@online{037:20190320:apt38:4c7f1d4, author = {@037}, title = {{APT38 DYEPACK FRAMEWORK}}, date = {2019-03-20}, organization = {Github (649)}, url = {https://github.com/649/APT38-DYEPACK}, language = {English}, urldate = {2019-12-17} } @online{0r:20210306:microsoft:099b122, author = {Auth 0r}, title = {{Microsoft Exchange Zero Day’s – Mitigations and Detections.}}, date = {2021-03-06}, organization = {Blue Team Blog}, url = {https://blueteamblog.com/microsoft-exchange-zero-days-mitigations-and-detections}, language = {English}, urldate = {2021-03-11} } @online{0r:20210514:darkside:bf9c5bc, author = {Auth 0r}, title = {{DarkSide Ransomware Operations – Preventions and Detections.}}, date = {2021-05-14}, organization = {Blue Team Blog}, url = {https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections}, language = {English}, urldate = {2021-05-17} } @online{0verfl0w:20190115:analyzing:bf3b215, author = {0verfl0w_}, title = {{Analyzing COMmunication in Malware}}, date = {2019-01-15}, organization = {0ffset Blog}, url = {https://0ffset.net/reverse-engineering/analyzing-com-mechanisms-in-malware/}, language = {English}, urldate = {2020-01-06} } @online{0verfl0w:20190205:revisiting:8e39d7e, author = {0verfl0w_}, title = {{Revisiting Hancitor in Depth}}, date = {2019-02-05}, organization = {0ffset Blog}, url = {https://0ffset.net/reverse-engineering/malware-analysis/reversing-hancitor-again/}, language = {English}, urldate = {2020-01-06} } @online{0verfl0w:20190313:analysing:1f83706, author = {0verfl0w_}, title = {{Analysing ISFB – The First Loader}}, date = {2019-03-13}, organization = {0ffset Blog}, url = {https://0ffset.net/reverse-engineering/malware-analysis/analysing-isfb-loader/}, language = {English}, urldate = {2020-01-10} } @online{0verfl0w:20190525:analyzing:84874ea, author = {0verfl0w_}, title = {{Analyzing ISFB – The Second Loader}}, date = {2019-05-25}, organization = {0ffset Blog}, url = {https://0ffset.net/reverse-engineering/malware-analysis/analyzing-isfb-second-loader/}, language = {English}, urldate = {2020-01-13} } @online{0verfl0w:20190531:defeating:eb0994e, author = {0verfl0w_}, title = {{Defeating Commercial and Custom Packers like a Pro - VMProtect, ASPack, PECompact, and more}}, date = {2019-05-31}, organization = {Youtube (0verfl0w_)}, url = {https://www.youtube.com/watch?v=N4f2e8Mygag}, language = {English}, urldate = {2020-01-08} } @online{0verfl0w:20190708:analyzing:b984acf, author = {0verfl0w_}, title = {{Analyzing KSL0T (Turla’s Keylogger), Part 2 – Reupload}}, date = {2019-07-08}, organization = {0ffset Blog}, url = {https://0ffset.net/reverse-engineering/malware-analysis/analyzing-turlas-keylogger-2/}, language = {English}, urldate = {2020-01-10} } @online{0verfl0w:20190708:analyzing:f246b28, author = {0verfl0w_}, title = {{Analyzing KSL0T (Turla’s Keylogger), Part 1 – Reupload}}, date = {2019-07-08}, organization = {0ffset Blog}, url = {https://0ffset.net/reverse-engineering/malware-analysis/analyzing-turlas-keylogger-1/}, language = {English}, urldate = {2020-01-06} } @online{0verfl0w:20200607:dealing:b50665d, author = {0verfl0w_}, title = {{Dealing with Obfuscated Macros, Statically - NanoCore}}, date = {2020-06-07}, organization = {Zero2Automated Blog}, url = {https://zero2auto.com/2020/06/07/dealing-with-obfuscated-macros/}, language = {English}, urldate = {2020-06-11} } @online{0x09al:20181020:dropboxc2c:bf05a34, author = {0x09AL}, title = {{DropboxC2C}}, date = {2018-10-20}, url = {https://github.com/0x09AL/DropboxC2C}, language = {English}, urldate = {2020-03-06} } @online{0x0:20191221:shamoon:eb1828b, author = {Myrtus 0x0}, title = {{Shamoon 2012 Complete Analysis}}, date = {2019-12-21}, organization = {MalwareInDepth}, url = {https://malwareindepth.com/shamoon-2012/}, language = {English}, urldate = {2020-01-12} } @online{0x0:20200404:nanocore:6649008, author = {Myrtus 0x0}, title = {{Nanocore & CypherIT}}, date = {2020-04-04}, organization = {MalwareInDepth}, url = {https://malwareindepth.com/defeating-nanocore-and-cypherit/}, language = {English}, urldate = {2020-04-07} } @online{0x1c3n:20210827:anubis:1705302, author = {0x1c3N}, title = {{Anubis Android Malware Analysis}}, date = {2021-08-27}, organization = {0x1c3n.tech}, url = {https://0x1c3n.tech/anubis-android-malware-analysis}, language = {English}, urldate = {2021-09-02} } @online{0xastrovax:20201121:deep:89c1a51, author = {0xastrovax}, title = {{Deep Dive Into HERMES Ransomware}}, date = {2020-11-21}, organization = {vxhive blog}, url = {https://vxhive.blogspot.com/2020/11/deep-dive-into-hermes-ransomware.html}, language = {English}, urldate = {2021-12-13} } @online{0xastrovax:20210123:deep:47d960f, author = {0xastrovax}, title = {{Deep Dive Into SectopRat}}, date = {2021-01-23}, organization = {vxhive blog}, url = {https://vxhive.blogspot.com/2021/01/deep-dive-into-sectoprat.html}, language = {English}, urldate = {2021-01-25} } @online{0xca7:20210504:malware:7647ea6, author = {0xca7}, title = {{Malware - Anti-Analysis}}, date = {2021-05-04}, organization = {YouTube (0xca7)}, url = {https://www.youtube.com/watch?v=42yldTQ-fWA}, language = {English}, urldate = {2022-05-04} } @online{0xca7:20210603:fatalrat:b54478b, author = {0xca7}, title = {{FatalRAT: Dumping the "payload" aka. Cat vs RAT}}, date = {2021-06-03}, organization = {YouTube (0xca7)}, url = {https://www.youtube.com/watch?v=gjvnVZc11Vg}, language = {English}, urldate = {2022-03-15} } @online{0xca7:20210707:snakekeylogger:fccf1d2, author = {0xca7}, title = {{Snakekeylogger - Information Stealer}}, date = {2021-07-07}, organization = {YouTube (0xca7)}, url = {https://www.youtube.com/watch?v=vzyJp2w8bPE}, language = {English}, urldate = {2022-03-17} } @online{0xca7:20220109:cat:ca6499b, author = {0xca7}, title = {{Cat vs. RAT II - Bitrat}}, date = {2022-01-09}, organization = {YouTube (0xca7)}, url = {https://www.youtube.com/watch?v=CYm3g4zkQdw}, language = {English}, urldate = {2022-03-17} } @online{0xca7:20220322:blackguard:05392f9, author = {0xca7}, title = {{Blackguard Infostealer}}, date = {2022-03-22}, organization = {YouTube (0xca7)}, url = {https://www.youtube.com/watch?v=Fd8WjxzY2_g}, language = {English}, urldate = {2022-05-04} } @online{0xca7:20220403:powershell:397a431, author = {0xca7}, title = {{Powershell Script Deobfuscation}}, date = {2022-04-03}, organization = {YouTube (0xca7)}, url = {https://www.youtube.com/watch?v=ip4aWFfdx4g}, language = {English}, urldate = {2022-05-04} } @online{0xebfe:20130330:fooled:88d133a, author = {0xEBFE}, title = {{Fooled by Andromeda}}, date = {2013-03-30}, organization = {0xEBFE Blog about life}, url = {http://www.0xebfe.net/blog/2013/03/30/fooled-by-andromeda/}, language = {English}, urldate = {2019-07-27} } @online{0xffff0800:20181114:amadey:e362501, author = {0xffff0800}, title = {{Tweet on Amadey C2}}, date = {2018-11-14}, organization = {Twitter (@0xffff0800)}, url = {https://twitter.com/0xffff0800/status/1062948406266642432}, language = {English}, urldate = {2020-01-07} } @online{0xffff0800:20190222:pe:ea39c56, author = {0xffff0800}, title = {{Tweet on PE}}, date = {2019-02-22}, organization = {Twitter}, url = {https://twitter.com/i/web/status/1099147896950185985}, language = {English}, urldate = {2020-01-08} } @online{0xffff0800:20190302:opjerusalm:4743e08, author = {@0xffff0800}, title = {{Tweet on #OpJerusalm Ransomware}}, date = {2019-03-02}, organization = {Twitter (@0xffff0800)}, url = {https://twitter.com/0xffff0800/status/1102078898320302080}, language = {English}, urldate = {2019-07-08} } @online{0xthreatintel:20201212:reversing:945a5b8, author = {0xthreatintel}, title = {{Reversing QakBot [ TLP: White]}}, date = {2020-12-12}, organization = {Medium 0xthreatintel}, url = {https://0xthreatintel.medium.com/reversing-qakbot-tlp-white-d1b8b37ad8e7}, language = {English}, urldate = {2020-12-14} } @online{0xthreatintel:20201215:reversing:eddc936, author = {0xthreatintel}, title = {{Reversing Conti Ransomware}}, date = {2020-12-15}, organization = {Medium 0xthreatintel}, url = {https://0xthreatintel.medium.com/reversing-conti-ransomware-bfce15019e74}, language = {English}, urldate = {2020-12-15} } @online{0xthreatintel:20210126:reversing:716c09c, author = {0xthreatintel}, title = {{Reversing APT Tool : SManager (Unpacked)}}, date = {2021-01-26}, organization = {Medium 0xthreatintel}, url = {https://0xthreatintel.medium.com/reversing-apt-tool-smanager-unpacked-d413a04961c4}, language = {English}, urldate = {2021-01-27} } @online{0xthreatintel:20210201:uncovering:d7b9216, author = {0xthreatintel}, title = {{Uncovering APT-C-41 (StrongPity) Backdoor}}, date = {2021-02-01}, organization = {Medium 0xthreatintel}, url = {https://0xthreatintel.medium.com/uncovering-apt-c-41-strongpity-backdoor-e7f9a7a076f4}, language = {English}, urldate = {2021-02-02} } @online{0xthreatintel:20210219:how:5fed055, author = {0xthreatintel}, title = {{How to unpack SManager APT tool?}}, date = {2021-02-19}, organization = {Medium 0xthreatintel}, url = {https://0xthreatintel.medium.com/how-to-unpack-smanager-apt-tool-cb5909819214}, language = {English}, urldate = {2021-02-20} } @online{0xtornado:20211115:exchange:2920728, author = {0xtornado and v3t0_}, title = {{Exchange Exploit Leads to Domain Wide Ransomware}}, date = {2021-11-15}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/}, language = {English}, urldate = {2021-11-17} } @online{0xtornado:20220404:stolen:3df91a7, author = {@0xtornado and @yatinwad and @MettalicHack and @_pete_0}, title = {{Stolen Images Campaign Ends in Conti Ransomware}}, date = {2022-04-04}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/}, language = {English}, urldate = {2022-04-04} } @online{1d8:20200713:remcos:531702d, author = {1d8}, title = {{Remcos RAT Macro Dropper Doc}}, date = {2020-07-13}, organization = {Github (1d8)}, url = {https://github.com/1d8/analyses/blob/master/RemcosDocDropper.MD}, language = {English}, urldate = {2020-07-16} } @online{1umos:20210616:cerberus:9fc9528, author = {Twitter (@1umos_)}, title = {{Cerberus Analysis - Android Banking Trojan}}, date = {2021-06-16}, organization = {nur.pub}, url = {https://nur.pub/cerberus-analysis}, language = {English}, urldate = {2021-06-21} } @online{20140313:20140313:energy:8736af5, author = {2014-03-13}, title = {{Energy Watering Hole Attack Used LightsOut Exploit Kit}}, date = {2014-03-13}, organization = {Threatpost}, url = {https://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit-kit/104772/}, language = {English}, urldate = {2020-01-08} } @online{2ero:20210805:attacks:200d665, author = {2ero}, title = {{Attacks on NCGSA, MOITT, MOD, NSCP and SCO in Pakistan}}, date = {2021-08-05}, organization = {Twitter (@BaoshengbinCumt)}, url = {https://mp.weixin.qq.com/s/yrDzybPVTbu_9SrZPlSNKA}, language = {Chinese}, urldate = {2021-08-06} } @online{360:20160531:operation:406d937, author = {360}, title = {{Operation Mermaid: 6 years of overseas targeted attacks revealed}}, date = {2016-05-31}, organization = {Freebuf}, url = {https://www.freebuf.com/articles/network/105726.html}, language = {Chinese}, urldate = {2021-03-04} } @online{360:20180712:blue:ca92dea, author = {360}, title = {{Blue Pork Mushroom (APT-C-12) targeted attack technical details revealed}}, date = {2018-07-12}, organization = {360 Threat Intelligence}, url = {https://mp.weixin.qq.com/s/S-hiGFNC6WXGrkjytAVbpA}, language = {Chinese}, urldate = {2020-04-06} } @online{360:20180921:poison:d1cab92, author = {Qihoo 360}, title = {{Poison Ivy Group and the Cyberespionage Campaign Against Chinese Military and Goverment}}, date = {2018-09-21}, organization = {Qihoo 360 Technology}, url = {http://blogs.360.cn/post/APT_C_01_en.html}, language = {English}, urldate = {2019-11-29} } @online{360:20181205:operation:65a4907, author = {360}, title = {{Operation Poison Needles - APT Group Attacked the Polyclinic of the Presidential Administration of Russia, Exploiting a Zero-day}}, date = {2018-12-05}, organization = {360}, url = {http://blogs.360.cn/post/PoisonNeedles_CVE-2018-15982_EN}, language = {English}, urldate = {2020-01-06} } @online{360:20190228:urlzone:e1814da, author = {360威胁情报中心}, title = {{URLZone: Analysis of Suspected Attacks Against Japanese Hi-Tech Enterprise Employees}}, date = {2019-02-28}, organization = {Weixin}, url = {https://mp.weixin.qq.com/s/NRytT94ne5gKN31CSLq6GA}, language = {Chinese}, urldate = {2019-11-27} } @online{360:20200302:cia:d88b9c9, author = {Qihoo 360}, title = {{The CIA Hacking Group (APT-C-39) Conducts Cyber-Espionage Operation on China's Critical Industries for 11 Years}}, date = {2020-03-02}, organization = {Qihoo 360 Technology}, url = {http://blogs.360.cn/post/APT-C-39_CIA_EN.html}, language = {English}, urldate = {2020-03-03} } @online{360:20200406:darkhotel:78f0a7f, author = {Qihoo 360}, title = {{The DarkHotel (APT-C-06) Attacked Chinese Institutions Abroad via Exploiting SangFor VPN Vulnerability}}, date = {2020-04-06}, organization = {360.cn}, url = {https://blogs.360.cn/post/APT_Darkhotel_attacks_during_coronavirus_pandemic.html}, language = {English}, urldate = {2020-04-07} } @online{360:20200828:sneak:bc0fea4, author = {360威胁情报中心}, title = {{The "sneak camera" in mobile pornography software}}, date = {2020-08-28}, organization = {360 Core Security}, url = {https://blogs.360.cn/post/shou-ji-se-qing-ruan-jian-zhong-de-tou-pai-zhe.html}, language = {English}, urldate = {2020-09-06} } @online{360:20201026:aptc44:a336bf6, author = {360}, title = {{北非狐(APT-C-44)攻击活动揭露}}, date = {2020-10-26}, organization = {360 Core Security}, url = {https://blogs.360.cn/post/APT-C-44.html}, language = {Chinese}, urldate = {2020-11-09} } @online{360:20201030:aptc35:0c53f1a, author = {360}, title = {{肚脑虫组织( APT-C-35)疑似针对巴基斯坦军事人员的最新攻击活动}}, date = {2020-10-30}, organization = {360 Core Security}, url = {https://blogs.360.cn/post/APT-C-35_target_at_armed_forces_in_Pakistan.html}, language = {Chinese}, urldate = {2020-11-02} } @online{360:20201204:domestic:4c457ee, author = {360}, title = {{Domestic Kitten组织(APT-C-50)针对中东地区反政府群体的监控活动}}, date = {2020-12-04}, organization = {360 Core Security}, url = {https://blogs.360.cn/post/APT-C-50.html}, language = {Chinese}, urldate = {2020-12-17} } @online{360quake:20201218:solarwinds:1b22539, author = {360Quake}, title = {{SolarWinds失陷服务器测绘分析报告}}, date = {2020-12-18}, organization = {360Quake}, url = {https://www.anquanke.com/post/id/226029}, language = {Chinese}, urldate = {2020-12-23} } @online{3xp0rt:20200405:lets:fb49d9f, author = {3xp0rt}, title = {{Let's check: Sorano Stealer}}, date = {2020-04-05}, url = {https://3xp0rt.xyz/lpmkikVic}, language = {English}, urldate = {2020-05-20} } @online{3xp0rt:20200407:decompiled:83e10aa, author = {3xp0rt}, title = {{Decompiled SoranoStealer}}, date = {2020-04-07}, organization = {Github (3xp0rt)}, url = {https://github.com/3xp0rt/SoranoStealer}, language = {English}, urldate = {2020-05-20} } @online{3xp0rt:20200624:new:6b725c2, author = {3xp0rt}, title = {{Tweet on new version of TaurusStealer (v1.4)}}, date = {2020-06-24}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1275746149719252992}, language = {English}, urldate = {2020-06-24} } @online{3xp0rt:20200814:osiris:5de6596, author = {3xp0rt}, title = {{Tweet on Osiris}}, date = {2020-08-14}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1294157781415743488}, language = {English}, urldate = {2020-08-18} } @online{3xp0rt:20200906:of:b1e77c3, author = {3xp0rt}, title = {{Tweet and description of NixScare Stealer}}, date = {2020-09-06}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1302584919592501248}, language = {English}, urldate = {2020-09-15} } @online{3xp0rt:20201027:ficker:b890340, author = {3xp0rt}, title = {{Tweet on Ficker Stealer}}, date = {2020-10-27}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1321209656774135810}, language = {English}, urldate = {2021-12-17} } @online{3xp0rt:20201106:hunter:90ca7c9, author = {3xp0rt}, title = {{Tweet on Hunter Stealer}}, date = {2020-11-06}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1324800226381758471}, language = {English}, urldate = {2020-11-12} } @online{3xp0rt:20201126:xenon:83af8c2, author = {3xp0rt}, title = {{Tweet on Xenon Stealer}}, date = {2020-11-26}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1331974232192987142}, language = {English}, urldate = {2020-12-03} } @online{3xp0rt:20201230:alfonso:d99501e, author = {3xp0rt}, title = {{Tweet on Alfonso Stealer}}, date = {2020-12-30}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1344352253294104576}, language = {English}, urldate = {2021-01-11} } @online{3xp0rt:20210323:chminer:02aed99, author = {3xp0rt}, title = {{Tweet on chMiner RAT}}, date = {2021-03-23}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1374080720906420227}, language = {English}, urldate = {2021-04-16} } @online{3xp0rt:20210326:cypress:42266e4, author = {3xp0rt}, title = {{Tweet on Cypress Stealer}}, date = {2021-03-26}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1375547064348782595}, language = {English}, urldate = {2021-04-06} } @online{3xp0rt:20210408:bloody:403ff45, author = {3xp0rt}, title = {{Tweet on Bloody Stealer}}, date = {2021-04-08}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1380087553676697617}, language = {English}, urldate = {2021-05-19} } @online{3xp0rt:20210430:zenar:be4f5e3, author = {3xp0rt}, title = {{Tweet on Zenar Miner}}, date = {2021-04-30}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1387996083712888832?s=20}, language = {English}, urldate = {2021-05-19} } @online{3xp0rt:20210505:toxin:00d47c5, author = {3xp0rt}, title = {{Tweet on Toxin Miner}}, date = {2021-05-05}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1389692430061027328}, language = {English}, urldate = {2021-05-08} } @online{3xp0rt:20211112:tweets:fbce5a2, author = {3xp0rt}, title = {{Tweets on DarkLoader}}, date = {2021-11-12}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1459081435361517585}, language = {English}, urldate = {2021-12-22} } @online{3xp0rt:20211225:new:f35c1ac, author = {3xp0rt}, title = {{A new version of X-Files Stealer}}, date = {2021-12-25}, organization = {3xp0rt}, url = {https://twitter.com/3xp0rtblog/status/1473323635469438978}, language = {English}, urldate = {2022-04-20} } @online{3xp0rt:20220201:mars:3ff37ea, author = {3xp0rt}, title = {{Mars Stealer: Oski refactoring}}, date = {2022-02-01}, organization = {3xp0rt}, url = {https://3xp0rt.com/posts/mars-stealer}, language = {English}, urldate = {2022-04-15} } @online{3xp0rt:20220331:eternity:86e2c72, author = {3xp0rt}, title = {{Tweet on Eternity stealer}}, date = {2022-03-31}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1509601846494695438}, language = {English}, urldate = {2022-05-04} } @online{3xp0rt:20220401:000stealer:8b1ea3c, author = {3xp0rt}, title = {{Tweet on 000stealer, written in GO and its panel}}, date = {2022-04-01}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1509978637189419008}, language = {English}, urldate = {2022-05-04} } @online{3xp0rt:20220411:safire:69718f1, author = {3xp0rt}, title = {{Tweet on Safire Miner}}, date = {2022-04-11}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1513099720578801670}, language = {English}, urldate = {2022-05-04} } @online{42:20171027:tracking:bde654e, author = {Unit 42}, title = {{Tracking Subaat: Targeted Phishing Attack Leads to Threat Actor’s Repository}}, date = {2017-10-27}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/10/unit42-tracking-subaat-targeted-phishing-attacks-point-leader-threat-actors-repository/}, language = {English}, urldate = {2019-12-20} } @online{42:20190222:new:7bda906, author = {Unit 42}, title = {{New BabyShark Malware Targets U.S. National Security Think Tanks}}, date = {2019-02-22}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/}, language = {English}, urldate = {2020-01-07} } @online{42:20190312:operation:3610bc8, author = {Unit 42}, title = {{Operation Comando: How to Run a Cheap and Effective Credit Card Business}}, date = {2019-03-12}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/operation-comando-or-how-to-run-a-cheap-and-effective-credit-card-business/}, language = {English}, urldate = {2019-10-23} } @online{42:20191202:imminent:462e901, author = {Unit 42}, title = {{Imminent Monitor – a RAT Down Under}}, date = {2019-12-02}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/imminent-monitor-a-rat-down-under/}, language = {English}, urldate = {2020-01-06} } @online{42:20201214:threat:032b92d, author = {Unit 42}, title = {{Threat Brief: SolarStorm and SUNBURST Customer Coverage}}, date = {2020-12-14}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/}, language = {English}, urldate = {2020-12-15} } @online{42:20201223:timeline:466b51a, author = {Unit 42}, title = {{A Timeline Perspective of the SolarStorm Supply-Chain Attack}}, date = {2020-12-23}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline}, language = {English}, urldate = {2020-12-26} } @online{42:20210309:remediation:4973903, author = {Unit 42}, title = {{Remediation Steps for the Microsoft Exchange Server Vulnerabilities}}, date = {2021-03-09}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/remediation-steps-for-the-Microsoft-Exchange-Server-vulnerabilities/}, language = {English}, urldate = {2021-03-11} } @online{42:20210311:microsoft:c51c694, author = {Unit 42}, title = {{Microsoft Exchange Server Attack Timeline}}, date = {2021-03-11}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/microsoft-exchange-server-attack-timeline/}, language = {English}, urldate = {2021-03-12} } @online{42:20210326:threat:343faf5, author = {Unit 42}, title = {{Threat Assessment: Matrix Ransomware}}, date = {2021-03-26}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/matrix-ransomware/}, language = {English}, urldate = {2021-03-30} } @online{42:20210703:threat:b329d9c, author = {Unit 42}, title = {{Threat Brief: Kaseya VSA Ransomware Attack}}, date = {2021-07-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/threat-brief-kaseya-vsa-ransomware-attacks/}, language = {English}, urldate = {2021-07-12} } @online{42:20210730:bazarloader:43bdc2c, author = {Unit 42}, title = {{Tweet on BazarLoader infection leading to cobaltstrike and Powershell script file for PrintNightmare vulnerability}}, date = {2021-07-30}, organization = {Twitter (@Unit42_Intel)}, url = {https://twitter.com/Unit42_Intel/status/1421117403644186629?s=20}, language = {English}, urldate = {2021-08-02} } @online{42:20211105:ta551:98c564e, author = {Unit 42}, title = {{Tweet on TA551 (Shathak) BazarLoader infection with CobaltStrike and DarkVNC drops}}, date = {2021-11-05}, organization = {Twitter (@Unit42_Intel)}, url = {https://twitter.com/Unit42_Intel/status/1458113934024757256}, language = {English}, urldate = {2021-11-17} } @online{42:20211117:matanbuchus:9e3556c, author = {Unit 42}, title = {{Tweet on Matanbuchus Loader used to deliver Qakbot (tag obama128b) and follow-up CobaltStrike}}, date = {2021-11-17}, organization = {Twitter (@Unit42_Intel)}, url = {https://twitter.com/Unit42_Intel/status/1461004489234829320}, language = {English}, urldate = {2021-11-25} } @online{42:20220203:russias:920c595, author = {Unit 42}, title = {{Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine}}, date = {2022-02-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/}, language = {English}, urldate = {2022-02-07} } @online{42:20220222:russiaukraine:63a2dfc, author = {Unit 42}, title = {{Russia-Ukraine Crisis: How to Protect Against the Cyber Impact}}, date = {2022-02-22}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/preparing-for-cyber-impact-russia-ukraine-crisis/}, language = {English}, urldate = {2022-03-02} } @online{42:20220224:sockdetour:c8b1500, author = {Unit 42}, title = {{SockDetour – a Silent, Fileless, Socketless Backdoor – Targets U.S. Defense Contractors}}, date = {2022-02-24}, organization = {paloalto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/sockdetour/}, language = {English}, urldate = {2022-03-10} } @online{42:20220225:spear:34925b2, author = {Unit 42}, title = {{Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot}}, date = {2022-02-25}, organization = {paloalto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/}, language = {English}, urldate = {2022-03-01} } @techreport{42:20220324:ransomware:5478011, author = {Unit 42}, title = {{Ransomware Threat Report 2022}}, date = {2022-03-24}, institution = {Palo Alto Networks Unit 42}, url = {https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/2022-unit42-ransomware-threat-report-final.pdf}, language = {English}, urldate = {2022-03-28} } @online{42:20220613:gallium:d89b0b2, author = {Unit 42}, title = {{GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool}}, date = {2022-06-13}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/pingpull-gallium/}, language = {English}, urldate = {2022-06-15} } @online{471:20200331:revil:0e5226a, author = {Intel 471}, title = {{REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation}}, date = {2020-03-31}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/}, language = {English}, urldate = {2020-04-01} } @online{471:20200414:understanding:ca95961, author = {Intel 471}, title = {{Understanding the relationship between Emotet, Ryuk and TrickBot}}, date = {2020-04-14}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/}, language = {English}, urldate = {2020-04-26} } @online{471:20200521:brief:048d164, author = {Intel 471}, title = {{A brief history of TA505}}, date = {2020-05-21}, organization = {Intel 471}, url = {https://intel471.com/blog/a-brief-history-of-ta505}, language = {English}, urldate = {2022-02-14} } @online{471:20200708:irans:0bc8398, author = {Intel 471}, title = {{Iran’s domestic espionage: Lessons from recent data leaks}}, date = {2020-07-08}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/07/08/irans-domestic-espionage-lessons-from-recent-data-leaks/}, language = {English}, urldate = {2020-07-11} } @online{471:20200715:flowspec:683a5a1, author = {Intel 471}, title = {{Flowspec – TA505’s bulletproof hoster of choice}}, date = {2020-07-15}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/07/15/flowspec-ta505s-bulletproof-hoster-of-choice/}, language = {English}, urldate = {2020-07-16} } @online{471:20200812:prioritizing:83e5896, author = {Intel 471}, title = {{Prioritizing “critical” vulnerabilities: A threat intelligence perspective}}, date = {2020-08-12}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/08/12/prioritizing-critical-vulnerabilities-a-threat-intelligence-perspective/}, language = {English}, urldate = {2020-08-14} } @online{471:20200916:partners:c65839f, author = {Intel 471}, title = {{Partners in crime: North Koreans and elite Russian-speaking cybercriminals}}, date = {2020-09-16}, organization = {Intel 471}, url = {https://public.intel471.com/blog/partners-in-crime-north-koreans-and-elite-russian-speaking-cybercriminals/}, language = {English}, urldate = {2020-09-23} } @online{471:20201015:that:2d4b495, author = {Intel 471}, title = {{That was quick: Trickbot is back after disruption attempts}}, date = {2020-10-15}, organization = {Intel 471}, url = {https://public.intel471.com/blog/trickbot-online-emotet-microsoft-cyber-command-disruption-attempts/}, language = {English}, urldate = {2020-10-15} } @online{471:20201020:global:570e26f, author = {Intel 471}, title = {{Global Trickbot disruption operation shows promise}}, date = {2020-10-20}, organization = {Intel 471}, url = {https://public.intel471.com/blog/global-trickbot-disruption-operation-shows-promise/}, language = {English}, urldate = {2020-10-21} } @online{471:20201028:alleged:46a2bb1, author = {Intel 471}, title = {{Alleged REvil member spills details on group’s ransomware operations}}, date = {2020-10-28}, organization = {Intel 471}, url = {https://public.intel471.com/blog/revil-ransomware-interview-russian-osint-100-million/}, language = {English}, urldate = {2020-11-02} } @online{471:20201110:trickbot:5db76db, author = {Intel 471}, title = {{Trickbot down, but is it out?}}, date = {2020-11-10}, organization = {Intel 471}, url = {https://public.intel471.com/blog/trickbot-update-november-2020-bazar-loader-microsoft/}, language = {English}, urldate = {2020-11-11} } @online{471:20201116:ransomwareasaservice:11a5a8b, author = {Intel 471}, title = {{Ransomware-as-a-service: The pandemic within a pandemic}}, date = {2020-11-16}, organization = {Intel 471}, url = {https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/}, language = {English}, urldate = {2020-11-17} } @online{471:20201123:heres:1435e96, author = {Intel 471}, title = {{Here’s what happens after a business gets hit with ransomware}}, date = {2020-11-23}, organization = {Intel 471}, url = {https://intel471.com/blog/how-to-recover-from-a-ransomware-attack/}, language = {English}, urldate = {2020-12-17} } @online{471:20201201:steal:db9aadd, author = {Intel 471}, title = {{Steal, then strike: Access merchants are first clues to future ransomware attacks}}, date = {2020-12-01}, organization = {Intel 471}, url = {https://intel471.com/blog/ransomware-attack-access-merchants-infostealer-escrow-service/}, language = {English}, urldate = {2020-12-17} } @online{471:20201210:no:9fd2ae1, author = {Intel 471}, title = {{No pandas, just people: The current state of China’s cybercrime underground}}, date = {2020-12-10}, organization = {Intel 471}, url = {https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/}, language = {English}, urldate = {2020-12-10} } @online{471:20201216:intel471s:f245d05, author = {Intel 471}, title = {{Intel471's full statement on their knowledge of SolarWinds and the cybercriminal underground}}, date = {2020-12-16}, organization = {Intel 471}, url = {https://twitter.com/Intel471Inc/status/1339233255741120513}, language = {English}, urldate = {2020-12-17} } @online{471:20201218:ta505s:8fb97af, author = {Intel 471}, title = {{TA505’s modified loader means new attack campaign could be coming}}, date = {2020-12-18}, organization = {Intel 471}, url = {https://intel471.com/blog/ta505-get2-loader-malware-december-2020/}, language = {English}, urldate = {2020-12-19} } @online{471:20210115:last:c976da0, author = {Intel 471}, title = {{Last Dash for Joker’s Stash: Carding forum may close in 30 days}}, date = {2021-01-15}, organization = {Intel 471}, url = {https://intel471.com/blog/jokers-stash-closed-february-2021/}, language = {English}, urldate = {2021-01-18} } @online{471:20210127:emotet:0a7344b, author = {Intel 471}, title = {{Emotet takedown is not like the Trickbot takedown}}, date = {2021-01-27}, organization = {Intel 471}, url = {https://intel471.com/blog/emotet-takedown-2021/}, language = {English}, urldate = {2021-01-29} } @online{471:20210217:egregor:6194a4b, author = {Intel 471}, title = {{Egregor operation takes huge hit after police raids}}, date = {2021-02-17}, organization = {Intel 471}, url = {https://intel471.com/blog/egregor-arrests-ukraine-sbu-maze-ransomware}, language = {English}, urldate = {2021-02-20} } @online{471:20210406:ettersilent:b591f59, author = {Intel 471}, title = {{EtterSilent: the underground’s new favorite maldoc builder}}, date = {2021-04-06}, organization = {Intel 471}, url = {https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/}, language = {English}, urldate = {2021-04-06} } @online{471:20210419:how:2cba4f2, author = {Intel 471}, title = {{How China’s cybercrime underground is making money off big data}}, date = {2021-04-19}, organization = {Intel 471}, url = {https://intel471.com/blog/china-cybercrime-big-data-privacy-laws/}, language = {English}, urldate = {2021-04-20} } @online{471:20210426:cybercriminal:a1f6da3, author = {Intel 471}, title = {{The cybercriminal underground hasn’t forgotten about financial services}}, date = {2021-04-26}, organization = {Intel 471}, url = {https://www.intel471.com/blog/financial-cybercrime-2021-jackpotting-atm-malware}, language = {English}, urldate = {2021-05-03} } @online{471:20210510:heres:ebc6e81, author = {Intel 471}, title = {{Here’s what we know about DarkSide ransomware}}, date = {2021-05-10}, organization = {Intel 471}, url = {https://www.intel471.com/blog/darkside-ransomware-colonial-pipeline-attack}, language = {English}, urldate = {2021-05-13} } @online{471:20210514:moral:83d138a, author = {Intel 471}, title = {{The moral underground? Ransomware operators retreat after Colonial Pipeline hack}}, date = {2021-05-14}, organization = {Intel 471}, url = {https://www.intel471.com/blog/darkside-ransomware-shut-down-revil-avaddon-cybercrime}, language = {English}, urldate = {2021-05-17} } @online{471:20210519:look:5ba9516, author = {Intel 471}, title = {{Look how many cybercriminals love Cobalt Strike}}, date = {2021-05-19}, organization = {Intel 471}, url = {https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor}, language = {English}, urldate = {2021-05-19} } @online{471:20210608:blurry:5b278e5, author = {Intel 471}, title = {{The blurry boundaries between nation-state actors and the cybercrime underground}}, date = {2021-06-08}, organization = {Intel 471}, url = {https://www.intel471.com/blog/cybercrime-russia-china-iran-nation-state}, language = {English}, urldate = {2021-06-16} } @online{471:20210714:how:0cf4b03, author = {Intel 471}, title = {{How cybercriminals create turbulence for the transportation industry}}, date = {2021-07-14}, organization = {Intel 471}, url = {https://intel471.com/blog/how-cybercriminals-create-turbulence-for-the-transportation-industry}, language = {English}, urldate = {2021-07-29} } @online{471:20210823:heres:49f1424, author = {Intel 471}, title = {{Here's how to guard your enterprise against ShinyHunters}}, date = {2021-08-23}, organization = {Intel 471}, url = {https://intel471.com/blog/shinyhunters-data-breach-mitre-attack}, language = {English}, urldate = {2021-08-25} } @online{471:20211020:cybercriminals:494dd97, author = {Intel 471}, title = {{Cybercriminals cash in on black market vaccine schemes}}, date = {2021-10-20}, organization = {Intel 471}, url = {https://intel471.com/blog/fake-covid-vaccination-cards-cybercrime}, language = {English}, urldate = {2021-11-03} } @online{471:20211102:cybercrime:4d53035, author = {Intel 471}, title = {{Cybercrime underground flush with shipping companies’ credentials}}, date = {2021-11-02}, organization = {Intel 471}, url = {https://intel471.com/blog/shipping-companies-ransomware-credentials}, language = {English}, urldate = {2021-11-03} } @online{471:20211116:how:dfdf383, author = {Intel 471}, title = {{How cryptomixers allow cybercriminals to clean their ransoms}}, date = {2021-11-16}, organization = {Intel 471}, url = {https://intel471.com/blog/cryptomixers-ransomware}, language = {English}, urldate = {2021-11-18} } @online{471:20220208:privateloader:5e226cd, author = {Intel 471}, title = {{PrivateLoader: The first step in many malware schemes}}, date = {2022-02-08}, organization = {Intel 471}, url = {https://intel471.com/blog/privateloader-malware}, language = {English}, urldate = {2022-05-09} } @online{471:20220215:how:c105692, author = {Intel 471}, title = {{How the Russia-Ukraine conflict is impacting cybercrime}}, date = {2022-02-15}, organization = {Intel 471}, url = {https://intel471.com/blog/russia-ukraine-conflict-cybercrime-underground}, language = {English}, urldate = {2022-02-17} } @online{471:20220323:conti:694f144, author = {Intel 471}, title = {{Conti puts the ‘organized’ in organized crime}}, date = {2022-03-23}, organization = {Intel 471}, url = {https://intel471.com/blog/conti-leaks-cybercrime-fire-team}, language = {English}, urldate = {2022-03-23} } @online{471:20220405:move:d589859, author = {Intel 471}, title = {{Move fast and commit crimes: Conti’s development teams mirror corporate tech}}, date = {2022-04-05}, organization = {Intel 471}, url = {https://intel471.com/blog/conti-leaks-ransomware-development}, language = {English}, urldate = {2022-04-07} } @online{471:20220426:conti:6bcff7d, author = {Intel 471}, title = {{Conti and Emotet: A constantly destructive duo}}, date = {2022-04-26}, organization = {Intel 471}, url = {https://intel471.com/blog/conti-emotet-ransomware-conti-leaks}, language = {English}, urldate = {2022-04-29} } @online{471:20220505:cybercrime:f091e4f, author = {Intel 471}, title = {{Cybercrime loves company: Conti cooperated with other ransomware gangs}}, date = {2022-05-05}, organization = {Intel 471}, url = {https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker}, language = {English}, urldate = {2022-05-05} } @online{471:20220512:what:05369d4, author = {Intel 471}, title = {{What malware to look for if you want to prevent a ransomware attack}}, date = {2022-05-12}, organization = {Intel 471}, url = {https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike}, language = {English}, urldate = {2022-05-13} } @online{4rchibld:20210227:nice:e7960f8, author = {4rchibld}, title = {{Nice to meet you, too. My name is Ryuk.}}, date = {2021-02-27}, organization = {4rchibld}, url = {https://4rchib4ld.github.io/blog/NiceToMeetYouRyuk/}, language = {English}, urldate = {2021-05-11} } @online{4rchibld:20210405:cruloader:b04f4b6, author = {4rchibld}, title = {{CruLoader Analysis}}, date = {2021-04-05}, organization = {4rchibld}, url = {https://4rchib4ld.github.io/malwareanalysis/CruLoader/}, language = {English}, urldate = {2021-05-11} } @online{4rchibld:20210411:icedid:4135c21, author = {4rchibld}, title = {{IcedID on my neck I’m the coolest}}, date = {2021-04-11}, organization = {4rchibld}, url = {https://4rchib4ld.github.io/blog/IcedIDOnMyNeckImTheCoolest/}, language = {English}, urldate = {2021-05-11} } @online{51ddh4r7h4:20180820:advanced:9eb6e5c, author = {51ddh4r7h4}, title = {{Advanced Brazilian Malware Analysis}}, date = {2018-08-20}, organization = {ReversingMinds' Blog}, url = {http://reversingminds-blog.logdown.com/posts/7807545-analysis-of-advanced-brazilian-banker-malware}, language = {English}, urldate = {2020-01-13} } @online{5loyd:20171103:trochilus:964b44c, author = {5loyd}, title = {{Trochilus}}, date = {2017-11-03}, organization = {Github (5loyd)}, url = {https://github.com/5loyd/trochilus/}, language = {English}, urldate = {2020-01-08} } @online{773:20220412:tween:9f9a70c, author = {Section 773}, title = {{Tween on Lapsus$ (UNC3661) Attack chain of compromise via Sitel (Okta subprocessor)'s systems}}, date = {2022-04-12}, organization = {Twitter (@apt773)}, url = {https://twitter.com/apt773/status/1513909922643476485}, language = {English}, urldate = {2022-04-15} } @online{80vul:20210426:hunting:e8be278, author = {Twitter (@80vul)}, title = {{Hunting Cobalt Strike DNS redirectors by using ZoomEye}}, date = {2021-04-26}, organization = {getrevue}, url = {https://www.getrevue.co/profile/80vul/issues/hunting-cobalt-strike-dns-redirectors-by-using-zoomeye-580734}, language = {English}, urldate = {2021-04-29} } @online{8thgreyowl:20210205:calmthorn:8397a05, author = {8thGreyOwl}, title = {{Tweet on CALMTHORN, used by Tonto Team}}, date = {2021-02-05}, organization = {Twitter (@8th_grey_owl)}, url = {https://twitter.com/8th_grey_owl/status/1357550261963689985}, language = {English}, urldate = {2021-02-09} } @online{8thgreyowl:20220113:selfmake:b0e52ab, author = {8thGreyOwl}, title = {{Tweet on SelfMake Loader}}, date = {2022-01-13}, organization = {Twitter (@8th_grey_owl)}, url = {https://twitter.com/8th_grey_owl/status/1481433481485844483}, language = {English}, urldate = {2022-01-19} } @online{9b:20180627:latest:5770e87, author = {9b}, title = {{Latest observed JS payload used for APT32 profiling}}, date = {2018-06-27}, organization = {Github (9b)}, url = {https://gist.github.com/9b/141a5c7ab8b4280901722e2cd931b7ef}, language = {English}, urldate = {2020-01-09} } @online{:2010:trojandownloaderw32chyminea:30597d8, author = {_}, title = {{Trojan-Downloader:W32/Chymine.A}}, date = {2010}, organization = {F-Secure}, url = {https://www.f-secure.com/v-descs/trojan-downloader_w32_chymine_a.shtml}, language = {English}, urldate = {2019-09-22} } @online{:20130203:forum:e9bf784, author = {小男孩}, title = {{Forum Post: GetPwd_K8 one-click to get the plain text password of the system login user based on French ...}}, date = {2013-02-03}, url = {https://ihonker.org/thread-1504-1-1.html}, language = {Chinese}, urldate = {2020-01-23} } @online{:20131217:bebloh:dcd1f5f, author = {}, title = {{Bebloh – a well-known banking Trojan with noteworthy innovations}}, date = {2013-12-17}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/2013/12/23978-bebloh-a-well-known-banking-trojan-with-noteworthy-innovations}, language = {English}, urldate = {2019-10-28} } @online{:20141022:cryakl:aaecc86, author = {Артём Семенченко and Федор Синицын and Татьяна Куликова}, title = {{Шифровальщик Cryakl или Фантомас разбушевался}}, date = {2014-10-22}, organization = {Kaspersky Labs}, url = {https://securelist.ru/shifrovalshhik-cryakl-ili-fantomas-razbushevalsya/24070/}, language = {Russian}, urldate = {2019-12-16} } @techreport{:20170225:silent:5a11e12, author = {Kyoung-Ju Kwak (郭炅周)}, title = {{Silent RIFLE: Response Against Advanced Threat}}, date = {2017-02-25}, institution = {Financial Security Institute}, url = {https://hackcon.org/uploads/327/05%20-%20Kwak.pdf}, language = {English}, urldate = {2020-03-04} } @online{:20180602:hidden:674cfb9, author = {安全豹}, title = {{"Hidden Bee" strikes: Kingsoft Internet Security intercepts the world's first bootkit-level mining botnet (Part 1)}}, date = {2018-06-02}, organization = {Freebuf}, url = {https://www.freebuf.com/column/174581.html}, language = {Chinese}, urldate = {2020-01-13} } @online{:20180726:analysis:66722b6, author = {奇安信威胁情报中心 | 事件追踪}, title = {{Analysis of the latest attack activities of APT-C-35}}, date = {2018-07-26}, url = {https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/}, language = {Chinese}, urldate = {2020-01-08} } @online{:20181005:post:4890d7d, author = {_}, title = {{Post 0x17.2: Analyzing Turla’s Keylogger}}, date = {2018-10-05}, url = {https://0ffset.wordpress.com/2018/10/05/post-0x17-2-turla-keylogger/}, language = {English}, urldate = {2019-07-27} } @online{:20181225:bittertapt17:faf6bde, author = {腾讯电脑管家}, title = {{BITTER/T-APT-17 reports on the latest attacks on sensitive agencies such as military, nuclear, and government agencies in China}}, date = {2018-12-25}, organization = {Tencent}, url = {https://www.freebuf.com/articles/database/192726.html}, language = {Chinese}, urldate = {2020-03-02} } @online{:20190124:excel:2dd401c, author = {事件追踪}, title = {{Excel 4.0 Macro Utilized by TA505 to Target Financial Institutions Recently}}, date = {2019-01-24}, organization = {奇安信威胁情报中心}, url = {https://ti.360.net/blog/articles/excel-4.0-macro-utilized-by-ta505-to-target-financial-institutions-recently-en/}, language = {English}, urldate = {2019-12-02} } @online{:20190214:suspected:25adc45, author = {奇安信威胁情报中心}, title = {{Suspected Molerats New Attack in the Middle East}}, date = {2019-02-14}, organization = {360.cn}, url = {https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east/}, language = {Chinese}, urldate = {2019-10-12} } @online{:20190214:suspected:5df65f1, author = {事件追踪}, title = {{Suspected Molerats' New Attack in the Middle East}}, date = {2019-02-14}, organization = {奇安信威胁情报中心}, url = {https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east-en/}, language = {English}, urldate = {2020-01-07} } @online{:20190306:taidoor:651efa6, author = {NTT セキュリティ and ジャパン株式会社}, title = {{Taidoor を用いた標的型攻撃}}, date = {2019-03-06}, organization = {Unit CANARY}, url = {https://www.nttsecurity.com/docs/librariesprovider3/resources/taidoor%E3%82%92%E7%94%A8%E3%81%84%E3%81%9F%E6%A8%99%E7%9A%84%E5%9E%8B%E6%94%BB%E6%92%83%E8%A7%A3%E6%9E%90%E3%83%AC%E3%83%9D%E3%83%BC%E3%83%88_v1}, language = {English}, urldate = {2020-01-13} } @online{:20190319:aptc27:6ab4857, author = {奇安信威胁情报中心}, title = {{APT-C-27 (Goldmouse): Suspected Target Attack against the Middle East with WinRAR Exploit}}, date = {2019-03-19}, url = {https://ti.360.net/blog/articles/apt-c-27-(goldmouse):-suspected-target-attack-against-the-middle-east-with-winrar-exploit-en/}, language = {English}, urldate = {2019-10-26} } @online{:20190813::eae3d10, author = {奇安信威胁情报中心}, title = {{洞察人性:一起利用政治人物桃色丑闻的诱饵攻击活动披露}}, date = {2019-08-13}, url = {https://wemp.app/posts/80ab2b2d-4e0e-4960-94b7-4d452a06fd38?utm_source=latest-posts}, language = {Chinese}, urldate = {2020-01-13} } @online{:20200723::adadd32, author = {AhnLab ASEC 분석팀}, title = {{국내 인터넷 커뮤니티 사이트에서 악성코드 유포 (유틸리티 위장)}}, date = {2020-07-23}, organization = {AhnLab}, url = {https://asec.ahnlab.com/1360}, language = {Korean}, urldate = {2020-07-30} } @online{:20200816:wastedlocker:4210f22, author = {谷川哲司}, title = {{WastedLocker IoC collection}}, date = {2020-08-16}, organization = {Hatena Blog}, url = {https://ioc.hatenablog.com/entry/2020/08/16/132853}, language = {Japanese}, urldate = {2020-10-02} } @online{:20200819:njrat:a8e3234, author = {AhnLab ASEC 분석팀}, title = {{국내 유명 웹하드를 통해 유포되는 njRAT 악성코드}}, date = {2020-08-19}, organization = {AhnLab}, url = {https://asec.ahnlab.com/1369}, language = {Korean}, urldate = {2020-08-25} } @online{:20210127:emotet:abc27db, author = {Національна поліція України}, title = {{Кіберполіція викрила транснаціональне угруповання хакерів у розповсюдженні вірусу EMOTET}}, date = {2021-01-27}, organization = {Youtube (Національна поліція України)}, url = {https://www.youtube.com/watch?v=_BLOmClsSpc}, language = {Ukrainian}, urldate = {2021-01-27} } @techreport{:20210521:research:1e23090, author = {Ростелеком-Солар and НКЦКИ - Главная}, title = {{Research report of the series of attacks on the state authorities of the Russian Federation}}, date = {2021-05-21}, institution = {}, url = {https://rt-solar.ru/upload/iblock/b55/Ataki-na-FOIV_otchet-NKTSKI-i-Rostelekom_Solar_otkrytyy.pdf}, language = {Russian}, urldate = {2021-06-21} } @online{:20210616:clop:28caf8c, author = {Національна поліція України}, title = {{Кіберполіція викрила хакерське угруповання у розповсюдженні вірусу-шифрувальника (Clop operators)}}, date = {2021-06-16}, organization = {Youtube (Національна поліція України)}, url = {https://www.youtube.com/watch?v=PqGaZgepNTE}, language = {Ukrainian}, urldate = {2021-06-21} } @online{:20210616:cyberpolice:f455d86, author = {Національна поліція України}, title = {{Cyberpolice exposes hacker group in spreading encryption virus and causing half a billion dollars in damage to foreign companies}}, date = {2021-06-16}, organization = {Національної поліції України}, url = {https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/}, language = {Ukrainian}, urldate = {2021-06-21} } @online{:20210618:atomic:d62e18f, author = {손덕호 기자 and Son Deok-ho}, title = {{The Atomic Energy Research Institute has been breached by a North Korean hacker organization Kimsuky}}, date = {2021-06-18}, organization = {Chosun Biz}, url = {https://biz.chosun.com/policy/politics/2021/06/18/V4DTFCEXPRA4DFCBVVJO3DPR5I/}, language = {Korean}, urldate = {2021-06-22} } @online{:20210906:operation:3e2fd42, author = {猎影实验室}, title = {{假面行动(Operation MaskFace)-疑似针对境外银行的利用问卷调查为主题的钓鱼攻击事件分析}}, date = {2021-09-06}, organization = {dbappsecurity}, url = {https://ti.dbappsecurity.com.cn/blog/articles/2021/09/06/operation-maskface/}, language = {Chinese}, urldate = {2021-10-24} } @online{:20211025:ukrainian:8b0814a, author = {Національна поліція України}, title = {{Ukrainian law enforcement officers blocked the activities of members of an international transnational hacker group}}, date = {2021-10-25}, organization = {Національної поліції України}, url = {https://www.npu.gov.ua/news/kiberzlochini/ukrajinski-pravooxoronczi-blokuvali-diyalnist-chleniv-mizhnarodnogo-transnaczionalnogo-xakerskogo-ugrupovannya/}, language = {Ukrainian}, urldate = {2021-11-03} } @online{:20211029:cyberpolice:fc43b20, author = {Національна поліція України}, title = {{Cyberpolice exposes transnational criminal group in causing $ 120 million in damage to foreign companies}}, date = {2021-10-29}, organization = {Національна поліція України}, url = {https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/}, language = {Ukrainian}, urldate = {2021-11-02} } @online{a:2016:cyber:140f384, author = {Monnappa K A}, title = {{CYBER ATTACK IMPERSONATING IDENTITY OF INDIAN THINK TANK TO TARGET CENTRAL BUREAU OF INVESTIGATION (CBI) AND POSSIBLY INDIAN ARMY OFFICIALS}}, date = {2016}, organization = {Cysinfo}, url = {https://cysinfo.com/cyber-attack-targeting-cbi-and-possibly-indian-army-officials}, language = {English}, urldate = {2020-01-07} } @online{a:20180910:turla:c92b687, author = {Monnappa K A}, title = {{turla gazer backdoor code injection & winlogon shell persistence}}, date = {2018-09-10}, organization = {Youtube ( Monnappa K A)}, url = {https://www.youtube.com/watch?v=Pvzhtjl86wc}, language = {English}, urldate = {2020-01-13} } @online{a:20190513:chacha:840508a, author = {Amigo A}, title = {{ChaCha Ransomware}}, date = {2019-05-13}, url = {https://id-ransomware.blogspot.com/2019/05/chacha-ransomware.html}, language = {Russian}, urldate = {2019-12-02} } @online{a:20200411:rhino:c3d7b04, author = {Amigo A}, title = {{Rhino Ransomware}}, date = {2020-04-11}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/04/rhino-ransomware.html}, language = {Russian}, urldate = {2020-05-18} } @online{a:20201016:geofenced:8c31198, author = {Cassandra A. and Proofpoint Threat Research Team}, title = {{Geofenced Amazon Japan Credential Phishing Volumes Rival Emotet}}, date = {2020-10-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/geofenced-amazon-japan-credential-phishing-volumes-rival-emotet}, language = {English}, urldate = {2020-10-23} } @online{a:20211216:mrac:d625fc1, author = {Amigo A}, title = {{MRAC Ransomware}}, date = {2021-12-16}, url = {https://id-ransomware.blogspot.com/2021/12/mrac-ransomware.html}, language = {Russian}, urldate = {2022-02-01} } @online{abbasi:20180716:danabot:08d5942, author = {Fahim Abbasi}, title = {{DanaBot Riding Fake MYOB Invoice Emails}}, date = {2018-07-16}, organization = {SpiderLabs Blog}, url = {https://www.trustwave.com/Resources/SpiderLabs-Blog/DanaBot-Riding-Fake-MYOB-Invoice-Emails/}, language = {English}, urldate = {2020-01-10} } @online{abbati:20161108:analysis:374eea4, author = {Amaud Abbati}, title = {{Analysis of IOS.GUIINJECT Adware Library}}, date = {2016-11-08}, organization = {SentinelOne}, url = {https://sentinelone.com/blogs/analysis-ios-guiinject-adware-library/}, language = {English}, urldate = {2020-01-08} } @online{abbati:20170823:cs:1ecb9bb, author = {Arnaud Abbati}, title = {{CS: Go Hacks for Mac – OSX.Pwnet.A}}, date = {2017-08-23}, organization = {SentinelOne}, url = {https://sentinelone.com/blog/osx-pwnet-a-csgo-hack-and-sneaky-miner/}, language = {English}, urldate = {2019-08-07} } @online{abbati:20171128:osxcpumeaner:23f69f0, author = {Arnaud Abbati}, title = {{OSX.CPUMEANER: New Cryptocurrency Mining Trojan Targets MacOS}}, date = {2017-11-28}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/osx-cpumeaner-miner-trojan-software-pirates/}, language = {English}, urldate = {2019-12-05} } @online{abdo:20210225:so:88f3400, author = {Bryce Abdo and Brendan McKeague and Van Ta}, title = {{So Unchill: Melting UNC2198 ICEDID to Ransomware Operations}}, date = {2021-02-25}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html}, language = {English}, urldate = {2021-03-02} } @online{abdo:20220404:fin7:305d62b, author = {Bryce Abdo and Zander Work and Ioana Teaca and Brendan McKeague}, title = {{FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7}}, date = {2022-04-04}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/evolution-of-fin7}, language = {English}, urldate = {2022-06-27} } @online{abdulrhman:20220617:unpacking:50af663, author = {Motawkkel Abdulrhman}, title = {{Unpacking Kovter malware}}, date = {2022-06-17}, organization = {Github (0xchrollo)}, url = {https://0xchrollo.github.io/articles/unpacking-kovter-malware/}, language = {English}, urldate = {2022-06-27} } @online{abel:20180720:malware:62e1c9e, author = {Robert Abel}, title = {{Malware author ‘Anarchy’ builds 18,000-strong Huawei router botnet}}, date = {2018-07-20}, url = {https://www.scmagazine.com/malware-author-anarchy-builds-18000-strong-huawei-router-botnet/article/782395/}, language = {English}, urldate = {2019-11-27} } @online{aboud:20220311:indepth:7f4eb47, author = {Marah Aboud and Janet Jose and Hansika Saxena}, title = {{In-depth Technical Analysis of Colibri Loader Malware}}, date = {2022-03-11}, organization = {Cloudsek}, url = {https://cloudsek.com/in-depth-technical-analysis-of-colibri-loader-malware/}, language = {English}, urldate = {2022-03-14} } @online{abrams:20160214:padcrypt:626523d, author = {Lawrence Abrams}, title = {{PadCrypt: The first ransomware with Live Support Chat and an Uninstaller}}, date = {2016-02-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/padcrypt-the-first-ransomware-with-live-support-chat-and-an-uninstaller/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20160408:cryptohost:d0f5780, author = {Lawrence Abrams}, title = {{CryptoHost Decrypted: Locks files in a password protected RAR File}}, date = {2016-04-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/cryptohost-decrypted-locks-files-in-a-password-protected-rar-file/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20160722:stampado:207584f, author = {Lawrence Abrams}, title = {{Stampado Ransomware campaign decrypted before it Started}}, date = {2016-07-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/stampado-ransomware-campaign-decrypted-before-it-started/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20160908:philadelphia:18b2e18, author = {Lawrence Abrams}, title = {{The Philadelphia Ransomware offers a Mercy Button for Compassionate Criminals}}, date = {2016-09-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20160928:introducing:f09b941, author = {Lawrence Abrams}, title = {{Introducing Her Royal Highness, the Princess Locker Ransomware}}, date = {2016-09-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/introducing-her-royal-highness-the-princess-locker-ransomware/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20160930:hacked:760d56c, author = {Lawrence Abrams}, title = {{Hacked Steam accounts spreading Remote Access Trojan}}, date = {2016-09-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hacked-steam-accounts-spreading-remote-access-trojan/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20161027:indev:79b8937, author = {Lawrence Abrams}, title = {{In-Dev Ransomware forces you do to Survey before unlocking Computer}}, date = {2016-10-27}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20161115:cryptoluck:19599ea, author = {Lawrence Abrams}, title = {{CryptoLuck Ransomware being Malvertised via RIG-E Exploit Kits}}, date = {2016-11-15}, organization = {Bleeping Computer}, url = {http://www.bleepingcomputer.com/news/security/cryptoluck-ransomware-being-malvertised-via-rig-e-exploit-kits/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20170119:new:b020afc, author = {Lawrence Abrams}, title = {{New Satan Ransomware available through a Ransomware as a Service.