, url = {https://securelist.com/new-activity-of-the-blue-termite-apt/71876/}, language = {English}, urldate = {2019-12-20} } @online{ishimaru:20180416:roaming:42ebd00, author = {Suguru Ishimaru}, title = {{Roaming Mantis uses DNS hijacking to infect Android smartphones}}, date = {2018-04-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/}, language = {English}, urldate = {2019-12-20} } @online{ishimaru:20180518:roaming:3e5185f, author = {Suguru Ishimaru}, title = {{Roaming Mantis dabbles in mining and phishing multilingually}}, date = {2018-05-18}, organization = {Kaspersky Labs}, url = {https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/}, language = {English}, urldate = {2019-12-20} } @techreport{ishimaru:2019:roaming:23097da, author = {Suguru Ishimaru and Manabu Niseki and Hiroaki Ogawa}, title = {{Roaming Mantis: an Anatomy of a DNS Hijacking Campaign}}, date = {2019}, institution = {Kaspersky Labs}, url = {https://hitcon.org/2019/CMT/slide-files/d2_s1_r1.pdf}, language = {English}, urldate = {2020-01-09} } @online{ishimaru:20200227:roaming:3e14d12, author = {Suguru Ishimaru}, title = {{Roaming Mantis, part V: Distributed in 2019 using SMiShing and enhanced anti-researcher techniques}}, date = {2020-02-27}, organization = {Kaspersky Labs}, url = {https://securelist.com/roaming-mantis-part-v/96250/}, language = {English}, urldate = {2020-03-02} } @techreport{istrate:2015:new:254e212, author = {Cristian Istrate and Andrei Ardelean and Claudiu Cobliș and Marius Tivadar}, title = {{New Pacifier APT Components Point to Russian-Linked Turla Group}}, date = {2015}, institution = {Bitdefender}, url = {https://pdfhost.io/v/F0@QElMu2_MacProStorage_2017FinalBitdefenderWhitepaperNetrepserA4en_ENBitdefenderWhitepaperNetrepserA4en_ENindd.pdf}, language = {English}, urldate = {2020-01-08} } @online{it:20160615:mofang:59e7ad3, author = {Fox IT}, title = {{Mofang: A politically motivated information stealing adversary}}, date = {2016-06-15}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/}, language = {English}, urldate = {2019-11-27} } @online{it:20190226:supreme:d4cad36, author = {dfir it!}, title = {{The Supreme Backdoor Factory}}, date = {2019-02-26}, organization = {dfir it!}, url = {https://dfir.it/blog/2019/02/26/the-supreme-backdoor-factory/}, language = {English}, urldate = {2020-01-06} } @online{it:20191219:operation:64c0cd9, author = {Fox IT}, title = {{Operation Wocao : Shining a light on one of China’s hidden hacking groups}}, date = {2019-12-19}, organization = {Fox-IT}, url = {https://www.fox-it.com/nl/actueel/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/}, language = {English}, urldate = {2020-01-07} } @online{ita:20200807:new:c2e5979, author = {CSIRT ITA}, title = {{New Phishing-As-A-Service framework}}, date = {2020-08-07}, organization = {CSIRT Italia}, url = {https://csirt.gov.it/contenuti/phishing-as-a-service-framework}, language = {Italian}, urldate = {2020-08-10} } @online{ivanov:20140301:chewbacca:5c7ac17, author = {Ivo Ivanov}, title = {{ChewBacca – A TOR Based POS Malware}}, date = {2014-03-01}, organization = {Vinsula}, url = {http://vinsula.com/2014/03/01/chewbacca-tor-based-pos-malware/}, language = {English}, urldate = {2019-11-26} } @online{ivanov:20161003:polyglot:6fe8657, author = {Anton Ivanov and Orkhan Mamedov and Fedor Sinitsyn}, title = {{Polyglot – the fake CTB-locker}}, date = {2016-10-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/76182/polyglot-the-fake-ctb-locker/}, language = {English}, urldate = {2019-12-20} } @online{ivanov:20161020:rotorcrypt:2bfa6f3, author = {Andrew Ivanov}, title = {{RotorCrypt (RotoCrypt) Ransomware Tar Ransomware}}, date = {2016-10-20}, url = {https://id-ransomware.blogspot.com/2016/10/rotorcrypt-ransomware.html}, language = {Russian}, urldate = {2019-11-23} } @online{ivanov:20170314:petrwrap:646653c, author = {Anton Ivanov and Fedor Sinitsyn}, title = {{PetrWrap: the new Petya-based ransomware used in targeted attacks}}, date = {2017-03-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/77762/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/}, language = {English}, urldate = {2019-12-20} } @online{ivanov:20170424:xpan:018ead2, author = {Anton Ivanov and Fabio Assolini and Fedor Sinitsyn and Santiago Pontiroli}, title = {{XPan, I am your father}}, date = {2017-04-24}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/78110/xpan-i-am-your-father/}, language = {English}, urldate = {2019-12-20} } @online{ivanov:20170628:expetrpetyanotpetya:903b1fc, author = {Anton Ivanov and Orkhan Mamedov}, title = {{ExPetr/Petya/NotPetya is a Wiper, Not Ransomware}}, date = {2017-06-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/}, language = {English}, urldate = {2019-12-20} } @online{ivanov:20170809:return:124e8c1, author = {Anton Ivanov and Orkhan Mamedov}, title = {{The return of Mamba ransomware}}, date = {2017-08-09}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-return-of-mamba-ransomware/79403/}, language = {English}, urldate = {2019-12-20} } @online{ivanov:20171027:xiaoba:16e3621, author = {Andrew Ivanov}, title = {{XiaoBa Ransomware}}, date = {2017-10-27}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2017/10/xiaoba-ransomware.html}, language = {Russian}, urldate = {2020-03-19} } @online{ivanov:20171202:scarabey:802d653, author = {Andrew Ivanov}, title = {{Scarabey Ransomware}}, date = {2017-12-02}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2017/12/scarabey-ransomware.html}, language = {Russian}, urldate = {2019-12-17} } @online{ivanov:20180208:mbrlock:2c9f6d5, author = {Andrew Ivanov}, title = {{MBRlock Ransomware}}, date = {2018-02-08}, organization = {ID Ransomware}, url = {http://id-ransomware.blogspot.com.tr/2018/02/mbrlock-hax-ransomware.html}, language = {Russian}, urldate = {2019-12-17} } @online{ivanov:20180507:synack:2a41ea0, author = {Anton Ivanov and Fedor Sinitsyn and Orkhan Mamedov}, title = {{SynAck targeted ransomware uses the Doppelgänging technique}}, date = {2018-05-07}, organization = {Kaspersky Labs}, url = {https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/}, language = {English}, urldate = {2019-12-20} } @online{ivanov:20180914:rektware:836d8ac, author = {Andrew Ivanov}, title = {{Rektware Ransomware}}, date = {2018-09-14}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2018/09/rektware-ransomware.html}, language = {Russian}, urldate = {2020-03-22} } @online{ivanov:20190203:maoloa:52e7c7f, author = {Andrew Ivanov}, title = {{Maoloa Ransomware}}, date = {2019-02-03}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2019/02/maoloa-ransomware.html}, language = {English}, urldate = {2019-11-28} } @online{ivanov:20190703:lilocked:0eb5e17, author = {Andrew Ivanov}, title = {{Lilocked Ransomware}}, date = {2019-07-03}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2019/07/lilu-lilocked-ransomware.html}, language = {Russian}, urldate = {2019-12-17} } @online{ivanov:20190905:netwalker:902cacb, author = {Andrew Ivanov}, title = {{Netwalker Ransomware}}, date = {2019-09-05}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2019/09/koko-ransomware.html}, language = {Russian}, urldate = {2020-03-22} } @online{ivanov:20191004:scarecrow:0d5bfe4, author = {Andrew Ivanov}, title = {{ScareCrow Ransomware}}, date = {2019-10-04}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2019/10/scarecrow-ransomware.html}, language = {Russian}, urldate = {2020-08-05} } @online{ivanov:20191011:mespinoza:e9cd17e, author = {Andrew Ivanov}, title = {{Mespinoza Ransomware}}, date = {2019-10-11}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2019/10/mespinoza-ransomware.html}, language = {English}, urldate = {2020-03-26} } @online{ivanov:20191015:medusalocker:132bb68, author = {Andrew Ivanov}, title = {{MedusaLocker Ransomware}}, date = {2019-10-15}, url = {http://id-ransomware.blogspot.com/2019/10/medusalocker-ransomware.html}, language = {English}, urldate = {2020-01-07} } @online{ivanov:20191019:abcd:06360d3, author = {Andrew Ivanov}, title = {{ABCD Ransomware LockBit Ransomware}}, date = {2019-10-19}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/search?q=lockbit}, language = {Russian}, urldate = {2020-03-28} } @online{ivanov:20191020:infodot:47e0fd2, author = {Andrew Ivanov}, title = {{InfoDot Ransomware}}, date = {2019-10-20}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2019/10/infodot-ransomware.html}, language = {Russian}, urldate = {2020-04-01} } @online{ivanov:20191023:pwndlocker:d776ac5, author = {Andrew Ivanov}, title = {{PwndLocker Ransomware}}, date = {2019-10-23}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2019/10/pwndlocker-ransomware.html}, language = {Russian}, urldate = {2020-03-03} } @online{ivanov:20191025:hdmr:de88a6d, author = {Andrew Ivanov}, title = {{HDMR, GO-SPORT}}, date = {2019-10-25}, url = {http://id-ransomware.blogspot.com/2019/10/hdmr-ransomware.html}, language = {Russian}, urldate = {2020-01-08} } @online{ivanov:20191104:hakbit:473fb88, author = {Andrew Ivanov}, title = {{Hakbit Ransomware}}, date = {2019-11-04}, organization = {ID Ransomware}, url = {http://id-ransomware.blogspot.com/2019/11/hakbit-ransomware.html}, language = {Russian}, urldate = {2020-01-10} } @online{ivanov:20191113:antefrigus:ad4c113, author = {Andrew Ivanov}, title = {{AnteFrigus Ransomware}}, date = {2019-11-13}, organization = {ID Ransomware}, url = {http://id-ransomware.blogspot.com/2019/11/antefrigus-ransomware.html}, language = {English}, urldate = {2020-01-08} } @online{ivanov:20191119:wacatac:c1815bb, author = {Andrew Ivanov}, title = {{Tweet on Wacatac Ransomware}}, date = {2019-11-19}, organization = {Twitter (@Amigo_A_)}, url = {https://twitter.com/Amigo_A_/status/1196898012645220354}, language = {English}, urldate = {2020-01-08} } @online{ivanov:20191119:wacatac:e257783, author = {Andrew Ivanov}, title = {{Wacatac Ransomware}}, date = {2019-11-19}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2019/11/wacatac-ransomware.html}, language = {Russian}, urldate = {2020-01-08} } @online{ivanov:20191122:turkstatik:ada70a9, author = {Andrew Ivanov}, title = {{TurkStatik Ransomware}}, date = {2019-11-22}, url = {http://id-ransomware.blogspot.com/2019/10/fuxsocy-encryptor-ransomware.html}, language = {English}, urldate = {2019-11-28} } @online{ivanov:20191219:chernolocker:1d71ebd, author = {Andrew Ivanov}, title = {{ChernoLocker Ransomware}}, date = {2019-12-19}, url = {https://id-ransomware.blogspot.com/2019/12/chernolocker-ransomware.html}, language = {Russian}, urldate = {2020-01-26} } @online{ivanov:20191231:cuba:53a177c, author = {Andrew Ivanov}, title = {{Cuba Ransomware}}, date = {2019-12-31}, url = {https://id-ransomware.blogspot.com/2019/12/cuba-ransomware.html}, language = {Russian}, urldate = {2020-06-11} } @online{ivanov:20200109:ako:79016d7, author = {Andrew Ivanov}, title = {{Ako, MedusaReborn}}, date = {2020-01-09}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/01/ako-ransomware.html}, language = {English}, urldate = {2020-05-18} } @online{ivanov:20200123:shlayer:945a5b8, author = {Anton Ivanov and Mikhail Kuzin and Ilya Mogilin}, title = {{Shlayer Trojan attacks one in ten macOS users}}, date = {2020-01-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/shlayer-for-macos/95724/}, language = {English}, urldate = {2020-01-23} } @online{ivanov:20200125:cryptopatronum:4adacea, author = {Andrew Ivanov}, title = {{cryptopatronum ransomware}}, date = {2020-01-25}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/01/cryptopatronum-ransomware.html}, language = {Russian}, urldate = {2020-02-03} } @online{ivanov:20200130:thecursedmurderer:a2a7e72, author = {Andrew Ivanov}, title = {{TheCursedMurderer Ransomware}}, date = {2020-01-30}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/01/thecursedmurderer-ransomware.html}, language = {Russian}, urldate = {2020-02-10} } @online{ivanov:20200201:fct:ba54e92, author = {Andrew Ivanov}, title = {{FCT Ransomware}}, date = {2020-02-01}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/02/fct-ransomware.html}, language = {Russian}, urldate = {2020-02-10} } @online{ivanov:20200203:passlock:a72c982, author = {Andrew Ivanov}, title = {{PassLock Ransomware}}, date = {2020-02-03}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com}, language = {Russian}, urldate = {2020-02-10} } @online{ivanov:20200204:ragnarlocker:7e8d324, author = {Andrew Ivanov}, title = {{RagnarLocker Ransomware}}, date = {2020-02-04}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/02/ragnarlocker-ransomware.html}, language = {Russian}, urldate = {2020-04-15} } @online{ivanov:20200217:gibberish:b003dbc, author = {Andrew Ivanov}, title = {{Gibberish Ransomware}}, date = {2020-02-17}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/02/gibberish-ransomware.html}, language = {Russian}, urldate = {2020-03-22} } @online{ivanov:20200225:blackkingdom:5c73f86, author = {Andrew Ivanov}, title = {{BlackKingdom Ransomware}}, date = {2020-02-25}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/02/blackkingdom-ransomware.html}, language = {Russian}, urldate = {2020-06-16} } @online{ivanov:20200301:cryptodarkrubix:6720abd, author = {Andrew Ivanov}, title = {{CryptoDarkRubix Ransomware}}, date = {2020-03-01}, url = {https://id-ransomware.blogspot.com/2020/03/cryptodarkrubix-ransomware.html}, language = {Russian}, urldate = {2020-07-30} } @online{ivanov:20200307:javalocker:4b44b72, author = {Andrew Ivanov}, title = {{JavaLocker Ransomware}}, date = {2020-03-07}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/03/javalocker-ransomware.html}, language = {Russian}, urldate = {2020-03-22} } @online{ivanov:20200311:coronavirus:1b3c4d6, author = {Andrew Ivanov}, title = {{CoronaVirus Ransomware}}, date = {2020-03-11}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/03/coronavirus-ransomware.html}, language = {Russian}, urldate = {2020-03-22} } @online{ivanov:20200312:teslarvng:0ab7628, author = {Andrew Ivanov}, title = {{Teslarvng Ransomware Yakuza Ransomware}}, date = {2020-03-12}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/03/teslarvng-ransomware.html}, language = {Russian}, urldate = {2020-03-27} } @online{ivanov:20200314:nefilim:329ccf1, author = {Andrew Ivanov}, title = {{Nefilim Ransomware}}, date = {2020-03-14}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/03/nefilim-ransomware.html}, language = {English}, urldate = {2020-03-22} } @online{ivanov:20200314:rekensom:1e0a54a, author = {Andrew Ivanov}, title = {{RekenSom Ransomware}}, date = {2020-03-14}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/03/rekensom-ransomware.html}, language = {Russian}, urldate = {2020-03-22} } @online{ivanov:20200317:prolock:3aa858f, author = {Andrew Ivanov}, title = {{ProLock Ransomware}}, date = {2020-03-17}, url = {https://id-ransomware.blogspot.com/2020/03/prolock-ransomware.html}, language = {Russian}, urldate = {2020-04-06} } @online{ivanov:20200318:sekhmet:0463cdb, author = {Andrew Ivanov}, title = {{Sekhmet Ransomware}}, date = {2020-03-18}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/03/sekhmet-ransomware.html}, language = {Russian}, urldate = {2020-03-28} } @online{ivanov:20200324:kekw:ef9d6a6, author = {Andrew Ivanov}, title = {{KEKW Ransomware KEKW-Locker Ransomware}}, date = {2020-03-24}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/03/kekw-ransomware.html}, language = {Russian}, urldate = {2020-03-28} } @online{ivanov:20200331:wannaren:0ab1946, author = {Andrew Ivanov}, title = {{WannaRen Ransomware}}, date = {2020-03-31}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/03/wannaren-ransomware.html}, language = {Russian}, urldate = {2020-04-20} } @online{ivanov:20200401:jeno:379b0a1, author = {Andrew Ivanov}, title = {{Jeno Ransomware}}, date = {2020-04-01}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/04/jeno-ransomware.html}, language = {Russian}, urldate = {2020-04-20} } @online{ivanov:20200410:void:3b7f0d1, author = {Andrew Ivanov}, title = {{Void Ransomware}}, date = {2020-04-10}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/04/void-voidcrypt-ransomware.html}, language = {Russian}, urldate = {2020-04-13} } @online{ivanov:20200419:sadogo:0a661a2, author = {Andrew Ivanov}, title = {{Sadogo Ransomware}}, date = {2020-04-19}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/04/sadogo-ransomware.html}, language = {Russian}, urldate = {2020-04-20} } @online{ivanov:20200426:gocryptolocker:116e256, author = {Andrew Ivanov}, title = {{goCryptoLocker}}, date = {2020-04-26}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/04/gocryptolocker-ransomware.html}, language = {Russian}, urldate = {2020-05-02} } @online{ivanov:20200617:ransomexx:ab0e087, author = {Andrew Ivanov}, title = {{RansomEXX Ransomware}}, date = {2020-06-17}, url = {https://id-ransomware.blogspot.com/2020/06/ransomexx-ransomware.html}, language = {Russian}, urldate = {2020-07-08} } @online{ivanov:20200707:silentdeath:fed1f53, author = {Andrew Ivanov}, title = {{SilentDeath Ransomware}}, date = {2020-07-07}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/07/silentdeath-ransomware.html}, language = {Russian}, urldate = {2020-08-05} } @online{ivanov:20200716:fastwind:5e4367c, author = {Andrew Ivanov}, title = {{FastWind Ransomware}}, date = {2020-07-16}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/07/fastwind-ransomware.html}, language = {Russian}, urldate = {2020-08-05} } @online{j:20181218:scumbag:720cb3c, author = {Lokesh J}, title = {{Scumbag Combo: Agent Tesla and XpertRAT}}, date = {2018-12-18}, organization = {K7 Security}, url = {https://labs.k7computing.com/?p=15672}, language = {English}, urldate = {2020-01-06} } @online{jackson:20070320:gozi:701fe90, author = {Don Jackson}, title = {{Gozi Trojan}}, date = {2007-03-20}, organization = {Secureworks}, url = {https://www.secureworks.com/research/gozi}, language = {English}, urldate = {2020-01-10} } @online{jackson:20141219:unrelenting:f3f3ccf, author = {Don Jackson}, title = {{The unrelenting evolution of Vawtrak}}, date = {2014-12-19}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak}, language = {English}, urldate = {2019-11-04} } @online{jacquais:20180109:bestkorea:94b6c7a, author = {Jacquais}, title = {{BestKorea}}, date = {2018-01-09}, url = {https://github.com/Jacquais/BestKorea}, language = {English}, urldate = {2020-03-13} } @online{jallepalli:20190326:winrar:dff4878, author = {Dileep Kumar Jallepalli}, title = {{WinRAR Zero-day Abused in Multiple Campaigns}}, date = {2019-03-26}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/03/winrar-zero-day-abused-in-multiple-campaigns.html}, language = {English}, urldate = {2019-12-20} } @online{james:20111026:tsunami:7815511, author = {Peter James}, title = {{Tsunami Backdoor Can Be Used for Denial of Service Attacks}}, date = {2011-10-26}, organization = {Intego}, url = {https://www.intego.com/mac-security-blog/tsunami-backdoor-can-be-used-for-denial-of-service-attacks}, language = {English}, urldate = {2019-10-25} } @online{jamesinthebox:20181001:dga:c78b3d8, author = {James_inthe_box}, title = {{Tweet on DGA using TLD xyz}}, date = {2018-10-01}, organization = {Twitter (@James_inthe_box)}, url = {https://twitter.com/James_inthe_box/status/1046844087469391872}, language = {English}, urldate = {2020-01-08} } @online{jamesinthebox:20200512:himera:39130f2, author = {James_inthe_box}, title = {{Tweet on Himera Loader}}, date = {2020-05-12}, organization = {Twitter (@James_inthe_box)}, url = {https://twitter.com/James_inthe_box/status/1260191589789392898}, language = {English}, urldate = {2020-05-18} } @online{jamesinthebox:20200814:echelon:699dd29, author = {James_inthe_box}, title = {{Tweet on Echelon Stealer}}, date = {2020-08-14}, organization = {Twitter (@James_inthe_box)}, url = {https://twitter.com/James_inthe_box/status/1294088216807534593}, language = {English}, urldate = {2020-08-14} } @online{jameswt:20200525:fuckunicorn:8136f92, author = {JamesWT}, title = {{Tweet on FuckUnicorn instance of HiddenTear}}, date = {2020-05-25}, organization = {Twitter (@JAMESWT_MHT)}, url = {https://twitter.com/JAMESWT_MHT/status/1264828072001495041}, language = {English}, urldate = {2020-06-08} } @online{jamie:20200331:lokibot:f927742, author = {Jamie}, title = {{LokiBot: Getting Equation Editor Shellcode}}, date = {2020-03-31}, organization = {Click All the Things! Blog}, url = {https://clickallthethings.wordpress.com/2020/03/31/lokibot-getting-equation-editor-shellcode/}, language = {English}, urldate = {2020-04-07} } @online{jamie:20200619:zloader:dd6729d, author = {Jamie}, title = {{zloader: VBA, R1C1 References, and Other Tomfoolery}}, date = {2020-06-19}, organization = {Click All the Things! Blog}, url = {https://clickallthethings.wordpress.com/2020/06/19/zloader-vba-r1c1-references-and-other-tomfoolery/}, language = {English}, urldate = {2020-06-21} } @online{jarvis:20131218:cryptolocker:a15fe52, author = {Keith Jarvis}, title = {{CryptoLocker Ransomware}}, date = {2013-12-18}, organization = {Secureworks}, url = {https://www.secureworks.com/research/cryptolocker-ransomware}, language = {English}, urldate = {2019-11-27} } @online{jazi:20200416:new:6b7cb7a, author = {Hossein Jazi}, title = {{New AgentTesla variant steals WiFi credentials}}, date = {2020-04-16}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2020/04/new-agenttesla-variant-steals-wifi-credentials/}, language = {English}, urldate = {2020-04-16} } @online{jazi:20200506:new:7723083, author = {Hossein Jazi and Thomas Reed and Jérôme Segura}, title = {{New Mac variant of Lazarus Dacls RAT distributed via Trojanized 2FA app}}, date = {2020-05-06}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2020/05/new-mac-variant-of-lazarus-dacls-rat-distributed-via-trojanized-2fa-app/}, language = {English}, urldate = {2020-05-07} } @online{jazi:20200603:new:96bf302, author = {Hossein Jazi and Jérôme Segura}, title = {{New LNK attack tied to Higaisa APT discovered}}, date = {2020-06-03}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/}, language = {English}, urldate = {2020-06-05} } @online{jazi:20200617:multistage:6358f3f, author = {Hossein Jazi and Jérôme Segura}, title = {{Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature}}, date = {2020-06-17}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature/}, language = {English}, urldate = {2020-06-19} } @online{jazi:20200721:chinese:da6a239, author = {Hossein Jazi and Jérôme Segura}, title = {{Chinese APT group targets India and Hong Kong using new variant of MgBot malware}}, date = {2020-07-21}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/}, language = {English}, urldate = {2020-07-22} } @online{jedynak:20170104:technical:9cf0ab7, author = {Jarosław Jedynak}, title = {{Technical analysis of CryptoMix/CryptFile2 ransomware}}, date = {2017-01-04}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/}, language = {English}, urldate = {2020-01-13} } @online{jedynak:20170130:nymaim:d5553e6, author = {Jarosław Jedynak}, title = {{Nymaim revisited}}, date = {2017-01-30}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/nymaim-revisited/}, language = {English}, urldate = {2020-01-09} } @online{jedynak:20170214:sage:c9187b1, author = {Jarosław Jedynak}, title = {{Sage 2.0 analysis}}, date = {2017-02-14}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/sage-2-0-analysis/}, language = {English}, urldate = {2020-01-13} } @online{jedynak:20170530:mole:868f8ea, author = {Jarosław Jedynak}, title = {{Mole ransomware: analysis and decryptor}}, date = {2017-05-30}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/mole-ransomware-analysis-and-decryptor/}, language = {English}, urldate = {2019-12-17} } @online{jedynak:20171019:deeper:f2e50ae, author = {Jarosław Jedynak}, title = {{A deeper look at Tofsee modules}}, date = {2017-10-19}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/a-deeper-look-at-tofsee-modules/}, language = {English}, urldate = {2020-01-06} } @online{jeff0falltrades:20200610:frat:6a40185, author = {jeFF0Falltrades and James_inthe_box and _re_fox}, title = {{FRat Reporting, YARA, and IoCs}}, date = {2020-06-10}, url = {https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/frat.md}, language = {English}, urldate = {2020-06-12} } @online{jennings:20170417:python:d5a3654, author = {Luke Jennings}, title = {{Python script for decoding DOUBLEPULSAR}}, date = {2017-04-17}, organization = {Github (countercept)}, url = {https://github.com/countercept/doublepulsar-c2-traffic-decryptor}, language = {English}, urldate = {2020-01-08} } @techreport{jiang:20150910:hangul:2e0fc13, author = {Genwei Jiang and Josiah Kimble}, title = {{Hangul Word Processor (HWP)Zero-Day: possible ties to North Korean threat actors}}, date = {2015-09-10}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/fireeye-www/global/en/blog/threat-research/FireEye_HWP_ZeroDay.pdf}, language = {English}, urldate = {2020-01-13} } @online{jiang:20151216:eps:3db357c, author = {Genwei Jiang and Dan Caselden and Ryann Winters}, title = {{The EPS Awakens}}, date = {2015-12-16}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html}, language = {English}, urldate = {2019-12-20} } @online{jiayu:20180124:mykings:63bef87, author = {JiaYu}, title = {{MyKings: A massively multiple botnet}}, date = {2018-01-24}, url = {http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/}, language = {Chinese}, urldate = {2019-11-20} } @online{jin:20190117:malware:f880151, author = {Xingyu Jin and Claud Xiao}, title = {{Malware Used by “Rocke” Group Evolves to Evade Detection by Cloud Security Products}}, date = {2019-01-17}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/}, language = {English}, urldate = {2020-01-07} } @online{jinye:20191217:lazarus:f97fffd, author = {Jinye and GenShen Ye}, title = {{Lazarus Group uses Dacls RAT to attack Linux platform}}, date = {2019-12-17}, organization = {Netlab}, url = {https://blog.netlab.360.com/dacls-the-dual-platform-rat/}, language = {Chinese}, urldate = {2020-01-07} } @online{jinye:20200523:new:20aa28f, author = {Jinye}, title = {{New activity of DoubleGuns Group, control hundreds of thousands of bots via public cloud service}}, date = {2020-05-23}, organization = {360 netlab}, url = {https://blog.netlab.360.com/shuangqiang/}, language = {English}, urldate = {2020-05-26} } @online{jnok:20190128:russia:579f446, author = {Juraj Jánošík}, title = {{Russia hit by new wave of ransomware spam}}, date = {2019-01-28}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/01/28/russia-hit-new-wave-ransomware-spam/}, language = {English}, urldate = {2019-11-14} } @online{joe:20170127:deep:d365b7e, author = {Joe}, title = {{Deep Analysis of Android Ransom Charger}}, date = {2017-01-27}, organization = {Joe's Security}, url = {http://blog.joesecurity.org/2017/01/deep-analysis-of-android-ransom-charger.html}, language = {English}, urldate = {2020-01-08} } @online{joe:20181118:cozybear:4801301, author = {Joe}, title = {{CozyBear – In from the Cold?}}, date = {2018-11-18}, organization = {Stranded on Pylos Blog}, url = {https://pylos.co/2018/11/18/cozybear-in-from-the-cold/}, language = {English}, urldate = {2020-01-09} } @online{johannes:20170131:malicious:ed4f2fb, author = {Johannes}, title = {{Malicious Office files using fileless UAC bypass to drop KEYBASE malware}}, date = {2017-01-31}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/Malicious+Office+files+using+fileless+UAC+bypass+to+drop+KEYBASE+malware/22011/}, language = {English}, urldate = {2020-01-08} } @online{johnson:20130219:apt1:ee9c94f, author = {A L Johnson}, title = {{APT1: Q&A on Attacks by the Comment Crew}}, date = {2013-02-19}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=f1265df5-6e5e-4fcc-9828-d4ddbbafd3d7&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } @online{johnson:20151026:duuzer:e87f194, author = {A L Johnson}, title = {{Duuzer back door Trojan targets South Korea to take over computers}}, date = {2015-10-26}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } @online{johnson:20160222:russian:cc3bc7b, author = {A L Johnson}, title = {{Russian bank employees received fake job offers in targeted email attack}}, date = {2016-02-22}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=8e498912-44f8-4ea0-ac50-4544f0fedd6c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } @online{johnson:20160808:strider:49d9d44, author = {A L Johnson}, title = {{Strider: Cyberespionage group turns eye of Sauron on targets}}, date = {2016-08-08}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } @online{johnson:20161130:shamoon:50feb7c, author = {A L Johnson}, title = {{Shamoon: Back from the dead and destructive as ever}}, date = {2016-11-30}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ad6f8259-2bb4-4f7f-b8e1-710b35a4cbed&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } @online{johnson:20170212:attackers:c338fa3, author = {A L Johnson}, title = {{Attackers target dozens of global banks with new malware}}, date = {2017-02-12}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware}, language = {English}, urldate = {2020-04-21} } @online{johnson:20170227:shamoon:0188f39, author = {A L Johnson}, title = {{Shamoon: Multi-staged destructive attacks limited to specific targets}}, date = {2017-02-27}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } @online{johnson:20170410:longhorn:811e6dc, author = {A L Johnson}, title = {{Longhorn: Tools used by cyberespionage group linked to Vault 7}}, date = {2017-04-10}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7ca2e331-2209-46a8-9e60-4cb83f9602de&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } @online{johnson:20171214:attackers:6b0be76, author = {Blake Johnson and Dan Caban and Marina Krotofil and Dan Scali and Nathan Brubaker and Christopher Glyer}, title = {{Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure}}, date = {2017-12-14}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html}, language = {English}, urldate = {2019-12-20} } @online{johnson:20180515:swedish:47c0265, author = {Simon Johnson and Olof Swahnberg and Niklas Pollard and Hugh Lawson}, title = {{Swedish sports body says anti-doping unit hit by hacking attack}}, date = {2018-05-15}, organization = {Reuters}, url = {https://www.reuters.com/article/us-sweden-doping/swedish-sports-body-says-anti-doping-unit-hit-by-hacking-attack-idUSKCN1IG2GN}, language = {English}, urldate = {2019-12-10} } @techreport{jones:20160426:new:78ff145, author = {Jason Jones}, title = {{New Poison Ivy Activity Targeting Myanmar, Asian Countries}}, date = {2016-04-26}, institution = {Github (CyberMonitor)}, url = {https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/blob/master/2016/2016.04.26.New_Poison_Ivy_Activity_Targeting_Myanmar_Asian_Countries/New%20Poison%20Ivy%20Activity%20Targeting%20Myanmar%2C%20Asian%20Countries.pdf}, language = {English}, urldate = {2019-12-17} } @online{joven:20160603:cooking:a48c0f8, author = {Rommel Abraham D Joven}, title = {{Cooking Up Autumn (Herbst) Ransomware}}, date = {2016-06-03}, organization = {Fortinet}, url = {https://blog.fortinet.com/2016/06/03/cooking-up-autumn-herbst-ransomware}, language = {English}, urldate = {2020-01-08} } @online{joven:20170609:macransom:56a318d, author = {Rommel Joven and Wayne Chin Yick Low}, title = {{MacRansom: Offered as Ransomware as a Service}}, date = {2017-06-09}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/06/09/macransom-offered-as-ransomware-as-a-service}, language = {English}, urldate = {2020-01-05} } @online{joven:20180517:wicked:913857a, author = {Rommel Joven and Kenny Yang}, title = {{A Wicked Family of Bots}}, date = {2018-05-17}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html}, language = {English}, urldate = {2020-01-05} } @online{joven:20190627:inter:2cde728, author = {Rommel Joven}, title = {{Inter: Skimmer For All}}, date = {2019-06-27}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/inter-skimmer-for-all.html}, language = {English}, urldate = {2020-01-10} } @online{jpcert:20160216:banking:43d5789, author = {JPCert}, title = {{Banking Trojan “Citadel” Returns}}, date = {2016-02-16}, organization = {JPCERT/CC}, url = {http://blog.jpcert.or.jp/2016/02/banking-trojan--27d6.html}, language = {English}, urldate = {2019-12-19} } @online{jpcertcc:20180731:scanner:d1757d9, author = {JPCERT/CC}, title = {{Scanner for CobaltStrike}}, date = {2018-07-31}, organization = {Github (JPCERTCC)}, url = {https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py}, language = {English}, urldate = {2020-01-13} } @online{jpcertcc:20191210:updated:86aee30, author = {JPCERT/CC}, title = {{[Updated] Alert Regarding Emotet Malware Infection}}, date = {2019-12-10}, organization = {JPCERT/CC}, url = {https://www.jpcert.or.jp/english/at/2019/at190044.html}, language = {English}, urldate = {2020-01-09} } @online{jr0driguezb:20181009:malware:89b0393, author = {JR0driguezB}, title = {{Malware Configs - Pandabanker}}, date = {2018-10-09}, organization = {Github (JR0driguezB)}, url = {https://github.com/JR0driguezB/malware_configs/tree/master/PandaBanker}, language = {English}, urldate = {2020-01-07} } @online{jr:20151102:shifu:700438c, author = {Floser Bacurio Jr. and Wayne Low}, title = {{Shifu – the rise of a self-destructive banking trojan}}, date = {2015-11-02}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2015/11/shifu-rise-self-destructive-banking-trojan}, language = {English}, urldate = {2020-01-09} } @online{jr:20160829:german:f88cef5, author = {Floser Bacurio Jr. and Joie Salvio}, title = {{German Speakers Targeted by SPAM Leading to Ozone RAT}}, date = {2016-08-29}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/german-speakers-targeted-by-spam-leading-to-ozone-rat.html}, language = {English}, urldate = {2020-01-13} } @online{jullian:20180112:analyzing:572a942, author = {Rémi Jullian}, title = {{Analyzing an Agent Tesla campaign: from a word document to the attacker credentials}}, date = {2018-01-12}, organization = {Stormshield}, url = {https://thisissecurity.stormshield.com/2018/01/12/agent-tesla-campaign/}, language = {English}, urldate = {2019-07-10} } @online{jullian:20180329:indepth:badef63, author = {Rémi Jullian}, title = {{In-depth Formbook malware analysis – Obfuscation and process injection}}, date = {2018-03-29}, organization = {Stormshield}, url = {https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/}, language = {English}, urldate = {2020-01-10} } @techreport{jullian:20181205:formbook:40cf2ad, author = {Rémi Jullian}, title = {{FORMBOOK In-depth malware analysis}}, date = {2018-12-05}, institution = {Botconf}, url = {https://www.botconf.eu/wp-content/uploads/2018/12/2018-R-Jullian-In-depth-Formbook-Malware-Analysis.pdf}, language = {English}, urldate = {2019-12-17} } @online{jurez:20171121:new:828279e, author = {Oscar Juárez}, title = {{New banking malware in Brazil - XPCTRA RAT ANALYSIS}}, date = {2017-11-21}, organization = {bugaroo}, url = {https://www.buguroo.com/en/blog/bank-malware-in-brazil-xpctra-rat-analysis}, language = {English}, urldate = {2020-01-08} } @online{jursa:20200520:ghostdns:43190d5, author = {David Jursa and Simi Musilova and Jan Rubín and Alexej Savčin}, title = {{GhostDNS Source Code Leaked}}, date = {2020-05-20}, organization = {Avast Decoded}, url = {https://decoded.avast.io/simonamusilova/ghostdns-source-code-leaked/}, language = {English}, urldate = {2020-05-23} } @online{justice:20170410:justice:f1767d7, author = {US Department of Justice}, title = {{Justice Department Announces Actions to Dismantle Kelihos Botnet}}, date = {2017-04-10}, organization = {US Department of Justice}, url = {https://www.justice.gov/opa/pr/justice-department-announces-actions-dismantle-kelihos-botnet-0}, language = {English}, urldate = {2019-12-03} } @online{justice:20180110:phillip:d3877cf, author = {U.S. Department of Justice}, title = {{Phillip Durachinsky Indictment}}, date = {2018-01-10}, url = {https://www.documentcloud.org/documents/4346338-Phillip-Durachinsky-Indictment.html}, language = {English}, urldate = {2019-12-24} } @online{justice:20180323:nine:51457d0, author = {United States Department of Justice}, title = {{Nine Iranians Charged With Conducting Massive Cyber Theft Campaign on Behalf of the Islamic Revolutionary Guard Corps}}, date = {2018-03-23}, organization = {United States Department of Justice}, url = {https://www.justice.gov/usao-sdny/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic}, language = {English}, urldate = {2019-10-23} } @online{justice:20180323:nine:51c3fd6, author = {Department of Justice}, title = {{Nine Iranians Charged With Conducting Massive Cyber Theft Campaign on Behalf of the Islamic Revolutionary Guard Corps}}, date = {2018-03-23}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic-revolutionary}, language = {English}, urldate = {2019-12-17} } @online{justice:20180618:joshua:7362ccc, author = {Department of Justice}, title = {{Joshua Adam Schulte Charged with the Unauthorized Disclosure of Classified Information and Other Offenses Relating to the Theft of Classified Material from the Central Intelligence Agency}}, date = {2018-06-18}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/joshua-adam-schulte-charged-unauthorized-disclosure-classified-information-and-other-offenses}, language = {English}, urldate = {2019-11-26} } @online{justice:20181212:indictment:d897f0c, author = {US Department of Justice}, title = {{Indictment against Andrey Turchin aka fxmsp}}, date = {2018-12-12}, organization = {US Department of Justice}, url = {https://www.justice.gov/usao-wdwa/press-release/file/1292541/download}, language = {English}, urldate = {2020-07-08} } @online{justice:20200626:russian:276b274, author = {Department of Justice}, title = {{Russian National (Aleksei Burkov, Cardplanet) Sentenced to Prison for Operating Websites Devoted to Fraud and Malicious Cyber Activities}}, date = {2020-06-26}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/russian-national-sentenced-prison-operating-websites-devoted-fraud-and-malicious-cyber}, language = {English}, urldate = {2020-06-29} } @online{justice:20200731:malware:f004207, author = {Department of Justice}, title = {{Malware Author Pleads Guilty for Role in Transnational Cybercrime Organization Responsible for more than $568 Million in Losses}}, date = {2020-07-31}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/malware-author-pleads-guilty-role-transnational-cybercrime-organization-responsible-more-568}, language = {English}, urldate = {2020-08-05} } @online{justice:20200813:global:fd1a7c6, author = {Department of Justice}, title = {{Global Disruption of Three Terror Finance Cyber-Enabled Campaigns}}, date = {2020-08-13}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/global-disruption-three-terror-finance-cyber-enabled-campaigns}, language = {English}, urldate = {2020-08-14} } @online{justin:20181217:apt39:6e13cad, author = {Justin}, title = {{Tweet on APT39}}, date = {2018-12-17}, organization = {Twitter (@MJDutch)}, url = {https://twitter.com/MJDutch/status/1074820959784321026?s=19}, language = {English}, urldate = {2020-01-08} } @online{jw:20200325:trickbot:17b0dc3, author = {JW}, title = {{Trickbot to Ryuk in Two Hours}}, date = {2020-03-25}, organization = {Wilbur Security}, url = {https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/}, language = {English}, urldate = {2020-03-26} } @online{k:20110130:gpcode:53d8cac, author = {Steven K}, title = {{GpCode Ransomware 2010 Simple Analysis}}, date = {2011-01-30}, url = {http://www.xylibox.com/2011/01/gpcode-ransomware-2010-simple-analysis.html}, language = {English}, urldate = {2019-12-24} } @techreport{k:2018:in:87e5693, author = {Taha K.}, title = {{IN THE TRAILS OF WINDSHIFTAPT}}, date = {2018}, institution = {DarkMatter}, url = {https://gsec.hitb.org/materials/sg2018/D1%20COMMSEC%20-%20In%20the%20Trails%20of%20WINDSHIFT%20APT%20-%20Taha%20Karim.pdf}, language = {English}, urldate = {2020-01-08} } @online{kadiev:20101220:end:0a62065, author = {Alexei Kadiev}, title = {{End of the Line for the Bredolab Botnet?}}, date = {2010-12-20}, organization = {Kaspersky Labs}, url = {https://securelist.com/end-of-the-line-for-the-bredolab-botnet/36335/}, language = {English}, urldate = {2019-12-20} } @online{kafeine:20120816:inside:5dd3a54, author = {Kafeine}, title = {{Inside Upas Kit (1.0.1.1) aka Rombrast C&C - Botnet Control Panel}}, date = {2012-08-16}, organization = {Malware Don't Need Coffee}, url = {https://malware.dontneedcoffee.com/2012/08/inside-upas-kit1.0.1.1.html}, language = {English}, urldate = {2020-01-10} } @online{kafeine:20121129:inside:cff4761, author = {Kafeine}, title = {{Inside view of Lyposit aka (for its friends) Lucky LOCKER}}, date = {2012-11-29}, organization = {Malware Don't Need Coffee}, url = {http://malware.dontneedcoffee.com/2012/11/inside-view-of-lyposit-aka-for-its.html}, language = {English}, urldate = {2019-12-18} } @online{kafeine:20130521:unveiling:1b90bcf, author = {Kafeine}, title = {{Unveiling the Locker Bomba (aka Lucky Locker v0.6 aka Lyposit/Adneukine)}}, date = {2013-05-21}, organization = {Malware Don't Need Coffee}, url = {http://malware.dontneedcoffee.com/2013/05/unveiling-locker-bomba-aka-lucky-locker.html}, language = {English}, urldate = {2020-01-10} } @online{kafeine:20140618:neutrino:a72cb23, author = {Kafeine}, title = {{Neutrino Bot (aka MS:Win32/Kasidet)}}, date = {2014-06-18}, organization = {Malware Don't Need Coffee}, url = {http://malware.dontneedcoffee.com/2014/06/neutrino-bot-aka-kasidet.html}, language = {English}, urldate = {2020-01-10} } @online{kafeine:20150304:new:0c67206, author = {Kafeine}, title = {{New crypto ransomware in town : CryptoFortress}}, date = {2015-03-04}, organization = {Malware Don't Need Coffee}, url = {http://malware.dontneedcoffee.com/2015/03/cryptofortress-teeraca-aka.html}, language = {English}, urldate = {2019-11-29} } @online{kafeine:20170515:adylkuzz:c94b40e, author = {Kafeine}, title = {{Adylkuzz Cryptocurrency Mining Malware Spreading for Weeks Via EternalBlue/DoublePulsar}}, date = {2017-05-15}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar}, language = {English}, urldate = {2019-12-20} } @online{kafeine:20170620:adgholas:8ca8d57, author = {Kafeine}, title = {{AdGholas Malvertising Campaign Using Astrum EK to Deliver Mole Ransomware}}, date = {2017-06-20}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/adgholas-malvertising-campaign-using-astrum-ek-deliver-mole-ransomware}, language = {English}, urldate = {2019-12-20} } @online{kafeine:20171016:coalabot:28f848f, author = {Kafeine}, title = {{CoalaBot: http Ddos Bot}}, date = {2017-10-16}, organization = {Malware Don't Need Coffee}, url = {https://malware.dontneedcoffee.com/2017/10/coalabot-http-ddos-bot.html}, language = {English}, urldate = {2020-01-10} } @online{kafeine:20171019:apt28:927b889, author = {Kafeine and Pierre T}, title = {{APT28 racing to exploit CVE-2017-11292 Flash vulnerability before patches are deployed}}, date = {2017-10-19}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/apt28-racing-exploit-cve-2017-11292-flash-vulnerability-patches-are-deployed}, language = {English}, urldate = {2019-12-20} } @online{kafeine:20180131:smominru:5a6c554, author = {Kafeine}, title = {{Smominru Monero mining botnet making millions for operators}}, date = {2018-01-31}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators}, language = {English}, urldate = {2019-12-20} } @online{kafeine:20190203:fallout:00a924c, author = {Kafeine}, title = {{Tweet on Fallout Exploit Kit}}, date = {2019-02-03}, organization = {Twitter (@kafeine)}, url = {https://twitter.com/kafeine/status/1092000556598677504}, language = {English}, urldate = {2020-01-07} } @online{kafeine:20190722:brushaloader:487137c, author = {Kafeine and Proofpoint Threat Insight Team}, title = {{BrushaLoader still sweeping up victims one year later}}, date = {2019-07-22}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/brushaloader-still-sweeping-victims-one-year-later}, language = {English}, urldate = {2019-12-20} } @online{kafka:20170921:new:8bcb309, author = {Filip Kafka}, title = {{New FinFisher surveillance campaigns: Internet providers involved?}}, date = {2017-09-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/09/21/new-finfisher-surveillance-campaigns/}, language = {English}, urldate = {2019-11-14} } @online{kafka:20171208:strongpity2:116d419, author = {Filip Kafka}, title = {{StrongPity2 spyware replaces FinFisher in MitM campaign – ISP involved?}}, date = {2017-12-08}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/}, language = {English}, urldate = {2019-11-14} } @techreport{kafka:20180124:esets:246a0d4, author = {Filip Kafka}, title = {{ESET’S GUIDE TODEOBFUSCATING AND DEVIRTUALIZING FINFISHER}}, date = {2018-01-24}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf}, language = {English}, urldate = {2020-01-13} } @online{kafka:20180309:new:9d79d4b, author = {Filip Kafka}, title = {{New traces of Hacking Team in the wild}}, date = {2018-03-09}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/03/09/new-traces-hacking-team-wild/}, language = {English}, urldate = {2019-11-14} } @online{kafka:201901:vb2018:7d81852, author = {Filip Kafka}, title = {{VB2018 paper: From Hacking Team to hacked team to...?}}, date = {2019-01}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-hacking-team-hacked-team/}, language = {English}, urldate = {2020-01-13} } @online{kai5263499:20170222:bella:2b93625, author = {kai5263499}, title = {{Bella: A pure python, post-exploitation, data mining tool and remote administration tool for macOS.}}, date = {2017-02-22}, organization = {Github (kai5263499)}, url = {https://github.com/kai5263499/Bella}, language = {English}, urldate = {2020-01-06} } @online{kajiloti:20191112:purelocker:9d8244d, author = {Michael Kajiloti}, title = {{PureLocker: New Ransomware-as-a-Service Being Used in Targeted Attacks Against Servers}}, date = {2019-11-12}, organization = {Intezer}, url = {https://www.intezer.com/blog-purelocker-ransomware-being-used-in-targeted-attacks-against-servers/}, language = {English}, urldate = {2020-01-13} } @online{kajiloti:20200330:fantastic:c01db60, author = {Michael Kajiloti}, title = {{Fantastic payloads and where we find them}}, date = {2020-03-30}, organization = {Intezer}, url = {https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them}, language = {English}, urldate = {2020-04-07} } @online{kamluk:20140114:icefog:bc79c50, author = {Vitaly Kamluk and Igor Soumenkov and Costin Raiu}, title = {{The Icefog APT Hits US Targets With Java Backdoor}}, date = {2014-01-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-icefog-apt-hits-us-targets-with-java-backdoor/58209/}, language = {English}, urldate = {2019-12-20} } @online{kan:20170417:new:6eb33c6, author = {Michael Kan}, title = {{New NSA leak may expose its bank spying, Windows exploits}}, date = {2017-04-17}, organization = {CSO Online}, url = {https://www.csoonline.com/article/3190055/new-nsa-leak-may-expose-its-bank-spying-windows-exploits.html}, language = {English}, urldate = {2019-12-24} } @techreport{karim:20190408:trails:83a8378, author = {Taha Karim}, title = {{Trails of WindShift}}, date = {2019-04-08}, institution = {SANS Cyber Security Summit}, url = {https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf}, language = {English}, urldate = {2020-01-20} } @online{karim:20191210:new:b423605, author = {Taha Karim}, title = {{New macOS Bundlore Loader Analysis}}, date = {2019-12-10}, organization = {Confiant}, url = {https://blog.confiant.com/new-macos-bundlore-loader-analysis-ca16d19c058c}, language = {English}, urldate = {2020-01-07} } @online{karim:20200713:internet:be95d1e, author = {Taha Karim}, title = {{Internet Explorer CVE-2019–1367 Exploitation — part 1}}, date = {2020-07-13}, organization = {Confiant}, url = {https://blog.confiant.com/internet-explorer-cve-2019-1367-exploitation-part-1-7ff08b7dcc8b}, language = {English}, urldate = {2020-07-15} } @online{karim:20200713:internet:d7f7dd7, author = {Taha Karim}, title = {{Internet Explorer CVE-2019–1367 In the wild Exploitation - prelude}}, date = {2020-07-13}, organization = {Confiant}, url = {https://blog.confiant.com/internet-explorer-cve-2019-1367-in-the-wild-exploitation-prelude-ef546f19cd30}, language = {English}, urldate = {2020-07-15} } @online{karim:20200714:internet:a2f6f67, author = {Taha Karim}, title = {{Internet Explorer CVE-2019–1367 Exploitation — part 3}}, date = {2020-07-14}, organization = {Confiant}, url = {https://blog.confiant.com/internet-explorer-cve-2019-1367-exploitation-part-3-a92d3011b38}, language = {English}, urldate = {2020-07-15} } @online{karmi:20200104:look:441fa96, author = {Doron Karmi}, title = {{A Look Into Konni 2019 Campaign}}, date = {2020-01-04}, organization = {Medium d-hunter}, url = {https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b}, language = {English}, urldate = {2020-01-17} } @online{karpin:20161107:little:598f939, author = {Julia Karpin and Shaul Vilkomir-Preisman and Anna Dorfman}, title = {{Little Trickbot Growing Up: New Campaign}}, date = {2016-11-07}, organization = {F5 Labs}, url = {https://f5.com/labs/articles/threat-intelligence/malware/little-trickbot-growing-up-new-campaign-24412}, language = {English}, urldate = {2020-01-06} } @online{karpin:20180711:tackling:b80ad4a, author = {Julia Karpin}, title = {{Tackling Gootkit's Traps}}, date = {2018-07-11}, organization = {F5}, url = {https://www.f5.com/labs/articles/threat-intelligence/tackling-gootkit-s-traps}, language = {English}, urldate = {2019-12-17} } @techreport{karve:201608:diving:6f604b3, author = {Sanchit Karve and Guilherme Venere and Mark Olea}, title = {{DIVING INTO PINKSLIPBOT’S LATEST CAMPAIGN}}, date = {2016-08}, institution = {Intel Security}, url = {https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf}, language = {English}, urldate = {2019-11-27} } @online{kaspersky:20060626:erpresser:6c57dc7, author = {Kaspersky}, title = {{Erpresser}}, date = {2006-06-26}, organization = {Kaspersky Labs}, url = {https://de.securelist.com/analysis/59479/erpresser/}, language = {German}, urldate = {2020-01-08} } @online{kaspersky:20120717:kaspersky:bbbf635, author = {Kaspersky}, title = {{Kaspersky Lab and Seculert Announce ‘Madi,’ a Newly Discovered Cyber-Espionage Campaign in the Middle East}}, date = {2012-07-17}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/about/press-releases/2012_kaspersky-lab-and-seculert-announce--madi--a-newly-discovered-cyber-espionage-campaign-in-the-middle-east}, language = {English}, urldate = {2019-12-10} } @techreport{kaspersky:201402:unveiling:4e5e91c, author = {Kaspersky}, title = {{Unveiling “Careto” - The Masked APT}}, date = {2014-02}, institution = {Kaspersky Labs}, url = {https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20133638/unveilingthemask_v1.0.pdf}, language = {English}, urldate = {2019-10-12} } @online{kaspersky:20140827:nettraveler:5469ce3, author = {Kaspersky}, title = {{NetTraveler Gets a Makeover for 10th Anniversary}}, date = {2014-08-27}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/about/press-releases/2014_nettraveler-gets-a-makeover-for-10th-anniversary}, language = {English}, urldate = {2020-01-13} } @techreport{kaspersky:201502:equation:3c079fb, author = {Kaspersky}, title = {{Equation Group: Questions and Answers}}, date = {2015-02}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{kaspersky:20170307:from:2d853ae, author = {Kaspersky}, title = {{From Shamoon to Stonedrill}}, date = {2017-03-07}, institution = {Kaspersky Labs}, url = {https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf}, language = {English}, urldate = {2020-01-09} } @online{kaspersky:20170501:crouching:a5be2eb, author = {Kaspersky}, title = {{Crouching Yeti (Energetic Bear) Malware}}, date = {2017-05-01}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/resource-center/threats/crouching-yeti-energetic-bear-malware-threat}, language = {English}, urldate = {2020-01-10} } @online{kaspersky:20180717:return:1dcb99e, author = {Kaspersky}, title = {{The return of Fantomas, or how we deciphered Cryakl}}, date = {2018-07-17}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-return-of-fantomas-or-how-we-deciphered-cryakl/86511/}, language = {English}, urldate = {2019-12-20} } @online{kaspersky:20190520:video:148e81f, author = {Kaspersky}, title = {{Video: Operation ShadowHammer: Costin Raiu and Vitaly Kamlyuk at #TheSAS2019}}, date = {2019-05-20}, organization = {YouTube}, url = {https://www.youtube.com/watch?v=T5wPwvLrBYU}, language = {English}, urldate = {2020-01-08} } @online{kaspersky:20191029:shadedecryptor:4a5e5f4, author = {Kaspersky}, title = {{ShadeDecryptor tool}}, date = {2019-10-29}, organization = {Kaspersky Labs}, url = {https://support.kaspersky.com/13059}, language = {English}, urldate = {2020-01-09} } @online{kaspersky:20191211:story:d54a08a, author = {Kaspersky}, title = {{Story of the year 2019: Cities under ransomware siege}}, date = {2019-12-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/}, language = {English}, urldate = {2020-01-13} } @online{kaspersky:20200423:look:4e5d7ab, author = {Kaspersky}, title = {{A look at the ATM/PoS malware landscape from 2017-2019}}, date = {2020-04-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/atm-pos-malware-landscape-2017-2019/96750/}, language = {English}, urldate = {2020-04-26} } @online{kasslin:20071101:spam:8c0c4cd, author = {Kimmo Kasslin and Elia Florio}, title = {{Spam from the kernel}}, date = {2007-11-01}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2007/11/spam-kernel}, language = {English}, urldate = {2020-05-04} } @online{kasza:20161025:houdinis:d57d422, author = {Anthony Kasza}, title = {{Houdini’s Magic Reappearance}}, date = {2016-10-25}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/}, language = {English}, urldate = {2019-11-17} } @online{kasza:20161025:houdinis:f8fba8f, author = {Anthony Kasza}, title = {{Houdini’s Magic Reappearance}}, date = {2016-10-25}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/10/unit42-houdinis-magic-reappearance/?adbsc=social67221546&adbid=790972447373668352&adbpl=tw&adbpr=4487645412}, language = {English}, urldate = {2019-12-20} } @online{kasza:20170227:gamaredon:322eb5f, author = {Anthony Kasza and Dominik Reichel}, title = {{The Gamaredon Group Toolset Evolution}}, date = {2017-02-27}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/}, language = {English}, urldate = {2019-12-20} } @online{kasza:20170227:gamaredon:3d28d34, author = {Anthony Kasza and Dominik Reichel}, title = {{The Gamaredon Group Toolset Evolution}}, date = {2017-02-27}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution/}, language = {English}, urldate = {2020-01-09} } @online{kasza:20170227:gamaredon:a88c3f8, author = {Anthony Kasza and Dominik Reichel}, title = {{The Gamaredon Group Toolset Evolution}}, date = {2017-02-27}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution}, language = {English}, urldate = {2019-12-20} } @online{kasza:20170407:blockbuster:0e430d3, author = {Anthony Kasza and Micah Yates}, title = {{The Blockbuster Sequel}}, date = {2017-04-07}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/04/unit42-the-blockbuster-sequel/}, language = {English}, urldate = {2019-12-20} } @online{kasza:20170814:blockbuster:79266d5, author = {Anthony Kasza}, title = {{The Blockbuster Saga Continues}}, date = {2017-08-14}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-continues/}, language = {English}, urldate = {2019-12-20} } @online{kasza:20171120:operation:0bc8efe, author = {Anthony Kasza and Juan Cortes and Micah Yates}, title = {{Operation Blockbuster Goes Mobile}}, date = {2017-11-20}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-operation-blockbuster-goes-mobile/}, language = {English}, urldate = {2019-12-24} } @online{kate:20200119:bayworld:2cc2212, author = {kate}, title = {{BayWorld event, Cyber Attack Against Foreign Trade Industry}}, date = {2020-01-19}, organization = {360}, url = {https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/}, language = {English}, urldate = {2020-02-03} } @online{kate:20200509:clodcore:6e24986, author = {kate}, title = {{ClodCore: A malware family that delivers mining modules through cloud control}}, date = {2020-05-09}, organization = {360 Total Security}, url = {https://blog.360totalsecurity.com/en/clodcore-a-malware-family-that-delivers-mining-modules-through-cloud-control/}, language = {English}, urldate = {2020-05-18} } @online{kate:20200514:vendetta:06e3cde, author = {kate}, title = {{Vendetta - new threat actor from Europe}}, date = {2020-05-14}, organization = {360 Total Security}, url = {https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/}, language = {English}, urldate = {2020-05-18} } @online{katsuki:20120820:crisis:60cb26b, author = {Takashi Katsuki}, title = {{Crisis for Windows Sneaks onto Virtual Machines}}, date = {2012-08-20}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines}, language = {English}, urldate = {2020-01-10} } @online{katsuki:20121116:malware:9268919, author = {Takashi Katsuki}, title = {{Malware Targeting Windows 8 Uses Google Docs}}, date = {2012-11-16}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/malware-targeting-windows-8-uses-google-docs}, language = {English}, urldate = {2020-01-10} } @online{kawaii:20191022:new:0d66066, author = {Jagaimo Kawaii}, title = {{New PatchWork Spearphishing Attack}}, date = {2019-10-22}, organization = {Lab52}, url = {https://lab52.io/blog/new-patchwork-campaign-against-pakistan/}, language = {English}, urldate = {2020-01-13} } @online{kawaii:20200113:apt27:4c2f818, author = {Jagaimo Kawaii}, title = {{APT27 ZxShell RootKit module updates}}, date = {2020-01-13}, organization = {Lab52}, url = {https://lab52.io/blog/apt27-rootkit-updates/}, language = {English}, urldate = {2020-01-13} } @online{kawaii:20200602:mustang:2cf125a, author = {Jagaimo Kawaii}, title = {{Mustang Panda Recent Activity: Dll-Sideloading trojans with temporal C2 servers}}, date = {2020-06-02}, organization = {Lab52}, url = {https://lab52.io/blog/mustang-panda-recent-activity-dll-sideloading-trojans-with-temporal-c2-servers/}, language = {English}, urldate = {2020-06-03} } @online{kayal:20191002:domestic:f400298, author = {Aseel Kayal and Lotem Finkelstein}, title = {{Domestic Kitten: an Iranian surveillance program}}, date = {2019-10-02}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/conference/vb2019/abstracts/domestic-kitten-iranian-surveillance-program}, language = {English}, urldate = {2020-01-09} } @online{kazantsev:20200504:atm:20ca401, author = {Anatoly Kazantsev}, title = {{ATM malware targets Wincor and Diebold ATMs}}, date = {2020-05-04}, organization = {Avira}, url = {https://insights.oem.avira.com/atm-malware-targets-wincor-and-diebold-atms/}, language = {English}, urldate = {2020-05-18} } @online{kb:20170203:zeus:02a798a, author = {Manuel K.-B.}, title = {{Zeus Panda Webinjects: a case study}}, date = {2017-02-03}, url = {https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/}, language = {English}, urldate = {2019-11-22} } @online{kb:20170313:zeus:9a4fbcd, author = {Manuel K.-B.}, title = {{Zeus Panda Webinjects: Don’t trust your eyes}}, date = {2017-03-13}, url = {https://cyber.wtf/2017/03/13/zeus-panda-webinjects-dont-trust-your-eyes/}, language = {English}, urldate = {2020-01-13} } @online{keller:20170512:global:2ee68f6, author = {Holger Keller}, title = {{Global WannaCry ransomware outbreak uses known NSA exploits}}, date = {2017-05-12}, organization = {Emsisoft}, url = {http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/}, language = {English}, urldate = {2019-12-10} } @techreport{kellermann:20200528:modern:8155ea4, author = {Tom Kellermann and Ryan Murphy}, title = {{Modern Bank Heists 3.0}}, date = {2020-05-28}, institution = {VMWare Carbon Black}, url = {https://cdn.www.carbonblack.com/wp-content/uploads/2020/05/VMWCB-Report-Modern-Bank-Heists-2020.pdf}, language = {English}, urldate = {2020-05-29} } @online{kelly:20141020:orcarat:236c19f, author = {Dan Kelly and Tom Lancaster}, title = {{OrcaRAT - A whale of a tale}}, date = {2014-10-20}, organization = {PWC}, url = {http://pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html}, language = {English}, urldate = {2019-11-24} } @online{kenefick:20180910:closer:b2e9b2a, author = {Ian Kenefick}, title = {{A Closer Look at the Locky Poser, PyLocky Ransomware}}, date = {2018-09-10}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-the-locky-poser-pylocky-ransomware/}, language = {English}, urldate = {2020-01-13} } @online{kenin:20171219:brickerbot:4cbdce8, author = {Simon Kenin}, title = {{BrickerBot mod_plaintext Analysis}}, date = {2017-12-19}, organization = {Trustwave}, url = {https://www.trustwave.com/Resources/SpiderLabs-Blog/BrickerBot-mod_plaintext-Analysis/}, language = {English}, urldate = {2020-01-08} } @online{kennedy:20191006:go:82e5c38, author = {Joakim Kennedy}, title = {{Go under the hood: Eris Ransomware}}, date = {2019-10-06}, organization = {Playhouse}, url = {https://lekstu.ga/posts/go-under-the-hood-eris/}, language = {English}, urldate = {2020-01-10} } @online{kennedy:20200810:anomali:241a19b, author = {Joakim Kennedy and Rory Gould}, title = {{Anomali Threat Research Releases First Public Analysis of Smaug Ransomware as a Service}}, date = {2020-08-10}, organization = {Anomali}, url = {https://www.anomali.com/blog/anomali-threat-research-releases-first-public-analysis-of-smaug-ransomware-as-a-service}, language = {English}, urldate = {2020-08-12} } @online{kent:20161220:backdoorpralice:4bbc640, author = {Nolan Kent}, title = {{Backdoor.Pralice}}, date = {2016-12-20}, organization = {Symantec}, url = {https://www.symantec.com/security-center/writeup/2016-122104-0203-99}, language = {English}, urldate = {2019-07-09} } @online{kerner:20170406:chinese:81730df, author = {Sean Michael Kerner}, title = {{Chinese Nation-State Hackers Target U.S in Operation TradeSecret}}, date = {2017-04-06}, organization = {eWeek}, url = {https://www.eweek.com/security/chinese-nation-state-hackers-target-u.s-in-operation-tradesecret}, language = {English}, urldate = {2020-01-08} } @online{kerr:20180213:stopping:14ebecf, author = {Devon Kerr}, title = {{Stopping Olympic Destroyer: New Process Injection Insights}}, date = {2018-02-13}, organization = {Endgame}, url = {https://www.endgame.com/blog/technical-blog/stopping-olympic-destroyer-new-process-injection-insights}, language = {English}, urldate = {2020-01-08} } @online{kersten:20190216:emotet:7cb0628, author = {Max Kersten}, title = {{Emotet droppers}}, date = {2019-02-16}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-droppers/}, language = {English}, urldate = {2020-01-09} } @online{kersten:20191014:corona:60d807b, author = {Max Kersten}, title = {{Corona DDoS bot}}, date = {2019-10-14}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/binary-analysis-course/malware-analysis/corona-ddos-bot/}, language = {English}, urldate = {2020-01-13} } @online{kersten:20200120:ticket:ad7af1c, author = {Max Kersten}, title = {{Ticket resellers infected with a credit card skimmer}}, date = {2020-01-20}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/2020/01/20/ticket-resellers-infected-with-a-credit-card-skimmer/}, language = {English}, urldate = {2020-01-27} } @online{kersten:20200217:following:07470c1, author = {Max Kersten}, title = {{Following the tracks of MageCart 12}}, date = {2020-02-17}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/2020/02/17/following-the-tracks-of-magecart-12/}, language = {English}, urldate = {2020-02-20} } @online{kersten:20200224:closing:9d39fcf, author = {Max Kersten}, title = {{Closing in on MageCart 12}}, date = {2020-02-24}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/2020/02/24/closing-in-on-magecart-12/}, language = {English}, urldate = {2020-02-25} } @online{kersten:20200326:azorult:5d5ee1f, author = {Max Kersten}, title = {{Azorult loader stages}}, date = {2020-03-26}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/binary-analysis-course/malware-analysis/azorult-loader-stages/}, language = {English}, urldate = {2020-03-26} } @online{kersten:20200414:emotet:ec18d45, author = {Max Kersten}, title = {{Emotet JavaScript downloader}}, date = {2020-04-14}, url = {https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-javascript-downloader/}, language = {English}, urldate = {2020-04-14} } @online{keshet:20161109:tricks:c3ab510, author = {Lior Keshet}, title = {{Tricks of the Trade: A Deeper Look Into TrickBot’s Machinations}}, date = {2016-11-09}, url = {https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/}, language = {English}, urldate = {2019-10-17} } @online{keshet:20170104:exposing:fd0938e, author = {Lior Keshet}, title = {{Exposing an AV-Disabling Driver Just in Time for Lunch}}, date = {2017-01-04}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/exposing-av-disabling-drivers-just-in-time-for-lunch/}, language = {English}, urldate = {2020-01-10} } @online{keshet:20170110:client:5352952, author = {Lior Keshet and Limor Kessem}, title = {{Client Maximus: New Remote Overlay Malware Highlights Rising Malcode Sophistication in Brazil}}, date = {2017-01-10}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/client-maximus-new-remote-overlay-malware-highlights-rising-malcode-sophistication-in-brazil/}, language = {English}, urldate = {2020-01-07} } @online{kessem:20130807:thieves:f60d69b, author = {Limor Kessem}, title = {{Thieves Reaching for Linux—”Hand of Thief” Trojan Targets Linux #INTH3WILD}}, date = {2013-08-07}, organization = {RSA}, url = {https://web.archive.org/web/20130815040638/https://blogs.rsa.com/thieves-reaching-for-linux-hand-of-thief-trojan-targets-linux-inth3wild/}, language = {English}, urldate = {2020-03-02} } @online{kessem:20150812:tinba:250e880, author = {Limor Kessem}, title = {{Tinba Trojan Sets Its Sights on Romania}}, date = {2015-08-12}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/tinba-trojan-sets-its-sights-on-romania/}, language = {English}, urldate = {2020-01-06} } @online{kessem:20160414:meet:16351ef, author = {Limor Kessem and Lior Keshet}, title = {{Meet GozNym: The Banking Malware Offspring of Gozi ISFB and Nymaim}}, date = {2016-04-14}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/}, language = {English}, urldate = {2020-01-06} } @online{kessem:20160708:gootkit:ed75518, author = {Limor Kessem}, title = {{GootKit: Bobbing and Weaving to Avoid Prying Eyes}}, date = {2016-07-08}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/gootkit-bobbing-and-weaving-to-avoid-prying-eyes/}, language = {English}, urldate = {2020-01-07} } @online{kessem:20160816:brazil:0bc05a3, author = {Limor Kessem and Denis Laskov and Ziv Eli}, title = {{Brazil Can’t Catch a Break: After Panda Comes the Sphinx}}, date = {2016-08-16}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-the-sphinx/}, language = {English}, urldate = {2020-01-08} } @online{kessem:20160920:meanwhile:7b7a093, author = {Limor Kessem and Hanan Natan and Denis Laskov}, title = {{Meanwhile in Britain, Qadars v3 Hardens Evasion, Targets 18 UK Banks}}, date = {2016-09-20}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/meanwhile-britain-qadars-v3-hardens-evasion-targets-18-uk-banks/}, language = {English}, urldate = {2019-12-17} } @online{kessem:20170126:around:eaefc0c, author = {Limor Kessem}, title = {{Around the World With Zeus Sphinx: From Canada to Australia and Back}}, date = {2017-01-26}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/around-the-world-with-zeus-sphinx-from-canada-to-australia-and-back/}, language = {English}, urldate = {2020-01-07} } @online{kessem:20170328:nukebot:2b33bbb, author = {Limor Kessem and Ilya Kolmanovich}, title = {{The NukeBot Trojan, a Bruised Ego and a Surprising Source Code Leak}}, date = {2017-03-28}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/}, language = {English}, urldate = {2020-01-05} } @online{kessem:20170615:zeus:7c4b8e4, author = {Limor Kessem}, title = {{Zeus Sphinx Pushes Empty Configuration Files — What Has the Sphinx Got Cooking?}}, date = {2017-06-15}, url = {https://securityintelligence.com/zeus-sphinx-pushes-empty-configuration-files-what-has-the-sphinx-got-cooking/}, language = {English}, urldate = {2019-12-02} } @online{kessem:20170727:after:10c4ba5, author = {Limor Kessem and Shachar Gritzman}, title = {{After Big Takedown Efforts, 20 More BankBot Mobile Malware Apps Make It Into Google Play}}, date = {2017-07-27}, organization = {Security Intelligence}, url = {https://securityintelligence.com/after-big-takedown-efforts-20-more-bankbot-mobile-malware-apps-make-it-into-google-play/}, language = {English}, urldate = {2019-12-06} } @online{kessem:20171011:trickbot:57ebc20, author = {Limor Kessem}, title = {{TrickBot Takes to Latin America, Continues to Expand Its Global Reach}}, date = {2017-10-11}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/trickbot-takes-to-latin-america-continues-to-expand-its-global-reach/}, language = {English}, urldate = {2020-01-08} } @online{kessem:20171113:new:bb937fd, author = {Limor Kessem and Maor Wiesen and Tal Darsan and Tomer Agayev}, title = {{New Banking Trojan IcedID Discovered by IBM X-Force Research}}, date = {2017-11-13}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/}, language = {English}, urldate = {2019-11-27} } @online{kessem:20180822:backswap:73c04f5, author = {Limor Kessem}, title = {{BackSwap Malware Now Targets Six Banks in Spain}}, date = {2018-08-22}, organization = {IBM}, url = {https://securityintelligence.com/backswap-malware-now-targets-six-banks-in-spain/}, language = {English}, urldate = {2019-12-20} } @online{kessem:20180904:camubot:d0c8b12, author = {Limor Kessem and Maor Wiesen}, title = {{CamuBot: New Financial Malware Targets Brazilian Banking Customers}}, date = {2018-09-04}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/camubot-new-financial-malware-targets-brazilian-banking-customers/}, language = {English}, urldate = {2020-01-13} } @online{kessem:20190516:goznym:cb4a177, author = {Limor Kessem}, title = {{GozNym Closure Comes in the Shape of a Europol and DOJ Arrest Operation}}, date = {2019-05-16}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/posts/goznym-closure-comes-in-the-shape-of-a-europol-and-doj-arrest-operation/}, language = {English}, urldate = {2019-12-05} } @online{khanse:20170301:poorly:1107be6, author = {Anand Khanse}, title = {{Poorly coded Lamdelin Lockscreen Ransomware lets you in using Alt+F4}}, date = {2017-03-01}, organization = {The Windows Club}, url = {http://news.thewindowsclub.com/poorly-coded-lamdelin-lockscreen-ransomware-alt-f4-88576/}, language = {English}, urldate = {2019-07-09} } @online{kharouni:20100121:sasfis:8634992, author = {Loucif Kharouni}, title = {{SASFIS Fizzles in the Background}}, date = {2010-01-21}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/sasfis-fizzles-in-the-background/}, language = {English}, urldate = {2019-12-18} } @techreport{kharouni:201410:operation:f1d1705, author = {Loucif Kharouni and Feike Hacquebord and Numaan Huq and Jim Gogolinski and Fernando Mercês and Alfred Remorin and Douglas Otis}, title = {{Operation Pawn Storm: Using Decoys to Evade Detection}}, date = {2014-10}, institution = {Trend Micro}, url = {http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf}, language = {English}, urldate = {2019-11-28} } @online{khasaia:20170717:wmighost:20b59d3, author = {Lasha Khasaia}, title = {{WMIGhost / Wimmie - WMI malware}}, date = {2017-07-17}, organization = {Secrary Blog}, url = {https://secrary.com/ReversingMalware/WMIGhost/}, language = {English}, urldate = {2019-12-24} } @online{khasaia:20180319:reversing:f6a3e7c, author = {Lasha Khasaia}, title = {{Reversing iBank Trojan [Injection Phase]}}, date = {2018-03-19}, organization = {Secrary}, url = {https://secrary.com/ReversingMalware/iBank/}, language = {English}, urldate = {2019-10-29} } @online{khasaia:20180628:brief:d854824, author = {Lasha Khasaia}, title = {{A Brief Overview of the AMMYY RAT Downloader}}, date = {2018-06-28}, organization = {Secrary Blog}, url = {https://secrary.com/ReversingMalware/AMMY_RAT_Downloader/}, language = {English}, urldate = {2020-01-13} } @online{kim:20180720:cyberattack:ac7f5e4, author = {Jack Kim}, title = {{Cyberattack on Singapore health database steals details of 1.5 million, including PM}}, date = {2018-07-20}, organization = {Reuters}, url = {https://www.reuters.com/article/us-singapore-cyberattack/cyberattack-on-singapore-health-database-steals-details-of-1-5-million-including-pm-idUSKBN1KA14J}, language = {English}, urldate = {2020-01-08} } @online{kim:20200310:kimsuky:f634a21, author = {Jaeki Kim and Kyoung-Ju Kwak (郭炅周) and Min-Chang Jang}, title = {{Kimsuky group: tracking the king of the spear phishing}}, date = {2020-03-10}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-kimsuky-group-tracking-king-spearphishing/}, language = {English}, urldate = {2020-03-11} } @online{kimayong:20180213:new:b8d70e2, author = {Paul Kimayong}, title = {{New Gootkit Banking Trojan variant pushes the limits on evasive behavior}}, date = {2018-02-13}, organization = {Juniper}, url = {https://forums.juniper.net/t5/Security-Now/New-Gootkit-Banking-Trojan-variant-pushes-the-limits-on-evasive/ba-p/319055}, language = {English}, urldate = {2019-12-10} } @online{kimayong:20180521:nukebot:dcd8985, author = {Paul Kimayong}, title = {{Nukebot Banking Trojan targeting people in France}}, date = {2018-05-21}, organization = {Juniper}, url = {https://forums.juniper.net/t5/Threat-Research/Nukebot-Banking-Trojan-targeting-people-in-France/ba-p/326702}, language = {English}, urldate = {2019-11-22} } @online{kimayong:20200618:covid19:4bb5511, author = {Paul Kimayong}, title = {{COVID-19 and FMLA Campaigns used to install new IcedID banking malware}}, date = {2020-06-18}, organization = {Juniper}, url = {https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware}, language = {English}, urldate = {2020-06-23} } @online{kimberly:20110804:analysis:fcb91de, author = {Kimberly}, title = {{Analysis of ngrBot}}, date = {2011-08-04}, organization = {Stop Malvertising Rootkits}, url = {http://stopmalvertising.com/rootkits/analysis-of-ngrbot.html}, language = {English}, urldate = {2019-12-04} } @online{kimberly:20120420:analysis:6fe646f, author = {Kimberly}, title = {{Analysis of DarkMegi aka NpcDark}}, date = {2012-04-20}, organization = {StopMalvertising}, url = {http://stopmalvertising.com/rootkits/analysis-of-darkmegi-aka-npcdark.html}, language = {English}, urldate = {2020-01-09} } @online{kimberly:20140427:analysis:a034e60, author = {Kimberly}, title = {{Analysis of the Predator Pain Keylogger}}, date = {2014-04-27}, organization = {StopMalvertising}, url = {http://stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html}, language = {English}, urldate = {2019-11-24} } @online{kimberly:20140716:mini:58ac768, author = {Kimberly}, title = {{Mini Analysis of the TinyBanker Tinba}}, date = {2014-07-16}, organization = {StopMalvertising}, url = {http://stopmalvertising.com/malware-reports/mini-analysis-of-the-tinybanker-tinba.html}, language = {English}, urldate = {2020-01-08} } @online{kimberly:20140831:introduction:eb2cc6b, author = {Kimberly}, title = {{Introduction to the ZeroLocker ransomware}}, date = {2014-08-31}, organization = {StopMalvertising}, url = {http://stopmalvertising.com/malware-reports/introduction-to-the-zerolocker-ransomware.html}, language = {English}, urldate = {2020-01-13} } @online{kimberly:20191010:malware:032ed3c, author = {Kimberly}, title = {{Tweet on Malware Sample}}, date = {2019-10-10}, organization = {Twitter (@StopMalvertisin)}, url = {https://twitter.com/StopMalvertisin/status/1182505434231398401}, language = {English}, urldate = {2020-01-10} } @online{kino:20200220:lodeinfo:9842ab1, author = {Kota Kino}, title = {{日本国内の組織を狙ったマルウエアLODEINFO}}, date = {2020-02-20}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/ja/2020/02/LODEINFO.html}, language = {Japanese}, urldate = {2020-02-27} } @online{kino:20200611:lodeinfo:104e43a, author = {Kota Kino}, title = {{マルウエアLODEINFOの進化 (Evolution of Malware LODEINFO)}}, date = {2020-06-11}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/ja/2020/06/LODEINFO-2.html}, language = {Japanese}, urldate = {2020-06-12} } @online{kirk:20110726:spyeye:a7ad044, author = {Jeremy Kirk}, title = {{SpyEye Trojan defeating online banking defenses}}, date = {2011-07-26}, organization = {Computerworld}, url = {https://www.computerworld.com/article/2509482/spyeye-trojan-defeating-online-banking-defenses.html}, language = {English}, urldate = {2020-01-13} } @online{kirk:20120104:spyeye:3ecb013, author = {Jeremy Kirk}, title = {{SpyEye Malware Borrows Zeus Trick to Mask Fraud}}, date = {2012-01-04}, organization = {PCWorld}, url = {https://www.pcworld.com/article/247252/spyeye_malware_borrows_zeus_trick_to_mask_fraud.html}, language = {English}, urldate = {2020-01-08} } @online{kirk:20160221:source:dfeba08, author = {Jeremy Kirk}, title = {{Source code for powerful Android banking malware is leaked}}, date = {2016-02-21}, url = {https://www.pcworld.com/article/3035725/source-code-for-powerful-android-banking-malware-is-leaked.html}, language = {English}, urldate = {2019-10-29} } @online{kivva:20160606:everyone:ee770c6, author = {Anton Kivva}, title = {{Everyone sees not what they want to see}}, date = {2016-06-06}, organization = {Kaspersky Labs}, url = {https://securelist.com/everyone-sees-not-what-they-want-to-see/74997/}, language = {English}, urldate = {2019-12-20} } @online{kiwi:20110428:un:4c39d1d, author = {Gentil Kiwi}, title = {{Un observateur d’événements aveugle…}}, date = {2011-04-28}, url = {http://blog.gentilkiwi.com/securite/un-observateur-evenements-aveugle}, language = {English}, urldate = {2020-01-07} } @online{kiyotaka:20180329:chessmaster:c48e1c0, author = {Tamada Kiyotaka and MingYen Hsieh}, title = {{ChessMaster Adds Updated Tools to Its Arsenal}}, date = {2018-03-29}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-adds-updated-tools-to-its-arsenal/}, language = {English}, urldate = {2020-01-08} } @techreport{kiyotaka:20200117:is:969ff38, author = {Tamada Kiyotaka and Keita Yamazaki and You Nakatsuru}, title = {{Is It Wrong to Try to Find APT Techniques in Ransomware Attack?}}, date = {2020-01-17}, institution = {Secureworks}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf}, language = {English}, urldate = {2020-04-06} } @online{klason:20180809:bokbot:499f316, author = {Alfred Klason}, title = {{Bokbot: The (re)birth of a banker}}, date = {2018-08-09}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/}, language = {English}, urldate = {2019-12-20} } @online{klein:20120215:merchant:b6f5565, author = {Amit Klein}, title = {{Merchant of Fraud Returns: Shylock Polymorphic Financial Malware Infections on the Rise}}, date = {2012-02-15}, organization = {Security Intelligence}, url = {https://securityintelligence.com/merchant-of-fraud-returns-shylock-polymorphic-financial-malware-infections-on-the-rise/}, language = {English}, urldate = {2019-11-23} } @online{kleinhen:20190603:code:3634038, author = {Derek Kleinhen}, title = {{Code Analysis of Basic Cryptomining Malware}}, date = {2019-06-03}, organization = {Kindred Security}, url = {https://kindredsec.com/2019/06/03/code-analysis-of-basic-cryptomining-malware/}, language = {English}, urldate = {2020-01-06} } @techreport{kleinhen:20191210:swort:ab1b863, author = {Derek Kleinhen}, title = {{Swort PowerShell Stager Analysis}}, date = {2019-12-10}, institution = {Github (itsKindred)}, url = {https://github.com/itsKindred/malware-analysis-writeups/blob/master/swrort-dropper/swrort-stager-analysis.pdf}, language = {English}, urldate = {2020-01-10} } @techreport{kleinhen:20191224:bashar:944cfdf, author = {Derek Kleinhen}, title = {{Bashar Bachir Infection Chain Analysis}}, date = {2019-12-24}, institution = {Github (itsKindred)}, url = {https://github.com/itsKindred/malware-analysis-writeups/blob/master/bashar-bachir-chain/bashar-bachir-analysis.pdf}, language = {English}, urldate = {2020-01-10} } @online{kleissner:20130326:behind:d12032a, author = {Peter Kleissner}, title = {{Behind MultiBanker, what the security industry doesn’t tell you and its money mule network}}, date = {2013-03-26}, organization = {Kleissner & Associates}, url = {http://blog.kleissner.org/?p=69}, language = {English}, urldate = {2019-12-20} } @online{kleissner:20130521:news:b67b754, author = {Peter Kleissner}, title = {{News on MultiBanker, features now a jabber p2p functionality}}, date = {2013-05-21}, organization = {Kleissner & Associates}, url = {http://blog.kleissner.org/?p=192}, language = {English}, urldate = {2020-01-08} } @online{kleissner:20150610:pony:2dbaf47, author = {Peter Kleissner}, title = {{Pony + Pkybot + Automated Transfer System = Banker}}, date = {2015-06-10}, organization = {Kleissner & Associates}, url = {http://blog.kleissner.org/?p=788}, language = {English}, urldate = {2020-01-08} } @techreport{kleissner:20151202:sality:791ea01, author = {Peter Kleissner}, title = {{Sality: 2003 - Today}}, date = {2015-12-02}, institution = {Botconf}, url = {https://www.botconf.eu/wp-content/uploads/2015/12/OK-P18-Kleissner-Sality.pdf}, language = {English}, urldate = {2020-01-13} } @online{klijnsma:20151130:inside:801d2d4, author = {Yonathan Klijnsma}, title = {{Inside Braviax/FakeRean: An analysis and history of a FakeAV family}}, date = {2015-11-30}, organization = {0x3A Security}, url = {https://0x3asecurity.wordpress.com/2015/11/30/134260124544/}, language = {English}, urldate = {2019-07-09} } @techreport{klijnsma:20160517:mofang:7035a61, author = {Yonathan Klijnsma and Danny Heppener and Mitchel Sahertian and Krijn de Mik and Maarten van Dantzig and Yun Zheng Hu and Lennart Haagsma and Martin van Hensbergen and Erik de Jong}, title = {{Mofang: A politically motivated information stealing adversary}}, date = {2016-05-17}, institution = {Fox-IT}, url = {https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf}, language = {English}, urldate = {2020-01-09} } @online{klijnsma:20171025:down:8d41ef5, author = {Yonathan Klijnsma}, title = {{Down the Rabbit Hole: Tracking the BadRabbit Ransomware to a Long Ongoing Campaign of Target Selection}}, date = {2017-10-25}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/badrabbit/}, language = {English}, urldate = {2020-01-10} } @online{klijnsma:20171026:new:8298949, author = {Yonathan Klijnsma}, title = {{New htpRAT Gives Complete Remote Control Capabilities to Chinese Cyber Threat Actors}}, date = {2017-10-26}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/htprat/}, language = {English}, urldate = {2020-01-09} } @online{klijnsma:20171102:new:d98411c, author = {Yonathan Klijnsma}, title = {{New Insights into Energetic Bear’s Watering Hole Cyber Attacks on Turkish Critical Infrastructure}}, date = {2017-11-02}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/energetic-bear/}, language = {English}, urldate = {2020-01-13} } @online{klijnsma:20171128:gaffe:7c5097a, author = {Yonathan Klijnsma}, title = {{Gaffe Reveals Full List of Targets in Spear Phishing Attack Using Cobalt Strike Against Financial Institutions}}, date = {2017-11-28}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/cobalt-strike/}, language = {English}, urldate = {2020-01-13} } @online{klijnsma:20171220:mining:4b3dc11, author = {Yonathan Klijnsma}, title = {{Mining Insights: Infrastructure Analysis of Lazarus Group Cyber Attacks on the Cryptocurrency Industry}}, date = {2017-12-20}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/}, language = {English}, urldate = {2020-01-13} } @online{klijnsma:20180116:first:9184887, author = {Yonathan Klijnsma}, title = {{First Activities of Cobalt Group in 2018: Spear Phishing Russian Banks}}, date = {2018-01-16}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/cobalt-group-spear-phishing-russian-banks/}, language = {English}, urldate = {2019-11-26} } @online{klijnsma:20180123:espionage:f3d28b0, author = {Yonathan Klijnsma}, title = {{Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors}}, date = {2018-01-23}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/}, language = {English}, urldate = {2019-12-24} } @online{klijnsma:20180709:inside:e92fff2, author = {Yonathan Klijnsma and Jordan Herman}, title = {{Inside and Beyond Ticketmaster: The Many Breaches of Magecart}}, date = {2018-07-09}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/}, language = {English}, urldate = {2020-01-12} } @online{klijnsma:20190228:magecart:e2b0173, author = {Yonathan Klijnsma}, title = {{Magecart Group 4: Never Gone, Always Advancing – Professionals In Cybercrime}}, date = {2019-02-28}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/magecart-group-4-always-advancing/}, language = {English}, urldate = {2020-01-06} } @online{klijnsma:20200318:magecart:2ee4a78, author = {Yonathan Klijnsma}, title = {{Magecart Group 8 Blends into NutriBullet.com Adding To Their Growing List of Victims}}, date = {2020-03-18}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/magecart-nutribullet/}, language = {English}, urldate = {2020-03-19} } @online{kline:20170810:globe:382859f, author = {Amanda Kline}, title = {{Globe Imposter Ransomware Makes a New Run}}, date = {2017-08-10}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/globe-imposter-ransomware-makes-a-new-run}, language = {English}, urldate = {2020-01-07} } @online{klnai:20130408:banking:20bce4c, author = {Peter Kálnai}, title = {{Banking Trojan Carberp: An Epitaph?}}, date = {2013-04-08}, organization = {Avast}, url = {https://blog.avast.com/2013/04/08/carberp_epitaph/}, language = {English}, urldate = {2020-02-25} } @online{klnai:20130722:multisystem:907e0a4, author = {Peter Kálnai}, title = {{Multisystem Trojan Janicab attacks Windows and MacOSX via scripts}}, date = {2013-07-22}, organization = {Avast}, url = {https://blog.avast.com/2013/07/22/multisystem-trojan-janicab-attacks-windows-and-macosx-via-scripts/}, language = {English}, urldate = {2020-05-20} } @online{klnai:20130827:linux:02c05c7, author = {Peter Kálnai}, title = {{Linux Trojan “Hand of Thief” ungloved}}, date = {2013-08-27}, organization = {Avast}, url = {https://blog.avast.com/2013/08/27/linux-trojan-hand-of-thief-ungloved/}, language = {English}, urldate = {2020-03-02} } @online{klnai:20130925:win3264napolar:4f16ddc, author = {Peter Kálnai}, title = {{Win32/64:Napolar: New Trojan shines on the cyber crime-scene}}, date = {2013-09-25}, organization = {Avast}, url = {https://blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/}, language = {English}, urldate = {2020-02-26} } @techreport{klnai:20131029:dissecting:30488b5, author = {Peter Kálnai and Jaromír Hořejší}, title = {{Dissecting Banking Trojan Carberp}}, date = {2013-10-29}, institution = {RSA Conference}, url = {https://web.archive.org/web/20150713145858/http://www.rsaconference.com/writable/presentations/file_upload/ht-t06-dissecting-banking-trojan-carberp_copy1.pdf}, language = {English}, urldate = {2020-02-27} } @online{klnai:20150106:linux:d8e30ec, author = {Peter Kálnai}, title = {{Linux DDoS Trojan hiding itself with an embedded rootkit}}, date = {2015-01-06}, organization = {Avast}, url = {https://blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/}, language = {English}, urldate = {2020-02-25} } @techreport{klnai:201509:ddos:21c35c6, author = {Peter Kálnai and Jaromír Hořejší}, title = {{DDOS TROJAN: A MALICIOUS CONCEPT THAT CONQUERED THE ELF FORMAT}}, date = {2015-09}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference/vb2015/KalnaiHorejsi-VB2015.pdf}, language = {English}, urldate = {2020-01-08} } @online{klnai:20160101:notes:100f4d8, author = {Peter Kálnai and Jaromír Hořejší}, title = {{Notes on click fraud: American story}}, date = {2016-01-01}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2016/01/paper-notes-click-fraud-american-story/}, language = {English}, urldate = {2020-03-04} } @online{klnai:20161220:new:05597b1, author = {Peter Kálnai and Michal Malík}, title = {{New Linux/Rakos threat: devices and servers under SSH scan (again)}}, date = {2016-12-20}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/}, language = {English}, urldate = {2019-11-14} } @online{klnai:20161220:new:4044e88, author = {Peter Kálnai and Michal Malík}, title = {{New Linux/Rakos threat: devices and servers under SSH scan (again)}}, date = {2016-12-20}, organization = {ESET Research}, url = {http://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/}, language = {English}, urldate = {2019-12-20} } @online{klnai:20170216:demystifying:7ae8785, author = {Peter Kálnai}, title = {{Demystifying targeted malware used against Polish banks}}, date = {2017-02-16}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/}, language = {English}, urldate = {2019-11-14} } @online{klnai:20170928:moneymaking:ac6e685, author = {Peter Kálnai and Michal Poslušný}, title = {{Money‑making machine: Monero‑mining malware}}, date = {2017-09-28}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/09/28/monero-money-mining-malware/}, language = {English}, urldate = {2019-11-14} } @online{klnai:20180403:lazarus:14ff18c, author = {Peter Kálnai and Anton Cherepanov}, title = {{Lazarus KillDisks Central American casino}}, date = {2018-04-03}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/}, language = {English}, urldate = {2019-11-14} } @techreport{klnai:20181003:lazarus:bebf0ad, author = {Peter Kálnai and Michal Poslušný}, title = {{LAZARUS GROUP: A MAHJONG GAME PLAYED WITH DIFFERENT SETS OF TILES}}, date = {2018-10-03}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf}, language = {English}, urldate = {2020-01-06} } @online{klnai:20200514:mikroceen:b259a8c, author = {Peter Kálnai}, title = {{Mikroceen: Spying backdoor leveraged in high‑profile networks in Central Asia}}, date = {2020-05-14}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/}, language = {English}, urldate = {2020-05-14} } @online{klopsch:20200322:mustang:56f3768, author = {Andreas Klopsch}, title = {{Mustang Panda joins the COVID-19 bandwagon}}, date = {2020-03-22}, organization = {Malware and Stuff}, url = {https://malwareandstuff.com/mustang-panda-joins-the-covid19-bandwagon/}, language = {English}, urldate = {2020-03-27} } @online{klopsch:20200330:old:ed1f6ef, author = {Andreas Klopsch}, title = {{An old enemy – Diving into QBot part 1}}, date = {2020-03-30}, organization = {Malware and Stuff}, url = {https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-1/}, language = {English}, urldate = {2020-04-01} } @online{klopsch:20200505:old:84beb5b, author = {Andreas Klopsch}, title = {{An old enemy – Diving into QBot part 3}}, date = {2020-05-05}, organization = {Malware and Stuff}, url = {https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-3/}, language = {English}, urldate = {2020-05-05} } @online{klopsch:20200524:examining:842b499, author = {Andreas Klopsch}, title = {{Examining Smokeloader’s Anti Hooking technique}}, date = {2020-05-24}, organization = {Malware and Stuff}, url = {https://malwareandstuff.com/examining-smokeloaders-anti-hooking-technique/}, language = {English}, urldate = {2020-05-25} } @online{klopsch:20200610:harmful:c46175f, author = {Andreas Klopsch}, title = {{Harmful Logging - Diving into MassLogger}}, date = {2020-06-10}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/2020/06/36129-harmful-logging-diving-into-masslogger}, language = {English}, urldate = {2020-06-10} } @online{klopsch:20200621:upnp:f54abe6, author = {Andreas Klopsch}, title = {{UpnP – Messing up Security since years}}, date = {2020-06-21}, organization = {Malware and Stuff}, url = {https://malwareandstuff.com/upnp-messing-up-security-since-years/}, language = {English}, urldate = {2020-06-22} } @online{klopsch:20200712:deobfuscating:a374688, author = {Andreas Klopsch}, title = {{Deobfuscating DanaBot’s API Hashing}}, date = {2020-07-12}, organization = {Malware and Stuff}, url = {https://malwareandstuff.com/deobfuscating-danabots-api-hashing/}, language = {English}, urldate = {2020-07-15} } @online{kmerolla:20150731:otx:0dc083c, author = {KMEROLLA}, title = {{OTX Pulse on PlugX}}, date = {2015-07-31}, organization = {AlienVault}, url = {https://otx.alienvault.com/pulse/55bbc68e67db8c2d547ae393/}, language = {English}, urldate = {2020-01-08} } @online{knight:20190930:cb:a21cf30, author = {Scott Knight}, title = {{CB Threat Analysis Unit: Technical Analysis of “Crosswalk”}}, date = {2019-09-30}, organization = {vmware}, url = {https://www.carbonblack.com/2019/09/30/cb-threat-analysis-unit-technical-analysis-of-crosswalk/}, language = {English}, urldate = {2020-04-21} } @online{knight:20200326:dukes:df85f94, author = {Scott Knight}, title = {{The Dukes of Moscow}}, date = {2020-03-26}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/}, language = {English}, urldate = {2020-05-18} } @online{knight:20200416:evolution:39b90c0, author = {Scott Knight}, title = {{The Evolution of Lazarus}}, date = {2020-04-16}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/}, language = {English}, urldate = {2020-04-17} } @online{knockel:20200507:we:04af3df, author = {Jeffrey Knockel and Christopher Parsons and Lotus Ruan and Ruohan Xiong and Jedidiah Crandall and Ron Deibert}, title = {{We Chat, They Watch: How International Users Unwittingly Build up WeChat’s Chinese Censorship Apparatus}}, date = {2020-05-07}, organization = {The Citizenlab}, url = {https://citizenlab.ca/2020/05/we-chat-they-watch/}, language = {English}, urldate = {2020-05-07} } @online{knowlton:20100825:military:dc8aa06, author = {Brian Knowlton}, title = {{Military Computer Attack Confirmed}}, date = {2010-08-25}, organization = {The New York Times}, url = {https://www.nytimes.com/2010/08/26/technology/26cyber.html}, language = {English}, urldate = {2019-11-29} } @online{knutsen:20171119:iranian:654e55f, author = {ELISE KNUTSEN}, title = {{Iranian agents blackmailed BBC reporter with ‘naked photo’ threats}}, date = {2017-11-19}, organization = {Arab News}, url = {http://www.arabnews.com/node/1195681/media}, language = {English}, urldate = {2019-12-17} } @online{kohei:20160720:crypmic:b272a4c, author = {Kawabata Kohei}, title = {{CrypMIC Ransomware Wants to Follow CryptXXX’s Footsteps}}, date = {2016-07-20}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/crypmic-ransomware-wants-to-follow-cryptxxx/}, language = {English}, urldate = {2020-01-09} } @online{kolesnikov:20180911:kronososiris:ab69b91, author = {Oleg Kolesnikov and Harshvardhan Parashar}, title = {{KRONOS/Osiris Banking Trojan Attack}}, date = {2018-09-11}, organization = {Securonix}, url = {https://www.securonix.com/securonix-threat-research-kronos-osiris-banking-trojan-attack}, language = {English}, urldate = {2020-01-09} } @online{komarov:20160909:govrat:292ff22, author = {Andrew Komarov}, title = {{GOVRAT V2.0 - Attacking US military and government}}, date = {2016-09-09}, organization = {InfoArmor}, url = {https://www.yumpu.com/en/document/view/55930175/govrat-v20}, language = {English}, urldate = {2019-10-15} } @techreport{kopeytsev:20200528:steganography:8f5230a, author = {Vyacheslav Kopeytsev}, title = {{Steganography in targeted attacks on industrial enterprises}}, date = {2020-05-28}, institution = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/media/KASPERSKY_Steganography_in_targeted_attacks_EN.pdf}, language = {English}, urldate = {2020-05-29} } @online{kopriva:20200203:analysis:c531bd3, author = {Jan Kopriva}, title = {{Analysis of a triple-encrypted AZORult downloader}}, date = {2020-02-03}, organization = {SANS ISC}, url = {https://isc.sans.edu/forums/diary/Analysis+of+a+tripleencrypted+AZORult+downloader/25768/}, language = {English}, urldate = {2020-02-10} } @online{korczynski:20190813:state:a4ad074, author = {David Korczynski}, title = {{The state of advanced code injections}}, date = {2019-08-13}, organization = {Adalogics}, url = {https://adalogics.com/blog/the-state-of-advanced-code-injections}, language = {English}, urldate = {2020-01-13} } @online{koren:20161101:ursnif:a5e4fcd, author = {Ariel Koren}, title = {{Ursnif Malware: Deep Technical Dive}}, date = {2016-11-01}, organization = {Ariel Koren's Blog}, url = {https://arielkoren.com/blog/2016/11/01/ursnif-malware-deep-technical-dive/}, language = {English}, urldate = {2020-01-10} } @online{koren:20161102:nymaim:26e076d, author = {Ariel Koren}, title = {{Nymaim Malware: Deep Technical Dive – Adventures in Evasive Malware}}, date = {2016-11-02}, organization = {Ariel Koren's Blog}, url = {https://arielkoren.com/blog/2016/11/02/nymaim-deep-technical-dive-adventures-in-evasive-malware/}, language = {English}, urldate = {2020-01-08} } @online{koriat:20160617:in:f42b6a0, author = {Oren Koriat}, title = {{In The Wild: Mobile Malware Implements New Features}}, date = {2016-06-17}, organization = {Check Point}, url = {https://blog.checkpoint.com/2016/06/17/in-the-wild-mobile-malware-implements-new-features/}, language = {English}, urldate = {2020-01-08} } @online{kosayev:20191007:dissecting:161f586, author = {Uriel Kosayev}, title = {{Dissecting Ardamax Keylogger}}, date = {2019-10-07}, organization = {Medium}, url = {https://medium.com/@MalFuzzer/dissecting-ardamax-keylogger-f33f922d2576}, language = {English}, urldate = {2020-01-05} } @online{kotowicz:20150517:newest:1b5db0b, author = {Maciej Kotowicz}, title = {{Newest addition to a happy family: KBOT}}, date = {2015-05-17}, organization = {CERT.PL}, url = {https://lokalhost.pl/txt/newest_addition_to_happy_family_kbot.17.05.2015.txt}, language = {English}, urldate = {2020-04-06} } @online{kotowicz:20170529:gozi:96e962d, author = {Maciej Kotowicz}, title = {{Gozi Tree}}, date = {2017-05-29}, organization = {Lokalhost.pl}, url = {https://lokalhost.pl/gozi_tree.txt}, language = {English}, urldate = {2020-01-08} } @online{kotowicz:20170702:isfb:2fe662b, author = {Maciej Kotowicz}, title = {{ISFB: Still Live and Kicking}}, date = {2017-07-02}, organization = {CERT.PL}, url = {https://journal.cecyf.fr/ojs/index.php/cybin/article/view/15}, language = {English}, urldate = {2020-01-13} } @techreport{kotowicz:20171006:peering:668c82e, author = {Maciej Kotowicz and Jarosław Jedynak}, title = {{Peering into spam botnets}}, date = {2017-10-06}, institution = {CERT.PL}, url = {https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf}, language = {English}, urldate = {2020-04-06} } @online{kotowicz:20200226:abusing:2a32e8e, author = {Maciej Kotowicz}, title = {{(Ab)using bash-fu to analyze recent Aggah sample}}, date = {2020-02-26}, organization = {MalwareLab.pl}, url = {https://blog.malwarelab.pl/posts/basfu_aggah/}, language = {English}, urldate = {2020-02-27} } @online{kotowicz:20200321:royal:da8fd16, author = {Maciej Kotowicz}, title = {{On the Royal Road}}, date = {2020-03-21}, organization = {MalwareLab.pl}, url = {https://blog.malwarelab.pl/posts/on_the_royal_road/}, language = {English}, urldate = {2020-03-24} } @online{kotowicz:20200423:quick:ce2218e, author = {Maciej Kotowicz}, title = {{Quick look at Nazar backdoor - Capabilities}}, date = {2020-04-23}, organization = {MalwareLab.pl}, url = {https://blog.malwarelab.pl/posts/nazar_eyservice/}, language = {English}, urldate = {2020-05-05} } @online{kotowicz:20200427:quick:e6bf310, author = {Maciej Kotowicz}, title = {{Quick look at Nazar's backdoor - Network Communication}}, date = {2020-04-27}, organization = {MalwareLab.pl}, url = {https://blog.malwarelab.pl/posts/nazar_eyservice_comm/}, language = {English}, urldate = {2020-05-05} } @online{kotowicz:20200515:in:e687019, author = {Maciej Kotowicz}, title = {{In depth analysis of Lazarus validator}}, date = {2020-05-15}, organization = {MalwareLab.pl}, url = {https://blog.malwarelab.pl/posts/lazarus_validator/}, language = {English}, urldate = {2020-05-19} } @online{kotowicz:20200622:venomrat:129ba02, author = {Maciej Kotowicz}, title = {{VenomRAT - new, hackforums grade, reincarnation of QuassarRAT}}, date = {2020-06-22}, organization = {MalwareLab.pl}, url = {https://blog.malwarelab.pl/posts/venom/}, language = {English}, urldate = {2020-06-25} } @online{koustek:20170512:wannacry:ff9bc08, author = {Jakub Křoustek}, title = {{WannaCry ransomware that infected Telefonica and NHS hospitals is spreading aggressively, with over 50,000 attacks so far today}}, date = {2017-05-12}, organization = {Avast}, url = {https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today}, language = {English}, urldate = {2020-01-07} } @online{kovacs:20170719:darkhotel:03c4181, author = {Eduard Kovacs}, title = {{'DarkHotel' APT Uses New Methods to Target Politicians}}, date = {2017-07-19}, organization = {SecurityWeek}, url = {https://www.securityweek.com/darkhotel-apt-uses-new-methods-target-politicians}, language = {English}, urldate = {2020-01-09} } @online{kozy:20141002:occupy:bda8f35, author = {Adam Kozy}, title = {{Occupy Central: The Umbrella Revolution and Chinese Intelligence}}, date = {2014-10-02}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/occupy-central-the-umbrella-revolution-and-chinese-intelligence/}, language = {English}, urldate = {2020-05-11} } @online{kozy:20150223:cyber:d6b26b8, author = {Adam Kozy}, title = {{Cyber Kung-Fu: The Great Firewall Art of DNS Poisoning}}, date = {2015-02-23}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/cyber-kung-fu-great-firewall-art-dns-poisoning/}, language = {English}, urldate = {2020-05-11} } @online{kozy:20150601:rhetoric:365c0d1, author = {Adam Kozy}, title = {{Rhetoric Foreshadows Cyber Activity in the South China Sea}}, date = {2015-06-01}, organization = {CrowdStrike}, url = {http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/}, language = {English}, urldate = {2019-12-20} } @techreport{kozy:20150806:bringing:a7978d5, author = {Adam Kozy and Johannes Gilger}, title = {{Bringing A Cannon To A Knife Fight}}, date = {2015-08-06}, institution = {CrowdStrike}, url = {https://www.blackhat.com/docs/us-15/materials/us-15-Kozy-Bringing-A-Cannon-To-A-Knife-Fight.pdf}, language = {English}, urldate = {2020-05-11} } @online{kozy:20151230:bringing:616e8d1, author = {Adam Kozy and Johannes Gilger}, title = {{Bringing A Cannon To A Knife Fight}}, date = {2015-12-30}, organization = {CrowdStrike}, url = {https://www.youtube.com/watch?v=wewFYh8pQrY}, language = {English}, urldate = {2020-05-11} } @online{kozy:20171220:end:218a388, author = {Adam Kozy}, title = {{An End to “Smash-and-Grab” and a Move to More Targeted Approaches}}, date = {2017-12-20}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/an-end-to-smash-and-grab-more-targeted-approaches/}, language = {English}, urldate = {2020-05-11} } @online{kozy:20180830:two:7e5235f, author = {Adam Kozy}, title = {{Two Birds, One STONE PANDA}}, date = {2018-08-30}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/two-birds-one-stone-panda/}, language = {English}, urldate = {2020-05-11} } @online{kpn:20200121:ftcode:358aca5, author = {KPN}, title = {{FTCODE: taking over (a portion of) the botnet}}, date = {2020-01-21}, organization = {KPN}, url = {https://www.kpn.com/security-blogs/FTCODE-taking-over-a-portion-of-the-botnet.htm}, language = {English}, urldate = {2020-01-22} } @online{kpn:20200128:tracking:6c628f3, author = {KPN}, title = {{Tracking REvil}}, date = {2020-01-28}, organization = {KPN}, url = {https://www.kpn.com/security-blogs/Tracking-REvil.htm}, language = {English}, urldate = {2020-01-28} } @online{krabs:20180302:analysing:7b1f12f, author = {Mr. Krabs}, title = {{Analysing Remcos RAT’s executable}}, date = {2018-03-02}, organization = {KrabsOnSecurity}, url = {https://krabsonsecurity.com/2018/03/02/analysing-remcos-rats-executable/}, language = {English}, urldate = {2019-07-31} } @online{krabs:20190213:analyzing:404862f, author = {Mr. Krabs}, title = {{Analyzing Amadey – a simple native malware}}, date = {2019-02-13}, organization = {KrabsOnSecurity}, url = {https://krabsonsecurity.com/2019/02/13/analyzing-amadey-a-simple-native-malware/}, language = {English}, urldate = {2020-01-08} } @online{krabs:20190604:taking:be0ac28, author = {Mr. Krabs}, title = {{Taking a look at Baldr stealer}}, date = {2019-06-04}, organization = {KrabsOnSecurity}, url = {https://krabsonsecurity.com/2019/06/04/taking-a-look-at-baldr-stealer/}, language = {English}, urldate = {2019-12-10} } @online{krabs:20191205:buer:9c3cf72, author = {Mr. Krabs}, title = {{Buer Loader, new Russian loader on the market with interesting persistence}}, date = {2019-12-05}, organization = {KrabsOnSecurity}, url = {https://krabsonsecurity.com/2019/12/05/buer-loader-new-russian-loader-on-the-market-with-interesting-persistence/}, language = {English}, urldate = {2020-01-08} } @online{krastev:20180719:killswitch:487a882, author = {Ventsislav Krastev}, title = {{Killswitch File Now Available for GandCrab v4.1.2 Ransomware}}, date = {2018-07-19}, organization = {Sensors Tech Forum}, url = {https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware/}, language = {English}, urldate = {2020-01-07} } @online{krastev:20180903:lockymap:1e8c9cd, author = {Ventsislav Krastev}, title = {{.lockymap Files Virus (PyLocky Ransomware) – Remove and Restore Data}}, date = {2018-09-03}, organization = {SensorTechForums}, url = {https://sensorstechforum.com/lockymap-files-virus-pylocky-ransomware-remove-restore-data/}, language = {English}, urldate = {2020-01-13} } @online{krasuski:20160902:necurs:d01f298, author = {Adam Krasuski}, title = {{Necurs – hybrid spam botnet}}, date = {2016-09-02}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/necurs-hybrid-spam-botnet/}, language = {English}, urldate = {2019-11-20} } @online{krasuski:20160916:tofsee:79a1d35, author = {Adam Krasuski}, title = {{Tofsee – modular spambot}}, date = {2016-09-16}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/tofsee-en/}, language = {English}, urldate = {2020-01-13} } @techreport{krcert:20200629:operation:bbe9f5c, author = {KrCERT}, title = {{OPERATION BOOKCODES}}, date = {2020-06-29}, institution = {KISA}, url = {https://www.boho.or.kr/filedownload.do?attach_file_seq=2455&attach_file_id=EpF2455.pdf}, language = {Korean}, urldate = {2020-06-29} } @online{krebs:20100401:spyeye:d557888, author = {Brian Krebs}, title = {{SpyEye vs. ZeuS Rivalry}}, date = {2010-04-01}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2010/04/spyeye-vs-zeus-rivalry/}, language = {English}, urldate = {2019-11-28} } @online{krebs:20100917:spyeye:92d9e7f, author = {Brian Krebs}, title = {{SpyEye Botnet’s Bogus Billing Feature}}, date = {2010-09-17}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2010/09/spyeye-botnets-bogus-billing-feature/}, language = {English}, urldate = {2019-10-15} } @online{krebs:20110328:microsoft:dab0119, author = {Brian Krebs}, title = {{Microsoft Hunting Rustock Controllers}}, date = {2011-03-28}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2011/03/microsoft-hunting-rustock-controllers/}, language = {English}, urldate = {2019-07-11} } @online{krebs:20110426:spyeye:b9e984e, author = {Brian Krebs}, title = {{SpyEye Targets Opera, Google Chrome Users}}, date = {2011-04-26}, url = {https://krebsonsecurity.com/2011/04/spyeye-targets-opera-google-chrome-users/}, language = {English}, urldate = {2020-01-08} } @online{krebs:20110728:trojan:2335232, author = {Brian Krebs}, title = {{Trojan Tricks Victims Into Transferring Funds}}, date = {2011-07-28}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2011/07/trojan-tricks-victims-into-transfering-funds/}, language = {English}, urldate = {2019-12-20} } @online{krebs:20120919:blog:c9b0499, author = {Brian Krebs}, title = {{Blog Posts on Nitol}}, date = {2012-09-19}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/tag/nitol/}, language = {English}, urldate = {2020-01-13} } @online{krebs:20130118:polish:d1c0560, author = {Brian Krebs}, title = {{Polish Takedown Targets ‘Virut’ Botnet}}, date = {2013-01-18}, url = {https://krebsonsecurity.com/2013/01/polish-takedown-targets-virut-botnet/}, language = {English}, urldate = {2019-12-18} } @online{krebs:20150209:anthem:1631cd7, author = {Brian Krebs}, title = {{Anthem Breach May Have Started in April 2014}}, date = {2015-02-09}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2015/02/anthem-breach-may-have-started-in-april-2014/}, language = {English}, urldate = {2019-11-29} } @online{krebs:20150515:carefirst:2847408, author = {Brian Krebs}, title = {{Carefirst Blue Cross Breach Hits 1.1M}}, date = {2015-05-15}, url = {https://krebsonsecurity.com/2015/05/carefirst-blue-cross-breach-hits-1-1m/}, language = {English}, urldate = {2020-01-05} } @online{krebs:20150615:catching:d4edaea, author = {Brian Krebs}, title = {{Catching Up on the OPM Breach}}, date = {2015-06-15}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2015/06/catching-up-on-the-opm-breach/}, language = {English}, urldate = {2020-01-09} } @online{krebs:20160721:canadian:5c7f22f, author = {Brian Krebs}, title = {{Canadian Man Behind Popular ‘Orcus RAT’}}, date = {2016-07-21}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2016/07/canadian-man-is-author-of-popular-orcus-rat/}, language = {English}, urldate = {2019-07-11} } @online{krebs:20160921:krebsonsecurity:259c3cd, author = {Brian Krebs}, title = {{KrebsOnSecurity Hit With Record DDoS}}, date = {2016-09-21}, url = {https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/}, language = {English}, urldate = {2019-12-18} } @online{krebs:20161001:source:796f0bc, author = {Brian Krebs}, title = {{Source Code for IoT Botnet ‘Mirai’ Released}}, date = {2016-10-01}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/}, language = {English}, urldate = {2019-07-10} } @online{krebs:20170301:ransomware:ead8101, author = {Brian Krebs}, title = {{Ransomware for Dummies: Anyone Can Do It}}, date = {2017-03-01}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2017/03/ransomware-for-dummies-anyone-can-do-it/}, language = {English}, urldate = {2020-01-09} } @online{krebs:20170406:selfproclaimed:542e91e, author = {Brian Krebs}, title = {{Self-Proclaimed ‘Nuclear Bot’ Author Weighs U.S. Job Offer}}, date = {2017-04-06}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/tag/nuclear-bot/}, language = {English}, urldate = {2019-07-27} } @online{krebs:20170512:uk:11a7e5a, author = {Brian Krebs}, title = {{U.K. Hospitals Hit in Widespread Ransomware Attack}}, date = {2017-05-12}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/}, language = {English}, urldate = {2020-01-06} } @online{krebs:20170828:tech:4df59f2, author = {Brian Krebs}, title = {{Tech Firms Team Up to Take Down ‘WireX’ Android DDoS Botnet}}, date = {2017-08-28}, url = {https://krebsonsecurity.com/2017/08/tech-firms-team-up-to-take-down-wirex-android-ddos-botnet/}, language = {English}, urldate = {2019-11-17} } @online{krebs:20171023:reaper:8341031, author = {Brian Krebs}, title = {{Reaper: Calm Before the IoT Security Storm?}}, date = {2017-10-23}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2017/10/reaper-calm-before-the-iot-security-storm}, language = {English}, urldate = {2020-01-10} } @online{krebs:20171127:who:8490729, author = {Brian Krebs}, title = {{WHO WAS THE NSA CONTRACTOR ARRESTED FOR LEAKING THE ‘SHADOW BROKERS’ HACKING TOOLS?}}, date = {2017-11-27}, organization = {Blacklake}, url = {https://blacklakesecurity.com/who-was-the-nsa-contractor-arrested-for-leaking-the-shadow-brokers-hacking-tools/}, language = {English}, urldate = {2019-11-25} } @online{krebs:20171213:mirai:bd2cb74, author = {Brian Krebs}, title = {{Mirai IoT Botnet Co-Authors Plead Guilty}}, date = {2017-12-13}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2017/12/mirai-iot-botnet-co-authors-plead-guilty/}, language = {English}, urldate = {2020-01-08} } @online{krebs:201807:luminositylink:1d9ce64, author = {Brian Krebs}, title = {{‘LuminosityLink RAT’ Author Pleads Guilty}}, date = {2018-07}, url = {https://krebsonsecurity.com/2018/07/luminositylink-rat-author-pleads-guilty/}, language = {English}, urldate = {2019-10-23} } @online{krebs:20180902:alleged:caf0cb2, author = {Brian Krebs}, title = {{Alleged ‘Satori’ IoT Botnet Operator Sought Media Spotlight, Got Indicted}}, date = {2018-09-02}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2018/09/alleged-satori-iot-botnet-operator-sought-media-spotlight-got-indicted/}, language = {English}, urldate = {2020-01-13} } @online{krebs:20190218:deep:0f75439, author = {Brian Krebs}, title = {{A Deep Dive on the Recent Widespread DNS Hijacking Attacks}}, date = {2019-02-18}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/tag/dnspionage/}, language = {English}, urldate = {2019-11-29} } @online{krebs:20190402:canadian:4743d2d, author = {Brian Krebs}, title = {{Canadian Police Raid ‘Orcus RAT’ Author}}, date = {2019-04-02}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2019/04/canadian-police-raid-orcus-rat-author/}, language = {English}, urldate = {2019-12-19} } @online{krebs:20190422:whos:2004970, author = {Brian Krebs}, title = {{Who’s Behind the RevCode WebMonitor RAT?}}, date = {2019-04-22}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2019/04/whos-behind-the-revcode-webmonitor-rat/}, language = {English}, urldate = {2020-01-13} } @online{krebs:20190603:report:e065d06, author = {Brian Krebs}, title = {{Report: No ‘Eternal Blue’ Exploit Found in Baltimore City Ransomware}}, date = {2019-06-03}, url = {https://krebsonsecurity.com/2019/06/report-no-eternal-blue-exploit-found-in-baltimore-city-ransomware/}, language = {English}, urldate = {2019-10-17} } @online{krebs:20190708:whos:54977ab, author = {Brian Krebs}, title = {{Who’s Behind the GandCrab Ransomware?}}, date = {2019-07-08}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2019/07/whos-behind-the-gandcrab-ransomware/}, language = {English}, urldate = {2020-01-07} } @online{krebs:20190715:is:4e715d7, author = {Brian Krebs}, title = {{Is ‘REvil’ the New GandCrab Ransomware?}}, date = {2019-07-15}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2019/07/is-revil-the-new-gandcrab-ransomware/}, language = {English}, urldate = {2020-01-06} } @online{krebs:20191001:mariposa:a422c50, author = {Brian Krebs}, title = {{Mariposa Botnet Author, Darkcode Crime Forum Admin Arrested in Germany}}, date = {2019-10-01}, url = {https://krebsonsecurity.com/2019/10/mariposa-botnet-author-darkcode-crime-forum-admin-arrested-in-germany/}, language = {English}, urldate = {2020-01-10} } @online{krebs:20191216:ransomware:f4d7d8c, author = {Brian Krebs}, title = {{Ransomware Gangs Now Outing Victim Businesses That Don’t Pay Up}}, date = {2019-12-16}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2019/12/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up/}, language = {English}, urldate = {2020-01-08} } @online{krebs:20191217:nuclear:88151cd, author = {Brian Krebs}, title = {{Nuclear Bot Author Arrested in Sextortion Case}}, date = {2019-12-17}, url = {https://krebsonsecurity.com/2019/12/nuclear-bot-author-arrested-in-sextortion-case/}, language = {English}, urldate = {2020-01-07} } @online{krebs:20200320:case:ae196f4, author = {Brian Krebs}, title = {{The Case for Limiting Your Browser Extensions}}, date = {2020-03-20}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2020/03/the-case-for-limiting-your-browser-extensions/}, language = {English}, urldate = {2020-05-05} } @online{krebs:20200506:europes:2f8ce94, author = {Brian Krebs}, title = {{Europe’s Largest Private Hospital Operator Fresenius Hit by Ransomware}}, date = {2020-05-06}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2020/05/europes-largest-private-hospital-operator-fresenius-hit-by-ransomware}, language = {English}, urldate = {2020-05-13} } @online{krebs:20200511:ransomware:2d96270, author = {Brian Krebs}, title = {{Ransomware Hit ATM Giant Diebold Nixdorf}}, date = {2020-05-11}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2020/05/ransomware-hit-atm-giant-diebold-nixdorf/}, language = {English}, urldate = {2020-05-13} } @online{kremez:20151226:backdoor:4552c35, author = {Vitali Kremez}, title = {{Backdoor: Win32/Hesetox.A: vSkimmer POS Malware Analysis }}, date = {2015-12-26}, organization = {Flashpoint}, url = {http://vkremez.weebly.com/cyber-security/-backdoor-win32hesetoxa-vskimmer-pos-malware-analysis}, language = {English}, urldate = {2019-12-24} } @online{kremez:20170724:lets:8b64c6c, author = {Vitali Kremez}, title = {{Let's Learn: Reversing Credential and Payment Card Information Stealer 'AZORult V2'}}, date = {2017-07-24}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html}, language = {English}, urldate = {2020-01-06} } @online{kremez:20170818:extracted:cdbd2f4, author = {Vitali Kremez}, title = {{Tweet on extracted config from Gootkit}}, date = {2017-08-18}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/898549340121288704}, language = {English}, urldate = {2020-01-06} } @online{kremez:20171105:lets:c732c05, author = {Vitali Kremez}, title = {{Let's Learn: Lethic Spambot & Survey of Anti-Analysis Techniques}}, date = {2017-11-05}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2017/11/lets-learn-lethic-spambot-survey-of.html}, language = {English}, urldate = {2020-01-07} } @online{kremez:20171112:lets:4db8d74, author = {Vitali Kremez}, title = {{Let's Learn: Dissecting Golroted Trojan's Process Hollowing Technique & UAC Bypass in HKCU\Environment}}, date = {2017-11-12}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2017/11/lets-learn-dissecting-golroted-trojans.html}, language = {English}, urldate = {2020-01-06} } @online{kremez:20171121:lets:5fb17b0, author = {Vitali Kremez}, title = {{Let's Learn: Trickbot Socks5 Backconnect Module In Detail}}, date = {2017-11-21}, url = {http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html}, language = {English}, urldate = {2019-11-22} } @online{kremez:20171122:trickbot:faea11e, author = {Vitali Kremez}, title = {{Trickbot Gang Evolves, Incorporates Account Checking Into Hybrid Attack Model}}, date = {2017-11-22}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/trickbot-account-checking-hybrid-attack-model/}, language = {English}, urldate = {2019-12-10} } @online{kremez:20171213:update:50a1f16, author = {Vitali Kremez}, title = {{Update: Let's Learn: Reversing FIN6 "GratefulPOS" aka "FrameworkPOS" Point-of-Sale Malware in-Depth}}, date = {2017-12-13}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2017/12/lets-learn-reversing-grateful-point-of.html}, language = {English}, urldate = {2020-01-08} } @online{kremez:20171219:lets:030e09a, author = {Vitali Kremez}, title = {{Let's Learn: Introducing New Trickbot LDAP "DomainGrabber" Module}}, date = {2017-12-19}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html}, language = {English}, urldate = {2019-11-23} } @online{kremez:20171227:lets:5c2d27f, author = {Vitali Kremez}, title = {{Let's Learn: Cutlet ATM Malware Internals}}, date = {2017-12-27}, url = {http://www.vkremez.com/2017/12/lets-learn-cutlet-atm-malware-internals.html}, language = {English}, urldate = {2019-07-22} } @online{kremez:20180129:lets:450880d, author = {Vitali Kremez}, title = {{Let's Learn: Dissecting FormBook Infostealer Malware: Crypter & "RunLib.dll"}}, date = {2018-01-29}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html}, language = {English}, urldate = {2020-01-10} } @online{kremez:20180222:lets:6fd91bb, author = {Vitali Kremez}, title = {{Let's Learn: Deeper Dive into Ramnit Banker "VNC IFSB" Remote Control Module}}, date = {2018-02-22}, url = {http://www.vkremez.com/2018/02/deeper-dive-into-ramnit-banker-vnc-ifsb.html}, language = {English}, urldate = {2019-12-04} } @online{kremez:20180325:lets:070366d, author = {Vitali Kremez}, title = {{Let's Learn: Internals of Iranian-Based Threat Group "Chafer" Malware: Autoit and PowerShell Persistence}}, date = {2018-03-25}, organization = {Vitali Kremez Blog}, url = {https://www.vkremez.com/2018/03/investigating-iranian-threat-group.html}, language = {English}, urldate = {2019-10-13} } @online{kremez:20180403:lets:b45dd50, author = {Vitali Kremez}, title = {{Let's Learn: Trickbot Implements Network Collector Module Leveraging CMD, WMI & LDAP}}, date = {2018-04-03}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2018/04/lets-learn-trickbot-implements-network.html}, language = {English}, urldate = {2019-07-27} } @online{kremez:20180413:lets:3dd37f4, author = {Vitali Kremez}, title = {{Let's Learn: In-Depth Dive into Gootkit Banker Version 4 Malware Analysis}}, date = {2018-04-13}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2018/04/lets-learn-in-depth-dive-into-gootkit.html}, language = {English}, urldate = {2019-10-23} } @online{kremez:20180729:lets:8f04eed, author = {Vitali Kremez}, title = {{Let's Learn: In-Depth Reversing of Qakbot "qbot" Banker Part 1}}, date = {2018-07-29}, organization = {Vitali Kremez Blog}, url = {https://www.vkremez.com/2018/07/lets-learn-in-depth-reversing-of-qakbot.html}, language = {English}, urldate = {2020-01-06} } @online{kremez:20180805:lets:489101d, author = {Vitali Kremez}, title = {{Let's Learn: Diving into the Latest "Ramnit" Banker Malware via "sLoad" PowerShell}}, date = {2018-08-05}, organization = {Vitali Kremez Blog}, url = {https://www.vkremez.com/2018/08/lets-learn-in-depth-into-latest-ramnit.html}, language = {English}, urldate = {2020-01-10} } @online{kremez:20180820:lets:d3f938c, author = {Vitali Kremez}, title = {{Let's Learn: Dissecting Panda Banker & Modules: Webinject, Grabber & Keylogger DLL Modules}}, date = {2018-08-20}, organization = {Vitali Kremez Blog}, url = {https://www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html}, language = {English}, urldate = {2019-10-23} } @online{kremez:20180825:lets:f8147ab, author = {Vitali Kremez}, title = {{Let's Learn: In-Depth Reversing of Recent Gozi ISFB Banking Malware Version 2.16/2.17 (portion of ISFB v3) & "loader.dll/client.dll"}}, date = {2018-08-25}, url = {https://www.vkremez.com/2018/08/lets-learn-in-depth-reversing-of-recent.html}, language = {English}, urldate = {2019-11-25} } @online{kremez:20180907:lets:8515a2b, author = {Vitali Kremez}, title = {{Let's Learn: Deeper Dive into "IcedID"/"BokBot" Banking Malware: Part 1}}, date = {2018-09-07}, url = {https://www.vkremez.com/2018/09/lets-learn-deeper-dive-into.html}, language = {English}, urldate = {2020-01-08} } @online{kremez:20181031:lets:e59c3f8, author = {Vitali Kremez}, title = {{Let's Learn: Exploring ZeusVM Banking Malware Hooking Engine}}, date = {2018-10-31}, organization = {Vitali Kremez Blog}, url = {https://www.vkremez.com/2018/10/lets-learn-exploring-zeusvm-banking.html}, language = {English}, urldate = {2019-12-24} } @online{kremez:20181105:lets:aed7583, author = {Vitali Kremez}, title = {{Let's Learn: In-Depth Reversing of Hancitor Dropper/Loader: 2016 vs 2018 Malware Progression}}, date = {2018-11-05}, url = {https://www.vkremez.com/2018/11/lets-learn-in-depth-reversing-of.html}, language = {English}, urldate = {2020-01-07} } @online{kremez:20181107:lets:d4ffc27, author = {Vitali Kremez}, title = {{Let’s Learn: Introducing Latest TrickBot Point-of-Sale Finder Module}}, date = {2018-11-07}, url = {https://www.vkremez.com/2018/11/lets-learn-introducing-latest-trickbot.html}, language = {English}, urldate = {2019-11-17} } @online{kremez:20181113:lets:dd6d4d7, author = {Vitali Kremez}, title = {{Let's Learn: Dissect Panda Banking Malware's "libinject" Process Injection Module}}, date = {2018-11-13}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2018/01/lets-learn-dissect-panda-banking.html}, language = {English}, urldate = {2020-01-13} } @online{kremez:20181127:lets:e9928d7, author = {Vitali Kremez}, title = {{Let's Learn: In-Depth on Sofacy Cannon Loader/Backdoor Review}}, date = {2018-11-27}, organization = {Vitali Kremez Blog}, url = {https://www.vkremez.com/2018/11/lets-learn-in-depth-on-sofacy-canon.html}, language = {English}, urldate = {2020-01-13} } @online{kremez:20181210:lets:f947fb1, author = {Vitali Kremez}, title = {{Let's Learn: Reviewing Sofacy's "Zebrocy" C++ Loader: Advanced Insight}}, date = {2018-12-10}, organization = {Vitali Kremez Blog}, url = {https://www.vkremez.com/2018/12/lets-learn-reviewing-sofacys-zebrocy-c.html}, language = {English}, urldate = {2020-01-09} } @online{kremez:20181221:lets:46e594a, author = {Vitali Kremez}, title = {{Let's Learn: In-Depth on APT28/Sofacy Zebrocy Golang Loader}}, date = {2018-12-21}, url = {https://www.vkremez.com/2018/12/lets-learn-dissecting-apt28sofacy.html}, language = {English}, urldate = {2019-12-24} } @online{kremez:20190107:lets:07f4941, author = {Vitali Kremez}, title = {{Let's Learn: Deeper Dive into Gamaredon Group Pteranodon Implant Version '_512'}}, date = {2019-01-07}, url = {https://www.vkremez.com/2019/01/lets-learn-deeper-dive-into-gamaredon.html}, language = {English}, urldate = {2020-01-07} } @online{kremez:20190115:disclosure:0e74c4e, author = {Vitali Kremez}, title = {{Disclosure of Chilean Redbanc Intrusion Leads to Lazarus Ties}}, date = {2019-01-15}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties/}, language = {English}, urldate = {2019-08-08} } @online{kremez:20190117:turla:1eff5e6, author = {Vitali Kremez}, title = {{Tweet on Turla Outlook Backdoor}}, date = {2019-01-17}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1085820673811992576}, language = {English}, urldate = {2020-01-13} } @online{kremez:20190328:lets:9a07122, author = {Vitali Kremez}, title = {{Let's Learn: Dissecting Operation ShadowHammer Shellcode Internals in crt_ExitProcess}}, date = {2019-03-28}, organization = {Vitali Kremez Blog}, url = {https://www.vkremez.com/2019/03/lets-learn-dissecting-operation.html}, language = {English}, urldate = {2020-01-10} } @online{kremez:20190413:decoded:c9b46a9, author = {Vitali Kremez}, title = {{Decoded Turla Powershell Implant}}, date = {2019-04-13}, organization = {GitHub}, url = {https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2019-04-13-Possible-Turla-PowerShell-Implant.ps1}, language = {English}, urldate = {2019-07-11} } @online{kremez:20190425:ransomware:4093d36, author = {Vitali Kremez}, title = {{Tweet on Ransomware}}, date = {2019-04-25}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1121440931759128576}, language = {English}, urldate = {2020-01-05} } @online{kremez:20190509:robinhood:187f468, author = {Vitali Kremez}, title = {{RobinHood Ransomware “CoolMaker” Functions Not So Cool}}, date = {2019-05-09}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/blog/robinhood-ransomware-coolmaker-function-not-cool/}, language = {English}, urldate = {2020-01-06} } @online{kremez:20190604:inside:d633c6f, author = {Vitali Kremez}, title = {{Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vitali Kremez}}, date = {2019-06-04}, organization = {SlideShare}, url = {https://www.slideshare.net/proidea_conferences/inside-cybercrime-groups-harvesting-active-directory-for-fun-and-profit-vitali-kremez}, language = {English}, urldate = {2020-01-13} } @online{kremez:20190619:macho:641b90d, author = {Vitali Kremez}, title = {{Tweet on Mach-O & PE32 Payloads}}, date = {2019-06-19}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1141540229951709184}, language = {English}, urldate = {2020-01-07} } @online{kremez:20190712:atm:9918194, author = {Vitali Kremez}, title = {{ATM Malware Pin/PAN Card Offline Skimmer XFSADM}}, date = {2019-07-12}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1149454961740255232}, language = {English}, urldate = {2019-11-17} } @online{kremez:20190824:notes:486e04c, author = {Vitali Kremez}, title = {{Notes on Nemty Ransomware}}, date = {2019-08-24}, organization = {Github (k-vitali)}, url = {https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2019-08-24-nemty-ransomware-notes.vk.raw}, language = {English}, urldate = {2020-01-13} } @online{kremez:20190911:stealeruploader:0d4c48f, author = {Vitali Kremez}, title = {{Tweet on Stealer/Uploader}}, date = {2019-09-11}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1171782155581689858}, language = {English}, urldate = {2020-01-07} } @online{kremez:20191011:possible:3be065d, author = {Vitali Kremez}, title = {{Possible Lazarus x86 Malware (AppleJeus)}}, date = {2019-10-11}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1182730637016481793}, language = {English}, urldate = {2019-11-23} } @online{kremez:20191017:lets:d41b75a, author = {Vitali Kremez}, title = {{Let's Learn: Dissecting Lazarus Windows x86 Loader Involved in Crypto Trading App Distribution: "snowman" & ADVObfuscator}}, date = {2019-10-17}, url = {https://www.vkremez.com/2019/10/lets-learn-dissecting-lazarus-windows.html}, language = {English}, urldate = {2020-01-08} } @online{kremez:20191024:how:e6d838d, author = {Vitali Kremez}, title = {{How TrickBot Malware Hooking Engine Targets Windows 10 Browsers}}, date = {2019-10-24}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/how-trickbot-hooking-engine-targets-windows-10-browsers/}, language = {English}, urldate = {2020-07-03} } @online{kremez:20191105:possible:e2886d4, author = {Vitali Kremez}, title = {{Tweet on Possible Snatch}}, date = {2019-11-05}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1191414501297528832}, language = {English}, urldate = {2020-01-08} } @online{kremez:20191202:socelars:8d5d01c, author = {Vitali Kremez}, title = {{Tweet on Socelars Stealer}}, date = {2019-12-02}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1201584107928653824}, language = {English}, urldate = {2020-01-17} } @online{kremez:20191210:morphisec:c0fc51c, author = {Vitali Kremez and Joshua Platt and Jason Reaves}, title = {{MORPHISEC DISCOVERS CCLEANER BACKDOOR SAVING MILLIONS OF AVAST USERS}}, date = {2019-12-10}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/the-deadly-planeswalker-how-the-trickbot-group-united-high-tech-crimeware-apt/}, language = {English}, urldate = {2020-01-08} } @online{kremez:20200109:toptier:4f8de90, author = {Vitali Kremez and Joshua Platt and Jason Reaves}, title = {{Top-Tier Russian Organized Cybercrime Group Unveils Fileless Stealthy “PowerTrick” Backdoor for High-Value Targets}}, date = {2020-01-09}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/}, language = {English}, urldate = {2020-01-13} } @online{kremez:20200125:extracted:3eb7aef, author = {Vitali Kremez}, title = {{Extracted Config for Ragnarok Ransomware}}, date = {2020-01-25}, organization = {Github (k-vitali)}, url = {https://github.com/k-vitali/Malware-Misc-RE/blob/master/2020-01-26-ragnarok-cfg-vk.notes.raw}, language = {English}, urldate = {2020-01-28} } @online{kremez:20200205:prorussian:4fab984, author = {Vitali Kremez}, title = {{Pro-Russian CyberSpy Gamaredon Intensifies Ukrainian Security Targeting}}, date = {2020-02-05}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/pro-russian-cyberspy-gamaredon-intensifies-ukrainian-security-targeting/}, language = {English}, urldate = {2020-02-09} } @online{kremez:20200227:lets:8b6f2b8, author = {Vitali Kremez}, title = {{Let’s Learn: Inside Parallax RAT Malware: Process Hollowing Injection & Process Doppelgänging API Mix: Part I}}, date = {2020-02-27}, url = {https://www.vkremez.com/2020/02/lets-learn-inside-parallax-rat-malware.html}, language = {English}, urldate = {2020-03-25} } @online{kremez:20200424:trickbot:3773039, author = {Vitali Kremez}, title = {{TrickBot "BazarBackdoor" Process Hollowing Injection Primer}}, date = {2020-04-24}, url = {https://www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html}, language = {English}, urldate = {2020-05-02} } @online{kremez:20200519:netwalker:7ad1e7c, author = {Vitali Kremez}, title = {{Netwalker Ransomware - From Static Reverse Engineering to Automatic Extraction}}, date = {2020-05-19}, organization = {zero2auto}, url = {https://zero2auto.com/2020/05/19/netwalker-re/}, language = {English}, urldate = {2020-06-02} } @online{kremez:20200617:signed:f8eecc6, author = {Vitali Kremez and malwrhunterteam}, title = {{Tweet on signed Tinymet payload (V.02) used by TA505}}, date = {2020-06-17}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1273292957429510150}, language = {English}, urldate = {2020-06-18} } @online{kremez:20200710:yara:9b51a77, author = {Vitali Kremez and Christiaan Beek and Tom Ueltschi and Hilko Bengen and Jo Johnson and Cooper Quintin and Wyatt Roersma and Tomislav Pericin}, title = {{YARA Rules talks and presentation of REVERSING 2020}}, date = {2020-07-10}, organization = {ReversingLabs}, url = {https://register.reversinglabs.com/reversing2020/session-videos}, language = {English}, urldate = {2020-07-11} } @online{kremez:20200711:trickbot:602fd73, author = {Vitali Kremez}, title = {{TrickBot Group Launches Test Module Alerting on Fraud Activity}}, date = {2020-07-11}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/trickbot-group-launches-test-module-alerting-on-fraud-activity}, language = {English}, urldate = {2020-07-13} } @online{kreminchuker:20191218:echobot:2fe9511, author = {Eli Kreminchuker and Maxim Zavodchik and Raymond Pompon}, title = {{Echobot Malware Now up to 71 Exploits, Targeting SCADA}}, date = {2019-12-18}, organization = {F5 Labs}, url = {https://www.f5.com/labs/articles/threat-intelligence/echobot-malware-now-up-to-71-exploits--targeting-scada}, language = {English}, urldate = {2020-01-10} } @online{kreyenberg:20200228:mysterious:ed48f62, author = {Hannah Kreyenberg}, title = {{Mysterious spam campaign: A security analysis}}, date = {2020-02-28}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/mysterious-spam-campaign/}, language = {English}, urldate = {2020-06-16} } @online{kristal:20200511:anatomy:4ece947, author = {Gal Kristal}, title = {{The Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration}}, date = {2020-05-11}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/}, language = {English}, urldate = {2020-05-13} } @online{krueger:20191015:lowkey:aab2f5e, author = {Tobias Krueger}, title = {{LOWKEY: Hunting for the Missing Volume Serial ID}}, date = {2019-10-15}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html}, language = {English}, urldate = {2019-12-10} } @techreport{krysiuk:2013:trojanbamital:1c4d921, author = {Piotr Krysiuk and Vikram Thakur}, title = {{Trojan.Bamital}}, date = {2013}, institution = {Symantec}, url = {https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/trojan-bamital-13-en.pdf}, language = {English}, urldate = {2019-12-24} } @online{kscert:20151105:sphinx:0414ca2, author = {kscert}, title = {{Sphinx Moth: Expanding our knowledge of the “Wild Neutron” / “Morpho” APT}}, date = {2015-11-05}, organization = {Kudelski Security}, url = {https://research.kudelskisecurity.com/2015/11/05/sphinx-moth-expanding-our-knowledge-of-the-wild-neutron-morpho-apt/}, language = {English}, urldate = {2020-01-10} } @online{kubovich:20180703:hamas:372b78f, author = {Yaniv Kubovich}, title = {{Hamas Cyber Ops Spied on Hundreds of Israeli Soldiers Using Fake World Cup, Dating Apps}}, date = {2018-07-03}, organization = {Haaretz}, url = {https://www.haaretz.com/israel-news/hamas-cyber-ops-spied-on-israeli-soldiers-using-fake-world-cup-app-1.6241773}, language = {English}, urldate = {2019-11-29} } @online{kuhn:20190724:guesswho:1b23cb0, author = {John Kuhn}, title = {{GuessWho Ransomware – A Variant of Rapid Ransomware}}, date = {2019-07-24}, organization = {IBM X-Force Exchange}, url = {https://exchange.xforce.ibmcloud.com/collection/GuessWho-Ransomware-A-Variant-of-Rapid-Ransomware-ef226b9792fa4c1e34fa4c587db04145}, language = {English}, urldate = {2020-01-10} } @online{kujawa:20120609:you:c8d15e0, author = {Adam Kujawa}, title = {{You dirty RAT! Part 1: DarkComet}}, date = {2012-06-09}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/}, language = {English}, urldate = {2019-12-20} } @online{kujawa:20120615:you:307c877, author = {Adam Kujawa}, title = {{You Dirty RAT! Part 2 – BlackShades NET}}, date = {2012-06-15}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-2-blackshades-net/}, language = {English}, urldate = {2019-12-20} } @online{kujawa:20120621:blackshades:3002f8a, author = {Adam Kujawa}, title = {{BlackShades in Syria}}, date = {2012-06-21}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2012/06/blackshades-in-syria/}, language = {English}, urldate = {2019-12-20} } @online{kujawa:20121005:dark:192d4aa, author = {Adam Kujawa}, title = {{Dark Comet 2: Electric Boogaloo}}, date = {2012-10-05}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2012/10/dark-comet-2-electric-boogaloo/}, language = {English}, urldate = {2019-12-20} } @online{kujawa:20140530:taking:d9b729e, author = {Adam Kujawa}, title = {{Taking off the Blackshades}}, date = {2014-05-30}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2014/05/taking-off-the-blackshades/}, language = {English}, urldate = {2019-12-20} } @techreport{kujawa:20200210:2020:3fdaf12, author = {Adam Kujawa and Wendy Zamora and Jérôme Segura and Thomas Reed and Nathan Collier and Jovi Umawing and Chris Boyd and Pieter Arntz and David Ruiz}, title = {{2020 State of Malware Report}}, date = {2020-02-10}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf}, language = {English}, urldate = {2020-02-13} } @online{kumar:20170122:russian:a19c81e, author = {Mohit Kumar}, title = {{Russian Hacker behind 'NeverQuest' Malware, Wanted by FBI, Is Arrested in Spain}}, date = {2017-01-22}, organization = {The Hacker News}, url = {http://thehackernews.com/2017/01/neverquest-fbi-hacker.html}, language = {English}, urldate = {2019-12-18} } @online{kumar:20200626:taurus:4d00888, author = {Avinash Kumar and Uday Pratap Singh}, title = {{Taurus: The New Stealer in Town}}, date = {2020-06-26}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/taurus-new-stealer-town}, language = {English}, urldate = {2020-08-13} } @techreport{kumar:202006:mobile:a277975, author = {Apurva Kumar and Christoph Hebeisen and Kristin Del Rosso}, title = {{Mobile APT SurveillanceCampaigns Targeting Uyghurs A collection of long-running Android tooling connected to a Chinese mAPT actor}}, date = {2020-06}, institution = {Lookout}, url = {https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf}, language = {English}, urldate = {2020-07-02} } @online{kumar:20200701:multiyear:5ce3699, author = {Apurva Kumar and Christoph Hebeisen and Kristin Del Rosso}, title = {{Multiyear Surveillance Campaigns Discovered Targeting Uyghurs}}, date = {2020-07-01}, organization = {Lookout}, url = {https://blog.lookout.com/multiyear-surveillance-campaigns-discovered-targeting-uyghurs}, language = {English}, urldate = {2020-07-02} } @online{kundaliya:20190411:lazarus:2ad8687, author = {Dev Kundaliya}, title = {{Lazarus rises: Warning over new HOPLIGHT malware linked with North Korea}}, date = {2019-04-11}, organization = {Computing.co.uk}, url = {https://www.computing.co.uk/ctg/news/3074007/lazarus-rises-warning-over-new-hoplight-malware-linked-with-north-korea}, language = {English}, urldate = {2020-01-06} } @online{kundaliya:20191224:warning:6ffa2c8, author = {Dev Kundaliya}, title = {{Warning over LockerGoga and MegaCortex ransomware attacks targeting private industry in western countries}}, date = {2019-12-24}, url = {https://www.computing.co.uk/ctg/news/3084818/warning-over-lockergoga-and-megacortex-ransomware-attacks-targeting-private-industry-in-western-countries}, language = {English}, urldate = {2020-01-06} } @online{kuprins:20190903:analysis:2b5a874, author = {Aleksejs Kuprins}, title = {{Analysis of Joker — A Spy & Premium Subscription Bot on GooglePlay}}, date = {2019-09-03}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/analysis-of-joker-a-spy-premium-subscription-bot-on-googleplay-9ad24f044451}, language = {English}, urldate = {2020-01-06} } @online{kuprins:20200625:roamingmantis:256a9f9, author = {Aleksejs Kuprins}, title = {{The RoamingMantis Group’s Expansion to European Apple Accounts and Android Devices}}, date = {2020-06-25}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/the-roamingmantis-groups-expansion-to-european-apple-accounts-and-android-devices-e6381723c681}, language = {English}, urldate = {2020-06-25} } @online{kuzin:20140710:versatile:0c64d25, author = {Mikhail Kuzin}, title = {{Versatile DDoS Trojan for Linux}}, date = {2014-07-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/versatile-ddos-trojan-for-linux/64361/}, language = {English}, urldate = {2019-12-20} } @online{kuzin:20180720:calisto:09350f7, author = {Mikhail Kuzin and Sergey Zelensky}, title = {{Calisto Trojan for macOS}}, date = {2018-07-20}, organization = {Kaspersky Labs}, url = {https://securelist.com/calisto-trojan-for-macos/86543/}, language = {English}, urldate = {2019-12-20} } @online{kuzmenko:20190618:plurox:14d4e0d, author = {Anton Kuzmenko}, title = {{Plurox: Modular backdoor}}, date = {2019-06-18}, organization = {Kaspersky Labs}, url = {https://securelist.com/plurox-modular-backdoor/91213/}, language = {English}, urldate = {2019-12-20} } @online{kuznetsov:20130314:new:148c189, author = {Igor Kuznetsov and Costin Raiu}, title = {{New Uyghur and Tibetan Themed Attacks Using PDF Exploits}}, date = {2013-03-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/new-uyghur-and-tibetan-themed-attacks-using-pdf-exploits/35465}, language = {English}, urldate = {2020-04-24} } @online{kwiatkowski:20200331:holy:857c397, author = {Ivan Kwiatkowski and Félix Aime and Pierre Delcher}, title = {{Holy water: ongoing targeted water-holing attack in Asia}}, date = {2020-03-31}, organization = {Kaspersky Labs}, url = {https://securelist.com/holy-water-ongoing-targeted-water-holing-attack-in-asia/96311/}, language = {English}, urldate = {2020-04-07} } @online{kwiatkowski:20200728:lazarus:5b1523a, author = {Ivan Kwiatkowski and Pierre Delcher and Félix Aime}, title = {{Lazarus on the hunt for big game}}, date = {2020-07-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/}, language = {English}, urldate = {2020-07-30} } @online{laan:20160828:feintcloud:628f6af, author = {Wladimir J. van der Laan}, title = {{FEINTCLOUD}}, date = {2016-08-28}, organization = {Laanwj's Blog}, url = {https://laanwj.github.io/2016/08/28/feintcloud.html}, language = {English}, urldate = {2020-01-13} } @online{laan:20160904:blatsting:26f14e8, author = {Wladimir J. van der Laan}, title = {{BLATSTING Command-and-Control protocol}}, date = {2016-09-04}, organization = {Laanwj's Blog}, url = {https://laanwj.github.io/2016/09/04/blatsting-command-and-control.html}, language = {English}, urldate = {2019-07-11} } @online{laan:20160911:buzzdirection:2f24cce, author = {Wladimir J. van der Laan}, title = {{BUZZDIRECTION: BLATSTING reloaded}}, date = {2016-09-11}, organization = {Laanwj's Blog}, url = {https://laanwj.github.io/2016/09/11/buzzdirection.html}, language = {English}, urldate = {2020-01-08} } @online{laanwj:20160822:blatsting:11dc652, author = {Laanwj}, title = {{BLATSTING FUNKSPIEL}}, date = {2016-08-22}, url = {https://laanwj.github.io/2016/08/22/blatsting.html}, language = {English}, urldate = {2020-01-07} } @online{laanwj:20160901:tadaqueous:c25857a, author = {Laanwj}, title = {{TADAQUEOUS moments}}, date = {2016-09-01}, url = {https://laanwj.github.io/2016/09/01/tadaqueos.html}, language = {English}, urldate = {2020-01-07} } @online{laanwj:20160906:blatsting:67dc773, author = {Laanwj}, title = {{Blatsting C&C Transcript}}, date = {2016-09-06}, url = {https://laanwj.github.io/2016/09/09/blatsting-lp-transcript.html}, language = {English}, urldate = {2019-12-04} } @online{laanwj:20160913:curious:fa20b98, author = {Laanwj}, title = {{The curious case of BLATSTING's RSA implementation}}, date = {2016-09-13}, url = {https://laanwj.github.io/2016/09/13/blatsting-rsa.html}, language = {English}, urldate = {2020-01-09} } @online{laanwj:20160917:few:2572d3c, author = {Laanwj}, title = {{A few notes on SECONDDATE's C&C protocol}}, date = {2016-09-17}, url = {https://laanwj.github.io/2016/09/17/seconddate-cnc.html}, language = {English}, urldate = {2020-01-07} } @online{lab52:20190313:orangeworm:396a091, author = {Lab52}, title = {{ORANGEWORM GROUP – KWAMPIRS ANALYSIS UPDATE}}, date = {2019-03-13}, organization = {Security Art Work}, url = {https://www.securityartwork.es/2019/03/13/orangeworm-group-kwampirs-analysis-update/}, language = {English}, urldate = {2020-01-06} } @online{lab52:20200609:recent:c5c6aa7, author = {Lab52}, title = {{Recent FK_Undead rootkit samples found in the wild}}, date = {2020-06-09}, organization = {Lab52}, url = {https://lab52.io/blog/recent-fk-undead-rootkit-samples-found-in-the-wild/}, language = {English}, urldate = {2020-06-10} } @techreport{lab:20120531:skywiper:5435097, author = {CrySyS Lab}, title = {{sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex malware for targeted attacks}}, date = {2012-05-31}, institution = {CrySyS Lab}, url = {https://www.crysys.hu/publications/files/skywiper.pdf}, language = {English}, urldate = {2020-01-06} } @techreport{lab:20130320:teamspy:d2d8b88, author = {CrySyS Lab}, title = {{TeamSpy –Obshie manevri. Ispolzovat' tolko s razreshenija S-a.}}, date = {2013-03-20}, institution = {CrySyS Lab}, url = {https://www.crysys.hu/publications/files/teamspy.pdf}, language = {English}, urldate = {2020-01-08} } @online{lab:20170404:chasing:b9789da, author = {Kaspersky Lab}, title = {{Chasing Lazarus: A Hunt for the Infamous Hackers to Prevent Large Bank Robberies}}, date = {2017-04-04}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/about/press-releases/2017_chasing-lazarus-a-hunt-for-the-infamous-hackers-to-prevent-large-bank-robberies}, language = {English}, urldate = {2019-12-24} } @techreport{lab:201803:lazarus:3fd5ac4, author = {Kaspersky Lab}, title = {{Lazarus under the Hood}}, date = {2018-03}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf}, language = {English}, urldate = {2020-01-07} } @online{lab:20181213:return:786b4e0, author = {Certfa Lab}, title = {{The Return of The Charming Kitten}}, date = {2018-12-13}, organization = {Certfa}, url = {https://blog.certfa.com/posts/the-return-of-the-charming-kitten/}, language = {English}, urldate = {2020-01-13} } @online{lab:20191209:caution:05ff83a, author = {EmsiSoft Malware Lab}, title = {{Caution! Ryuk Ransomware decryptor damages larger files, even if you pay}}, date = {2019-12-09}, organization = {Emsisoft}, url = {https://blog.emsisoft.com/en/35023/bug-in-latest-ryuk-decryptor-may-cause-data-loss/}, language = {English}, urldate = {2020-01-07} } @online{lab:20200130:fake:8ef4342, author = {Certfa Lab}, title = {{Fake Interview: The New Activity of Charming Kitten}}, date = {2020-01-30}, organization = {Certfa Lab}, url = {https://blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/}, language = {English}, urldate = {2020-03-03} } @online{lab:20200505:awaiting:513382e, author = {Security Lab}, title = {{Awaiting the Inevitable Return of Emotet}}, date = {2020-05-05}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/awaiting-the-inevitable-return-of-emotet/}, language = {English}, urldate = {2020-05-05} } @online{lab:20200519:information:eb0a182, author = {Security Lab}, title = {{Information Stealer Campaign Targeting German HR Contacts}}, date = {2020-05-19}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/information-stealer-campaign-targeting-german-hr-contacts/}, language = {English}, urldate = {2020-05-29} } @online{lab:20200605:avaddon:399af6f, author = {Security Lab}, title = {{Avaddon: From seeking affiliates to in-the-wild in 2 days}}, date = {2020-06-05}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/avaddon-from-seeking-affiliates-to-in-the-wild-in-2-days/}, language = {English}, urldate = {2020-06-08} } @online{lab:20200612:trickbot:2bf54ef, author = {Security Lab}, title = {{Trickbot Malspam Leveraging Black Lives Matter as Lure}}, date = {2020-06-12}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/trickbot-malspam-leveraging-black-lives-matter-as-lure/}, language = {English}, urldate = {2020-07-01} } @online{lab:20200616:qakbot:0353100, author = {Security Lab}, title = {{QakBot malspam leading to ProLock: Nothing personal just business}}, date = {2020-06-16}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/qakbot-malspam-leading-to-prolock/}, language = {English}, urldate = {2020-07-01} } @online{lab:20200707:clop:12bb60d, author = {Hornetsecurity Security Lab}, title = {{Clop, Clop! It’s a TA505 HTML malspam analysis}}, date = {2020-07-07}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/clop-clop-ta505-html-malspam-analysis/}, language = {English}, urldate = {2020-07-30} } @online{lab:20200709:servhelper:13899fd, author = {G DATA Security Lab}, title = {{ServHelper: Hidden Miners}}, date = {2020-07-09}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/2020/07/36122-hidden-miners}, language = {English}, urldate = {2020-07-16} } @online{lab:20200720:emotet:f918eaf, author = {Hornetsecurity Security Lab}, title = {{Emotet is back}}, date = {2020-07-20}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/emotet-is-back/}, language = {English}, urldate = {2020-07-30} } @online{labs:20071022:malwareentwicklung:8050999, author = {Kaspersky Labs}, title = {{Malware-Entwicklung im ersten Halbjahr 2007}}, date = {2007-10-22}, organization = {Kaspersky Labs}, url = {https://de.securelist.com/malware-entwicklung-im-ersten-halbjahr-2007/59574/}, language = {German}, urldate = {2020-03-19} } @online{labs:2009:kaspersky:546f640, author = {Kaspersky Labs}, title = {{Kaspersky Lab analyses new version of Kido (Conficker)}}, date = {2009}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/about/press-releases/2009_kaspersky-lab-analyses-new-version-of-kido--conficker}, language = {English}, urldate = {2019-11-25} } @online{labs:20140417:quick:6a0fa31, author = {Nettitude Labs}, title = {{A quick analysis of the latest Shadow Brokers dump}}, date = {2014-04-17}, organization = {Nettitude Labs}, url = {https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/}, language = {English}, urldate = {2019-12-19} } @techreport{labs:20140904:pitou:211eac4, author = {F-Secure Labs}, title = {{PITOU: The "silent" resurrection of the notorious Srizbi kernel spambot}}, date = {2014-09-04}, institution = {F-Secure}, url = {https://www.f-secure.com/documents/996508/1030745/pitou_whitepaper.pdf}, language = {English}, urldate = {2020-01-13} } @online{labs:20141114:onionduke:dc56d5c, author = {F-Secure Labs}, title = {{OnionDuke: APT Attacks Via the Tor Network}}, date = {2014-11-14}, organization = {F-Secure}, url = {https://www.f-secure.com/weblog/archives/00002764.html}, language = {English}, urldate = {2020-01-09} } @online{labs:20150304:you:edeb053, author = {BriMor Labs}, title = {{And you get a POS malware name...and you get a POS malware name....and you get a POS malware name....}}, date = {2015-03-04}, organization = {BriMor Labs}, url = {https://www.brimorlabsblog.com/2015/03/and-you-get-pos-malware-nameand-you-get.html}, language = {English}, urldate = {2019-11-29} } @online{labs:20150805:whos:972f567, author = {Malwarebytes Labs}, title = {{Who’s Behind Your Proxy? Uncovering Bunitu’s Secrets}}, date = {2015-08-05}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2015/08/whos-behind-your-proxy-uncovering-bunitus-secrets/}, language = {English}, urldate = {2019-12-20} } @online{labs:20150917:dukes:767fbef, author = {F-Secure Labs}, title = {{The Dukes: 7 Years Of Russian Cyber-Espionage}}, date = {2015-09-17}, organization = {F-Secure}, url = {https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/}, language = {English}, urldate = {2020-01-13} } @online{labs:20160318:teslacrypt:5c7daff, author = {Malwarebytes Labs}, title = {{Teslacrypt Spam Campaign: “Unpaid Issue…”}}, date = {2016-03-18}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/03/teslacrypt-spam-campaign-unpaid-issue/}, language = {English}, urldate = {2019-12-20} } @online{labs:20160401:petya:b3dfd23, author = {Malwarebytes Labs}, title = {{Petya – Taking Ransomware To The Low Level}}, date = {2016-04-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/04/petya-ransomware/}, language = {English}, urldate = {2019-12-20} } @online{labs:20160714:untangling:c16cc34, author = {Malwarebytes Labs}, title = {{Untangling Kovter’s persistence methods}}, date = {2016-07-14}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/}, language = {English}, urldate = {2019-12-20} } @online{labs:20160718:third:4b06b46, author = {Malwarebytes Labs}, title = {{Third time (un)lucky – improved Petya is out}}, date = {2016-07-18}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/07/third-time-unlucky-improved-petya-is-out/}, language = {English}, urldate = {2019-12-20} } @techreport{labs:20160805:nanhaishu:cee830d, author = {F-Secure Labs}, title = {{NANHAISHU: RATing the South China Sea}}, date = {2016-08-05}, institution = {F-Secure}, url = {https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf}, language = {English}, urldate = {2020-01-13} } @online{labs:20160805:smoke:afada56, author = {Malwarebytes Labs}, title = {{Smoke Loader – downloader with a smokescreen still alive}}, date = {2016-08-05}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/}, language = {English}, urldate = {2019-12-20} } @online{labs:20160815:shakti:e11f9b7, author = {Malwarebytes Labs}, title = {{Shakti Trojan: Document Thief}}, date = {2016-08-15}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-stealing-documents/}, language = {English}, urldate = {2019-12-20} } @online{labs:20160825:unpacking:66173f5, author = {Malwarebytes Labs}, title = {{Unpacking the spyware disguised as antivirus}}, date = {2016-08-25}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/}, language = {English}, urldate = {2019-12-20} } @online{labs:201608:shakti:2c08a62, author = {Malwarebytes Labs}, title = {{Shakti Trojan: Technical Analysis}}, date = {2016-08}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-technical-analysis/amp/}, language = {English}, urldate = {2019-12-19} } @online{labs:20161024:introducing:e59ac27, author = {Malwarebytes Labs}, title = {{Introducing TrickBot, Dyreza’s successor}}, date = {2016-10-24}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/}, language = {English}, urldate = {2019-12-20} } @online{labs:20161110:floki:cb97f8d, author = {Malwarebytes Labs}, title = {{Floki Bot and the stealthy dropper}}, date = {2016-11-10}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/11/floki-bot-and-the-stealthy-dropper/}, language = {English}, urldate = {2019-12-20} } @online{labs:20161121:princesslocker:9a8ec57, author = {Malwarebytes Labs}, title = {{PrincessLocker – ransomware with not so royal encryption}}, date = {2016-11-21}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/11/princess-ransomware/}, language = {English}, urldate = {2019-12-20} } @online{labs:20161215:goldeneye:234318b, author = {Malwarebytes Labs}, title = {{Goldeneye Ransomware – the Petya/Mischa combo rebranded}}, date = {2016-12-15}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/12/goldeneye-ransomware-the-petyamischa-combo-rebranded/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170126:zbot:b625eef, author = {Malwarebytes Labs}, title = {{Zbot with legitimate applications on board}}, date = {2017-01-26}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170131:locky:92db484, author = {Malwarebytes Labs}, title = {{Locky Bart ransomware and backend server analysis}}, date = {2017-01-31}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170227:new:e13a158, author = {Malwarebytes Labs}, title = {{New Neutrino Bot comes in a protective loader}}, date = {2017-02-27}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170310:explained:4186cb4, author = {Malwarebytes Labs}, title = {{Explained: Spora ransomware}}, date = {2017-03-10}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/03/spora-ransomware/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170315:vaccinating:751a95c, author = {Minerva Labs}, title = {{Vaccinating against Spora ransomware: a proof-of-concept tool by Minerva}}, date = {2017-03-15}, organization = {Github (MinervaLabsResearch)}, url = {https://github.com/MinervaLabsResearch/SporaVaccination}, language = {English}, urldate = {2019-10-23} } @online{labs:20170317:diamond:67bf9e6, author = {Malwarebytes Labs}, title = {{Diamond Fox – part 1: introduction and unpacking}}, date = {2017-03-17}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/03/diamond-fox-p1/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170329:explained:dc19964, author = {Malwarebytes Labs}, title = {{Explained: Sage ransomware}}, date = {2017-03-29}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/03/explained-sage-ransomware/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170406:diamond:5788882, author = {Malwarebytes Labs}, title = {{Diamond Fox – part 2: let’s dive in the code}}, date = {2017-04-06}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/04/diamond-fox-p2/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170421:elusive:3f45f0e, author = {Malwarebytes Labs}, title = {{Elusive Moker Trojan is back}}, date = {2017-04-21}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/04/elusive-moker-trojan/}, language = {English}, urldate = {2019-12-20} } @online{labs:201704:callisto:5e97cb4, author = {F-Secure Labs}, title = {{CALLISTO GROUP}}, date = {2017-04}, organization = {F-Secure}, url = {https://www.f-secure.com/documents/996508/1030745/callisto-group}, language = {English}, urldate = {2019-12-10} } @online{labs:20170629:eternalpetya:bdd5896, author = {Malwarebytes Labs}, title = {{EternalPetya and the lost Salsa20 key}}, date = {2017-06-29}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-lost-salsa20-key/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170630:eternalpetya:122fb36, author = {Malwarebytes Labs}, title = {{EternalPetya – yet another stolen piece in the package?}}, date = {2017-06-30}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-yet-another-stolen-piece-package/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170712:net:7efe3ac, author = {Malwarebytes Labs}, title = {{A .NET malware abusing legitimate ffmpeg}}, date = {2017-07-12}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/07/malware-abusing-ffmpeg/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170714:keeping:0759a8b, author = {Malwarebytes Labs}, title = {{Keeping up with the Petyas: Demystifying the malware family}}, date = {2017-07-14}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170724:bye:ffc2434, author = {Malwarebytes Labs}, title = {{Bye, bye Petya! Decryptor for old versions released.