}}, date = {2017-01-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20170207:erebus:2328bb9, author = {Lawrence Abrams}, title = {{Erebus Ransomware Utilizes a UAC Bypass and Request a $90 Ransom Payment}}, date = {2017-02-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/erebus-ransomware-utilizes-a-uac-bypass-and-request-a-90-ransom-payment/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20170315:revenge:b047d2f, author = {Lawrence Abrams}, title = {{Revenge Ransomware, a CryptoMix Variant, Being Distributed by RIG Exploit Kit}}, date = {2017-03-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distributed-by-rig-exploit-kit/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20170816:locky:7445bd0, author = {Lawrence Abrams}, title = {{Locky Ransomware switches to the Lukitus extension for Encrypted Files}}, date = {2017-08-16}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-the-lukitus-extension-for-encrypted-files/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20170816:synccrypt:c8d0c48, author = {Lawrence Abrams}, title = {{SyncCrypt Ransomware Hides Inside JPG Files, Appends .KK Extension}}, date = {2017-08-16}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/synccrypt-ransomware-hides-inside-jpg-files-appends-kk-extension/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20170825:new:a2d73b9, author = {Lawrence Abrams}, title = {{New Arena Crysis Ransomware Variant Released}}, date = {2017-08-25}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20170828:new:4c237c7, author = {Lawrence Abrams}, title = {{New Nuclear BTCWare Ransomware Released (Updated)}}, date = {2017-08-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-nuclear-btcware-ransomware-released-updated/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20171031:oni:b366161, author = {Lawrence Abrams}, title = {{ONI Ransomware Used in Month-Long Attacks Against Japanese Companies}}, date = {2017-10-31}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/oni-ransomware-used-in-month-long-attacks-against-japanese-companies/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20171213:work:d439b4b, author = {Lawrence Abrams}, title = {{WORK Cryptomix Ransomware Variant Released}}, date = {2017-12-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20171222:new:eadbe96, author = {Lawrence Abrams}, title = {{New .DOC GlobeImposter Ransomware Variant Malspam Campaign Underway}}, date = {2017-12-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-doc-globeimposter-ransomware-variant-malspam-campaign-underway/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180121:evrial:5df289b, author = {Lawrence Abrams}, title = {{Evrial Trojan Switches Bitcoin Addresses Copied to Windows Clipboard}}, date = {2018-01-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/evrial-trojan-switches-bitcoin-addresses-copied-to-windows-clipboard/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180126:velso:4b06608, author = {Lawrence Abrams}, title = {{The Velso Ransomware Being Manually Installed by Attackers}}, date = {2018-01-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/the-velso-ransomware-being-manually-installed-by-attackers/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180129:gandcrab:9e003f9, author = {Lawrence Abrams}, title = {{GandCrab Ransomware Distributed by Exploit Kits, Appends GDCB Extension}}, date = {2018-01-29}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180208:gandcrab:40fb494, author = {Lawrence Abrams}, title = {{GandCrab Ransomware Being Distributed Via Malspam Disguised as Receipts}}, date = {2018-02-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180209:black:85fdc3c, author = {Lawrence Abrams}, title = {{Black Ruby Ransomware Skips Victims in Iran and Adds a Miner for Good Measure}}, date = {2018-02-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/black-ruby-ransomware-skips-victims-in-iran-and-adds-a-miner-for-good-measure/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180209:dexcrypt:a7d1f62, author = {Lawrence Abrams}, title = {{DexCrypt MBRLocker Demands 30 Yuan To Gain Access to Computer}}, date = {2018-02-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/dexcrypt-mbrlocker-demands-30-yuan-to-gain-access-to-computer/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180226:thanatos:546a986, author = {Lawrence Abrams}, title = {{Thanatos Ransomware Is First to Use Bitcoin Cash. Messes Up Encryption}}, date = {2018-02-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/thanatos-ransomware-is-first-to-use-bitcoin-cash-messes-up-encryption/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180323:avcrypt:edb1b07, author = {Lawrence Abrams}, title = {{The AVCrypt Ransomware Tries To Uninstall Your AV Software}}, date = {2018-03-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/the-avcrypt-ransomware-tries-to-uninstall-your-av-software/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180514:stalinlocker:5c9f91e, author = {Lawrence Abrams}, title = {{StalinLocker Deletes Your Files Unless You Enter the Right Code}}, date = {2018-05-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/stalinlocker-deletes-your-files-unless-you-enter-the-right-code/}, language = {English}, urldate = {2020-03-02} } @online{abrams:20180626:thanatos:bbe20fc, author = {Lawrence Abrams}, title = {{Thanatos Ransomware Decryptor Released by the Cisco Talos Group}}, date = {2018-06-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/thanatos-ransomware-decryptor-released-by-the-cisco-talos-group/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180912:feedify:7beba8a, author = {Lawrence Abrams}, title = {{Feedify Hacked with Magecart Information Stealing Script}}, date = {2018-09-12}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/feedify-hacked-with-magecart-information-stealing-script/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180914:kraken:643744c, author = {Lawrence Abrams}, title = {{Kraken Cryptor Ransomware Masquerading as SuperAntiSpyware Security Program}}, date = {2018-09-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/kraken-cryptor-ransomware-masquerading-as-superantispyware-security-program/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20181001:roaming:3a9e1c5, author = {Lawrence Abrams}, title = {{Roaming Mantis Group Testing Coinhive Miner Redirects on iPhones}}, date = {2018-10-01}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/roaming-mantis-group-testing-coinhive-miner-redirects-on-iphones/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20181113:hookads:ef89e4e, author = {Lawrence Abrams}, title = {{HookAds Malvertising Installing Malware via the Fallout Exploit Kit}}, date = {2018-11-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hookads-malvertising-installing-malware-via-the-fallout-exploit-kit/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20181119:visiondirect:6c2560e, author = {Lawrence Abrams}, title = {{VisionDirect Data Breach Caused by MageCart Attack}}, date = {2018-11-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/visiondirect-data-breach-caused-by-magecart-attack/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20190104:how:8932d09, author = {Lawrence Abrams}, title = {{How to Decrypt the Aurora Ransomware with AuroraDecrypter}}, date = {2019-01-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/ransomware/decryptor/how-to-decrypt-the-aurora-ransomware-with-auroradecrypter/}, language = {English}, urldate = {2019-12-17} } @online{abrams:20190115:djvu:a8b1d06, author = {Lawrence Abrams}, title = {{Djvu Ransomware Spreading New .TRO Variant Through Cracks & Adware Bundles}}, date = {2019-01-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/djvu-ransomware-spreading-new-tro-variant-through-cracks-and-adware-bundles/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20190117:blackrouter:2e83ebf, author = {Lawrence Abrams}, title = {{BlackRouter Ransomware Promoted as a RaaS by Iranian Developer}}, date = {2019-01-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/blackrouter-ransomware-promoted-as-a-raas-by-iranian-developer/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20190305:cryptomix:33e7eac, author = {Lawrence Abrams}, title = {{CryptoMix Clop Ransomware Says It's Targeting Networks, Not Computers}}, date = {2019-03-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/cryptomix-clop-ransomware-says-its-targeting-networks-not-computers/}, language = {English}, urldate = {2020-01-13} } @online{abrams:20190426:closer:ba13483, author = {Lawrence Abrams}, title = {{A Closer Look at the RobbinHood Ransomware}}, date = {2019-04-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/a-closer-look-at-the-robbinhood-ransomware/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20190601:gandcrab:cb581e3, author = {Lawrence Abrams}, title = {{GandCrab Ransomware Shutting Down After Claiming to Earn $2 Billion}}, date = {2019-06-01}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-shutting-down-after-claiming-to-earn-25-billion/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20190613:pylocky:15be611, author = {Lawrence Abrams}, title = {{pyLocky Decryptor Released by French Authorities}}, date = {2019-06-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/pylocky-decryptor-released-by-french-authorities/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20190719:elusive:153c1b0, author = {Lawrence Abrams}, title = {{Elusive MegaCortex Ransomware Found - Here is What We Know}}, date = {2019-07-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/elusive-megacortex-ransomware-found-here-is-what-we-know/}, language = {English}, urldate = {2020-01-15} } @online{abrams:20190906:lilocked:4042feb, author = {Lawrence Abrams}, title = {{Lilocked Ransomware Actively Targeting Servers and Web Sites}}, date = {2019-09-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/lilocked-ransomware-actively-targeting-servers-and-web-sites/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20190911:ryuk:8a18715, author = {Lawrence Abrams}, title = {{Ryuk Related Malware Steals Confidential Military, Financial Files}}, date = {2019-09-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-related-malware-steals-confidential-military-financial-files/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20190917:tflower:31c9072, author = {Lawrence Abrams}, title = {{TFlower Ransomware - The Latest Attack Targeting Businesses}}, date = {2019-09-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/tflower-ransomware-the-latest-attack-targeting-businesses/}, language = {English}, urldate = {2019-10-15} } @online{abrams:20191010:nemty:319e3b7, author = {Lawrence Abrams}, title = {{Nemty Ransomware Decryptor Released, Recover Files for Free}}, date = {2019-10-10}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/nemty-ransomware-decryptor-released-recover-files-for-free/}, language = {English}, urldate = {2020-01-09} } @online{abrams:20191025:new:f7feebd, author = {Lawrence Abrams}, title = {{New FuxSocy Ransomware Impersonates the Notorious Cerber}}, date = {2019-10-25}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-fuxsocy-ransomware-impersonates-the-notorious-cerber/}, language = {English}, urldate = {2020-01-13} } @online{abrams:20191105:new:14b4aaf, author = {Lawrence Abrams}, title = {{New Megacortex Ransomware Changes Windows Passwords, Threatens to Publish Data}}, date = {2019-11-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-megacortex-ransomware-changes-windows-passwords-threatens-to-publish-data/}, language = {English}, urldate = {2020-01-07} } @online{abrams:20191121:allied:a3d69d7, author = {Lawrence Abrams}, title = {{Allied Universal Breached by Maze Ransomware, Stolen Data Leaked}}, date = {2019-11-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/allied-universal-breached-by-maze-ransomware-stolen-data-leaked/}, language = {English}, urldate = {2020-01-08} } @online{abrams:20191202:facebook:5630b4e, author = {Lawrence Abrams}, title = {{Facebook Ads Manager Targeted by New Info-Stealing Trojan}}, date = {2019-12-02}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/facebook-ads-manager-targeted-by-new-info-stealing-trojan/}, language = {English}, urldate = {2020-02-26} } @online{abrams:20191211:maze:acb23da, author = {Lawrence Abrams}, title = {{Maze Ransomware Behind Pensacola Cyberattack, $1M Ransom Demand}}, date = {2019-12-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-behind-pensacola-cyberattack-1m-ransom-demand/}, language = {English}, urldate = {2020-01-09} } @online{abrams:20191212:another:77246f4, author = {Lawrence Abrams}, title = {{Another Ransomware Will Now Publish Victims' Data If Not Paid}}, date = {2019-12-12}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/another-ransomware-will-now-publish-victims-data-if-not-paid/}, language = {English}, urldate = {2020-01-05} } @online{abrams:20191215:ryuk:74f6eab, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Likely Behind New Orleans Cyberattack}}, date = {2019-12-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-likely-behind-new-orleans-cyberattack/}, language = {English}, urldate = {2020-01-13} } @online{abrams:20191223:fbi:7c11cf8, author = {Lawrence Abrams}, title = {{FBI Issues Alert For LockerGoga and MegaCortex Ransomware}}, date = {2019-12-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/}, language = {English}, urldate = {2020-01-08} } @online{abrams:20191224:maze:33a4e28, author = {Lawrence Abrams}, title = {{Maze Ransomware Releases Files Stolen from City of Pensacola}}, date = {2019-12-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-releases-files-stolen-from-city-of-pensacola/}, language = {English}, urldate = {2020-02-13} } @online{abrams:20191226:ryuk:acc2284, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Stops Encrypting Linux Folders}}, date = {2019-12-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-stops-encrypting-linux-folders/}, language = {English}, urldate = {2020-01-08} } @online{abrams:20200108:snake:aaf992f, author = {Lawrence Abrams}, title = {{SNAKE Ransomware Is the Next Threat Targeting Business Networks}}, date = {2020-01-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/snake-ransomware-is-the-next-threat-targeting-business-networks/}, language = {English}, urldate = {2020-01-12} } @online{abrams:20200109:sodinokibi:c0204cc, author = {Lawrence Abrams}, title = {{Sodinokibi Ransomware Says Travelex Will Pay, One Way or Another}}, date = {2020-01-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-says-travelex-will-pay-one-way-or-another/}, language = {English}, urldate = {2020-01-13} } @online{abrams:20200111:sodinokibi:8fe0ebe, author = {Lawrence Abrams}, title = {{Sodinokibi Ransomware Publishes Stolen Data for the First Time}}, date = {2020-01-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-publishes-stolen-data-for-the-first-time/}, language = {English}, urldate = {2020-01-20} } @online{abrams:20200114:ryuk:b2e47fa, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices}}, date = {2020-01-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/}, language = {English}, urldate = {2020-01-15} } @online{abrams:20200114:united:a309baa, author = {Lawrence Abrams}, title = {{United Nations Targeted With Emotet Malware Phishing Attack}}, date = {2020-01-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/united-nations-targeted-with-emotet-malware-phishing-attack/}, language = {English}, urldate = {2020-01-20} } @online{abrams:20200116:trickbot:ed6fdb3, author = {Lawrence Abrams}, title = {{TrickBot Now Uses a Windows 10 UAC Bypass to Evade Detection}}, date = {2020-01-16}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trickbot-now-uses-a-windows-10-uac-bypass-to-evade-detection/}, language = {English}, urldate = {2020-01-20} } @online{abrams:20200118:new:4ad3c25, author = {Lawrence Abrams}, title = {{New Jersey Synagogue Suffers Sodinokibi Ransomware Attack}}, date = {2020-01-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-jersey-synagogue-suffers-sodinokibi-ransomware-attack/}, language = {English}, urldate = {2020-01-22} } @online{abrams:20200121:bitpylock:ded9871, author = {Lawrence Abrams}, title = {{BitPyLock Ransomware Now Threatens to Publish Stolen Data}}, date = {2020-01-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/bitpylock-ransomware-now-threatens-to-publish-stolen-data/}, language = {English}, urldate = {2020-01-22} } @online{abrams:20200123:trickbot:5ca7827, author = {Lawrence Abrams}, title = {{TrickBot Now Steals Windows Active Directory Credentials}}, date = {2020-01-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trickbot-now-steals-windows-active-directory-credentials/}, language = {English}, urldate = {2020-01-27} } @online{abrams:20200124:new:05d5a6a, author = {Lawrence Abrams}, title = {{New Ryuk Info Stealer Targets Government and Military Secrets}}, date = {2020-01-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-ryuk-info-stealer-targets-government-and-military-secrets/}, language = {English}, urldate = {2020-02-03} } @online{abrams:20200128:ragnarok:713a314, author = {Lawrence Abrams}, title = {{Ragnarok Ransomware Targets Citrix ADC, Disables Windows Defender}}, date = {2020-01-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-targets-citrix-adc-disables-windows-defender/}, language = {English}, urldate = {2020-01-28} } @online{abrams:20200129:malware:920dc7e, author = {Lawrence Abrams}, title = {{Malware Tries to Trump Security Software With POTUS Impeachment}}, date = {2020-01-29}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/malware-tries-to-trump-security-software-with-potus-impeachment/}, language = {English}, urldate = {2020-02-03} } @online{abrams:20200130:trickbot:22db786, author = {Lawrence Abrams}, title = {{TrickBot Uses a New Windows 10 UAC Bypass to Launch Quietly}}, date = {2020-01-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly/}, language = {English}, urldate = {2020-02-03} } @online{abrams:20200205:mailto:3027008, author = {Lawrence Abrams}, title = {{Mailto (NetWalker) Ransomware Targets Enterprise Networks}}, date = {2020-02-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/mailto-netwalker-ransomware-targets-enterprise-networks/}, language = {English}, urldate = {2020-02-11} } @online{abrams:20200206:ransomware:8b6a606, author = {Lawrence Abrams}, title = {{Ransomware Exploits GIGABYTE Driver to Kill AV Processes}}, date = {2020-02-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-exploits-gigabyte-driver-to-kill-av-processes/}, language = {English}, urldate = {2020-02-13} } @online{abrams:20200213:parallax:9842604, author = {Lawrence Abrams}, title = {{Parallax RAT: Common Malware Payload After Hacker Forums Promotion}}, date = {2020-02-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/parallax-rat-common-malware-payload-after-hacker-forums-promotion/}, language = {English}, urldate = {2020-04-01} } @online{abrams:20200225:doppelpaymer:9ca20ab, author = {Lawrence Abrams}, title = {{DoppelPaymer Ransomware Launches Site to Post Victim's Data}}, date = {2020-02-25}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/}, language = {English}, urldate = {2020-02-26} } @online{abrams:20200226:sodinokibi:7d730ac, author = {Lawrence Abrams}, title = {{Sodinokibi Ransomware May Tip NASDAQ on Attacks to Hurt Stock Prices}}, date = {2020-02-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-may-tip-nasdaq-on-attacks-to-hurt-stock-prices/}, language = {English}, urldate = {2020-03-02} } @online{abrams:20200302:new:e4cb07c, author = {Lawrence Abrams}, title = {{New PwndLocker Ransomware Targeting U.S. Cities, Enterprises}}, date = {2020-03-02}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-pwndlocker-ransomware-targeting-us-cities-enterprises/}, language = {English}, urldate = {2020-03-02} } @online{abrams:20200303:ransomware:8be6fa7, author = {Lawrence Abrams}, title = {{Ransomware Attackers Use Your Cloud Backups Against You}}, date = {2020-03-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/}, language = {English}, urldate = {2020-03-04} } @online{abrams:20200304:ryuk:31f2ce0, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Attacked Epiq Global Via TrickBot Infection}}, date = {2020-03-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/}, language = {English}, urldate = {2020-03-09} } @online{abrams:20200305:pwndlocker:d9b200a, author = {Lawrence Abrams}, title = {{PwndLocker Ransomware Gets Pwned: Decryption Now Available}}, date = {2020-03-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/pwndlocker-ransomware-gets-pwned-decryption-now-available/}, language = {English}, urldate = {2020-03-05} } @online{abrams:20200307:ransomware:f839049, author = {Lawrence Abrams}, title = {{Ransomware Threatens to Reveal Company's 'Dirty' Secrets}}, date = {2020-03-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-threatens-to-reveal-companys-dirty-secrets/}, language = {English}, urldate = {2020-03-11} } @online{abrams:20200317:new:d6fa158, author = {Lawrence Abrams}, title = {{New Nefilim Ransomware Threatens to Release Victims' Data}}, date = {2020-03-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-nefilim-ransomware-threatens-to-release-victims-data/}, language = {English}, urldate = {2020-03-19} } @online{abrams:20200319:redline:5966456, author = {Lawrence Abrams}, title = {{RedLine Info-Stealing Malware Spread by Folding@home Phishing}}, date = {2020-03-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/redline-info-stealing-malware-spread-by-folding-home-phishing/}, language = {English}, urldate = {2020-03-22} } @online{abrams:20200321:netwalker:5d2936c, author = {Lawrence Abrams}, title = {{Netwalker Ransomware Infecting Users via Coronavirus Phishing}}, date = {2020-03-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/netwalker-ransomware-infecting-users-via-coronavirus-phishing/}, language = {English}, urldate = {2020-03-22} } @online{abrams:20200324:three:fb92d03, author = {Lawrence Abrams}, title = {{Three More Ransomware Families Create Sites to Leak Stolen Data}}, date = {2020-03-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/}, language = {English}, urldate = {2020-03-26} } @online{abrams:20200411:sodinokibi:82f9f79, author = {Lawrence Abrams}, title = {{Sodinokibi Ransomware to stop taking Bitcoin to hide money trail}}, date = {2020-04-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-to-stop-taking-bitcoin-to-hide-money-trail/}, language = {English}, urldate = {2020-04-26} } @online{abrams:20200418:it:bb2d626, author = {Lawrence Abrams}, title = {{IT services giant Cognizant suffers Maze Ransomware cyber attack}}, date = {2020-04-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/}, language = {English}, urldate = {2020-04-20} } @online{abrams:20200424:bazarbackdoor:86afc50, author = {Lawrence Abrams}, title = {{BazarBackdoor: TrickBot gang’s new stealthy network-hacking malware}}, date = {2020-04-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/}, language = {English}, urldate = {2020-05-02} } @online{abrams:20200608:new:c1f97ec, author = {Lawrence Abrams}, title = {{New Avaddon Ransomware launches in massive smiley spam campaign}}, date = {2020-06-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-avaddon-ransomware-launches-in-massive-smiley-spam-campaign/}, language = {English}, urldate = {2020-06-10} } @online{abrams:20200622:indiabulls:ce0fcdb, author = {Lawrence Abrams}, title = {{Indiabulls Group hit by CLOP Ransomware, gets 24h leak deadline}}, date = {2020-06-22}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/indiabulls-group-hit-by-clop-ransomware-gets-24h-leak-deadline/}, language = {English}, urldate = {2020-06-23} } @online{abrams:20200626:new:d6e2d17, author = {Lawrence Abrams}, title = {{New Ransom X Ransomware used in Texas TxDOT cyberattack}}, date = {2020-06-26}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/}, language = {English}, urldate = {2020-07-11} } @online{abrams:20200626:ransom:9e453cd, author = {Lawrence Abrams}, title = {{Ransom .exx notes}}, date = {2020-06-26}, organization = {Github (Bleeping)}, url = {https://github.com/Bleeping/Ransom.exx}, language = {English}, urldate = {2020-07-11} } @online{abrams:20200711:trickbot:7e70ad3, author = {Lawrence Abrams}, title = {{TrickBot malware mistakenly warns victims that they are infected}}, date = {2020-07-11}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/trickbot-malware-mistakenly-warns-victims-that-they-are-infected/}, language = {English}, urldate = {2020-07-15} } @online{abrams:20200713:new:a9e2a62, author = {Lawrence Abrams}, title = {{New AgeLocker Ransomware uses Googler's utility to encrypt files}}, date = {2020-07-13}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/new-agelocker-ransomware-uses-googlers-utility-to-encrypt-files/}, language = {English}, urldate = {2020-07-15} } @online{abrams:20200720:emotettrickbot:a8e84d2, author = {Lawrence Abrams}, title = {{Emotet-TrickBot malware duo is back infecting Windows machines}}, date = {2020-07-20}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/emotet-trickbot-malware-duo-is-back-infecting-windows-machines/}, language = {English}, urldate = {2020-07-21} } @online{abrams:20200821:darkside:3ebbc35, author = {Lawrence Abrams}, title = {{DarkSide: New targeted ransomware demands million dollar ransoms}}, date = {2020-08-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/darkside-new-targeted-ransomware-demands-million-dollar-ransoms/}, language = {English}, urldate = {2020-08-24} } @online{abrams:20200825:ryuk:fbd5d99, author = {Lawrence Abrams}, title = {{Ryuk successor Conti Ransomware releases data leak site}}, date = {2020-08-25}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-successor-conti-ransomware-releases-data-leak-site/}, language = {English}, urldate = {2020-08-26} } @online{abrams:20200826:suncrypt:426964e, author = {Lawrence Abrams}, title = {{SunCrypt Ransomware sheds light on the Maze ransomware cartel}}, date = {2020-08-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-sheds-light-on-the-maze-ransomware-cartel/}, language = {English}, urldate = {2020-08-27} } @online{abrams:20200917:maze:81b8c38, author = {Lawrence Abrams}, title = {{Maze ransomware now encrypts via virtual machines to evade detection}}, date = {2020-09-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-now-encrypts-via-virtual-machines-to-evade-detection/}, language = {English}, urldate = {2020-09-21} } @online{abrams:20200923:agelocker:1826fc8, author = {Lawrence Abrams}, title = {{AgeLocker ransomware targets QNAP NAS devices, steals data}}, date = {2020-09-23}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/agelocker-ransomware-targets-qnap-nas-devices-steals-data/}, language = {English}, urldate = {2020-09-25} } @online{abrams:20200923:government:bf7b212, author = {Lawrence Abrams}, title = {{Government software provider Tyler Technologies hit by ransomware}}, date = {2020-09-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/government-software-provider-tyler-technologies-hit-by-ransomware/}, language = {English}, urldate = {2020-10-02} } @online{abrams:20200924:mount:0456f2a, author = {Lawrence Abrams}, title = {{Mount Locker ransomware joins the multi-million dollar ransom game}}, date = {2020-09-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-joins-the-multi-million-dollar-ransom-game/}, language = {English}, urldate = {2020-10-02} } @online{abrams:20201016:thunderx:7e8ece8, author = {Lawrence Abrams}, title = {{ThunderX Ransomware rebrands as Ranzy Locker, adds data leak site}}, date = {2020-10-16}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/thunderx-ransomware-rebrands-as-ranzy-locker-adds-data-leak-site/}, language = {English}, urldate = {2020-10-23} } @online{abrams:20201020:barnes:f210b39, author = {Lawrence Abrams}, title = {{Barnes & Noble hit by Egregor ransomware, strange data leaked}}, date = {2020-10-20}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/barnes-and-noble-hit-by-egregor-ransomware-strange-data-leaked/}, language = {English}, urldate = {2020-10-23} } @online{abrams:20201022:french:6d52e19, author = {Lawrence Abrams}, title = {{French IT giant Sopra Steria hit by Ryuk ransomware}}, date = {2020-10-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/french-it-giant-sopra-steria-hit-by-ryuk-ransomware/}, language = {English}, urldate = {2020-10-26} } @online{abrams:20201023:new:b9a8801, author = {Lawrence Abrams}, title = {{New RAT malware gets commands via Discord, has ransomware feature}}, date = {2020-10-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/}, language = {English}, urldate = {2020-10-27} } @online{abrams:20201027:steelcase:25f66a9, author = {Lawrence Abrams}, title = {{Steelcase furniture giant hit by Ryuk ransomware attack}}, date = {2020-10-27}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/steelcase-furniture-giant-hit-by-ryuk-ransomware-attack/}, language = {English}, urldate = {2020-10-28} } @online{abrams:20201029:hacking:c8d5379, author = {Lawrence Abrams}, title = {{Hacking group is targeting US hospitals with Ryuk ransomware}}, date = {2020-10-29}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hacking-group-is-targeting-us-hospitals-with-ryuk-ransomware/}, language = {English}, urldate = {2020-11-02} } @online{abrams:20201029:maze:f90b399, author = {Lawrence Abrams}, title = {{Maze ransomware is shutting down its cybercrime operation}}, date = {2020-10-29}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/}, language = {English}, urldate = {2020-11-02} } @online{abrams:20201103:new:819bca9, author = {Lawrence Abrams}, title = {{New RegretLocker ransomware targets Windows virtual machines}}, date = {2020-11-03}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/new-regretlocker-ransomware-targets-windows-virtual-machines/}, language = {English}, urldate = {2020-11-06} } @online{abrams:20201105:capcom:e0ff215, author = {Lawrence Abrams}, title = {{Capcom hit by Ragnar Locker ransomware, 1TB allegedly stolen}}, date = {2020-11-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/capcom-hit-by-ragnar-locker-ransomware-1tb-allegedly-stolen/}, language = {English}, urldate = {2020-11-06} } @online{abrams:20201105:japanese:0221abc, author = {Lawrence Abrams}, title = {{Japanese game dev Capcom hit by cyberattack, business impacted}}, date = {2020-11-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/japanese-game-dev-capcom-hit-by-cyberattack-business-impacted/}, language = {English}, urldate = {2020-11-06} } @online{abrams:20201109:laptop:fa3207d, author = {Lawrence Abrams}, title = {{Laptop maker Compal hit by ransomware, $17 million demanded}}, date = {2020-11-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/laptop-maker-compal-hit-by-ransomware-17-million-demanded/}, language = {English}, urldate = {2020-11-11} } @online{abrams:20201113:darkside:82cdb5f, author = {Lawrence Abrams}, title = {{DarkSide ransomware is creating a secure data leak service in Iran}}, date = {2020-11-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/darkside-ransomware-is-creating-a-secure-data-leak-service-in-iran/}, language = {English}, urldate = {2020-11-18} } @online{abrams:20201114:retail:f5192ae, author = {Lawrence Abrams}, title = {{Retail giant Cencosud hit by Egregor Ransomware attack, stores impacted}}, date = {2020-11-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/retail-giant-cencosud-hit-by-egregor-ransomware-attack-stores-impacted/}, language = {English}, urldate = {2020-11-19} } @online{abrams:20201114:week:71b8a1e, author = {Lawrence Abrams}, title = {{The Week in Ransomware - November 13th 2020 - Extortion gone wild}}, date = {2020-11-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-13th-2020-extortion-gone-wild/}, language = {English}, urldate = {2021-06-01} } @online{abrams:20201118:revil:fda480b, author = {Lawrence Abrams}, title = {{REvil ransomware hits Managed.com hosting provider, 500K ransom}}, date = {2020-11-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-managedcom-hosting-provider-500k-ransom/}, language = {English}, urldate = {2020-11-19} } @online{abrams:20201119:mount:0294998, author = {Lawrence Abrams}, title = {{Mount Locker ransomware now targets your TurboTax tax returns}}, date = {2020-11-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-now-targets-your-turbotax-tax-returns/}, language = {English}, urldate = {2020-11-23} } @online{abrams:20201120:lightbot:473b7c3, author = {Lawrence Abrams}, title = {{LightBot: TrickBot’s new reconnaissance malware for high-value targets}}, date = {2020-11-20}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/lightbot-trickbot-s-new-reconnaissance-malware-for-high-value-targets/}, language = {English}, urldate = {2020-11-23} } @online{abrams:20201203:kmart:0795c86, author = {Lawrence Abrams}, title = {{Kmart nationwide retailer suffers a ransomware attack}}, date = {2020-12-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/kmart-nationwide-retailer-suffers-a-ransomware-attack/}, language = {English}, urldate = {2020-12-08} } @online{abrams:20201203:ransomware:186759f, author = {Lawrence Abrams}, title = {{Ransomware gang says they stole 2 million credit cards from E-Land}}, date = {2020-12-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-gang-says-they-stole-2-million-credit-cards-from-e-land/}, language = {English}, urldate = {2020-12-08} } @online{abrams:20201204:largest:43455f7, author = {Lawrence Abrams}, title = {{Largest global staffing agency Randstad hit by Egregor ransomware}}, date = {2020-12-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/largest-global-staffing-agency-randstad-hit-by-egregor-ransomware/}, language = {English}, urldate = {2020-12-08} } @online{abrams:20201204:metro:3350ee7, author = {Lawrence Abrams}, title = {{Metro Vancouver's transit system hit by Egregor ransomware}}, date = {2020-12-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/metro-vancouvers-transit-system-hit-by-egregor-ransomware/}, language = {English}, urldate = {2020-12-08} } @online{abrams:20201207:foxconn:307c147, author = {Lawrence Abrams}, title = {{Foxconn electronics giant hit by ransomware, $34 million ransom}}, date = {2020-12-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/foxconn-electronics-giant-hit-by-ransomware-34-million-ransom/}, language = {English}, urldate = {2020-12-08} } @online{abrams:20201213:intels:ae85240, author = {Lawrence Abrams}, title = {{Intel's Habana Labs hacked by Pay2Key ransomware, data stolen}}, date = {2020-12-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/intels-habana-labs-hacked-by-pay2key-ransomware-data-stolen/}, language = {English}, urldate = {2020-12-14} } @online{abrams:20201216:fireeye:d24dc6f, author = {Lawrence Abrams}, title = {{FireEye, Microsoft create kill switch for SolarWinds backdoor}}, date = {2020-12-16}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fireeye-microsoft-create-kill-switch-for-solarwinds-backdoor/}, language = {English}, urldate = {2020-12-17} } @online{abrams:20201219:solarwinds:0129ee8, author = {Lawrence Abrams}, title = {{The SolarWinds cyberattack: The hack, the victims, and what we know}}, date = {2020-12-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/the-solarwinds-cyberattack-the-hack-the-victims-and-what-we-know/}, language = {English}, urldate = {2020-12-19} } @online{abrams:20201221:trucking:2b6b278, author = {Lawrence Abrams}, title = {{Trucking giant Forward Air hit by new Hades ransomware gang}}, date = {2020-12-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trucking-giant-forward-air-hit-by-new-hades-ransomware-gang/}, language = {English}, urldate = {2020-12-23} } @online{abrams:20201228:home:5e0aaf7, author = {Lawrence Abrams}, title = {{Home appliance giant Whirlpool hit in Nefilim ransomware attack}}, date = {2020-12-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/home-appliance-giant-whirlpool-hit-in-nefilim-ransomware-attack/}, language = {English}, urldate = {2021-01-01} } @online{abrams:20210106:hackers:638f09c, author = {Lawrence Abrams}, title = {{Hackers start exploiting the new backdoor in Zyxel devices}}, date = {2021-01-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hackers-start-exploiting-the-new-backdoor-in-zyxel-devices/}, language = {English}, urldate = {2021-01-11} } @online{abrams:20210115:windows:350b568, author = {Lawrence Abrams}, title = {{Windows Finger command abused by phishing to download malware}}, date = {2021-01-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/windows-finger-command-abused-by-phishing-to-download-malware/}, language = {English}, urldate = {2021-01-21} } @online{abrams:20210118:iobit:398481c, author = {Lawrence Abrams}, title = {{IObit forums hacked to spread ransomware to its members}}, date = {2021-01-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/}, language = {English}, urldate = {2021-01-21} } @online{abrams:20210118:iobit:7539655, author = {Lawrence Abrams}, title = {{IObit forums hacked in widespread DeroHE ransomware attack}}, date = {2021-01-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-in-widespread-derohe-ransomware-attack/}, language = {English}, urldate = {2021-01-21} } @online{abrams:20210124:another:23e31f7, author = {Lawrence Abrams}, title = {{Another ransomware (Avaddon) now uses DDoS attacks to force victims to pay}}, date = {2021-01-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/another-ransomware-now-uses-ddos-attacks-to-force-victims-to-pay/}, language = {English}, urldate = {2021-01-25} } @online{abrams:20210202:babyk:0f0a60d, author = {Lawrence Abrams}, title = {{Babyk Ransomware won't hit charities, unless they support LGBT, BLM}}, date = {2021-02-02}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/babyk-ransomware-wont-hit-charities-unless-they-support-lgbt-blm/}, language = {English}, urldate = {2021-02-04} } @online{abrams:20210207:new:704db11, author = {Lawrence Abrams}, title = {{New phishing attack uses Morse code to hide malicious URLs}}, date = {2021-02-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-phishing-attack-uses-morse-code-to-hide-malicious-urls/}, language = {English}, urldate = {2021-02-09} } @online{abrams:20210310:norway:1db24ea, author = {Lawrence Abrams}, title = {{Norway parliament data stolen in Microsoft Exchange attack}}, date = {2021-03-10}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/norway-parliament-data-stolen-in-microsoft-exchange-attack/}, language = {English}, urldate = {2021-03-11} } @online{abrams:20210311:ransomware:0cd191c, author = {Lawrence Abrams}, title = {{Ransomware now attacks Microsoft Exchange servers with ProxyLogon exploits}}, date = {2021-03-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-dearcry-ransomware-is-targeting-microsoft-exchange-servers/}, language = {English}, urldate = {2021-03-12} } @online{abrams:20210319:revil:32f2221, author = {Lawrence Abrams}, title = {{REvil ransomware has a new ‘Windows Safe Mode’ encryption mode}}, date = {2021-03-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/}, language = {English}, urldate = {2021-03-24} } @online{abrams:20210325:insurance:5e12adf, author = {Lawrence Abrams}, title = {{Insurance giant CNA hit by new Phoenix CryptoLocker ransomware}}, date = {2021-03-25}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/insurance-giant-cna-hit-by-new-phoenix-cryptolocker-ransomware/}, language = {English}, urldate = {2021-03-30} } @online{abrams:20210326:ransomware:bc58d85, author = {Lawrence Abrams}, title = {{Ransomware gang urges victims’ customers to demand a ransom payment}}, date = {2021-03-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-gang-urges-victims-customers-to-demand-a-ransom-payment/}, language = {English}, urldate = {2021-03-31} } @online{abrams:20210418:discord:8787410, author = {Lawrence Abrams}, title = {{Discord Nitro gift codes now demanded as ransomware payments}}, date = {2021-04-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/discord-nitro-gift-codes-now-demanded-as-ransomware-payments/}, language = {English}, urldate = {2021-08-26} } @online{abrams:20210420:fake:fca82a4, author = {Lawrence Abrams}, title = {{Fake Microsoft Store, Spotify sites spread info-stealing malware}}, date = {2021-04-20}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fake-microsoft-store-spotify-sites-spread-info-stealing-malware/}, language = {English}, urldate = {2021-06-16} } @online{abrams:20210421:logins:d779ad8, author = {Lawrence Abrams}, title = {{Logins for 1.3 million Windows RDP servers collected from hacker market}}, date = {2021-04-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/logins-for-13-million-windows-rdp-servers-collected-from-hacker-market/}, language = {English}, urldate = {2021-04-28} } @online{abrams:20210421:massive:1718928, author = {Lawrence Abrams}, title = {{Massive Qlocker ransomware attack uses 7zip to encrypt QNAP devices}}, date = {2021-04-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/massive-qlocker-ransomware-attack-uses-7zip-to-encrypt-qnap-devices/}, language = {English}, urldate = {2021-04-28} } @online{abrams:20210424:ransomware:3358dd7, author = {Lawrence Abrams}, title = {{A ransomware gang made $260,000 in 5 days using the 7zip utility}}, date = {2021-04-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/a-ransomware-gang-made-260-000-in-5-days-using-the-7zip-utility/}, language = {English}, urldate = {2021-04-29} } @online{abrams:20210428:uk:2cce8c7, author = {Lawrence Abrams}, title = {{UK rail network Merseyrail likely hit by Lockbit ransomware}}, date = {2021-04-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/uk-rail-network-merseyrail-likely-hit-by-lockbit-ransomware/}, language = {English}, urldate = {2021-05-04} } @online{abrams:20210429:whistler:7e56ef7, author = {Lawrence Abrams}, title = {{Whistler resort municipality hit by new ransomware operation}}, date = {2021-04-29}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/whistler-resort-municipality-hit-by-new-ransomware-operation/}, language = {English}, urldate = {2021-05-08} } @online{abrams:20210503:apple:f499daf, author = {Lawrence Abrams}, title = {{Apple fixes 2 iOS zero-day vulnerabilities actively used in attacks}}, date = {2021-05-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/apple/apple-fixes-2-ios-zero-day-vulnerabilities-actively-used-in-attacks/}, language = {English}, urldate = {2021-05-04} } @online{abrams:20210503:n3tw0rm:a58b595, author = {Lawrence Abrams}, title = {{N3TW0RM ransomware emerges in wave of cyberattacks in Israel}}, date = {2021-05-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/n3tw0rm-ransomware-emerges-in-wave-of-cyberattacks-in-israel/}, language = {English}, urldate = {2021-05-04} } @online{abrams:20210507:data:c674b2b, author = {Lawrence Abrams}, title = {{Data leak marketplaces aim to take over the extortion economy}}, date = {2021-05-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/data-leak-marketplaces-aim-to-take-over-the-extortion-economy/}, language = {English}, urldate = {2021-05-08} } @online{abrams:20210510:city:ba5dcd5, author = {Lawrence Abrams}, title = {{City of Tulsa's online services disrupted in ransomware incident}}, date = {2021-05-10}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/city-of-tulsas-online-services-disrupted-in-ransomware-incident/}, language = {English}, urldate = {2021-05-13} } @online{abrams:20210513:chemical:86f4f4a, author = {Lawrence Abrams}, title = {{Chemical distributor pays $4.4 million to DarkSide ransomware}}, date = {2021-05-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/chemical-distributor-pays-44-million-to-darkside-ransomware/}, language = {English}, urldate = {2021-05-17} } @online{abrams:20210513:meet:7ffacf5, author = {Lawrence Abrams}, title = {{Meet Lorenz — A new ransomware gang targeting the enterprise}}, date = {2021-05-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/meet-lorenz-a-new-ransomware-gang-targeting-the-enterprise/}, language = {English}, urldate = {2021-05-13} } @online{abrams:20210513:popular:62e98c8, author = {Lawrence Abrams}, title = {{Popular Russian hacking forum XSS bans all ransomware topics}}, date = {2021-05-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/}, language = {English}, urldate = {2021-05-17} } @online{abrams:20210514:darkside:5169afb, author = {Lawrence Abrams}, title = {{DarkSide ransomware servers reportedly seized, REvil restricts targets}}, date = {2021-05-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/darkside-ransomware-servers-reportedly-seized-revil-restricts-targets/}, language = {English}, urldate = {2021-05-17} } @online{abrams:20210602:fbi:a9cb4ad, author = {Lawrence Abrams}, title = {{FBI: REvil cybergang behind the JBS ransomware attack}}, date = {2021-06-02}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fbi-revil-cybergang-behind-the-jbs-ransomware-attack/}, language = {English}, urldate = {2021-06-09} } @online{abrams:20210602:fujifilm:eced96f, author = {Lawrence Abrams}, title = {{FUJIFILM shuts down network after suspected ransomware attack}}, date = {2021-06-02}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fujifilm-shuts-down-network-after-suspected-ransomware-attack/}, language = {English}, urldate = {2021-06-09} } @online{abrams:20210606:new:8c47cad, author = {Lawrence Abrams}, title = {{New Evil Corp ransomware mimics PayloadBin gang to evade US sanctions}}, date = {2021-06-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/}, language = {English}, urldate = {2021-06-16} } @online{abrams:20210611:avaddon:0c89258, author = {Lawrence Abrams}, title = {{Avaddon ransomware shuts down and releases decryption keys}}, date = {2021-06-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/avaddon-ransomware-shuts-down-and-releases-decryption-keys/}, language = {English}, urldate = {2021-06-16} } @online{abrams:20210630:leaked:ea62d8a, author = {Lawrence Abrams}, title = {{Leaked Babuk Locker ransomware builder used in new attacks}}, date = {2021-06-30}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/}, language = {English}, urldate = {2021-07-02} } @online{abrams:20210702:revil:576023e, author = {Lawrence Abrams}, title = {{REvil ransomware hits 1,000+ companies in MSP supply-chain attack}}, date = {2021-07-02}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-1-000-plus-companies-in-msp-supply-chain-attack/}, language = {English}, urldate = {2021-07-26} } @online{abrams:20210713:revil:902b974, author = {Lawrence Abrams}, title = {{REvil ransomware gang's web sites mysteriously shut down}}, date = {2021-07-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/revil-ransomware-gangs-web-sites-mysteriously-shut-down/}, language = {English}, urldate = {2021-07-20} } @online{abrams:20210715:linux:87987af, author = {Lawrence Abrams}, title = {{Linux version of HelloKitty ransomware targets VMware ESXi servers}}, date = {2021-07-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/linux-version-of-hellokitty-ransomware-targets-vmware-esxi-servers/}, language = {English}, urldate = {2021-08-06} } @online{abrams:20210717:ecuadors:3940c8e, author = {Lawrence Abrams}, title = {{Ecuador's state-run CNT telco hit by RansomEXX ransomware}}, date = {2021-07-17}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/ecuadors-state-run-cnt-telco-hit-by-ransomexx-ransomware/}, language = {English}, urldate = {2021-07-26} } @online{abrams:20210722:kaseya:7ec0805, author = {Lawrence Abrams}, title = {{Kaseya obtains universal decryptor for REvil ransomware victims}}, date = {2021-07-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/kaseya-obtains-universal-decryptor-for-revil-ransomware-victims/}, language = {English}, urldate = {2021-07-26} } @online{abrams:20210727:lockbit:095b8d6, author = {Lawrence Abrams}, title = {{LockBit ransomware now encrypts Windows domains using group policies}}, date = {2021-07-27}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/}, language = {English}, urldate = {2021-07-29} } @online{abrams:20210731:blackmatter:924d440, author = {Lawrence Abrams}, title = {{BlackMatter ransomware gang rises from the ashes of DarkSide, REvil}}, date = {2021-07-31}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/}, language = {English}, urldate = {2021-08-02} } @online{abrams:20210731:darkside:1d6ac34, author = {Lawrence Abrams}, title = {{DarkSide ransomware gang returns as new BlackMatter operation}}, date = {2021-07-31}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/darkside-ransomware-gang-returns-as-new-blackmatter-operation/}, language = {English}, urldate = {2021-08-02} } @online{abrams:20210803:ransomware:d1b938f, author = {Lawrence Abrams}, title = {{Ransomware attack hits Italy's Lazio region, affects COVID-19 site}}, date = {2021-08-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-attack-hits-italys-lazio-region-affects-covid-19-site/}, language = {English}, urldate = {2021-08-06} } @online{abrams:20210804:lockbit:c6ab8ec, author = {Lawrence Abrams}, title = {{LockBit ransomware recruiting insiders to breach corporate networks}}, date = {2021-08-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/lockbit-ransomware-recruiting-insiders-to-breach-corporate-networks/}, language = {English}, urldate = {2021-08-06} } @online{abrams:20210805:angry:a9916d3, author = {Lawrence Abrams}, title = {{Angry Conti ransomware affiliate leaks gang's attack playbook}}, date = {2021-08-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/angry-conti-ransomware-affiliate-leaks-gangs-attack-playbook/}, language = {English}, urldate = {2021-08-06} } @online{abrams:20210805:linux:d6e65f8, author = {Lawrence Abrams}, title = {{Linux version of BlackMatter ransomware targets VMware ESXi servers}}, date = {2021-08-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/linux-version-of-blackmatter-ransomware-targets-vmware-esxi-servers/}, language = {English}, urldate = {2021-08-09} } @online{abrams:20210811:kaseyas:93f86e6, author = {Lawrence Abrams}, title = {{Kaseya's universal REvil decryption key leaked on a hacking forum}}, date = {2021-08-11}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/kaseyas-universal-revil-decryption-key-leaked-on-a-hacking-forum/}, language = {English}, urldate = {2021-08-16} } @online{abrams:20210824:ransomware:7095151, author = {Lawrence Abrams}, title = {{Ransomware gang's script shows exactly the files they're after}}, date = {2021-08-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-gangs-script-shows-exactly-the-files-theyre-after/}, language = {English}, urldate = {2022-01-28} } @online{abrams:20210906:trickbot:652a467, author = {Lawrence Abrams}, title = {{TrickBot gang developer arrested when trying to leave Korea}}, date = {2021-09-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trickbot-gang-developer-arrested-when-trying-to-leave-korea/}, language = {English}, urldate = {2021-09-10} } @online{abrams:20210907:revil:121f953, author = {Lawrence Abrams}, title = {{REvil ransomware's servers mysteriously come back online}}, date = {2021-09-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/revil-ransomwares-servers-mysteriously-come-back-online/}, language = {English}, urldate = {2021-09-10} } @online{abrams:20211017:revil:b53b66f, author = {Lawrence Abrams}, title = {{REvil ransomware shuts down again after Tor sites were hijacked}}, date = {2021-10-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/revil-ransomware-shuts-down-again-after-tor-sites-were-hijacked/}, language = {English}, urldate = {2021-10-25} } @online{abrams:20211021:evil:71bc16a, author = {Lawrence Abrams}, title = {{Evil Corp demands $40 million in new Macaw ransomware attacks}}, date = {2021-10-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/evil-corp-demands-40-million-in-new-macaw-ransomware-attacks/}, language = {English}, urldate = {2022-05-17} } @online{abrams:20211021:massive:89295e6, author = {Lawrence Abrams}, title = {{Massive campaign uses YouTube to push password-stealing malware}}, date = {2021-10-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/massive-campaign-uses-youtube-to-push-password-stealing-malware/}, language = {English}, urldate = {2021-11-02} } @online{abrams:20211103:blackmatter:5681de9, author = {Lawrence Abrams}, title = {{BlackMatter ransomware moves victims to LockBit after shutdown}}, date = {2021-11-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/}, language = {English}, urldate = {2021-11-08} } @online{abrams:20211115:emotet:8de6d81, author = {Lawrence Abrams}, title = {{Emotet malware is back and rebuilding its botnet via TrickBot}}, date = {2021-11-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/emotet-malware-is-back-and-rebuilding-its-botnet-via-trickbot/}, language = {English}, urldate = {2021-11-17} } @online{abrams:20211207:emotet:f33c999, author = {Lawrence Abrams}, title = {{Emotet now drops Cobalt Strike, fast forwards ransomware attacks}}, date = {2021-12-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/emotet-now-drops-cobalt-strike-fast-forwards-ransomware-attacks/}, language = {English}, urldate = {2021-12-08} } @online{abrams:20211220:log4j:1a80230, author = {Lawrence Abrams}, title = {{Log4j vulnerability now used to install Dridex banking malware}}, date = {2021-12-20}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/log4j-vulnerability-now-used-to-install-dridex-banking-malware/}, language = {English}, urldate = {2021-12-21} } @online{abrams:20220102:malicious:a53af29, author = {Lawrence Abrams}, title = {{Malicious CSV text files used to install BazarBackdoor malware}}, date = {2022-01-02}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/malicious-csv-text-files-used-to-install-bazarbackdoor-malware/}, language = {English}, urldate = {2022-02-02} } @online{abrams:20220108:trojanized:00522d1, author = {Lawrence Abrams}, title = {{Trojanized dnSpy app drops malware cocktail on researchers, devs}}, date = {2022-01-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trojanized-dnspy-app-drops-malware-cocktail-on-researchers-devs/}, language = {English}, urldate = {2022-01-18} } @online{abrams:20220120:fbi:e5f3fc1, author = {Lawrence Abrams}, title = {{FBI links Diavol ransomware to the TrickBot cybercrime group}}, date = {2022-01-20}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/fbi-links-diavol-ransomware-to-the-trickbot-cybercrime-group/}, language = {English}, urldate = {2022-01-24} } @online{abrams:20220125:new:5f8b7cf, author = {Lawrence Abrams}, title = {{New DeadBolt ransomware targets QNAP devices, asks 50 BTC for master key}}, date = {2022-01-25}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-deadbolt-ransomware-targets-qnap-devices-asks-50-btc-for-master-key/}, language = {English}, urldate = {2022-01-28} } @online{abrams:20220209:ransomware:e36973b, author = {Lawrence Abrams}, title = {{Ransomware dev releases Egregor, Maze master decryption keys}}, date = {2022-02-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/}, language = {English}, urldate = {2022-02-10} } @online{abrams:20220227:conti:bf48bb7, author = {Lawrence Abrams}, title = {{Conti ransomware's internal chats leaked after siding with Russia}}, date = {2022-02-27}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/conti-ransomwares-internal-chats-leaked-after-siding-with-russia/}, language = {English}, urldate = {2022-03-01} } @online{abrams:20220301:conti:4cd4535, author = {Lawrence Abrams}, title = {{Conti Ransomware source code leaked by Ukrainian researcher}}, date = {2022-03-01}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/conti-ransomware-source-code-leaked-by-ukrainian-researcher/}, language = {English}, urldate = {2022-03-07} } @online{abrams:20220303:malware:e800ffb, author = {Lawrence Abrams}, title = {{Malware campaign impersonates VC firm looking to buy sites}}, date = {2022-03-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/malware-campaign-impersonates-vc-firm-looking-to-buy-sites/}, language = {English}, urldate = {2022-03-04} } @online{abrams:20220305:malware:5ab8b53, author = {Lawrence Abrams}, title = {{Malware now using NVIDIA's stolen code signing certificates}}, date = {2022-03-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/malware-now-using-nvidias-stolen-code-signing-certificates/}, language = {English}, urldate = {2022-03-10} } @online{abrams:20220306:mozilla:fabd07e, author = {Lawrence Abrams}, title = {{Mozilla Firefox 97.0.2 fixes two actively exploited zero-day bugs (CVE-2022-26485 & CVE-2022-26486)}}, date = {2022-03-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/mozilla-firefox-9702-fixes-two-actively-exploited-zero-day-bugs/}, language = {English}, urldate = {2022-03-07} } @online{abrams:20220319:new:197ca68, author = {Lawrence Abrams}, title = {{New Phishing toolkit lets anyone create fake Chrome browser windows}}, date = {2022-03-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-phishing-toolkit-lets-anyone-create-fake-chrome-browser-windows/}, language = {English}, urldate = {2022-03-22} } @online{abrams:20220322:microsoft:54e0518, author = {Lawrence Abrams}, title = {{Microsoft confirms they were hacked by Lapsus$ extortion group}}, date = {2022-03-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-they-were-hacked-by-lapsus-extortion-group/}, language = {English}, urldate = {2022-03-23} } @online{abrams:20220325:raccoon:c99dbc5, author = {Lawrence Abrams}, title = {{Raccoon Stealer malware suspends operations due to war in Ukraine}}, date = {2022-03-25}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/raccoon-stealer-malware-suspends-operations-due-to-war-in-ukraine/}, language = {English}, urldate = {2022-04-07} } @online{abrams:20220327:hive:4b2408f, author = {Lawrence Abrams}, title = {{Hive ransomware ports its Linux VMware ESXi encryptor to Rust}}, date = {2022-03-27}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/}, language = {English}, urldate = {2022-03-29} } @online{abrams:20220401:week:14d9669, author = {Lawrence Abrams}, title = {{The Week in Ransomware - April 1st 2022 - 'I can fight with a keyboard'}}, date = {2022-04-01}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/}, language = {English}, urldate = {2022-04-05} } @online{abrams:20220409:hackers:0a9cea8, author = {Lawrence Abrams}, title = {{Hackers use Conti's leaked ransomware to attack Russian companies}}, date = {2022-04-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hackers-use-contis-leaked-ransomware-to-attack-russian-companies/}, language = {English}, urldate = {2022-05-05} } @online{abrams:20220426:american:621959c, author = {Lawrence Abrams}, title = {{American Dental Association hit by new Black Basta ransomware}}, date = {2022-04-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/american-dental-association-hit-by-new-black-basta-ransomware/}, language = {English}, urldate = {2022-05-03} } @online{abrams:20220430:fake:a553f90, author = {Lawrence Abrams}, title = {{Fake Windows 10 updates infect you with Magniber ransomware}}, date = {2022-04-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fake-windows-10-updates-infect-you-with-magniber-ransomware/}, language = {English}, urldate = {2022-05-03} } @online{abrams:20220501:revil:0d6a35a, author = {Lawrence Abrams}, title = {{REvil ransomware returns: New malware sample confirms gang is back}}, date = {2022-05-01}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/revil-ransomware-returns-new-malware-sample-confirms-gang-is-back/}, language = {English}, urldate = {2022-05-03} } @online{abrams:20220515:fake:13bfa09, author = {Lawrence Abrams}, title = {{Fake Pixelmon NFT site infects you with password-stealing malware}}, date = {2022-05-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fake-pixelmon-nft-site-infects-you-with-password-stealing-malware/}, language = {English}, urldate = {2022-05-17} } @online{abrams:20220609:roblox:19b3f09, author = {Lawrence Abrams}, title = {{Roblox Game Pass store used to sell ransomware decryptor}}, date = {2022-06-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/roblox-game-pass-store-used-to-sell-ransomware-decryptor/}, language = {English}, urldate = {2022-06-10} } @online{abusech:20130118:feodo:5354db0, author = {abuse.ch}, title = {{Feodo Tracker}}, date = {2013-01-18}, organization = {abuse.ch}, url = {https://feodotracker.abuse.ch/?filter=version_e}, language = {English}, urldate = {2020-01-13} } @online{abusech:2018:feodo:3a9a017, author = {abuse.ch}, title = {{Feodo Tracker}}, date = {2018}, organization = {abuse.ch}, url = {https://feodotracker.abuse.ch/}, language = {English}, urldate = {2019-11-17} } @online{abusech:20210321:vjw0rm:d90bf99, author = {abuse.ch}, title = {{Vjw0rm malware samples}}, date = {2021-03-21}, organization = {abuse.ch}, url = {https://bazaar.abuse.ch/browse/signature/Vjw0rm/}, language = {English}, urldate = {2021-03-22} } @online{abusech:20210806:zgrat:bfbf906, author = {abuse.ch}, title = {{zgRAT malware samples}}, date = {2021-08-06}, organization = {abuse.ch}, url = {https://bazaar.abuse.ch/browse/signature/zgRAT/}, language = {English}, urldate = {2021-08-06} } @online{abusech:20210828:malwarebazaar:d3dbedb, author = {abuse.ch}, title = {{MalwareBazaar | GCleaner}}, date = {2021-08-28}, organization = {abuse.ch}, url = {https://bazaar.abuse.ch/browse/signature/GCleaner/}, language = {English}, urldate = {2021-08-31} } @online{abusech:20211104:malwarebazaar:27b4390, author = {abuse.ch}, title = {{MalwareBazaar Report for Misha sample}}, date = {2021-11-04}, organization = {MalwareBazaar}, url = {https://bazaar.abuse.ch/sample/efab8bfe43de6edf96f9451a5a2cc15017cfc5c88f81b46b33e6ba5c7e2d7a7b/}, language = {English}, urldate = {2021-11-09} } @online{abusech:20220123:nw0rm:3ff0a18, author = {abuse.ch}, title = {{N-W0rm malware samples}}, date = {2022-01-23}, organization = {abuse.ch}, url = {https://bazaar.abuse.ch/browse/tag/N-W0rm/}, language = {English}, urldate = {2022-01-25} } @online{abuseio:20190504:abuseio:d5062ca, author = {Abuse.io}, title = {{Abuse.io Report - Lockergoga}}, date = {2019-05-04}, organization = {Abuse.io}, url = {https://www.abuse.io/lockergoga.txt}, language = {English}, urldate = {2020-01-07} } @online{acalvio:20180613:lateral:ab17115, author = {Team Acalvio}, title = {{Lateral Movement Technique Employed by Hidden Cobra}}, date = {2018-06-13}, organization = {Acalvio}, url = {https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/}, language = {English}, urldate = {2020-01-13} } @online{accenture:2018:hogfish:4bd6290, author = {Accenture}, title = {{HOGFISH REDLEAVES CAMPAIGN}}, date = {2018}, organization = {Accenture}, url = {http://blog.alyac.co.kr/1853}, language = {English}, urldate = {2020-01-06} } @online{accenture:20211210:karakurt:5bb6d9c, author = {Accenture}, title = {{Karakurt rises from its lair}}, date = {2021-12-10}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/karakurt-threat-mitigation}, language = {English}, urldate = {2021-12-15} } @techreport{accenture:20220415:global:7244169, author = {Accenture}, title = {{Global Incident Report: Russia-Ukraine Crisis}}, date = {2022-04-15}, institution = {Accenture}, url = {https://acn-marketing-blog.accenture.com/wp-content/uploads/2022/04/Global-incident-report-Russia-Ukraine-Crisis-April-14.pdf}, language = {English}, urldate = {2022-04-20} } @online{ackerman:20181221:overruled:74ac7b4, author = {Geoff Ackerman and Rick Cole and Andrew Thompson and Alex Orleans and Nick Carr}, title = {{OVERRULED: Containing a Potentially Destructive Adversary}}, date = {2018-12-21}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html}, language = {English}, urldate = {2019-12-20} } @online{ackerman:20190821:taking:3b8daac, author = {Pascal Ackerman}, title = {{Taking a Closer Look at the LookBack Malware Campaign – Part 1}}, date = {2019-08-21}, organization = {Threatgen}, url = {https://threatgen.com/taking-a-closer-look-at-the-lookback-malware-campaign-part-1/}, language = {English}, urldate = {2020-01-13} } @online{ackerman:20220328:forged:3105d8e, author = {Geoff Ackerman and Tufail Ahmed and James Maclachlan and Dallin Warne and John Wolfram and Brandon Wilbur}, title = {{Forged in Fire: A Survey of MobileIron Log4Shell Exploitation}}, date = {2022-03-28}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/mobileiron-log4shell-exploitation}, language = {English}, urldate = {2022-03-30} } @online{acpenw:20210522:lessons:6747f56, author = {YouTube (ACPEnw)}, title = {{Lessons Learned from a Cyber Attack System Admin Perspective}}, date = {2021-05-22}, organization = {Youtube (ACPEnw)}, url = {https://www.youtube.com/watch?v=HwfRxjV2wok}, language = {English}, urldate = {2021-06-21} } @online{acsc:20200523:summary:32bbf2b, author = {Australian Cyber Security Centre (ACSC)}, title = {{Summary of Tradecraft Trends for 2019-20: Tactics, Techniques and Procedures Used to Target Australian Networks}}, date = {2020-05-23}, organization = {Australian Cyber Security Centre}, url = {https://www.cyber.gov.au/threats/summary-of-tradecraft-trends-for-2019-20-tactics-techniques-and-procedures-used-to-target-australian-networks}, language = {English}, urldate = {2020-05-23} } @techreport{acsc:20200618:advisory:ed0f53c, author = {Australian Cyber Security Centre (ACSC)}, title = {{Advisory 2020-008: Copy-Paste Compromises –tactics, techniques and procedures used to target multiple Australian networks}}, date = {2020-06-18}, institution = {Australian Cyber Security Centre}, url = {https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf}, language = {English}, urldate = {2020-06-19} } @online{acsc:20200619:advisory:bfa3598, author = {Australian Cyber Security Centre (ACSC)}, title = {{Advisory 2020-008: Copy-paste compromises - tactics, techniques and procedures used to target multiple Australian networks}}, date = {2020-06-19}, organization = {Australian Signals Directorate}, url = {https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks}, language = {English}, urldate = {2022-04-20} } @online{acsc:20200619:copypaste:3df3d7e, author = {Australian Cyber Security Centre (ACSC)}, title = {{Copy-paste compromises}}, date = {2020-06-19}, organization = {ACSC}, url = {https://www.cyber.gov.au/acsc/view-all-content/alerts/copy-paste-compromises}, language = {English}, urldate = {2022-04-25} } @online{acsc:20201112:biotech:edf0f4a, author = {Australian Cyber Security Centre (ACSC)}, title = {{Biotech research firm Miltenyi Biotec hit by ransomware, data leaked}}, date = {2020-11-12}, organization = {Australian Cyber Security Centre}, url = {https://www.cyber.gov.au/acsc/view-all-content/alerts/sdbbot-targeting-health-sector}, language = {English}, urldate = {2020-11-18} } @techreport{acsc:20210508:2021003:ac0c913, author = {Australian Cyber Security Centre (ACSC)}, title = {{2021-003: Ongoing campaign using Avaddon Ransomware}}, date = {2021-05-08}, institution = {Australian Signals Directorate}, url = {https://www.cyber.gov.au/sites/default/files/2021-05/2021-003%20Ongoing%20campaign%20using%20Avaddon%20Ransomware%20-%2020210508.pdf}, language = {English}, urldate = {2021-05-11} } @online{action09:20181116:c0ld:89e6c06, author = {Action09}, title = {{(C)0ld Case : From Aerospace to China’s interests.