}}, date = {2017-07-24}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/malwarebytes-news/2017/07/bye-bye-petya-decryptor-old-versions-released/}, language = {English}, urldate = {2019-12-20} } @online{labs:201707:trickbot:e738eaf, author = {Ring Zero Labs}, title = {{TrickBot Banking Trojan - DOC00039217.doc}}, date = {2017-07}, organization = {Ring Zero Labs}, url = {https://www.ringzerolabs.com/2017/07/trickbot-banking-trojan-doc00039217doc.html}, language = {English}, urldate = {2020-01-10} } @online{labs:20170801:trickbot:222d8bc, author = {Malwarebytes Labs}, title = {{TrickBot comes up with new tricks: attacking Outlook and browsing data}}, date = {2017-08-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170818:inside:f145bae, author = {Malwarebytes Labs}, title = {{Inside the Kronos malware – part 1}}, date = {2017-08-18}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170829:inside:a4e7a99, author = {Malwarebytes Labs}, title = {{Inside the Kronos malware – part 2}}, date = {2017-08-29}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware-p2/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170926:elaborate:bed9adc, author = {Malwarebytes Labs}, title = {{Elaborate scripting-fu used in espionage attack against Saudi Arabia Government entity}}, date = {2017-09-26}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/09/elaborate-scripting-fu-used-in-espionage-attack-against-saudi-arabia-government_entity/}, language = {English}, urldate = {2019-12-20} } @online{labs:20171018:magniber:2ae5250, author = {Malwarebytes Labs}, title = {{Magniber ransomware: exclusively for South Koreans}}, date = {2017-10-18}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/10/magniber-ransomware-exclusively-for-south-koreans/}, language = {English}, urldate = {2019-12-20} } @online{labs:20171113:match:b967fde, author = {Obscurity Labs}, title = {{Match Made In The Shadows: Part [3]}}, date = {2017-11-13}, organization = {Obscurity Labs}, url = {https://obscuritylabs.com/blog/2017/11/13/match-made-in-the-shadows-part-3/}, language = {English}, urldate = {2020-05-07} } @online{labs:20171228:pandazeuss:0d9ab97, author = {Spamhaus Malware Labs}, title = {{PandaZeuS’s Christmas Gift: Change in the Encryption scheme}}, date = {2017-12-28}, organization = {Spamhaus}, url = {https://www.spamhaus.org/news/article/771/}, language = {English}, urldate = {2020-01-05} } @online{labs:20180130:gandcrab:86c30cb, author = {Malwarebytes Labs}, title = {{GandCrab ransomware distributed by RIG and GrandSoft exploit kits (updated)}}, date = {2018-01-30}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/}, language = {English}, urldate = {2019-12-20} } @online{labs:20180328:indepth:574e8fd, author = {Malwarebytes Labs}, title = {{An in-depth malware analysis of QuantLoader}}, date = {2018-03-28}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2018/03/an-in-depth-malware-analysis-of-quantloader/}, language = {English}, urldate = {2019-12-20} } @online{labs:20180416:smoke:b91b833, author = {Spamhaus Malware Labs}, title = {{Smoke Loader malware improves after Microsoft spoils its Campaign}}, date = {2018-04-16}, organization = {Spamhaus}, url = {https://www.spamhaus.org/news/article/774/smoke-loader-improves-encryption-after-microsoft-spoils-its-campaign}, language = {English}, urldate = {2020-01-08} } @online{labs:20181115:mylobot:4f8ccb3, author = {LabsBlack Lotus Labs}, title = {{Mylobot Continues Global Infections}}, date = {2018-11-15}, organization = {Centurylink}, url = {https://blog.centurylink.com/mylobot-continues-global-infections/}, language = {English}, urldate = {2019-12-24} } @online{labs:20181205:trickbots:b45d588, author = {VIPRE Labs}, title = {{Trickbot’s Tricks}}, date = {2018-12-05}, organization = {VIPRE}, url = {https://labs.vipre.com/trickbots-tricks/}, language = {English}, urldate = {2020-01-09} } @online{labs:20190311:attackers:013804a, author = {Minerva Labs}, title = {{Attackers Insert Themselves into the Email Conversation to Spread Malware}}, date = {2019-03-11}, organization = {Minerva}, url = {https://blog.minerva-labs.com/attackers-insert-themselves-into-the-email-conversation-to-spread-malware}, language = {English}, urldate = {2020-01-08} } @online{labs:20190327:emotet:388559f, author = {Spamhaus Malware Labs}, title = {{Emotet adds a further layer of camouflage}}, date = {2019-03-27}, organization = {Spamhaus}, url = {https://www.spamhaus.org/news/article/783/emotet-adds-a-further-layer-of-camouflage}, language = {English}, urldate = {2020-01-06} } @online{labs:20190409:say:9be09c3, author = {Malwarebytes Labs}, title = {{Say hello to Baldr, a new stealer on the market}}, date = {2019-04-09}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2019/04/say-hello-baldr-new-stealer-market/}, language = {English}, urldate = {2019-12-20} } @online{labs:20190508:fin7:6874fc6, author = {Kaspersky Labs}, title = {{Fin7 hacking group targets more than 130 companies after leaders’ arrest}}, date = {2019-05-08}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/about/press-releases/2019_fin7-hacking-group-targets-more-than-130-companies-after-leaders-arrest}, language = {English}, urldate = {2020-03-22} } @online{labs:20191002:mcafee:1a04182, author = {McAfee Labs}, title = {{McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us}}, date = {2019-10-02}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/}, language = {English}, urldate = {2019-12-22} } @online{labs:2019:ransommegacortex:5d35576, author = {Malwarebytes Labs}, title = {{Ransom.Megacortex}}, date = {2019}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/detections/ransom-megacortex/}, language = {English}, urldate = {2020-01-10} } @online{labs:20200125:indonesian:1f0de05, author = {Sanguine Labs}, title = {{Indonesian Magecart hackers arrested}}, date = {2020-01-25}, organization = {Sanguine Security}, url = {https://sansec.io/labs/2020/01/25/magecart-hackers-arrested/}, language = {English}, urldate = {2020-01-27} } @online{labs:20200324:new:88d7b1d, author = {Avira Protection Labs}, title = {{A new technique to analyze FormBook malware infections}}, date = {2020-03-24}, organization = {Avira}, url = {https://insights.oem.avira.com/a-new-technique-to-analyze-formbook-malware-infections/}, language = {English}, urldate = {2020-04-01} } @online{labs:20200328:indepth:9049cf2, author = {Avira Protection Labs}, title = {{In-depth analysis of a Cerberus trojan variant}}, date = {2020-03-28}, organization = {Avira}, url = {https://insights.oem.avira.com/in-depth-analysis-of-a-cerberus-trojan-variant/}, language = {English}, urldate = {2020-04-01} } @online{labs:20200413:new:f16a8b5, author = {Black Lotus Labs}, title = {{New Mozi Malware Family Quietly Amasses IoT Bots}}, date = {2020-04-13}, organization = {Centurylink}, url = {https://blog.centurylink.com/new-mozi-malware-family-quietly-amasses-iot-bots/}, language = {English}, urldate = {2020-04-26} } @techreport{labs:20200521:cybercrime:d38d2da, author = {Malwarebytes Labs}, title = {{Cybercrime tactics and techniques}}, date = {2020-05-21}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf}, language = {English}, urldate = {2020-06-03} } @online{labs:20200623:new:8b4b4e3, author = {Avira Protection Labs}, title = {{New Mirai variant Aisuru detects Cowrie opensource honeypots}}, date = {2020-06-23}, organization = {Avira}, url = {https://insights.oem.avira.com/new-mirai-variant-aisuru-detects-cowrie-opensource-honeypots/}, language = {English}, urldate = {2020-06-24} } @online{labs:20200701:alina:1c5d0e8, author = {Black Lotus Labs}, title = {{Alina Point of Sale Malware Still Lurking in DNS}}, date = {2020-07-01}, organization = {Centurylink}, url = {https://blog.centurylink.com/alina-point-of-sale-malware-still-lurking-in-dns/}, language = {English}, urldate = {2020-07-06} } @techreport{labs:20200730:spamhaus:038546d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2020}}, date = {2020-07-30}, institution = {Spamhaus}, url = {https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf}, language = {English}, urldate = {2020-07-30} } @online{ladores:20170907:emotet:bf3075c, author = {Don Ladores}, title = {{EMOTET Returns, Starts Spreading via Spam Botnet}}, date = {2017-09-07}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/}, language = {English}, urldate = {2019-11-28} } @online{laeb:20200221:exploring:179689d, author = {Raveed Laeb}, title = {{Exploring the Genesis Supply Chain for Fun and Profit: Part 1 – Misadventures in GUIDology}}, date = {2020-02-21}, organization = {KELA}, url = {https://ke-la.com/exploring-the-genesis-supply-chain-for-fun-and-profit/}, language = {English}, urldate = {2020-02-26} } @online{lagrimas:20121009:sasfis:5e95a5a, author = {Dianne Lagrimas}, title = {{SASFIS}}, date = {2012-10-09}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/sasfis}, language = {English}, urldate = {2020-01-08} } @online{lahav:20190711:pykspa:9a2e7e7, author = {Lior Lahav}, title = {{Pykspa V2 DHA Updated to Become Selective}}, date = {2019-07-11}, organization = {Akamai}, url = {https://blogs.akamai.com/sitr/2019/07/pykspa-v2-dga-updated-to-become-selective.html}, language = {English}, urldate = {2020-01-06} } @online{lambert:20171004:turla:904593f, author = {John Lambert}, title = {{Tweet on Turla JS backdoor}}, date = {2017-10-04}, organization = {Twitter (@JohnLaTwC)}, url = {https://twitter.com/JohnLaTwC/status/915590893155098629}, language = {English}, urldate = {2019-10-23} } @online{lambert:20180220:evilosx:4d3473b, author = {John Lambert}, title = {{Tweet on EvilOSX}}, date = {2018-02-20}, organization = {Twitter (@JohnLaTwC)}, url = {https://twitter.com/JohnLaTwC/status/966139336436498432}, language = {English}, urldate = {2020-01-09} } @online{lambert:20180408:conminer:79fa45b, author = {John Lambert}, title = {{Tweet on ConMiner WebAssembly}}, date = {2018-04-08}, organization = {Twitter (@JohnLaTwC)}, url = {https://twitter.com/JohnLaTwC/status/983011262731714565}, language = {English}, urldate = {2020-01-13} } @online{lambert:20180408:cryptonight:e09e793, author = {John Lambert}, title = {{Cryptonight currency miner WASM}}, date = {2018-04-08}, organization = {Gist (JohnLaTwC)}, url = {https://gist.github.com/JohnLaTwC/112483eb9aed27dd2184966711c722ec}, language = {English}, urldate = {2019-11-29} } @online{lambert:20190417:unidentified:bae45d7, author = {John Lambert}, title = {{Tweet on an unidentified VBS Backdoor}}, date = {2019-04-17}, organization = {Twitter (JohnLaTwC)}, url = {https://twitter.com/JohnLaTwC/status/1118278148993339392}, language = {English}, urldate = {2019-07-11} } @online{lambert:20190501:frameworkpos:376a823, author = {Tony Lambert}, title = {{FrameworkPOS and the adequate persistent threat}}, date = {2019-05-01}, organization = {Red Canary}, url = {https://redcanary.com/blog/frameworkpos-and-the-adequate-persistent-threat/}, language = {English}, urldate = {2020-01-29} } @online{lambert:20200507:introducing:04e15eb, author = {Tony Lambert}, title = {{Introducing Blue Mockingbird}}, date = {2020-05-07}, organization = {Red Canary}, url = {https://redcanary.com/blog/blue-mockingbird-cryptominer/}, language = {English}, urldate = {2020-06-02} } @online{lambert:20200722:connecting:eb1b19a, author = {Tony Lambert}, title = {{Connecting Kinsing malware to Citrix and SaltStack campaigns}}, date = {2020-07-22}, organization = {Red Canary}, url = {https://redcanary.com/blog/kinsing-malware-citrix-saltstack/}, language = {English}, urldate = {2020-07-30} } @online{lamos:20171218:collaborative:1231f31, author = {Robert Lamos}, title = {{Collaborative Takedown Kills IoT Worm 'Satori'}}, date = {2017-12-18}, organization = {eWeek}, url = {http://www.eweek.com/security/collaborative-takedown-kills-iot-worm-satori}, language = {English}, urldate = {2019-12-20} } @online{lancaster:20140919:malware:b8ce62a, author = {Tom Lancaster}, title = {{Malware microevolution}}, date = {2014-09-19}, organization = {PWC}, url = {http://pwc.blogs.com/cyber_security_updates/2014/09/malware-microevolution.html}, language = {English}, urldate = {2020-01-08} } @online{lancaster:20150427:attacks:8467adc, author = {Tom Lancaster}, title = {{Attacks against Israeli & Palestinian interests}}, date = {2015-04-27}, organization = {PWC}, url = {https://pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html}, language = {English}, urldate = {2020-01-08} } @online{lancaster:20160928:confucius:24e8de3, author = {Tom Lancaster and Micah Yates}, title = {{Confucius Says…Malware Families Get Further By Abusing Legitimate Websites}}, date = {2016-09-28}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/}, language = {English}, urldate = {2019-12-20} } @online{lancaster:20170627:paranoid:f933eb4, author = {Tom Lancaster and Esmid Idrizovic}, title = {{Paranoid PlugX}}, date = {2017-06-27}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/}, language = {English}, urldate = {2019-12-20} } @online{lancaster:20171114:muddying:aa0467a, author = {Tom Lancaster}, title = {{Muddying the Water: Targeted Attacks in the Middle East}}, date = {2017-11-14}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/}, language = {English}, urldate = {2020-01-08} } @online{lancaster:20180129:vermin:eea5a83, author = {Tom Lancaster and Juan Cortes}, title = {{VERMIN: Quasar RAT and Custom Malware Used In Ukraine}}, date = {2018-01-29}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/}, language = {English}, urldate = {2019-12-20} } @online{lancaster:20181105:inception:4eb9f99, author = {Tom Lancaster}, title = {{Inception Attackers Target Europe with Year-old Office Vulnerability}}, date = {2018-11-05}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/}, language = {English}, urldate = {2019-12-20} } @online{lancaster:20190319:cardinal:b75240f, author = {Tom Lancaster and Josh Grunzweig}, title = {{Cardinal RAT Sins Again, Targets Israeli Fin-Tech Firms}}, date = {2019-03-19}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/}, language = {English}, urldate = {2020-01-13} } @online{landesman:20130501:linuxcdorked:348acc3, author = {Mary Landesman}, title = {{Linux/CDorked FAQs}}, date = {2013-05-01}, organization = {Cisco}, url = {https://blogs.cisco.com/security/linuxcdorked-faqs}, language = {English}, urldate = {2020-01-09} } @online{landry:20160712:malware:c5d817c, author = {Joseph Landry and Udi Shamir}, title = {{Malware Discovered – SFG: Furtim Malware Analysis}}, date = {2016-07-12}, url = {https://sentinelone.com/blogs/sfg-furtims-parent/}, language = {English}, urldate = {2019-12-05} } @techreport{lanstein:2013:apts:2b30193, author = {Alex Lanstein}, title = {{APTs By The Dozen: Dissecting Advanced Attacks}}, date = {2013}, institution = {FireEye}, url = {https://web.archive.org/web/20130920120931/https:/www.rsaconference.com/writable/presentations/file_upload/cle-t04_final_v1.pdf}, language = {English}, urldate = {2020-08-14} } @online{lanstein:20140325:spear:762baf1, author = {Alex Lanstein and Ned Moran}, title = {{Spear Phishing the News Cycle: APT Actors Leverage Interest in the Disappearance of Malaysian Flight MH 370}}, date = {2014-03-25}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html}, language = {English}, urldate = {2019-12-20} } @online{largent:20180606:vpnfilter:157380d, author = {William Largent}, title = {{VPNFilter Update - VPNFilter exploits endpoints, targets new devices}}, date = {2018-06-06}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/06/vpnfilter-update.html?m=1}, language = {English}, urldate = {2019-12-10} } @online{larin:20181212:zeroday:4c8907e, author = {Boris Larin and Vladislav Stolyarov and Anton Ivanov}, title = {{Zero-day in Windows Kernel Transaction Manager (CVE-2018-8611)}}, date = {2018-12-12}, organization = {Kaspersky Labs}, url = {https://securelist.com/zero-day-in-windows-kernel-transaction-manager-cve-2018-8611/89253/}, language = {English}, urldate = {2019-12-20} } @online{larin:20200528:zeroday:e7fee04, author = {Boris Larin and Alexey Kulaev}, title = {{The zero-day exploits of Operation WizardOpium}}, date = {2020-05-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-zero-day-exploits-of-operation-wizardopium/97086/}, language = {English}, urldate = {2020-05-29} } @online{larin:20200624:magnitude:90a4a71, author = {Boris Larin}, title = {{Magnitude exploit kit - evolution}}, date = {2020-06-24}, organization = {Kaspersky Labs}, url = {https://securelist.com/magnitude-exploit-kit-evolution/97436/}, language = {English}, urldate = {2020-06-24} } @online{larin:20200812:internet:91fcf4e, author = {Boris Larin}, title = {{Internet Explorer and Windows zero-day exploits used in Operation PowerFall}}, date = {2020-08-12}, organization = {Kaspersky Labs}, url = {https://securelist.com/ie-and-windows-zero-day-operation-powerfall/97976/}, language = {English}, urldate = {2020-08-12} } @online{larinier:20180716:sidewinder:cb05fe4, author = {Sébastien Larinier}, title = {{APT Sidewinder: Tricks powershell, Anti Forensics and execution side loading}}, date = {2018-07-16}, organization = {Medium Sebdraven}, url = {https://medium.com/@Sebdraven/apt-sidewinder-tricks-powershell-anti-forensics-and-execution-side-loading-5bc1a7e7c84c}, language = {English}, urldate = {2020-01-13} } @online{larinier:20180731:malicious:571d2df, author = {Sébastien Larinier}, title = {{Malicious document targets Vietnamese officials}}, date = {2018-07-31}, organization = {Medium Sebdraven}, url = {https://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a?}, language = {English}, urldate = {2020-03-04} } @online{larinier:20180802:goblin:0aa8168, author = {Sébastien Larinier}, title = {{Goblin Panda against the Bears}}, date = {2018-08-02}, url = {https://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4}, language = {English}, urldate = {2019-07-11} } @online{larinier:20180828:when:0389d90, author = {Sébastien Larinier}, title = {{When a malware is more complex than the paper}}, date = {2018-08-28}, organization = {Medium Sebdraven}, url = {https://medium.com/@Sebdraven/when-a-malware-is-more-complex-than-the-paper-5822fc7ff257}, language = {English}, urldate = {2020-01-13} } @online{larinier:20190202:unpacking:894335d, author = {Sébastien Larinier}, title = {{Unpacking Clop}}, date = {2019-02-02}, organization = {Medium Sebdraven}, url = {https://medium.com/@Sebdraven/unpacking-clop-416b83718e0f}, language = {English}, urldate = {2020-01-06} } @online{larinier:20190502:goblin:a0118b4, author = {Sébastien Larinier}, title = {{Goblin Panda continues to target Vietnam}}, date = {2019-05-02}, organization = {Medium Sebdraven}, url = {https://medium.com/@Sebdraven/goblin-panda-continues-to-target-vietnam-bc2f0f56dcd6}, language = {English}, urldate = {2019-10-23} } @online{larinier:20200207:40:9415c5c, author = {Sébastien Larinier}, title = {{APT 40 in Malaysia}}, date = {2020-02-07}, organization = {Medium Sebdraven}, url = {https://medium.com/@Sebdraven/apt-40-in-malaysia-61ed9c9642e9}, language = {English}, urldate = {2020-02-09} } @online{larinier:20200320:new:3da1211, author = {Sébastien Larinier}, title = {{New version of chinoxy backdoor using COVID19 alerts document lure}}, date = {2020-03-20}, organization = {Medium Sebdraven}, url = {https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746}, language = {English}, urldate = {2020-03-26} } @online{larinier:20200708:how:7d692bb, author = {Sébastien Larinier}, title = {{How to unpack Chinoxy backdoor and decipher the configuration of the backdoor}}, date = {2020-07-08}, organization = {Medium (@sevdraven)}, url = {https://medium.com/@Sebdraven/how-to-unpack-chinoxy-backdoor-and-decipher-the-configuration-of-the-backdoor-4ffd98ca2a02}, language = {English}, urldate = {2020-07-11} } @online{lasha:20170701:remcos:984d85c, author = {lasha}, title = {{Remcos RAT}}, date = {2017-07-01}, organization = {Secrary Blog}, url = {https://secrary.com/ReversingMalware/RemcosRAT/}, language = {English}, urldate = {2020-01-09} } @online{lasq:20180723:deobfuscating:dd200d6, author = {Lasq}, title = {{Deobfuscating Emotet’s powershell payload}}, date = {2018-07-23}, organization = {MalFind}, url = {https://malfind.com/index.php/2018/07/23/deobfuscating-emotets-powershell-payload/}, language = {English}, urldate = {2020-01-09} } @online{lc4m:20200626:lalala:922eb17, author = {lc4m}, title = {{Tweet on LALALA stealer and how its name was chosen}}, date = {2020-06-26}, organization = {Twitter (@luc4m)}, url = {https://twitter.com/luc4m/status/1276477397102145538}, language = {English}, urldate = {2020-06-30} } @online{lechtik:20180204:dorkbot:7c9daf2, author = {Mark Lechtik}, title = {{DorkBot: An Investigation}}, date = {2018-02-04}, organization = {Check Point}, url = {https://research.checkpoint.com/dorkbot-an-investigation/}, language = {English}, urldate = {2020-01-09} } @online{lechtik:20180612:deep:67efc2c, author = {Mark Lechtik}, title = {{Deep Dive into UPAS Kit vs. Kronos}}, date = {2018-06-12}, organization = {Check Point Research}, url = {https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/}, language = {English}, urldate = {2020-01-07} } @online{lechtik:20200507:north:3cfaf43, author = {Mark Lechtik and Ariel Jugnheit}, title = {{The North Korean AV Anthology: a unique look on DPRK’s Anti-Virus market}}, date = {2020-05-07}, organization = {AVAR}, url = {https://drive.google.com/file/d/1lq0Sjw4FKBxf017Ss7W7uGMvs7CgFzcA/view}, language = {English}, urldate = {2020-05-07} } @techreport{lecigne:20200605:exploits:396ce52, author = {Clement Lecigne}, title = {{Exploits of a TAG analyst chasing in the wild}}, date = {2020-06-05}, institution = {SSTIC 2020}, url = {https://www.sstic.org/media/SSTIC2020/SSTIC-actes/cloture_2020/SSTIC2020-Slides-cloture_2020-lecigne.pdf}, language = {English}, urldate = {2020-06-21} } @online{lee:20150720:watering:0a84edb, author = {Bryan Lee and Josh Grunzweig}, title = {{Watering Hole Attack on Aerospace Firm Exploits CVE-2015-5122 to Install IsSpace Backdoor}}, date = {2015-07-20}, organization = {paloalto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/watering-hole-attack-on-aerospace-firm-exploits-cve-2015-5122-to-install-isspace-backdoor/}, language = {English}, urldate = {2020-02-13} } @online{lee:20151222:bbsrat:d5ec63d, author = {Bryan Lee and Josh Grunzweig}, title = {{BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger}}, date = {2015-12-22}, url = {https://unit42.paloaltonetworks.com/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/}, language = {English}, urldate = {2019-11-21} } @online{lee:20160109:confirmation:a5aeb08, author = {Robert M. Lee}, title = {{Confirmation of a Coordinated Attack on the Ukrainian Power Grid}}, date = {2016-01-09}, organization = {Industrial Control Systems}, url = {https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid}, language = {English}, urldate = {2020-01-07} } @online{lee:20160212:look:1483b5a, author = {Bryan Lee and Rob Downs}, title = {{A Look Into Fysbis: Sofacy’s Linux Backdoor}}, date = {2016-02-12}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/a-look-into-fysbis-sofacys-linux-backdoor/}, language = {English}, urldate = {2020-01-13} } @online{lee:20160212:look:4113ea1, author = {Bryan Lee and Rob Downs}, title = {{A Look Into Fysbis: Sofacy’s Linux Backdoor}}, date = {2016-02-12}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/}, language = {English}, urldate = {2019-12-20} } @online{lee:20160217:oceanlotus:b309baf, author = {Eddie Lee}, title = {{OceanLotus for OS X – an Application Bundle Pretending to be an Adobe Flash Update}}, date = {2016-02-17}, organization = {AT&T Cybersecurity}, url = {https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update}, language = {English}, urldate = {2020-01-09} } @online{lee:20160321:os:892f883, author = {Eddie Lee and Krishna Kona}, title = {{OS X Malware Samples Analyzed}}, date = {2016-03-21}, organization = {AT&T Cybersecurity}, url = {https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed}, language = {English}, urldate = {2019-11-17} } @online{lee:20170215:magic:d143d8f, author = {Bryan Lee and Robert Falcone}, title = {{Magic Hound Campaign Attacks Saudi Targets}}, date = {2017-02-15}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-magic-hound-campaign-attacks-saudi-targets/}, language = {English}, urldate = {2020-01-09} } @online{lee:20170215:magic:e0b1b72, author = {Bryan Lee and Robert Falcone}, title = {{Magic Hound Campaign Attacks Saudi Targets}}, date = {2017-02-15}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/}, language = {English}, urldate = {2019-09-22} } @online{lee:201712:trisis:978f131, author = {Robert M. Lee}, title = {{TRISIS: Analyzing Safety System Targeting Malware}}, date = {2017-12}, organization = {Dragos}, url = {https://dragos.com/resource/trisis-analyzing-safety-system-targeting-malware/}, language = {English}, urldate = {2019-12-17} } @online{lee:20180223:oopsie:3a5deb8, author = {Bryan Lee and Robert Falcone}, title = {{OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan}}, date = {2018-02-23}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/}, language = {English}, urldate = {2020-01-13} } @online{lee:20180223:oopsie:f09d30f, author = {Bryan Lee and Robert Falcone}, title = {{OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan}}, date = {2018-02-23}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/}, language = {English}, urldate = {2019-12-20} } @online{lee:20180228:sofacy:04fead3, author = {Bryan Lee and Mike Harbison and Robert Falcone}, title = {{Sofacy Attacks Multiple Government Entities}}, date = {2018-02-28}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-sofacy-attacks-multiple-government-entities/}, language = {English}, urldate = {2020-01-06} } @online{lee:20180606:sofacy:6d3e723, author = {Bryan Lee and Robert Falcone}, title = {{Sofacy Group’s Parallel Attacks}}, date = {2018-06-06}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/}, language = {English}, urldate = {2019-12-20} } @online{lee:20180725:oilrig:d332c68, author = {Bryan Lee and Robert Falcone}, title = {{OilRig Targets Technology Service Provider and Government Agency with QUADAGENT}}, date = {2018-07-25}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/}, language = {English}, urldate = {2019-11-29} } @online{lee:20181212:dear:0d9a44e, author = {Bryan Lee and Robert Falcone}, title = {{Dear Joohn: The Sofacy Group’s Global Campaign}}, date = {2018-12-12}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/}, language = {English}, urldate = {2020-01-08} } @online{lee:20190430:behind:01b3010, author = {Bryan Lee and Robert Falcone}, title = {{Behind the Scenes with OilRig}}, date = {2019-04-30}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/behind-the-scenes-with-oilrig/}, language = {English}, urldate = {2020-01-06} } @online{lee:20190523:one:4d2b33e, author = {Martin Lee}, title = {{One year later: The VPNFilter catastrophe that wasn't}}, date = {2019-05-23}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/05/one-year-later-vpnfilter-catastrophe.html}, language = {English}, urldate = {2019-07-09} } @online{lee:20190905:cb:5dd9651, author = {Swee Lai Lee}, title = {{CB Threat Analysis Unit Technical Breakdown: GermanWiper Ransomware}}, date = {2019-09-05}, organization = {vmware}, url = {https://www.carbonblack.com/2019/09/05/cb-threat-analysis-unit-technical-breakdown-germanwiper-ransomware/}, language = {English}, urldate = {2020-01-06} } @online{lee:20191209:trickbot:48d9da3, author = {Bryan Lee and Brittany Ash and Mike Harbison}, title = {{TrickBot Campaign Uses Fake Payroll Emails to Conduct Phishing Attacks}}, date = {2019-12-09}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/trickbot-campaign-uses-fake-payroll-emails-to-conduct-phishing-attacks/}, language = {English}, urldate = {2020-01-22} } @online{lee:20200413:apt41:fdd4c46, author = {Bryan Lee and Robert Falcone and Jen Miller-Osborn}, title = {{APT41 Using New Speculoos Backdoor to Target Organizations Globally}}, date = {2020-04-13}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/}, language = {English}, urldate = {2020-04-14} } @online{lee:20200813:attribution:ced59ff, author = {Martin Lee and Paul Rascagnères and Vitor Ventura}, title = {{Attribution: A Puzzle}}, date = {2020-08-13}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2020/08/attribution-puzzle.html}, language = {English}, urldate = {2020-08-14} } @online{legezo:20180613:luckymouse:26f9860, author = {Denis Legezo}, title = {{LuckyMouse hits national data center to organize country-level waterholing campaign}}, date = {2018-06-13}, organization = {Kaspersky Labs}, url = {https://securelist.com/luckymouse-hits-national-data-center/86083/}, language = {English}, urldate = {2019-12-20} } @online{legezo:20190130:chafer:bb3ce4d, author = {Denis Legezo}, title = {{Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities}}, date = {2019-01-30}, organization = {Kaspersky Labs}, url = {https://securelist.com/chafer-used-remexi-malware/89538/}, language = {English}, urldate = {2019-12-20} } @online{legezo:20200324:wildpressure:add6905, author = {Denis Legezo}, title = {{WildPressure targets industrial-related entities in the Middle East}}, date = {2020-03-24}, organization = {Kaspersky Labs}, url = {https://securelist.com/wildpressure-targets-industrial-in-the-middle-east/96360/}, language = {English}, urldate = {2020-03-26} } @online{legezo:20200518:microcin:b3147b6, author = {Denis Legezo}, title = {{Microcin Decryptor}}, date = {2020-05-18}, organization = {Github (dlegezo)}, url = {https://github.com/dlegezo/common}, language = {English}, urldate = {2020-05-19} } @online{legezo:20200619:microcin:122f2ca, author = {Denis Legezo}, title = {{Microcin is here With asynchronous sockets, steganography, GitLab ban and a sock}}, date = {2020-06-19}, organization = {Kaspersky Labs}, url = {https://securelist.com/microcin-is-here/97353/}, language = {English}, urldate = {2020-06-21} } @online{lehti:20150722:duke:8f54e8b, author = {Artturi Lehtiö}, title = {{Duke APT group's latest tools: cloud services and Linux support}}, date = {2015-07-22}, organization = {F-Secure}, url = {https://www.f-secure.com/weblog/archives/00002822.html}, language = {English}, urldate = {2019-10-15} } @online{lei:20180124:lazarus:63d2701, author = {CH Lei and Fyodor Yarochkin and Lenart Bermejo and Philippe Z Lin and Razor Huang}, title = {{Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More}}, date = {2018-01-24}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/}, language = {English}, urldate = {2020-01-08} } @online{leon:20181024:waiting:5fdf295, author = {Leon}, title = {{Waiting for goDoH}}, date = {2018-10-24}, organization = {Sensepost}, url = {https://sensepost.com/blog/2018/waiting-for-godoh/}, language = {English}, urldate = {2020-01-06} } @online{leong:20191031:messagetap:823e994, author = {Raymond Leong and Dan Perez and Tyler Dean}, title = {{MESSAGETAP: Who’s Reading Your Text Messages?}}, date = {2019-10-31}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html}, language = {English}, urldate = {2019-12-18} } @online{leopard:20171108:analysis:a6a1a01, author = {Security Leopard}, title = {{Analysis of an active USB flash drive virus}}, date = {2017-11-08}, organization = {Freebuf}, url = {http://www.freebuf.com/column/153424.html}, language = {Chinese}, urldate = {2020-01-13} } @online{leopard:20180619:hidden:7eceae4, author = {Security Leopard}, title = {{"Hidden Bee" strikes: Kingsoft Internet Security intercepts the world's first Bootkit-class mining botnet}}, date = {2018-06-19}, url = {https://www.freebuf.com/column/175106.html}, language = {Chinese}, urldate = {2019-11-17} } @online{lepore:20190918:chirp:44c11e9, author = {Jonathan Lepore}, title = {{Chirp of the PoisonFrog}}, date = {2019-09-18}, organization = {IronNet}, url = {https://ironnet.com/blog/chirp-of-the-poisonfrog/}, language = {English}, urldate = {2020-01-09} } @online{lepore:20200206:dns:c7069f1, author = {Jonathan Lepore}, title = {{DNS Tunneling Series, Part 3: The Siren Song of RogueRobin}}, date = {2020-02-06}, organization = {IronNet}, url = {https://ironnet.com/blog/dns-tunneling-series-part-3-the-siren-song-of-roguerobin/}, language = {English}, urldate = {2020-02-13} } @online{levene:20150820:retefe:b3a0c4f, author = {Brandon Levene and Robert Falcone and Josh Grunzweig and Bryan Lee and Ryan Olson}, title = {{Retefe Banking Trojan Targets Sweden, Switzerland and Japan}}, date = {2015-08-20}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2015/08/retefe-banking-trojan-targets-sweden-switzerland-and-japan/}, language = {English}, urldate = {2019-12-20} } @online{levene:20170328:dimnie:a19c996, author = {Brandon Levene and Dominik Reichel and Esmid Idrizovic}, title = {{Dimnie: Hiding in Plain Sight}}, date = {2017-03-28}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/}, language = {English}, urldate = {2019-12-20} } @online{levene:20170503:kazuar:84e99e2, author = {Brandon Levene and Robert Falcone and Tyler Halfpop}, title = {{Kazuar: Multiplatform Espionage Backdoor with API Access}}, date = {2017-05-03}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/}, language = {English}, urldate = {2019-12-20} } @online{levene:20170503:kazuar:b869345, author = {Brandon Levene and Robert Falcone and Tyler Halfpop}, title = {{Kazuar: Multiplatform Espionage Backdoor with API Access}}, date = {2017-05-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-kazuar-multiplatform-espionage-backdoor-api-access/}, language = {English}, urldate = {2020-01-09} } @online{levene:20171101:everybody:9473c82, author = {Brandon Levene and Brandon Young and Dominik Reichel}, title = {{Everybody Gets One: QtBot Used to Distribute Trickbot and Locky}}, date = {2017-11-01}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/11/unit42-everybody-gets-one-qtbot-used-distribute-trickbot-locky/}, language = {English}, urldate = {2019-12-20} } @online{levene:20180305:sure:13de36e, author = {Brandon Levene and Josh Grunzweig}, title = {{Sure, I’ll take that! New ComboJack Malware Alters Clipboards to Steal Cryptocurrency}}, date = {2018-03-05}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/03/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/}, language = {English}, urldate = {2019-12-20} } @online{levene:20180307:patchwork:8973699, author = {Brandon Levene and Josh Grunzweig and Brittany Ash}, title = {{Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent}}, date = {2018-03-07}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/}, language = {English}, urldate = {2019-12-20} } @techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } @online{leyden:20120604:small:eb760a3, author = {John Leyden}, title = {{Small banking Trojan poses major risk}}, date = {2012-06-04}, url = {http://www.theregister.co.uk/2012/06/04/small_banking_trojan/}, language = {English}, urldate = {2020-01-08} } @online{li:20111013:detailed:650b25e, author = {Frankie Fu Kay Li}, title = {{A Detailed Analysis of an Advanced Persistent Threat Malware}}, date = {2011-10-13}, url = {https://www.sans.org/reading-room/whitepapers/malicious/detailed-analysis-advanced-persistent-threat-malware-33814}, language = {English}, urldate = {2019-10-14} } @online{li:20151013:new:34dc6b1, author = {Brooks Li and Feike Hacquebord and Peter Pi}, title = {{New Adobe Flash Zero-Day Used in Pawn Storm Campaign Targeting Foreign Affairs Ministries}}, date = {2015-10-13}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/}, language = {English}, urldate = {2019-10-15} } @online{li:20151013:new:f451b34, author = {Brooks Li and Feike Hacquebord and Peter Pi}, title = {{New Adobe Flash Zero-Day Used in Pawn Storm Campaign Targeting Foreign Affairs Ministries}}, date = {2015-10-13}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/}, language = {English}, urldate = {2019-12-19} } @online{liebenberg:20180830:rocke:7bdc336, author = {David Liebenberg}, title = {{Rocke: The Champion of Monero Miners}}, date = {2018-08-30}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html}, language = {English}, urldate = {2020-05-18} } @online{liebenberg:20200615:quarterly:c2dcd77, author = {David Liebenberg and Caitlin Huey}, title = {{Quarterly report: Incident Response trends in Summer 2020}}, date = {2020-06-15}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/06/CTIR-trends-q3-2020.html#more}, language = {English}, urldate = {2020-06-19} } @online{lied:20190519:skreddersydd:e16c8d8, author = {Henrik Lied and Peter Svaar and Dennis Ravndal and Anders Brekke and Kristine Hirsti}, title = {{Skreddersydd dobbeltangrep mot Hydro}}, date = {2019-05-19}, organization = {nrk}, url = {https://www.nrk.no/norge/skreddersydd-dobbeltangrep-mot-hydro-1.14480202}, language = {Norwegian}, urldate = {2019-11-21} } @techreport{lifars:202005:xmrigbased:5e57232, author = {LIFARS}, title = {{XMRig-based CoinMinersby Blue Mockingbird Threat Actor}}, date = {2020-05}, institution = {LIFARS}, url = {https://lifars.com/wp-content/uploads/2020/06/Cryptocurrency-Miners-XMRig-Based-CoinMiner-by-Blue-Mockingbird-Group.pdf}, language = {English}, urldate = {2020-06-19} } @techreport{ligh:20061113:malware:d305d70, author = {Micael Ligh}, title = {{Malware Case Study - ZeusMalware}}, date = {2006-11-13}, institution = {Secure Science Corporation}, url = {https://www.mnin.org/write/ZeusMalware.pdf}, language = {English}, urldate = {2019-11-23} } @online{ligh:20121212:unpacking:612f008, author = {Michael Hale Ligh}, title = {{Unpacking Dexter POS "Memory Dump Parsing" Malware}}, date = {2012-12-12}, organization = {Volatility Labs}, url = {https://volatility-labs.blogspot.com/2012/12/unpacking-dexter-pos-memory-dump.html}, language = {English}, urldate = {2020-01-13} } @techreport{lilly:20200609:past:d6656a1, author = {Bilyana Lilly and Joe Cheravitch}, title = {{The Past, Present, and Future of Russia’s Cyber Strategy and Forces}}, date = {2020-06-09}, institution = {RAND Corporation}, url = {https://ccdcoe.org/uploads/2020/05/CyCon_2020_8_Lilly_Cheravitch.pdf}, language = {English}, urldate = {2020-06-10} } @online{limerat:20191016:limerat:da2782c, author = {LimeRat}, title = {{LimeRat}}, date = {2019-10-16}, url = {https://www.youtube.com/watch?v=x-g-ZLeX8GM}, language = {English}, urldate = {2019-10-16} } @online{limerboy:20200125:gocryptolocker:eee8d0a, author = {LimerBoy}, title = {{goCryptoLocker}}, date = {2020-01-25}, url = {https://github.com/LimerBoy/goCryptoLocker/blob/master/main.go}, language = {English}, urldate = {2020-04-28} } @online{limerboy:20200216:inferno:835a010, author = {LimerBoy}, title = {{Inferno}}, date = {2020-02-16}, url = {https://github.com/LimerBoy/Inferno}, language = {English}, urldate = {2020-03-13} } @online{limerboy:20200312:adamantiumthief:ba2b907, author = {LimerBoy}, title = {{Adamantium-Thief}}, date = {2020-03-12}, url = {https://github.com/LimerBoy/Adamantium-Thief}, language = {English}, urldate = {2020-03-13} } @online{lin:20150205:anatomy:91eb612, author = {Michael Lin and Derek Gooley}, title = {{Anatomy of a Brute Force Campaign: The Story of Hee Thai Limited}}, date = {2015-02-05}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html}, language = {English}, urldate = {2019-12-20} } @online{lines:20190415:cobalt:7b3c086, author = {Neil Lines}, title = {{Cobalt Strike. Walkthrough for Red Teamers}}, date = {2019-04-15}, organization = {PenTestPartners}, url = {https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/}, language = {English}, urldate = {2019-12-17} } @online{link:20190422:dadstache:5444490, author = {Suspicious Link}, title = {{Tweet on DADSTACHE payload}}, date = {2019-04-22}, organization = {Twitter (@killamjr)}, url = {https://twitter.com/killamjr/status/1204584085395517440}, language = {English}, urldate = {2020-01-06} } @online{linkcabin:20160123:imminent:fe72c42, author = {LinkCabin}, title = {{Imminent Monitor 4 RAT Analysis – A Glance}}, date = {2016-01-23}, organization = {LinkCabin}, url = {https://itsjack.cc/blog/2016/01/imminent-monitor-4-rat-analysis-a-glance/}, language = {English}, urldate = {2020-01-09} } @online{lipovsky:20141014:cve20144114:49123f0, author = {Robert Lipovsky}, title = {{CVE‑2014‑4114: Details on August BlackEnergy PowerPoint Campaigns}}, date = {2014-10-14}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2014/10/14/cve-2014-4114-details-august-blackenergy-powerpoint-campaigns/}, language = {English}, urldate = {2019-11-14} } @online{lipovsky:20141112:korplug:b5b58cc, author = {Robert Lipovsky}, title = {{Korplug military targeted attacks: Afghanistan & Tajikistan}}, date = {2014-11-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2014/11/12/korplug-military-targeted-attacks-afghanistan-tajikistan/}, language = {English}, urldate = {2019-12-20} } @online{lipovsky:20150730:operation:3e5afee, author = {Robert Lipovsky and Anton Cherepanov}, title = {{Operation Potao Express: Analysis of a cyber‑espionage toolkit}}, date = {2015-07-30}, organization = {ESET Research}, url = {http://www.welivesecurity.com/2015/07/30/operation-potao-express/}, language = {English}, urldate = {2019-12-20} } @techreport{lipovsky:20150730:operation:bfe3508, author = {Robert Lipovsky and Anton Cherepanov}, title = {{Operation Potao Express: Analysis of a cyber‑espionage toolkit}}, date = {2015-07-30}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-Express_final_v2.pdf}, language = {English}, urldate = {2020-02-25} } @online{lipovsky:20160518:operation:1c9edf8, author = {Robert Lipovsky and Anton Cherepanov}, title = {{Operation Groundbait: Espionage in Ukrainian war zones}}, date = {2016-05-18}, organization = {ESET Research}, url = {http://www.welivesecurity.com/2016/05/18/groundbait}, language = {English}, urldate = {2020-01-08} } @online{lipovsky:20170105:killdisk:43eba48, author = {Robert Lipovsky and Peter Kálnai}, title = {{KillDisk now targeting Linux: Demands $250K ransom, but can’t decrypt}}, date = {2017-01-05}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/}, language = {English}, urldate = {2019-12-10} } @online{lisichkin:20200119:analyzing:1f21f30, author = {Dan Lisichkin}, title = {{Analyzing Modern Malware Techniques - Part 1}}, date = {2020-01-19}, organization = {0x00sec}, url = {https://0x00sec.org/t/analyzing-modern-malware-techniques-part-1/18663}, language = {English}, urldate = {2020-01-27} } @online{lisichkin:20200204:analyzing:bba72ea, author = {Dan Lisichkin}, title = {{Analyzing Modern Malware Techniques - Part 3: A case of Powershell, Excel 4 Macros and VB6}}, date = {2020-02-04}, organization = {0x00sec}, url = {https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943}, language = {English}, urldate = {2020-02-08} } @online{lisichkin:20200218:analyzing:f805dad, author = {Dan Lisichkin}, title = {{Analyzing Modern Malware Techniques Part 4: I’m afraid of no packer(Part 1 of 2)}}, date = {2020-02-18}, organization = {Github (DanusMinimus)}, url = {https://danusminimus.github.io/Analyzing-Modern-Malware-Techniques-Part-4/}, language = {English}, urldate = {2020-02-25} } @online{lisichkin:20200427:master:1cfb192, author = {Dan Lisichkin}, title = {{Master of RATs - How to create your own Tracker}}, date = {2020-04-27}, organization = {0x00sec}, url = {https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848}, language = {English}, urldate = {2020-04-28} } @online{lisichkin:20200605:zero2auto:ecc4713, author = {Dan Lisichkin}, title = {{Zero2Auto - Netwalker Walk through}}, date = {2020-06-05}, organization = {Github (DanusMinimus)}, url = {https://danusminimus.github.io/Zero2Auto-Netwalker-Walkthrough/}, language = {English}, urldate = {2020-06-08} } @online{liston:20100527:sasfis:c963466, author = {Kevin Liston}, title = {{Sasfis Propagation}}, date = {2010-05-27}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/Sasfis+Propagation/8860/}, language = {English}, urldate = {2020-01-08} } @online{litvak:20190717:evilgnome:0874eda, author = {Paul Litvak}, title = {{EvilGnome: Rare Malware Spying on Linux Desktop Users}}, date = {2019-07-17}, organization = {Intezer}, url = {https://www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/}, language = {English}, urldate = {2020-01-10} } @online{litvak:20190724:watching:abc3541, author = {Paul Litvak and Ignacio Sanmillan}, title = {{Watching the WatchBog: New BlueKeep Scanner and Linux Exploits}}, date = {2019-07-24}, organization = {Intezer}, url = {https://intezer.com/blog/linux/watching-the-watchbog-new-bluekeep-scanner-and-linux-exploits/}, language = {English}, urldate = {2020-05-18} } @online{litvak:20200130:new:e013fd0, author = {Paul Litvak and Michael Kajiloti}, title = {{New Iranian Campaign Tailored to US Companies Utilizes an Updated Toolset}}, date = {2020-01-30}, organization = {Intezer}, url = {https://intezer.com/blog-new-iranian-campaign-tailored-to-us-companies-uses-updated-toolset/}, language = {English}, urldate = {2020-02-03} } @online{litvak:20200504:kaiji:6b90937, author = {Paul Litvak}, title = {{Kaiji: New Chinese Linux malware turning to Golang}}, date = {2020-05-04}, organization = {Intezer}, url = {https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/}, language = {English}, urldate = {2020-05-06} } @online{litvak:20200521:evolution:a14bf60, author = {Paul Litvak}, title = {{The Evolution of APT15’s Codebase 2020}}, date = {2020-05-21}, organization = {Intezer}, url = {https://www.intezer.com/blog/research/the-evolution-of-apt15s-codebase-2020/}, language = {English}, urldate = {2020-05-23} } @online{liu:2018:tracking:2ca5e73, author = {Ya Liu and Hui Wang}, title = {{Tracking Mirai variants (Appendix: Hashes)}}, date = {2018}, organization = {Qihoo 360 Technology}, url = {https://www.virusbulletin.com/virusbulletin/2018/12/vb2018-paper-tracking-mirai-variants/#h2-appendix-sample-sha256-hashes}, language = {English}, urldate = {2019-11-27} } @online{liu:20200706:gafgyt:9fb2ccc, author = {Ya Liu}, title = {{The Gafgyt variant vbot seen in its 31 campaigns}}, date = {2020-07-06}, organization = {360 netlab}, url = {https://blog.netlab.360.com/the-gafgyt-variant-vbot-and-its-31-campaigns/}, language = {English}, urldate = {2020-07-06} } @online{liveoverflow:20190505:unpacking:25df4ad, author = {LiveOverflow and Sergei Frankoff and Sean Wilson}, title = {{Unpacking Redaman Malware & Basics of Self-Injection Packers - ft. OALabs}}, date = {2019-05-05}, organization = {Youtube (LiveOverflow)}, url = {https://www.youtube.com/watch?v=YXnNO3TipvM}, language = {English}, urldate = {2020-01-13} } @online{llimos:20181101:trickbot:7d0ea94, author = {Noel Anthony Llimos and Carl Maverick Pascual}, title = {{Trickbot Shows Off New Trick: Password Grabber Module}}, date = {2018-11-01}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module}, language = {English}, urldate = {2020-01-06} } @online{llimos:20190805:latest:62ba94b, author = {Noel Anthony Llimos and Michael Jhon Ofiaza}, title = {{Latest Trickbot Campaign Delivered via Highly Obfuscated JS File}}, date = {2019-08-05}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/}, language = {English}, urldate = {2020-01-23} } @online{locklear:20170607:russian:65a8aed, author = {Mallory Locklear}, title = {{Russian malware link hid in a comment on Britney Spears' Instagram}}, date = {2017-06-07}, organization = {engadget}, url = {https://www.engadget.com/2017/06/07/russian-malware-hidden-britney-spears-instagram/}, language = {English}, urldate = {2020-01-08} } @online{lodi:20171205:nearly:c0a9413, author = {Matteo Lodi}, title = {{Nearly undetectable Qarallax RAT spreading via spam}}, date = {2017-12-05}, organization = {Certego}, url = {http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spam/}, language = {English}, urldate = {2019-12-17} } @online{lodi:20181123:sload:28fb962, author = {Matteo Lodi}, title = {{Sload hits Italy. Unveil the power of powershell as a downloader}}, date = {2018-11-23}, organization = {Certego}, url = {https://www.certego.net/en/news/sload-hits-italy-unveil-the-power-of-powershell-as-a-downloader/}, language = {English}, urldate = {2020-01-13} } @online{lodi:20190214:malware:93db4e1, author = {Matteo Lodi}, title = {{Malware Tales: Gootkit}}, date = {2019-02-14}, organization = {Certego}, url = {https://www.certego.net/en/news/malware-tales-gootkit/}, language = {English}, urldate = {2020-01-06} } @online{lodi:20190614:malware:c93f3de, author = {Matteo Lodi}, title = {{Malware Tales: Sodinokibi}}, date = {2019-06-14}, organization = {Certego}, url = {https://www.certego.net/en/news/malware-tales-sodinokibi/}, language = {English}, urldate = {2019-12-17} } @online{lodi:20191002:malware:4f9442c, author = {Matteo Lodi and Marco Bompani}, title = {{Malware Tales: FTCODE}}, date = {2019-10-02}, organization = {Certego}, url = {https://www.certego.net/en/news/malware-tales-ftcode/}, language = {English}, urldate = {2020-01-07} } @online{lodi:20200507:ursnif:5654de4, author = {Matteo Lodi}, title = {{Ursnif beacon decryptor}}, date = {2020-05-07}, organization = {Github (mlodic)}, url = {https://github.com/mlodic/ursnif_beacon_decryptor}, language = {English}, urldate = {2020-05-07} } @online{logic:20180801:inside:e5a8e2c, author = {Kryptos Logic}, title = {{Inside Look at Emotet's Global Victims and Malspam Qakbot Payloads}}, date = {2018-08-01}, organization = {Kryptos Logic}, url = {https://blog.kryptoslogic.com/malware/2018/08/01/emotet.html}, language = {English}, urldate = {2020-01-09} } @online{logic:20181031:emotet:ab7226f, author = {Kryptos Logic}, title = {{Emotet Awakens With New Campaign of Mass Email Exfiltration}}, date = {2018-10-31}, organization = {Kryptos Logic}, url = {https://blog.kryptoslogic.com/malware/2018/10/31/emotet-email-theft.html}, language = {English}, urldate = {2020-01-08} } @online{londhe:20170725:hawkeye:a4071fa, author = {Yogesh Londhe and Swapnil Patil}, title = {{HawkEye Credential Theft Malware Distributed in Recent Phishing Campaign}}, date = {2017-07-25}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html}, language = {English}, urldate = {2019-12-20} } @techreport{lookingglass:20150428:operation:68a342f, author = {LookingGlass}, title = {{Operation Armageddon: Cyber Espionage as a Strategic Component of Russian Modern Warfare}}, date = {2015-04-28}, institution = {LookingGlass}, url = {https://www.lookingglasscyber.com/wp-content/uploads/2015/08/Operation_Armageddon_Final.pdf}, language = {English}, urldate = {2020-01-13} } @techreport{lookout:201704:pegasus:b9392ab, author = {Lookout}, title = {{Pegasus for Android: Technical Analysis and Findings of Chrysaor}}, date = {2017-04}, institution = {Lookout}, url = {https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf}, language = {English}, urldate = {2020-01-07} } @online{lookout:20180514:stealth:ebcc067, author = {Lookout}, title = {{Stealth Mango & Tangelo Technical Report}}, date = {2018-05-14}, organization = {Lookout}, url = {https://www.lookout.com/info/stealth-mango-report-ty}, language = {English}, urldate = {2020-01-13} } @techreport{lookout:201907:monokle:d2b6e7b, author = {Lookout}, title = {{Monokle: The Mobile Surveillance Tooling of the Special Technology Center}}, date = {2019-07}, institution = {Lookout}, url = {https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf}, language = {English}, urldate = {2019-12-04} } @online{lopez:20200215:python:7a23d37, author = {Nathan Lopez}, title = {{Python Remote Administration Tool (RAT)}}, date = {2020-02-15}, organization = {Github (nathanlopez)}, url = {https://github.com/nathanlopez/Stitch}, language = {English}, urldate = {2020-04-07} } @online{lord:20130201:keeping:b006baa, author = {Bob Lord}, title = {{Keeping our users secure}}, date = {2013-02-01}, organization = {Twitter}, url = {https://blog.twitter.com/official/en_us/a/2013/keeping-our-users-secure.html}, language = {English}, urldate = {2020-01-07} } @online{ltd:20200618:behind:a5e168d, author = {Security division of NTT Ltd.}, title = {{Behind the scenes of the Emotet Infrastructure}}, date = {2020-06-18}, organization = {NTT Security}, url = {https://hello.global.ntt/en-us/insights/blog/behind-the-scenes-of-the-emotet-infrastructure}, language = {English}, urldate = {2020-06-20} } @online{ltd:20200706:trickbot:9612912, author = {Security division of NTT Ltd.}, title = {{TrickBot variant “Anchor_DNS” communicating over DNS}}, date = {2020-07-06}, organization = {NTT}, url = {https://hello.global.ntt/en-us/insights/blog/trickbot-variant-communicating-over-dns}, language = {English}, urldate = {2020-07-30} } @online{ltd:20200720:shellbot:adab896, author = {Security division of NTT Ltd.}, title = {{Shellbot victim overlap with Emotet network infrastructure}}, date = {2020-07-20}, organization = {NTT}, url = {https://hello.global.ntt/en-us/insights/blog/shellbot-victim-overlap-with-emotet-network-infrastructure}, language = {English}, urldate = {2020-07-30} } @online{lu:20170126:deep:70f2c9e, author = {Kai Lu}, title = {{Deep Analysis of Android Rootnik Malware Using Advanced Anti-Debug and Anti-Hook, Part I: Debugging in The Scope of Native Layer}}, date = {2017-01-26}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/01/24/deep-analysis-of-android-rootnik-malware-using-advanced-anti-debug-and-anti-hook-part-i-debugging-in-the-scope-of-native-layer}, language = {English}, urldate = {2020-01-10} } @online{lu:20170126:deep:d965de0, author = {Kai Lu}, title = {{Deep Analysis of Android Rootnik Malware Using Advanced Anti-Debug and Anti-Hook, Part II: Analysis of The Scope of Java}}, date = {2017-01-26}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/01/26/deep-analysis-of-android-rootnik-malware-using-advanced-anti-debug-and-anti-hook-part-ii-analysis-of-the-scope-of-java}, language = {English}, urldate = {2020-01-08} } @online{lu:20190606:deep:0ac679a, author = {Kai Lu}, title = {{A Deep Dive into the Emotet Malware}}, date = {2019-06-06}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/deep-dive-into-emotet-malware.html}, language = {English}, urldate = {2020-01-07} } @online{lu:20190616:deep:ba89738, author = {Kai Lu}, title = {{A Deep Dive Into IcedID Malware: Part II - Analysis of the Core IcedID Payload (Parent Process)}}, date = {2019-06-16}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-two.html}, language = {English}, urldate = {2019-11-27} } @online{lu:20190709:deep:90d708f, author = {Kai Lu}, title = {{A Deep Dive Into IcedID Malware: Part I - Unpacking, Hooking and Process Injection}}, date = {2019-07-09}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-one.html}, language = {English}, urldate = {2020-01-08} } @online{lu:20190722:deep:a4bdd84, author = {Kai Lu}, title = {{A Deep Dive Into IcedID Malware: Part III - Analysis of Child Processes}}, date = {2019-07-22}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/deep-dive-icedid-malware-analysis-of-child-processes.html}, language = {English}, urldate = {2020-01-13} } @online{lubiedo:20200608:dark:6e9abe3, author = {Twitter (@_lubiedo)}, title = {{Dark Nexus: the old, the new and the ugly}}, date = {2020-06-08}, organization = {Stratosphere Lab}, url = {https://www.stratosphereips.org/blog/2020/6/8/dark-nexus-the-old-the-new-and-the-ugly}, language = {English}, urldate = {2020-06-10} } @online{luce:20190308:iranianbacked:5b34dea, author = {Dan De Luce and Courtney Kube}, title = {{Iranian-backed hackers stole data from major U.S. government contractor}}, date = {2019-03-08}, organization = {NBC}, url = {https://www.nbcnews.com/politics/national-security/iranian-backed-hackers-stole-data-major-u-s-government-contractor-n980986}, language = {English}, urldate = {2020-01-13} } @online{lucia:20181221:apt28:466f390, author = {Emanuele De Lucia}, title = {{APT28 / Sofacy – SedUploader under the Christmas tree}}, date = {2018-12-21}, url = {https://www.emanueledelucia.net/apt28-sofacy-seduploader-under-the-christmas-tree/}, language = {English}, urldate = {2020-03-30} } @online{luckyduck:20151216:facebook:3632e6d, author = {LuckyDuck}, title = {{Facebook page advertising DarkTrack RAT}}, date = {2015-12-16}, organization = {Facebook (darktrackrat)}, url = {https://www.facebook.com/darktrackrat/}, language = {English}, urldate = {2020-01-08} } @online{luis:20170224:necurs:629636f, author = {Sofia Luis}, title = {{Necurs Proxy Module With DDOS Features}}, date = {2017-02-24}, organization = {BitSight}, url = {https://www.bitsighttech.com/blog/necurs-proxy-module-with-ddos-features}, language = {English}, urldate = {2019-12-06} } @online{lunghi:20171211:untangling:5f00f99, author = {Daniel Lunghi and Jaromír Hořejší and Cedric Pernet}, title = {{Untangling the Patchwork Cyberespionage Group}}, date = {2017-12-11}, organization = {Trend Micro}, url = {https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf?platform=hootsuite}, language = {English}, urldate = {2019-10-21} } @online{lunghi:20180829:urpage:0f63a4b, author = {Daniel Lunghi and Ecular Xu}, title = {{The Urpage Connection to Bahamut, Confucius and Patchwork}}, date = {2018-08-29}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/}, language = {English}, urldate = {2020-01-06} } @techreport{lunghi:20181009:untangling:348f703, author = {Daniel Lunghi and Jaromír Hořejší and Cedric Pernet}, title = {{Untangling the Patchwork Espionage Group}}, date = {2018-10-09}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf}, language = {English}, urldate = {2020-01-06} } @online{lunghi:20190610:muddywater:b87a78a, author = {Daniel Lunghi and Jaromír Hořejší}, title = {{MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools}}, date = {2019-06-10}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/}, language = {English}, urldate = {2019-11-27} } @techreport{lunghi:20190610:new:4f86b75, author = {Daniel Lunghi and Jaromír Hořejší}, title = {{New MuddyWater Activities Uncovered: Threat Actors Used Multi-Stage Backdoors, New Post-Exploitation Tools, Android Malware, and More}}, date = {2019-06-10}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/white_papers/wp_new_muddywater_findings_uncovered.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{lunghi:20191002:abusing:3c9a1b7, author = {Daniel Lunghi and Jaromír Hořejší}, title = {{Abusing third-party cloud services in targeted attacks}}, date = {2019-10-02}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-LunghiHorejsi.pdf}, language = {English}, urldate = {2020-01-13} } @online{lunghi:20200218:uncovering:93b0937, author = {Daniel Lunghi and Cedric Pernet and Kenney Lu and Jamz Yaneza}, title = {{Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations}}, date = {2020-02-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia}, language = {English}, urldate = {2020-02-20} } @techreport{lunghi:20200218:uncovering:d96f725, author = {Daniel Lunghi and Cedric Pernet and Kenney Lu and Jamz Yaneza}, title = {{Uncovering DRBControl}}, date = {2020-02-18}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf}, language = {English}, urldate = {2020-04-01} } @techreport{lunghi:20200603:how:4f28e63, author = {Daniel Lunghi}, title = {{How to perform long term monitoring of careless threat actors}}, date = {2020-06-03}, institution = {Trend Micro}, url = {https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf}, language = {English}, urldate = {2020-06-05} } @online{lynch:20150623:exclusive:3fbed86, author = {Sarah N. Lynch and Joseph Menn}, title = {{Exclusive: SEC hunts hackers who stole corporate emails to trade stocks}}, date = {2015-06-23}, organization = {Reuters}, url = {https://www.reuters.com/article/2015/06/23/us-hackers-insidertrading-idUSKBN0P31M720150623}, language = {English}, urldate = {2020-01-08} } @online{lynch:20160419:multigrain:94e7443, author = {Cian Lynch and Dimiter Andonov and Claudiu Teodorescu}, title = {{MULTIGRAIN – Point of Sale Attackers Make an Unhealthy Addition to the Pantry}}, date = {2016-04-19}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html}, language = {English}, urldate = {2019-12-20} } @online{lyngaas:20190509:chinese:90e8320, author = {Sean Lyngaas}, title = {{Chinese national indicted for 2015 Anthem breach}}, date = {2019-05-09}, organization = {CyberScoop}, url = {https://www.cyberscoop.com/anthem-breach-indictment-chinese-national/}, language = {English}, urldate = {2020-01-13} } @online{lyngaas:20200528:german:0be9cc3, author = {Sean Lyngaas}, title = {{German intelligence agencies warn of Russian hacking threats to critical infrastructure}}, date = {2020-05-28}, organization = {CyberScoop}, url = {https://www.cyberscoop.com/german-intelligence-memo-berserk-bear-critical-infrastructure/}, language = {English}, urldate = {2020-05-29} } @online{lyngaas:20200528:israeli:481ca71, author = {Sean Lyngaas}, title = {{Israeli official confirms attempted cyberattack on water systems}}, date = {2020-05-28}, organization = {CyberScoop}, url = {https://www.cyberscoop.com/israel-cyberattacks-water-iran-yigal-unna/}, language = {English}, urldate = {2020-05-29} } @online{m0n0ph1:20170418:github:63a0bd5, author = {m0n0ph1}, title = {{Github repository for trochilus RAT}}, date = {2017-04-18}, organization = {Github (m0n0ph1)}, url = {https://github.com/m0n0ph1/malware-1/tree/master/Trochilus}, language = {English}, urldate = {2020-01-06} } @online{m4n0w4r:20181103:l:d496fbd, author = {m4n0w4r}, title = {{Là 1937CN hay OceanLotus hay Lazarus …}}, date = {2018-11-03}, url = {https://tradahacking.vn/l%C3%A0-1937cn-hay-oceanlotus-hay-lazarus-6ca15fe1b241}, language = {Vietnamese}, urldate = {2020-03-11} } @online{m4n0w4r:20190103:another:2f48120, author = {m4n0w4r}, title = {{Another malicious document with CVE-2017–11882}}, date = {2019-01-03}, url = {https://tradahacking.vn/another-malicious-document-with-cve-2017-11882-839e9c0bbf2f}, language = {Vietnamese}, urldate = {2020-03-11} } @online{m4n0w4r:20190531:thng:c687d46, author = {m4n0w4r}, title = {{Thưởng tết….}}, date = {2019-05-31}, organization = {TradaHacking}, url = {https://tradahacking.vn/th%C6%B0%E1%BB%9Fng-t%E1%BA%BFt-fbcbbed49da7}, language = {Vietnamese}, urldate = {2020-01-10} } @online{m4n0w4r:20190627:tc:90087b2, author = {m4n0w4r}, title = {{Tốc kí một sample sử dụng CVE_2018_20250 (Target VN)}}, date = {2019-06-27}, url = {https://tradahacking.vn/t%E1%BB%91c-k%C3%AD-m%E1%BB%99t-sample-s%E1%BB%AD-d%E1%BB%A5ng-cve-2018-20250-target-vn-3ba306bf3d83}, language = {Vietnamese}, urldate = {2020-03-11} } @online{m4n0w4r:20191008:mt:a14c60d, author = {m4n0w4r}, title = {{Một sample nhắm vào Bank ở VN}}, date = {2019-10-08}, url = {https://tradahacking.vn/%C4%91%E1%BB%A3t-r%E1%BB%93i-t%C3%B4i-c%C3%B3-%C4%91%C4%83ng-m%E1%BB%99t-status-xin-d%E1%BA%A1o-tr%C3%AAn-fb-may-qu%C3%A1-c%C5%A9ng-c%C3%B3-v%C3%A0i-b%E1%BA%A1n-nhi%E1%BB%87t-t%C3%ACnh-g%E1%BB%ADi-cho-537b19ee3468}, language = {Vietnamese}, urldate = {2020-03-11} } @online{m4n0w4r:20191219:re009:fc59940, author = {m4n0w4r}, title = {{[RE009] Phân tích mã độc “KẾ HOẠCH, NHIỆM VỤ TRỌNG TÂM NĂM 2020.doc” đính kèm email phishing}}, date = {2019-12-19}, organization = {VinCSS}, url = {https://blog.vincss.net/2019/12/re009-phan-tich-ma-doc-ke-hoach-nhiem-vu-trong-tam-2020.html}, language = {Vietnamese}, urldate = {2020-03-11} } @online{m4n0w4r:20200310:re012:43d61e3, author = {m4n0w4r}, title = {{[RE012] Phân tích mã độc lợi dụng dịch Covid-19 để phát tán giả mạo “Chỉ thị của thủ tướng Nguyễn Xuân Phúc” - Phần 1}}, date = {2020-03-10}, organization = {VinCSS}, url = {https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc.html}, language = {Vietnamese}, urldate = {2020-03-11} } @online{m4n0w4r:20200319:phn:461fca7, author = {m4n0w4r}, title = {{Phân tích mã độc lợi dụng dịch Covid-19 để phát tán giả mạo “Chỉ thị của thủ tướng Nguyễn Xuân Phúc” - Phần 2}}, date = {2020-03-19}, organization = {VinCSS}, url = {https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc-phan2.html}, language = {Vietnamese}, urldate = {2020-03-19} } @online{m4n0w4r:20200505:guloader:926315b, author = {m4n0w4r and Dang Dinh Phuong}, title = {{GuLoader AntiVM Techniques}}, date = {2020-05-05}, organization = {VinCSS}, url = {https://blog.vincss.net/2020/05/re014-guloader-antivm-techniques.html}, language = {Vietnamese}, urldate = {2020-07-13} } @online{m4n0w4r:20200627:quick:4b18a32, author = {m4n0w4r}, title = {{Quick analysis note about GuLoader (or CloudEyE)}}, date = {2020-06-27}, organization = {kienmanowar Blog}, url = {https://kienmanowar.wordpress.com/2020/06/27/quick-analysis-note-about-guloader-or-cloudeye/}, language = {English}, urldate = {2020-07-13} } @online{m:20170216:nefarious:a0ed57b, author = {Winston M}, title = {{Nefarious Macro Malware drops “Loki Bot” to steal sensitive information across GCC countries!