}}, date = {2018-11-16}, organization = {CyberThreatIntelligence Blog}, url = {https://cyberthreatintelligenceblog.wordpress.com/2018/11/16/c0ld-case-from-aerospace-to-chinas-interests/}, language = {English}, urldate = {2020-01-07} } @online{actiondan:20180219:intro:0d978b0, author = {ActionDan}, title = {{Intro to Using GScript for Red Teams}}, date = {2018-02-19}, url = {http://lockboxx.blogspot.com/2018/02/intro-to-using-gscript-for-red-teams.html}, language = {English}, urldate = {2019-12-20} } @online{actions:20210512:executive:b437939, author = {Presidential Actions}, title = {{Executive Order on Improving the Nation’s Cybersecurity}}, date = {2021-05-12}, organization = {THE WHITE HOUSE}, url = {https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/}, language = {English}, urldate = {2021-05-13} } @online{adair:20161109:powerduke:335bceb, author = {Steven Adair}, title = {{PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs}}, date = {2016-11-09}, organization = {Volexity}, url = {https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/}, language = {English}, urldate = {2019-12-24} } @online{adair:20201106:oceanlotus:f7b11ac, author = {Steven Adair and Thomas Lancaster and Volexity Threat Research}, title = {{OceanLotus: Extending Cyber Espionage Operations Through Fake Websites}}, date = {2020-11-06}, organization = {Volexity}, url = {https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/}, language = {English}, urldate = {2020-11-09} } @online{adair:20220203:operation:fd96d5c, author = {Steven Adair and Thomas Lancaster}, title = {{Operation EmailThief: Active Exploitation of Zero-day XSS Vulnerability in Zimbra}}, date = {2022-02-03}, organization = {Volexity}, url = {https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/}, language = {English}, urldate = {2022-02-07} } @online{adair:20220615:driftingcloud:58322a8, author = {Steven Adair and Thomas Lancaster and Volexity Threat Research}, title = {{DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach}}, date = {2022-06-15}, organization = {Volexity}, url = {https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/}, language = {English}, urldate = {2022-06-17} } @online{adamitis:20181105:persian:5adf8c2, author = {Danny Adamitis and Warren Mercer and Paul Rascagnères and Vitor Ventura and Eric Kuhla}, title = {{Persian Stalker pillages Iranian users of Instagram and Telegram}}, date = {2018-11-05}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2018/11/persian-stalker.html}, language = {English}, urldate = {2019-11-27} } @online{adamitis:20190417:dns:0146532, author = {Danny Adamitis and David Maynor and Warren Mercer and Matthew Olney and Paul Rascagnères}, title = {{DNS Hijacking Abuses Trust In Core Internet Service}}, date = {2019-04-17}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/04/seaturtle.html}, language = {English}, urldate = {2020-01-09} } @online{adamitis:20190520:recent:4bb543f, author = {Danny Adamitis and David Maynor and Kendall McKay}, title = {{Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques}}, date = {2019-05-20}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html}, language = {English}, urldate = {2020-01-07} } @online{adamitis:20190709:sea:62515b8, author = {Danny Adamitis and Paul Rascagnères}, title = {{Sea Turtle Keeps on Swimming}}, date = {2019-07-09}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2019/07/sea-turtle-keeps-on-swimming.html}, language = {English}, urldate = {2020-06-08} } @online{adamitis:20190911:autumn:8bec4cb, author = {Danny Adamitis and Elizabeth Wharton}, title = {{Autumn Aperture}}, date = {2019-09-11}, organization = {Prevailion}, url = {https://blog.prevailion.com/2019/09/autumn-aperture-report.html}, language = {English}, urldate = {2020-06-08} } @online{adamitis:20200107:summer:637a53f, author = {Danny Adamitis}, title = {{Summer Mirage}}, date = {2020-01-07}, organization = {Prevailion}, url = {https://blog.prevailion.com/2020/01/summer-mirage.html}, language = {English}, urldate = {2020-01-12} } @online{adamitis:20200206:triune:ada8ad3, author = {Danny Adamitis}, title = {{The Triune Threat: MasterMana Returns}}, date = {2020-02-06}, organization = {Prevailion}, url = {https://blog.prevailion.com/2020/02/the-triune-threat-mastermana-returns.html}, language = {English}, urldate = {2020-04-13} } @online{adamitis:20200506:phantom:2a752f7, author = {Danny Adamitis}, title = {{Phantom in the Command Shell}}, date = {2020-05-06}, organization = {Prevailion}, url = {https://blog.prevailion.com/2020/05/phantom-in-command-shell5.html}, language = {English}, urldate = {2020-05-07} } @online{adamitis:20200605:gh0st:849c227, author = {Danny Adamitis}, title = {{The Gh0st Remains the Same}}, date = {2020-06-05}, organization = {Prevailion}, url = {https://blog.prevailion.com/2020/06/the-gh0st-remains-same8.html}, language = {English}, urldate = {2020-06-08} } @online{adamitis:20220105:new:4342d69, author = {Danny Adamitis and Steve Rudd}, title = {{New Konni Campaign Kicks Off the New Year by Targeting Russian Ministry of Foreign Affairs}}, date = {2022-01-05}, organization = {Lumen}, url = {https://blog.lumen.com/new-konni-campaign-targeting-russian-ministry-of-foreign-affairs/}, language = {English}, urldate = {2022-01-25} } @online{adamov:20170502:targeted:31454f7, author = {Alexander Adamov}, title = {{Targeted attack against the Ukrainian military}}, date = {2017-05-02}, url = {https://nioguard.blogspot.de/2017/05/targeted-attack-against-ukrainian.html}, language = {English}, urldate = {2019-12-17} } @techreport{adams:20161207:trickbot:fc3427c, author = {Joshua Adams}, title = {{The TrickBot Evolution}}, date = {2016-12-07}, institution = {Botconf}, url = {https://www.botconf.eu/wp-content/uploads/2016/11/2016-LT09-TrickBot-Adams.pdf}, language = {English}, urldate = {2020-01-09} } @online{adamtheanalyst:20210628:suspected:a9109b3, author = {AdamTheAnalyst}, title = {{Tweet on suspected REvil exfiltration (over RClone FTP) server}}, date = {2021-06-28}, organization = {Twitter (@AdamTheAnalyst)}, url = {https://twitter.com/AdamTheAnalyst/status/1409499591452639242?s=20}, language = {English}, urldate = {2021-06-29} } @online{adetomiwa:20220204:static:86b3c83, author = {Adetomiwa}, title = {{Static analysis of Goldenhelper Malware (Golden Tax malware)}}, date = {2022-02-04}, organization = {Medium tomiwa-xy}, url = {https://tomiwa-xy.medium.com/static-analysis-of-goldenhelper-malware-golden-tax-malware-d9f85a88e74d}, language = {English}, urldate = {2022-02-17} } @online{adlab:20210616:apt34:4697e7c, author = {ADLab}, title = {{APT34 organization latest in-depth analysis report on attack activities}}, date = {2021-06-16}, organization = {Venustech}, url = {https://mp.weixin.qq.com/s/o_EVjBVN2sQ1q7cl4rUXoQ}, language = {Chinese}, urldate = {2021-06-21} } @online{admin001:20191120:shadow:49b26ff, author = {admin001}, title = {{Shadow of the Circle Hovering Over Central Asia - The Golden Eagle (APT-C-34) Organizing Attack Revealed}}, date = {2019-11-20}, organization = {360}, url = {http://blogs.360.cn/post/APT-C-34_Golden_Falcon.html}, language = {English}, urldate = {2020-01-10} } @online{adobe:20210209:adobe:02148d5, author = {Adobe}, title = {{Adobe Security Bulletin for 0-day CVE-2021-21017 (exploited ITW)}}, date = {2021-02-09}, organization = {Adobe}, url = {https://helpx.adobe.com/security/products/acrobat/apsb21-09.html}, language = {English}, urldate = {2021-02-10} } @techreport{advisory:20200528:sandworm:d509ae5, author = {Cybersecurity Advisory}, title = {{Sandworm Actors Exploiting Vulnerability in EXIM Mail Transfer Agent}}, date = {2020-05-28}, institution = {National Security Agency}, url = {https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf}, language = {English}, urldate = {2020-05-29} } @online{affairs:20140202:us:872a22b, author = {Office of Public Affairs}, title = {{U.S. Leads Multi-National Action Against “Gameover Zeus” Botnet and “Cryptolocker” Ransomware, Charges Botnet Administrator}}, date = {2014-02-02}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware}, language = {English}, urldate = {2020-01-08} } @online{affairs:20170328:russian:e9c593c, author = {Office of Public Affairs}, title = {{Russian Citizen Pleads Guilty for Involvement in Global Botnet Conspiracy}}, date = {2017-03-28}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/russian-citizen-pleads-guilty-involvement-global-botnet-conspiracy}, language = {English}, urldate = {2020-01-07} } @online{affairs:20180523:justice:806d785, author = {Office of Public Affairs}, title = {{Justice Department Announces Actions to Disrupt Advanced Persistent Threat 28 Botnet of Infected Routers and Network Storage Devices}}, date = {2018-05-23}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected}, language = {English}, urldate = {2020-01-06} } @online{affairs:20180906:north:9b30dd0, author = {Office of Public Affairs}, title = {{North Korean Regime-Backed Programmer Charged With Conspiracy to Conduct Multiple Cyber Attacks and Intrusions}}, date = {2018-09-06}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and}, language = {English}, urldate = {2020-01-07} } @online{affairs:20181128:two:9032b25, author = {Office of Public Affairs}, title = {{Two Iranian Men Indicted for Deploying Ransomware to Extort Hospitals, Municipalities, and Public Institutions, Causing Over $30 Million in Losses}}, date = {2018-11-28}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/two-iranian-men-indicted-deploying-ransomware-extort-hospitals-municipalities-and-public}, language = {English}, urldate = {2020-01-08} } @online{affairs:20190213:former:3518c47, author = {Office of Public Affairs}, title = {{Former U.S. Counterintelligence Agent Charged With Espionage on Behalf of Iran; Four Iranians Charged With a Cyber Campaign Targeting Her Former Colleagues}}, date = {2019-02-13}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/former-us-counterintelligence-agent-charged-espionage-behalf-iran-four-iranians-charged-cyber}, language = {English}, urldate = {2019-10-14} } @online{affairs:20190411:two:8ce139a, author = {Office of Public Affairs}, title = {{Two Romanian Cybercriminals Convicted of All 21 Counts Relating to Infecting Over 400,000 Victim Computers with Malware and Stealing Millions of Dollars}}, date = {2019-04-11}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/two-romanian-cybercriminals-convicted-all-21-counts-relating-infecting-over-400000-victim}, language = {English}, urldate = {2019-10-13} } @online{affairs:20190516:goznym:714f938, author = {Office of Public Affairs}, title = {{GozNym Cyber-Criminal Network Operating out of Europe Targeting American Entities Dismantled in International Operation}}, date = {2019-05-16}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/goznym-cyber-criminal-network-operating-out-europe-targeting-american-entities-dismantled}, language = {English}, urldate = {2020-01-08} } @online{affairs:20210507:four:8efdc7e, author = {Office of Public Affairs}, title = {{Four Individuals Plead Guilty to RICO Conspiracy Involving “Bulletproof Hosting” for Cybercriminals}}, date = {2021-05-07}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/four-individuals-plead-guilty-rico-conspiracy-involving-bulletproof-hosting-cybercriminals}, language = {English}, urldate = {2021-05-11} } @online{affairs:20210601:justice:1ed9656, author = {Office of Public Affairs}, title = {{Justice Department Announces Court-Authorized Seizure of Domain Names Used in Furtherance of Spear-Phishing Campaign Posing as U.S. Agency for International Development}}, date = {2021-06-01}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-seizure-domain-names-used-furtherance-spear}, language = {English}, urldate = {2021-06-09} } @online{affairs:20210604:latvian:4403f09, author = {Office of Public Affairs}, title = {{Latvian National Charged for Alleged Role in Transnational Cybercrime Organization}}, date = {2021-06-04}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/latvian-national-charged-alleged-role-transnational-cybercrime-organization}, language = {English}, urldate = {2021-06-16} } @online{affairs:20210607:department:d8a05d5, author = {Office of Public Affairs}, title = {{Department of Justice Seizes $2.3 Million in Cryptocurrency Paid to the Ransomware Extortionists Darkside}}, date = {2021-06-07}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside}, language = {English}, urldate = {2021-06-09} } @online{affairs:20210616:russian:42a61cf, author = {Office of Public Affairs}, title = {{Russian National Convicted of Charges Relating to Kelihos Botnet}}, date = {2021-06-16}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/russian-national-convicted-charges-relating-kelihos-botnet}, language = {English}, urldate = {2021-06-21} } @online{affairs:20210624:highlevel:28f0725, author = {Office of Public Affairs}, title = {{High-Level Member of Hacking Group Sentenced to Prison for Scheme that Compromised Tens of Millions of Debit and Credit Cards}}, date = {2021-06-24}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/high-level-member-hacking-group-sentenced-prison-scheme-compromised-tens-millions-debit-and}, language = {English}, urldate = {2021-06-29} } @online{affairs:20210719:four:083a598, author = {Office of Public Affairs}, title = {{Four Chinese Nationals Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including Infectious Disease Research}}, date = {2021-07-19}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/four-chinese-nationals-working-ministry-state-security-charged-global-computer-intrusion}, language = {English}, urldate = {2021-07-26} } @online{affairs:20220309:sodinokibirevil:7c18d03, author = {Office of Public Affairs}, title = {{Sodinokibi/REvil Ransomware Defendant Extradited to United States and Arraigned in Texas}}, date = {2022-03-09}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/sodinokibirevil-ransomware-defendant-extradited-united-states-and-arraigned-texas}, language = {English}, urldate = {2022-03-10} } @online{affairs:20220324:americas:024ab10, author = {U.S. Senate Committee on Homeland Security & Governmental Affairs}, title = {{America's Data Held Hostage: Case Studies in Ransomware Attacks on American Companies}}, date = {2022-03-24}, organization = {United States Senate}, url = {https://www.documentcloud.org/documents/21505031-hgsac-staff-report-americas-data-held-hostage-032422}, language = {English}, urldate = {2022-03-25} } @online{affairs:20220324:new:bfc2f76, author = {U.S. Senate Committee on Homeland Security & Governmental Affairs}, title = {{New Portman Report Demonstrates Threat Ransomware Presents to the United States}}, date = {2022-03-24}, organization = {United States Senate}, url = {https://www.hsgac.senate.gov/media/minority-media/new-portman-report-demonstrates-threat-ransomware-presents-to-the-united-states}, language = {English}, urldate = {2022-03-25} } @online{ag:20201215:greetings:452ef44, author = {HvS-Consulting AG}, title = {{Greetings from Lazarus: Anatomy of a cyber espionage campaign}}, date = {2020-12-15}, organization = {HvS-Consulting AG}, url = {https://www.hvs-consulting.de/lazarus-report/}, language = {English}, urldate = {2021-01-21} } @techreport{ag:20201215:greetings:a5b59d9, author = {HvS-Consulting AG}, title = {{Greetings from Lazarus Anatomy of a cyber espionage campaign}}, date = {2020-12-15}, institution = {HvS-Consulting AG}, url = {https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf}, language = {English}, urldate = {2020-12-16} } @online{ag:20210107:lazarus:963b364, author = {HvS-Consulting AG}, title = {{Lazarus / APT37 IOCs}}, date = {2021-01-07}, organization = {Github (hvs-consulting)}, url = {https://github.com/hvs-consulting/ioc_signatures/tree/main/Lazarus_APT37}, language = {English}, urldate = {2021-01-21} } @techreport{ag:20220214:fallout:c2111fe, author = {HvS-Consulting AG}, title = {{The APT Fallout of Vulnerabilities such as ProxyLogon, OGNL Injection, and log4shell}}, date = {2022-02-14}, institution = {}, url = {https://www.hvs-consulting.de/public/ThreatReport-EmissaryPanda.pdf}, language = {English}, urldate = {2022-02-16} } @online{agarwal:20210726:from:71cb8dd, author = {Kabir Agarwal and Sangeeta Barooah Pisharoty}, title = {{From Army and BSF to RAW, Spyware Threat Touched National Security Field Too}}, date = {2021-07-26}, organization = {The Wire}, url = {https://thewire.in/government/indian-army-bsf-raw-pegasus-spyware-threat}, language = {English}, urldate = {2021-08-02} } @online{agcaoili:20210427:hello:b3c5de5, author = {Janus Agcaoili}, title = {{Hello Ransomware Uses Updated China Chopper Web Shell, SharePoint Vulnerability}}, date = {2021-04-27}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/d/hello-ransomware-uses-updated-china-chopper-web-shell-sharepoint-vulnerability.html}, language = {English}, urldate = {2021-04-29} } @online{agcaoili:20210427:legitimate:b293526, author = {Janus Agcaoili and Earle Earnshaw}, title = {{Legitimate Tools Weaponized for Ransomware in 2021}}, date = {2021-04-27}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021}, language = {English}, urldate = {2021-05-03} } @online{agcaoili:20210615:ransomware:41013af, author = {Janus Agcaoili and Miguel Ang and Earle Earnshaw and Byron Gelera and Nikko Tamana}, title = {{Ransomware Double Extortion and Beyond: REvil, Clop, and Conti}}, date = {2021-06-15}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti}, language = {English}, urldate = {2021-06-21} } @online{agency:20191025:qsnatch:9631c95, author = {Finnish Transport & Communications Agency}, title = {{QSnatch - Malware designed for QNAP NAS devices}}, date = {2019-10-25}, organization = {Finnish Transport & Communications Agency}, url = {https://www.kyberturvallisuuskeskus.fi/en/news/qsnatch-malware-designed-qnap-nas-devices}, language = {English}, urldate = {2020-01-10} } @techreport{agency:20200813:russian:c0ae2d5, author = {National Security Agency and Federal Bureau of Investigation}, title = {{Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware}}, date = {2020-08-13}, institution = {National Security Agency}, url = {https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF}, language = {English}, urldate = {2020-08-14} } @techreport{agency:202008:finspy:9de4cba, author = {Defensive Lab Agency}, title = {{FinSpy Android Technical Analysis}}, date = {2020-08}, institution = {Defensive Lab Agency}, url = {https://raw.githubusercontent.com/DefensiveLabAgency/FinSpy-for-Android/master/20200806_finspy_android_analysis_public_release.pdf}, language = {English}, urldate = {2020-10-02} } @techreport{agency:20201020:chinese:73ad10e, author = {National Security Agency}, title = {{Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities}}, date = {2020-10-20}, institution = {National Security Agency}, url = {https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF}, language = {English}, urldate = {2020-10-23} } @online{agman:20200817:uncover:948e868, author = {Yaniv Agman}, title = {{Uncover Malware Payload Executions Automatically with Tracee}}, date = {2020-08-17}, organization = {Aqua}, url = {https://blog.aquasec.com/ebpf-container-tracing-malware-detection}, language = {English}, urldate = {2020-08-21} } @online{agu:20201209:yara:12fa707, author = {Anyasor Chukwuemeka Agu}, title = {{Yara Rules + Assembly == ??}}, date = {2020-12-09}, organization = {Linkedin}, url = {https://www.linkedin.com/pulse/yara-rules-assembly-emeka-agu?trk=public_profile_article_view}, language = {English}, urldate = {2021-10-05} } @techreport{ahinkaya:20200828:cerberus:5575c7b, author = {Ali Rıza Şahinkaya and Can Atakan Işık and Rıdvan Ethem Canavar}, title = {{Cerberus Banking Trojan Analysis}}, date = {2020-08-28}, institution = {CYBER WISE}, url = {https://www.biznet.com.tr/wp-content/uploads/2020/08/Cerberus.pdf}, language = {English}, urldate = {2020-09-03} } @online{ahinkaya:20200831:cerberus:ecd6606, author = {Ali Rıza Şahinkaya and Can Atakan Işık and Rıdvan Ethem Canavar}, title = {{Cerberus Banking Trojan Research}}, date = {2020-08-31}, organization = {Github (ics-iot-bootcamp)}, url = {https://github.com/ics-iot-bootcamp/cerberus_research}, language = {English}, urldate = {2020-09-21} } @online{ahl:20130807:breaking:aff06e9, author = {Ian Ahl and Tony Lee and Dennis Hanzlik}, title = {{Breaking Down the China Chopper Web Shell - Part I}}, date = {2013-08-07}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html}, language = {English}, urldate = {2019-12-20} } @online{ahl:20170606:privileges:9598d5f, author = {Ian Ahl}, title = {{Privileges and Credentials: Phished at the Request of Counsel}}, date = {2017-06-06}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html}, language = {English}, urldate = {2019-12-20} } @online{ahn:20190304:kimsuky:e84d908, author = {Chang-Yong Ahn}, title = {{Kimsuky}}, date = {2019-03-04}, organization = {AhnLab}, url = {https://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?menu_dist=2&curPage=1&seq=28102}, language = {Korean}, urldate = {2019-10-23} } @online{ahnlab:20180330:magniber:5d13799, author = {AhnLab}, title = {{Magniber}}, date = {2018-03-30}, organization = {AhnLab}, url = {http://asec.ahnlab.com/1124}, language = {English}, urldate = {2019-07-09} } @techreport{ahnlab:20180623:full:dced6a4, author = {AhnLab}, title = {{Full Discloser of Andariel, A Subgroup of Lazarus Threat Group}}, date = {2018-06-23}, institution = {AhnLab}, url = {https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]Andariel_a_Subgroup_of_Lazarus%20(3).pdf}, language = {English}, urldate = {2019-12-24} } @techreport{ahnlab:20180625:asec:dcc35cb, author = {AhnLab}, title = {{ASEC Report vol. 91 (2018)}}, date = {2018-06-25}, institution = {AhnLab}, url = {http://image.ahnlab.com/file_upload/asecissue_files/ASEC%20REPORT_vol.91.pdf}, language = {Korean}, urldate = {2020-01-10} } @techreport{ahnlab:20190221:operation:3e3c720, author = {AhnLab}, title = {{Operation Kabar Cobra}}, date = {2019-02-21}, institution = {AhnLab}, url = {http://download.ahnlab.com/kr/site/library/%5bAnalysis_Report%5dOperation_Kabar_Cobra.pdf}, language = {Korean}, urldate = {2019-12-02} } @techreport{ahnlab:20200302:analysis:c0c47c3, author = {AhnLab}, title = {{Analysis Report: MyKings Botnet}}, date = {2020-03-02}, institution = {AhnLab}, url = {http://download.ahnlab.com/kr/site/library/[AhnLab]Analysis%20Report_MyKings%20Botnet.pdf}, language = {Korean}, urldate = {2020-03-04} } @online{ahnlab:20200406:shadow:450342b, author = {AhnLab}, title = {{Shadow Force behind normal certificate reveals seven years}}, date = {2020-04-06}, organization = {AhnLab}, url = {https://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?curPage=1&menu_dist=2&seq=29129}, language = {Korean}, urldate = {2020-05-18} } @online{ahnlab:20210628:cryptbot:6d593f3, author = {AhnLab}, title = {{CryptBot Info-stealer Malware Being Distributed in Different Forms}}, date = {2021-06-28}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/24423/}, language = {English}, urldate = {2022-04-07} } @online{ahuje:20220127:new:3b60ed4, author = {Manoj Ahuje}, title = {{New Docker Cryptojacking Attempts Detected Over 2021 End-of-Year Holidays}}, date = {2022-01-27}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/new-docker-cryptojacking-attempts-detected-over-2021-holidays/}, language = {English}, urldate = {2022-02-01} } @online{ahuje:20220421:lemonduck:6b61d01, author = {Manoj Ahuje}, title = {{LemonDuck Targets Docker for Cryptomining Operations}}, date = {2022-04-21}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/}, language = {English}, urldate = {2022-04-24} } @online{ai:20210804:what:2c27f4a, author = {Cybots AI}, title = {{What Is Lemon Duck Attack?}}, date = {2021-08-04}, url = {https://cybotsai.com/lemon-duck-attack/}, language = {English}, urldate = {2022-02-19} } @online{ai:20211216:road:a658d43, author = {CyCraft AI}, title = {{The Road to Ransomware Resilience, Part One: The State of Ransomware}}, date = {2021-12-16}, organization = {CyCraft}, url = {https://medium.com/cycraft/the-road-to-ransomware-resilience-24f8f82c1b6}, language = {English}, urldate = {2022-03-02} } @online{ai:20220124:road:2070066, author = {CyCraft AI}, title = {{The Road to Ransomware Resilience, Part 2: Behavior Analysis}}, date = {2022-01-24}, organization = {CyCraft}, url = {https://medium.com/cycraft/the-road-to-ransomware-resilience-c1ca37036efd}, language = {English}, urldate = {2022-03-02} } @online{ai:20220221:indepth:73e8778, author = {CyCraft AI}, title = {{An in-depth analysis of the Operation Cache Panda organized supply chain attack on Taiwan's financial industry}}, date = {2022-02-21}, organization = {CyCraft}, url = {https://medium.com/cycraft/supply-chain-attack-targeting-taiwan-financial-sector-bae2f0962934}, language = {Chinese}, urldate = {2022-02-26} } @online{aime:20200323:fin7:66bea6f, author = {Félix Aime and Yury Namestnikov}, title = {{Fin7 APT: how billion dollar crime ring remains active after leaders’ arrest}}, date = {2020-03-23}, organization = {Kaspersky Labs}, url = {https://www.brighttalk.com/webcast/15591/382191/fin7-apt-how-billion-dollar-crime-ring-remains-active-after-leaders-arrest}, language = {English}, urldate = {2020-04-07} } @online{ajjan:20130305:russian:4bb6a48, author = {Anand Ajjan}, title = {{Russian ransomware takes advantage of Windows PowerShell}}, date = {2013-03-05}, organization = {Sophos Naked Security}, url = {https://nakedsecurity.sophos.com/2013/03/05/russian-ransomware-windows-powershell/}, language = {English}, urldate = {2020-01-27} } @online{ak1001:20210703:analyzing:65452fa, author = {AK1001}, title = {{Analyzing Cobalt Strike PowerShell Payload}}, date = {2021-07-03}, organization = {Medium AK1001}, url = {https://ak100117.medium.com/analyzing-cobalt-strike-powershell-payload-64d55ed3521b}, language = {English}, urldate = {2022-01-31} } @techreport{akamai:20160404:threat:14239df, author = {Akamai}, title = {{Threat Advisory: “BillGates” Botnet}}, date = {2016-04-04}, institution = {Akamai}, url = {https://www.akamai.com/kr/ko/multimedia/documents/state-of-the-internet/bill-gates-botnet-threat-advisory.pdf}, language = {English}, urldate = {2020-01-07} } @techreport{akamai:20161001:kaitenstd:40de1e6, author = {Akamai}, title = {{Kaiten/STD router DDoS Malware}}, date = {2016-10-01}, institution = {Akamai}, url = {https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/kaiten-std-router-ddos-malware-threat-advisory.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{akamei:20171016:upnproxy:044596d, author = {Akamei}, title = {{UPnProxy: Blackhat Proxies via NAT Injections}}, date = {2017-10-16}, institution = {Akamai}, url = {https://www.akamai.com/uk/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf}, language = {English}, urldate = {2019-12-10} } @techreport{akbanov:201901:wannacry:60d302c, author = {Maxat Akbanov and Vassilios G. Vassilakis and Michael D. Logothetis}, title = {{WannaCry Ransomware: Analysis of Infection, Persistence, Recovery Prevention and Propagation Mechanisms}}, date = {2019-01}, institution = {Journal of Telecommunications and Information Technology}, url = {https://www.il-pib.pl/czasopisma/JTIT/2019/1/113.pdf}, language = {English}, urldate = {2021-01-11} } @online{akhtar:20220303:threat:533eac8, author = {Syed Hasan Akhtar}, title = {{Threat Hunting for Malicious PowerShell Usage in Gigasheet}}, date = {2022-03-03}, organization = {gigasheet}, url = {https://www.gigasheet.co/post/threat-hunting-for-malicious-powershell-usage-in-gigasheet}, language = {English}, urldate = {2022-03-07} } @techreport{akinci:20210727:diamondfox:f648c5c, author = {Abdulsamet Akinci}, title = {{Diamondfox Technical Analysis Report}}, date = {2021-07-27}, institution = {ZAYOTEM}, url = {https://github.com/samoceyn/Diamondfox-Technical-Analysis-Report/blob/6375314ccecdf3fe450f975a384bcc1b16f068a8/D%C4%B0AMONDFOX%20Technical%20Analysis%20Report.PDF}, language = {English}, urldate = {2021-08-24} } @online{albassam:20160816:equation:e185e6b, author = {Mustafa Al-Bassam}, title = {{Equation Group firewall operations catalogue}}, date = {2016-08-16}, url = {https://musalbas.com/blog/2016/08/16/equation-group-firewall-operations-catalogue.html}, language = {English}, urldate = {2019-11-20} } @online{albors:20151216:nemucod:b1c1305, author = {Josep Albors}, title = {{Nemucod malware spreads ransomware Teslacrypt around the world}}, date = {2015-12-16}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2015/12/16/nemucod-malware-spreads-ransomware-teslacrypt-around-world/}, language = {English}, urldate = {2019-11-14} } @online{alert:20191203:threat:f7b8cb6, author = {Red Alert}, title = {{THREAT ACTOR TARGETING HONG KONG PRO-DEMOCRACY FIGURES}}, date = {2019-12-03}, organization = {NSHC}, url = {https://redalert.nshc.net/2019/12/03/threat-actor-targeting-hong-kong-activists}, language = {English}, urldate = {2020-06-03} } @techreport{alert:201912:cybercrime:b12d39c, author = {Visa Security Alert}, title = {{Cybercrime Groups (FIN8) Targeting Fuel Dispenser Merchants}}, date = {2019-12}, institution = {VISA}, url = {https://usa.visa.com/dam/VCOM/global/support-legal/documents/cybercrime-groups-targeting-fuel-dispenser-merchants.pdf}, language = {English}, urldate = {2020-07-23} } @techreport{alert:202008:baka:586781b, author = {Visa Security Alert}, title = {{‘Baka’ JavaScript Skimmer Identified}}, date = {2020-08}, institution = {VISA}, url = {https://usa.visa.com/content/dam/VCOM/global/support-legal/documents/visa-security-alert-baka-javascript-skimmer.pdf}, language = {English}, urldate = {2020-09-06} } @techreport{alert:20200925:visa:3bac371, author = {Visa Security Alert}, title = {{Visa Security Alert: New Malware Samples identified in Point-of-Sale Compromises}}, date = {2020-09-25}, institution = {VISA}, url = {https://usa.visa.com/dam/VCOM/global/support-legal/documents/new-pos-malware-samples.pdf}, language = {English}, urldate = {2020-10-05} } @online{alert:20211104:threat:4505399, author = {Red Alert}, title = {{Threat Actor targeted attack against Finance and Investment industry}}, date = {2021-11-04}, organization = {NSHC RedAlert Labs}, url = {https://redalert.nshc.net/2021/11/04/threat-actor-targeted-attack-against-finance-and-investment-industry/}, language = {Korean}, urldate = {2021-11-08} } @online{alessandroz:20200914:lazagne:b0b9e44, author = {AlessandroZ}, title = {{The LaZagne Project !!!}}, date = {2020-09-14}, organization = {Github (AlessandroZ)}, url = {https://github.com/AlessandroZ/LaZagne}, language = {English}, urldate = {2020-10-28} } @online{alexturing:20200202:new:4a4ebd9, author = {Alex.Turing and Hui Wang and Liu Yang}, title = {{New Threat: Matryosh Botnet Is Spreading}}, date = {2020-02-02}, organization = {360 netlab}, url = {https://blog.netlab.360.com/matryosh-botnet-is-spreading-en/}, language = {English}, urldate = {2021-02-04} } @online{alexturing:20210312:new:37158fe, author = {Alex.Turing and liuyang and YANG XU}, title = {{New Threat: ZHtrap botnet implements honeypot to facilitate finding more victims}}, date = {2021-03-12}, organization = {360 netlab}, url = {https://blog.netlab.360.com/new_threat_zhtrap_botnet_en/}, language = {English}, urldate = {2021-03-16} } @online{alexturing:20210527:analysis:bc5ec0e, author = {Alex.Turing and Jinye and Chai Linyuan}, title = {{Analysis report of the Facefish rootkit}}, date = {2021-05-27}, organization = {360 netlab}, url = {https://blog.netlab.360.com/ssh_stealer_facefish_en/}, language = {English}, urldate = {2021-06-07} } @online{alexturing:20210830:mostly:d4d0f30, author = {Alex.Turing and Hui Wang and GenShen Ye}, title = {{The Mostly Dead Mozi and Its’ Lingering Bots}}, date = {2021-08-30}, organization = {360 netlab}, url = {https://blog.netlab.360.com/the-mostly-dead-mozi-and-its-lingering-bots/}, language = {English}, urldate = {2021-08-31} } @online{alexturing:20211109:abcbot:8e1eee4, author = {Alex.Turing and Hui Wang}, title = {{Abcbot, an evolving botnet}}, date = {2021-11-09}, organization = {360 netlab}, url = {https://blog.netlab.360.com/abcbot_an_evolving_botnet_en/}, language = {English}, urldate = {2021-11-17} } @online{alexturing:20211112:malware:70f965d, author = {Alex.Turing and Hui Wang and YANG XU}, title = {{Malware uses namesilo Parking pages and Google's custom pages to spread}}, date = {2021-11-12}, organization = {360 netlab}, url = {https://blog.netlab.360.com/zhatuniubility-malware-uses-namesilo-parking-pages-and-googles-custom-pages-to-spread/}, language = {English}, urldate = {2021-11-17} } @online{alexturing:20211130:ewdoor:aa6e76e, author = {Alex.Turing and Hui Wang}, title = {{EwDoor Botnet Is Attacking AT&T Customers}}, date = {2021-11-30}, organization = {360 netlab}, url = {https://blog.netlab.360.com/warning-ewdoor-botnet-is-attacking-att-customers/}, language = {English}, urldate = {2021-12-07} } @online{alexturing:20220315:new:3b64b05, author = {Alex.Turing and Hui Wang}, title = {{New Threat: Linux Backdoor B1txor20 using DNS Tunnel technology is spreading through the Log4j vulnerability}}, date = {2022-03-15}, organization = {360 netlab}, url = {https://blog.netlab.360.com/b1txor20-use-of-dns-tunneling_cn/}, language = {Chinese}, urldate = {2022-03-15} } @online{alexuiop1337:20190731:github:215c261, author = {Alexuiop1337}, title = {{Github Repository for SoranoStealer}}, date = {2019-07-31}, organization = {Github (Alexuiop1337)}, url = {https://github.com/Alexuiop1337/SoranoStealer}, language = {English}, urldate = {2020-01-06} } @online{algayar:20171224:lilyofthevalley:40d90c1, author = {Mustapha Algayar}, title = {{LilyOfTheValley Repository}}, date = {2017-12-24}, organization = {Github (LilyOfTheValley)}, url = {https://github.com/En14c/LilyOfTheValley}, language = {English}, urldate = {2020-01-10} } @online{alguacil:201911:vb2019:a565e76, author = {Alexandre Mundo Alguacil and John Fokker}, title = {{VB2019 paper: Different ways to cook a crab: GandCrab ransomware-as-a-service (RaaS) analysed in depth}}, date = {2019-11}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2019/11/vb2019-paper-different-ways-cook-crab-gandcrab-ransomware-service-raas-analysed-indepth/}, language = {English}, urldate = {2020-01-08} } @online{ali:20210505:roaming:b3131fd, author = {Kashif Ali}, title = {{Roaming Mantis Amplifies Smishing Campaign with OS-Specific Android Malware}}, date = {2021-05-05}, organization = {Kashif Ali Surfeit and Blasé Security}, url = {https://www.kashifali.ca/2021/05/05/roaming-mantis-amplifies-smishing-campaign-with-os-specific-android-malware/}, language = {English}, urldate = {2021-05-08} } @online{ali:20220106:unpacking:57cdd55, author = {Muhammad Hasan Ali}, title = {{Unpacking Emotet malware part 01}}, date = {2022-01-06}, organization = {muha2xmad}, url = {https://muha2xmad.github.io/unpacking/emotet-part-1/}, language = {English}, urldate = {2022-02-14} } @online{ali:20220107:unpacking:e59d104, author = {Muhammad Hasan Ali}, title = {{Unpacking Emotet malware part 02}}, date = {2022-01-07}, organization = {muha2xmad}, url = {https://muha2xmad.github.io/unpacking/emotet-part-2/}, language = {English}, urldate = {2022-02-14} } @online{ali:20220108:unpacking:498463e, author = {Muhammad Hasan Ali}, title = {{Unpacking Hancitor malware}}, date = {2022-01-08}, organization = {muha2xmad}, url = {https://muha2xmad.github.io/unpacking/hancitor/}, language = {English}, urldate = {2022-01-19} } @online{ali:20220109:unpacking:04bcf90, author = {Muhammad Hasan Ali}, title = {{Unpacking Vmprotect packer}}, date = {2022-01-09}, organization = {muha2xmad}, url = {https://muha2xmad.github.io/unpacking/Vmprotect/}, language = {English}, urldate = {2022-01-25} } @online{ali:20220111:unpacking:2fe091c, author = {Muhammad Hasan Ali}, title = {{Unpacking Dridex malware}}, date = {2022-01-11}, organization = {muha2xmad}, url = {https://muha2xmad.github.io/unpacking/dridex/}, language = {English}, urldate = {2022-01-25} } @online{ali:20220112:unpacking:035e302, author = {Muhammad Hasan Ali}, title = {{Unpacking Ramnit malware}}, date = {2022-01-12}, organization = {muha2xmad}, url = {https://muha2xmad.github.io/unpacking/ramnit/}, language = {English}, urldate = {2022-01-25} } @online{ali:20220113:unpacking:09ab5c5, author = {Muhammad Hasan Ali}, title = {{Unpacking Remcos malware}}, date = {2022-01-13}, organization = {muha2xmad}, url = {https://muha2xmad.github.io/unpacking/remcos/}, language = {English}, urldate = {2022-01-25} } @online{ali:20220121:deep:fe5caf7, author = {Gameel Ali}, title = {{Deep Analysis Agent Tesla Malware}}, date = {2022-01-21}, organization = {MalGamy}, url = {https://malgamy.github.io/malware-analysis/Deep-Analysis-Agent-Tesla/}, language = {English}, urldate = {2022-01-25} } @online{ali:20220212:full:2c09100, author = {Muhammad Hasan Ali}, title = {{Full Hancitor malware analysis}}, date = {2022-02-12}, organization = {muha2xmad}, url = {https://muha2xmad.github.io/malware-analysis/fullHancitor/}, language = {English}, urldate = {2022-02-14} } @online{ali:20220425:full:d0f9c5d, author = {Muhammad Hasan Ali}, title = {{Full RedLine malware analysis | IoCs | Stealing information}}, date = {2022-04-25}, organization = {muha2xmad}, url = {https://muha2xmad.github.io/malware-analysis/fullredline/}, language = {English}, urldate = {2022-04-29} } @online{ali:20220505:analysis:3ec712d, author = {Muhammad Hasan Ali}, title = {{Analysis of MS Word to drop Remcos RAT | VBA extraction and analysis | IoCs}}, date = {2022-05-05}, organization = {Github (muha2xmad)}, url = {https://muha2xmad.github.io/mal-document/remcosdoc/}, language = {English}, urldate = {2022-05-08} } @online{ali:20220529:full:cf742e7, author = {Muhammad Hasan Ali}, title = {{Full Anubis android malware analysis}}, date = {2022-05-29}, organization = {muha2xmad}, url = {https://muha2xmad.github.io/malware-analysis/anubis/}, language = {English}, urldate = {2022-05-29} } @online{alienvault:20190801:hexane:3d63fd0, author = {AlienVault}, title = {{Hexane Targeting Oil and Gas}}, date = {2019-08-01}, organization = {AlienVault OTX}, url = {https://otx.alienvault.com/pulse/5d4301edb3f3406ac01acc0f}, language = {English}, urldate = {2019-11-28} } @online{alienvault:20201209:sidewinder:65e0781, author = {AlienVault}, title = {{SideWinder APT South Asian Territorial Themed Spear Phishing and Mobile Device Attacks}}, date = {2020-12-09}, organization = {AlienVault OTX}, url = {https://otx.alienvault.com/pulse/5fd10760f9afb730d37c4742/}, language = {English}, urldate = {2021-03-12} } @online{alienvault:20210611:prism:a13c100, author = {AlienVault}, title = {{PRISM attacks manage to stay under the radar}}, date = {2021-06-11}, organization = {AlienVault}, url = {https://otx.alienvault.com/pulse/60c31c4e4978e9721446c121}, language = {English}, urldate = {2021-06-16} } @online{alienvault:20210628:revil:1b4ddb9, author = {AlienVault}, title = {{REvil ransomware Linux version (with YARA rule)}}, date = {2021-06-28}, organization = {AT&T}, url = {https://otx.alienvault.com/pulse/60da2c80aa5400db8f1561d5}, language = {English}, urldate = {2021-07-02} } @online{alintanahin:20140702:kivars:4fe6877, author = {Kervin Alintanahin and Ronnie Giagone}, title = {{KIVARS With Venom: Targeted Attacks Upgrade with 64-bit “Support”}}, date = {2014-07-02}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/}, language = {English}, urldate = {2020-06-19} } @techreport{alintanahin:20150513:operation:a90911a, author = {Kervin Alintanahin}, title = {{Operation Tropic Trooper}}, date = {2015-05-13}, institution = {Trend Micro}, url = {http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf}, language = {English}, urldate = {2020-01-06} } @online{aljaberi:20220226:hunting:270b30c, author = {Zayed AlJaberi}, title = {{Hunting Recent QakBot Malware}}, date = {2022-02-26}, organization = {LinkedIn (Zayed AlJaberi)}, url = {https://www.linkedin.com/posts/zayedaljaberi_hunting-recent-qakbot-malware-activity-6903498764984606720-2Gl4}, language = {English}, urldate = {2022-03-01} } @online{allievi:20141028:threat:a302fbd, author = {Andrea Allievi and Douglas Goddard and Shaun Hurley and Alain Zidouemba}, title = {{Threat Spotlight: Group 72, Opening the ZxShell}}, date = {2014-10-28}, organization = {Cisco}, url = {https://blogs.cisco.com/security/talos/opening-zxshell}, language = {English}, urldate = {2019-10-15} } @online{allievi:20150320:threat:2f200b6, author = {Andrea Allievi and Ben Baker and Nick Biasini and JJ Cummings and Douglas Goddard and William Largent and Angel Villegas and Alain Zidouemba}, title = {{Threat Spotlight: PoSeidon, A Deep Dive Into Point of Sale Malware}}, date = {2015-03-20}, organization = {Cisco Talos}, url = {https://blogs.cisco.com/security/talos/poseidon}, language = {English}, urldate = {2020-01-13} } @online{allievi:20150427:threat:3754b13, author = {Andrea Allievi and Earl Carter and Emmanuel Tacheau}, title = {{Threat Spotlight: TeslaCrypt – Decrypt It Yourself}}, date = {2015-04-27}, organization = {Cisco Talos}, url = {https://blogs.cisco.com/security/talos/teslacrypt}, language = {English}, urldate = {2019-10-15} } @online{almaskati:20220405:peace:8678b53, author = {Mohammed Al-Maskati and Front Line Defenders and Bill Marczak and Siena Anstis and Ron Deibert and CitizenLab}, title = {{Peace through Pegasus Jordanian Human Rights Defenders and Journalists Hacked with Pegasus Spyware}}, date = {2022-04-05}, organization = {CitizenLab}, url = {https://citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/}, language = {English}, urldate = {2022-04-07} } @online{alnakal:20211118:malware:a0b177d, author = {Hamad Alnakal}, title = {{Malware reverse engineering (Ryuk Ransomware)}}, date = {2021-11-18}, organization = {Medium 0xchina}, url = {https://0xchina.medium.com/malware-reverse-engineering-31039450af27}, language = {English}, urldate = {2021-11-19} } @online{alonso:20170224:hunting:073d36e, author = {Angel Alonso}, title = {{Hunting Retefe with Splunk - some interesting points}}, date = {2017-02-24}, organization = {Some stuff about security.. Blog}, url = {http://blog.angelalonso.es/2017/02/hunting-retefe-with-splunk-some24.html}, language = {English}, urldate = {2020-01-06} } @online{alonsoparrizas:20151028:reversing:92cdf4f, author = {Angel Alonso-Parrizas}, title = {{Reversing the C2C HTTP Emmental communication}}, date = {2015-10-28}, url = {http://blog.angelalonso.es/2015/10/reversing-c2c-http-emmental.html}, language = {English}, urldate = {2019-12-05} } @online{alonsoparrizas:20151103:reversing:762708a, author = {Angel Alonso-Parrizas}, title = {{Reversing the SMS C&C protocol of Emmental (1st part - understanding the code)}}, date = {2015-11-03}, url = {http://blog.angelalonso.es/2015/11/reversing-sms-c-protocol-of-emmental.html}, language = {English}, urldate = {2019-10-14} } @techreport{alperovitch:20140224:art:df5650c, author = {Dmitri Alperovitch}, title = {{The Art of Attribution Identifying and Pursuing your Cyber Adversaries}}, date = {2014-02-24}, institution = {RSA Conference}, url = {https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf}, language = {English}, urldate = {2020-04-06} } @online{alperovitch:20140707:deep:63e59f7, author = {Dmitri Alperovitch}, title = {{Deep in Thought: Chinese Targeting of National Security Think Tanks}}, date = {2014-07-07}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/deep-thought-chinese-targeting-national-security-think-tanks/}, language = {English}, urldate = {2019-12-20} } @online{alperovitch:20141014:crowdstrike:9be6684, author = {Dmitri Alperovitch}, title = {{CrowdStrike Discovers Use of 64-bit Zero-Day Privilege Escalation Exploit (CVE-2014-4113) by Hurricane Panda}}, date = {2014-10-14}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/}, language = {English}, urldate = {2020-06-03} } @online{alperovitch:20150413:cyber:93796f8, author = {Dmitri Alperovitch}, title = {{Cyber Deterrence in Action? A story of one long HURRICANE PANDA campaign}}, date = {2015-04-13}, organization = {CrowdStrike}, url = {http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/}, language = {English}, urldate = {2019-12-20} } @online{alperovitch:20150413:cyber:9cee61c, author = {Dmitri Alperovitch}, title = {{Cyber Deterrence in Action? A story of one long HURRICANE PANDA campaign}}, date = {2015-04-13}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/}, language = {English}, urldate = {2020-06-03} } @online{alperovitch:20160615:bears:604c1d9, author = {Dmitri Alperovitch}, title = {{Bears in the Midst: Intrusion into the Democratic National Committee}}, date = {2016-06-15}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/}, language = {English}, urldate = {2022-03-14} } @online{alperovitch:20210419:great:4cdaa13, author = {Dmitri Alperovitch and Erica Borghard and Jason Healey and Ryan Evans}, title = {{Great Power Cyber Party}}, date = {2021-04-19}, organization = {WAR ON THE ROCKS}, url = {https://warontherocks.com/2021/04/great-power-cyber-party/}, language = {English}, urldate = {2021-04-29} } @online{altheide:20201021:media:fce4b18, author = {Cory Altheide and DAnon and Sam S. and Proofpoint Threat Research Team}, title = {{Media Coverage Doesn’t Deter Actor From Threatening Democratic Voters}}, date = {2020-10-21}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/media-coverage-doesnt-deter-actor-threatening-democratic-voters}, language = {English}, urldate = {2020-10-26} } @online{althouse:20201117:easily:172bd6d, author = {John Althouse}, title = {{Easily Identify Malicious Servers on the Internet with JARM}}, date = {2020-11-17}, organization = {Salesforce Engineering}, url = {https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a}, language = {English}, urldate = {2020-12-03} } @online{alvares:20190805:smokeloaders:3ee435d, author = {Marcos Alvares}, title = {{Smokeloader's Hardcoded Domains - Sneaky Third Party Vendor or Cheap Buyer?}}, date = {2019-08-05}, organization = {security.neurolabs}, url = {http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html}, language = {English}, urldate = {2021-09-19} } @online{alvares:20191031:dynamic:a295d00, author = {Marcos Alvares}, title = {{Dynamic Imports and Working Around Indirect Calls - Smokeloader Study Case}}, date = {2019-10-31}, organization = {m.alvar.es}, url = {https://m.alvar.es/2019/10/dynamic-imports-and-working-around.html}, language = {English}, urldate = {2021-11-17} } @online{alvares:20200610:unpacking:38f29d6, author = {Marcos Alvares}, title = {{Unpacking Smokeloader and Reconstructing PE Programatically using LIEF}}, date = {2020-06-10}, organization = {m.alvar.es}, url = {https://m.alvar.es/2020/06/unpacking-smokeloader-and.html}, language = {English}, urldate = {2021-11-17} } @online{alvares:20200622:comparative:270905b, author = {Marcos Alvares}, title = {{Comparative analysis between Bindiff and Diaphora - Patched Smokeloader Study Case}}, date = {2020-06-22}, organization = {m.alvar.es}, url = {https://m.alvar.es/2020/06/comparative-analysis-between-bindiff.html}, language = {English}, urldate = {2021-11-09} } @online{alvarez:20121203:compromised:1e6dcb7, author = {Raul Alvarez}, title = {{Compromised library}}, date = {2012-12-03}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2012/12/compromised-library}, language = {English}, urldate = {2019-12-17} } @online{alvarez:20140718:birds:9f9e509, author = {Raul Alvarez}, title = {{Bird's nest}}, date = {2014-07-18}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2014/08/bird-s-nest}, language = {English}, urldate = {2019-11-28} } @online{alvarezperez:20171215:in:c0e0afe, author = {David Alvarez-Perez}, title = {{In depth analysis of malware exploiting CVE-2017-11826}}, date = {2017-12-15}, organization = {Gradiant}, url = {https://www.gradiant.org/noticia/analysis-malware-cve-2017/}, language = {English}, urldate = {2021-01-21} } @online{alwar:20210129:cloudy:e701758, author = {Partha Alwar and Carly Battaile and Alex Parsons}, title = {{Cloudy with a Chance of Persistent Email Access}}, date = {2021-01-29}, organization = {Aon}, url = {https://www.aon.com/cyber-solutions/aon_cyber_labs/cloudy-with-a-chance-of-persistent-email-access/}, language = {English}, urldate = {2021-02-09} } @online{alyac:20190131:lazarus:bbb47f8, author = {Alyac}, title = {{Lazarus APT Organization Attacks with Operation Extreme Job}}, date = {2019-01-31}, organization = {ESTsecurity}, url = {https://blog.alyac.co.kr/2105}, language = {Korean}, urldate = {2019-10-21} } @online{alyac:20190327:lazarus:2172304, author = {Alyac}, title = {{라자루스(Lazarus) 그룹, 이스라엘 군수업체 대상 APT 역습}}, date = {2019-03-27}, url = {https://blog.alyac.co.kr/m/2219}, language = {Korean}, urldate = {2020-07-15} } @online{alyac:20190327:lazarus:df092d7, author = {Alyac}, title = {{Lazarus Group APT Counterattack Against Israeli Military}}, date = {2019-03-27}, organization = {ESTsecurity}, url = {https://blog.alyac.co.kr/2219}, language = {Korean}, urldate = {2020-06-29} } @online{alyac:20190610:special:f4e2a26, author = {Alyac}, title = {{[Special Report] APT Campaign 'Konni' & 'Kimsuky' Organizations Found in Common}}, date = {2019-06-10}, organization = {ESTsecurity}, url = {https://blog.alyac.co.kr/2347}, language = {Korean}, urldate = {2020-03-17} } @online{alyac:20190627:lazarus:9afc51d, author = {Alyac}, title = {{Lazarus APT Group attacks with a malicious '진실겜.xls' via the Telegram messenger}}, date = {2019-06-27}, organization = {ESTsecurity}, url = {https://blog.alyac.co.kr/2388}, language = {Korean}, urldate = {2020-03-17} } @techreport{alyac:20200330:spy:e23215b, author = {Alyac}, title = {{The 'Spy Cloud' Operation: Geumseong121 group carries out the APT attack disguising the evidence of North Korean defection}}, date = {2020-03-30}, institution = {EST Security}, url = {https://blog.alyac.co.kr/attachment/cfile8.uf@9977CF405E81A09B1C4CE2.pdf}, language = {English}, urldate = {2020-04-07} } @online{alyac:20200725:special:ca84b90, author = {Alyac}, title = {{[Special Report] Thallium Group sued by Microsoft in the US, threatens 'Fake Striker' APT campaign against South Korea}}, date = {2020-07-25}, organization = {ESTsecurity}, url = {https://blog.alyac.co.kr/3120}, language = {Korean}, urldate = {2020-07-30} } @online{alyac:20201016:thallium:aff8d61, author = {Alyac}, title = {{탈륨조직의 국내 암호화폐 지갑 펌웨어로 위장한 다차원 APT 공격 분석출처 ( THALLIUM)}}, date = {2020-10-16}, organization = {Alyac}, url = {https://blog.alyac.co.kr/3310}, language = {Korean}, urldate = {2020-10-23} } @online{alyac:20201021:zloader:d78b7b7, author = {Alyac}, title = {{ZLoader 악성코드, 사업 정지 경고로 위장해 유포중}}, date = {2020-10-21}, organization = {Alyac}, url = {https://blog.alyac.co.kr/3322}, language = {Korean}, urldate = {2020-10-29} } @online{alyac:20201104:apt:668b6b4, author = {Alyac}, title = {{북한 연계 해킹조직 탈륨, 미국 대선 예측 언론 문서로 위장한 APT 공격 수행 출처}}, date = {2020-11-04}, organization = {ESTsecurity}, url = {https://blog.alyac.co.kr/3352}, language = {Korean}, urldate = {2020-11-04} } @online{alyac:20201112:blue:68c4df2, author = {Alyac}, title = {{北 연계 탈륨조직, '블루 에스티메이트(Blue Estimate)' APT 캠페인 지속}}, date = {2020-11-12}, organization = {ESTsecurity}, url = {https://blog.alyac.co.kr/3368}, language = {Korean}, urldate = {2020-11-18} } @online{alyac:20201215:goldstar:c592b26, author = {Alyac}, title = {{Goldstar 121 organization proceeds with HWP OLE-based APT attack}}, date = {2020-12-15}, organization = {EST Security}, url = {https://blog.alyac.co.kr/3451}, language = {Korean}, urldate = {2020-12-16} } @online{alyac:20201217:thallium:d04a7df, author = {Alyac}, title = {{Thallium organization attacks domestic blockchain company with documents of non-delinquency confirmation}}, date = {2020-12-17}, organization = {EST Security}, url = {https://blog.alyac.co.kr/3458}, language = {Korean}, urldate = {2020-12-18} } @online{alyac:20210103:thallium:cad0add, author = {Alyac}, title = {{Thallium organization exploits private stock investment messenger to attack software supply chain}}, date = {2021-01-03}, organization = {EST Security}, url = {https://blog.alyac.co.kr/3489}, language = {Korean}, urldate = {2021-01-10} } @online{alyac:20210201:thallium:4821887, author = {Alyac}, title = {{Thallium organization conducts elaborate cyber attack against Russian researchers working in the North Korean economyPerforming sophisticated cyber attacks against researchers}}, date = {2021-02-01}, organization = {EST Security}, url = {https://blog.alyac.co.kr/3550}, language = {Korean}, urldate = {2021-02-02} } @online{alyushin:20150914:shade:3558938, author = {Victor Alyushin and Fedor Sinitsyn}, title = {{The Shade Encryptor: a Double Threat}}, date = {2015-09-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-shade-encryptor-a-double-threat/72087/}, language = {English}, urldate = {2019-12-20} } @online{amawaka:20200310:apt40:2199052, author = {Asuna Amawaka}, title = {{APT40 goes from Template Injections to OLE-Linkings for payload delivery}}, date = {2020-03-10}, organization = {insomniacs(Medium)}, url = {https://medium.com/insomniacs/apt40-goes-from-template-injections-to-ole-linkings-for-payload-delivery-99eb43170a97}, language = {English}, urldate = {2020-04-16} } @online{amawaka:20200315:dad:5cad035, author = {Asuna Amawaka}, title = {{Dad! There’s A Rat In Here!}}, date = {2020-03-15}, organization = {insomniacs(Medium)}, url = {https://medium.com/insomniacs/dad-theres-a-rat-in-here-e3729b65bf7a}, language = {English}, urldate = {2020-04-16} } @online{amawaka:20200316:shadows:2ee247e, author = {Asuna Amawaka}, title = {{Shadows in the Rain}}, date = {2020-03-16}, organization = {Medium Asuna Amawaka}, url = {https://medium.com/insomniacs/shadows-in-the-rain-a16efaf21aae}, language = {English}, urldate = {2021-02-18} } @online{amawaka:20200506:shadows:889fc47, author = {Asuna Amawaka}, title = {{Shadows with a chance of BlackNix}}, date = {2020-05-06}, organization = {Medium Asuna Amawaka}, url = {https://medium.com/insomniacs/shadows-with-a-chance-of-blacknix-badc0f2f41cb}, language = {English}, urldate = {2021-02-18} } @online{amawaka:20200520:what:e02d9a4, author = {Asuna Amawaka}, title = {{What happened between the BigBadWolf and the Tiger?}}, date = {2020-05-20}, organization = {Medium Asuna Amawaka}, url = {https://medium.com/insomniacs/what-happened-between-the-bigbadwolf-and-the-tiger-925549a105b2}, language = {English}, urldate = {2021-02-18} } @online{amawaka:20201130:do:ff3adb4, author = {Asuna Amawaka}, title = {{Do you want to bake a donut? Come on, let’s go update~ Go away, Maria.}}, date = {2020-11-30}, organization = {Medium Asuna Amawaka}, url = {https://medium.com/insomniacs/do-you-want-to-bake-a-donut-come-on-lets-go-update-go-away-maria-e8e2b33683b1}, language = {English}, urldate = {2021-02-18} } @online{amawaka:20201220:look:8cd19a2, author = {Asuna Amawaka}, title = {{A Look into SUNBURST’s DGA}}, date = {2020-12-20}, organization = {Medium Asuna Amawaka}, url = {https://medium.com/insomniacs/a-look-into-sunbursts-dga-ba4029193947}, language = {English}, urldate = {2021-02-18} } @online{amawaka:20210829:quarians:7788603, author = {Asuna Amawaka}, title = {{Quarians, Turians and…QuickHeal}}, date = {2021-08-29}, organization = {Medium Asuna Amawaka}, url = {https://medium.com/insomniacs/quarians-turians-and-quickheal-670b24523b42}, language = {English}, urldate = {2021-10-20} } @online{amawaka:20211119:its:bd24ebf, author = {Asuna Amawaka}, title = {{It’s a BEE! It’s a… no, it’s ShadowPad.}}, date = {2021-11-19}, organization = {insomniacs(Medium)}, url = {https://medium.com/insomniacs/its-a-bee-it-s-a-no-it-s-shadowpad-aff6a970a1c2}, language = {English}, urldate = {2021-11-25} } @online{amazon:20220304:amazons:33ad1cf, author = {Amazon}, title = {{Amazon's assistance in Ukraine}}, date = {2022-03-04}, organization = {Amazon}, url = {https://www.aboutamazon.com/news/community/amazons-assistance-in-ukraine#March4}, language = {English}, urldate = {2022-03-07} } @online{ambite:20210521:leveraging:55f56da, author = {Pablo Ambite}, title = {{Leveraging Microsoft Teams to persist and cover up Cobalt Strike traffic}}, date = {2021-05-21}, organization = {blackarrow}, url = {https://www.blackarrow.net/leveraging-microsoft-teams-to-persist-and-cover-up-cobalt-strike-traffic/}, language = {English}, urldate = {2021-06-22} } @online{amnpardaz:20210713:trojanwin32breakwin:3654b7d, author = {amnpardaz}, title = {{Trojan.Win32.BreakWin}}, date = {2021-07-13}, organization = {amnpardaz}, url = {https://threats.amnpardaz.com/malware/trojan-win32-breakwin/}, language = {Persian}, urldate = {2021-07-20} } @online{amon:20210629:security:bf73b27, author = {Nicholas Amon and Jon Baker}, title = {{Security Control Mappings: A Starting Point for Threat-Informed Defense}}, date = {2021-06-29}, organization = {Medium MITRE-Engenuity}, url = {https://medium.com/mitre-engenuity/security-control-mappings-a-starting-point-for-threat-informed-defense-a3aab55b1625}, language = {English}, urldate = {2021-07-02} } @online{amr:20190410:project:460b6e5, author = {AMR and GReAT}, title = {{Project TajMahal – a sophisticated new APT framework}}, date = {2019-04-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/project-tajmahal/90240/}, language = {English}, urldate = {2019-12-20} } @online{amr:20190925:ransomware:ec80bad, author = {AMR}, title = {{Ransomware: two pieces of good news}}, date = {2019-09-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/ransomware-two-pieces-of-good-news/93355/}, language = {English}, urldate = {2020-01-08} } @online{amr:20191101:chrome:4c689f4, author = {AMR and GReAT}, title = {{Chrome 0-day exploit CVE-2019-13720 used in Operation WizardOpium}}, date = {2019-11-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/}, language = {English}, urldate = {2020-01-08} } @online{amr:20191210:windows:1a5c25d, author = {AMR and GReAT}, title = {{Windows 0-day exploit CVE-2019-1458 used in Operation WizardOpium}}, date = {2019-12-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432}, language = {English}, urldate = {2020-05-05} } @online{amr:20200305:mokes:698295f, author = {AMR}, title = {{Mokes and Buerak distributed under the guise of security certificates}}, date = {2020-03-05}, organization = {Kaspersky Labs}, url = {https://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/}, language = {English}, urldate = {2020-03-09} } @online{amr:20210402:browser:7dc98ab, author = {AMR}, title = {{Browser lockers: extortion disguised as a fine}}, date = {2021-04-02}, organization = {Kaspersky}, url = {https://securelist.com/browser-lockers-extortion-disguised-as-a-fine/101735}, language = {English}, urldate = {2021-04-06} } @online{amr:20210916:exploitation:f015aee, author = {AMR}, title = {{Exploitation of the CVE-2021-40444 vulnerability in MSHTML}}, date = {2021-09-16}, organization = {Kaspersky}, url = {https://securelist.com/exploitation-of-the-cve-2021-40444-vulnerability-in-mshtml/104218/}, language = {English}, urldate = {2021-09-19} } @online{amr:20220404:spring4shell:db1b469, author = {AMR}, title = {{Spring4Shell (CVE-2022-22965): details and mitigations}}, date = {2022-04-04}, organization = {Kaspersky}, url = {https://securelist.com/spring4shell-cve-2022-22965/106239/}, language = {English}, urldate = {2022-04-07} } @online{amr:20220413:emotet:113c0db, author = {AMR}, title = {{Emotet modules and recent attacks}}, date = {2022-04-13}, organization = {Kaspersky}, url = {https://securelist.com/emotet-modules-and-recent-attacks/106290/}, language = {English}, urldate = {2022-04-15} } @online{amr:20220418:how:6783da1, author = {AMR}, title = {{How to recover files encrypted by Yanlouwang}}, date = {2022-04-18}, organization = {Kaspersky}, url = {https://securelist.com/how-to-recover-files-encrypted-by-yanlouwang/106332/}, language = {English}, urldate = {2022-04-20} } @online{amrthabet:20110909:stuxnet:07c5348, author = {AmrThabet}, title = {{Stuxnet Malware Analysis Paper}}, date = {2011-09-09}, organization = {CodeProject}, url = {https://www.codeproject.com/articles/246545/stuxnet-malware-analysis-paper}, language = {English}, urldate = {2020-11-13} } @online{an:20211110:north:feab945, author = {Jungsoo An and Asheer Malhotra and Kendall McKay}, title = {{North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets}}, date = {2021-11-10}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html}, language = {English}, urldate = {2021-11-17} } @online{an:20220505:mustang:cbc06e9, author = {Jung soo An and Asheer Malhotra and Justin Thattil and Aliza Berk and Kendall McKay}, title = {{Mustang Panda deploys a new wave of malware targeting Europe}}, date = {2022-05-05}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html}, language = {English}, urldate = {2022-05-05} } @online{analysis:20170314:rig:56f3334, author = {Broad Analysis}, title = {{Rig Exploit Kit via the EiTest delivers CryptoShield/REVENGE ransomware}}, date = {2017-03-14}, organization = {Broad Analysis}, url = {http://www.broadanalysis.com/2017/03/14/rig-exploit-kit-via-the-eitest-delivers-cryptoshieldrevenge-ransomware/}, language = {English}, urldate = {2020-01-07} } @online{analysis:20190412:rig:0230572, author = {Analysis}, title = {{Rig Exploit Kit delivers Bunitu Malware}}, date = {2019-04-12}, organization = {BroadAnalysis}, url = {https://broadanalysis.com/2019/04/12/rig-exploit-kit-delivers-bunitu-malware/}, language = {English}, urldate = {2020-01-10} } @online{anand:20200521:blox:14090c1, author = {Chetan Anand}, title = {{Blox Tales #6: Subpoena-Themed Phishing With CAPTCHA Redirect}}, date = {2020-05-21}, organization = {Armorblox}, url = {https://www.armorblox.com/blog/blox-tales-6-subpoena-themed-phishing-with-captcha-redirect/}, language = {English}, urldate = {2020-05-23} } @online{anbalagan:20200605:new:9f3abf8, author = {Gayathri Anbalagan}, title = {{New Campaign Abusing StackBlitz Tool to Host Phishing Pages}}, date = {2020-06-05}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/new-campaign-abusing-stackblitz-tool-host-phishing-pages}, language = {English}, urldate = {2020-08-05} } @online{ancarani:20201120:detecting:79afa40, author = {Riccardo Ancarani}, title = {{Detecting Cobalt Strike Default Modules via Named Pipe Analysis}}, date = {2020-11-20}, organization = {F-Secure Labs}, url = {https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis}, language = {English}, urldate = {2020-11-23} } @online{ancarani:20210409:detecting:01d28ed, author = {Riccardo Ancarani and Giulio Ginesi}, title = {{Detecting Exposed Cobalt Strike DNS Redirectors}}, date = {2021-04-09}, organization = {F-Secure}, url = {https://labs.f-secure.com/blog/detecting-exposed-cobalt-strike-dns-redirectors}, language = {English}, urldate = {2021-04-14} } @online{ancarani:20220504:scheduled:9cd69c7, author = {Riccardo Ancarani}, title = {{Scheduled Task Tampering}}, date = {2022-05-04}, organization = {F-Secure}, url = {https://labs.f-secure.com/blog/scheduled-task-tampering/}, language = {English}, urldate = {2022-05-06} } @online{ancel:20150930:when:ed6915f, author = {Benoît Ancel}, title = {{When ELF.BillGates met Windows}}, date = {2015-09-30}, organization = {ThisIsSecurity}, url = {https://thisissecurity.stormshield.com/2015/09/30/when-elf-billgates-met-windows/}, language = {English}, urldate = {2020-01-13} } @online{ancel:20161020:nexter91:909eaee, author = {Benoît Ancel}, title = {{Tweet on nexter91 Panel}}, date = {2016-10-20}, organization = {Twitter (@benkow_)}, url = {https://twitter.com/benkow_/status/789006720668405760}, language = {English}, urldate = {2020-01-07} } @online{ancel:20170227:spambot:b40e584, author = {Benoît Ancel}, title = {{Spambot safari #2 - Online Mail System}}, date = {2017-02-27}, organization = {Benkow Lab}, url = {https://benkowlab.blogspot.fr/2017/02/spambot-safari-2-online-mail-system.html}, language = {English}, urldate = {2020-01-09} } @online{ancel:20170816:quick:e3a37c1, author = {Benoît Ancel}, title = {{Quick look at another Alina fork: XBOT-POS}}, date = {2017-08-16}, organization = {Benkow Lab}, url = {https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html}, language = {English}, urldate = {2020-01-10} } @online{ancel:20170829:from:7ef6dac, author = {Benoît Ancel}, title = {{From Onliner Spambot to millions of email's lists and credentials}}, date = {2017-08-29}, organization = {Benkow Lab}, url = {https://benkowlab.blogspot.com/2017/08/from-onliner-spambot-to-millions-of.html}, language = {English}, urldate = {2020-01-06} } @online{ancel:20190607:zeusaction:5977152, author = {Benoît Ancel}, title = {{Tweet on ZeusAction hashes}}, date = {2019-06-07}, organization = {Twitter (@benkow_)}, url = {https://twitter.com/benkow_/status/1136983062699487232}, language = {English}, urldate = {2020-01-06} } @techreport{ancel:2019:dreambot:e29023e, author = {Benoît Ancel and Peter Kruse}, title = {{Dreambot Business overview 2019}}, date = {2019}, institution = {CSIS}, url = {http://benkow.cc/DreambotSAS19.pdf}, language = {English}, urldate = {2019-12-10} } @online{ancel:20200207:installcapital:23b3760, author = {Benoît Ancel}, title = {{InstallCapital — When AdWare Becomes Pay-per-Install Cyber-Crime}}, date = {2020-02-07}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/installcapital-when-adware-becomes-pay-per-install-cyber-crime-15516249a451}, language = {English}, urldate = {2020-02-09} } @online{ancel:20200501:end:939414e, author = {Benoît Ancel}, title = {{The end of Dreambot? Obituary for a loved piece of Gozi.}}, date = {2020-05-01}, organization = {CSIS}, url = {https://medium.com/csis-techblog/the-end-of-dreambot-a-loved-piece-of-gozi-24cc9bfc8122}, language = {English}, urldate = {2020-05-05} } @online{ancel:20210118:gcleaner:f8b9064, author = {Benoît Ancel}, title = {{GCleaner — Garbage Provider Since 2019}}, date = {2021-01-18}, organization = {Medium csis-techblog}, url = {https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a}, language = {English}, urldate = {2021-01-21} } @online{ancel:20210125:nemty:7e56d61, author = {Benoît Ancel}, title = {{The Nemty affiliate model}}, date = {2021-01-25}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/the-nemty-affiliate-model-13f5cf7ab66b}, language = {English}, urldate = {2021-01-25} } @online{ancel:20210128:bagsu:7de60de, author = {Benoît Ancel}, title = {{The Bagsu banker case}}, date = {2021-01-28}, organization = {Youtube (Virus Bulletin)}, url = {https://www.youtube.com/watch?v=EyDiIAt__dI}, language = {English}, urldate = {2021-02-01} } @online{ancel:20210716:deeprat:d7d7959, author = {Benoît Ancel}, title = {{Tweet on DeepRAT}}, date = {2021-07-16}, organization = {Twitter (@benkow_)}, url = {https://twitter.com/benkow_/status/1415797114794397701}, language = {English}, urldate = {2021-07-26} } @online{anderson:20170612:bahamut:9810646, author = {Collin Anderson}, title = {{Bahamut, Pursuing a Cyber Espionage Actor in the Middle East}}, date = {2017-06-12}, organization = {Bellingcat}, url = {https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/}, language = {English}, urldate = {2020-01-13} } @online{anderson:20171027:bahamut:e17abf8, author = {Collin Anderson}, title = {{Bahamut Revisited, More Cyber Espionage in the Middle East and South Asia}}, date = {2017-10-27}, organization = {Bellingcat}, url = {https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/}, language = {English}, urldate = {2020-01-06} } @online{anderson:20180104:irans:dcad15c, author = {Collin Anderson and Karim Sadjapour}, title = {{Iran’s Cyber Ecosystem: Who Are the Threat Actors?}}, date = {2018-01-04}, organization = {Carnegie Endowment for International Peace}, url = {https://carnegieendowment.org/2018/01/04/iran-s-cyber-ecosystem-who-are-threat-actors-pub-75140}, language = {English}, urldate = {2020-04-25} } @online{anderson:20180703:iranian:8f4a4d5, author = {Collin Anderson}, title = {{Tweet on Iranian Malware}}, date = {2018-07-03}, organization = {Twitter (@CDA)}, url = {https://twitter.com/CDA/status/1014144988454772736}, language = {English}, urldate = {2020-09-21} } @online{anderson:20200820:revealing:7a1da00, author = {Chad Anderson}, title = {{Revealing REvil Ransomware With DomainTools and Maltego}}, date = {2020-08-20}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/revealing-revil-ransomware-with-domaintools-and-maltego}, language = {English}, urldate = {2020-08-24} } @online{anderson:20210427:winter:da59fc3, author = {Chad Anderson}, title = {{Winter Vivern: A Look At Re-Crafted Government MalDocs Targeting Multiple Languages}}, date = {2021-04-27}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs}, language = {English}, urldate = {2021-04-29} } @online{anderson:20210429:domaintools:d9fc32c, author = {Chad Anderson}, title = {{DomainTools And Digital Archeology: A Look At RotaJakiro}}, date = {2021-04-29}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/domaintools-and-digital-archeology-a-look-at-rotajakiro}, language = {English}, urldate = {2021-05-04} } @online{anderson:20210610:cloud:c2efde5, author = {Chad Anderson}, title = {{Cloud Atlas Navigates Us Into New Waters}}, date = {2021-06-10}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/cloud-atlas-navigates-us-into-new-waters}, language = {English}, urldate = {2021-06-21} } @online{anderson:20210701:most:39f64b8, author = {Chad Anderson}, title = {{The Most Prolific Ransomware Families: A Defenders Guide}}, date = {2021-07-01}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide}, language = {English}, urldate = {2021-07-11} } @online{anderson:20210715:american:b688a5d, author = {Chad Anderson}, title = {{American Rescue Plan Act Lures in the Wild}}, date = {2021-07-15}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/american-rescue-plan-act-lures-in-the-wild}, language = {English}, urldate = {2021-07-24} } @online{anderson:20210728:finding:e853c97, author = {Chad Anderson}, title = {{Finding AnchorDNS C2s With Iris Investigate}}, date = {2021-07-28}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/finding-anchordns-c2s-with-iris-investigate}, language = {English}, urldate = {2021-08-02} } @online{andersson:20210706:how:5087e07, author = {Alexander Andersson}, title = {{How the Kaseya VSA Zero Day Exploit Worked}}, date = {2021-07-06}, organization = {TRUESEC}, url = {https://blog.truesec.com/2021/07/06/kaseya-vsa-zero-day-exploit}, language = {English}, urldate = {2021-07-20} } @online{andonov:20151207:thriving:196c5eb, author = {Dimiter Andonov and William Ballenthin and Nalani Fraser and Will Matson and Jay Taylor}, title = {{Thriving Beyond The Operating System: Financial Threat Group Targets Volume Boot Record}}, date = {2015-12-07}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html}, language = {English}, urldate = {2020-04-21} } @online{andrewcs:20210305:20210305:e34f0e7, author = {Andrew-CS}, title = {{2021-03-05 - Cool Query Friday - Hunting For Renamed Command Line Programs}}, date = {2021-03-05}, organization = {Reddit Crowdstrike}, url = {https://www.reddit.com/r/crowdstrike/comments/lyhga8/20210305_cool_query_friday_hunting_for_renamed/}, language = {English}, urldate = {2021-03-11} } @online{andrewjess:20191213:python:8af049c, author = {@AndrewJess}, title = {{Стиллер паролей на python с отправкой на почту}}, date = {2019-12-13}, url = {https://habr.com/en/sandbox/135410/}, language = {Russian}, urldate = {2020-03-04} } @online{andrews:20210719:australia:8ca5b16, author = {Karen Andrews and Peter Dutton}, title = {{Australia joins international partners in attribution of malicious cyber activity to China}}, date = {2021-07-19}, organization = {Minister for Foreign Affairs of Australia}, url = {https://www.foreignminister.gov.au/minister/marise-payne/media-release/australia-joins-international-partners-attribution-malicious-cyber-activity-china}, language = {English}, urldate = {2021-07-22} } @techreport{andriesse:201310:highly:bc65090, author = {Dennis Andriesse and Christian Rossow and Brett Stone-Gross and Daniel Plohmann and Herbert Bos}, title = {{Highly Resilient Peer-to-Peer Botnets Are Here: An Analysis of Gameover Zeus}}, date = {2013-10}, institution = {MALWARE Conference}, url = {http://www.syssec-project.eu/m/page-media/3/zeus_malware13.pdf}, language = {English}, urldate = {2020-01-08} } @online{ang:20180426:necurs:83d08fc, author = {Miguel Ang}, title = {{Necurs Evolves to Evade Spam Detection via Internet Shortcut File}}, date = {2018-04-26}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/}, language = {English}, urldate = {2020-01-10} } @online{ang:20200428:loki:169b27e, author = {Miguel Ang}, title = {{Loki Info Stealer Propagates through LZH Files}}, date = {2020-04-28}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/loki-info-stealer-propagates-through-lzh-files}, language = {English}, urldate = {2020-08-14} } @online{anishell:20110603:anishell:6870af0, author = {Ani-Shell}, title = {{Ani-Shell}}, date = {2011-06-03}, organization = {Sourceforge}, url = {http://ani-shell.sourceforge.net/}, language = {English}, urldate = {2020-01-13} } @online{anjos:20210318:server:10b99ea, author = {Cesar Anjos}, title = {{Server Side Data Exfiltration via Telegram API}}, date = {2021-03-18}, organization = {SUCURI}, url = {https://blog.sucuri.net/2021/03/server-side-data-exfiltration-via-telegram-api.html}, language = {English}, urldate = {2021-03-19} } @techreport{anomali:20171102:country:853fdd8, author = {Anomali}, title = {{Country Profile: Russian Federation}}, date = {2017-11-02}, institution = {Anomali}, url = {https://www.anomali.com/files/white-papers/russian-federation-country-profile.pdf}, language = {English}, urldate = {2020-09-23} } @online{anonymous:20170210:rebranding:877e1bd, author = {Anonymous}, title = {{Rebranding iSpy Keylogger: Gear Informer}}, date = {2017-02-10}, organization = {Wapack Labs}, url = {https://wapacklabs.blogspot.ch/2017/02/rebranding-ispy-keylogger-gear-informer.html}, language = {English}, urldate = {2020-01-07} } @online{anonymous:20201216:paste:a02ef52, author = {Anonymous}, title = {{Paste of subdomain & DGA domain names used in SolarWinds attack}}, date = {2020-12-16}, organization = {Pastebin}, url = {https://pastebin.com/6EDgCKxd}, language = {English}, urldate = {2021-01-13} } @techreport{anssi:20190326:informations:7965c3d, author = {ANSSI}, title = {{INFORMATIONS CONCERNANTLES RANÇONGICIELSLOCKERGOGA ET RYUK}}, date = {2019-03-26}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf}, language = {French}, urldate = {2020-01-10} } @techreport{anssi:20190725:analysis:9df2d22, author = {ANSSI}, title = {{ANALYSIS OF THE AMCACHE}}, date = {2019-07-25}, institution = {ANSSI}, url = {https://www.ssi.gouv.fr/uploads/2019/01/anssi-coriin_2019-analysis_amcache.pdf}, language = {English}, urldate = {2020-12-08} } @techreport{anssi:20200129:tat:3d59e6e, author = {ANSSI}, title = {{État de la menace rançongiciel}}, date = {2020-01-29}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf}, language = {English}, urldate = {2020-02-03} } @online{anssi:20210721:indicateurs:9f20dae, author = {ANSSI}, title = {{INDICATEURS DE COMPROMISSION DU CERT-FR}}, date = {2021-07-21}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003}, language = {French}, urldate = {2021-12-17} } @techreport{anssi:20211026:identification:9444ac3, author = {ANSSI}, title = {{Identification of a new cyber criminal group: Lockean}}, date = {2021-10-26}, institution = {}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf}, language = {English}, urldate = {2022-01-25} } @online{anssi:20211103:identification:3143cbb, author = {ANSSI}, title = {{Identification of a new cybercriminal group: Lockean}}, date = {2021-11-03}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/}, language = {English}, urldate = {2021-11-03} } @techreport{anssi:20220427:le:5d47343, author = {ANSSI}, title = {{LE GROUPE CYBERCRIMINEL FIN7}}, date = {2022-04-27}, institution = {ANSSI}, url = {https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf}, language = {French}, urldate = {2022-05-05} } @online{antenucci:20190327:psixbot:9e1a258, author = {Stefano Antenucci and Antonio Parata}, title = {{PsiXBot: The Evolution Of A Modular .NET Bot}}, date = {2019-03-27}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2019/03/27/psixbot-the-evolution-of-a-modular-net-bot/}, language = {English}, urldate = {2019-10-12} } @online{antil:20190912:innfirat:22e8987, author = {Sahil Antil and Rohit Chaturvedi}, title = {{InnfiRAT: A new RAT aiming for your cryptocurrency and more}}, date = {2019-09-12}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/innfirat-new-rat-aiming-your-cryptocurrency-and-more}, language = {English}, urldate = {2020-01-10} } @online{antil:20220120:new:2bc6613, author = {Sahil Antil and Sudeep Singh}, title = {{New espionage attack by Molerats APT targeting users in the Middle East}}, date = {2022-01-20}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east}, language = {English}, urldate = {2022-01-24} } @online{antivirnews:20110120:beschreibung:678e455, author = {antivirnews}, title = {{Beschreibung des Virus Backdoor.Win32. Buterat.afj}}, date = {2011-01-20}, url = {http://antivirnews.blogspot.com/2011/01/backdoorwin32-buteratafj.html}, language = {Russian}, urldate = {2020-01-10} } @online{anton:20200602:hunting:5aa320f, author = {Anton}, title = {{Hunting Malicious Macros}}, date = {2020-06-02}, organization = {Pwntario Blog}, url = {https://blog.pwntario.com/team-posts/antons-posts/hunting-malicious-macros#first}, language = {English}, urldate = {2020-06-03} } @online{anubhav:20160923:hancitor:220140e, author = {Ankit Anubhav and Dileep Kumar Jallepalli}, title = {{Hancitor (AKA Chanitor) observed using multiple attack approaches}}, date = {2016-09-23}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html}, language = {English}, urldate = {2019-12-20} } @online{anubhav:20180718:huawai:e28ad1e, author = {Ankit Anubhav}, title = {{Tweet on Huawai Router Hacker Anarchy}}, date = {2018-07-18}, organization = {Twitter (@anit_anubhav)}, url = {https://twitter.com/ankit_anubhav/status/1019647993547550720}, language = {English}, urldate = {2020-01-13} } @techreport{anubislabs:20151015:dridex:4dafca8, author = {AnubisLabs}, title = {{Dridex: Chasing a botnet from the inside}}, date = {2015-10-15}, institution = {BitSight}, url = {https://cdn2.hubspot.net/hubfs/507516/ANB_MIR_Dridex_PRv7_final.pdf}, language = {English}, urldate = {2020-08-06} } @online{anurag:20200405:trojan:2bb6584, author = {Anurag}, title = {{Trojan Agent Tesla – Malware Analysis}}, date = {2020-04-05}, organization = {MalwrAnalysis}, url = {https://malwr-analysis.com/2020/04/05/trojan-agent-tesla-malware-analysis/}, language = {English}, urldate = {2020-04-08} } @online{anurag:20200622:njrat:381c066, author = {Anurag}, title = {{njRat Malware Analysis}}, date = {2020-06-22}, url = {https://malwr-analysis.com/2020/06/21/njrat-malware-analysis/}, language = {English}, urldate = {2020-06-22} } @online{anwar:20220410:threatening:784ed0e, author = {Hura Anwar}, title = {{Threatening Redirect Web Service Instills Malicious Campaigns In Over 16,500 Websites}}, date = {2022-04-10}, organization = {Digital Information World}, url = {https://www.digitalinformationworld.com/2022/04/threatening-redirect-web-service.html}, language = {English}, urldate = {2022-05-05} } @online{anxin:20190116:latest:60776ef, author = {Qi Anxin}, title = {{Latest Target Attack of DarkHydruns Group Against Middle East}}, date = {2019-01-16}, organization = {360.cn}, url = {https://ti.360.net/blog/articles/latest-target-attack-of-darkhydruns-group-against-middle-east-en/}, language = {English}, urldate = {2019-12-15} } @online{anyrun:20180208:anyrun:611fc13, author = {ANY.RUN}, title = {{ANY.RUN analysis of MBRLock}}, date = {2018-02-08}, organization = {ANY.RUN}, url = {https://app.any.run/tasks/0a7e643f-7562-4575-b8a5-747bd6b5f02d}, language = {English}, urldate = {2020-01-13} } @online{anyrun:20180321:bandios:cd8a14c, author = {ANY.RUN}, title = {{Tweet on Bandios / Colony}}, date = {2018-03-21}, organization = {Twitter (@anyrun_app)}, url = {https://twitter.com/anyrun_app/status/976385355384590337}, language = {English}, urldate = {2020-01-07} } @online{anyrun:20190719:anyrun:890dfc0, author = {ANY.RUN}, title = {{ANY.RUN analysis on URL}}, date = {2019-07-19}, organization = {ANY.RUN}, url = {https://app.any.run/tasks/ea024149-8e83-41c0-b0ed-32ec38dea4a6/}, language = {English}, urldate = {2020-01-08} } @online{anyrun:20190924:anyrun:649c085, author = {ANY.RUN}, title = {{ANY.RUN analysis on unidentified sample}}, date = {2019-09-24}, organization = {ANY.RUN}, url = {https://app.any.run/tasks/4e48bcbf-015b-4a57-bb98-50f9531ff37a}, language = {English}, urldate = {2020-01-13} } @online{anyrun:20211007:anyrun:c7453bb, author = {ANY.RUN}, title = {{ANY.RUN report for activity of the downloader}}, date = {2021-10-07}, organization = {ANY.RUN}, url = {https://app.any.run/tasks/cd25d8c3-1944-4fa0-a4be-436dc1389fca/}, language = {English}, urldate = {2021-10-11} } @online{apra:20200929:cobaltstrikescan:ab5f221, author = {Apra}, title = {{CobaltStrikeScan}}, date = {2020-09-29}, organization = {Github (Apr4h)}, url = {https://github.com/Apr4h/CobaltStrikeScan}, language = {English}, urldate = {2020-10-05} } @online{aprozper:20180322:ghostminer:711cbd2, author = {Asaf Aprozper and Gal Bitensky}, title = {{GhostMiner: Cryptomining Malware Goes Fileless}}, date = {2018-03-22}, organization = {Minerva}, url = {https://blog.minerva-labs.com/ghostminer-cryptomining-malware-goes-fileless}, language = {English}, urldate = {2020-01-07} } @online{aprozper:20190128:azorult:78563e2, author = {Asaf Aprozper and Gal Bitensky}, title = {{AZORult: Now, as A Signed “Google Update”}}, date = {2019-01-28}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/azorult-now-as-a-signed-google-update}, language = {English}, urldate = {2019-12-04} } @online{apvrille:20170315:teardown:76fb758, author = {Axelle Apvrille}, title = {{Teardown of a Recent Variant of Android/Ztorg (Part 1)}}, date = {2017-03-15}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/03/15/teardown-of-a-recent-variant-of-android-ztorg-part-1}, language = {English}, urldate = {2019-12-10} } @online{apvrille:20170315:teardown:e3c30e6, author = {Axelle Apvrille}, title = {{Teardown of Android/Ztorg (Part 2)}}, date = {2017-03-15}, organization = {Fortinet}, url = {http://blog.fortinet.com/2017/03/08/teardown-of-android-ztorg-part-2}, language = {English}, urldate = {2019-12-24} } @online{apvrille:20200918:locating:56e0b57, author = {Axelle Apvrille}, title = {{Locating the Trojan inside an infected COVID-19 contact tracing app}}, date = {2020-09-18}, organization = {Medium cryptax}, url = {https://medium.com/@cryptax/locating-the-trojan-inside-an-infected-covid-19-contact-tracing-app-21e23f90fbfe}, language = {English}, urldate = {2020-09-25} } @online{apvrille:20200925:into:cf7b514, author = {Axelle Apvrille}, title = {{Into Android Meterpreter and how the malware launches it - part 2}}, date = {2020-09-25}, organization = {Medium cryptax}, url = {https://medium.com/@cryptax/into-android-meterpreter-and-how-the-malware-launches-it-part-2-ef5aad2ebf12}, language = {English}, urldate = {2020-09-25} } @online{apvrille:20201213:decrypting:ee8b00f, author = {Axelle Apvrille}, title = {{Decrypting strings with a JEB script}}, date = {2020-12-13}, organization = {Medium (Cryptax)}, url = {https://cryptax.medium.com/decrypting-strings-with-a-jeb-script-1af522fa4979}, language = {English}, urldate = {2020-12-19} } @online{apvrille:20201215:unpacking:af6a6ee, author = {Axelle Apvrille}, title = {{Unpacking an Android malware with Dexcalibur and JEB}}, date = {2020-12-15}, organization = {Medium (Cryptax)}, url = {https://cryptax.medium.com/unpacking-an-android-malware-with-dexcalibur-and-jeb-59bdd905d4a7}, language = {English}, urldate = {2020-12-19} } @online{apvrille:20210329:androidflubot:01484cd, author = {Axelle Apvrille}, title = {{Android/Flubot: preparing for a new campaign?}}, date = {2021-03-29}, organization = {Medium (Cryptax)}, url = {https://cryptax.medium.com/android-flubot-preparing-for-a-new-campaign-2f7563fc6c06}, language = {English}, urldate = {2021-03-31} } @online{apvrille:20210518:native:350d98f, author = {Axelle Apvrille}, title = {{A native packer for Android/MoqHao}}, date = {2021-05-18}, organization = {Medium (Cryptax)}, url = {https://cryptax.medium.com/a-native-packer-for-android-moqhao-6362a8412fe1}, language = {English}, urldate = {2021-05-19} } @online{apvrille:20220114:multidex:eaa6c6b, author = {Axelle Apvrille}, title = {{Multidex trick to unpack Android/BianLian}}, date = {2022-01-14}, organization = {Medium (Cryptax)}, url = {https://cryptax.medium.com/multidex-trick-to-unpack-android-bianlian-ed52eb791e56}, language = {English}, urldate = {2022-03-30} } @online{apvrille:20220429:warning:a17311e, author = {Axelle Apvrille}, title = {{Warning: GRIM and Magnus Android Botnets are Underground}}, date = {2022-04-29}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/grim-magnus-android-botnets}, language = {English}, urldate = {2022-05-09} } @online{aqeel:20210118:docx:aaa26f8, author = {Ali Aqeel}, title = {{Docx Files Template-Injection}}, date = {2021-01-18}, organization = {aaqeel01}, url = {https://aaqeel01.wordpress.com/2021/01/18/docx-files-template-injection/}, language = {English}, urldate = {2021-01-21} } @online{aqeel:20210207:dridex:871b7d0, author = {Ali Aqeel}, title = {{Dridex Malware Analysis}}, date = {2021-02-07}, organization = {Technical Blog of Ali Aqeel}, url = {https://aaqeel01.wordpress.com/2021/02/07/dridex-malware-analysis/}, language = {English}, urldate = {2021-02-09} } @online{aqeel:20210409:icedid:a6e3243, author = {Ali Aqeel}, title = {{IcedID Analysis}}, date = {2021-04-09}, organization = {aaqeel01}, url = {https://aaqeel01.wordpress.com/2021/04/09/icedid-analysis/}, language = {English}, urldate = {2021-04-12} } @online{aqeel:20211018:zloader:898c290, author = {Ali Aqeel}, title = {{ZLoader Reversing}}, date = {2021-10-18}, url = {https://aaqeel01.wordpress.com/2021/10/18/zloader-reversing/}, language = {English}, urldate = {2021-10-22} } @online{aquilino:20130715:signed:013bd1d, author = {Broderick Aquilino}, title = {{Signed Mac Malware Using Right-to-Left Override Trick}}, date = {2013-07-15}, organization = {F-Secure}, url = {https://archive.f-secure.com/weblog/archives/00002576.html}, language = {English}, urldate = {2020-05-19} } @online{aquino:20140306:siesta:9a574bc, author = {Maharlito Aquino}, title = {{The Siesta Campaign: A New Targeted Attack Awakens}}, date = {2014-03-06}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/the-siesta-campaign-a-new-targeted-attack-awakens/}, language = {English}, urldate = {2020-01-13} } @online{ar6s:20190106:rat:f0a6a2f, author = {Ar6s}, title = {{[RAT] DARK TRACK ALIEN 4.1}}, date = {2019-01-06}, organization = {Cracked.to Forum}, url = {https://cracked.to/Thread-Release-RAT-Dark-track-alien-4-1}, language = {English}, urldate = {2021-02-17} } @online{arada:20130924:osxleveragea:ba6e883, author = {Eduardo De La Arada}, title = {{OSX/Leverage.a Analysis}}, date = {2013-09-24}, organization = {AT&T}, url = {https://www.alienvault.com/blogs/labs-research/osx-leveragea-analysis}, language = {English}, urldate = {2020-01-13} } @online{arai:20210618:cyber:efd5b54, author = {Yuu Arai and Twitter (@yarai1978)}, title = {{"Cyber ​​Security" Yu Arai, NTT DATA Executive Security Analyst}}, date = {2021-06-18}, organization = {YouTube (jnpc)}, url = {https://www.youtube.com/watch?v=2GRhJgF49vA&ab_channel=jnpc}, language = {Japanese}, urldate = {2021-06-22} } @online{archcloud:20201126:tracking:46717fb, author = {ArchCloud}, title = {{Tracking Cryptocurrency Malware in The Homelab}}, date = {2020-11-26}, organization = {Arch Cloud Labs}, url = {https://www.archcloudlabs.com/projects/tracking_cryptominer_domains/}, language = {English}, urldate = {2020-12-03} } @techreport{archer:20190531:qealler:2d73860, author = {Jeff Archer}, title = {{Qealler Unloaded}}, date = {2019-05-31}, institution = {Github (jeFF0Falltrades)}, url = {https://github.com/jeFF0Falltrades/Malware-Writeups/blob/master/Qealler/Qealler-Unloaded.pdf}, language = {English}, urldate = {2019-12-17} } @online{archer:20190815:micropsia:8ed52a1, author = {Jeff Archer}, title = {{MICROPSIA (APT-C-23)}}, date = {2019-08-15}, organization = {Github (jeFF0Falltrades)}, url = {https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/micropsia_apt_c_23.md}, language = {English}, urldate = {2019-12-10} } @online{archer:20190914:wsh:103aefa, author = {Jeff Archer}, title = {{WSH RAT (A variant of H-Worm/Houdini)}}, date = {2019-09-14}, organization = {Github (jeFF0Falltrades)}, url = {https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/wsh_rat.md}, language = {English}, urldate = {2020-01-06} } @online{archer:20191103:dtrack:de46ce3, author = {Jeff Archer}, title = {{DTrack}}, date = {2019-11-03}, organization = {Github (jeFF0Falltrades)}, url = {https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/dtrack_lazarus_group.md}, language = {English}, urldate = {2019-12-18} } @online{archer:20191205:poshc2:3066e19, author = {Jeff Archer}, title = {{PoshC2 (specifically as used by APT33)}}, date = {2019-12-05}, organization = {Github (jeFF0Falltrades)}, url = {https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/poshc2_apt_33.md}, language = {English}, urldate = {2020-01-06} } @online{archer:20200211:metamorfo:663ae17, author = {Jeff Archer}, title = {{Metamorfo (aka Casbaneiro)}}, date = {2020-02-11}, organization = {Github (jeFF0Falltrades)}, url = {https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/metamorfo.md}, language = {English}, urldate = {2020-02-11} } @online{archer:20201213:highly:9fe1728, author = {Andrew Archer and Doug Bienstock and Chris DiGiamo and Glenn Edwards and Nick Hornick and Alex Pennino and Andrew Rector and Scott Runnels and Eric Scales and Nalani Fraiser and Sarah Jones and John Hultquist and Ben Read and Jon Leathery and Fred House and Dileep Jallepalli and Michael Sikorski and Stephen Eckels and William Ballenthin and Jay Smith and Alex Berry and Nick Richard and Isif Ibrahima and Dan Perez and Marcin Siedlarz and Ben Withnell and Barry Vengerik and Nicole Oppenheim and Ian Ahl and Andrew Thompson and Matt Dunwoody and Evan Reese and Steve Miller and Alyssa Rahman and John Gorman and Lennard Galang and Steve Stone and Nick Bennett and Matthew McWhirt and Mike Burns and Omer Baig and Nick Carr and Christopher Glyer and Ramin Nafisi and Microsoft}, title = {{Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor}}, date = {2020-12-13}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html}, language = {English}, urldate = {2020-12-19} } @online{archer:20211229:asyncrat:4b7c4d9, author = {Jeff Archer}, title = {{AsyncRAT Configuration Parser}}, date = {2021-12-29}, organization = {Github (jeFF0Falltrades)}, url = {https://github.com/jeFF0Falltrades/Tutorials/tree/master/asyncrat_config_parser}, language = {English}, urldate = {2021-12-31} } @online{arghire:20210429:chinese:0dcf839, author = {Ionut Arghire}, title = {{Chinese Cyberspies Target Military Organizations in Asia With New Malware}}, date = {2021-04-29}, organization = {SecurityWeek}, url = {https://www.securityweek.com/chinese-cyberspies-target-military-organizations-asia-new-malware}, language = {English}, urldate = {2022-02-04} } @online{arkbird:20200817:short:a510811, author = {Arkbird}, title = {{Short twitter thread with analysis on Loup ATM malware}}, date = {2020-08-17}, organization = {Twitter (@Arkbird_SOLG)}, url = {https://twitter.com/Arkbird_SOLG/status/1295396936896438272}, language = {English}, urldate = {2020-08-25} } @online{arkbird:20200903:development:cf8dd7d, author = {Arkbird}, title = {{Tweet on development in more_eggs}}, date = {2020-09-03}, organization = {Twitter (@Arkbird_SOLG)}, url = {https://twitter.com/Arkbird_SOLG/status/1301536930069278727}, language = {English}, urldate = {2020-09-15} } @online{arkbird:20200911:discovery:99adb88, author = {Arkbird}, title = {{Tweet on discovery of a sample}}, date = {2020-09-11}, organization = {Twitter (@Arkbird_SOLG)}, url = {https://twitter.com/Arkbird_SOLG/status/1304187749373800455}, language = {English}, urldate = {2020-10-21} } @online{arkbird:20210830:mercurialgrabber:0c3b718, author = {Arkbird}, title = {{Tweet on MercurialGrabber}}, date = {2021-08-30}, organization = {Twitter (@Arkbird_SOLG)}, url = {https://twitter.com/Arkbird_SOLG/status/1432127748001128459}, language = {English}, urldate = {2021-12-22} } @online{arkbird:20211112:tweets:3905e33, author = {Arkbird}, title = {{Tweets on Void Balaur using QuantLoader and ZStealer}}, date = {2021-11-12}, organization = {Twitter (@Arkbird_SOLG)}, url = {https://twitter.com/Arkbird_SOLG/status/1458973883068043264}, language = {English}, urldate = {2021-12-22} } @online{arkbirdsolg:20200505:operation:448dc4a, author = {@Arkbird_SOLG}, title = {{Operation Flash Cobra}}, date = {2020-05-05}, organization = {Github (StrangerealIntel)}, url = {https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/North%20Korea/APT/Lazarus/2020-05-05/Analysis.md}, language = {English}, urldate = {2020-05-07} } @online{arkbirdsolg:20200622:ftcode:1f79b62, author = {Twitter (@Arkbird_SOLG)}, title = {{FTcode targets European countries}}, date = {2020-06-22}, organization = {Github (StrangerealIntel)}, url = {https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/Unknown/2020-06-22/Analysis.md}, language = {English}, urldate = {2020-06-24} } @online{arkbirdsolg:20210327:terraloader:73371d5, author = {Twitter (@Arkbird_SOLG)}, title = {{Terraloader: Congrats, you have a new fake job!}}, date = {2021-03-27}, organization = {Github (StrangerealIntel)}, url = {https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/Terraloader/2021-03-25/Analysis.md#terraloader--congrats-you-have-a-new-fake-job-}, language = {English}, urldate = {2021-05-03} } @online{armelli:20200708:named:c581e3d, author = {Matthew Armelli and Stuart Caudill and John Patrick Dees and Max Egar and Jennifer Keltz and Lan Pelekis and John Sakellariadis and Vipratap Vikram Singh and Katherine von Ofenheim and Neal Pollard}, title = {{Named But Hardly Shamed: What is the Impact of Information Disclosures on an APT Operations?}}, date = {2020-07-08}, organization = {COLUMBIA | SIPA}, url = {https://sipa.columbia.edu/file/12461/download?token=o5TRWZnI}, language = {English}, urldate = {2020-07-13} } @online{armor:20220105:threat:178f0e9, author = {Armor}, title = {{Threat Intelligence Report: The Evolution of Doppel Spider from BitPaymer to Grief Ransomware}}, date = {2022-01-05}, organization = {ARMOR}, url = {https://www.armor.com/resources/threat-intelligence/the-evolution-of-doppel-spider-from-bitpaymer-to-grief-ransomware/}, language = {English}, urldate = {2022-01-12} } @techreport{army:20200724:atp:37eeefe, author = {Department of the Army}, title = {{ATP 7-100.2: North Korean Tactics}}, date = {2020-07-24}, institution = {Department of the Army}, url = {https://armypubs.army.mil/epubs/DR_pubs/DR_a/ARN30043-ATP_7-100.2-000-WEB-2.pdf}, language = {English}, urldate = {2020-08-20} } @online{arndt:20200924:zloader:ad8bf21, author = {Jamie Arndt}, title = {{zLoader XLM Update: Macro code and behavior change}}, date = {2020-09-24}, organization = {Click All the Things! Blog}, url = {https://clickallthethings.wordpress.com/2020/09/21/zloader-xlm-update-macro-code-and-behavior-change/}, language = {English}, urldate = {2020-09-25} } @online{arndt:20210306:oleobject1bin:22436df, author = {Jamie Arndt}, title = {{oleObject1.bin – OLe10nATive – shellcode}}, date = {2021-03-06}, organization = {Click All the Things! Blog}, url = {https://clickallthethings.wordpress.com/2021/03/06/oleobject1-bin-ole10native-shellcode/}, language = {English}, urldate = {2021-03-11} } @online{arneson:20190124:cisco:58d9a8f, author = {John Arneson}, title = {{Cisco AMP tracks new campaign that delivers Ursnif}}, date = {2019-01-24}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/01/amp-tracks-ursnif.html}, language = {English}, urldate = {2019-10-12} } @online{arnoud:20210215:analysis:6955fb8, author = {Stanislas Arnoud}, title = {{Analysis of an APT41 rootkit}}, date = {2021-02-15}, organization = {stan's blog}, url = {https://s4r.cc/analysis/2021/02/15/Analysis_of_an_APT41_rootkit.html}, language = {English}, urldate = {2021-02-18} } @online{arntz:20171031:analyzing:9d5c49e, author = {Pieter Arntz}, title = {{Analyzing malware by API calls}}, date = {2017-10-31}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/10/analyzing-malware-by-api-calls/}, language = {English}, urldate = {2019-12-20} } @online{arntz:20200710:threat:f64cac0, author = {Pieter Arntz}, title = {{Threat spotlight: WastedLocker, customized ransomware}}, date = {2020-07-10}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/}, language = {English}, urldate = {2020-07-15} } @online{arntz:20200813:chrome:2120054, author = {Pieter Arntz}, title = {{Chrome extensions that lie about their permissions}}, date = {2020-08-13}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/puppum/2020/08/chrome-extensions-that-lie-about-their-permissions/}, language = {English}, urldate = {2020-08-14} } @online{arntz:20201215:threat:8286d80, author = {Pieter Arntz}, title = {{Threat profile: Egregor ransomware is making a name for itself}}, date = {2020-12-15}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/ransomware/2020/12/threat-profile-egregor-ransomware-is-making-a-name-for-itself/}, language = {English}, urldate = {2021-01-11} } @online{arntz:20210309:microsoft:9f7d246, author = {Pieter Arntz}, title = {{Microsoft Exchange attacks cause panic as criminals go shell collecting}}, date = {2021-03-09}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/malwarebytes-news/2021/03/microsoft-exchange-attacks-cause-panic-as-criminals-go-shell-collecting/}, language = {English}, urldate = {2021-03-11} } @online{arntz:20211021:chrome:0f71e05, author = {Pieter Arntz}, title = {{Chrome targeted by Magnitude exploit kit}}, date = {2021-10-21}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/10/magnitude-ek-has-been-spotted-targeting-the-chrome-browser/}, language = {English}, urldate = {2021-10-26} } @online{aronov:20150723:analysis:0162f34, author = {Igor Aronov}, title = {{An Analysis of the Qadars Banking Trojan}}, date = {2015-07-23}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/an-analysis-of-the-qadars-trojan/}, language = {English}, urldate = {2020-01-10} } @online{arsene:20160808:possibly:55e5441, author = {Liviu Arsene}, title = {{Possibly Italy-Born Android RAT Reported in China, Find Bitdefender Researchers}}, date = {2016-08-08}, organization = {Bitdefender}, url = {https://hotforsecurity.bitdefender.com/blog/possibly-italy-born-android-rat-reported-in-china-find-bitdefender-researchers-16264.html}, language = {English}, urldate = {2020-01-06} } @online{arsene:20171026:keranger:a908ea4, author = {Liviu Arsene}, title = {{Keranger: the first “in-the-wild” ransomware for Macs. But certainly not the last}}, date = {2017-10-26}, organization = {Macworld}, url = {https://www.macworld.com/article/3234650/macs/keranger-the-first-in-the-wild-ransomware-for-macs-but-certainly-not-the-last.html}, language = {English}, urldate = {2020-01-08} } @online{arsene:20200107:hold:b9c1aa4, author = {Liviu Arsene}, title = {{Hold My Beer Mirai – Spinoff Named ‘LiquorBot’ Incorporates Cryptomining}}, date = {2020-01-07}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/01/hold-my-beer-mirai-spinoff-named-liquorbot-incorporates-cryptomining/}, language = {English}, urldate = {2020-01-13} } @techreport{arsene:20200318:new:2d895da, author = {Liviu Arsene and Radu Tudorica and Alexandru Maximciuc and Cristina Vatamanu}, title = {{New TrickBot Module Bruteforces RDP Connections, Targets Select Telecommunication Services in US and Hong Kong}}, date = {2020-03-18}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/316/Bitdefender-Whitepaper-TrickBot-en-EN-interactive.pdf}, language = {English}, urldate = {2020-03-19} } @online{arsene:20200320:5:46813c6, author = {Liviu Arsene}, title = {{5 Times More Coronavirus-themed Malware Reports during March}}, date = {2020-03-20}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter}, language = {English}, urldate = {2020-03-26} } @online{arsene:20200325:new:51ce027, author = {Liviu Arsene}, title = {{New Router DNS Hijacking Attacks Abuse Bitbucket to Host Infostealer}}, date = {2020-03-25}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/03/new-router-dns-hijacking-attacks-abuse-bitbucket-to-host-infostealer/}, language = {English}, urldate = {2020-03-30} } @online{arsene:20200326:android:946032b, author = {Liviu Arsene}, title = {{Android Apps and Malware Capitalize on Coronavirus}}, date = {2020-03-26}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/03/android-apps-and-malware-capitalize-on-coronavirus}, language = {English}, urldate = {2020-03-26} } @online{arsene:20200513:global:6217d6f, author = {Liviu Arsene}, title = {{Global Ransomware and Cyberattacks on Healthcare Spike during Pandemic}}, date = {2020-05-13}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/05/global-ransomware-and-cyberattacks-on-healthcare-spike-during-pandemic/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter}, language = {English}, urldate = {2020-07-06} } @techreport{arsene:20200521:iranian:d9e1468, author = {Liviu Arsene and Bogdan Rusu}, title = {{Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia}}, date = {2020-05-21}, institution = {Bitdefender}, url = {https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf}, language = {English}, urldate = {2020-05-23} } @techreport{arsene:20200630:strongpity:ed365fb, author = {Liviu Arsene and Radu Tudorica and Cristina Vatamanu and Alexandru Maximciuc}, title = {{StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure}}, date = {2020-06-30}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf}, language = {English}, urldate = {2020-06-30} } @techreport{arsene:20200820:more:a98fa7e, author = {Liviu Arsene and Victor Vrabie and Bogdan Rusu and Alexandru Maximciuc and Cristina Vatamanu}, title = {{More Evidence of APT Hackers-for-Hire Usedfor Industrial Espionage}}, date = {2020-08-20}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/365/Bitdefender-PR-Whitepaper-APTHackers-creat4740-en-EN-GenericUse.pdf}, language = {English}, urldate = {2020-08-27} } @online{arsene:20201123:trickbot:bcf3c42, author = {Liviu Arsene and Radu Tudorica}, title = {{TrickBot is Dead. Long Live TrickBot!