}}, date = {2017-02-16}, organization = {Cysinfo}, url = {https://cysinfo.com/nefarious-macro-malware-drops-loki-bot-across-gcc-countries/}, language = {English}, urldate = {2019-10-23} } @online{mabutas:20200511:new:aa2bbd7, author = {Gabrielle Joyce Mabutas and Kazuki Fujisawa}, title = {{New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability}}, date = {2020-05-11}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability}, language = {English}, urldate = {2020-06-03} } @online{mabutas:20200511:new:e25ce4e, author = {Gabrielle Joyce Mabutas and Kazuki Fujisawa}, title = {{New MacOS Dacls RAT Backdoor Show Lazarus’ Multi-Platform Attack Capability}}, date = {2020-05-11}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/}, language = {English}, urldate = {2020-05-11} } @online{macnica:20171204:new:4bfec6c, author = {Macnica}, title = {{New method of macro malware disguised as defense-related files}}, date = {2017-12-04}, organization = {Macnica}, url = {http://blog.macnica.net/blog/2017/12/post-8c22.html}, language = {Japanese}, urldate = {2020-01-06} } @techreport{macnica:20200701:business:6ddbc7b, author = {Macnica and ITOCHU Corporation}, title = {{Business Email Scams and Countermeasures, Clever tricks of cyber crimes that cause huge damage}}, date = {2020-07-01}, institution = {}, url = {https://www.macnica.net/pdf/macnica_wp_0729.pdf}, language = {Japanese}, urldate = {2020-08-05} } @online{magazine:20161212:inside:0f139d0, author = {SC Magazine}, title = {{Inside DiamondFox}}, date = {2016-12-12}, organization = {SC Magazine}, url = {https://www.scmagazine.com/inside-diamondfox/article/578478/}, language = {English}, urldate = {2020-01-13} } @online{mager:20160419:your:df8bb48, author = {Mark Mager}, title = {{Your Package Has Been Successfully Encrypted: TeslaCrypt 4.1A and the Malware Attack Chain}}, date = {2016-04-19}, organization = {Endgame}, url = {https://www.endgame.com/blog/technical-blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-malware-attack}, language = {English}, urldate = {2020-01-13} } @online{magisa:20190920:mac:c83a228, author = {Luis Magisa}, title = {{Mac Malware that Spoofs Trading App Steals User Information, Uploads it to Website}}, date = {2019-09-20}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/mac-malware-that-spoofs-trading-app-steals-user-information-uploads-it-to-website/}, language = {English}, urldate = {2020-05-19} } @online{maharjan:20200515:malware:8c6907f, author = {Nishan Maharjan}, title = {{Malware Analysis: Snake Ransomware}}, date = {2020-05-15}, url = {https://medium.com/@nishanmaharjan17/malware-analysis-snake-ransomware-a0e66f487017}, language = {English}, urldate = {2020-05-19} } @online{maiffret:20170311:wikileaks:5ca94e5, author = {Marc Maiffret}, title = {{Wikileaks Vault7 JQJSNICKER code leak}}, date = {2017-03-11}, organization = {Marc Maiffret's Blog}, url = {http://marcmaiffret.com/vault7/}, language = {English}, urldate = {2020-01-13} } @online{mak:20160517:newest:d00afc9, author = {mak}, title = {{Newest addition to a happy family: KBOT}}, date = {2016-05-17}, organization = {CERT.PL}, url = {http://www.cert.pl/news/11379}, language = {English}, urldate = {2020-02-18} } @online{makrushin:20180313:time:7171143, author = {Denis Makrushin and Yury Namestnikov}, title = {{Time of death? A therapeutic postmortem of connected medicine}}, date = {2018-03-13}, organization = {Kaspersky Labs}, url = {https://securelist.com/time-of-death-connected-medicine/84315/}, language = {English}, urldate = {2019-12-20} } @online{malbot:20180629:recent:508e44b, author = {MalBot}, title = {{Recent LiteHTTP activities and IOCs}}, date = {2018-06-29}, organization = {Malware.News}, url = {https://malware.news/t/recent-litehttp-activities-and-iocs/21053}, language = {English}, urldate = {2020-01-08} } @online{malhotra:20200220:obliquerat:588aa08, author = {Asheer Malhotra}, title = {{ObliqueRAT: New RAT hits victims' endpoints via malicious documents}}, date = {2020-02-20}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/02/obliquerat-hits-victims-via-maldocs.html}, language = {English}, urldate = {2020-02-25} } @online{malhotra:20200413:how:6ea81f8, author = {Suraj Malhotra}, title = {{How Analysing an AgentTesla Could Lead To Attackers Inbox - Part I}}, date = {2020-04-13}, url = {https://mrt4ntr4.github.io/How-Analysing-an-AgentTesla-Could-Lead-To-Attackers-Inbox-1/}, language = {English}, urldate = {2020-04-15} } @online{malhotra:20200415:how:6cfc199, author = {Suraj Malhotra}, title = {{How Analysing an AgentTesla Could Lead To Attackers Inbox - Part II}}, date = {2020-04-15}, url = {https://mrt4ntr4.github.io/How-Analysing-an-AgentTesla-Could-Lead-To-Attackers-Inbox-2/}, language = {English}, urldate = {2020-04-20} } @online{malhotra:20200622:indigodrop:6d5e7e1, author = {Asheer Malhotra}, title = {{IndigoDrop spreads via military-themed lures to deliver Cobalt Strike}}, date = {2020-06-22}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html}, language = {English}, urldate = {2020-06-24} } @online{malina:20200210:kbot:87338ae, author = {Anna Malina}, title = {{KBOT: sometimes they come back}}, date = {2020-02-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/kbot-sometimes-they-come-back/96157/}, language = {English}, urldate = {2020-02-25} } @online{malk:20170327:linux:2a57a66, author = {Michal Malík}, title = {{Tweet on Linux IRC Bot}}, date = {2017-03-27}, organization = {Twitter (@michalmalik)}, url = {https://twitter.com/michalmalik/status/846368624147353601}, language = {English}, urldate = {2020-01-13} } @online{malpedia:20091025:malpedia:6f22737, author = {Malpedia}, title = {{Malpedia IcyHeart Page (Placeholder)}}, date = {2009-10-25}, url = {https://malpedia.caad.fkie.fraunhofer.de/details/win.icyheart}, language = {English}, urldate = {2020-03-19} } @online{malpedia:2018:family:7ea1bb3, author = {Malpedia}, title = {{Family Description: KleptoParasite Stealer}}, date = {2018}, organization = {Malpedia}, url = {https://malpedia.caad.fkie.fraunhofer.de/details/win.kleptoparasite_stealer}, language = {English}, urldate = {2020-01-13} } @online{malpedia:20200114:family:940a88a, author = {Malpedia}, title = {{Family Page for GuLoader}}, date = {2020-01-14}, organization = {Malpedia}, url = {https://malpedia.caad.fkie.fraunhofer.de/details/win.guloader}, language = {English}, urldate = {2020-01-14} } @online{malpedia:20200114:family:9f9eb7d, author = {Malpedia}, title = {{Family Page for FastLoader}}, date = {2020-01-14}, organization = {Malpedia}, url = {https://malpedia.caad.fkie.fraunhofer.de/details/win.fastloader}, language = {English}, urldate = {2020-01-14} } @online{malpedia:20200309:pyunidentified001:d3ca5d0, author = {Malpedia}, title = {{py.unidentified_001}}, date = {2020-03-09}, url = {https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_001}, language = {English}, urldate = {2020-03-11} } @online{malpedia:20200309:pyunidentified002:47cb3c0, author = {Malpedia}, title = {{py.unidentified_002}}, date = {2020-03-09}, url = {https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_002}, language = {English}, urldate = {2020-03-11} } @online{malpedia:20200309:pyunidentified003:9893d71, author = {Malpedia}, title = {{py.unidentified_003}}, date = {2020-03-09}, url = {https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_003}, language = {English}, urldate = {2020-03-11} } @online{malpedia:20200513:malpedia:bf0a6fb, author = {Malpedia}, title = {{Malpedia Family Page for Kiralock (Placeholder)}}, date = {2020-05-13}, url = {https://malpedia.caad.fkie.fraunhofer.de/details/win.kiralock}, language = {English}, urldate = {2020-05-14} } @online{malpedia:20200515:dbatloader:e08eb1b, author = {Malpedia}, title = {{DBatLoader}}, date = {2020-05-15}, url = {https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader}, language = {English}, urldate = {2020-05-18} } @online{maltego:20180719:forum:423247d, author = {Maltego}, title = {{Forum thread with announcement for Eredel Stealer}}, date = {2018-07-19}, organization = {Nulled.to Forums (Google webcache)}, url = {https://webcache.googleusercontent.com/search?q=cache:3hU62-Lr2t8J:https://www.nulled.to/topic/486274-eredel-stealer-lite-private-having-control-via-the-web-panel-multifunctional-stealer/+&cd=1&hl=en&ct=clnk&gl=ch&client=firefox-b-ab}, language = {English}, urldate = {2020-01-15} } @online{malvica:20200202:uncovering:ec2d3da, author = {Matteo Malvica}, title = {{Uncovering Mimikatz ‘msv’ and collecting credentials through PyKD}}, date = {2020-02-02}, organization = {uf0 Blog}, url = {https://www.matteomalvica.com/blog/2020/01/30/mimikatz-lsass-dump-windg-pykd/}, language = {English}, urldate = {2020-02-03} } @online{malwarebreakdown:20170403:shadow:d023630, author = {MalwareBreakdown}, title = {{Shadow Server Domains Leading to RIG Exploit Kit Dropping Smoke Loader. Downloaded Neutrino Bot (AKA Kasidet).}}, date = {2017-04-03}, organization = {Malware Breakdown}, url = {https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet}, language = {English}, urldate = {2019-07-10} } @online{malwarebreakdown:20171010:malvertising:657b019, author = {MalwareBreakdown}, title = {{Malvertising Campaign Uses RIG EK to Drop Quant Loader which Downloads FormBook.}}, date = {2017-10-10}, organization = {MalwareBreakdown}, url = {https://malwarebreakdown.com/2017/10/10/malvertising-campaign-uses-rig-ek-to-drop-quant-loader-which-downloads-formbook/}, language = {English}, urldate = {2019-11-29} } @online{malwarebreakdown:20171112:seamless:0a1c207, author = {MalwareBreakdown}, title = {{Seamless Campaign Delivers Ramnit via RIG EK at 188.225.82.158. Follow-up Malware is AZORult Stealer.}}, date = {2017-11-12}, url = {https://malwarebreakdown.com/2017/11/12/seamless-campaign-delivers-ramnit-via-rig-ek-at-188-225-82-158-follow-up-malware-is-azorult-stealer/}, language = {English}, urldate = {2019-12-17} } @online{malwarebreakdown:20180111:malspam:994cbfe, author = {MalwareBreakdown}, title = {{Malspam Entitled “Invoice attched for your reference” Delivers Agent Tesla Keylogger}}, date = {2018-01-11}, organization = {MalwareBreakdown}, url = {https://malwarebreakdown.com/2018/01/11/malspam-entitled-invoice-attched-for-your-reference-delivers-agent-tesla-keylogger/}, language = {English}, urldate = {2019-11-29} } @online{malwarebytes:20170608:latentbot:9f46488, author = {Malwarebytes}, title = {{LatentBot piece by piece}}, date = {2017-06-08}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/}, language = {English}, urldate = {2019-11-16} } @online{malwarehunterteam:20161020:quasar:f530cea, author = {MalwareHunterTeam}, title = {{Tweet on Quasar RAT}}, date = {2016-10-20}, organization = {Twitter (@malwrhunterteam)}, url = {https://twitter.com/malwrhunterteam/status/789153556255342596}, language = {English}, urldate = {2019-07-11} } @online{malwarehunterteam:20161020:ransomware:6c23f80, author = {MalwareHunterTeam}, title = {{Tweet on Ransomware}}, date = {2016-10-20}, organization = {Twitter (@malwrhunterteam)}, url = {https://twitter.com/malwrhunterteam/status/789161704106127360}, language = {English}, urldate = {2020-01-06} } @online{malwarehunterteam:20161109:bandok:eddf860, author = {MalwareHunterTeam}, title = {{Tweet on Bandok}}, date = {2016-11-09}, organization = {Twitter (MalwareHunterTeam)}, url = {https://twitter.com/malwrhunterteam/status/796425285197561856}, language = {English}, urldate = {2020-06-05} } @online{malwarehunterteam:20170921:malware:48bf254, author = {MalwareHunterTeam}, title = {{Tweet on Malware Sample}}, date = {2017-09-21}, organization = {Twitter (@malwrhunterteam)}, url = {https://twitter.com/malwrhunterteam/status/910952333084971008}, language = {English}, urldate = {2019-12-19} } @online{malwarehunterteam:20180323:rapid:31feb13, author = {MalwareHunterTeam}, title = {{Tweet on Rapid Ransomware 2.0}}, date = {2018-03-23}, organization = {Twitter (MalwareHunterTeam)}, url = {https://twitter.com/malwrhunterteam/status/977275481765613569}, language = {English}, urldate = {2019-12-10} } @online{malwarehunterteam:20180529:aurora:867bacc, author = {MalwareHunterTeam}, title = {{Tweet on Aurora / OneKeyLocker Ransomware}}, date = {2018-05-29}, organization = {Twitter (@malwrhunterteam)}, url = {https://twitter.com/malwrhunterteam/status/1001461507513880576}, language = {English}, urldate = {2020-03-02} } @online{malwarehunterteam:20190206:ransomware:af1a446, author = {MalwareHunterTeam}, title = {{Tweet on Ransomware Sample}}, date = {2019-02-06}, organization = {Twitter (@malwrhunterteam)}, url = {https://twitter.com/malwrhunterteam/status/1093136163836174339}, language = {English}, urldate = {2020-01-13} } @online{malwarehunterteam:20190215:malware:2512b91, author = {MalwareHunterTeam}, title = {{Tweet on Malware Sample}}, date = {2019-02-15}, organization = {Twitter (@malwrhunterteam)}, url = {https://twitter.com/malwrhunterteam/status/1096363455769202688}, language = {English}, urldate = {2019-11-29} } @online{malwarehunterteam:20200211:parallax:e157478, author = {MalwareHunterTeam}, title = {{Tweet on Parallax RAT}}, date = {2020-02-11}, organization = {Twitter (@malwrhunterteam)}, url = {https://twitter.com/malwrhunterteam/status/1227196799997431809}, language = {English}, urldate = {2020-02-13} } @online{malwarehunterteam:20200413:xploitspy:2fd474f, author = {MalwareHunterTeam}, title = {{Tweet on XploitSPY}}, date = {2020-04-13}, organization = {Twitter (MalwareHunterTeam)}, url = {https://twitter.com/malwrhunterteam/status/1249768400806653952}, language = {English}, urldate = {2020-07-07} } @online{malwarehunterteam:20200415:spymax:4ac5dc7, author = {MalwareHunterTeam}, title = {{Tweet on SpyMax sample}}, date = {2020-04-15}, organization = {Twitter (MalwareHunterTeam)}, url = {https://twitter.com/malwrhunterteam/status/1250412485808717826}, language = {English}, urldate = {2020-07-07} } @online{malwareintelligence:20090711:special:df61090, author = {MalwareIntelligence}, title = {{Special!!! ZeuS Botnet for Dummies}}, date = {2009-07-11}, organization = {MalwareIntelligence}, url = {http://malwareint.blogspot.com/2009/07/special-zeus-botnet-for-dummies.html}, language = {English}, urldate = {2020-01-07} } @online{malwareintelligence:20100315:new:d307b96, author = {MalwareIntelligence}, title = {{New phishing campaign against Facebook led by Zeus}}, date = {2010-03-15}, organization = {MalwareIntelligence}, url = {http://malwareint.blogspot.com/2010/03/new-phishing-campaign-against-facebook.html}, language = {English}, urldate = {2020-01-07} } @online{malwarelu:20120722:xtreme:ada355e, author = {Malware.lu}, title = {{Xtreme RAT analysis}}, date = {2012-07-22}, organization = {Malware.lu}, url = {https://malware.lu/articles/2012/07/22/xtreme-rat-analysis.html}, language = {English}, urldate = {2020-01-08} } @online{malwareninja:20110927:debugging:0033a33, author = {malwareninja}, title = {{Debugging Injected Code with IDA Pro}}, date = {2011-09-27}, url = {https://malwarereversing.wordpress.com/2011/09/27/debugging-injected-code-with-ida-pro/}, language = {English}, urldate = {2019-08-07} } @online{malwaretech:20130813:powerloader:9853b70, author = {MalwareTech}, title = {{PowerLoader Injection – Something truly amazing}}, date = {2013-08-13}, organization = {MalwareTech}, url = {https://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html}, language = {English}, urldate = {2020-07-15} } @online{malwaretech:20140506:rovnix:737e795, author = {MalwareTech}, title = {{Rovnix new “evolution”}}, date = {2014-05-06}, organization = {MalwareTech}, url = {http://www.malwaretech.com/2014/05/rovnix-new-evolution.html}, language = {English}, urldate = {2020-01-08} } @online{malwaretech:20170513:how:1036ae2, author = {MalwareTech}, title = {{How to Accidentally Stop a Global Cyber Attacks}}, date = {2017-05-13}, organization = {MalwareTech}, url = {https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html}, language = {English}, urldate = {2019-11-25} } @online{malwrhunterteam:20180519:rapid:b25afd8, author = {malwrhunterteam}, title = {{Tweet on Rapid 2 ransomware}}, date = {2018-05-19}, organization = {Twitter (@malwrhunterteam)}, url = {https://twitter.com/malwrhunterteam/status/997748495888076800}, language = {English}, urldate = {2020-01-06} } @online{malwrhunterteam:20190115:israbye:a23a44b, author = {malwrhunterteam}, title = {{Tweet on Israbye}}, date = {2019-01-15}, organization = {Twitter (@malwrhunterteam)}, url = {https://twitter.com/malwrhunterteam/status/1085162243795369984}, language = {English}, urldate = {2020-01-06} } @online{malwrhunterteam:20190211:vegalocker:2828b6f, author = {malwrhunterteam}, title = {{Tweet on VegaLocker}}, date = {2019-02-11}, organization = {Twitter (@malwrhunterteam)}, url = {https://twitter.com/malwrhunterteam/status/1095024267459284992}, language = {English}, urldate = {2020-01-08} } @online{malwrhunterteam:20191212:dmr:dc8b2ad, author = {malwrhunterteam}, title = {{Tweet on DMR Ransomware}}, date = {2019-12-12}, organization = {Twitter (@malwrhunterteam)}, url = {https://twitter.com/malwrhunterteam/status/1205096379711918080/photo/1}, language = {English}, urldate = {2020-01-09} } @online{malwrhunterteam:20200109:bitpylock:17860f7, author = {malwrhunterteam}, title = {{Tweet on BitPyLock}}, date = {2020-01-09}, organization = {Twitter (@malwrhunterteam)}, url = {https://twitter.com/malwrhunterteam/status/1215252402988822529}, language = {English}, urldate = {2020-01-13} } @online{malwrologist:20180328:multistage:0fade2d, author = {Malwrologist}, title = {{Multi-stage Powershell script (Brownies)}}, date = {2018-03-28}, url = {https://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/}, language = {English}, urldate = {2020-01-08} } @online{malwrologist:20200407:malware:b0d12ef, author = {Malwrologist}, title = {{Malware Analysis in Action - Episode 2}}, date = {2020-04-07}, organization = {Youtube (DissectMalware)}, url = {https://www.youtube.com/watch?v=QBoj6GB79wM}, language = {English}, urldate = {2020-04-26} } @online{mamedov:20171024:bad:3c21717, author = {Orkhan Mamedov and Fedor Sinitsyn and Anton Ivanov}, title = {{Bad Rabbit ransomware}}, date = {2017-10-24}, organization = {Kaspersky Labs}, url = {https://securelist.com/bad-rabbit-ransomware/82851/}, language = {English}, urldate = {2019-12-20} } @online{mamedov:20180813:keypass:154cf0f, author = {Orkhan Mamedov and Fedor Sinitsyn}, title = {{KeyPass ransomware}}, date = {2018-08-13}, organization = {Kaspersky Labs}, url = {https://securelist.com/keypass-ransomware/87412/}, language = {English}, urldate = {2019-12-20} } @online{mamedov:20190703:sodin:74c101f, author = {Orkhan Mamedov and Artur Pakulov and Fedor Sinitsyn}, title = {{Sodin ransomware exploits Windows vulnerability and processor architecture}}, date = {2019-07-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/sodin-ransomware/91473/}, language = {English}, urldate = {2019-12-20} } @online{manager:2013:netsupport:f3fadef, author = {NetSupport Manager}, title = {{NetSupport Manager Website}}, date = {2013}, organization = {NetSupport Manager}, url = {http://www.netsupportmanager.com/index.asp}, language = {English}, urldate = {2020-01-07} } @online{manager:20180110:analysis:3a5fe83, author = {Tencent Computer Manager}, title = {{Analysis of BlackTech's latest APT attack}}, date = {2018-01-10}, organization = {Freebuf}, url = {http://www.freebuf.com/column/159865.html}, language = {English}, urldate = {2020-01-08} } @online{manahan:20130121:shylock:981b444, author = {Mark Joseph Manahan}, title = {{Shylock Not the Lone Threat Targeting Skype}}, date = {2013-01-21}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/shylock-not-the-lone-threat-targeting-skype/}, language = {English}, urldate = {2020-01-13} } @online{mandiant:20130220:1:7fa9646, author = {Mandiant}, title = {{APT 1 Malware Arsenal Technical Annex}}, date = {2013-02-20}, organization = {FireEye}, url = {https://www.slideshare.net/YuryChemerkin/appendix-c-digital-the-malware-arsenal}, language = {Mandiant}, urldate = {2020-01-08} } @techreport{mandiant:2018:apt1:b76cc4d, author = {Mandiant}, title = {{APT1}}, date = {2018}, institution = {Mandiant}, url = {https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf}, language = {English}, urldate = {2020-01-13} } @techreport{mandiant:20200729:ghostwriter:c81a10a, author = {Mandiant}, title = {{‘Ghostwriter’ Influence Campaign: Unknown Actors Leverage Website Compromises and Fabricated Content to Push Narratives Aligned with Russian Security Interests}}, date = {2020-07-29}, institution = {Mandiant}, url = {https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/Ghostwriter-Influence-Campaign.pdf}, language = {English}, urldate = {2020-07-30} } @online{mannon:20150311:malvertising:8a04865, author = {Chris Mannon}, title = {{Malvertising Targeting European Transit Users}}, date = {2015-03-11}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/malvertising-targeting-european-transit-users}, language = {English}, urldate = {2019-10-14} } @online{mantri:20200708:operation:bee5008, author = {Kalpesh Mantri}, title = {{Operation ‘Honey Trap’: APT36 Targets Defense Organizations in India}}, date = {2020-07-08}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/operation-honey-trap-apt36-targets-defense-organizations-in-india/}, language = {English}, urldate = {2020-07-13} } @online{manuel:20110902:zeus:cd9266e, author = {Jasper Manuel}, title = {{ZeuS Gets Another Update}}, date = {2011-09-02}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/zeus-gets-another-update/}, language = {English}, urldate = {2019-10-28} } @online{manuel:20170405:indepth:8481b41, author = {Jasper Manuel and Artem Semenchenko}, title = {{In-Depth Look at New Variant of MONSOON APT Backdoor, Part 2}}, date = {2017-04-05}, organization = {Fortninet}, url = {http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2}, language = {English}, urldate = {2019-10-13} } @online{manuel:20170405:indepth:f5fe3b5, author = {Jasper Manuel and Artem Semenchenko}, title = {{In-Depth Look at New Variant of MONSOON APT Backdoor, Part 1}}, date = {2017-04-05}, organization = {Fortinet}, url = {http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-1}, language = {English}, urldate = {2020-01-06} } @online{manuel:20170815:quick:ab09ae8, author = {Jasper Manuel}, title = {{A Quick Look at a New KONNI RAT Variant}}, date = {2017-08-15}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant}, language = {English}, urldate = {2020-01-09} } @online{manuel:20170905:rehashed:c3d5a4c, author = {Jasper Manuel and Artem Semenchenko}, title = {{Rehashed RAT Used in APT Campaign Against Vietnamese Organizations}}, date = {2017-09-05}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations}, language = {English}, urldate = {2019-10-23} } @online{manuel:20180416:searching:2fd67ee, author = {Jasper Manuel}, title = {{Searching for the Reuse of Mirai Code: Hide ‘N Seek Bot}}, date = {2018-04-16}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/searching-for-the-reuse-of-mirai-code--hide--n-seek-bot.html}, language = {English}, urldate = {2020-01-08} } @online{manuel:20180708:hussarini:ce47cdc, author = {Jasper Manuel and Rommel Joven}, title = {{Hussarini – Targeted Cyber Attack in the Philippines}}, date = {2018-07-08}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html}, language = {English}, urldate = {2019-10-17} } @online{manuel:20190710:loocipher:279c185, author = {Jasper Manuel}, title = {{LooCipher: Can Encrypted Files Be Recovered From Hell?}}, date = {2019-07-10}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/loocipher-can-encrypted-files-be-recovered.html}, language = {English}, urldate = {2020-01-06} } @online{maor:20140711:father:7c022b3, author = {Etay Maor}, title = {{The Father of Zeus: Kronos Malware Discovered}}, date = {2014-07-11}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/the-father-of-zeus-kronos-malware-discovered/}, language = {English}, urldate = {2020-01-09} } @online{maor:20200116:downloader:f60aa07, author = {Maor}, title = {{Tweet on Downloader}}, date = {2020-01-16}, organization = {Twitter (@M11Sec)}, url = {https://twitter.com/M11Sec/status/1217781224204357633}, language = {English}, urldate = {2020-01-20} } @online{marcos:20150122:new:1fdb830, author = {Michael Marcos}, title = {{New RATs Emerge from Leaked Njw0rm Source Code}}, date = {2015-01-22}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/}, language = {English}, urldate = {2019-12-17} } @online{marczak:20160529:keep:8f48d9e, author = {Bill Marczak and John Scott-Railton}, title = {{Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents}}, date = {2016-05-29}, organization = {CitizenLab}, url = {https://citizenlab.ca/2016/05/stealth-falcon/}, language = {English}, urldate = {2020-04-06} } @online{marczak:20171206:champing:4cb4525, author = {Bill Marczak and Geoffrey Alexander and Sarah McKune and John Scott-Railton and Ron Deibert}, title = {{Champing at the Cyberbit Ethiopian Dissidents Targeted with New Commercial Spyware}}, date = {2017-12-06}, organization = {The Citizen Lab}, url = {https://citizenlab.ca/2017/12/champing-cyberbit-ethiopian-dissidents-targeted-commercial-spyware/}, language = {English}, urldate = {2019-11-23} } @online{marczak:20180309:sandvines:14ef912, author = {Bill Marczak and Jakub Dalek and Sarah McKune and Adam Senft and John Scott-Railton and Ron Deibert}, title = {{Sandvine’s PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads?}}, date = {2018-03-09}, url = {https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/}, language = {English}, urldate = {2020-01-05} } @online{marczak:20180918:hide:2c8e5f5, author = {Bill Marczak and John Scott-Railton and Sarah McKune and Bahr Abdul Razzak and Ron Deibert}, title = {{Hide and Seek: Tracking NSO Group’s Pegasus Spyware to Operations in 45 Countries}}, date = {2018-09-18}, organization = {The Citizenlab}, url = {https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/}, language = {English}, urldate = {2019-11-21} } @online{marczak:20190924:missing:95ad19a, author = {Bill Marczak and Adam Hulcoop and Etienne Maynier and Bahr Abdul Razzak and Masashi Crete-Nishihata and John Scott-Railton and and Ron Deibert}, title = {{Missing Link Tibetan Groups Targeted with 1-Click Mobile Exploits}}, date = {2019-09-24}, organization = {The Citizen Lab}, url = {https://citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits/}, language = {English}, urldate = {2019-12-20} } @online{marczak:20200128:stopping:cda3173, author = {Bill Marczak and Siena Anstis and Masashi Crete-Nishihata and John Scott-Railton and Ron Deibert}, title = {{Stopping the Press: New York Times Journalist Targeted by Saudi-linked Pegasus Spyware Operator}}, date = {2020-01-28}, organization = {CitizenLab}, url = {https://citizenlab.ca/2020/01/stopping-the-press-new-york-times-journalist-targeted-by-saudi-linked-pegasus-spyware-operator/}, language = {English}, urldate = {2020-01-28} } @online{marinho:20170829:second:582ba7f, author = {Renato Marinho}, title = {{Second Google Chrome Extension Banker Malware in Two Weeks}}, date = {2017-08-29}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/22766}, language = {English}, urldate = {2020-01-08} } @online{marinho:20170926:xpctra:f648aa4, author = {Renato Marinho}, title = {{XPCTRA Malware Steals Banking and Digital Wallet User's Credentials}}, date = {2017-09-26}, organization = {ISC}, url = {https://isc.sans.edu/forums/diary/XPCTRA+Malware+Steals+Banking+and+Digital+Wallet+Users+Credentials/22868/}, language = {English}, urldate = {2019-11-26} } @online{marinho:20171206:exploring:f4a89fa, author = {Renato Marinho and Raimir Holanda}, title = {{Exploring a P2P Transient Botnet - From Discovery to Enumeration}}, date = {2017-12-06}, organization = {Botconf}, url = {https://journal.cecyf.fr/ojs/index.php/cybin/article/view/16/22}, language = {English}, urldate = {2020-01-09} } @online{mark:20190522:trickbot:277256b, author = {sneakymonk3y (Mark)}, title = {{TRICKBOT - Analysis}}, date = {2019-05-22}, url = {https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/}, language = {English}, urldate = {2020-01-06} } @online{marn:20190729:analysis:c32955f, author = {Alberto Marín}, title = {{An analysis of a spam distribution botnet: the inner workings of Onliner Spambot}}, date = {2019-07-29}, organization = {Blueliv}, url = {https://www.blueliv.com/blog/research/analysis-spam-distribution-botnet-onliner-spambot/}, language = {English}, urldate = {2019-12-17} } @online{marques:20160331:evolution:90e1373, author = {Thiago Marques}, title = {{The evolution of Brazilian Malware}}, date = {2016-03-31}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-evolution-of-brazilian-malware/74325/#rat}, language = {English}, urldate = {2019-12-20} } @online{marschalek:20141216:evilbunny:8e78c65, author = {Marion Marschalek}, title = {{EvilBunny: Malware Instrumented By Lua}}, date = {2014-12-16}, organization = {Cyphort}, url = {https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/}, language = {English}, urldate = {2020-06-08} } @online{marschalek:20150218:babar:f8c92b6, author = {Marion Marschalek}, title = {{Babar: Suspected Nation State Spyware In The Spotlight}}, date = {2015-02-18}, organization = {Cyphort}, url = {https://web.archive.org/web/20150218192803/http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/}, language = {English}, urldate = {2020-06-08} } @online{marschalek:20150218:shooting:91fead0, author = {Marion Marschalek}, title = {{Shooting Elephants}}, date = {2015-02-18}, organization = {Cyphort}, url = {https://drive.google.com/a/cyphort.com/file/d/0B9Mrr-en8FX4dzJqLWhDblhseTA/}, language = {English}, urldate = {2020-01-08} } @online{marten4n6:20180817:evilosx:f44da6e, author = {Marten4n6}, title = {{EvilOSX}}, date = {2018-08-17}, organization = {Github (Marten4n6)}, url = {https://github.com/Marten4n6/EvilOSX}, language = {English}, urldate = {2020-01-09} } @online{martin:20100125:leveraging:2c0f7d8, author = {Ernesto Martin}, title = {{Leveraging ZeuS to send spam through social networks}}, date = {2010-01-25}, url = {http://malwareint.blogspot.com/2010/01/leveraging-zeus-to-send-spam-through.html}, language = {English}, urldate = {2019-10-28} } @online{martin:20160304:tracing:ca8f6d7, author = {David Martin}, title = {{Tracing the Lineage of DarkSeoul}}, date = {2016-03-04}, organization = {SANS}, url = {https://www.sans.org/reading-room/whitepapers/critical/tracing-lineage-darkseoul-36787}, language = {English}, urldate = {2019-12-17} } @online{martin:20191127:threat:e91b6bf, author = {Adam Martin}, title = {{Threat Spotlight: Machete Info-Stealer}}, date = {2019-11-27}, organization = {ThreatVector}, url = {https://threatvector.cylance.com/en_us/home/threat-spotlight-machete-info-stealer.html}, language = {English}, urldate = {2020-01-08} } @online{martinez:20200115:alien:a57585f, author = {Fernando Martinez}, title = {{Alien Labs 2019 Analysis of Threat Groups Molerats and APT-C-37}}, date = {2020-01-15}, organization = {AT&T Cybersecurity}, url = {https://cybersecurity.att.com/blogs/labs-research/alien-labs-2019-analysis-of-threat-groups-molerats-and-apt-c-37}, language = {English}, urldate = {2020-01-22} } @online{martire:20190516:stealthy:930aa98, author = {Luigi Martire and Davide Testa and Antonio Pirozzi and Luca Mella}, title = {{The Stealthy Email Stealer in the TA505 Arsenal}}, date = {2019-05-16}, organization = {Yoroi}, url = {https://blog.yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/}, language = {English}, urldate = {2019-10-14} } @online{martire:20200221:transparent:eb18469, author = {Luigi Martire and Pietro Melillo and Antonio Pirozzi}, title = {{Transparent Tribe: Four Years Later}}, date = {2020-02-21}, organization = {Yoroi}, url = {https://blog.yoroi.company/research/transparent-tribe-four-years-later}, language = {English}, urldate = {2020-03-06} } @online{mascarenhas:20160823:russian:17f62ab, author = {Hyacinth Mascarenhas}, title = {{Russian hackers 'Fancy Bear' likely breached Olympic drug-testing agency and DNC, experts say}}, date = {2016-08-23}, organization = {International Business Times}, url = {http://www.ibtimes.co.uk/russian-hackers-fancy-bear-likely-breached-olympic-drug-testing-agency-dnc-experts-say-1577508}, language = {English}, urldate = {2020-01-08} } @online{maslennikov:20111006:zeusinthemobile:ea34d2e, author = {Denis Maslennikov}, title = {{ZeuS-in-the-Mobile – Facts and Theories}}, date = {2011-10-06}, organization = {Kaspersky Labs}, url = {https://securelist.com/zeus-in-the-mobile-facts-and-theories/36424/}, language = {English}, urldate = {2020-02-04} } @online{mass:20150114:catching:33c67af, author = {Tony Massé}, title = {{Catching the “Inception Framework” Phishing Attack}}, date = {2015-01-14}, organization = {LogRhythm}, url = {https://logrhythm.com/blog/catching-the-inception-framework-phishing-attack/}, language = {English}, urldate = {2020-04-21} } @techreport{matrosov:20110103:stuxnet:420d733, author = {Aleksandr Matrosov and Eugene Rodionov and David Harley and Juraj Malcho}, title = {{Stuxnet Under the Microscope}}, date = {2011-01-03}, institution = {ESET Research}, url = {https://www.welivesecurity.com/media_files/white-papers/Stuxnet_Under_the_Microscope.pdf}, language = {English}, urldate = {2019-12-20} } @techreport{matrosov:20120302:win32carberp:638558a, author = {Aleksandr Matrosov and Eugene Rodionov and Dmitry Volkov and David Harley}, title = {{Win32/Carberp: When You're in a Black Hole, Stop Digging}}, date = {2012-03-02}, institution = {ESET Research}, url = {https://cdn1.esetstatic.com/eset/US/resources/docs/white-papers/white-papers-win-32-carberp.pdf}, language = {English}, urldate = {2020-02-11} } @online{matrosov:20120605:smartcard:88d7163, author = {Aleksandr Matrosov}, title = {{Smartcard vulnerabilities in modern banking malware}}, date = {2012-06-05}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2012/06/05/smartcard-vulnerabilities-in-modern-banking-malware/}, language = {English}, urldate = {2019-11-14} } @online{matrosov:20120713:rovnix:7988101, author = {Aleksandr Matrosov}, title = {{Rovnix bootkit framework updated}}, date = {2012-07-13}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2012/07/13/rovnix-bootkit-framework-updated/}, language = {English}, urldate = {2019-11-14} } @online{matrosov:20121219:win32spyranbyus:955d383, author = {Aleksandr Matrosov}, title = {{Win32/Spy.Ranbyus modifying Java code in RBS Ukraine systems}}, date = {2012-12-19}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/}, language = {English}, urldate = {2019-11-14} } @online{matrosov:20130204:what:56f7bcb, author = {Aleksandr Matrosov}, title = {{What do Win32/Redyms and TDL4 have in common?}}, date = {2013-02-04}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2013/02/04/what-do-win32redyms-and-tdl4-have-in-common/}, language = {English}, urldate = {2019-11-14} } @online{m