}}, date = {2020-11-23}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/11/trickbot-is-dead-long-live-trickbot/}, language = {English}, urldate = {2020-11-25} } @online{arsene:20210811:teaching:aeec28a, author = {Liviu Arsene}, title = {{Teaching an Old Dog New Tricks: 2017 Magniber Ransomware Uses PrintNightmare Vulnerability to Infect Victims in South Korea}}, date = {2021-08-11}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/magniber-ransomware-caught-using-printnightmare-vulnerability/}, language = {English}, urldate = {2021-09-02} } @online{arsium:20201227:horuseyesrat:255f0e8, author = {arsium}, title = {{HorusEyesRat}}, date = {2020-12-27}, organization = {Github (arsium)}, url = {https://github.com/arsium/HorusEyesRat_Public}, language = {English}, urldate = {2021-02-06} } @online{arzamendi:20180118:arc:384a9b0, author = {Pete Arzamendi and Matt Bing and Kirk Soluk}, title = {{The ARC of Satori}}, date = {2018-01-18}, organization = {NetScout}, url = {https://www.arbornetworks.com/blog/asert/the-arc-of-satori/}, language = {English}, urldate = {2019-11-29} } @techreport{asd:20181214:investigationreport:6eda856, author = {ASD}, title = {{Investigationreport: Compromise of an Australian companyvia their Managed Service Provider}}, date = {2018-12-14}, institution = {Australian Cyber Security Centre}, url = {https://www.cyber.gov.au/sites/default/files/2019-03/msp_investigation_report.pdf}, language = {English}, urldate = {2020-03-11} } @online{asec:20171016:operation:68f1182, author = {ASEC}, title = {{Operation Bitter Biscuit}}, date = {2017-10-16}, organization = {AhnLab}, url = {http://asec.ahnlab.com/tag/Operation%20Bitter%20Biscuit}, language = {Korean}, urldate = {2020-01-13} } @online{asec:20210804:sw:fd538d1, author = {ASEC}, title = {{S/W Download Camouflage, Spreading Various Kinds of Malware}}, date = {2021-08-04}, organization = {ASEC}, url = {https://asec.ahnlab.com/ko/25837/}, language = {Korean}, urldate = {2022-03-07} } @online{asec:20220208:distribution:1e72a12, author = {ASEC}, title = {{Distribution of Kimsuky Group’s xRAT (Quasar RAT) Confirmed}}, date = {2022-02-08}, organization = {ASEC}, url = {https://asec.ahnlab.com/en/31089/}, language = {English}, urldate = {2022-02-10} } @online{asec:20220221:cobalt:82a24d8, author = {ASEC}, title = {{Cobalt Strike Being Distributed to Vulnerable MS-SQL Servers}}, date = {2022-02-21}, url = {https://asec.ahnlab.com/en/31811/}, language = {English}, urldate = {2022-02-26} } @online{asec:20220221:new:a4d0291, author = {ASEC}, title = {{New information takeover malware "ColdStealer" is being distributed}}, date = {2022-02-21}, organization = {ASEC}, url = {https://asec.ahnlab.com/ko/31703/}, language = {Korean}, urldate = {2022-03-02} } @online{asec:20220228:remcos:d53c470, author = {ASEC}, title = {{Remcos RAT malware disseminated by pretending to be tax invoices}}, date = {2022-02-28}, organization = {ASEC}, url = {https://asec.ahnlab.com/ko/32101/}, language = {Korean}, urldate = {2022-03-07} } @online{asec:20220303:dissemination:e2ce2f4, author = {ASEC}, title = {{Dissemination of malicious korean documents masquering as press releases for the 20th presidential election}}, date = {2022-03-03}, organization = {ASEC}, url = {https://asec.ahnlab.com/ko/32330/}, language = {Korean}, urldate = {2022-03-04} } @online{asec:20220307:distribution:d298aca, author = {ASEC}, title = {{Distribution of Remcos RAT Disguised as Tax Invoice}}, date = {2022-03-07}, organization = {ASEC}, url = {https://asec.ahnlab.com/en/32376/}, language = {English}, urldate = {2022-03-07} } @online{asec:20220328:vbs:9f536ea, author = {ASEC}, title = {{VBS Script Disguised as PDF File Being Distributed (Kimsuky)}}, date = {2022-03-28}, organization = {ASEC}, url = {https://asec.ahnlab.com/en/33032/}, language = {English}, urldate = {2022-03-30} } @online{asec:20220503:backdoors:43e357a, author = {ASEC}, title = {{Backdoors disguised as document editing and messenger programs (*.chm)}}, date = {2022-05-03}, organization = {AhnLab}, url = {https://asec.ahnlab.com/ko/33948/}, language = {Korean}, urldate = {2022-05-05} } @online{asec:20220520:why:c6efba7, author = {ASEC}, title = {{Why Remediation Alone Is Not Enough When Infected by Malware}}, date = {2022-05-20}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/34549/}, language = {English}, urldate = {2022-05-24} } @online{asec:20220624:lockbit:a98a9bb, author = {ASEC}, title = {{LockBit Ransomware Disguised as Copyright Claim E-mail Being Distributed}}, date = {2022-06-24}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/35822/}, language = {English}, urldate = {2022-06-27} } @online{asec:20220628:new:df3f9bf, author = {ASEC}, title = {{New Info-stealer Disguised as Crack Being Distributed}}, date = {2022-06-28}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/35981/}, language = {English}, urldate = {2022-06-30} } @online{ash:20180626:rancor:99f5616, author = {Brittany Ash and Josh Grunzweig and Tom Lancaster}, title = {{RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families}}, date = {2018-06-26}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/}, language = {English}, urldate = {2019-12-20} } @online{ash:20180626:rancor:cc2a967, author = {Brittany Ash and Josh Grunzweig and Tom Lancaster}, title = {{RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families}}, date = {2018-06-26}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/}, language = {English}, urldate = {2019-12-18} } @online{ashford:20180802:three:1fa3b70, author = {Warwick Ashford}, title = {{Three Carbanak cyber heist gang members arrested}}, date = {2018-08-02}, organization = {ComputerWeekly}, url = {https://www.computerweekly.com/news/252446153/Three-Carbanak-cyber-heist-gang-members-arrested}, language = {English}, urldate = {2020-01-10} } @online{ashman:20190605:upgraded:519af7d, author = {Ofir Ashman}, title = {{Upgraded JasperLoader Infecting Machines with New Targets & Functional Improvements: What You Need to Know}}, date = {2019-06-05}, organization = {ThreatStop}, url = {https://blog.threatstop.com/upgraded-jasperloader-infecting-machines}, language = {English}, urldate = {2020-01-08} } @online{ashman:20220322:conti:7ffebe5, author = {Ofir Ashman}, title = {{Conti ransomware leaks - what happens when hackers support Russia}}, date = {2022-03-22}, organization = {ThreatStop}, url = {https://www.threatstop.com/blog/conti-ransomware-source-code-leaked}, language = {English}, urldate = {2022-04-07} } @online{ashman:20220524:gamaredon:7638a47, author = {Ofir Ashman}, title = {{Gamaredon Group: Understanding the Russian APT}}, date = {2022-05-24}, organization = {ThreatStop}, url = {https://www.threatstop.com/blog/gamaredon-group-understanding-the-russian-apt}, language = {English}, urldate = {2022-05-25} } @online{ashman:20220615:first:a157972, author = {Ofir Ashman}, title = {{First Conti, then Hive: Costa Rica gets hit with ransomware again}}, date = {2022-06-15}, organization = {ThreatStop}, url = {https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again}, language = {English}, urldate = {2022-06-27} } @online{ashraf:20220521:deep:0e3523b, author = {Mohamed Ashraf}, title = {{Deep Analysis of Mars Stealer}}, date = {2022-05-21}, organization = {Github (x-junior)}, url = {https://x-junior.github.io/malware%20analysis/MarsStealer/}, language = {English}, urldate = {2022-05-23} } @online{ashton:20200621:maersk:5121522, author = {Gavin Ashton}, title = {{Maersk, me & notPetya}}, date = {2020-06-21}, organization = {GVNSHTN}, url = {https://gvnshtn.com/maersk-me-notpetya/}, language = {English}, urldate = {2020-08-18} } @online{asic:20210127:accellion:939c001, author = {Australian Securities and Investments Commission (ASIC)}, title = {{Accellion cyber incident}}, date = {2021-01-27}, organization = {Australian Securities and Investments Commission (ASIC)}, url = {https://asic.gov.au/about-asic/news-centre/news-items/accellion-cyber-incident/}, language = {English}, urldate = {2021-01-29} } @online{asinovsky:20200618:ginp:724e3ef, author = {Pavel Asinovsky}, title = {{Ginp Malware Operations are on the Rise, Aiming to Expand in Turkey}}, date = {2020-06-18}, organization = {IBM Security}, url = {https://securityintelligence.com/posts/ginp-malware-operations-rising-expansions-turkey/}, language = {English}, urldate = {2020-06-19} } @online{askar:20190830:github:81bb2c2, author = {Askar}, title = {{Github Repository of Octopus}}, date = {2019-08-30}, organization = {Github (mhaskar)}, url = {https://github.com/mhaskar/Octopus}, language = {English}, urldate = {2021-01-04} } @online{askar:20200726:inmemory:5556cad, author = {Askar}, title = {{In-Memory shellcode decoding to evade AVs/EDRs}}, date = {2020-07-26}, organization = {Shells.System blog}, url = {https://shells.systems/in-memory-shellcode-decoding-to-evade-avs/}, language = {English}, urldate = {2020-07-30} } @online{asoltanei:20200331:infected:eaa940e, author = {Oana Asoltanei and Alin Mihai Barbatei and Ioan-Septimiu Dinulica}, title = {{Infected Zoom Apps for Android Target Work-From-Home Users}}, date = {2020-03-31}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/03/infected-zoom-apps-for-android-target-work-from-home-users}, language = {English}, urldate = {2020-04-07} } @techreport{asoltanei:20200619:bitterapt:2e8e1d2, author = {Oana Asoltanei and Denis Cosmin Nutiu and Alin Mihai Barbatei}, title = {{BitterAPT Revisited: the Untold Evolution of an Android Espionage Tool}}, date = {2020-06-19}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf}, language = {English}, urldate = {2020-06-21} } @online{asoltanei:20201008:fake:88db68e, author = {Oana Asoltanei and Elena Flondor and Alin Mihai Barbatei and Liviu Aarsene}, title = {{Fake Users Rave but Real Users Rant as Apps on Google Play Deal Aggressive Adware}}, date = {2020-10-08}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/10/fake-users-rave-but-real-users-rant-as-apps-on-google-play-deal-aggressive-adware/}, language = {English}, urldate = {2020-10-12} } @online{asrar:201901:destructive:f4cc200, author = {Irfan Asrar}, title = {{Destructive Attack "Dustman" Technical Report}}, date = {2019-01}, organization = {LinkedIn Irfan Asrar}, url = {https://www.linkedin.com/posts/iasrar_dustman-report-in-english-activity-6619216346083393537-NV1z/}, language = {English}, urldate = {2020-01-13} } @online{asrar:20200104:dustman:8df5168, author = {Irfan Asrar}, title = {{Tweet on Dustman}}, date = {2020-01-04}, organization = {Twitter (@Irfan_Asrar)}, url = {https://twitter.com/Irfan_Asrar/status/1213544175355908096}, language = {English}, urldate = {2020-01-09} } @online{assante:20151230:current:342c55e, author = {Michael J. Assante}, title = {{Current Reporting on the Cyber Attack in Ukraine Resulting in Power Outage}}, date = {2015-12-30}, organization = {SANS}, url = {https://ics.sans.org/blog/2015/12/30/current-reporting-on-the-cyber-attack-in-ukraine-resulting-in-power-outage}, language = {English}, urldate = {2019-12-17} } @techreport{astolfi:20191009:corso:2a93766, author = {Riccardo Astolfi and Giacomo Ferro and Francesco Gobbi}, title = {{Corso di Codice Malevolo: Relazione sull’analisi del malware sample2.exe}}, date = {2019-10-09}, institution = {Github (GiacomoFerro)}, url = {https://github.com/GiacomoFerro/malware-analysis/blob/master/report/report-malware.pdf}, language = {Italian}, urldate = {2022-02-16} } @online{astrovax:20201114:deep:b50ae08, author = {astrovax}, title = {{Deep Dive Into Ryuk Ransomware}}, date = {2020-11-14}, organization = {Medium 0xastrovax}, url = {https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12}, language = {English}, urldate = {2021-01-25} } @online{aswanda:20180622:formbook:ce3c98b, author = {Aswanda}, title = {{FormBook stealer: Data theft made easy}}, date = {2018-06-22}, organization = {InQuest}, url = {http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/}, language = {English}, urldate = {2020-01-09} } @online{atch:20210819:how:53769da, author = {David Atch and Gil Regev and Ross Bevington}, title = {{How to proactively defend against Mozi IoT botnet}}, date = {2021-08-19}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/08/19/how-to-proactively-defend-against-mozi-iot-botnet/}, language = {English}, urldate = {2021-08-30} } @online{atlas:20210730:bear:04ae603, author = {Team Atlas}, title = {{Bear Tracks: Infrastructure Patterns Lead to More Than 30 Active APT29 C2 Servers}}, date = {2021-07-30}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/541a465f/description}, language = {English}, urldate = {2021-08-02} } @techreport{atr:20210316:technical:8c4909a, author = {McAfee ATR}, title = {{Technical Analysis of Operation Diànxùn}}, date = {2021-03-16}, institution = {McAfee}, url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf}, language = {English}, urldate = {2021-03-22} } @techreport{atr:20210512:technical:24b2378, author = {McAfee ATR}, title = {{Technical Analysis of Access Token Theft and Manipulation}}, date = {2021-05-12}, institution = {McAfee}, url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-access-token-theft-manipulation-attacks.pdf}, language = {English}, urldate = {2021-05-13} } @online{attck:2019:admin338:c8e4d93, author = {MITRE ATT&CK}, title = {{Group description: admin@338}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0018/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:apt1:9f69f1f, author = {MITRE ATT&CK}, title = {{Group description: APT1}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0006/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:apt28:f03c2bd, author = {MITRE ATT&CK}, title = {{Group description: APT28}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0007/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:apt37:b488fef, author = {MITRE ATT&CK}, title = {{Group description: APT37}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0067/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:apt39:573abf3, author = {MITRE ATT&CK}, title = {{Group description: APT39}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0087/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:blackoasis:ceb12ff, author = {MITRE ATT&CK}, title = {{Group description: BlackOasis}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0063/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:bronze:b7965ff, author = {MITRE ATT&CK}, title = {{Group description: BRONZE BUTLER}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0060/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:carbanak:0e2fe5c, author = {MITRE ATT&CK}, title = {{Group description: Carbanak}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0008/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:charming:f900c21, author = {MITRE ATT&CK}, title = {{Group description: Charming Kitten}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0058/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:cleaver:ac864e2, author = {MITRE ATT&CK}, title = {{Group description: Cleaver}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0003/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:cobalt:0e0496e, author = {MITRE ATT&CK}, title = {{Group description: Cobalt Group}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0080/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:copykittens:a691b76, author = {MITRE ATT&CK}, title = {{Group description: CopyKittens}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0052/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:dark:01cd067, author = {MITRE ATT&CK}, title = {{Group description: Dark Caracal}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0070/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:darkhotel:eab9170, author = {MITRE ATT&CK}, title = {{Group description: Darkhotel}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0012/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:darkhydrus:b9db207, author = {MITRE ATT&CK}, title = {{Group description: DarkHydrus}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0079/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:deep:7220dc2, author = {MITRE ATT&CK}, title = {{Group description: Deep Panda}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0009/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:dragonfly:c84141f, author = {MITRE ATT&CK}, title = {{Group description: Dragonfly}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0035/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:dragonok:f2cc4fa, author = {MITRE ATT&CK}, title = {{Group description: DragonOK}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0017/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:dust:699660d, author = {MITRE ATT&CK}, title = {{Group description: Dust Storm}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0031/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:elderwood:581a3e4, author = {MITRE ATT&CK}, title = {{Group description: Elderwood}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0066/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:equation:8b2ae74, author = {MITRE ATT&CK}, title = {{Group description: Equation}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0020/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:fin10:ae5d375, author = {MITRE ATT&CK}, title = {{Group description: FIN10}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0051/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:fin4:dd68444, author = {MITRE ATT&CK}, title = {{Group description: FIN4}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0085/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:fin5:48f7065, author = {MITRE ATT&CK}, title = {{Group description: FIN5}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0053/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:fin6:791eaef, author = {MITRE ATT&CK}, title = {{Group description: FIN6}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0037/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:fin7:be45dfe, author = {MITRE ATT&CK}, title = {{Group description: FIN7}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0046/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:fin8:2b2b924, author = {MITRE ATT&CK}, title = {{Group description: FIN8}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0061}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:gamaredon:982ecc4, author = {MITRE ATT&CK}, title = {{Group description: Gamaredon Group}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0047/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:gcman:23384a0, author = {MITRE ATT&CK}, title = {{Group description: GCMAN}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0036/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:gorgon:f7c9936, author = {MITRE ATT&CK}, title = {{Group description: Gorgon Group}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0078/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:group5:fcdeaa8, author = {MITRE ATT&CK}, title = {{Group description: Group5}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0043/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:honeybee:9d1ffa6, author = {MITRE ATT&CK}, title = {{Group description: Honeybee}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0072/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:ke3chang:89a4a35, author = {MITRE ATT&CK}, title = {{Group description: Ke3chang}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0004/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:lazarus:a298c2f, author = {MITRE ATT&CK}, title = {{Group description: Lazarus Group}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0032/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:leafminer:c73518e, author = {MITRE ATT&CK}, title = {{Group description: Leafminer}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0077/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:leviathan:249223a, author = {MITRE ATT&CK}, title = {{Group description: Leviathan}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0065/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:lotus:98bf87a, author = {MITRE ATT&CK}, title = {{Group description: Lotus Blossom}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0030/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:magic:f2f07ab, author = {MITRE ATT&CK}, title = {{Group description: Magic Hound}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0059/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:menupass:8fde950, author = {MITRE ATT&CK}, title = {{Group description: menuPass}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0045/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:moafee:021312c, author = {MITRE ATT&CK}, title = {{Group description: Moafee}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0002/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:molerats:9927c33, author = {MITRE ATT&CK}, title = {{Group description: Molerats}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0021/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:muddywater:b990d10, author = {MITRE ATT&CK}, title = {{Group description: MuddyWater}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0069/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:naikon:f6661ca, author = {MITRE ATT&CK}, title = {{Group description: Naikon}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0019/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:neodymium:2979fa4, author = {MITRE ATT&CK}, title = {{Group description: NEODYMIUM}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0055/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:night:45c6d39, author = {MITRE ATT&CK}, title = {{Group description: Night Dragon}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0014/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:oilrig:40b5deb, author = {MITRE ATT&CK}, title = {{Group description: OilRig}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0049/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:orangeworm:7b6180d, author = {MITRE ATT&CK}, title = {{Group description: Orangeworm}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0071/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:patchwork:b9fa9e1, author = {MITRE ATT&CK}, title = {{Group description: Patchwork}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0040/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:pittytiger:9fde514, author = {MITRE ATT&CK}, title = {{Group description: PittyTiger}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0011/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:platinum:7fbd5ec, author = {MITRE ATT&CK}, title = {{Group description: PLATINUM}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0068/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:poseidon:9c4e9d2, author = {MITRE ATT&CK}, title = {{Group description: Poseidon Group}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0033/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:promethium:845588e, author = {MITRE ATT&CK}, title = {{Group description: PROMETHIUM}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0056/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:putter:db997a2, author = {MITRE ATT&CK}, title = {{Group description: Putter Panda}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0024/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:rancor:d326bb1, author = {MITRE ATT&CK}, title = {{Group description: Rancor}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0075/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:rtm:24fd219, author = {MITRE ATT&CK}, title = {{Group description: RTM}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0048/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:sandworm:2c635f5, author = {MITRE ATT&CK}, title = {{Group description: Sandworm Team}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0034/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:scarlet:c7d064d, author = {MITRE ATT&CK}, title = {{Group description: Scarlet Mimic}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0029/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:sowbug:1065fa1, author = {MITRE ATT&CK}, title = {{Group description: Sowbug}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0054/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:stealth:5d9f9cd, author = {MITRE ATT&CK}, title = {{Group description: Stealth Falcon}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0038/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:stolen:1489d7d, author = {MITRE ATT&CK}, title = {{Group description: Stolen Pencil}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0086/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:strider:e8991a7, author = {MITRE ATT&CK}, title = {{Group description: Strider}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0041/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:suckfly:686a402, author = {MITRE ATT&CK}, title = {{Group description: Suckfly}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0039/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:ta459:3a8408d, author = {MITRE ATT&CK}, title = {{Group description: TA459}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0062/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:taidoor:e2e9ac3, author = {MITRE ATT&CK}, title = {{Group description: Taidoor}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0015/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:tempveles:c62b7f7, author = {MITRE ATT&CK}, title = {{Group description: TEMP.Veles}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0088/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:threat:739dbdd, author = {MITRE ATT&CK}, title = {{Group description: Threat Group-3390}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0027/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:thrip:b7cf7c3, author = {MITRE ATT&CK}, title = {{Group description: Thrip}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0076/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:tool:5022816, author = {MITRE ATT&CK}, title = {{Tool description: NanHaiShu}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0228/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:tool:ae50919, author = {MITRE ATT&CK}, title = {{Tool description: BUBBLEWRAP}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0043/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:tool:aef0372, author = {MITRE ATT&CK}, title = {{Tool description: HALFBAKED}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0151/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:tool:e80f843, author = {MITRE ATT&CK}, title = {{Tool description: ELMER}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0064}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:tool:ebc79ce, author = {MITRE ATT&CK}, title = {{Tool description: BLACKCOFFEE}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0069/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:tool:fd89dda, author = {MITRE ATT&CK}, title = {{Tool description: China Chopper}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0020/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:tropic:0324452, author = {MITRE ATT&CK}, title = {{Group description: Tropic Trooper}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0081/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:turla:6c3dec8, author = {MITRE ATT&CK}, title = {{Group description: Turla}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0010/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:winnti:ad3b350, author = {MITRE ATT&CK}, title = {{Group description: Winnti Group}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0044/}, language = {English}, urldate = {2019-12-20} } @online{attck:20210106:attck:841bad7, author = {MITRE ATT&CK}, title = {{ATT&CK Navigator layer for UNC2452}}, date = {2021-01-06}, organization = {MITRE}, url = {https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/center-for-threat-informed-defense/public-resources/master/solorigate/UNC2452.json}, language = {English}, urldate = {2021-01-11} } @online{atweeteruser:20190726:malware:dce6863, author = {a_tweeter_user}, title = {{Tweet on Malware}}, date = {2019-07-26}, organization = {Twitter (@a_tweeter_user)}, url = {https://twitter.com/a_tweeter_user/status/1154764787823316993}, language = {English}, urldate = {2020-01-08} } @online{auld:20200929:whats:2782a62, author = {Andy Auld}, title = {{What's behind the increase in ransomware attacks this year?}}, date = {2020-09-29}, organization = {PWC UK}, url = {https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html}, language = {English}, urldate = {2021-05-25} } @online{authos:20160320:hidden:151e4e4, author = {Tripwire Guest Authos}, title = {{Hidden Tear Project: Forbidden Fruit Is the Sweetest}}, date = {2016-03-20}, organization = {Tripwire}, url = {https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/hidden-tear-project-forbidden-fruit-is-the-sweetest/}, language = {English}, urldate = {2020-01-08} } @online{avast:20171220:video:4c6aaa5, author = {Avast}, title = {{Video about Catelites Bot - Airbank Example}}, date = {2017-12-20}, organization = {YouTube}, url = {https://www.youtube.com/watch?v=1LOy0ZyjEOk}, language = {English}, urldate = {2020-01-07} } @online{avast:2018:hide:cd78bb0, author = {Avast}, title = {{Hide 'N Seek}}, date = {2018}, organization = {Avast}, url = {https://threatlabs.avast.com/botnet}, language = {English}, urldate = {2019-12-17} } @online{avast:20211027:avast:6b44ea1, author = {Avast}, title = {{Avast releases decryptor for AtomSilo and LockFile ransomware}}, date = {2021-10-27}, organization = {Avast Decoded}, url = {https://decoded.avast.io/threatintel/decryptor-for-atomsilo-and-lockfile-ransomware/}, language = {English}, urldate = {2021-11-08} } @online{avastthreatlabs:20211109:by:9f805da, author = {Twitter (@AvastThreatLabs)}, title = {{Tweet by Avast on a new Android Banker they call MasterFred}}, date = {2021-11-09}, url = {https://twitter.com/AvastThreatLabs/status/1458162276708483073}, language = {English}, urldate = {2021-11-10} } @online{avery:20211117:dns:847b573, author = {Kyle Avery}, title = {{DNS Over HTTPS for Cobalt Strike}}, date = {2021-11-17}, organization = {Black Hills Information Security}, url = {https://www.blackhillsinfosec.com/dns-over-https-for-cobalt-strike/}, language = {English}, urldate = {2022-02-19} } @online{avllazagaj:20210601:inside:e8edbce, author = {Erin Avllazagaj}, title = {{Inside commercial malware sandboxes}}, date = {2021-06-01}, organization = {Github (Albocoder)}, url = {https://web.archive.org/web/20210613070852/https://albocoder.github.io/malware/2021/06/01/SandboxStudy.html}, language = {English}, urldate = {2021-07-27} } @online{aydinbas:20190502:formbook:d1ef715, author = {Johann Aydinbas}, title = {{FormBook - Hiding in plain sight}}, date = {2019-05-02}, organization = {Usual Suspect RE}, url = {https://usualsuspect.re/article/formbook-hiding-in-plain-sight}, language = {English}, urldate = {2020-01-13} } @online{aydinbas:20220301:python:1e7cf7b, author = {Johann Aydinbas}, title = {{Python script to decrypt embedded driver used in Daxin}}, date = {2022-03-01}, organization = {Github (usualsuspect)}, url = {https://gist.github.com/usualsuspect/839fbc54e0d76bb2626329cd94274cd6}, language = {English}, urldate = {2022-03-07} } @online{aydinbas:20220523:deal:00dc16f, author = {Johann Aydinbas and Colin Murphy}, title = {{A deal with the devil: Analysis of a recent Matanbuchus sample}}, date = {2022-05-23}, organization = {DCSO}, url = {https://medium.com/@DCSO_CyTec/a-deal-with-the-devil-analysis-of-a-recent-matanbuchus-sample-3ce991951d6a}, language = {English}, urldate = {2022-05-24} } @techreport{ayers:20191113:through:70cc3b3, author = {Jen Ayers and Jason Rivera}, title = {{Through the Eyes of the Adversary}}, date = {2019-11-13}, institution = {CrowdStrike}, url = {https://na.eventscloud.com/file_uploads/6568237bca6dc156e5c5557c5989e97c_CrowdStrikeFal.Con2019_ThroughEyesOfAdversary_J.Ayers.pdf}, language = {English}, urldate = {2020-03-22} } @online{azad:20211215:threatlabz:fcf4d6c, author = {Rubin Azad}, title = {{ThreatLabz analysis - Log4Shell CVE-2021-44228 Exploit Attempts}}, date = {2021-12-15}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/threatlabz-analysis-log4shell-cve-2021-44228-exploit-attempts}, language = {English}, urldate = {2022-01-05} } @online{b:20200815:doublefantasy:6c843b6, author = {Adrien B}, title = {{Tweet on DoubleFantasy}}, date = {2020-08-15}, organization = {Twitter (@Int2e_)}, url = {https://twitter.com/Int2e_/status/1294565186939092994}, language = {English}, urldate = {2020-08-18} } @online{babaee:20200908:automated:eb3272c, author = {Hamidreza Babaee}, title = {{Automated dynamic import resolving using binary emulation}}, date = {2020-09-08}, organization = {Lopqto's Adventures}, url = {https://lopqto.me/posts/automated-dynamic-import-resolving}, language = {English}, urldate = {2020-09-09} } @online{babaee:20211017:building:4626116, author = {Hamidreza Babaee}, title = {{Building highly interactive honeypots: CVE-2021-41773 case study}}, date = {2021-10-17}, organization = {Lopqto's Adventures}, url = {https://lopqto.me/posts/building-highly-interactive-honeypots}, language = {English}, urldate = {2021-11-08} } @online{babayeva:20210203:dissecting:c116828, author = {Kamila Babayeva and Sebastian García}, title = {{Dissecting a RAT. Analysis of DroidJack v4.4 RAT network traffic.}}, date = {2021-02-03}, organization = {Stratosphere Lab}, url = {https://www.stratosphereips.org/blog/2021/1/22/analysis-of-droidjack-v44-rat-network-traffic}, language = {English}, urldate = {2021-02-04} } @online{babayeva:20210510:dissecting:7ea0641, author = {Kamila Babayeva and Sebastian García}, title = {{Dissecting a RAT. Analysis of the HawkShaw.}}, date = {2021-05-10}, organization = {Stratosphere Lab}, url = {https://www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-hawkshaw}, language = {English}, urldate = {2021-05-12} } @online{babayeva:20210601:dissecting:edf6609, author = {Kamila Babayeva and Sebastian García}, title = {{Dissecting a RAT. Analysis of the Command-line AndroRAT.}}, date = {2021-06-01}, organization = {Stratosphere Lab}, url = {https://www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-command-line-androrat}, language = {English}, urldate = {2021-06-09} } @online{babayeva:20210621:dissecting:98ec148, author = {Kamila Babayeva and Sebastian García}, title = {{Dissecting a RAT. Analysis of the Saefko RAT.}}, date = {2021-06-21}, organization = {Stratosphere Lab}, url = {https://www.stratosphereips.org/blog/2021/6/2/dissecting-a-rat-analysis-of-the-saefko-rat}, language = {English}, urldate = {2021-06-22} } @online{babe:201904:analyzing:3a404ff, author = {Cafe Babe}, title = {{Analyzing Emotet with Ghidra — Part 1}}, date = {2019-04}, url = {https://medium.com/@0xd0cf11e/analyzing-emotet-with-ghidra-part-1-4da71a5c8d69}, language = {English}, urldate = {2019-12-06} } @online{babuder:20220314:nasty:8cfc0e3, author = {Lane Babuder}, title = {{Nasty Escobar Banking Trojan Is Targeting Google Authenticator Codes For Android}}, date = {2022-03-14}, organization = {HotHardware}, url = {https://hothardware.com/news/escobar-banking-trojan-targets-mfa-codes}, language = {English}, urldate = {2022-03-17} } @online{baca:20200326:would:a184711, author = {Alejandro Baca and Rodel Mendrez}, title = {{Would You Exchange Your Security for a Gift Card?}}, date = {2020-03-26}, organization = {SpiderLabs Blog}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/would-you-exchange-your-security-for-a-gift-card/}, language = {English}, urldate = {2020-03-30} } @techreport{backdoor:201803:oceanlotus:a2c3636, author = {OceanLotus: Old techniques, new backdoor}, title = {{OceanLotus: Old techniques, new backdoor}}, date = {2018-03}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2018/03/ESET_OceanLotus.pdf}, language = {English}, urldate = {2020-01-07} } @online{backman:20210517:investigating:447e111, author = {Kent Backman}, title = {{Investigating the Watering Hole Linked to the Oldsmar Water Treatment Facility Breach}}, date = {2021-05-17}, organization = {Dragos}, url = {https://www.dragos.com/blog/investigating-the-watering-hole-linked-to-the-oldsmar-water-treatment-facility-breach/}, language = {English}, urldate = {2021-05-19} } @online{bacurio:20160621:curious:8607f46, author = {Floser Bacurio and Roland Dela Paz}, title = {{The Curious Case of an Unknown Trojan Targeting German-Speaking Users}}, date = {2016-06-21}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users.html}, language = {English}, urldate = {2020-01-08} } @online{bacurio:20170214:remcos:e924c55, author = {Floser Bacurio and Joie Salvio}, title = {{REMCOS: A New RAT In The Wild}}, date = {2017-02-14}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2}, language = {English}, urldate = {2020-01-09} } @online{bacurio:20171207:peculiar:e4c095f, author = {Floser Bacurio and Joie Salvio}, title = {{A Peculiar Case of Orcus RAT Targeting Bitcoin Investors}}, date = {2017-12-07}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitcoin-investors}, language = {English}, urldate = {2020-01-08} } @online{bader:20150112:dga:b961e18, author = {Johannes Bader}, title = {{The DGA of Shiotob}}, date = {2015-01-12}, url = {https://www.johannesbader.ch/2015/01/the-dga-of-shiotob/}, language = {English}, urldate = {2019-12-19} } @online{bader:20150210:dga:2ff5cf7, author = {Johannes Bader}, title = {{The DGA of Banjori}}, date = {2015-02-10}, organization = {Johannes Bader's Blog}, url = {https://www.johannesbader.ch/2015/02/the-dga-of-banjori/}, language = {English}, urldate = {2020-01-07} } @online{bader:20150306:dga:3673443, author = {Johannes Bader}, title = {{The DGA of DirCrypt}}, date = {2015-03-06}, url = {https://www.johannesbader.ch/2015/03/the-dga-of-dircrypt/}, language = {English}, urldate = {2019-11-28} } @online{bader:20150310:dga:4409507, author = {Johannes Bader}, title = {{The DGA of Pykspa}}, date = {2015-03-10}, organization = {Johannes Bader Blog}, url = {https://www.johannesbader.ch/2015/03/the-dga-of-pykspa/}, language = {English}, urldate = {2019-12-19} } @online{bader:20150522:dga:9ba1744, author = {Johannes Bader}, title = {{The DGA of Ranbyus}}, date = {2015-05-22}, organization = {Johannes Bader Blog}, url = {https://www.johannesbader.ch/2015/05/the-dga-of-ranbyus/}, language = {English}, urldate = {2020-01-06} } @online{bader:20150610:win32upatrebi:36ea1eb, author = {Johannes Bader}, title = {{Win32/Upatre.BI - Part One}}, date = {2015-06-10}, url = {https://johannesbader.ch/2015/06/Win32-Upatre-BI-Part-1-Unpacking/}, language = {English}, urldate = {2019-12-02} } @online{bader:20150719:faulty:e287eee, author = {Johannes Bader}, title = {{The Faulty Precursor of Pykspa's DGA}}, date = {2015-07-19}, organization = {Johannes Bader Blog}, url = {https://www.johannesbader.ch/2015/07/pykspas-inferior-dga-version/}, language = {English}, urldate = {2020-01-09} } @online{bader:20151222:krakens:330079f, author = {Johannes Bader}, title = {{Kraken's two Domain Generation Algorithms}}, date = {2015-12-22}, organization = {Johannes Bader's Blog}, url = {https://web.archive.org/web/20160324035554/https://www.johannesbader.ch/2015/12/krakens-two-domain-generation-algorithms//}, language = {English}, urldate = {2022-01-28} } @online{bader:20160110:dga:cb8a5e5, author = {Johannes Bader}, title = {{The DGA in Alureon/DNSChanger}}, date = {2016-01-10}, url = {https://www.johannesbader.ch/2016/01/the-dga-in-alureon-dnschanger/}, language = {English}, urldate = {2019-12-17} } @online{bader:20160221:phorpiex:ab65d87, author = {Johannes Bader}, title = {{Phorpiex - An IRC worm}}, date = {2016-02-21}, organization = {Johannes Bader Blog}, url = {https://www.johannesbader.ch/2016/02/phorpiex/}, language = {English}, urldate = {2020-01-06} } @online{bader:20160224:dga:735ff10, author = {Johannes Bader}, title = {{The DGA of Qakbot.T}}, date = {2016-02-24}, organization = {Johannes Bader Blog}, url = {https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/}, language = {English}, urldate = {2020-01-06} } @online{bader:20160306:dga:fe673b7, author = {Johannes Bader}, title = {{The DGA of PadCrypt}}, date = {2016-03-06}, url = {https://johannesbader.ch/2016/03/the-dga-of-padcrypt/}, language = {English}, urldate = {2019-12-06} } @online{bader:20160412:dga:469d85e, author = {Johannes Bader}, title = {{The DGA of Qadars v3}}, date = {2016-04-12}, url = {https://www.johannesbader.ch/2016/04/the-dga-of-qadars/}, language = {English}, urldate = {2019-07-11} } @online{bader:20170725:dridex:44f64d8, author = {Johannes Bader}, title = {{Dridex Loot}}, date = {2017-07-25}, organization = {Github (viql)}, url = {https://viql.github.io/dridex/}, language = {English}, urldate = {2020-01-07} } @online{bader:20180429:new:b8e7b59, author = {Johannes Bader}, title = {{The new Domain Generation Algorithm of Nymaim}}, date = {2018-04-29}, url = {https://johannesbader.ch/2018/04/the-new-domain-generation-algorithm-of-nymaim/}, language = {English}, urldate = {2020-01-07} } @online{bader:20190708:dga:0c56ba3, author = {Johannes Bader}, title = {{The DGA of Pitou}}, date = {2019-07-08}, url = {https://johannesbader.ch/2019/07/the-dga-of-pitou/}, language = {English}, urldate = {2020-01-10} } @online{bader:20191112:dga:0a1d2c8, author = {Johannes Bader}, title = {{The DGA of QSnatch}}, date = {2019-11-12}, organization = {Johannes Bader Blog}, url = {https://bin.re/blog/the-dga-of-qsnatch/}, language = {English}, urldate = {2020-01-13} } @online{bader:20200123:dga:129802e, author = {Johannes Bader}, title = {{The DGA of a Monero Miner Downloader}}, date = {2020-01-23}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/the-dga-of-a-monero-miner-downloader/}, language = {English}, urldate = {2020-01-27} } @online{bader:20200426:dga:edd448c, author = {Johannes Bader}, title = {{The DGA of Zloader}}, date = {2020-04-26}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/the-dga-of-zloader/}, language = {English}, urldate = {2020-04-26} } @online{bader:20200714:domain:51498ab, author = {Johannes Bader}, title = {{The Domain Generation Algorithm of BazarBackdoor}}, date = {2020-07-14}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/the-dga-of-bazarbackdoor/}, language = {English}, urldate = {2020-07-15} } @online{bader:20200715:defective:3a3721f, author = {Johannes Bader}, title = {{The Defective Domain Generation Algorithm of BazarBackdoor}}, date = {2020-07-15}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/the-buggy-dga-of-bazarbackdoor/}, language = {English}, urldate = {2020-07-15} } @online{bader:20201216:next:a8f5998, author = {Johannes Bader}, title = {{Next Version of the Bazar Loader DGA}}, date = {2020-12-16}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/next-version-of-the-bazarloader-dga/}, language = {English}, urldate = {2020-12-16} } @online{bader:20210123:yet:1274cbe, author = {Johannes Bader}, title = {{Yet Another Bazar Loader DGA}}, date = {2021-01-23}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/yet-another-bazarloader-dga/}, language = {English}, urldate = {2021-01-25} } @online{bader:20210809:bazarloader:e123577, author = {Johannes Bader}, title = {{A BazarLoader DGA that Breaks Down in the Summer}}, date = {2021-08-09}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/a-bazarloader-dga-that-breaks-during-summer-months/}, language = {English}, urldate = {2021-08-09} } @online{bader:20220111:reimplementation:f8b45d0, author = {Johannes Bader}, title = {{Reimplementation of Expiro's DGA}}, date = {2022-01-11}, organization = {Github (baderj)}, url = {https://github.com/baderj/domain_generation_algorithms/blob/master/expiro/dga.py}, language = {English}, urldate = {2022-02-10} } @online{bagnoli:20211117:sorveglianza:3272e30, author = {Lorenzo Bagnoli and Riccardo Coluccini}, title = {{Sorveglianza: l’azienda italiana che vuole sfidare i colossi NSO e Palantir}}, date = {2021-11-17}, organization = {Investigative reporting project Italy}, url = {https://irpimedia.irpi.eu/sorveglianze-cy4gate/}, language = {Italian}, urldate = {2021-11-18} } @online{bahtiarian:20220405:incident:abf42a6, author = {Brian Bahtiarian and David Blanton and Britton Manahan and Kyle Pellett}, title = {{Incident report: From CLI to console, chasing an attacker in AWS}}, date = {2022-04-05}, organization = {Expel}, url = {https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/}, language = {English}, urldate = {2022-04-08} } @techreport{bailey:201601:matryoshka:3c7753f, author = {Michael Bailey}, title = {{MATRYOSHKA MINING}}, date = {2016-01}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/848-DID-242/images/wp-mandiant-matryoshka-mining.pdf}, language = {English}, urldate = {2019-11-27} } @online{bailey:20190422:carbanak:c94c9f1, author = {Michael Bailey and James T. Bennett}, title = {{CARBANAK Week Part One: A Rare Occurrence}}, date = {2019-04-22}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html}, language = {English}, urldate = {2019-12-20} } @online{bailey:20190423:carbanak:cbe986c, author = {Michael Bailey and James T. Bennett}, title = {{CARBANAK Week Part Two: Continuing the CARBANAK Source Code Analysis}}, date = {2019-04-23}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-two-continuing-source-code-analysis.html}, language = {English}, urldate = {2019-12-20} } @online{bailey:20200208:reversing:b033cdc, author = {Michael Bailey}, title = {{Reversing the Gophe SPambot: Confronting COM Code and Surmounting STL Snags}}, date = {2020-02-08}, organization = {FireEye}, url = {https://github.com/strictlymike/presentations/tree/master/2020/2020.02.08_BSidesHuntsville}, language = {English}, urldate = {2020-10-05} } @online{bailey:20200407:thinking:7ee19d0, author = {Michael Bailey}, title = {{Thinking Outside the Bochs: Code Grafting to Unpack Malware in Emulation}}, date = {2020-04-07}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/04/code-grafting-to-unpack-malware-in-emulation.html}, language = {English}, urldate = {2020-05-05} } @online{bailey:20210209:bazarbackdoors:a9cf426, author = {Zachary Bailey}, title = {{BazarBackdoor’s Stealthy Infiltration Evades Multiple SEGs}}, date = {2021-02-09}, organization = {Cofense}, url = {https://cofense.com/blog/bazarbackdoor-stealthy-infiltration}, language = {English}, urldate = {2021-02-09} } @online{baird:20170320:necurs:ee5da07, author = {Sean Baird and Edmund Brumaghin and Earl Carter and Jaeson Schultz}, title = {{Necurs Diversifies Its Portfolio}}, date = {2017-03-20}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/03/necurs-diversifies.html}, language = {English}, urldate = {2020-01-07} } @online{bajak:20201023:report:7bb3ff0, author = {Frank Bajak}, title = {{Report: Ransomware disables Georgia county election database}}, date = {2020-10-23}, organization = {AP News}, url = {https://apnews.com/article/virus-outbreak-elections-georgia-voting-2020-voting-c191f128b36d1c0334c9d0b173daa18c}, language = {English}, urldate = {2020-11-02} } @online{bajak:20210416:how:d6f8b5a, author = {Frank Bajak}, title = {{How the Kremlin provides a safe harbor for ransomware}}, date = {2021-04-16}, organization = {Associated Press}, url = {https://apnews.com/article/russia-safe-harbor-ransomeware-hacking-c9dab7eb3841be45dff2d93ed3102999}, language = {English}, urldate = {2021-04-19} } @online{bajak:20210416:sanctioned:84bffd0, author = {Frank Bajak and Matt O'Brien}, title = {{Sanctioned Russian IT firm was partner with Microsoft, IBM}}, date = {2021-04-16}, organization = {Associated Press}, url = {https://apnews.com/article/business-europe-hacking-russia-dd8c331ff30d366ea4f5d828e788c307}, language = {English}, urldate = {2021-04-19} } @online{baker:20150318:feds:e9fe961, author = {Mike Baker}, title = {{Feds warned Premera about security flaws before breach}}, date = {2015-03-18}, organization = {Seattle Times}, url = {https://www.seattletimes.com/business/local-business/feds-warned-premera-about-security-flaws-before-breach/}, language = {English}, urldate = {2020-01-10} } @online{baker:20150504:threat:726f1f2, author = {Ben Baker and Alex Chiu}, title = {{Threat Spotlight: Rombertik – Gazing Past the Smoke, Mirrors, and Trapdoors}}, date = {2015-05-04}, organization = {Cisco Talos}, url = {http://blogs.cisco.com/security/talos/rombertik}, language = {English}, urldate = {2020-01-06} } @online{baker:20160428:research:999032f, author = {Ben Baker}, title = {{Research Spotlight: The Resurgence of Qbot}}, date = {2016-04-28}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2016/04/qbot-on-the-rise.html}, language = {English}, urldate = {2021-03-04} } @online{baker:20161207:floki:69ffd12, author = {Ben Baker and Edmund Brumaghin and Mariano Graziano and Jonas Zaddach}, title = {{Floki Bot Strikes, Talos and Flashpoint Respond}}, date = {2016-12-07}, organization = {Cisco Talos}, url = {http://blog.talosintel.com/2016/12/flokibot-collab.html#more}, language = {English}, urldate = {2020-01-09} } @online{baker:20180703:smoking:067be1f, author = {Ben Baker and Holger Unterbrink}, title = {{Smoking Guns - Smoke Loader learned new tricks}}, date = {2018-07-03}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html}, language = {English}, urldate = {2019-10-14} } @online{baker:20200706:wastedlocker:f33e129, author = {Ben Baker and Edmund Brumaghin and JJ Cummings and Arnaud Zobec}, title = {{WastedLocker Goes "Big-Game Hunting" in 2020}}, date = {2020-07-06}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/07/wastedlocker-emerges.html}, language = {English}, urldate = {2020-07-07} } @online{bakuei:20210125:fake:eeac584, author = {Matsukawa Bakuei and Marshall Chen and Vladimir Kropotov and Loseway Lu and Fyodor Yarochkin}, title = {{Fake Office 365 Used for Phishing Attacks on C-Suite Targets}}, date = {2021-01-25}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/a/fake-office-365-used-for-phishing-attacks-on-c-suite-targets.html}, language = {English}, urldate = {2021-01-27} } @online{balaam:20211028:rooting:fbbe47f, author = {Kristina Balaam and Paul Shunk}, title = {{Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign}}, date = {2021-10-28}, organization = {Lookout}, url = {https://blog.lookout.com/lookout-discovers-global-rooting-malware-campaign}, language = {English}, urldate = {2021-11-03} } @online{balaganesh:20220624:icedid:2bb9d0d, author = {BalaGanesh}, title = {{IcedID Banking Trojan returns with new TTPS – Detection & Response}}, date = {2022-06-24}, organization = {Soc Investigation}, url = {https://www.socinvestigation.com/icedid-banking-trojan-returns-with-new-ttps-detection-response/}, language = {English}, urldate = {2022-06-27} } @online{ballenthin:20200117:404:cc95f5f, author = {William Ballenthin and Josh Madeley}, title = {{404 Exploit Not Found: Vigilante Deploying Mitigation for Citrix NetScaler Vulnerability While Maintaining Backdoor}}, date = {2020-01-17}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html}, language = {English}, urldate = {2020-01-17} } @online{bambenek:20160502:osint:54b6791, author = {John Bambenek}, title = {{OSINT Feed}}, date = {2016-05-02}, organization = {John Bambenek}, url = {http://osint.bambenekconsulting.com/feeds/}, language = {English}, urldate = {2020-01-06} } @online{bambenek:20190207:inside:2a18c89, author = {John Bambenek}, title = {{An Inside Look at the Infrastructure Behind the Russian APT Gamaredon Group}}, date = {2019-02-07}, organization = {ThreatStop}, url = {https://blog.threatstop.com/russian-apt-gamaredon-group}, language = {English}, urldate = {2020-01-06} } @online{banasiakmrozek:20210621:lolifox:7b82098, author = {Marzena Banasiak-Mrozek}, title = {{Lolifox – kto za nim stał i co się z nim stało?}}, date = {2021-06-21}, organization = {payload.pl}, url = {https://payload.pl/co-sie-stalo-z-lolifoxem/}, language = {Polish}, urldate = {2021-06-22} } @online{bancal:20200130:cyber:0a267d4, author = {Damien Bancal}, title = {{Cyber attaque à l’encontre des serveurs de Bouygues Construction}}, date = {2020-01-30}, organization = {ZATAZ}, url = {https://www.zataz.com/cyber-attaque-a-lencontre-des-serveurs-de-bouygues-construction/}, language = {French}, urldate = {2020-02-03} } @online{banksecurity:20190601:new:3ddfbf1, author = {Bank_Security}, title = {{New ATM Malware NVISOSPIT}}, date = {2019-06-01}, organization = {Twitter (@Bank_Security)}, url = {https://twitter.com/Bank_Security/status/1134850646413385728}, language = {English}, urldate = {2019-11-17} } @online{banksecurity:20210416:are:88ed36e, author = {Bank_Security}, title = {{Are the hackers all Russian? Results of a 1 year espionage operation in the Top-tier Russian underground communities}}, date = {2021-04-16}, organization = {Medium (Bank Security)}, url = {https://bank-security.medium.com/are-the-hackers-all-russian-363d09a6610}, language = {English}, urldate = {2021-04-19} } @online{bansal:20201216:list:aa0388d, author = {R. Bansal}, title = {{List of domain infrastructure including DGA domain used by UNC2452}}, date = {2020-12-16}, organization = {Twitter (@0xrb)}, url = {https://twitter.com/0xrb/status/1339199268146442241}, language = {English}, urldate = {2020-12-17} } @online{bao:20200707:cobalt:cf80aa8, author = {Ladislav Bačo}, title = {{Cobalt Strike stagers used by FIN6}}, date = {2020-07-07}, organization = {MWLab}, url = {https://malwarelab.eu/posts/fin6-cobalt-strike/}, language = {English}, urldate = {2020-07-11} } @online{bao:20210809:cobalt:fc98da7, author = {Ladislav Bačo}, title = {{APT Cobalt Strike Campaign targeting Slovakia (DEF CON talk)}}, date = {2021-08-09}, organization = {IstroSec}, url = {https://www.istrosec.com/blog/apt-sk-cobalt/}, language = {English}, urldate = {2021-08-16} } @online{bar:20160502:prince:7769673, author = {Tomer Bar and Simon Conant}, title = {{Prince of Persia: Infy Malware Active In Decade of Targeted Attacks}}, date = {2016-05-02}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/}, language = {English}, urldate = {2020-01-06} } @online{bar:20160502:prince:8b14d7f, author = {Tomer Bar and Simon Conant}, title = {{Prince of Persia: Infy Malware Active In Decade of Targeted Attacks}}, date = {2016-05-02}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/}, language = {English}, urldate = {2019-12-20} } @online{bar:20160502:prince:cfd5940, author = {Tomer Bar and Simon Conant}, title = {{Prince of Persia: Infy Malware Active In Decade of Targeted Attacks}}, date = {2016-05-02}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/}, language = {English}, urldate = {2020-04-06} } @online{bar:20160628:prince:b1d2cdd, author = {Tomer Bar and Lior Efraim and Simon Conant}, title = {{Prince of Persia – Game Over}}, date = {2016-06-28}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/}, language = {English}, urldate = {2019-10-28} } @online{bar:20170405:targeted:49e76a6, author = {Tomer Bar and Tom Lancaster}, title = {{Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA}}, date = {2017-04-05}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/}, language = {English}, urldate = {2019-12-10} } @online{bar:20170405:targeted:feb4b54, author = {Tomer Bar and Tom Lancaster}, title = {{Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA}}, date = {2017-04-05}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/}, language = {English}, urldate = {2019-12-20} } @online{bar:20170801:prince:db6038a, author = {Tomer Bar and Simon Conant}, title = {{Prince of Persia – Ride the Lightning: Infy returns as “Foudre”}}, date = {2017-08-01}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/}, language = {English}, urldate = {2019-12-20} } @online{bar:20170801:prince:e7d5542, author = {Tomer Bar and Simon Conant}, title = {{Prince of Persia – Ride the Lightning: Infy returns as “Foudre”}}, date = {2017-08-01}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-prince-persia-ride-lightning-infy-returns-foudre/}, language = {English}, urldate = {2020-01-08} } @online{bar:20211124:new:3fc1309, author = {Tomer Bar}, title = {{New PowerShortShell Stealer Exploits Recent Microsoft MSHTML Vulnerability to Spy on Farsi Speakers}}, date = {2021-11-24}, organization = {safebreach}, url = {https://www.safebreach.com/blog/2021/new-powershortshell-stealer-exploits-recent-microsoft-mshtml-vulnerability-to-spy-on-farsi-speakers/}, language = {English}, urldate = {2021-11-29} } @online{barabosch:20200114:inside:2187ad3, author = {Thomas Barabosch}, title = {{Inside of CL0P’s ransomware operation}}, date = {2020-01-14}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824}, language = {English}, urldate = {2021-01-14} } @online{barabosch:20200122:malware:f805475, author = {Thomas Barabosch}, title = {{The malware analyst’s guide to PE timestamps}}, date = {2020-01-22}, url = {https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/}, language = {English}, urldate = {2021-01-25} } @online{barabosch:20200203:dissecting:c1a6bca, author = {Thomas Barabosch}, title = {{Dissecting Emotet – Part 1}}, date = {2020-02-03}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/cybersecurity-dissecting-emotet-part-one-592612}, language = {English}, urldate = {2020-02-07} } @online{barabosch:20200306:dissecting:809bc54, author = {Thomas Barabosch}, title = {{Dissecting Emotet - Part 2}}, date = {2020-03-06}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/cybersecurity-dissecting-emotet-part-two-596128}, language = {English}, urldate = {2020-03-09} } @online{barabosch:20200326:ta505s:24d9805, author = {Thomas Barabosch}, title = {{TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer}}, date = {2020-03-26}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672}, language = {English}, urldate = {2020-03-27} } @online{barabosch:20200514:lolsnif:c7a2736, author = {Thomas Barabosch}, title = {{LOLSnif – Tracking Another Ursnif-Based Targeted Campaign}}, date = {2020-05-14}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/lolsnif-tracking-another-ursnif-based-targeted-campaign-600062}, language = {English}, urldate = {2020-05-14} } @online{barabosch:20200616:ta505:619f2c6, author = {Thomas Barabosch}, title = {{TA505 returns with a new bag of tricks}}, date = {2020-06-16}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104}, language = {English}, urldate = {2020-06-18} } @online{barabosch:20201006:eager:54da318, author = {Thomas Barabosch}, title = {{Eager Beaver: A Short Overview of the Restless Threat Actor TA505}}, date = {2020-10-06}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546}, language = {English}, urldate = {2020-10-08} } @online{barabosch:20201217:smokeloader:937c780, author = {Thomas Barabosch}, title = {{Smokeloader is still alive and kickin’ – A new way to encrypt CC server URLs}}, date = {2020-12-17}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/a-new-way-to-encrypt-cc-server-urls-614886}, language = {English}, urldate = {2020-12-18} } @online{barabosch:20201223:detect:bd873bc, author = {Thomas Barabosch}, title = {{Detect RC4 in (malicious) binaries}}, date = {2020-12-23}, organization = {0xC0DECAFE}, url = {https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries}, language = {English}, urldate = {2020-12-26} } @online{barabosch:20201228:never:f7e93aa, author = {Thomas Barabosch}, title = {{Never upload ransomware samples to the Internet}}, date = {2020-12-28}, organization = {0xC0DECAFE}, url = {https://0xc0decafe.com/2020/12/28/never-upload-ransomware-samples-to-the-internet/}, language = {English}, urldate = {2021-01-01} } @online{barabosch:20210108:malware:27c7ee2, author = {Thomas Barabosch}, title = {{The malware analyst’s guide to aPLib decompression}}, date = {2021-01-08}, organization = {0xC0DECAFE}, url = {https://0xc0decafe.com/malware-analysts-guide-to-aplib-decompression/}, language = {English}, urldate = {2021-01-11} } @online{barabosch:20210128:learn:8ffa412, author = {Thomas Barabosch}, title = {{Learn how to fix PE magic numbers with Malduck}}, date = {2021-01-28}, organization = {0xC0DECAFE}, url = {https://0xc0decafe.com/fix-pe-magic-numbers-with-malduck/}, language = {English}, urldate = {2021-02-06} } @online{barabosch:20210517:lets:04a8b63, author = {Thomas Barabosch}, title = {{Let’s set ice on fire: Hunting and detecting IcedID infections}}, date = {2021-05-17}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240}, language = {English}, urldate = {2021-05-17} } @online{barabosch:20210914:flubots:a0b25c3, author = {Thomas Barabosch}, title = {{Flubot’s Smishing Campaigns under the Microscope}}, date = {2021-09-14}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/flubot-under-the-microscope-636368}, language = {English}, urldate = {2021-09-22} } @online{baranov:20121212:analysis:6e76df4, author = {Artem Baranov}, title = {{Analysis of VirTool:WinNT/Exforel.A rootkit}}, date = {2012-12-12}, url = {https://artemonsecurity.blogspot.com/2012/12/analysis-of-virtoolwinntexforela-rootkit.html}, language = {English}, urldate = {2020-09-25} } @online{baranov:20161003:remsec:3877dab, author = {Artem Baranov}, title = {{Remsec driver analysis}}, date = {2016-10-03}, url = {https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis.html}, language = {English}, urldate = {2020-03-28} } @online{baranov:20161010:remsec:9ed5754, author = {Artem Baranov}, title = {{Remsec driver analysis - Part 2}}, date = {2016-10-10}, url = {https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis-part-2.html}, language = {English}, urldate = {2020-03-28} } @online{baranov:20161011:remsec:02eae63, author = {Artem Baranov}, title = {{Remsec driver analysis - Part 3}}, date = {2016-10-11}, url = {https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis-part-3.html}, language = {English}, urldate = {2020-03-28} } @online{baranov:20170113:finfisher:436b89e, author = {Artem Baranov}, title = {{Finfisher rootkit analysis}}, date = {2017-01-13}, url = {https://artemonsecurity.blogspot.de/2017/01/finfisher-rootkit-analysis.html}, language = {English}, urldate = {2019-11-26} } @online{baranov:20170330:equationdrug:7255a48, author = {Artem Baranov}, title = {{EquationDrug rootkit analysis (mstcp32.sys)}}, date = {2017-03-30}, url = {http://artemonsecurity.blogspot.com/2017/03/equationdrug-rootkit-analysis-mstcp32sys.html}, language = {English}, urldate = {2020-01-07} } @online{baranov:20170413:stuxnet:c221f57, author = {Artem Baranov}, title = {{Stuxnet drivers: detailed analysis}}, date = {2017-04-13}, organization = {A blog about rootkits research and the Windows kernel}, url = {http://artemonsecurity.blogspot.de/2017/04/stuxnet-drivers-detailed-analysis.html}, language = {English}, urldate = {2020-01-08} } @online{barbatei:20210601:threat:83b0dfc, author = {Alin Mihai Barbatei and Oana Asoltanei and Silviu Stahie}, title = {{Threat Actors Use Mockups of Popular Apps to Spread Teabot and Flubot Malware on Android}}, date = {2021-06-01}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2021/06/threat-actors-use-mockups-of-popular-apps-to-spread-teabot-and-flubot-malware-on-android/}, language = {English}, urldate = {2021-06-09} } @online{barbehenn:20201029:threat:de33a6d, author = {Brittany Barbehenn and Doel Santos and Brad Duncan}, title = {{Threat Assessment: Ryuk Ransomware and Trickbot Targeting U.S. Healthcare and Public Health Sector}}, date = {2020-10-29}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/ryuk-ransomware/}, language = {English}, urldate = {2020-11-02} } @online{barboza:20181229:malware:d5d8d0d, author = {Tony Barboza and Meg James and Emily Alpert Reyes}, title = {{Malware attack disrupts delivery of L.A. Times and Tribune papers across the U.S.}}, date = {2018-12-29}, organization = {Los Angeles Times}, url = {https://www.latimes.com/local/lanow/la-me-ln-times-delivery-disruption-20181229-story.html}, language = {English}, urldate = {2020-01-10} } @online{barc:20180619:backswap:f0869a4, author = {Hubert Barc}, title = {{Backswap malware analysis}}, date = {2018-06-19}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/backswap-malware-analysis/}, language = {English}, urldate = {2019-12-10} } @online{barclay:20211109:capability:14dd962, author = {Michael Barclay}, title = {{Capability Abstraction Case Study: Detecting Malicious Boot Configuration Modifications}}, date = {2021-11-09}, organization = {SpecterOps}, url = {https://posts.specterops.io/capability-abstraction-case-study-detecting-malicious-boot-configuration-modifications-1852e2098a65}, language = {English}, urldate = {2021-11-17} } @online{barda:20220124:scammers:df4feaf, author = {Dikla Barda and Romain Zaikin and Oded Vanunu}, title = {{Scammers are creating new fraudulent Crypto Tokens and misconfiguring smart contract’s to steal funds}}, date = {2022-01-24}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2022/scammers-are-creating-new-fraudulent-crypto-tokens-and-misconfiguring-smart-contracts-to-steal-funds/}, language = {English}, urldate = {2022-01-25} } @online{bareli:20210114:python:c95ebf6, author = {Shiran Bareli}, title = {{Python Cryptominer Botnet Quickly Adopts Latest Vulnerabilities}}, date = {2021-01-14}, organization = {Imperva}, url = {https://www.imperva.com/blog/python-cryptominer-botnet-quickly-adopts-latest-vulnerabilities/}, language = {English}, urldate = {2021-01-21} } @online{barker:20201001:duck:edcc017, author = {Dylan Barker and Quinten Bowen and Ryan Campbell}, title = {{Duck Hunting with Falcon Complete: Analyzing a Fowl Banking Trojan, Part 1}}, date = {2020-10-01}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-analyzing-a-fowl-banking-trojan-part-1/}, language = {English}, urldate = {2020-10-07} } @online{barnea:20220210:fritzfrog:630a9b9, author = {Ben Barnea and Shiran Guez and Ophir Harpaz}, title = {{FritzFrog: P2P Botnet Hops Back on the Scene}}, date = {2022-02-10}, organization = {Akamai}, url = {https://www.akamai.com/blog/security/fritzfrog-p2p}, language = {English}, urldate = {2022-02-14} } @online{barnea:20220413:critical:e87961f, author = {Ben Barnea and Ophir Harpaz}, title = {{Critical Remote Code Execution Vulnerabilities in Windows RPC Runtime (CVE-2022-26809)}}, date = {2022-04-13}, organization = {Akamai}, url = {https://www.akamai.com/blog/security/critical-remote-code-execution-vulnerabilities-windows-rpc-runtime}, language = {English}, urldate = {2022-04-15} } @online{barnett:20201020:404:c398034, author = {James Barnett}, title = {{404 Keylogger Campaigns}}, date = {2020-10-20}, organization = {Infoblox}, url = {https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--89}, language = {English}, urldate = {2021-02-24} } @online{barnhart:20220323:not:ca8438c, author = {Michael Barnhart and Michelle Cantos and Jeffery Johnson and Elias fox and Gary Freas and Dan Scott}, title = {{Not So Lazarus: Mapping DPRK Cyber Threat Groups to Government Organizations}}, date = {2022-03-23}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/mapping-dprk-groups-to-government}, language = {English}, urldate = {2022-03-25} } @online{barrett:20091029:twoheaded:0032db0, author = {Larry Barrett}, title = {{Two-Headed Trojan Targets Online Banks}}, date = {2009-10-29}, organization = {InternetNews}, url = {http://www.internetnews.com/security/article.php/3846186/TwoHeaded+Trojan+Targets+Online+Banks.htm}, language = {English}, urldate = {2020-01-08} } @online{barrett:20210425:vpn:79e7c48, author = {Brian Barrett}, title = {{VPN Hacks Are a Slow-Motion Disaster}}, date = {2021-04-25}, organization = {wire}, url = {https://www.wired.com/story/vpn-hacks-pulse-secure-espionage/}, language = {English}, urldate = {2021-04-29} } @online{bartblaze:20141110:thoughts:d7d0d68, author = {BartBlaze}, title = {{Thoughts on Absolute Computrace}}, date = {2014-11-10}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.de/2014/11/thoughts-on-absolute-computrace.html}, language = {English}, urldate = {2019-11-26} } @online{bartblaze:20150303:c99shell:a7f3a5b, author = {BartBlaze}, title = {{C99Shell not dead}}, date = {2015-03-03}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2015/03/c99shell-not-dead.html}, language = {English}, urldate = {2020-01-13} } @online{bartblaze:20150925:notes:79b37fe, author = {BartBlaze}, title = {{Notes on Linux/Xor.DDoS}}, date = {2015-09-25}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2015/09/notes-on-linuxxorddos.html}, language = {English}, urldate = {2020-01-08} } @online{bartblaze:20160202:vipasana:cf5cdd6, author = {BartBlaze}, title = {{Vipasana ransomware new ransom on the block}}, date = {2016-02-02}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2016/02/vipasana-ransomware-new-ransom-on-block.html}, language = {English}, urldate = {2020-09-15} } @online{bartblaze:20160726:otx:b95458e, author = {BartBlaze}, title = {{OTX Pulse on R980 ransomware}}, date = {2016-07-26}, organization = {AlienVault}, url = {https://otx.alienvault.com/pulse/57976b52b900fe01376feb01/}, language = {English}, urldate = {2020-01-13} } @online{bartblaze:20170824:crystal:16adb4a, author = {BartBlaze}, title = {{Crystal Finance Millennium used to spread malware}}, date = {2017-08-24}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html}, language = {English}, urldate = {2020-02-01} } @online{bartblaze:20171203:notes:53a752f, author = {BartBlaze}, title = {{Notes on Linux/BillGates}}, date = {2017-12-03}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2017/12/notes-on-linuxbillgates.html}, language = {English}, urldate = {2020-01-13} } @online{bartblaze:20180320:unlock92:863a267, author = {BartBlaze}, title = {{Tweet on Unlock92 Ransomware}}, date = {2018-03-20}, organization = {Twitter (@bartblaze)}, url = {https://twitter.com/bartblaze/status/976188821078462465}, language = {English}, urldate = {2020-01-07} } @online{bartblaze:20180410:maktub:e67ade0, author = {BartBlaze}, title = {{Maktub ransomware: possibly rebranded as Iron}}, date = {2018-04-10}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.de/2018/04/maktub-ransomware-possibly-rebranded-as.html}, language = {English}, urldate = {2019-07-10} } @online{bartblaze:20180415:this:1eaf3ba, author = {BartBlaze}, title = {{This is Spartacus: new ransomware on the block}}, date = {2018-04-15}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2018/04/this-is-spartacus-new-ransomware-on.html}, language = {English}, urldate = {2020-01-22} } @online{bartblaze:20180422:satan:04f63e8, author = {BartBlaze}, title = {{Satan ransomware adds EternalBlue exploit}}, date = {2018-04-22}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2018/04/satan-ransomware-adds-eternalblue.html}, language = {English}, urldate = {2020-01-10} } @online{bartblaze:20200114:satan:4d45ea5, author = {BartBlaze}, title = {{Satan ransomware rebrands as 5ss5c ransomware}}, date = {2020-01-14}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2020/01/satan-ransomware-rebrands-as-5ss5c.html}, language = {English}, urldate = {2020-01-17} } @online{bartblaze:20200913:cryakl:3d29bf0, author = {BartBlaze}, title = {{Tweet on Cryakl 2.0.0.0}}, date = {2020-09-13}, organization = {Twitter (@bartblaze)}, url = {https://twitter.com/bartblaze/status/1305197264332369920}, language = {English}, urldate = {2020-09-15} } @online{bartblaze:20210614:digital:f5d4313, author = {BartBlaze}, title = {{Digital artists targeted in RedLine infostealer campaign}}, date = {2021-06-14}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2021/06/digital-artists-targeted-in-redline.html}, language = {English}, urldate = {2021-06-16} } @techreport{bartholomew:20160907:wave:96e9f50, author = {Brian Bartholomew and Juan Andrés Guerrero-Saade}, title = {{Wave Your False Flags! Deception Tactics Muddying Attribution in Targeted Attacks}}, date = {2016-09-07}, institution = {Virus Bulletin}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf}, language = {English}, urldate = {2020-03-13} } @online{bartholomew:20170202:kopiluwak:d5c0245, author = {Brian Bartholomew}, title = {{KopiLuwak: A New JavaScript Payload from Turla}}, date = {2017-02-02}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/}, language = {English}, urldate = {2019-12-20} } @online{bartholomew:20191105:dadjoke:81e2a63, author = {Brian Bartholomew}, title = {{DADJOKE}}, date = {2019-11-05}, url = {https://prezi.com/view/jGyAzyy5dTOkDrtwsJi5/}, language = {English}, urldate = {2020-01-07} } @online{bartholomew:20200103:nice:ddc5c57, author = {Brian Bartholomew}, title = {{Nice One, Dad: Dissecting A Rare Malware Used By Leviathan}}, date = {2020-01-03}, organization = {Youtube (BSides Belfast)}, url = {https://www.youtube.com/watch?v=vx9IB88wXSE}, language = {English}, urldate = {2020-01-13} } @online{bary:20200115:analyzing:02aabc4, author = {Guy Bary}, title = {{Analyzing Magecart Malware – From Zero to Hero}}, date = {2020-01-15}, organization = {PerimeterX}, url = {https://www.perimeterx.com/blog/analyzing_magecart_malware_from_zero_to_hero/}, language = {English}, urldate = {2020-01-17} } @online{bash:20211014:countering:eef058c, author = {Ajax Bash and Google Threat Analysis Group}, title = {{Countering threats from Iran (APT35)}}, date = {2021-10-14}, organization = {Google}, url = {https://blog.google/threat-analysis-group/countering-threats-iran/}, language = {English}, urldate = {2021-10-25} } @online{bashir:20220211:netwalker:7459a58, author = {Sadia Bashir}, title = {{Netwalker: from Powershell reflective loader to injected dll}}, date = {2022-02-11}, organization = {Github (0x00-0x7f)}, url = {https://0x00-0x7f.github.io/Netwalker-from-Powershell-reflective-loader-to-injected-Dll/}, language = {English}, urldate = {2022-02-18} } @online{bashir:20220327:case:80e7471, author = {Sadia Bashir}, title = {{A Case of Vidar Infostealer - Part 1 (Unpacking)}}, date = {2022-03-27}, organization = {Github (0x00-0x7f)}, url = {https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/}, language = {English}, urldate = {2022-03-31} } @online{bashir:20220518:case:986df17, author = {Sadia Bashir}, title = {{A Case of Vidar Infostealer - Part 2}}, date = {2022-05-18}, organization = {Github (0x00-0x7f)}, url = {https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/}, language = {English}, urldate = {2022-05-25} } @online{bashis:20170306:0day:e03d5c7, author = {bashis}, title = {{0-Day: Dahua backdoor Generation 2 and 3}}, date = {2017-03-06}, url = {http://seclists.org/fulldisclosure/2017/Mar/7}, language = {English}, urldate = {2019-12-18} } @online{baskin:20200603:medusa:8d92754, author = {Brian Baskin}, title = {{Medusa Locker Ransomware}}, date = {2020-06-03}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/06/03/tau-threat-analyis-medusa-locker-ransomware/}, language = {English}, urldate = {2020-06-04} } @online{baskin:20200708:tau:4b05a00, author = {Brian Baskin}, title = {{TAU Threat Discovery: Conti Ransomware}}, date = {2020-07-08}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/}, language = {English}, urldate = {2020-07-08} } @online{basnett:20210714:investigating:585e2a1, author = {Chris Basnett}, title = {{Investigating a Suspicious Service}}, date = {2021-07-14}, organization = {MDSec}, url = {https://www.mdsec.co.uk/2021/07/investigating-a-suspicious-service/}, language = {English}, urldate = {2021-07-20} } @online{bassat:20170807:new:d776333, author = {Omri Ben Bassat}, title = {{New Variants of Agent.BTZ/ComRAT Found: The Threat That Hit The Pentagon In 2008 Still Evolving; Part 1/2}}, date = {2017-08-07}, organization = {Intezer}, url = {http://www.intezer.com/new-variants-of-agent-btz-comrat-found/}, language = {English}, urldate = {2019-12-17} } @online{bassat:20170913:new:376f00f, author = {Omri Ben Bassat}, title = {{New Variants of Agent.BTZ/ComRAT Found: The Threat That Hit The Pentagon In 2008 Still Evolving; Part 2/2}}, date = {2017-09-13}, organization = {Intezer}, url = {http://www.intezer.com/new-variants-of-agent-btz-comrat-found-part-2/}, language = {English}, urldate = {2019-12-24} } @online{bassat:20180529:iron:5943a09, author = {Omri Ben Bassat}, title = {{Iron Cybercrime Group Under The Scope}}, date = {2018-05-29}, organization = {Intezer}, url = {https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/}, language = {English}, urldate = {2019-12-05} } @techreport{bataille:201810:hunting:c5ffe40, author = {Adrian Bataille and Matias Bevilacqua}, title = {{Hunting for PLATINUM}}, date = {2018-10}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s01-hunting-for-platinum.pdf}, language = {English}, urldate = {2020-01-07} } @online{bataille:20210901:too:5f62b52, author = {Adrien Bataille and Blaine Stancill}, title = {{Too Log; Didn't Read — Unknown Actor Using CLFS Log Files for Stealth}}, date = {2021-09-01}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html}, language = {English}, urldate = {2021-09-02} } @online{bataille:20211214:azure:bb96515, author = {Adrien Bataille and Anders Vejlby and Jared Scott Wilson and Nader Zaveri}, title = {{Azure Run Command for Dummies}}, date = {2021-12-14}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/azure-run-command-dummies}, language = {English}, urldate = {2022-01-03} } @online{batista:20220524:emotet:cae57f1, author = {João Batista and Pedro Umbelino and BitSight}, title = {{Emotet Botnet Rises Again}}, date = {2022-05-24}, organization = {BitSight}, url = {https://www.bitsight.com/blog/emotet-botnet-rises-again}, language = {English}, urldate = {2022-05-25} } @online{batra:20220404:detailed:eb43a08, author = {Anirudh Batra}, title = {{Detailed Analysis of LAPSUS$ Cybercriminal Group that has Compromised Nvidia, Microsoft, Okta, and Globant}}, date = {2022-04-04}, organization = {Cloudsek}, url = {https://cloudsek.com/profile-lapsus-cybercriminal-group/}, language = {English}, urldate = {2022-05-25} } @online{batsec:20200811:defending:7710531, author = {batsec}, title = {{Defending Your Malware}}, date = {2020-08-11}, organization = {Dylan Codes Blog}, url = {https://blog.dylan.codes/defending-your-malware/}, language = {English}, urldate = {2020-08-12} } @online{baughman:20211107:selling:2961086, author = {Maggie Baughman}, title = {{Selling China's Story}}, date = {2021-11-07}, organization = {ChinaTalk}, url = {https://shows.acast.com/g/episodes/selling-chinas-story2}, language = {English}, urldate = {2021-11-17} } @online{baumgartner:20141103:be2:ea8544a, author = {Kurt Baumgartner and Maria Garnaeva}, title = {{BE2 custom plugins, router abuse, and target profiles}}, date = {2014-11-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/}, language = {English}, urldate = {2019-12-20} } @online{baumgartner:20141208:penquin:afd9ae5, author = {Kurt Baumgartner and Costin Raiu}, title = {{The ‘Penquin’ Turla}}, date = {2014-12-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/67962/the-penquin-turla-2/}, language = {English}, urldate = {2019-12-20} } @online{baumgartner:20150217:be2:f7ce288, author = {Kurt Baumgartner and Maria Garnaeva}, title = {{BE2 extraordinary plugins, Siemens targeting, dev fails}}, date = {2015-02-17}, organization = {Kaspersky Labs}, url = {https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/}, language = {English}, urldate = {2019-12-20} } @online{baumgartner:20150304:whos:0b8331c, author = {Kurt Baumgartner and Juan Andrés Guerrero-Saade}, title = {{Who’s Really Spreading through the Bright Star?}}, date = {2015-03-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/whos-really-spreading-through-the-bright-star/68978/}, language = {English}, urldate = {2019-12-20} } @online{baumgartner:20150331:sinkholing:7a359b4, author = {Kurt Baumgartner and Costin Raiu}, title = {{Sinkholing Volatile Cedar DGA Infrastructure}}, date = {2015-03-31}, organization = {Kaspersky Labs}, url = {https://securelist.com/sinkholing-volatile-cedar-dga-infrastructure/69421/}, language = {English}, urldate = {2019-12-20} } @online{baumgartner:20150514:naikon:9edea2f, author = {Kurt Baumgartner and Maxim Golovkin}, title = {{The Naikon APT}}, date = {2015-05-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/analysis/publications/69953/the-naikon-apt/}, language = {English}, urldate = {2019-12-20} } @techreport{baumgartner:20150529:msnmm:3d6b500, author = {Kurt Baumgartner and Maxim Golovkin}, title = {{THE MsnMM CAMPAIGNS: The Earliest Naikon APT Campaigns}}, date = {2015-05-29}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf}, language = {English}, urldate = {2020-01-09} } @techreport{baumgartner:201505:msnmm:13a9145, author = {Kurt Baumgartner and Maxim Golovkin}, title = {{The MsnMM Campaigns - The Earliest Naikon APTCampaigns}}, date = {2015-05}, institution = {Kaspersky Labs}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf}, language = {English}, urldate = {2019-07-11} } @online{baumgartner:20150617:spring:dc116aa, author = {Kurt Baumgartner}, title = {{The Spring Dragon APT}}, date = {2015-06-17}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/70726/the-spring-dragon-apt/}, language = {English}, urldate = {2019-12-20} } @online{baumgartner:20161003:strongpity:d4a8c09, author = {Kurt Baumgartner}, title = {{On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users}}, date = {2016-10-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/}, language = {English}, urldate = {2019-12-20} } @online{baumgartner:20161006:strongpity:898bc2b, author = {Kurt Baumgartner}, title = {{On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users}}, date = {2016-10-06}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users}, language = {English}, urldate = {2020-01-09} } @online{baumgartner:20210612:same:49bc254, author = {Kurt Baumgartner and Kaspersky}, title = {{Same and Different - sesame street level attribution}}, date = {2021-06-12}, organization = {YouTube (BSidesBoulder)}, url = {https://youtu.be/SW8kVkwDOrc?t=24706}, language = {English}, urldate = {2021-06-21} } @online{bautista:20190110:pylocky:92bf2fc, author = {Mike Bautista}, title = {{Pylocky Unlocked: Cisco Talos releases PyLocky ransomware decryptor}}, date = {2019-01-10}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/01/pylocky-unlocked-cisco-talos-releases.html}, language = {English}, urldate = {2019-10-15} } @online{baylor:20210512:darkside:f63c2c2, author = {Ramarcus Baylor}, title = {{DarkSide Ransomware Gang: An Overview}}, date = {2021-05-12}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/darkside-ransomware/}, language = {English}, urldate = {2021-05-13} } @online{baz:20170228:dridexs:f72a5ec, author = {Magal Baz and Or Safran}, title = {{Dridex’s Cold War: Enter AtomBombing}}, date = {2017-02-28}, organization = {Security Intelligence}, url = {https://securityintelligence.com/dridexs-cold-war-enter-atombombing/}, language = {English}, urldate = {2019-12-16} } @online{bazally:20161227:pegasus:9fd5170, author = {Max Bazally}, title = {{Pegasus internals: Technical Teardown of the Pegasus malware and Trident exploit chain}}, date = {2016-12-27}, organization = {CCC}, url = {https://media.ccc.de/v/33c3-7901-pegasus_internals}, language = {English}, urldate = {2020-01-08} } @techreport{beauchampmustafaga:20210621:deciphering:997606b, author = {Nathan Beauchamp-Mustafaga and Derek Grossman and Kristen Gunness and Michael S. Chase and Marigold Black and Natalia D. Simmons-Thomas}, title = {{Deciphering Chinese Deterrence Signalling in the New Era An Analytic Framework and Seven Case Studies}}, date = {2021-06-21}, institution = {RAND Corporation}, url = {https://www.rand.org/content/dam/rand/pubs/research_reports/RRA1000/RR-A1074-1/RAND_RRA1074-1.pdf}, language = {English}, urldate = {2021-07-24} } @online{beaumont:20190321:how:ecfbbf1, author = {Kevin Beaumont}, title = {{How Lockergoga took down Hydro — ransomware used in targeted attacks aimed at big business}}, date = {2019-03-21}, organization = {DoublePulsar}, url = {https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880}, language = {English}, urldate = {2019-11-29} } @online{beaumont:20201016:second:197ec38, author = {Kevin Beaumont}, title = {{Second Zerologon attacker seen exploiting internet honeypot}}, date = {2020-10-16}, organization = {Medium Doublepulsar}, url = {https://doublepulsar.com/second-zerologon-attacker-seen-exploiting-internet-honeypot-c7fb074451ef}, language = {English}, urldate = {2020-10-23} } @online{beaumont:20201219:twitter:7b4cb8f, author = {Kevin Beaumont}, title = {{A twitter thread on Azure sentinel hunting queries for detecting UNC2452 activity}}, date = {2020-12-19}, organization = {Twitter (@GossiTheDog)}, url = {https://twitter.com/GossiTheDog/status/1340035657838850048}, language = {English}, urldate = {2020-12-19} } @online{beaumont:20210627:babuk:a031da5, author = {Kevin Beaumont}, title = {{Tweet on babuk ransomware builder}}, date = {2021-06-27}, organization = {Twitter (@GossiTheDog)}, url = {https://twitter.com/GossiTheDog/status/1409117153182224386}, language = {English}, urldate = {2021-07-01} } @online{beaumont:20210703:kaseya:8013669, author = {Kevin Beaumont}, title = {{Kaseya supply chain attack delivers mass ransomware event to US companies}}, date = {2021-07-03}, organization = {Medium Doublepulsar}, url = {https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b}, language = {English}, urldate = {2021-07-24} } @online{beaumont:20210916:some:550bbaa, author = {Kevin Beaumont}, title = {{Tweet on some unknown threat actor dropping Mgbot, custom IIS modular backdoor and cobalstrike using exploiting ProxyShell}}, date = {2021-09-16}, organization = {Twitter (@GossiTheDog)}, url = {https://twitter.com/GossiTheDog/status/1438500100238577670}, language = {English}, urldate = {2021-09-20} } @online{beaumont:20220507:bpfdoor:9d41f91, author = {Kevin Beaumont}, title = {{BPFDoor — an active Chinese global surveillance tool}}, date = {2022-05-07}, organization = {DoublePulsar}, url = {https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896}, language = {English}, urldate = {2022-05-09} } @online{beckers:20210419:how:60ec572, author = {Jeroen Beckers}, title = {{How to analyze mobile malware: a Cabassous/FluBot Case study}}, date = {2021-04-19}, organization = {nviso}, url = {https://blog.nviso.eu/2021/04/19/how-to-analyze-mobile-malware-a-cabassous-flubot-case-study/}, language = {English}, urldate = {2021-04-28} } @online{beckers:20210511:android:4e1e946, author = {Jeroen Beckers}, title = {{Android overlay attacks on Belgian financial applications}}, date = {2021-05-11}, organization = {nviso}, url = {https://blog.nviso.eu/2021/05/11/android-overlay-attacks-on-belgian-financial-applications/}, language = {English}, urldate = {2021-05-13} } @online{beckman:20171208:gratefulpos:0ba1053, author = {Kent Beckman}, title = {{GratefulPOS credit card stealing malware - just in time for the shopping season}}, date = {2017-12-08}, organization = {RSA}, url = {https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season}, language = {English}, urldate = {2020-01-08} } @online{beek:20200212:csi:4308ee0, author = {Christiaan Beek}, title = {{CSI: Evidence Indicators for Targeted Ransomware Attacks – Part I}}, date = {2020-02-12}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks/}, language = {English}, urldate = {2021-05-13} } @online{beek:20200220:csi:8525a7b, author = {Christiaan Beek and Eamonn Ryan and Darren Fitzpatrick}, title = {{CSI: Evidence Indicators for Targeted Ransomware Attacks – Part II}}, date = {2020-02-20}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/}, language = {English}, urldate = {2021-05-13} } @online{beek:20201105:operation:ca0ac54, author = {Christiaan Beek and Ryan Sherstobitoff}, title = {{Operation North Star: Behind The Scenes}}, date = {2020-11-05}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/}, language = {English}, urldate = {2022-02-17} } @online{beek:20201217:additional:cd38b54, author = {Christiaan Beek and Cedric Cochin and Raj Samani}, title = {{Additional Analysis into the SUNBURST Backdoor}}, date = {2020-12-17}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/additional-analysis-into-the-sunburst-backdoor/}, language = {English}, urldate = {2020-12-18} } @online{beek:20210116:vhd:12336a8, author = {Christiaan Beek}, title = {{VHD Forensics — the sequel}}, date = {2021-01-16}, organization = {Medium christiaanbeek}, url = {https://christiaanbeek.medium.com/vhd-forensics-the-sequel-9fc39460bc1b}, language = {English}, urldate = {2021-02-20} } @online{beek:20210629:demo:2cbd075, author = {Christiaan Beek}, title = {{Demo of REvil/Sodinokibi Linux variant encrypting a Linux system}}, date = {2021-06-29}, organization = {YouTube (C. Beek)}, url = {https://www.youtube.com/watch?v=ptbNMlWxYnE}, language = {English}, urldate = {2021-06-29} } @online{beek:20210914:operation:95aed8d, author = {Christiaan Beek}, title = {{Operation ‘Harvest’: A Deep Dive into a Long-term Campaign}}, date = {2021-09-14}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/}, language = {English}, urldate = {2021-09-19} } @online{beek:20220120:return:a89bce6, author = {Christiaan Beek and Max Kersten and Raj Samani}, title = {{Return of Pseudo Ransomware}}, date = {2022-01-20}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/return-of-pseudo-ransomware.html}, language = {English}, urldate = {2022-01-24} } @online{beek:20220217:looking:0149198, author = {Christiaan Beek and Marc Elias}, title = {{Looking over the nation-state actors’ shoulders: Even they have a difficult day sometimes}}, date = {2022-02-17}, organization = {Trellix}, url = {https://www.trellix.com/en-gb/about/newsroom/stories/threat-labs/looking-over-the-nation-state-actors-shoulders.html}, language = {English}, urldate = {2022-03-01} } @online{beek:20220503:hermit:70ec592, author = {Christiaan Beek}, title = {{The Hermit Kingdom’s Ransomware play}}, date = {2022-05-03}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/the-hermit-kingdoms-ransomware-play.html}, language = {English}, urldate = {2022-05-04} } @online{beek:20220623:sound:31e77bd, author = {Christiaan Beek}, title = {{The Sound of Malware}}, date = {2022-06-23}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/the-sound-of-malware.html}, language = {English}, urldate = {2022-06-27} } @online{beer:20190829:implant:f25a696, author = {Ian Beer and Project Zero}, title = {{Implant Teardown}}, date = {2019-08-29}, organization = {Google}, url = {https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html}, language = {English}, urldate = {2020-01-06} } @online{beer:20201215:deep:b14a3bc, author = {Ian Beer and Samuel Groß}, title = {{A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution}}, date = {2020-12-15}, organization = {Google Project Zero}, url = {https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html}, language = {English}, urldate = {2022-01-24} } @online{beery:20200903:bitcoin:932fb45, author = {Tal Be'ery}, title = {{The Bitcoin Ransomware Detective Strikes Again: The UCSF Case}}, date = {2020-09-03}, organization = {ZenGo}, url = {https://zengo.com/bitcoin-ransomware-detective-ucsf/}, language = {English}, urldate = {2020-09-06} } @online{beery:20210125:ungilded:97355a8, author = {Tal Be'ery}, title = {{Ungilded Secrets: A New Paradigm for Key Security}}, date = {2021-01-25}, organization = {ZenGo}, url = {https://zengo.com/ungilded-secrets-a-new-paradigm-for-key-security/}, language = {English}, urldate = {2021-01-26} } @online{bekerman:20170329:new:e4007ca, author = {Dima Bekerman}, title = {{New Mirai Variant Launches 54 Hour DDoS Attack against US College}}, date = {2017-03-29}, organization = {Imperva}, url = {https://www.incapsula.com/blog/new-mirai-variant-ddos-us-college.html}, language = {English}, urldate = {2020-01-05} } @online{belousov:20220527:how:d00c942, author = {Anton Belousov and Aleksey Vishnyakov}, title = {{How bootkits are implemented in modern firmware and how UEFI differs from Legacy BIOS}}, date = {2022-05-27}, organization = {PTSecurity}, url = {https://habr.com/ru/amp/post/668154/}, language = {Russian}, urldate = {2022-05-29} } @online{ben:20220217:log4j2:aa3e992, author = {Amitai Ben and Shushan Ehrlich}, title = {{Log4j2 In The Wild | Iranian-Aligned Threat Actor “TunnelVision” Actively Exploiting VMware Horizon}}, date = {2022-02-17}, organization = {SentinelOne}, url = {https://www.sentinelone.com/labs/log4j2-in-the-wild-iranian-aligned-threat-actor-tunnelvision-actively-exploiting-vmware-horizon/}, language = {English}, urldate = {2022-02-19} } @online{bencherchali:20210124:common:0efc28c, author = {Nasreddine Bencherchali}, title = {{Common Tools & Techniques Used By Threat Actors and Malware — Part I}}, date = {2021-01-24}, organization = {Medium nasbench}, url = {https://nasbench.medium.com/common-tools-techniques-used-by-threat-actors-and-malware-part-i-deb05b664879}, language = {English}, urldate = {2021-01-25} } @online{bencherchali:20210220:finding:01aa9bf, author = {Nasreddine Bencherchali}, title = {{Finding Forensic Goodness In Obscure Windows Event Logs}}, date = {2021-02-20}, organization = {Medium (Nasreddine Bencherchali)}, url = {https://nasbench.medium.com/finding-forensic-goodness-in-obscure-windows-event-logs-60e978ea45a3}, language = {English}, urldate = {2021-03-19} } @online{bencsath:20170103:technical:1c2e81e, author = {Boldizsar Bencsath}, title = {{Technical details on the Fancy Bear Android malware (poprd30.apk)}}, date = {2017-01-03}, organization = {CrySyS Lab}, url = {http://blog.crysys.hu/2017/01/technical-details-on-the-fancy-bear-android-malware-poprd30-apk/}, language = {English}, urldate = {2020-01-09} } @online{bencsath:20170302:update:0e03ee6, author = {Boldizsar Bencsath}, title = {{Update on the Fancy Bear Android malware (poprd30.apk)}}, date = {2017-03-02}, organization = {Laboratory of Cryptography and System Security}, url = {http://blog.crysys.hu/2017/03/update-on-the-fancy-bear-android-malware-poprd30-apk/}, language = {English}, urldate = {2019-10-13} } @techreport{bencsath:201803:territorial:04343bb, author = {Boldizsar Bencsath}, title = {{Territorial Dispute – NSA’s perspective on APT landscape}}, date = {2018-03}, institution = {CrySyS Lab}, url = {https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf}, language = {English}, urldate = {2020-05-07} } @online{bene:20210624:crackonosh:ce54a93, author = {Daniel Beneš}, title = {{Crackonosh: A New Malware Distributed in Cracked Software}}, date = {2021-06-24}, organization = {Avast}, url = {https://decoded.avast.io/danielbenes/crackonosh-a-new-malware-distributed-in-cracked-software/}, language = {English}, urldate = {2021-06-29} } @online{bene:20220421:warez:b31715c, author = {Daniel Beneš}, title = {{Warez users fell for Certishell}}, date = {2022-04-21}, organization = {Avast Decoded}, url = {https://decoded.avast.io/danielbenes/warez-users-fell-for-certishell/}, language = {English}, urldate = {2022-04-29} } @online{benge:20190502:qakbot:8c34660, author = {Ashlee Benge and Nick Randolph}, title = {{Qakbot levels up with new obfuscation techniques}}, date = {2019-05-02}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/05/qakbot-levels-up-with-new-obfuscation.html}, language = {English}, urldate = {2019-10-14} } @online{benkow:20140820:command:ec27583, author = {Benkow}, title = {{Command Line Confusion}}, date = {2014-08-20}, organization = {ThisIsSecurity}, url = {https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/}, language = {English}, urldate = {2020-01-07} } @online{bennett:20130213:number:c947ab9, author = {James T. Bennett}, title = {{The Number of the Beast}}, date = {2013-02-13}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/02/the-number-of-the-beast.html}, language = {English}, urldate = {2020-04-24} } @online{bennett:20130228:its:1534b7e, author = {James T. Bennett}, title = {{It's a Kind of Magic}}, date = {2013-02-28}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/02/its-a-kind-of-magic-1.html}, language = {English}, urldate = {2020-04-24} } @online{bennett:20190424:carbanak:2376f75, author = {James T. Bennett and Michael Bailey}, title = {{CARBANAK Week Part Three: Behind the CARBANAK Backdoor}}, date = {2019-04-24}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-three-behind-the-backdoor.html}, language = {English}, urldate = {2019-12-20} } @online{bennett:20190425:carbanak:be237af, author = {James T. Bennett and Michael Bailey}, title = {{CARBANAK Week Part Four: The CARBANAK Desktop Video Player}}, date = {2019-04-25}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-four-desktop-video-player.html}, language = {English}, urldate = {2019-12-20} } @online{bennett:20201201:using:d19f4ce, author = {James T. Bennett}, title = {{Using Speakeasy Emulation Framework Programmatically to Unpack Malware}}, date = {2020-12-01}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/12/using-speakeasy-emulation-framework-programmatically-to-unpack-malware.html}, language = {English}, urldate = {2020-12-15} } @online{bennett:20210608:ual:12fb9fb, author = {Patrick Bennett}, title = {{UAL Thank Us Later: Leveraging User Access Logging for Forensic Investigations}}, date = {2021-06-08}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/user-access-logging-ual-overview/}, language = {English}, urldate = {2021-06-09} } @techreport{berady:20210204:from:6570db5, author = {Aimad Berady and Mathieu Jaume and Valérie Viet Triem Tong and Gilles Guette}, title = {{From TTP to IoC: Advanced Persistent Graphs forThreat Hunting}}, date = {2021-02-04}, institution = {HAL}, url = {https://hal.inria.fr/hal-03131262/file/Final%20version%20TNSM%20-%20From%20TTP%20to%20IoC%20-%20Advanced%20Persistent%20Graphs%20for%20Threat%20Hunting.pdf}, language = {English}, urldate = {2021-02-20} } @online{berchem:20170810:weltweite:5df6bfa, author = {Tom Berchem}, title = {{Weltweite Spamwelle verbreitet teuflische Variante des Locky}}, date = {2017-08-10}, organization = {botfrei Blog}, url = {https://blog.botfrei.de/2017/08/weltweite-spamwelle-verbreitet-teufliche-variante-des-locky/}, language = {German}, urldate = {2019-12-10} } @online{berdan:20211216:pegasus:c1c06eb, author = {Kristin Berdan and John Scott-Railton and Bill Marczak and Noura Al-Jizawi and Bahr Abdul Razzak and Ron Deibert and Siena Anstis}, title = {{Pegasus vs. Predator: Dissident's Doubly-Infected iPhone Reveals Cytrox Mercenary Spyware}}, date = {2021-12-16}, organization = {CitizenLab}, url = {https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/}, language = {English}, urldate = {2022-01-24} } @online{berdnikov:20170925:simple:62b80bb, author = {Vasily Berdnikov and Dmitry Karasovsky and Alexey Shulmin}, title = {{A simple example of a complex cyberattack}}, date = {2017-09-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/}, language = {English}, urldate = {2019-12-20} } @techreport{berdnikov:20171125:microcin:69e0ae0, author = {Vasily Berdnikov and Dmitry Karasovsky and Alexey Shulmin}, title = {{MICROCIN MALWARE: TECHNICAL DETAILS AND INDICATORS OF COMPROMISE}}, date = {2017-11-25}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf}, language = {English}, urldate = {2020-04-06} } @online{berdnikov:20190313:fourth:98b1131, author = {Vasily Berdnikov and Boris Larin}, title = {{The fourth horseman: CVE-2019-0797 vulnerability}}, date = {2019-03-13}, organization = {Kaspersky Labs}, url = {https://securelist.com/cve-2019-0797-zero-day-vulnerability/89885/}, language = {English}, urldate = {2019-12-20} } @online{bergbom:20180206:danderspritzpeddlecheap:b09bc8f, author = {John Bergbom}, title = {{DanderSpritz/PeddleCheap traffic analysis (Part 1 of 2)}}, date = {2018-02-06}, organization = {Forcepoint}, url = {https://www.forcepoint.com/fr/blog/security-labs/new-whitepaper-danderspritzpeddlecheap-traffic-analysis-part-1-2#}, language = {English}, urldate = {2020-05-07} } @online{bergin:20160520:special:46b3cc4, author = {Tom Bergin and Nathan Layne}, title = {{Special Report: Cyber thieves exploit banks' faith in SWIFT transfer network}}, date = {2016-05-20}, organization = {Reuters}, url = {https://www.reuters.com/article/us-cyber-heist-swift-specialreport-idUSKCN0YB0DD}, language = {English}, urldate = {2019-12-17} } @online{bermejo:20170622:following:7126b3b, author = {Lenart Bermejo and Razor Huang and CH Lei}, title = {{Following the Trail of BlackTech’s Cyber Espionage Campaigns}}, date = {2017-06-22}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/}, language = {English}, urldate = {2019-12-24} } @online{bermejo:20170622:trail:ba78447, author = {Lenart Bermejo and Razor Huang and CH Lei}, title = {{The Trail of BlackTech’s Cyber Espionage Campaigns}}, date = {2017-06-22}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html}, language = {English}, urldate = {2021-01-29} } @techreport{bermejo:201706:following:61e6dae, author = {Lenart Bermejo and Razor Huang and CH Lei}, title = {{Following the Trail of BlackTech’s Cyber Espionage Campaigns}}, date = {2017-06}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/appendix-following-the-trail-of-blacktechs-cyber-espionage-campaigns.pdf}, language = {English}, urldate = {2020-01-07} } @online{bermejo:20170717:android:593475f, author = {Lenart Bermejo and Jordan Pan and Cedric Pernet}, title = {{Android Backdoor GhostCtrl can Silently Record Your Audio, Video, and More}}, date = {2017-07-17}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/android-backdoor-ghostctrl-can-silently-record-your-audio-video-and-more/}, language = {English}, urldate = {2020-01-13} } @online{bermejo:20170807:backdoorcarrying:317ebe3, author = {Lenart Bermejo and Ronnie Giagone and Rubio Wu and Fyodor Yarochkin}, title = {{Backdoor-carrying Emails Set Sights on Russian-speaking Businesses}}, date = {2017-08-07}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/}, language = {English}, urldate = {2020-01-09} } @online{bermejo:20181120:lazarus:1d8d3b3, author = {Lenart Bermejo and Joelson Soares}, title = {{Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America}}, date = {2018-11-20}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/}, language = {English}, urldate = {2020-01-06} } @techreport{bermejo:20201215:finding:f68f005, author = {Lenart Bermejo and Gilbert Sison and Buddy Tancio}, title = {{Finding APTX: Attacks via MITRE TTPs}}, date = {2020-12-15}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/white_papers/wp-finding-APTX-attributing-attacks-via-MITRE-TTPs.pdf}, language = {English}, urldate = {2020-12-17} } @online{bernardo:20210816:lockbit:d709d4c, author = {Jett Paulo Bernardo and Jayson Chong and Nikki Madayag and Mark Marti and Cris Tomboc and Sean Torre and Byron Gelera}, title = {{LockBit Resurfaces With Version 2.0 Ransomware Detections in Chile, Italy, Taiwan, UK}}, date = {2021-08-16}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/h/lockbit-resurfaces-with-version-2-0-ransomware-detections-in-chi.html}, language = {English}, urldate = {2021-08-23} } @online{berninger:20200528:masked:44cad71, author = {Matthew Berninger}, title = {{The Masked SYNger: Investigating a Traffic Phenomenon}}, date = {2020-05-28}, organization = {Rapid7 Labs}, url = {https://blog.rapid7.com/2020/05/28/the-masked-synger-investigating-a-traffic-phenomenon/}, language = {English}, urldate = {2020-05-29} } @online{berninger:20210216:hard:55e809e, author = {Alexandrea Berninger}, title = {{Hard lessons learned: Threat intel takeaways from the community response to Solarigate}}, date = {2021-02-16}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/threat-intel-takeaways-solarigate}, language = {English}, urldate = {2021-02-20} } @online{bernstein:20210430:qbot:104bad4, author = {Odin Bernstein}, title = {{Qbot: Analyzing PHP Proxy Scripts from Compromised Web Server}}, date = {2021-04-30}, organization = {MADRID Labs}, url = {https://madlabs.dsu.edu/madrid/blog/2021/04/30/qbot-analyzing-php-proxy-scripts-from-compromised-web-server/}, language = {English}, urldate = {2021-05-08} } @techreport{berre:20180209:hey:8be9a1c, author = {Stéfan Le Berre}, title = {{Hey Uroburos! What's up ?}}, date = {2018-02-09}, institution = {ExaTrack}, url = {https://exatrack.com/public/Uroburos_EN.pdf}, language = {English}, urldate = {2022-05-25} } @online{best:20150912:stuxnet:c9b43da, author = {Emma Best}, title = {{Stuxnet code}}, date = {2015-09-12}, organization = {Archive-org}, url = {https://archive.org/details/Stuxnet}, language = {English}, urldate = {2020-01-09} } @online{bestuzhev:20201111:targeted:e2e0c3a, author = {Dmitry Bestuzhev and Fedor Sinitsyn}, title = {{Targeted ransomware: it’s not just about encrypting your data! Part 1 - “Old and New Friends”}}, date = {2020-11-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/targeted-ransomware-encrypting-data/99255/}, language = {English}, urldate = {2020-11-11} } @online{beukema:20200622:hijacking:b46d971, author = {Wietze Beukema}, title = {{Hijacking DLLs in Windows}}, date = {2020-06-22}, organization = {wietzebeukema.nl}, url = {https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows}, language = {English}, urldate = {2020-06-24} } @online{beuth:20200617:die:4272009, author = {Patrick Beuth}, title = {{Die erste Cyberwaffe und ihre Folgen}}, date = {2020-06-17}, organization = {Der Spiegel}, url = {https://www.spiegel.de/netzwelt/web/die-erste-cyberwaffe-und-ihre-folgen-a-a0ed08c9-5080-4ac2-8518-ed69347dc147}, language = {German}, urldate = {2020-06-18} } @online{bevis:202103:unseen:b20b5bf, author = {Jason Bevis}, title = {{The Unseen One: Hades Ransomware Gang or Hafnium}}, date = {2021-03}, organization = {AWAKE}, url = {https://awakesecurity.com/blog/incident-response-hades-ransomware-gang-or-hafnium/}, language = {English}, urldate = {2021-03-31} } @online{bezvershenko:20210927:bloodystealer:5944099, author = {Leonid Bezvershenko and Marc Rivero López and Dmitry Galov}, title = {{BloodyStealer and gaming assets for sale}}, date = {2021-09-27}, organization = {Kaspersky}, url = {https://securelist.com/bloodystealer-and-gaming-assets-for-sale/104319/}, language = {English}, urldate = {2021-10-05} } @online{bhaaskaran:20220610:new:d2fb70b, author = {Vignesh Bhaaskaran}, title = {{New SVCReady malware loads from Word doc properties – Detection & Response}}, date = {2022-06-10}, organization = {Soc Investigation}, url = {https://www.socinvestigation.com/new-svcready-malware-loads-from-word-doc-properties-detection-response/}, language = {English}, urldate = {2022-06-10} } @online{bhat:20160201:tracking:f5fa1f1, author = {Raashid Bhat}, title = {{Tracking the footprints of PushDo Trojan}}, date = {2016-02-01}, organization = {Blueliv}, url = {https://www.blueliv.com/research/tracking-the-footproints-of-pushdo-trojan/}, language = {English}, urldate = {2019-11-20} } @online{bhat:20170222:dissecting:8124914, author = {Raashid Bhat}, title = {{Dissecting the Qadars Banking Trojan}}, date = {2017-02-22}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/dissecting-the-qadars-banking-trojan}, language = {English}, urldate = {2019-12-20} } @online{bhat:20180906:dissecting:8c82fb5, author = {Raashid Bhat}, title = {{Dissecting DEloader malware with obfuscation}}, date = {2018-09-06}, organization = {int 0xcc blog}, url = {https://int0xcc.svbtle.com/dissecting-obfuscated-deloader-malware}, language = {English}, urldate = {2020-01-06} } @online{bhat:20180918:taste:e7dd98d, author = {Raashid Bhat}, title = {{A taste of our own medicine: How SmokeLoader is deceiving configuration extraction by using binary code as bait}}, date = {2018-09-18}, organization = {int 0xcc blog}, url = {https://int0xcc.svbtle.com/a-taste-of-our-own-medicine-how-smokeloader-is-deceiving-dynamic-configuration-extraction-by-using-binary-code-as-bait}, language = {English}, urldate = {2020-01-10} } @online{bhat:20190422:dissecting:ffba987, author = {Raashid Bhat}, title = {{Dissecting Emotet’s network communication protocol}}, date = {2019-04-22}, organization = {int 0xcc blog}, url = {https://int0xcc.svbtle.com/dissecting-emotet-s-network-communication-protocol}, language = {English}, urldate = {2020-01-06} } @online{bhat:20190730:practical:d049779, author = {Raashid Bhat}, title = {{Practical Threat Hunting and Incidence Response : A Case of A Pony Malware Infection}}, date = {2019-07-30}, organization = {int 0xcc blog}, url = {https://int0xcc.svbtle.com/practical-threat-hunting-and-incidence-response-a-case-of-a-pony-malware-infection}, language = {English}, urldate = {2020-01-08} } @online{bhat:20200311:emotet:c178008, author = {Raashid Bhat}, title = {{Tweet on Emotet Deobfuscation with Video}}, date = {2020-03-11}, organization = {Twitter (@raashidbhatt)}, url = {https://twitter.com/raashidbhatt/status/1237853549200936960}, language = {English}, urldate = {2020-03-13} } @online{bhat:20200331:emotet:50264e0, author = {Raashid Bhat}, title = {{Emotet Binary Deobfuscation | Coconut Paradise | Episode 1}}, date = {2020-03-31}, organization = {Youtube (Infosec Alpha)}, url = {https://www.youtube.com/watch?v=_mGMJFNJWSk}, language = {English}, urldate = {2020-04-23} } @online{bhat:20200422:flattenthecurve:0bdf5a3, author = {Raashid Bhat}, title = {{FlattenTheCurve - Emotet Control Flow Unflattening | Episode 2}}, date = {2020-04-22}, organization = {Youtube (Infosec Alpha)}, url = {https://www.youtube.com/watch?v=8PHCZdpNKrw}, language = {English}, urldate = {2020-04-23} } @online{biaczak:20200901:characterizing:422e6a1, author = {Piotr Białczak and Wojciech Mazurczyk}, title = {{Characterizing Anomalies in Malware-Generated HTTP Traffic}}, date = {2020-09-01}, url = {https://www.hindawi.com/journals/scn/2020/8848863/}, language = {English}, urldate = {2020-09-03} } @online{biasini:20171024:threat:7bd8515, author = {Nick Biasini}, title = {{Threat Spotlight: Follow the Bad Rabbit}}, date = {2017-10-24}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/10/bad-rabbit.html}, language = {English}, urldate = {2019-12-10} } @online{biasini:20180509:gandcrab:50296a6, author = {Nick Biasini and Nick Lister and Christopher Marczewski}, title = {{Gandcrab Ransomware Walks its Way onto Compromised Sites}}, date = {2018-05-09}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html}, language = {English}, urldate = {2019-10-21} } @online{biasini:20190220:combing:bdc059c, author = {Nick Biasini and Edmund Brumaghin and Matthew Molyett}, title = {{Combing Through Brushaloader Amid Massive Detection Uptick}}, date = {2019-02-20}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/02/combing-through-brushaloader.html}, language = {English}, urldate = {2019-11-29} } @online{biasini:20190425:jasperloader:ebe50ca, author = {Nick Biasini and Edmund Brumaghin and Andrew Williams}, title = {{JasperLoader Emerges, Targets Italy with Gootkit Banking Trojan}}, date = {2019-04-25}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2019/04/jasperloader-targets-italy.html}, language = {English}, urldate = {2020-01-09} } @online{biasini:20190523:sorpresa:e7cbd9d, author = {Nick Biasini and Edmund Brumaghin}, title = {{Sorpresa! JasperLoader targets Italy with a new bag of tricks}}, date = {2019-05-23}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/05/sorpresa-jasperloader.html}, language = {English}, urldate = {2020-01-06} } @online{biasini:20200213:threat:443d687, author = {Nick Biasini and Edmund Brumaghin}, title = {{Threat actors attempt to capitalize on coronavirus outbreak}}, date = {2020-02-13}, organization = {Talos}, url = {https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html}, language = {English}, urldate = {2020-03-19} } @online{biasini:20200511:astaroth:f325070, author = {Nick Biasini and Edmund Brumaghin and Nick Lister}, title = {{Astaroth - Maze of obfuscation and evasion reveals dark stealer}}, date = {2020-05-11}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/05/astaroth-analysis.html}, language = {English}, urldate = {2020-05-11} } @online{biasini:20200701:threat:a726b7e, author = {Nick Biasini and Edmund Brumaghin and Mariano Graziano}, title = {{Threat Spotlight: Valak Slithers Its Way Into Manufacturing and Transportation Networks}}, date = {2020-07-01}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/07/valak-emerges.html}, language = {English}, urldate = {2020-08-18} } @online{biasini:20201118:back:178d20d, author = {Nick Biasini and Edmund Brumaghin and Jaeson Schultz}, title = {{Back from vacation: Analyzing Emotet’s activity in 2020}}, date = {2020-11-18}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2020/11/emotet-2020.html}, language = {English}, urldate = {2020-11-19} } @online{biasini:20201214:threat:63acc35, author = {Nick Biasini}, title = {{Threat Advisory: SolarWinds supply chain attack}}, date = {2020-12-14}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html#more}, language = {English}, urldate = {2020-12-19} } @online{biasini:20210407:sowing:2bf94a9, author = {Nick Biasini and Edmund Brumaghin and Chris Neal and Paul Eubanks.}, title = {{Sowing Discord: Reaping the benefits of collaboration app abuse}}, date = {2021-04-07}, organization = {Talos}, url = {https://blog.talosintelligence.com/2021/04/collab-app-abuse.html}, language = {English}, urldate = {2021-04-19} } @online{biasini:20210622:attackers:ba60e36, author = {Nick Biasini}, title = {{Attackers in Executive Clothing - BEC continues to separate orgs from their money}}, date = {2021-06-22}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2021/06/business-email-compromise.html}, language = {English}, urldate = {2021-06-24} } @online{biasini:20220121:ukraine:e0da072, author = {Nick Biasini and Michael Chen and Chris Neal and Matt Olney and Dmytro Korzhevin}, title = {{Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation}}, date = {2022-01-21}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html}, language = {English}, urldate = {2022-01-25} } @online{bichet:20200414:deobfuscating:d7320ab, author = {Jean Bichet}, title = {{Deobfuscating and hunting for OSTAP, Trickbot’s dropper and best friend}}, date = {2020-04-14}, organization = {Intrinsec}, url = {https://www.intrinsec.com/deobfuscating-hunting-ostap/}, language = {English}, urldate = {2021-01-11} } @online{bichet:20201112:egregor:1ac0eb1, author = {Jean Bichet}, title = {{Egregor – Prolock: Fraternal Twins ?}}, date = {2020-11-12}, organization = {Intrinsec}, url = {https://www.intrinsec.com/egregor-prolock/}, language = {English}, urldate = {2020-11-23} } @online{bienstock:20210427:abusing:60f23c5, author = {Doug Bienstock}, title = {{Abusing Replication: Stealing AD FS Secrets Over the Network}}, date = {2021-04-27}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/04/abusing-replication-stealing-adfs-secrets-over-the-network.html}, language = {English}, urldate = {2021-04-29} } @techreport{bienstock:20210804:cloudy:a74cb93, author = {Doug Bienstock and Josh Madeley}, title = {{Cloudy with a Chance of APTNovel Microsoft 365 Attacks in the Wild}}, date = {2021-08-04}, institution = {FireEye}, url = {https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Cloudy-With-A-Chance-Of-APT-Novel-Microsoft-365-Attacks-In-The-Wild.pdf}, language = {English}, urldate = {2021-08-06} } @online{bienstock:20220502:unc3524:5948892, author = {Doug Bienstock and Melissa Derr and Josh Madeley and Tyler McLellan and Chris Gardner}, title = {{UNC3524: Eye Spy on Your Email}}, date = {2022-05-02}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/unc3524-eye-spy-email}, language = {English}, urldate = {2022-05-03} } @online{biermann:20201008:hanois:3f2def5, author = {Kai Biermann and Thi Do Nguyen and Hakan Tanriverdi and Maximilian Zierer}, title = {{Hanois Hacker}}, date = {2020-10-08}, organization = {ZEIT Online}, url = {https://www.zeit.de/politik/deutschland/2020-10/cyberspionage-vietnam-hackerangriffe-deutschland-bmw-verfassungsschutz-oceanlotus-apt32/komplettansicht}, language = {German}, urldate = {2020-10-12} } @online{biermann:20210610:trail:42969a8, author = {Von Kai Biermann and Astrid Geisler and Herwig G. Höller and Karsten Polke-Majewski and Zachary Kamel}, title = {{On the Trail of the Internet Extortionists}}, date = {2021-06-10}, organization = {ZEIT Online}, url = {https://www.zeit.de/digital/2021-06/cybercrime-extortion-internet-spyware-ransomware-police-prosecution-hackers}, language = {English}, urldate = {2021-07-02} } @online{biggs:20220217:detecting:95e53bb, author = {Simon Biggs and Richard Footman and Michael Mullen}, title = {{Detecting Karakurt – an extortion focused threat actor}}, date = {2022-02-17}, organization = {NCC Group}, url = {https://research.nccgroup.com/2022/02/17/detecting-karakurt-an-extortion-focused-threat-actor/}, language = {English}, urldate = {2022-02-26} } @techreport{bilodeau:201403:operation:40b7f42, author = {Olivier Bilodeau and Pierre-Marc Bureau and Joan Calvet and Alexis Dorais-Joncas and Marc-Etienne M.Léveillé and Benjamin Vanheuverzwijn}, title = {{OPERATION WINDIGO}}, date = {2014-03}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf}, language = {English}, urldate = {2020-01-08} } @online{binance:20210624:binance:afde1e5, author = {Binance}, title = {{Binance Helps Take Down Cybercriminal Ring Laundering $500M in Ransomware Attacks}}, date = {2021-06-24}, organization = {Binance}, url = {https://www.binance.com/en/blog/421499824684902240/Binance-Helps-Take-Down-Cybercriminal-Ring-Laundering-%24500M-in-Ransomware-Attacks}, language = {English}, urldate = {2021-06-29} } @online{bing:20170418:shadow:f8c81a6, author = {Chris Bing}, title = {{Shadow Brokers leaks show U.S. spies successfully hacked Russian, Iranian targets}}, date = {2017-04-18}, organization = {CyberScoop}, url = {https://www.cyberscoop.com/nsa-shadow-brokers-leaks-iran-russia-optimusprime-stoicsurgeon/}, language = {English}, urldate = {2020-01-12} } @online{bing:20180320:kasperskys:9cf65c1, author = {Chris Bing and Patrick Howell O'Neill}, title = {{Kaspersky's 'Slingshot' report burned an ISIS-focused intelligence operation}}, date = {2018-03-20}, organization = {CyberScoop}, url = {https://www.cyberscoop.com/kaspersky-slingshot-isis-operation-socom-five-eyes/}, language = {English}, urldate = {2019-07-11} } @online{bing:20201023:exclusive:00afa85, author = {Christopher Bing and Jack Stubbs}, title = {{Exclusive: 'Dumb mistake' exposed Iranian hand behind fake Proud Boys U.S. election emails - sources}}, date = {2020-10-23}, organization = {Reuters}, url = {https://www.reuters.com/article/us-usa-election-cyber-iran-exclusive/exclusive-dumb-mistake-exposed-iranian-hand-behind-fake-proud-boy-u-s-election-emails-sources-idUSKBN2772YL}, language = {English}, urldate = {2020-10-26} } @online{bing:20201023:exclusive:9ffe805, author = {Christopher Bing}, title = {{Exclusive: National Guard called in to thwart cyberattack in Louisiana weeks before election}}, date = {2020-10-23}, organization = {Reuters}, url = {https://www.reuters.com/article/us-usa-election-cyber-louisiana-exclusiv/exclusive-national-guard-called-in-to-thwart-cyberattack-in-louisiana-weeks-before-election-idUSKBN27823F}, language = {English}, urldate = {2020-10-27} } @online{bing:20201029:building:ceeb50f, author = {Christopher Bing and Joseph Menn}, title = {{Building wave of ransomware attacks strike U.S. hospitals}}, date = {2020-10-29}, organization = {Reuters}, url = {https://www.reuters.com/article/usa-healthcare-cyber-idUSKBN27E0EP}, language = {English}, urldate = {2020-11-02} } @online{bing:20201213:suspected:81b53a9, author = {Christopher Bing}, title = {{Suspected Russian hackers spied on U.S. Treasury emails - sources}}, date = {2020-12-13}, organization = {Reuters}, url = {https://www.reuters.com/article/us-usa-cyber-treasury-exclsuive/suspected-russian-hackers-spied-on-u-s-treasury-emails-sources-idUSKBN28N0PG}, language = {English}, urldate = {2020-12-14} } @online{bing:20210111:exclusive:cf710cb, author = {Christopher Bing}, title = {{Exclusive: FBI probes Russian-linked postcard sent to FireEye CEO after cybersecurity firm uncovered hack - sources}}, date = {2021-01-11}, organization = {Reuters}, url = {https://www.reuters.com/article/us-global-cyber-fireeye/exclusive-fbi-probes-russian-linked-postcard-sent-to-fireeye-ceo-after-cybersecurity-firm-uncovered-hack-sources-idUSKBN29G2IG}, language = {English}, urldate = {2021-01-18} } @online{bing:20210202:exclusive:426eec4, author = {Christopher Bing and Jack Stubbs and Raphael Satter and Joseph Menn}, title = {{Exclusive: Suspected Chinese hackers used SolarWinds bug to spy on U.S. payroll agency - sources}}, date = {2021-02-02}, organization = {Reuters}, url = {https://www.reuters.com/article/us-cyber-solarwinds-china/exclusive-suspected-chinese-hackers-used-solarwinds-bug-to-spy-on-u-s-payroll-agency-sources-idUSKBN2A22K8}, language = {English}, urldate = {2021-02-04} } @online{bing:20210508:cyber:0adb323, author = {Christopher Bing and Stephanie Kelly}, title = {{Cyber attack shuts down top U.S. fuel pipeline network}}, date = {2021-05-08}, organization = {Reuters}, url = {https://www.reuters.com/technology/colonial-pipeline-halts-all-pipeline-operations-after-cybersecurity-attack-2021-05-08/}, language = {English}, urldate = {2021-05-11} } @online{bing:20220228:new:f79957b, author = {Christopher Bing}, title = {{New Chinese hacking tool found, spurring U.S. warning to allies}}, date = {2022-02-28}, organization = {Reuters}, url = {https://www.reuters.com/technology/new-chinese-hacking-tool-found-spurring-us-warning-allies-2022-02-28/}, language = {English}, urldate = {2022-03-08} } @online{bingham:20130130:backdoorbarkiofork:8a76c17, author = {Joseph Bingham}, title = {{Backdoor.Barkiofork Targets Aerospace and Defense Industry}}, date = {2013-01-30}, url = {https://www.symantec.com/connect/blogs/backdoorbarkiofork-targets-aerospace-and-defense-industry}, language = {English}, urldate = {2021-01-25} } @online{bingl:20210820:virtualbox:a8f9a4e, author = {Berhan Bingöl}, title = {{VirtualBox Detection, Anti-Detection}}, date = {2021-08-20}, organization = {Medium Berhan Bingöl}, url = {https://berhanbingol.medium.com/virtualbox-detection-anti-detection-30614691f108}, language = {Turkish}, urldate = {2021-08-25} } @techreport{biradar:20150120:reversing:8a25caf, author = {Basavaraj K. Biradar}, title = {{Reversing the Inception APT malware}}, date = {2015-01-20}, institution = {Blue Coat}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Inception_APT_Analysis_Bluecoat.pdf}, language = {English}, urldate = {2020-04-21} } @online{birsan:20210209:dependency:44eaf05, author = {Alex Birsan}, title = {{Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies}}, date = {2021-02-09}, organization = {Medium (@alex.birsan)}, url = {https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610}, language = {English}, urldate = {2021-02-10} } @online{bishopfox:20190117:sliver:915fc7e, author = {BishopFox}, title = {{Sliver Implant Framework}}, date = {2019-01-17}, organization = {Github (BishopFox)}, url = {https://github.com/BishopFox/sliver}, language = {English}, urldate = {2020-01-07} } @techreport{bissell:2018:latest:1c1fba4, author = {Kelly Bissell and Joshua Ray and Uwe Kissman and Ryan LaSalle and Gareth Russell}, title = {{LATEST CYBER ESPIONAGE MALWARE ATTACKS}}, date = {2018}, institution = {Accenture Security}, url = {https://www.accenture.com/t00010101T000000Z__w__/gb-en/_acnmedia/PDF-46/Accenture-Security-Elise-Threat-Analysis.pdf}, language = {English}, urldate = {2020-01-08} } @online{bisson:20210428:qbot:dcbcd50, author = {David Bisson}, title = {{QBot Malware Spotted Using Windows Defender Antivirus Lure}}, date = {2021-04-28}, organization = {IBM}, url = {https://securityintelligence.com/news/qbot-malware-using-windows-defender-antivirus-lure/}, language = {English}, urldate = {2021-05-03} } @online{bitam:20220601:cuba:040c34a, author = {Salim Bitam}, title = {{CUBA Ransomware Malware Analysis}}, date = {2022-06-01}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/cuba-ransomware-malware-analysis}, language = {English}, urldate = {2022-06-09} } @techreport{bitdefender:20151217:apt28:fca586f, author = {Bitdefender}, title = {{APT28 Under the Scope: A Journey into Exfiltrating Intelligence and Government Information}}, date = {2015-12-17}, institution = {Bitdefender}, url = {https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf}, language = {English}, urldate = {2020-01-09} } @techreport{bitdefender:20160630:pacifier:2b7078c, author = {Bitdefender}, title = {{Pacifier APT}}, date = {2016-06-30}, institution = {Bitdefender}, url = {http://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf}, language = {English}, urldate = {2020-01-13} } @techreport{bitdefender:20160630:pacifier:642af11, author = {Bitdefender}, title = {{Pacifier APT}}, date = {2016-06-30}, institution = {Bitdefender}, url = {https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{bitdefender:20160630:pacifier:cbcb081, author = {Bitdefender}, title = {{Pacifier APT}}, date = {2016-06-30}, institution = {Bitdefender}, url = {https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender-Whitepaper-PAC-A4-en_EN1.pdf}, language = {English}, urldate = {2020-01-09} } @techreport{bitdefender:20170221:dissecting:eec4e1f, author = {Bitdefender}, title = {{Dissecting the APT28 Mac OS X Payload}}, date = {2017-02-21}, institution = {Bitdefender}, url = {https://download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf}, language = {English}, urldate = {2020-01-10} } @techreport{bitdefender:20190604:blueprint:ce0583c, author = {Bitdefender}, title = {{An APT Blueprint: Gaining New Visibility into Financial Threats}}, date = {2019-06-04}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf}, language = {English}, urldate = {2019-12-18} } @techreport{bitdefender:20191029:close:30321a7, author = {Bitdefender}, title = {{A close look at Fallout Exploit Kit and Raccoon Stealer}}, date = {2019-10-29}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/289/Bitdefender-WhitePaper-Fallout.pdf}, language = {English}, urldate = {2020-01-09} } @online{bitdefender:20210714:how:3e51ccd, author = {Bitdefender}, title = {{How We Tracked a Threat Group Running an Active Cryptojacking Campaign}}, date = {2021-07-14}, organization = {Bitdefender}, url = {https://www.bitdefender.com/blog/labs/how-we-tracked-a-threat-group-running-an-active-cryptojacking-campaign}, language = {English}, urldate = {2021-07-20} } @techreport{bitdefender:20210719:debugging:48353a0, author = {Bitdefender}, title = {{Debugging MosaicLoader, One Step at a Time}}, date = {2021-07-19}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf}, language = {English}, urldate = {2021-07-20} } @techreport{bitdefender:20211021:digitallysigned:248a238, author = {Bitdefender}, title = {{Digitally-Signed Rootkits are Back – A Look at FiveSys and Companions}}, date = {2021-10-21}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/405/Bitdefender-DT-Whitepaper-Fivesys-creat5699-en-EN.pdf}, language = {English}, urldate = {2021-11-03} } @online{bitdefender:20220126:new:587f615, author = {Bitdefender}, title = {{New FluBot and TeaBot Global Malware Campaigns Discovered}}, date = {2022-01-26}, organization = {Bitdefender}, url = {https://www.bitdefender.com/blog/labs/new-flubot-and-teabot-global-malware-campaigns-discovered}, language = {English}, urldate = {2022-02-01} } @online{bitensky:20170518:uiwix:4cc9aa8, author = {Gal Bitensky}, title = {{UIWIX – Evasive Ransomware Exploiting ETERNALBLUE}}, date = {2017-05-18}, organization = {Minerva}, url = {https://www.minerva-labs.com/post/uiwix-evasive-ransomware-exploiting-eternalblue}, language = {English}, urldate = {2020-01-08} } @online{bitensky:20180517:analyzing:c25d2ac, author = {Gal Bitensky}, title = {{Analyzing an AZORult Attack – Evasion in a Cloak of Multiple Layers}}, date = {2018-05-17}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/puffstealer-evasion-in-a-cloak-of-multiple-layers}, language = {English}, urldate = {2019-10-14} } @online{bitsofbinary:20201211:macos:a00d112, author = {Twitter (@BitsOfBinary)}, title = {{Tweet on macOS Manuscypt samples}}, date = {2020-12-11}, organization = {PWC UK}, url = {https://twitter.com/BitsOfBinary/status/1337330286787518464}, language = {English}, urldate = {2020-12-14} } @online{bitton:20200803:httpskelacombacktoschoolwhycybercriminalscontinuetotargettheeducationsector:c7312d4, author = {Sharon Bitton and Victoria Kivilevich}, title = {{https://ke-la.com/back-to-school-why-cybercriminals-continue-to-target-the-education-sector/}}, date = {2020-08-03}, organization = {KELA}, url = {https://ke-la.com/back-to-school-why-cybercriminals-continue-to-target-the-education-sector/}, language = {English}, urldate = {2021-05-07} } @online{bitton:20210307:australian:0166781, author = {Sharon Bitton and Victoria Kivilevich}, title = {{Australian Mining Companies and Cybercriminals Digging for the Gold}}, date = {2021-03-07}, organization = {KELA}, url = {https://ke-la.com/australian-mining-companies-and-cybercriminals-digging-for-the-gold/}, language = {English}, urldate = {2021-03-11} } @online{bizeul:20140711:eye:3cb48c1, author = {David Bizeul and Ivan Fontarensky and Ronan Mouchoux and Fabien Perigaud and Cedric Pernet}, title = {{The Eye of the Tiger}}, date = {2014-07-11}, organization = {Airbus}, url = {http://blog.airbuscybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2}, language = {English}, urldate = {2019-11-25} } @online{bizeul:20140711:eye:bdaf0a0, author = {David Bizeul and Ivan Fontarensky and Ronan Mouchoux and Fabien Perigaud and Cedric Pernet}, title = {{The Eye of the Tiger}}, date = {2014-07-11}, organization = {Airbus}, url = {http://blog.cassidiancybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2}, language = {English}, urldate = {2019-11-29} } @online{bizga:20220304:bitdefender:44d1f32, author = {Alina Bizga}, title = {{Bitdefender Labs Sees Increased Malicious and Scam Activity Exploiting the War in Ukraine}}, date = {2022-03-04}, organization = {Bitdefender}, url = {https://www.bitdefender.com/blog/hotforsecurity/bitdefender-labs-sees-increased-malicious-and-scam-activity-exploiting-the-war-in-ukraine}, language = {English}, urldate = {2022-03-04} } @online{bizone:20210513:from:aeb3d77, author = {BI.ZONE}, title = {{From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit}}, date = {2021-05-13}, organization = {BI. ZONE Cyber Threats Research Team}, url = {https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319}, language = {English}, urldate = {2021-05-17} } @online{bkmsft:20190724:apt17:8b88bcb, author = {Ben K (bkMSFT)}, title = {{Tweet on APT17}}, date = {2019-07-24}, organization = {Twitter (@bkMSFT)}, url = {https://twitter.com/bkMSFT/status/1153994428949749761}, language = {English}, urldate = {2020-01-07} } @online{bkmsft:20191203:zirconium:c025731, author = {Ben K (bkMSFT)}, title = {{Tweet on ZIRCONIUM alias for APT31}}, date = {2019-12-03}, organization = {Twitter (@bkMSFT)}, url = {https://twitter.com/bkMSFT/status/1201876664667582466}, language = {English}, urldate = {2020-06-16} } @online{black:20180703:iranian:2e94ec4, author = {Samantha Black}, title = {{Iranian APT Charming Kitten impersonates ClearSky, the security firm that uncovered its campaigns}}, date = {2018-07-03}, organization = {Cyware}, url = {https://cyware.com/news/iranian-apt-charming-kitten-impersonates-clearsky-the-security-firm-that-uncovered-its-campaigns-7fea0b4f}, language = {English}, urldate = {2020-01-08} } @online{blackhacker511:20190104:github:e7e5d16, author = {BlackHacker511}, title = {{Github Repository: BlackNET}}, date = {2019-01-04}, organization = {Github (BlackHacker511)}, url = {https://github.com/FarisCode511/BlackNET/}, language = {English}, urldate = {2020-07-13} } @online{blackhacker511:20191123:blackworm:9cf1955, author = {BlackHacker511}, title = {{BlackWorm v6.0 Black Ninja}}, date = {2019-11-23}, organization = {Github (BlackHacker511)}, url = {https://github.com/BlackHacker511/BlackWorm}, language = {English}, urldate = {2020-01-13} } @techreport{blackorbird:20191205:apt32:0afe4e7, author = {blackorbird}, title = {{APT32 Report}}, date = {2019-12-05}, institution = {Github (blackorbird)}, url = {https://github.com/blackorbird/APT_REPORT/blob/master/Oceanlotus/apt32_report_2019.pdf}, language = {Japanese}, urldate = {2020-01-10} } @online{blackorbird:20200408:wannaren:8da1d44, author = {blackorbird}, title = {{Tweet on WannaRen}}, date = {2020-04-08}, organization = {Twitter (@blackorbird)}, url = {https://twitter.com/blackorbird/status/1247834024711577601}, language = {English}, urldate = {2020-05-05} } @techreport{blaich:20180118:dark:31c31f6, author = {Andrew Blaich and Apurva Kumar and Jeremy Richards and Michael Flossman and Cooper Quintin and Eva Galperin}, title = {{Dark Caracal: Cyber-espionage at a Global Scal}}, date = {2018-01-18}, institution = {Lookout}, url = {https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf}, language = {English}, urldate = {2020-06-08} } @online{blake:20210122:ldap:edfef67, author = {Scott W Blake}, title = {{LDAP Channel Binding and Signing}}, date = {2021-01-22}, organization = {Trimarc Security}, url = {https://www.hub.trimarcsecurity.com/post/ldap-channel-binding-and-signing}, language = {English}, urldate = {2021-01-29} } @online{blake:20211229:cobalt:b8c08bb, author = {Blake}, title = {{Cobalt Strike DFIR: Listening to the Pipes}}, date = {2021-12-29}, organization = {Blake's R&D}, url = {https://bmcder.com/blog/cobalt-strike-dfir-listening-to-the-pipes}, language = {English}, urldate = {2021-12-31} } @online{blancrolin:20211125:emotet:b02b32b, author = {Charles Blanc-Rolin}, title = {{Emotet de retour, POC Exchange, 0-day Windows : à quelle sauce les attaquants prévoient de nous manger cette semaine?}}, date = {2021-11-25}, organization = {DSIH}, url = {https://www.dsih.fr/article/4483/emotet-de-retour-poc-exchange-0-day-windows-a-quelle-sauce-les-attaquants-prevoient-de-nous-manger-cette-semaine.html}, language = {French}, urldate = {2021-12-06} } @online{blasco:20120702:sykipot:09eeec7, author = {Jaime Blasco}, title = {{Sykipot is back}}, date = {2012-07-02}, organization = {AT&T}, url = {https://www.alienvault.com/blogs/labs-research/sykipot-is-back}, language = {English}, urldate = {2019-12-18} } @online{blasco:20130321:new:511f1a7, author = {Jaime Blasco}, title = {{New Sykipot developments}}, date = {2013-03-21}, organization = {AT&T}, url = {https://www.alienvault.com/open-threat-exchange/blog/new-sykipot-developments}, language = {English}, urldate = {2020-01-12} } @online{blasco:20140828:scanbox:a0cc92a, author = {Jaime Blasco}, title = {{Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks}}, date = {2014-08-28}, organization = {AT&T}, url = {https://www.alienvault.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks}, language = {English}, urldate = {2019-12-06} } @online{blasco:20190402:xwo:11817a2, author = {Jaime Blasco and Chris Doman}, title = {{Xwo - A Python-based bot scanner}}, date = {2019-04-02}, organization = {AT&T}, url = {https://www.alienvault.com/blogs/labs-research/xwo-a-python-based-bot-scanner}, language = {English}, urldate = {2020-01-06} } @online{blasi:20200922:darkside:67c758a, author = {Stefano De Blasi}, title = {{DarkSide: The New Ransomware Group Behind Highly Targeted Attacks}}, date = {2020-09-22}, organization = {Digital Shadows}, url = {https://www.digitalshadows.com/blog-and-research/darkside-the-new-ransomware-group-behind-highly-targeted-attacks/}, language = {English}, urldate = {2020-11-17} } @online{blasi:20210203:emotet:8e8ac18, author = {Stefano De Blasi}, title = {{Emotet Disruption: what it means for the cyber threat landscape}}, date = {2021-02-03}, organization = {Digital Shadows}, url = {https://www.digitalshadows.com/blog-and-research/emotet-disruption/}, language = {English}, urldate = {2021-02-06} } @online{blasi:20210520:ransomwareasaservice:c7173c4, author = {Stefano De Blasi}, title = {{Ransomware-as-a-Service, Rogue Affiliates, and What’s Next}}, date = {2021-05-20}, organization = {Digital Shadows}, url = {https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/}, language = {English}, urldate = {2021-05-26} } @online{blazek:20210524:scotch:7104907, author = {Sam Blazek}, title = {{SCOTCH: A framework for rapidly assessing influence operations}}, date = {2021-05-24}, organization = {Atlantic Council}, url = {https://www.atlanticcouncil.org/blogs/geotech-cues/scotch-a-framework-for-rapidly-assessing-influence-operations/}, language = {English}, urldate = {2021-06-21} } @online{blazier:20201218:quirk:fe216c8, author = {Nick Blazier and Jesse Kipp}, title = {{A quirk in the SUNBURST DGA algorithm}}, date = {2020-12-18}, organization = {Cloudflare}, url = {https://blog.cloudflare.com/a-quirk-in-the-sunburst-dga-algorithm/}, language = {English}, urldate = {2020-12-18} } @online{blazytko:20210630:automation:4b8423b, author = {Tim Blazytko}, title = {{Automation in Reverse Engineering: String Decryption}}, date = {2021-06-30}, organization = {synthesis.to blog}, url = {https://synthesis.to/2021/06/30/automating_string_decryption.html}, language = {English}, urldate = {2021-07-12} } @online{bleepingcomputer:20170417:remove:4727489, author = {BleepingComputer}, title = {{Remove Search.searchetan.com Chrome New Tab Page}}, date = {2017-04-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/virus-removal/remove-search-searchetan.com-chrome-new-tab-page}, language = {English}, urldate = {2020-01-06} } @online{bleepingcomputer:20211219:exposed:333be0a, author = {BleepingComputer}, title = {{Exposed Docker APIs Abused by DDoS, Cryptojacking Botnet Malware}}, date = {2021-12-19}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/exposed-docker-apis-abused-by-ddos-cryptojacking-botnet-malware/}, language = {English}, urldate = {2021-12-20} } @online{bleepingcomputer:20220106:night:7b146e2, author = {BleepingComputer}, title = {{Night Sky is the latest ransomware targeting corporate networks}}, date = {2022-01-06}, url = {https://www.bleepingcomputer.com/news/security/night-sky-is-the-latest-ransomware-targeting-corporate-networks/}, language = {English}, urldate = {2022-01-12} } @online{bleepingcomputer:20220427:new:e66d2b0, author = {BleepingComputer}, title = {{New Black Basta ransomware springs into action with a dozen breaches}}, date = {2022-04-27}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/new-black-basta-ransomware-springs-into-action-with-a-dozen-breaches/}, language = {English}, urldate = {2022-04-29} } @online{blinken:20210415:holding:13b5d18, author = {Antony J. Blinken}, title = {{Holding Russia To Account}}, date = {2021-04-15}, organization = {U.S. Department of State}, url = {https://www.state.gov/holding-russia-to-account/}, language = {English}, urldate = {2021-04-16} } @online{blksmth:20220118:analysis:f6d259e, author = {BLKSMTH}, title = {{Analysis of Destructive Malware (WhisperGate) targeting Ukraine}}, date = {2022-01-18}, organization = {S2W Inc.}, url = {https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3}, language = {English}, urldate = {2022-01-19} } @online{block:20210604:ransomware:9b1bb93, author = {Bar Block}, title = {{The Ransomware Conundrum – A Look into DarkSide}}, date = {2021-06-04}, organization = {DeepInstinct}, url = {https://www.deepinstinct.com/2021/06/04/the-ransomware-conundrum-a-look-into-darkside/}, language = {English}, urldate = {2021-06-22} } @online{block:20220524:blame:9f45829, author = {Bar Block}, title = {{Blame the Messenger: 4 Types of Dropper Malware in Microsoft Office & How to Detect Them}}, date = {2022-05-24}, organization = {Deep instinct}, url = {https://www.deepinstinct.com/blog/types-of-dropper-malware-in-microsoft-office}, language = {English}, urldate = {2022-05-29} } @online{blog:20081124:iwormnuwarw:424455b, author = {NoVirusThanks Blog}, title = {{I-Worm/Nuwar.W + Rustock.E Variant – Analysis}}, date = {2008-11-24}, organization = {NoVirusThanks Blog}, url = {http://blog.novirusthanks.org/2008/11/i-wormnuwarw-rustocke-variant-analysis/}, language = {English}, urldate = {2019-10-15} } @online{blog:20170413:decrypting:c59a1bd, author = {Koodous Blog}, title = {{Decrypting Bankbot communications.}}, date = {2017-04-13}, organization = {Koodous}, url = {http://blog.koodous.com/2017/04/decrypting-bankbot-communications.html}, language = {English}, urldate = {2019-08-07} } @online{blog:20200904:navigating:75404a6, author = {Quosec Blog}, title = {{Navigating QakBot samples with grap}}, date = {2020-09-04}, organization = {QuoSec GmbH}, url = {https://quosecgmbh.github.io/blog/grap_qakbot_navigation.html}, language = {English}, urldate = {2021-03-22} } @online{blog:20200910:grap:d2f055d, author = {Quosec Blog}, title = {{grap: Automating QakBot strings decryption}}, date = {2020-09-10}, organization = {QuoSec GmbH}, url = {https://quosecgmbh.github.io/blog/grap_qakbot_strings.html}, language = {English}, urldate = {2021-03-22} } @online{blog:202102:profiling:e0aafb8, author = {Dancho Danchev's Blog}, title = {{Profiling a Currently Active High-Profile Cybercriminals Portfolio of Ransomware-Themed Extortion Email Addresses - Part Two}}, date = {2021-02}, organization = {Dancho Danchev's Blog}, url = {https://ddanchev.blogspot.com/2021/02/profiling-currently-active-high-profile.html}, language = {English}, urldate = {2021-02-20} } @online{blog:20211005:regarding:ed16d41, author = {EXPMON's Blog}, title = {{Regarding the Threats Posed by Encrypted Office Files}}, date = {2021-10-05}, organization = {EXPMON}, url = {https://expmon.blogspot.com/2021/10/regarding-threats-posed-by-encrypted.html}, language = {English}, urldate = {2021-10-11} } @online{blog:20211124:from:541a657, author = {Lasq's Security Blog}, title = {{From the archive #1: OSTap downloader deobfuscation and analysis}}, date = {2021-11-24}, organization = {Lasq's Security Blog}, url = {https://malfind.com/index.php/2021/11/24/from-the-archive-1-ostap-dropper-deobfuscation-and-analysis/}, language = {English}, urldate = {2021-11-29} } @online{blogs:20210720:growing:25ed338, author = {Microsoft Corporate Blogs}, title = {{The growing threat of ransomware}}, date = {2021-07-20}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2021/07/20/the-growing-threat-of-ransomware/}, language = {English}, urldate = {2021-07-26} } @techreport{blueliv:20151026:chasing:975ef1a, author = {Blueliv}, title = {{Chasing cybercrime: network insights of Dyre and Dridex Trojan bankers}}, date = {2015-10-26}, institution = {Blueliv}, url = {https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf}, language = {English}, urldate = {2020-01-13} } @techreport{blueliv:201609:chasing:1c02f62, author = {Blueliv}, title = {{Chasing Cybercrime: Network insights into Vawtrak v2}}, date = {2016-09}, institution = {Blueliv}, url = {https://www.blueliv.com/downloads/network-insights-into-vawtrak-v2.pdf}, language = {English}, urldate = {2020-01-07} } @online{blueliv:20171006:trickbot:a2a9ac8, author = {Blueliv}, title = {{TrickBot banking trojan using EFLAGS as an anti-hook technique}}, date = {2017-10-06}, organization = {Blueliv}, url = {https://www.blueliv.com/research/trickbot-banking-trojan-using-eflags-as-an-anti-hook-technique/}, language = {English}, urldate = {2020-01-08} } @techreport{blueliv:201807:necurs:652cee2, author = {Blueliv}, title = {{Necurs Malware Overview}}, date = {2018-07}, institution = {Blueliv}, url = {https://www.blueliv.com/wp-content/uploads/2018/07/Blueliv-Necurs-report-2017.pdf}, language = {English}, urldate = {2019-12-10} } @techreport{blueliv:20220125:cyber:47bcefd, author = {Blueliv}, title = {{Cyber Threat Intelligence for Banking & Financial Services FOLLOW THE MONEY}}, date = {2022-01-25}, institution = {Blueliv}, url = {https://www.blueliv.com/resources/white-papers/financial_wp_21.pdf}, language = {English}, urldate = {2022-01-28} } @online{bluemonkey:20210929:ariabody:49911f8, author = {BlueMonkey}, title = {{Aria-Body Loader? Is that you?}}, date = {2021-09-29}, organization = {Medium BlueMonkey}, url = {https://medium.com/insomniacs/aria-body-loader-is-that-you-53bdd630f8a1}, language = {English}, urldate = {2021-10-20} } @online{blueteamops:20210926:supercharging:aad33da, author = {BlueteamOps}, title = {{Supercharging Bulk DFIR triage with Node-RED, Google’s Log2timeline & Google’s Timesketch}}, date = {2021-09-26}, organization = {Medium BlueteamOps}, url = {https://blueteamops.medium.com/super-charging-bulk-dfir-triage-with-node-red-google-log2timeline-google-timesketch-2d78e1ee335c}, language = {English}, urldate = {2021-09-28} } @online{blumira:20210714:threat:614d084, author = {Blumira}, title = {{Threat of the Month: IcedID Malware}}, date = {2021-07-14}, organization = {Cerium Networks}, url = {https://ceriumnetworks.com/threat-of-the-month-icedid-malware/}, language = {English}, urldate = {2021-07-20} } @online{bmcder02:20220419:extracting:3e827cf, author = {bmcder02}, title = {{Extracting Cobalt Strike from Windows Error Reporting}}, date = {2022-04-19}, organization = {Blake's R&D}, url = {https://bmcder.com/blog/extracting-cobalt-strike-from-windows-error-reporting}, language = {English}, urldate = {2022-04-20} } @online{bobritsky:20201118:stopping:e5c486b, author = {Eddy Bobritsky}, title = {{Stopping BuerLoader With Minerva Lab's Hostile Environment Simulation module}}, date = {2020-11-18}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/stopping-buerloader}, language = {English}, urldate = {2020-11-19} } @online{bocereg:20200924:apps:88b3497, author = {Alexandra Bocereg and Oana Asoltanei and Ioan-Septimiu Dinulica and Bogdan Botezatu}, title = {{Apps on Google Play Tainted with Cerberus Banker Malware}}, date = {2020-09-24}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/09/apps-on-google-play-tainted-with-cerberus-banker-malware/}, language = {English}, urldate = {2020-10-13} } @techreport{bock:20210827:even:9845698, author = {Kevin Bock and Gabriel Naval and Kyle Reese and Dave Levin}, title = {{Even Censors Have a Backup: Examining China’s Double HTTPS Censorship Middleboxes}}, date = {2021-08-27}, institution = {University of Maryland}, url = {https://geneva.cs.umd.edu/papers/foci21.pdf}, language = {English}, urldate = {2021-10-13} } @online{bock:20210828:even:8ce1f2c, author = {Kevin Bock}, title = {{Even Censors Have a Backup: Examining China’s Double HTTPS Censorship Middleboxes - FOCI 21}}, date = {2021-08-28}, organization = {YouTube (Kevin Bock)}, url = {https://www.youtube.com/watch?v=ASskHbwnrV4}, language = {English}, urldate = {2021-10-13} } @online{boczan:20180605:evolution:372e566, author = {Tamas Boczan}, title = {{The Evolution of GandCrab Ransomware}}, date = {2018-06-05}, organization = {VMRay}, url = {http://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/}, language = {English}, urldate = {2019-11-20} } @online{boczan:20190625:analyzing:fe5a161, author = {Tamas Boczan}, title = {{Analyzing Ursnif’s Behavior Using a Malware Sandbox}}, date = {2019-06-25}, organization = {VMRay}, url = {https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/}, language = {English}, urldate = {2019-12-17} } @online{boddy:20170615:trickbot:6eb1db4, author = {Sara Boddy and Jesse Smith and Doron Voolf}, title = {{Trickbot Expands Global Targets Beyond Banks and Payment Processors to CRMs}}, date = {2017-06-15}, organization = {F5}, url = {https://f5.com/labs/articles/threat-intelligence/malware/trickbot-expands-global-targets-beyond-banks-and-payment-processors-to-crms}, language = {English}, urldate = {2019-12-24} } @online{bogdanov:20210324:encounters:e5ed159, author = {Igor Bogdanov}, title = {{APT Encounters of the Third Kind}}, date = {2021-03-24}, organization = {Igor's Blog}, url = {https://igor-blue.github.io/2021/03/24/apt1.html}, language = {English}, urldate = {2021-03-25} } @online{boguslavskiy:20200715:inside:f9b95b1, author = {Yelisey Boguslavskiy and Samantha van de Ven}, title = {{Inside REvil Extortionist “Machine”: Predictive Insights}}, date = {2020-07-15}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/inside-revil-extortionist-machine-predictive-insights}, language = {English}, urldate = {2020-07-16} } @online{boguslavskiy:20210503:tween:35cfbaf, author = {Yelisey Boguslavskiy}, title = {{Tween on new RaaS Galaxy Ransomware}}, date = {2021-05-03}, organization = {Twitter (@y_advintel)}, url = {https://twitter.com/y_advintel/status/1389330275616710657}, language = {English}, urldate = {2021-05-08} } @online{boguslavskiy:20210630:ransomwarecve:deae6a7, author = {Yelisey Boguslavskiy and Brandon Rudisel and AdvIntel Security & Development Team}, title = {{Ransomware-&-CVE: Industry Insights Into Exclusive High-Value Target Adversarial Datasets}}, date = {2021-06-30}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities}, language = {English}, urldate = {2021-07-01} } @online{boguslavskiy:20210714:revil:7729e3d, author = {Yelisey Boguslavskiy and AdvIntel Security & Development Team}, title = {{REvil Vanishes From Underground - Infrastructure Down}}, date = {2021-07-14}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/revil-vanishes-from-underground-infrastructure-down-support-staff-adverts-silent}, language = {English}, urldate = {2021-07-20} } @online{boguslavskiy:20210909:groove:f678f6d, author = {Yelisey Boguslavskiy and Anastasia Sentsova}, title = {{Groove VS Babuk; Groove Ransom Manifesto & RAMP Underground Platform Secret Inner Workings}}, date = {2021-09-09}, organization = {Advanced Intelligence}, url = {https://www.advintel.io/post/groove-vs-babuk-groove-ransom-manifesto-ramp-underground-platform-secret-inner-workings}, language = {English}, urldate = {2021-09-12} } @online{boguslavskiy:20211120:corporate:a8b0a1c, author = {Yelisey Boguslavskiy and Vitali Kremez}, title = {{Corporate Loader "Emotet": History of "X" Project Return for Ransomware}}, date = {2021-11-20}, organization = {Advanced Intelligence}, url = {https://www.advintel.io/post/corporate-loader-emotet-history-of-x-project-return-for-ransomware}, language = {English}, urldate = {2021-11-25} } @online{boguslavskiy:20220114:storm:ad0e3d7, author = {Yelisey Boguslavskiy}, title = {{Storm in "Safe Haven": Takeaways from Russian Authorities Takedown of REvil}}, date = {2022-01-14}, organization = {Advanced Intelligence}, url = {https://www.advintel.io/post/storm-in-safe-haven-takeaways-from-russian-authorities-takedown-of-revil}, language = {English}, urldate = {2022-01-24} } @online{boguslavskiy:20220216:trickbot:a431e84, author = {Yelisey Boguslavskiy}, title = {{The TrickBot Saga’s Finale Has Aired: Spinoff is Already in the Works}}, date = {2022-02-16}, organization = {Advanced Intelligence}, url = {https://www.advintel.io/post/the-trickbot-saga-s-finale-has-aired-but-a-spinoff-is-already-in-the-works}, language = {English}, urldate = {2022-02-19} } @online{boguslavskiy:20220520:discontinued:de13f97, author = {Yelisey Boguslavskiy and Vitali Kremez and Marley Smith}, title = {{DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape}}, date = {2022-05-20}, organization = {AdvIntel}, url = {https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape}, language = {English}, urldate = {2022-05-25} } @online{bohio:20150319:analyzing:eac298c, author = {Muhammad Junaid Bohio}, title = {{Analyzing a Backdoor/Bot forthe MIPS Platform}}, date = {2015-03-19}, url = {https://www.sans.org/reading-room/whitepapers/malicious/analyzing-backdoor-bot-mips-platform-35902}, language = {English}, urldate = {2020-09-21} } @online{bojaxhi:20200324:exchange:bd67613, author = {Hermes Bojaxhi}, title = {{Exchange Exploit Case Study – CVE-2020-0688}}, date = {2020-03-24}, organization = {RSA}, url = {https://community.rsa.com/community/products/netwitness/blog/2020/03/24/exchange-exploit-case-study-cve-2020-0688}, language = {English}, urldate = {2021-02-02} } @online{boldewin:20181231:fastcashmalwaredissected:d72e332, author = {Frank Boldewin}, title = {{FastCashMalwareDissected}}, date = {2018-12-31}, organization = {Github Repository}, url = {https://github.com/fboldewin/FastCashMalwareDissected/}, language = {English}, urldate = {2019-07-10} } @online{boldewin:20190328:javadispcash:8899167, author = {Frank Boldewin}, title = {{Tweet on JavaDispCash}}, date = {2019-03-28}, organization = {Twitter (@r3c0nst)}, url = {https://twitter.com/r3c0nst/status/1111254169623674882}, language = {English}, urldate = {2020-01-06} } @online{boldewin:20190601:atm:7c1d0c2, author = {Frank Boldewin}, title = {{Tweet on ATM Malware NVISOSPIT}}, date = {2019-06-01}, organization = {Twitter (@r3c0nst)}, url = {https://twitter.com/r3c0nst/status/1135606944427905025}, language = {English}, urldate = {2019-11-26} } @online{boldewin:20190710:xfs:aa523ad, author = {Frank Boldewin}, title = {{Tweet on XFS ATM malware}}, date = {2019-07-10}, organization = {Twitter (@r3c0nst)}, url = {https://twitter.com/r3c0nst/status/1149043362244308992}, language = {English}, urldate = {2020-01-06} } @online{boldewin:20190828:atm:b393cb8, author = {Frank Boldewin}, title = {{Tweet on ATM Malware}}, date = {2019-08-28}, organization = {Twitter (@r3c0nst)}, url = {https://twitter.com/r3c0nst/status/1166773324548063232}, language = {English}, urldate = {2019-12-05} } @online{boldewin:20191129:libertad:974f5d8, author = {Frank Boldewin}, title = {{Libertad y gloria - A Mexican cyber heist story - CyberCrimeCon19 Singapore}}, date = {2019-11-29}, organization = {Github (fboldewin)}, url = {https://github.com/fboldewin/Libertad-y-gloria---A-Mexican-cyber-heist-story---CyberCrimeCon19-Singapore}, language = {English}, urldate = {2019-12-17} } @online{boldewin:20200227:dispcashbr:7dda1c8, author = {Frank Boldewin}, title = {{Tweet on DispCashBR}}, date = {2020-02-27}, organization = {Twitter (@r3c0nst)}, url = {https://twitter.com/r3c0nst/status/1232944566208286720}, language = {English}, urldate = {2020-02-27} } @online{boldewin:20200817:loup:c8e43e4, author = {Frank Boldewin}, title = {{Tweet on Loup}}, date = {2020-08-17}, organization = {Twitter (@r3c0nst)}, url = {https://twitter.com/r3c0nst/status/1295275546780327936}, language = {English}, urldate = {2020-08-17} } @techreport{boldewin:20201127:when:9697611, author = {Frank Boldewin}, title = {{When ransomware hits an ATM giant - The Diebold Nixdorf case dissected}}, date = {2020-11-27}, institution = {Fiducia & GAD IT AG}, url = {https://raw.githubusercontent.com/fboldewin/When-ransomware-hits-an-ATM-giant---The-Diebold-Nixdorf-case-dissected/main/When%20ransomware%20hits%20an%20ATM%20giant%20-%20The%20Diebold%20Nixdorf%20case%20dissected%20-%20Group-IB%20CyberCrimeCon2020.pdf}, language = {English}, urldate = {2020-12-01} } @online{boldewin:20210812:stealbit:08f3307, author = {Frank Boldewin}, title = {{Tweet on StealBit malware as used by LockBit 2.0}}, date = {2021-08-12}, organization = {Twitter (@r3c0nst)}, url = {https://twitter.com/r3c0nst/status/1425875923606310913}, language = {English}, urldate = {2021-08-16} } @online{bone:20200617:detecting:be87469, author = {Rob Bone}, title = {{Detecting PoshC2 – Indicators of Compromise}}, date = {2020-06-17}, organization = {Nettitude Labs}, url = {https://labs.nettitude.com/blog/detecting-poshc2-indicators-of-compromise/}, language = {English}, urldate = {2020-06-18} } @online{bonfa:20101115:tracing:4f23185, author = {Giuseppe Bonfa}, title = {{Tracing the Crimeware Origins by Reversing Injected Code}}, date = {2010-11-15}, organization = {Infosec}, url = {http://resources.infosecinstitute.com/zeroaccess-malware-part-4-tracing-the-crimeware-origins-by-reversing-injected-code/}, language = {English}, urldate = {2020-01-05} } @online{bonfa:20101116:zeroaccess:14293db, author = {Giuseppe Bonfa}, title = {{ZEROACCESS MALWARE - PART 3: The Device Driver Process Injection Rootkit}}, date = {2010-11-16}, url = {http://resources.infosecinstitute.com/zeroaccess-malware-part-3-the-device-driver-process-injection-rootkit/}, language = {English}, urldate = {2020-01-08} } @online{bonfa:20101120:kernelmode:b6d039e, author = {Giuseppe Bonfa}, title = {{The Kernel-Mode Device Driver Stealth Rootkit}}, date = {2010-11-20}, organization = {InfoSec Institute}, url = {http://resources.infosecinstitute.com/zeroaccess-malware-part-2-the-kernel-mode-device-driver-stealth-rootkit/}, language = {English}, urldate = {2020-01-13} } @online{bonfa:201011:zeroaccess:fd02426, author = {Giuseppe Bonfa}, title = {{ZEROACCESS MALWARE - PART 1: De-Obfuscating and Reversing the User-Mode Agent Dropper}}, date = {2010-11}, organization = {InfoSec Institute}, url = {http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/}, language = {English}, urldate = {2019-12-17} } @online{bonicontro:20201107:linuxmidrashim:55a5b54, author = {Guilherme Thomazi Bonicontro}, title = {{Linux.Midrashim}}, date = {2020-11-07}, organization = {Github (guitmz)}, url = {https://github.com/guitmz/midrashim}, language = {English}, urldate = {2021-01-21} } @online{bonicontro:20210118:linuxmidrashim:0ffc38f, author = {Guilherme Thomazi Bonicontro}, title = {{Linux.Midrashim: Assembly x64 ELF virus}}, date = {2021-01-18}, organization = {guitmz blog}, url = {https://www.guitmz.com/linux-midrashim-elf-virus/}, language = {English}, urldate = {2021-01-21} } @online{borders:20190329:exodus:e3044af, author = {Security without Borders}, title = {{Exodus: New Android Spyware Made in Italy}}, date = {2019-03-29}, organization = {Security Without Borders}, url = {https://securitywithoutborders.org/blog/2019/03/29/exodus.html}, language = {English}, urldate = {2019-07-09} } @online{borg:2020:memory:974bf75, author = {Steve Borg}, title = {{Memory Forensics of Qakbot}}, date = {2020}, organization = {University of Malta}, url = {https://www.um.edu.mt/library/oar/handle/123456789/76802}, language = {English}, urldate = {2021-06-24} } @online{borghard:20201217:russias:5ad1412, author = {Erica Borghard and Jacquelyn Schneider}, title = {{Russia's Hack Wasn't Cyberwar. That Complicates US Strategy}}, date = {2020-12-17}, organization = {Wired}, url = {https://www.wired.com/story/russia-solarwinds-hack-wasnt-cyberwar-us-strategy}, language = {English}, urldate = {2021-06-21} } @techreport{boris:20141113:computer:290f01d, author = {Ivanov Boris}, title = {{Computer Forensic Investigation of mobile Banking Trojan}}, date = {2014-11-13}, institution = {ZeroNights}, url = {http://2014.zeronights.ru/assets/files/slides/ivanovb-zeronights.pdf}, language = {English}, urldate = {2019-11-27} } @online{boris:20220331:new:fc75dc9, author = {Teejay Boris}, title = {{New Password-Stealing Malware Sells on Hacking Forum! Chrome, Binance, Outlook, Telegram Users Affected?}}, date = {2022-03-31}, organization = {Tech Times}, url = {https://www.techtimes.com/articles/273752/20220331/new-password-stealing-malware-hacking-forum-hack-password-stealing-google-chrome-binance-outlook-telegram.htm}, language = {English}, urldate = {2022-04-05} } @online{borja:20200914:analysis:36d3fee, author = {Aprilyn Borja and Abraham Camba and Khristoffer Jocson and Ryan Maglaque and Gilbert Sison and Jay Yaneza}, title = {{Analysis of a Convoluted Attack Chain Involving Ngrok}}, date = {2020-09-14}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/i/analysis-of-a-convoluted-attack-chain-involving-ngrok.html}, language = {English}, urldate = {2020-09-23} } @online{boscovich:20120913:microsoft:da601a2, author = {Richard Domingues Boscovich}, title = {{Microsoft Disrupts the Emerging Nitol Botnet Being Spread through an Unsecure Supply Chain}}, date = {2012-09-13}, organization = {Microsoft}, url = {https://blogs.technet.microsoft.com/microsoft_blog/2012/09/13/microsoft-disrupts-the-emerging-nitol-botnet-being-spread-through-an-unsecure-supply-chain/}, language = {English}, urldate = {2020-01-13} } @online{botezatu:20170505:inside:0cff0e6, author = {Bogdan Botezatu and Alexandru Maximciuc and Cristina Vatamanu and Adrian Schipur}, title = {{Inside Netrepser – a JavaScript-based Targeted Attack}}, date = {2017-05-05}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2017/05/inside-netrepser-a-javascript-based-targeted-attack/}, language = {English}, urldate = {2020-01-08} } @online{botezatu:20180124:new:f993782, author = {Bogdan Botezatu}, title = {{New Hide ‘N Seek IoT Botnet using custom-built Peer-to-Peer communication spotted in the wild}}, date = {2018-01-24}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2018/01/new-hide-n-seek-iot-botnet-using-custom-built-peer-to-peer-communication-spotted-in-the-wild/}, language = {English}, urldate = {2020-01-08} } @online{botezatu:20180413:radrat:e2bc7ad, author = {Bogdan Botezatu and Eduard Budaca}, title = {{RadRAT: An all-in-one toolkit for complex espionage ops}}, date = {2018-04-13}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2018/04/radrat-an-all-in-one-toolkit-for-complex-espionage-ops/}, language = {English}, urldate = {2020-01-09} } @online{botezatu:20180507:hide:0fd8d9a, author = {Bogdan Botezatu}, title = {{Hide and Seek IoT Botnet resurfaces with new tricks, persistence}}, date = {2018-05-07}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2018/05/hide-and-seek-iot-botnet-resurfaces-with-new-tricks-persistence/}, language = {English}, urldate = {2020-01-06} } @online{botezatu:20181025:gandcrab:4e85fe9, author = {Bogdan Botezatu}, title = {{GandCrab Ransomware decryption tool}}, date = {2018-10-25}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2018/02/gandcrab-ransomware-decryption-tool-available-for-free/}, language = {English}, urldate = {2020-01-10} } @online{botezatu:20190219:new:21079a9, author = {Bogdan Botezatu}, title = {{New GandCrab v5.1 Decryptor Available Now}}, date = {2019-02-19}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/}, language = {English}, urldate = {2019-10-15} } @online{botezatu:20190416:inside:8302b5d, author = {Bogdan Botezatu and Cristofor Ochinca and Andrei Ardelean}, title = {{Inside Scranos – A Cross Platform, Rootkit-Enabled Spyware Operation}}, date = {2019-04-16}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2019/04/inside-scranos-a-cross-platform-rootkit-enabled-spyware-operation/}, language = {English}, urldate = {2019-12-18} } @online{botezatu:20190617:good:c24ed06, author = {Bogdan Botezatu}, title = {{Good riddance, GandCrab! We’re still fixing the mess you left behind}}, date = {2019-06-17}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2019/06/good-riddance-gandcrab-were-still-fixing-the-mess-you-left-behind}, language = {English}, urldate = {2020-01-10} } @techreport{botezatu:20190625:scranos:13c5096, author = {Bogdan Botezatu and Andrei Ardelean and Cristofor Ochinca and Cristian Alexandru and Istrate and Claudiu Stefan Coblis}, title = {{Scranos Revisited – Rethinking persistence to keep established network alive}}, date = {2019-06-25}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/271/Bitdefender-Whitepaper-Scranos-2.pdf}, language = {English}, urldate = {2020-01-08} } @online{botezatu:20210204:fonix:9d53bd8, author = {Bogdan Botezatu}, title = {{Fonix Ransomware Decryptor}}, date = {2021-02-04}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2021/02/fonix-ransomware-decryptor/}, language = {English}, urldate = {2021-05-04} } @online{botezatu:20210721:luminousmoth:7ed907d, author = {Bogdan Botezatu and Victor Vrabie}, title = {{LuminousMoth – PlugX, File Exfiltration and Persistence Revisited}}, date = {2021-07-21}, organization = {Bitdefender}, url = {https://www.bitdefender.com/blog/labs/luminousmoth-plugx-file-exfiltration-and-persistence-revisited}, language = {English}, urldate = {2021-07-26} } @techreport{botezatu:20210825:fin8:44ba5b3, author = {Bogdan Botezatu and Victor Vrabie and Cristina Vatamanu and Eduard Budaca}, title = {{FIN8 Threat Actor Goes Agile with New Sardonic Backdoor}}, date = {2021-08-25}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/401/Bitdefender-PR-Whitepaper-FIN8-creat5619-en-EN.pdf}, language = {English}, urldate = {2021-09-02} } @online{bousseaden:20200625:close:be8a8b2, author = {Samir Bousseaden and Daniel Stepanic}, title = {{A close look at the advanced techniques used in a Malaysian-focused APT campaign}}, date = {2020-06-25}, organization = {Elastic}, url = {https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign}, language = {English}, urldate = {2020-06-25} } @online{bousseaden:20210318:hunting:3c36ea4, author = {Samir Bousseaden}, title = {{Hunting for Lateral Movement using Event Query Language}}, date = {2021-03-18}, organization = {Elastic}, url = {https://www.elastic.co/blog/hunting-for-lateral-movement-using-event-query-language}, language = {English}, urldate = {2021-03-19} } @online{bousseaden:20220207:exploring:c0df09d, author = {Samir Bousseaden}, title = {{Exploring Windows UAC Bypasses: Techniques and Detection Strategies}}, date = {2022-02-07}, organization = {Elastic}, url = {https://elastic.github.io/security-research/whitepapers/2022/02/03.exploring-windows-uac-bypass-techniques-detection-strategies/article/}, language = {English}, urldate = {2022-03-07} } @online{boutin:20131218:qadars:98a9a63, author = {Jean-Ian Boutin}, title = {{Qadars – a banking Trojan with the Netherlands in its sights}}, date = {2013-12-18}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2013/12/18/qadars-a-banking-trojan-with-the-netherlands-in-its-sights/}, language = {English}, urldate = {2019-11-14} } @online{boutin:20150409:operation:077f5fe, author = {Jean-Ian Boutin}, title = {{Operation Buhtrap, the trap for Russian accountants}}, date = {2015-04-09}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2015/04/09/operation-buhtrap/}, language = {English}, urldate = {2019-11-14} } @online{boutin:20151111:operation:baffed9, author = {Jean-Ian Boutin}, title = {{Operation Buhtrap malware distributed via ammyy.com}}, date = {2015-11-11}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2015/11/11/operation-buhtrap-malware-distributed-via-ammyy-com/}, language = {English}, urldate = {2020-01-08} } @online{boutin:20170606:turlas:f9b4935, author = {Jean-Ian Boutin}, title = {{Turla’s watering hole campaign: An updated Firefox extension abusing Instagram}}, date = {2017-06-06}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/}, language = {English}, urldate = {2019-11-14} } @online{boutin:20181105:bluehat:65f6d65, author = {Jean-Ian Boutin and Frédéric Vachon}, title = {{BlueHat v18 || First STRONTIUM UEFI Rootkit Unveiled}}, date = {2018-11-05}, organization = {Youtube (MSRC)}, url = {https://www.youtube.com/watch?v=VeoXT0nEcFU}, language = {English}, urldate = {2019-12-17} } @online{boutin:20190711:buhtrap:ec174bc, author = {Jean-Ian Boutin}, title = {{Buhtrap group uses zero‑day in latest espionage campaigns}}, date = {2019-07-11}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/07/11/buhtrap-zero-day-espionage-campaigns/}, language = {English}, urldate = {2019-11-14} } @online{boutin:20200611:gamaredon:14a96c2, author = {Jean-Ian Boutin}, title = {{Gamaredon group grows its game}}, date = {2020-06-11}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/}, language = {English}, urldate = {2020-06-11} } @online{boutin:20201012:eset:a7eeb51, author = {Jean-Ian Boutin}, title = {{ESET takes part in global operation to disrupt Trickbot}}, date = {2020-10-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/10/12/eset-takes-part-global-operation-disrupt-trickbot/}, language = {English}, urldate = {2020-10-12} } @online{boutin:20220413:eset:7463437, author = {Jean-Ian Boutin and Tomáš Procházka}, title = {{ESET takes part in global operation to disrupt Zloader botnets}}, date = {2022-04-13}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/}, language = {English}, urldate = {2022-04-14} } @online{boyarchuk:20220329:emotet:18b143b, author = {Oleg Boyarchuk and Jason Zhang and Threat Analysis Unit}, title = {{Emotet C2 Configuration Extraction and Analysis}}, date = {2022-03-29}, organization = {vmware}, url = {https://blogs.vmware.com/security/2022/03/emotet-c2-configuration-extraction-and-analysis.html}, language = {English}, urldate = {2022-04-04} } @online{boyarchuk:20220516:emotet:6392ff3, author = {Oleg Boyarchuk and Stefano Ortolani and Jason Zhang and Threat Analysis Unit}, title = {{Emotet Moves to 64 bit and Updates its Loader}}, date = {2022-05-16}, organization = {vmware}, url = {https://blogs.vmware.com/security/2022/05/emotet-moves-to-64-bit-and-updates-its-loader.html}, language = {English}, urldate = {2022-05-17} } @online{boyarchuk:20220525:emotet:ada82ac, author = {Oleg Boyarchuk and Stefano Ortolani}, title = {{Emotet Config Redux}}, date = {2022-05-25}, organization = {vmware}, url = {https://blogs.vmware.com/security/2022/05/emotet-config-redux.html}, language = {English}, urldate = {2022-05-29} } @techreport{boyton:20211105:analysis:2711253, author = {Christopher Boyton}, title = {{An Analysis of Buer Loader}}, date = {2021-11-05}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/k/a-review-and-analysis-of-2021-buer-loader-campaigns/TechnicalBrief-An-Analysis-of-Buer-Loader.pdf}, language = {English}, urldate = {2021-11-08} } @online{boyton:20211105:review:a1394e6, author = {Christopher Boyton}, title = {{A Review and Analysis of 2021 Buer Loader Campaigns}}, date = {2021-11-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/k/a-review-and-analysis-of-2021-buer-loader-campaigns.html}, language = {English}, urldate = {2021-11-08} } @online{bozzato:20211109:cisco:2f6a349, author = {Claudio Bozzato and Lilith Wyatt}, title = {{Cisco Talos finds 10 vulnerabilities in Azure Sphere’s Linux kernel, Security Monitor and Pluton}}, date = {2021-11-09}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2021/11/cisco-talos-finds-10-vulnerabilities-in.html}, language = {English}, urldate = {2021-11-11} } @online{br3akp0int:20211118:how:02114e2, author = {Br3akp0int}, title = {{Tweet on how to decrypt 4 layers of encryption & obfuscation of vjw0rm}}, date = {2021-11-18}, organization = {Twitter (@tccontre18)}, url = {https://twitter.com/tccontre18/status/1461386178528264204}, language = {English}, urldate = {2021-11-19} } @techreport{br:202003:nova:38220a4, author = {CTIR GOV BR}, title = {{Nova campanha de ataques de Ransomware}}, date = {2020-03}, institution = {CTIR GOV}, url = {https://www.ctir.gov.br/arquivos/alertas/2020/alerta_2020_03_ataques_de_ransomware.pdf}, language = {English}, urldate = {2021-01-29} } @online{bracken:20210713:guess:eafaf32, author = {Becky Bracken}, title = {{Guess Fashion Brand Deals With Data Loss After Ransomware Attack}}, date = {2021-07-13}, organization = {Threat Post}, url = {https://threatpost.com/guess-fashion-data-loss-ransomware/167754/}, language = {English}, urldate = {2021-07-20} } @online{brackmann:20200709:threat:dc4f44e, author = {Pascal Brackmann}, title = {{Threat Bulletin: Dissecting GuLoader’s Evasion Techniques}}, date = {2020-07-09}, organization = {VMRay}, url = {https://www.vmray.com/cyber-security-blog/guloader-evasion-techniques-threat-bulletin/}, language = {English}, urldate = {2021-01-10} } @online{brad:20180117:reviewing:49ad844, author = {brad}, title = {{Reviewing the spam filters: Malspam pushing Gozi-ISFB}}, date = {2018-01-17}, organization = {SANS ISC}, url = {https://isc.sans.edu/forums/diary/Reviewing+the+spam+filters+Malspam+pushing+GoziISFB/23245}, language = {English}, urldate = {2019-12-20} } @online{bradley:20210426:shlayer:1802a7d, author = {Jaron Bradley}, title = {{Shlayer malware abusing Gatekeeper bypass on macOS}}, date = {2021-04-26}, organization = {Jamf Blog}, url = {https://www.jamf.com/blog/shlayer-malware-abusing-gatekeeper-bypass-on-macos/}, language = {English}, urldate = {2021-04-29} } @online{bradley:20210524:zeroday:7196ca4, author = {Jaron Bradley}, title = {{Zero-Day TCC bypass discovered in XCSSET malware}}, date = {2021-05-24}, organization = {Jamf Blog}, url = {https://www.jamf.com/blog/zero-day-tcc-bypass-discovered-in-xcsset-malware/}, language = {English}, urldate = {2021-06-11} } @online{bradley:20210811:rising:3bef356, author = {Tony Bradley}, title = {{The Rising Threat from LockBit Ransomware}}, date = {2021-08-11}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/rising-threat-from-lockbit-ransomware}, language = {English}, urldate = {2022-02-14} } @online{bradley:20220516:updateagent:c0c5625, author = {Jaron Bradley and Stuart Ashenbrenner and Matt Benyo}, title = {{UpdateAgent Adapts Again}}, date = {2022-05-16}, organization = {Jamf Blog}, url = {https://www.jamf.com/blog/updateagent-adapts-again/}, language = {English}, urldate = {2022-05-17} } @online{brady:20190117:pond:572e6e8, author = {Matthew Brady}, title = {{Pond Loach delivers BadCake malware}}, date = {2019-01-17}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/blogs-pond-loach-delivers-badcake-malware}, language = {English}, urldate = {2020-03-03} } @online{brandefense:20220221:darkside:98639e6, author = {Brandefense}, title = {{Darkside Ransomware Analysis Report}}, date = {2022-02-21}, organization = {Brandefense}, url = {https://brandefense.io/darkside-ransomware-analysis-report/}, language = {English}, urldate = {2022-05-03} } @online{brandefense:20220310:hermeticwiper:c5162c1, author = {Brandefense}, title = {{HermeticWiper - Technical Analysis Report}}, date = {2022-03-10}, organization = {Brandefense}, url = {https://brandefense.io/hermeticwiper-technical-analysis-report/}, language = {English}, urldate = {2022-05-03} } @online{brandefense:20220410:zebrocy:467d0a0, author = {Brandefense}, title = {{Zebrocy Malware Technical Analysis Report}}, date = {2022-04-10}, organization = {Brandefense}, url = {https://brandefense.io/zebrocy-malware-technical-analysis-report/}, language = {English}, urldate = {2022-05-03} } @online{brandel:20210422:thread:edbfa14, author = {Eric Brandel}, title = {{A thread on possibly new magecart skimmer}}, date = {2021-04-22}, organization = {Twitter (@AffableKraut)}, url = {https://twitter.com/AffableKraut/status/1385030485676544001}, language = {English}, urldate = {2021-04-28} } @online{brandel:20210715:another:384815e, author = {Eric Brandel}, title = {{Tweet on another digital skimmer/magecart script from the "q-logger" threat actor}}, date = {2021-07-15}, organization = {Twitter (@AffableKraut)}, url = {https://twitter.com/AffableKraut/status/1415425132080816133?s=20}, language = {English}, urldate = {2021-07-20} } @online{brandt:20180731:samsam:68f06ce, author = {Andrew Brandt}, title = {{SamSam guide to coverage}}, date = {2018-07-31}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2018/07/31/samsam-guide-to-coverage/}, language = {English}, urldate = {2022-03-18} } @online{brandt:20180731:sophos:908af44, author = {Andrew Brandt}, title = {{Sophos releases SamSam ransomware report}}, date = {2018-07-31}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2018/07/31/sophoslabs-releases-samsam-ransomware-report/}, language = {English}, urldate = {2022-03-18} } @online{brandt:20181129:how:a840588, author = {Andrew Brandt}, title = {{How a SamSam-like attack happens, and what you can do about it}}, date = {2018-11-29}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2018/11/29/how-a-samsam-like-attack-happens-and-what-you-can-do-about-it/}, language = {English}, urldate = {2022-03-18} } @online{brandt:20190130:matrix:1dc1113, author = {Andrew Brandt}, title = {{Matrix: Targeted, small scale, canary in the coalmine ransomware}}, date = {2019-01-30}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2019/01/30/matrix-targeted-small-scale-canary-in-the-coal-mine-ransomware/}, language = {English}, urldate = {2022-03-18} } @online{brandt:20190503:megacortex:fc2d16b, author = {Andrew Brandt}, title = {{“MegaCortex” ransomware wants to be The One}}, date = {2019-05-03}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2019/05/03/megacortex-ransomware-wants-to-be-the-one/}, language = {English}, urldate = {2019-11-27} } @online{brandt:20190510:megacortex:6b7c935, author = {Andrew Brandt}, title = {{MegaCortex, deconstructed: mysteries mount as analysis continues}}, date = {2019-05-10}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2019/05/10/megacortex-deconstructed-mysteries-mount-as-analysis-continues/}, language = {English}, urldate = {2022-03-18} } @online{brandt:20190524:directed:1164fdf, author = {Andrew Brandt}, title = {{Directed attacks against MySQL servers deliver ransomware}}, date = {2019-05-24}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2019/05/24/gandcrab-spreading-via-directed-attacks-against-mysql-servers/}, language = {English}, urldate = {2022-03-18} } @online{brandt:20191209:snatch:a8f2825, author = {Andrew Brandt}, title = {{Snatch ransomware reboots PCs into Safe Mode to bypass protection}}, date = {2019-12-09}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/}, language = {English}, urldate = {2022-03-18} } @online{brandt:20200206:living:811742c, author = {Andrew Brandt and Mark Loman}, title = {{Living off another land: Ransomware borrows vulnerable driver to remove security software}}, date = {2020-02-06}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/}, language = {English}, urldate = {2020-02-13} } @online{brandt:20200624:glupteba:fc4095d, author = {Andrew Brandt}, title = {{Glupteba malware hides in plain sight}}, date = {2020-06-24}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2020/06/24/glupteba-report/?cmp=30728}, language = {English}, urldate = {2020-06-24} } @online{brandt:20200729:emotets:cb1de9b, author = {Andrew Brandt}, title = {{Emotet’s return is the canary in the coal mine}}, date = {2020-07-29}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2020/07/28/emotets-return-is-the-canary-in-the-coal-mine/?cmp=30728}, language = {English}, urldate = {2020-07-30} } @online{brandt:20200917:maze:714f603, author = {Andrew Brandt and Peter Mackenzie}, title = {{Maze attackers adopt Ragnar Locker virtual machine technique}}, date = {2020-09-17}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/}, language = {English}, urldate = {2020-09-21} } @online{brandt:20200924:emaildelivered:742cfe6, author = {Andrew Brandt and Andrew O'Donnell and Fraser Howard}, title = {{Email-delivered MoDi RAT attack pastes PowerShell commands}}, date = {2020-09-24}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/09/24/email-delivered-modi-rat-attack-pastes-powershell-commands}, language = {English}, urldate = {2020-09-25} } @online{brandt:20210216:conti:24c2333, author = {Andrew Brandt and Anand Ajjan}, title = {{Conti ransomware: Evasive by nature}}, date = {2021-02-16}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/02/16/conti-ransomware-evasive-by-nature/}, language = {English}, urldate = {2021-02-20} } @online{brandt:20210413:compromised:c21fba1, author = {Andrew Brandt}, title = {{Compromised Exchange server hosting cryptojacker targeting other Exchange servers}}, date = {2021-04-13}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/}, language = {English}, urldate = {2021-04-14} } @online{brandt:20210415:bazarloader:93400a1, author = {Andrew Brandt}, title = {{BazarLoader deploys a pair of novel spam vectors}}, date = {2021-04-15}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/04/15/bazarloader-deploys-a-pair-of-novel-spam-vectors}, language = {English}, urldate = {2021-04-16} } @online{brandt:20210505:intervention:f548dee, author = {Andrew Brandt and Peter Mackenzie and Vikas Singh and Gabor Szappanos}, title = {{Intervention halts a ProxyLogon-enabled attack}}, date = {2021-05-05}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/05/05/intervention-halts-a-proxylogon-enabled-attack}, language = {English}, urldate = {2021-05-07} } @online{brandt:20210528:new:4d0e375, author = {Andrew Brandt}, title = {{A new ransomware enters the fray: Epsilon Red}}, date = {2021-05-28}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/05/28/epsilonred/}, language = {English}, urldate = {2021-06-07} } @online{brandt:20210611:relentless:56d5133, author = {Andrew Brandt and Anand Ajjan and Hajnalka Kope and Mark Loman and Peter Mackenzie}, title = {{Relentless REvil, revealed: RaaS as variable as the criminals who use it}}, date = {2021-06-11}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/06/11/relentless-revil-revealed/}, language = {English}, urldate = {2021-06-16} } @online{brandt:20210617:vigilante:d05c7d7, author = {Andrew Brandt}, title = {{Vigilante malware rats out software pirates while blocking ThePirateBay}}, date = {2021-06-17}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/06/17/vigilante-antipiracy-malware/}, language = {English}, urldate = {2021-06-21} } @online{brandt:20210921:cring:9bd4998, author = {Andrew Brandt and Vikas Singh and Shefali Gupta and Krisztián Diriczi and Chaitanya Ghorpade}, title = {{Cring ransomware group exploits ancient ColdFusion server}}, date = {2021-09-21}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/09/21/cring-ransomware-group-exploits-ancient-coldfusion-server/?cmp=30728}, language = {English}, urldate = {2021-09-24} } @online{brandt:20211005:python:61cd49c, author = {Andrew Brandt and Rajesh Nataraj and Andrew O’Donnell and Mauricio Valdivieso}, title = {{Python ransomware script targets ESXi server for encryption}}, date = {2021-10-05}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/10/05/python-ransomware-script-targets-esxi-server-for-encryption/}, language = {English}, urldate = {2021-10-11} } @online{brandt:20211111:bazarloader:9328545, author = {Andrew Brandt}, title = {{BazarLoader ‘call me back’ attack abuses Windows 10 Apps mechanism}}, date = {2021-11-11}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/}, language = {English}, urldate = {2021-11-12} } @online{brandt:20211221:attackers:a529ed2, author = {Andrew Brandt and Stephen Ormandy}, title = {{Attackers test “CAB-less 40444” exploit in a dry run}}, date = {2021-12-21}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/12/21/attackers-test-cab-less-40444-exploit-in-a-dry-run/}, language = {English}, urldate = {2021-12-31} } @online{brandt:20211222:avos:b09298c, author = {Andrew Brandt and Fraser Howard and Anand Ajjan and Peter Mackenzie and Ferenc László Nagy and Sergio Bestulic and Timothy Easton}, title = {{Avos Locker remotely accesses boxes, even running in Safe Mode}}, date = {2021-12-22}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/12/22/avos-locker-remotely-accesses-boxes-even-running-in-safe-mode/}, language = {English}, urldate = {2021-12-31} } @online{brandt:20220125:windows:7d316fb, author = {Andrew Brandt}, title = {{Windows services lay the groundwork for a Midas ransomware attack}}, date = {2022-01-25}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/01/25/windows-services-lay-the-groundwork-for-a-midas-ransomware-attack/}, language = {English}, urldate = {2022-03-30} } @online{brandt:20220125:windows:d134759, author = {Andrew Brandt and Jason Jenkins}, title = {{Windows services lay the groundwork for a Midas ransomware attack}}, date = {2022-01-25}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/01/25/windows-services-lay-the-groundwork-for-a-midas-ransomware-attack/?cmp=30728}, language = {English}, urldate = {2022-01-28} } @online{brandt:20220223:dridex:51a6f80, author = {Andrew Brandt and Anand Ajjan and Colin Cowie and Abhijit Gupta and Steven Lott and Rahil Shah and Vikas Singh and Felix Weyne and Syed Zaidi and Xiaochuan Zhang}, title = {{Dridex bots deliver Entropy ransomware in recent attacks}}, date = {2022-02-23}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/?cmp=30728}, language = {English}, urldate = {2022-03-01} } @online{brandt:20220223:dridex:c1d4784, author = {Andrew Brandt}, title = {{Dridex bots deliver Entropy ransomware in recent attacks}}, date = {2022-02-23}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/}, language = {English}, urldate = {2022-03-01} } @online{brandt:20220412:attackers:f9f5c52, author = {Andrew Brandt and Angela Gunn and Melissa Kelly and Peter Mackenzie and Ferenc László Nagy and Mauricio Valdivieso and Sergio Bestulic and Johnathan Fern and Linda Smith and Matthew Everts}, title = {{Attackers linger on government agency computers before deploying Lockbit ransomware}}, date = {2022-04-12}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/04/12/attackers-linger-on-government-agency-computers-before-deploying-lockbit-ransomware/}, language = {English}, urldate = {2022-04-15} } @online{brandt:20220616:confluence:0bbf8de, author = {Andrew Brandt}, title = {{Confluence exploits used to drop ransomware on vulnerable servers}}, date = {2022-06-16}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2022/06/16/confluence-exploits-used-to-drop-ransomware-on-vulnerable-servers/}, language = {English}, urldate = {2022-06-17} } @techreport{brave:20180515:human:b4396ac, author = {Brave}, title = {{HUMAN RIGHTS UNDER SURVEILLANCE DIGITAL THREATS AGAINST HUMAN RIGHTS DEFENDERS IN PAKISTAN}}, date = {2018-05-15}, institution = {Amnesty International}, url = {https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF}, language = {English}, urldate = {2019-12-10} } @online{brazil:20210314:how:5fcb8be, author = {Matthew Brazil}, title = {{How China’s Devastating Microsoft Hack Puts Us All at Risk}}, date = {2021-03-14}, organization = {DAILY BEAST}, url = {https://www.thedailybeast.com/how-chinas-devastating-microsoft-hack-puts-us-all-at-risk}, language = {English}, urldate = {2021-03-31} } @online{breach:20200130:tracking:bfa4550, author = {Under The Breach}, title = {{Tracking Down REvil’s “Lalartu” by utilizing multiple OSINT methods}}, date = {2020-01-30}, organization = {Under The Breach}, url = {https://medium.com/@underthebreach/tracking-down-revils-lalartu-by-utilizing-multiple-osint-methods-2bf3a6c65a80}, language = {English}, urldate = {2020-01-31} } @online{breakdown:20170403:shadow:962f78d, author = {Malware Breakdown}, title = {{Shadow Server Domains Leading to RIG Exploit Kit Dropping Smoke Loader}}, date = {2017-04-03}, organization = {Malware Breakdown}, url = {https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet/}, language = {English}, urldate = {2019-12-18} } @online{breakdown:20170724:seamless:7e55e6a, author = {Malware Breakdown}, title = {{The Seamless Campaign Drops Ramnit. Follow-up Malware: AZORult Stealer, Smoke Loader, etc.}}, date = {2017-07-24}, organization = {Malware Breakdown}, url = {https://malwarebreakdown.com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/}, language = {English}, urldate = {2020-01-10} } @online{breakdown:20170823:seamless:3a2c794, author = {Malware Breakdown}, title = {{The Seamless Campaign Isn’t Losing Any Steam}}, date = {2017-08-23}, url = {https://malwarebreakdown.com/2017/08/23/the-seamless-campaign-isnt-losing-any-steam/}, language = {English}, urldate = {2019-12-04} } @online{breakdown:20170911:re:5d563f4, author = {Malware Breakdown}, title = {{“Re: Details” Malspam Downloads CoreBot Banking Trojan}}, date = {2017-09-11}, organization = {Malware Breakdown}, url = {https://malwarebreakdown.com/2017/09/11/re-details-malspam-downloads-corebot-banking-trojan/}, language = {English}, urldate = {2020-01-08} } @online{breakdown:20180321:fobos:15877e7, author = {Malware Breakdown}, title = {{Fobos Malvertising Campaign Delivers Bunitu Proxy Trojan via RIG EK}}, date = {2018-03-21}, organization = {Malware Breakdown Blog}, url = {https://malwarebreakdown.com/2018/03/21/fobos-malvertising-campaign-delivers-bunitu-proxy-trojan-via-rig-ek/}, language = {English}, urldate = {2019-10-13} } @online{breen:20140505:vt:121e664, author = {Kevin Breen}, title = {{VT Comments Page on Blue Banana Sample}}, date = {2014-05-05}, url = {https://www.virustotal.com/gui/file/60faab36491e07f10bf6a3ebe66ed9238459b2af7e36118fccd50583728141a4/community}, language = {English}, urldate = {2020-10-13} } @techreport{breitenbacher:20200617:operation:7969e3a, author = {Dominik Breitenbacher and Kaspars Osis}, title = {{Operation In(ter)ception: Targeted Attacks against European Aerospace and Military Companies}}, date = {2020-06-17}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf}, language = {English}, urldate = {2020-06-17} } @online{brendel:20210403:hubnr:950251c, author = {Carlos Brendel}, title = {{Hubnr Botnet}}, date = {2021-04-03}, organization = {Github (carbreal)}, url = {https://github.com/carbreal/Malware_Analysis/tree/master/Hubnr_botnet}, language = {English}, urldate = {2021-04-14} } @online{brennan:20210525:cobalt:c428be0, author = {Matthew Brennan}, title = {{Cobalt Strikes Again: An Analysis of Obfuscated Malware}}, date = {2021-05-25}, organization = {Huntress Labs}, url = {https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware}, language = {English}, urldate = {2021-06-09} } @online{brennan:20210817:snakes:1b4d004, author = {Matthew Brennan}, title = {{Snakes on a Domain: An Analysis of a Python Malware Loader}}, date = {2021-08-17}, organization = {Huntress Labs}, url = {https://www.huntress.com/blog/snakes-on-a-domain-an-analysis-of-a-python-malware-loader}, language = {English}, urldate = {2021-08-20} } @online{brennan:20220218:hackers:243d8b8, author = {Matthew Brennan}, title = {{Hackers No Hashing: Randomizing API Hashes to Evade Cobalt Strike Shellcode Detection}}, date = {2022-02-18}, organization = {Huntress Labs}, url = {https://www.huntress.com/blog/hackers-no-hashing-randomizing-api-hashes-to-evade-cobalt-strike-shellcode-detection}, language = {English}, urldate = {2022-02-26} } @online{brenner:20170626:how:b5978ec, author = {Bill Brenner}, title = {{How Spora ransomware tries to fool antivirus}}, date = {2017-06-26}, organization = {Sophos}, url = {https://nakedsecurity.sophos.com/2017/06/26/how-spora-ransomware-tries-to-fool-antivirus/}, language = {English}, urldate = {2019-10-14} } @online{brewster:20140807:sophisticated:5f484c8, author = {Tom Brewster}, title = {{Sophisticated 'Turla' hackers spying on European governments, say researchers}}, date = {2014-08-07}, organization = {The Guardian}, url = {https://www.theguardian.com/technology/2014/aug/07/turla-hackers-spying-governments-researcher-kaspersky-symantec}, language = {English}, urldate = {2020-01-05} } @online{brewster:20170215:inside:8b5faed, author = {Thomas Brewster}, title = {{Inside OilRig -- Tracking Iran's Busiest Hacker Crew On Its Global Rampage}}, date = {2017-02-15}, organization = {Forbes}, url = {https://www.forbes.com/sites/thomasbrewster/2017/02/15/oilrig-iran-hackers-cyberespionage-us-turkey-saudi-arabia/#56749aa2468a}, language = {English}, urldate = {2020-01-13} } @online{brewster:20170504:behind:4da1ded, author = {Thomas Brewster}, title = {{Behind The Mystery Of Russia's 'Dyre' Hackers Who Stole Millions From American Business}}, date = {2017-05-04}, organization = {Forbes}, url = {https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates}, language = {English}, urldate = {2020-01-09} } @online{brewster:20170727:with:b21b072, author = {Thomas Brewster}, title = {{With Fake News And Femmes Fatales, Iran's Spies Learn To Love Facebook}}, date = {2017-07-27}, organization = {Forbes}, url = {https://www.forbes.com/sites/thomasbrewster/2017/07/27/iran-hackers-oilrig-use-fake-personas-on-facebook-linkedin-for-cyberespionage/}, language = {English}, urldate = {2020-01-07} } @online{brewster:20180830:hackers:d006ceb, author = {Thomas Brewster}, title = {{Hackers Are Exposing An Apple Mac Weakness In Middle East Espionage}}, date = {2018-08-30}, organization = {Forbes}, url = {https://www.forbes.com/sites/thomasbrewster/2018/08/30/apple-mac-loophole-breached-in-middle-east-hacks/}, language = {English}, urldate = {2019-11-26} } @online{brodsky:20210511:darkside:9c81721, author = {James Brodsky}, title = {{The DarkSide of the Ransomware Pipeline}}, date = {2021-05-11}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/the-darkside-of-the-ransomware-pipeline.html}, language = {English}, urldate = {2021-05-13} } @online{bromiley:20161007:attacking:0d71422, author = {Matt Bromiley and Preston Lewis}, title = {{Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years}}, date = {2016-10-07}, organization = {FireEye}, url = {https://www.youtube.com/watch?v=fevGZs0EQu8}, language = {English}, urldate = {2020-04-17} } @online{bromiley:20190718:hard:7a6144e, author = {Matt Bromiley and Noah Klapprodt and Nick Schroeder and Jessica Rocchio}, title = {{Hard Pass: Declining APT34’s Invite to Join Their Professional Network}}, date = {2019-07-18}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html}, language = {English}, urldate = {2019-12-20} } @online{bromiley:20210216:light:5541ad4, author = {Matt Bromiley and Andrew Rector and Robert Wallace}, title = {{Light in the Dark: Hunting for SUNBURST}}, date = {2021-02-16}, organization = {FireEye}, url = {https://www.fireeye.com/blog/products-and-services/2021/02/light-in-the-dark-hunting-for-sunburst.html}, language = {English}, urldate = {2021-02-20} } @online{bromiley:20210304:detection:3b8c16f, author = {Matt Bromiley and Chris DiGiamo and Andrew Thompson and Robert Wallace}, title = {{Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities}}, date = {2021-03-04}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html}, language = {English}, urldate = {2021-03-10} } @techreport{bromium:20210317:threat:3aed551, author = {HP Bromium}, title = {{Threat Insights Report Q4-2020}}, date = {2021-03-17}, institution = {HP}, url = {https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf}, language = {English}, urldate = {2021-03-19} } @online{brook:20120725:new:67f3d60, author = {Chris Brook}, title = {{New and Improved Madi Spyware Campaign Continues}}, date = {2012-07-25}, organization = {Threatpost}, url = {https://threatpost.com/new-and-improved-madi-spyware-campaign-continues-072512/76849/}, language = {English}, urldate = {2019-12-17} } @online{brook:20140306:dexter:45b31c6, author = {Chris Brook}, title = {{Dexter, Project Hook POS Malware Campaigns Persist}}, date = {2014-03-06}, organization = {Threatpost}, url = {https://threatpost.com/dexter-project-hook-pos-malware-campaigns-persist/104655/}, language = {English}, urldate = {2021-01-29} } @online{brook:20160425:attackers:61e599a, author = {Chris Brook}, title = {{Attackers Behind GozNym Trojan Set Sights on Europe}}, date = {2016-04-25}, organization = {Threat Post}, url = {https://threatpost.com/attackers-behind-goznym-trojan-set-sights-on-europe/117647/}, language = {English}, urldate = {2019-11-23} } @online{brook:20160823:goznym:29466b9, author = {Chris Brook}, title = {{GozNym Banking Trojan Targeting German Banks}}, date = {2016-08-23}, organization = {Threatpost}, url = {https://threatpost.com/goznym-banking-trojan-targeting-german-banks/120075/}, language = {English}, urldate = {2020-01-08} } @online{brook:20171114:iceid:5a074d2, author = {Chris Brook}, title = {{IceID Banking Trojan Targeting Banks, Payment Card Providers, E-Commerce Sites}}, date = {2017-11-14}, organization = {Digital Guardian}, url = {https://digitalguardian.com/blog/iceid-banking-trojan-targeting-banks-payment-card-providers-e-commerce-sites}, language = {English}, urldate = {2019-07-10} } @online{brooks:20200602:malware:bc0b560, author = {Casey Brooks}, title = {{tweet on malware called dnstunnel RAT}}, date = {2020-06-02}, organization = {Twitter (@DrunkBinary)}, url = {https://twitter.com/DrunkBinary/status/1267568386516692992}, language = {English}, urldate = {2020-06-05} } @techreport{brooks:20201210:open:5c64c56, author = {Casey Brooks and Selena Larson}, title = {{Open Source Intelligence}}, date = {2020-12-10}, institution = {Dragos}, url = {https://f.hubspotusercontent10.net/hubfs/5943619/Whitepaper-Downloads/Dragos-OSINT-Framework.pdf}, language = {English}, urldate = {2021-01-01} } @online{brown:20181025:new:7234825, author = {Sophia Brown}, title = {{New sLoad malware downloader being leveraged by APT group TA554 to spread Ramnit}}, date = {2018-10-25}, url = {https://cyware.com/news/new-sload-malware-downloader-being-leveraged-by-apt-group-ta554-to-spread-ramnit-7d03f2d9}, language = {English}, urldate = {2019-11-22} } @online{brown:20181211:new:fa1fc12, author = {Sophia Brown}, title = {{New Satan ransomware variant ‘Lucky’ exposes 10 server-side vulnerabilities}}, date = {2018-12-11}, organization = {Cyware}, url = {https://cyware.com/news/new-satan-ransomware-variant-lucky-exposes-10-server-side-vulnerabilities-070afbd2}, language = {English}, urldate = {2020-01-07} } @online{brown:20200507:detecting:5059f43, author = {Jesse Brown}, title = {{Detecting COR_PROFILER manipulation for persistence}}, date = {2020-05-07}, organization = {Red Canary}, url = {https://redcanary.com/blog/cor_profiler-for-persistence/}, language = {English}, urldate = {2020-06-02} } @techreport{brown:20210118:egregor:a2ab774, author = {Adam Brown and Harold Rodriguez}, title = {{Egregor: The Ghost of Soviet Bears Past Haunts On}}, date = {2021-01-18}, institution = {Arete}, url = {https://areteir.com/wp-content/uploads/2021/01/01182021_Egregor_Insight.pdf}, language = {English}, urldate = {2021-02-02} } @online{brown:20220308:does:94c6c3e, author = {Rufus Brown and Van Ta and Douglas Bienstock and Geoff Ackerman and John Wolfram}, title = {{Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments}}, date = {2022-03-08}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/apt41-us-state-governments}, language = {English}, urldate = {2022-03-10} } @online{brown:20220428:lapsus:c7cd787, author = {David Brown and Michael Matthews and Rob Smallridge}, title = {{LAPSUS$: Recent techniques, tactics and procedures}}, date = {2022-04-28}, organization = {nccgroup}, url = {https://research.nccgroup.com/2022/04/28/lapsus-recent-techniques-tactics-and-procedures/}, language = {English}, urldate = {2022-04-29} } @online{brubaker:20200715:financially:f217555, author = {Nathan Brubaker and Daniel Kapellmann Zafra and Keith Lunden and Ken Proska and Corey Hildebrandt}, title = {{Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families}}, date = {2020-07-15}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html}, language = {English}, urldate = {2020-07-16} } @online{brubaker:20220413:incontroller:0f05d07, author = {Nathan Brubaker and Keith Lunden and Ken Proska and Muhammad Umair and Daniel Kapellmann Zafra and Corey Hildebrandt and Rob Caldwell}, title = {{INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems}}, date = {2022-04-13}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool}, language = {English}, urldate = {2022-04-15} } @online{bruell:20220204:cyberattack:fca25a5, author = {Alexandra Bruell and Sadie Gurman}, title = {{Cyberattack on News Corp, Believed Linked to China, Targeted Emails of Journalists, Others}}, date = {2022-02-04}, organization = {The Wall Street Journal}, url = {https://www.wsj.com/articles/cyberattack-on-news-corp-believed-linked-to-china-targeted-emails-of-journalists-others-11643979328?st=yrhf72fjgcuccqv&reflink=desktopwebshare_permalink}, language = {English}, urldate = {2022-02-07} } @online{brulez:20211120:unpacking:b26d2fb, author = {Nicolas Brulez}, title = {{Unpacking Emotet and Reversing Obfuscated Word Document}}, date = {2021-11-20}, organization = {Youtube (HEXORCIST)}, url = {https://www.youtube.com/watch?v=AkZ5TYBqcU4}, language = {English}, urldate = {2021-12-20} } @online{brulez:20220119:whispergate:a81ff16, author = {Nicolas Brulez}, title = {{WhisperGate: MBR Wiper Malware Analysis. Ukraine Cyber Attack 2022}}, date = {2022-01-19}, organization = {Youtube (HEXORCIST)}, url = {https://www.youtube.com/watch?v=2nd-f1dIfD4}, language = {English}, urldate = {2022-01-24} } @online{brumaghin:20160711:when:0155a0a, author = {Edmund Brumaghin and Warren Mercer}, title = {{When Paying Out Doesn't Pay Off}}, date = {2016-07-11}, organization = {Talos}, url = {http://blog.talosintel.com/2016/07/ranscam.html}, language = {English}, urldate = {2020-01-09} } @online{brumaghin:20170502:covert:32e078f, author = {Edmund Brumaghin and Colin Grady}, title = {{Covert Channels and Poor Decisions: The Tale of DNSMessenger}}, date = {2017-05-02}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2017/03/dnsmessenger.html}, language = {English}, urldate = {2019-11-26} } @online{brumaghin:20170918:ccleanup:5ba0369, author = {Edmund Brumaghin and Ross Gibb and Warren Mercer and Matthew Molyett and Craig Williams}, title = {{CCleanup: A Vast Number of Machines at Risk}}, date = {2017-09-18}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html}, language = {English}, urldate = {2020-01-08} } @online{brumaghin:20170920:ccleaner:e034063, author = {Edmund Brumaghin and Earl Carter and Warren Mercer and Matthew Molyett and Matthew Olney and Paul Rascagnères and Craig Williams}, title = {{CCleaner Command and Control Causes Concern}}, date = {2017-09-20}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html}, language = {English}, urldate = {2020-01-06} } @online{brumaghin:20171011:spoofed:9f0fc69, author = {Edmund Brumaghin and Colin Grady and Dave Maynor and @Simpo13}, title = {{Spoofed SEC Emails Distribute Evolved DNSMessenger}}, date = {2017-10-11}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2017/10/dnsmessenger-sec-campaign.html}, language = {English}, urldate = {2020-01-09} } @online{brumaghin:20171102:poisoning:c00599d, author = {Edmund Brumaghin and Earl Carter and Emmanuel Tacheau}, title = {{Poisoning the Well: Banking Trojan Targets Google Search Results}}, date = {2017-11-02}, organization = {Talos}, url = {http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html}, language = {English}, urldate = {2019-11-21} } @online{brumaghin:20180306:gozi:6146f77, author = {Edmund Brumaghin and Holger Unterbrink and Adam Weller}, title = {{Gozi ISFB Remains Active in 2018, Leverages "Dark Cloud" Botnet For Distribution}}, date = {2018-03-06}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html}, language = {English}, urldate = {2019-12-17} } @online{brumaghin:20180626:files:661b639, author = {Edmund Brumaghin and Earl Carter and Andrew Williams}, title = {{Files Cannot Be Decrypted? Challenge Accepted. Talos Releases ThanatosDecryptor}}, date = {2018-06-26}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/06/ThanatosDecryptor.html}, language = {English}, urldate = {2020-01-09} } @online{brumaghin:20180822:picking:925912d, author = {Edmund Brumaghin and Holger Unterbrink and Eric Kuhla and Lilia Gonzalez Medina}, title = {{Picking Apart Remcos Botnet-In-A-Box}}, date = {2018-08-22}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html}, language = {English}, urldate = {2019-10-23} } @online{brumaghin:20180926:vpnfilter:343892a, author = {Edmund Brumaghin}, title = {{VPNFilter III: More Tools for the Swiss Army Knife of Malware}}, date = {2018-09-26}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2018/09/vpnfilter-part-3.html}, language = {English}, urldate = {2019-12-17} } @online{brumaghin:20181108:metamorfo:d12fe7e, author = {Edmund Brumaghin and Warren Mercer and Paul Rascagnères and Vitor Ventura}, title = {{Metamorfo Banking Trojan Keeps Its Sights on Brazil}}, date = {2018-11-08}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/11/metamorfo-brazilian-campaigns.html}, language = {English}, urldate = {2020-01-06} } @online{brumaghin:20190130:fake:3499d4e, author = {Edmund Brumaghin and Paul Rascagnères and Jungsoo An}, title = {{Fake Cisco Job Posting Targets Korean Candidates}}, date = {2019-01-30}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/01/fake-korean-job-posting.html}, language = {English}, urldate = {2020-01-10} } @online{brumaghin:20190415:new:bf931b1, author = {Edmund Brumaghin and Holger Unterbrink}, title = {{New HawkEye Reborn Variant Emerges Following Ownership Change}}, date = {2019-04-15}, organization = {Talos}, url = {https://blog.talosintelligence.com/2019/04/hawkeye-reborn.html}, language = {English}, urldate = {2020-01-09} } @online{brumaghin:20190715:sweed:9725699, author = {Edmund Brumaghin}, title = {{SWEED: Exposing years of Agent Tesla campaigns}}, date = {2019-07-15}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html}, language = {English}, urldate = {2020-01-08} } @online{brumaghin:20190828:rat:dadd9c5, author = {Edmund Brumaghin and Holger Unterbrink}, title = {{RAT Ratatouille: Backdooring PCs with leaked RATs}}, date = {2019-08-28}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html}, language = {English}, urldate = {2020-01-13} } @online{brumaghin:20190926:divergent:2d282a0, author = {Edmund Brumaghin}, title = {{Divergent: "Fileless" NodeJS Malware Burrows Deep Within the Host}}, date = {2019-09-26}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/09/divergent-analysis.html}, language = {English}, urldate = {2019-10-24} } @online{brumaghin:20200423:threat:4f7f840, author = {Edmund Brumaghin and Amit Raut}, title = {{Threat Spotlight: MedusaLocker}}, date = {2020-04-23}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/04/medusalocker.html}, language = {English}, urldate = {2020-04-26} } @online{brumaghin:20210812:vice:c55624f, author = {Edmund Brumaghin and Joe Marshall and Arnaud Zobec}, title = {{Vice Society Leverages PrintNightmare In Ransomware Attacks}}, date = {2021-08-12}, url = {https://blog.talosintelligence.com/2021/08/vice-society-ransomware-printnightmare.html}, language = {English}, urldate = {2021-08-15} } @online{brumaghin:20210831:attracting:5d141c1, author = {Edmund Brumaghin and Vitor Ventura}, title = {{Attracting flies with Honey(gain): Adversarial abuse of proxyware}}, date = {2021-08-31}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2021/08/proxyware-abuse.html}, language = {English}, urldate = {2021-09-02} } @online{brumaghin:20211026:squirrelwaffle:88c5943, author = {Edmund Brumaghin and Mariano Graziano and Nick Mavis}, title = {{SQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike}}, date = {2021-10-26}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html}, language = {English}, urldate = {2021-11-02} } @online{brumaghin:20220405:threat:da8955e, author = {Edmund Brumaghin and Alex Karkins}, title = {{Threat Spotlight: AsyncRAT campaigns feature new version of 3LOSH crypter}}, date = {2022-04-05}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2022/04/asyncrat-3losh-update.html}, language = {English}, urldate = {2022-04-07} } @online{brumaghin:20220414:threat:45dba55, author = {Edmund Brumaghin and Vanja Svajcer and Michael Chen}, title = {{Threat Spotlight: "Haskers Gang" Introduces New ZingoStealer}}, date = {2022-04-14}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html}, language = {English}, urldate = {2022-04-15} } @online{bruneau:20210327:malware:91319b0, author = {Guy Bruneau}, title = {{Malware Analysis with elastic-agent and Microsoft Sandbox}}, date = {2021-03-27}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/forums/diary/Malware+Analysis+with+elasticagent+and+Microsoft+Sandbox/27248/}, language = {English}, urldate = {2021-03-31} } @online{bruppacher:20220321:vpn:f61b485, author = {Benjamin Bruppacher}, title = {{VPN Appliance Forensics}}, date = {2022-03-21}, organization = {COMPASS SECURITY}, url = {https://blog.compass-security.com/2022/03/vpn-appliance-forensics/}, language = {English}, urldate = {2022-03-24} } @techreport{bruvoll:20200603:handling:7de6da3, author = {Janita A. Bruvoll and Aasmund Thuv and Geir Enemo}, title = {{Handling of ICT security incidents in Health South-East and the county governor's offices - an assessment (APT31 page-37)}}, date = {2020-06-03}, institution = {Norwegian Defence Research Establishment (FFI)}, url = {https://publications.ffi.no/nb/item/asset/dspace:6767/20-01560.pdf}, language = {Norwegian}, urldate = {2021-06-24} } @online{bryan:20210310:monitoring:479d8b5, author = {Pete Bryan}, title = {{Monitoring the Software Supply Chain with Azure Sentinel}}, date = {2021-03-10}, organization = {Microsoft}, url = {https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463}, language = {English}, urldate = {2021-03-12} } @online{bryan:20210310:sample:874c31f, author = {Pete Bryan}, title = {{Tweet on Sample KQL query for detecting usage of HAFNIUM PoC code floating ITW}}, date = {2021-03-10}, organization = {Twitter (@MSSPete)}, url = {https://twitter.com/MSSPete/status/1369749166893588480}, language = {English}, urldate = {2021-03-12} } @online{bryan:20211117:creating:b3fac06, author = {Pete Bryan}, title = {{Creating your first Microsoft Sentinel Notebook}}, date = {2021-11-17}, organization = {Microsoft}, url = {https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/creating-your-first-microsoft-sentinel-notebook/ba-p/2977745#.YZXCGrsENGQ.twitter}, language = {English}, urldate = {2021-11-19} } @online{bryant:20190213:hunting:8c671bf, author = {Josh Bryant and Robert Falcone}, title = {{Hunting Webshells: Tracking TwoFace - SANS Threat Hunting Summit 2018}}, date = {2019-02-13}, organization = {Youtube (SANS Digital Forensics & Incident Response)}, url = {https://www.youtube.com/watch?v=GjquFKa4afU}, language = {English}, urldate = {2020-01-13} } @techreport{bryant:20190708:hunting:7ce53d5, author = {Josh M. Bryant and Robert Falcone}, title = {{Hunting Webshells: Tracking TwoFace}}, date = {2019-07-08}, institution = {SANS}, url = {https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1536345486.pdf}, language = {English}, urldate = {2020-01-09} } @online{bryce:20210122:grimagent:611b917, author = {Bryce}, title = {{Tweet on GRIMAGENT malware used by UNC1878 during some #RYUK intrusions in 2020}}, date = {2021-01-22}, organization = {Twitter (@bryceabdo)}, url = {https://twitter.com/bryceabdo/status/1352359414746009608}, language = {English}, urldate = {2021-02-06} } @online{bsi:20201020:die:0683ad4, author = {BSI}, title = {{Die Lage der IT-Sicherheit in Deutschland 2020}}, date = {2020-10-20}, organization = {Bundesamt für Sicherheit in der Informationstechnik}, url = {https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2}, language = {German}, urldate = {2020-10-21} } @online{buchka:20160303:attack:fa7a7ba, author = {Nikita Buchka and Mikhail Kuzin}, title = {{Attack on Zygote: a new twist in the evolution of mobile threats}}, date = {2016-03-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/attack-on-zygote-a-new-twist-in-the-evolution-of-mobile-threats/74032/}, language = {English}, urldate = {2019-12-20} } @online{buchka:20161228:switcher:a2408dd, author = {Nikita Buchka}, title = {{Switcher: Android joins the ‘attack-the-router’ club}}, date = {2016-12-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/mobile/76969/switcher-android-joins-the-attack-the-router-club/}, language = {English}, urldate = {2019-12-20} } @online{buchka:20171218:jack:5842578, author = {Nikita Buchka and Anton Kivva and Dmitry Galov}, title = {{Jack of all trades}}, date = {2017-12-18}, organization = {Kaspersky Labs}, url = {https://securelist.com/jack-of-all-trades/83470/}, language = {English}, urldate = {2019-12-20} } @online{buchka:20180116:skygofree:4e0990c, author = {Nikita Buchka and Alexey Firsh}, title = {{Skygofree: Following in the footsteps of HackingTeam}}, date = {2018-01-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/}, language = {English}, urldate = {2019-12-20} } @online{bucket:20140330:ioc:053d0b0, author = {IOC Bucket}, title = {{IOC Bucket for Putter Panda}}, date = {2014-03-30}, organization = {IOC Bucket}, url = {https://www.iocbucket.com/iocs/7f7999ab7f223409ea9ea10cff82b064ce2a1a31}, language = {English}, urldate = {2020-01-09} } @online{bucur:20220317:avira:fe8909a, author = {Ionut Bucur and Avira Protection Labs}, title = {{Avira Labs Research Reveals Hydra Banking Trojan 2.0 targeting a wider network of German and Austrian banks}}, date = {2022-03-17}, organization = {Avira}, url = {https://www.avira.com/en/blog/avira-labs-research-reveals-hydra-banking-trojan-2-0}, language = {English}, urldate = {2022-03-17} } @online{budaca:20210413:from:5df70c8, author = {Eduard Budaca and Bogdan Botezatu}, title = {{From Cracks to Empty Wallets – How Popular Cracks Lead to Digital Currency and Data Theft}}, date = {2021-04-13}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2021/04/from-cracks-to-empty-wallets-how-popular-cracks-lead-to-digital-currency-and-data-theft/}, language = {English}, urldate = {2021-05-04} } @online{budd:20150916:operation:7889703, author = {Christopher Budd}, title = {{Operation Iron Tiger: Attackers Shift from East Asia to the United States}}, date = {2015-09-16}, organization = {Trend Micro}, url = {http://newsroom.trendmicro.com/blog/operation-iron-tiger-attackers-shift-east-asia-united-states}, language = {English}, urldate = {2019-12-17} } @online{buescher:20210514:how:23df023, author = {Armin Buescher and Gokulakrishnan S}, title = {{How Flubot targets Android phone users and their money}}, date = {2021-05-14}, organization = {NortonLifeLock}, url = {https://www.nortonlifelock.com/blogs/research-group/flubot-targets-android-phone-users}, language = {English}, urldate = {2021-05-19} } @techreport{buggenhout:2014:history:049d4d1, author = {Erik Van Buggenhout}, title = {{A history of ATM violence}}, date = {2014}, institution = {nviso}, url = {http://www.isg.rhul.ac.uk/dl/weekendconference2014/slides/Erik_VanBuggenhout.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{buguroo:20210315:toddler:ce25cc1, author = {Buguroo}, title = {{Toddler: Credential theft through overlays and accessibility event logging}}, date = {2021-03-15}, institution = {Buguroo}, url = {https://www.buguroo.com/hubfs/website/pdf/reports/buguroo-malware-report-Toddler_EN.pdf}, language = {English}, urldate = {2021-05-13} } @online{bukhteyev:20180805:ramnits:1268bad, author = {Alexey Bukhteyev}, title = {{Ramnit’s Network of Proxy Servers}}, date = {2018-08-05}, organization = {Check Point}, url = {https://research.checkpoint.com/ramnits-network-proxy-servers/}, language = {English}, urldate = {2020-01-09} } @online{bukhteyev:20191119:phorpiex:50c2cb1, author = {Alexey Bukhteyev}, title = {{Phorpiex Breakdown}}, date = {2019-11-19}, organization = {Check Point}, url = {https://research.checkpoint.com/2019/phorpiex-breakdown/}, language = {English}, urldate = {2020-01-06} } @online{bukhteyev:20210727:timeproven:d927632, author = {Alexey Bukhteyev and Raman Ladutska}, title = {{Time-proven tricks in a new environment: the macOS evolution of Formbook}}, date = {2021-07-27}, organization = {Check Point}, url = {https://research.checkpoint.com/2021/time-proven-tricks-in-a-new-environment-the-macos-evolution-of-formbook/}, language = {English}, urldate = {2021-07-29} } @online{bukhteyev:20211216:phorpiex:cef1b8e, author = {Alexey Bukhteyev}, title = {{Phorpiex botnet is back with a new Twizt: Hijacking Hundreds of crypto transactions}}, date = {2021-12-16}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2021/phorpiex-botnet-is-back-with-a-new-twizt-hijacking-hundreds-of-crypto-transactions/}, language = {English}, urldate = {2021-12-17} } @online{bukhteyev:20220531:xloader:f9d6f5f, author = {Alexey Bukhteyev and Raman Ladutska}, title = {{XLoader Botnet: Find Me If You Can}}, date = {2022-05-31}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2022/xloader-botnet-find-me-if-you-can/}, language = {English}, urldate = {2022-05-31} } @online{bunce:20190815:gootkit:1052b18, author = {Daniel Bunce}, title = {{Gootkit Banking Trojan | Deep Dive into Anti-Analysis Features}}, date = {2019-08-15}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/gootkit-banking-trojan-deep-dive-anti-analysis-features/}, language = {English}, urldate = {2019-12-20} } @online{bunce:20190815:gootkit:480c7e8, author = {Daniel Bunce}, title = {{Gootkit Banking Trojan | Deep Dive into Anti-Analysis Features}}, date = {2019-08-15}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/gootkit-banking-trojan-deep-dive-anti-analysis-features/}, language = {English}, urldate = {2020-06-18} } @online{bunce:20190829:gootkit:b379f2c, author = {Daniel Bunce}, title = {{Gootkit Banking Trojan | Part 2: Persistence & Other Capabilities}}, date = {2019-08-29}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/gootkit-banking-trojan-persistence-other-capabilities/}, language = {English}, urldate = {2020-01-08} } @online{bunce:20200622:unpacking:8a02d84, author = {Daniel Bunce}, title = {{Unpacking Visual Basic Packers – IcedID}}, date = {2020-06-22}, organization = {zero2auto}, url = {https://zero2auto.com/2020/06/22/unpacking-visual-basic-packers/}, language = {English}, urldate = {2020-06-24} } @online{bunce:20200820:dbatloadermodiloader:6cccf7e, author = {Daniel Bunce}, title = {{DBatLoader/ModiLoader Analysis – First Stage}}, date = {2020-08-20}, organization = {Zero2Automated Blog}, url = {https://zero2auto.com/2020/08/20/dbatloader-modiloader-first-stage/}, language = {English}, urldate = {2020-08-25} } @online{bunce:20210706:new:36ccc46, author = {Daniel Bunce and 0verfl0w_}, title = {{New TA402/MOLERATS Malware – Decrypting .NET Reactor Strings}}, date = {2021-07-06}, organization = {0ffset Blog}, url = {https://www.0ffset.net/reverse-engineering/malware-analysis/molerats-string-decryption/}, language = {English}, urldate = {2021-07-11} } @online{bunce:20210724:quack:ddda5cd, author = {Daniel Bunce}, title = {{Quack Quack: Analysing Qakbot’s Browser Hooking Module – Part 1}}, date = {2021-07-24}, organization = {0ffset Blog}, url = {https://www.0ffset.net/reverse-engineering/malware-analysis/qakbot-browser-hooking-p1/}, language = {English}, urldate = {2021-08-02} } @techreport{bundeskriminalamt:20200821:mgliche:fbbf1b2, author = {Bundeskriminalamt}, title = {{Mögliche Cyberspionage mittels der Schadsoftware GOLDENSPY}}, date = {2020-08-21}, institution = {Bundeskriminalamt}, url = {https://www.bka.de/SharedDocs/Downloads/DE/IhreSicherheit/Warnhinweise/WarnhinweisGOLDENSPY.pdf}, language = {German}, urldate = {2020-08-27} } @online{bundeskriminalamt:20210127:infrastruktur:eb4ede6, author = {Bundeskriminalamt}, title = {{In­fra­struk­tur der Emo­tet-Schad­soft­wa­re zer­schla­gen}}, date = {2021-01-27}, organization = {Bundeskriminalamt}, url = {https://www.bka.de/DE/Presse/Listenseite_Pressemitteilungen/2021/Presse2021/210127_pmEmotet.html}, language = {German}, urldate = {2021-01-27} } @online{bundeskriminalamt:20220405:illegal:2a9f4fb, author = {BKA (Bundeskriminalamt)}, title = {{Illegal darknet marketplace "Hydra Market" shut down}}, date = {2022-04-05}, organization = {Bundeskriminalamt}, url = {https://www.bka.de/DE/Presse/Listenseite_Pressemitteilungen/2022/Presse2022/220405_PM_IllegalerDarknetMarktplatz.html}, language = {English}, urldate = {2022-04-15} } @online{buonopane:20190201:information:2fbf14a, author = {Paul Buonopane}, title = {{Information about lnkr5, malware distributed via Chrome extensions}}, date = {2019-02-01}, organization = {Github (Zenexer)}, url = {https://github.com/Zenexer/lnkr}, language = {English}, urldate = {2020-05-05} } @online{buonopane:20190201:lnkr:f79885e, author = {Paul Buonopane}, title = {{LNKR - Extension analysis - Flash Playlist}}, date = {2019-02-01}, organization = {Github (Zenexer)}, url = {https://github.com/Zenexer/lnkr/blob/master/recon/extensions/fanagokoaogopceablgmpndejhedkjjb/README.md}, language = {English}, urldate = {2020-05-05} } @online{burbage:20180416:rat:3c30776, author = {Paul Burbage and Mike Mimoso}, title = {{RAT Gone Rogue: Meet ARS VBS Loader}}, date = {2018-04-16}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/meet-ars-vbs-loader/}, language = {English}, urldate = {2019-12-17} } @online{burbage:20180912:malware:5b7d58a, author = {Paul Burbage and Mike Mimoso}, title = {{Malware Campaign Targeting Jaxx Cryptocurrency Wallet Users Shut Down}}, date = {2018-09-12}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/malware-campaign-targets-jaxx-cryptocurrency-wallet-users/}, language = {English}, urldate = {2020-01-08} } @online{burbage:20181102:new:4781b19, author = {Paul Burbage}, title = {{Tweet on New Stealer}}, date = {2018-11-02}, organization = {Twitter (@hexlax)}, url = {https://twitter.com/hexlax/status/1058356670835908610}, language = {English}, urldate = {2020-01-07} } @online{burbage:20191228:tale:2e5f361, author = {Paul Burbage}, title = {{The Tale of the Pija-Droid Firefinch}}, date = {2019-12-28}, url = {https://medium.com/@paul.k.burbage/the-tale-of-the-pija-droid-firefinch-4d304fde5ca2}, language = {English}, urldate = {2020-02-14} } @online{burchard:20200528:berlin:c5c42b4, author = {Hans von der Burchard and Laurens Cerulus}, title = {{Berlin seeks sanctions against Russian hackers over Bundestag cyberattack}}, date = {2020-05-28}, organization = {POLITICO}, url = {https://www.politico.eu/article/berlin-sanctions-against-russian-hacker-bundestag-cyberattack-angela-merkel-gru/}, language = {English}, urldate = {2020-05-29} } @online{bureau:20121218:malicious:c863bcf, author = {Pierre-Marc Bureau}, title = {{Malicious Apache module used for content injection: Linux/Chapro.A}}, date = {2012-12-18}, organization = {ESET Research}, url = {http://blog.eset.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a}, language = {English}, urldate = {2019-12-20} } @online{bureau:20130426:linuxcdorkeda:ab3e321, author = {Pierre-Marc Bureau}, title = {{Linux/Cdorked.A: New Apache backdoor being used in the wild to serve Blackhole}}, date = {2013-04-26}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/}, language = {English}, urldate = {2019-11-14} } @online{bureau:20130925:win32napolar:aba54b1, author = {Pierre-Marc Bureau}, title = {{Win32/Napolar – A new bot on the block}}, date = {2013-09-25}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/}, language = {English}, urldate = {2019-11-14} } @online{bureau:20140318:operation:1b1bd17, author = {Pierre-Marc Bureau}, title = {{Operation Windigo – the vivisection of a large Linux server‑side credential‑stealing malware campaign}}, date = {2014-03-18}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/}, language = {English}, urldate = {2019-11-14} } @online{bureau:20200305:vietnam:23ec4c0, author = {Microstep Intelligence Bureau}, title = {{Vietnam National Background APT organization "Sea Lotus" used the topic of the epidemic to attack our government agencies}}, date = {2020-03-05}, organization = {Microstep Intelligence Bureau}, url = {https://m.threatbook.cn/detail/2527}, language = {Chinese}, urldate = {2020-04-26} } @online{burgess:20200821:evolution:6d5c407, author = {Josh Burgess and Steve Ginty}, title = {{The Evolution of Ransomware & Pinchy Spider's Shot at the Title}}, date = {2020-08-21}, organization = {Vimeo (RiskIQ)}, url = {https://vimeo.com/449849549}, language = {English}, urldate = {2020-08-25} } @techreport{burgess:20201209:from:1811e9c, author = {Josh Burgess and Jason Rivera}, title = {{From Zero to SixtyThe Story of North Korea’s Rapid Ascent to Becoming a Global Cyber Superpower}}, date = {2020-12-09}, institution = {CrowdStrike}, url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf}, language = {English}, urldate = {2020-12-11} } @online{burgess:20210420:how:53fecfc, author = {Will Burgess}, title = {{How attackers abuse Access Token Manipulation (ATT&CK T1134)}}, date = {2021-04-20}, organization = {Elastic}, url = {https://www.elastic.co/blog/how-attackers-abuse-access-token-manipulation}, language = {English}, urldate = {2021-04-28} } @online{burgess:20210914:russia:5afacc3, author = {Christopher Burgess}, title = {{Russia is fully capable of shutting down cybercrime}}, date = {2021-09-14}, organization = {CSO Online}, url = {https://www.csoonline.com/article/3632943/russia-is-fully-capable-of-shutting-down-cybercrime.html}, language = {English}, urldate = {2021-09-14} } @online{burgess:20220201:inside:0e154c3, author = {Matt Burgess}, title = {{Inside Trickbot, Russia’s Notorious Ransomware Gang}}, date = {2022-02-01}, organization = {Wired}, url = {https://www.wired.co.uk/article/trickbot-malware-group-internal-messages}, language = {English}, urldate = {2022-02-09} } @online{burgess:20220201:inside:bb20f12, author = {Matt Burgess}, title = {{Inside Trickbot, Russia’s Notorious Ransomware Gang}}, date = {2022-02-01}, organization = {Wired}, url = {https://www.wired.com/story/trickbot-malware-group-internal-messages/}, language = {English}, urldate = {2022-02-02} } @online{burgher:20210610:backdoordiplomacy:4ebcb1d, author = {Adam Burgher}, title = {{BackdoorDiplomacy: Upgrading from Quarian to Turian}}, date = {2021-06-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/}, language = {English}, urldate = {2022-06-08} } @online{burks:20220216:quick:e515983, author = {Doug Burks}, title = {{Quick Malware Analysis: Emotet Epoch 5 and Cobalt Strike pcap from 2022-02-08}}, date = {2022-02-16}, organization = {Security Onion}, url = {https://blog.securityonion.net/2022/02/quick-malware-analysis-emotet-epoch-5.html}, language = {English}, urldate = {2022-02-17} } @online{burnel:20220225:le:9689415, author = {Florian Burnel}, title = {{Le ransomware Cuba s’en prend aux serveurs Exchange}}, date = {2022-02-25}, organization = {IT-Connect (FR)}, url = {https://www.it-connect.fr/le-ransomware-cuba-sen-prend-aux-serveurs-exchange/}, language = {French}, urldate = {2022-03-01} } @techreport{burns:20210119:remediation:044c1db, author = {Mike Burns and Matthew McWhirt and Douglas Bienstock and Nick Bennett}, title = {{Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452 (WHITE PAPER)}}, date = {2021-01-19}, institution = {Mandiant}, url = {https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf}, language = {English}, urldate = {2021-01-21} } @online{burns:20210119:remediation:76c7695, author = {Mike Burns and Matthew McWhirt and Douglas Bienstock and Nick Bennett}, title = {{Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452}}, date = {2021-01-19}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/01/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452.html}, language = {English}, urldate = {2021-01-21} } @online{burt:20190327:new:9ba6b3b, author = {Tom Burt}, title = {{New steps to protect customers from hacking}}, date = {2019-03-27}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/}, language = {English}, urldate = {2020-01-13} } @online{burt:20200310:new:251948a, author = {Tom Burt}, title = {{New action to disrupt world’s largest online criminal network}}, date = {2020-03-10}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2020/03/10/necurs-botnet-cyber-crime-disrupt/}, language = {English}, urldate = {2020-03-11} } @online{burt:20200707:microsoft:3300f46, author = {Tom Burt}, title = {{Microsoft takes legal action against COVID-19-related cybercrime}}, date = {2020-07-07}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2020/07/07/digital-crimes-unit-covid-19-cybercrime/}, language = {English}, urldate = {2020-07-08} } @online{burt:20200910:new:ec117be, author = {Tom Burt}, title = {{New cyberattacks targeting U.S. elections}}, date = {2020-09-10}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/}, language = {English}, urldate = {2020-09-10} } @online{burt:20201012:new:045c1c3, author = {Tom Burt}, title = {{New action to combat ransomware ahead of U.S. elections}}, date = {2020-10-12}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/}, language = {English}, urldate = {2020-10-12} } @online{burt:20201020:update:12549c2, author = {Tom Burt}, title = {{An update on disruption of Trickbot}}, date = {2020-10-20}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2020/10/20/trickbot-ransomware-disruption-update/}, language = {English}, urldate = {2020-10-23} } @online{burt:20201028:cyberattacks:89b0105, author = {Tom Burt}, title = {{Cyberattacks target international conference attendees (APT35/PHOSPHORUS)}}, date = {2020-10-28}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphorus-t20-munich-security-conference/}, language = {English}, urldate = {2020-10-29} } @online{burt:20201105:gitpaste12:a3f5e87, author = {Alex Burt and Trevor Pott}, title = {{Gitpaste-12: a new worming botnet with reverse shell capability spreading via GitHub and Pastebin}}, date = {2020-11-05}, organization = {Juniper}, url = {https://blogs.juniper.net/en-us/threat-research/gitpaste-12}, language = {English}, urldate = {2020-11-09} } @online{burt:20201113:cyberattacks:d848567, author = {Tom Burt}, title = {{Cyberattacks targeting health care must stop}}, date = {2020-11-13}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2020/11/13/health-care-cyberattacks-covid-19-paris-peace-forum/}, language = {English}, urldate = {2020-11-18} } @online{burt:20201221:cyber:23a768f, author = {Tom Burt}, title = {{Cyber Mercenaries Don’t Deserve Immunity}}, date = {2020-12-21}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2020/12/21/cyber-immunity-nso/}, language = {English}, urldate = {2020-12-23} } @online{burt:20210302:new:622d7b8, author = {Tom Burt}, title = {{New nation-state cyberattacks (HAFNIUM)}}, date = {2021-03-02}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/}, language = {English}, urldate = {2022-04-14} } @online{burt:20210527:another:bcd55b9, author = {Tom Burt}, title = {{Another Nobelium Cyberattack}}, date = {2021-05-27}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2021/05/27/nobelium-cyberattack-nativezone-solarwinds/}, language = {English}, urldate = {2021-06-09} } @online{burt:20210530:defend:3e06dec, author = {Tom Burt}, title = {{Defend and deter}}, date = {2021-05-30}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2021/05/30/nobelium-cybersecurity-cyberattacks-phishing/}, language = {English}, urldate = {2022-04-15} } @online{burt:20211007:russian:eab9ca4, author = {Tom Burt}, title = {{Russian cyberattacks pose greater risk to governments and other insights from our annual report}}, date = {2021-10-07}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2021/10/07/digital-defense-report-2021/}, language = {English}, urldate = {2022-04-15} } @online{burt:20211024:new:3afd953, author = {Tom Burt}, title = {{New activity from Russian actor Nobelium}}, date = {2021-10-24}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2021/10/24/new-activity-from-russian-actor-nobelium/?ocid=usoc_TWITTER_M365_spl100002625922692}, language = {English}, urldate = {2021-11-02} } @online{burt:20211206:protecting:1e30e3d, author = {Tom Burt}, title = {{Protecting people from recent cyberattacks}}, date = {2021-12-06}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2021/12/06/cyberattacks-nickel-dcu-china/}, language = {English}, urldate = {2021-12-08} } @online{burt:20220115:malware:5f4e2d4, author = {Tom Burt}, title = {{Malware attacks targeting Ukraine government (DEV-0586)}}, date = {2022-01-15}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2022/01/15/mstic-malware-cyberattacks-ukraine-government/}, language = {English}, urldate = {2022-04-15} } @online{burt:20220316:blackberry:96c470c, author = {Jeff Burt}, title = {{BlackBerry says extortionists erase documents if ransom unpaid}}, date = {2022-03-16}, organization = {The Register}, url = {https://www.theregister.com/2022/03/16/blackberry_lokilocker_ransomware/}, language = {English}, urldate = {2022-03-17} } @online{burt:20220322:this:2834162, author = {Jeff Burt}, title = {{This is a BlackCat you don't want crossing your path}}, date = {2022-03-22}, organization = {The Register}, url = {https://www.theregister.com/2022/03/22/talos-ransomware-blackcat/}, language = {English}, urldate = {2022-03-23} } @online{burt:20220322:what:a42ef40, author = {Jeff Burt}, title = {{What does Go-written malware look like? Here's a sample under the microscope}}, date = {2022-03-22}, organization = {The Register}, url = {https://www.theregister.com/2022/03/22/arid-gopher-malware-deep-instinct/}, language = {English}, urldate = {2022-03-25} } @online{burt:20220407:disrupting:8f3a3d9, author = {Tom Burt}, title = {{Disrupting cyberattacks targeting Ukraine (APT28)}}, date = {2022-04-07}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2022/04/07/cyberattacks-ukraine-strontium-russia/}, language = {English}, urldate = {2022-04-12} } @online{burton:20211222:crowdstrike:bdf017f, author = {Randy Burton and Ian Barton}, title = {{CrowdStrike Launches Free Targeted Log4j Search Tool}}, date = {2021-12-22}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/free-targeted-log4j-search-tool/}, language = {English}, urldate = {2022-01-05} } @online{bushidotoken:20200509:turkey:a764ff0, author = {BushidoToken}, title = {{Turkey targeted by Cerberus and Anubis Android banking Trojan campaigns}}, date = {2020-05-09}, organization = {BushidoToken}, url = {https://bushidotoken.blogspot.com/2020/05/turkey-targeted-by-cerberus-and-anubis.html}, language = {English}, urldate = {2020-05-13} } @online{bushidotoken:20200528:ozh:d9cd398, author = {BushidoToken}, title = {{Tweet on OZH RAT}}, date = {2020-05-28}, organization = {Twitter (@BushidoToken)}, url = {https://twitter.com/BushidoToken/status/1266075992679948289}, language = {English}, urldate = {2020-05-29} } @online{bushidotoken:20200614:deepdive:3a375ca, author = {BushidoToken}, title = {{Deep-dive: The DarkHotel APT}}, date = {2020-06-14}, organization = {BushidoToken}, url = {https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html}, language = {English}, urldate = {2020-06-16} } @online{bushidotoken:20220417:lessons:d4d0595, author = {BushidoToken}, title = {{Lessons from the Conti Leaks}}, date = {2022-04-17}, organization = {BushidoToken Blog}, url = {https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html}, language = {English}, urldate = {2022-04-25} } @online{bushidotoken:20220501:gamer:0acfc22, author = {BushidoToken}, title = {{Gamer Cheater Hacker Spy}}, date = {2022-05-01}, organization = {BushidoToken}, url = {https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html}, language = {English}, urldate = {2022-05-03} } @online{bushidotoken:20220626:overview:97370ff, author = {BushidoToken}, title = {{Overview of Russian GRU and SVR Cyberespionage Campaigns 1H 2022}}, date = {2022-06-26}, url = {https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html}, language = {English}, urldate = {2022-06-27} } @online{bustami:20181213:powersing:2a7b1db, author = {Mo Bustami}, title = {{POWERSING - From LNK Files To Janicab Through YouTube & Twitter}}, date = {2018-12-13}, organization = {Security 0wnage}, url = {https://sec0wn.blogspot.com/2018/12/powersing-from-lnk-files-to-janicab.html}, language = {English}, urldate = {2020-08-25} } @online{butler:20210707:elastic:8a709bf, author = {Jamie Butler}, title = {{Elastic Security prevents 100% of REvil ransomware samples}}, date = {2021-07-07}, organization = {Elastic}, url = {https://www.elastic.co/blog/elastic-security-prevents-100-percent-of-revil-ransomware-samples?utm_content=&utm_medium=social&utm_source=twitter}, language = {English}, urldate = {2021-07-12} } @online{byers:20200908:ghostdnsbusters:9531dcd, author = {Nick Byers and Manabu Niseki and CERT-BR}, title = {{GhostDNSbusters: Illuminating GhostDNS Infrastructure}}, date = {2020-09-08}, organization = {Team Cymru}, url = {https://team-cymru.com/2020/09/08/ghostdnsbusters/}, language = {English}, urldate = {2020-09-15} } @online{bykkaya:20220308:contiransomwareioc:57c8ab1, author = {Arda Büyükkaya}, title = {{Conti-Ransomware-IOC}}, date = {2022-03-08}, organization = {Github (whichbuffer)}, url = {https://github.com/whichbuffer/Conti-Ransomware-IOC}, language = {English}, urldate = {2022-03-10} } @online{bykkaya:20220406:karakurt:7471190, author = {Arda Büyükkaya}, title = {{Karakurt Hacking Team Indicators of Compromise (IOC)}}, date = {2022-04-06}, organization = {Github (infinitumlabs)}, url = {https://github.com/infinitumitlabs/Karakurt-Hacking-Team-CTI}, language = {English}, urldate = {2022-04-08} } @online{bykkaya:20220408:threat:cbbf292, author = {Arda Büyükkaya}, title = {{Threat Spotlight: Conti Ransomware Group Behind the Karakurt Hacking Team}}, date = {2022-04-08}, organization = {Infinitum Labs}, url = {https://www.infinitumit.com.tr/en/conti-ransomware-group-behind-the-karakurt-hacking-team/}, language = {English}, urldate = {2022-04-08} } @online{byteatlas:20150415:knowledge:0d028a7, author = {ByteAtlas}, title = {{Knowledge Fragment: Bruteforcing Andromeda Configuration Buffers}}, date = {2015-04-15}, url = {https://byte-atlas.blogspot.ch/2015/04/kf-andromeda-bruteforcing.html}, language = {English}, urldate = {2020-01-07} } @online{byteraptors:20200603:wizardopium:b83073d, author = {ByteRaptors}, title = {{The WizardOpium LPE: Exploiting CVE-2019-1458}}, date = {2020-06-03}, organization = {ByteRaptors Blog}, url = {https://byteraptors.github.io/windows/exploitation/2020/06/03/exploitingcve2019-1458.html}, language = {English}, urldate = {2020-06-12} } @online{c0d3inj3ct:20180524:javascript:af29dab, author = {c0d3inj3cT}, title = {{JavaScript based Bot using Github C&C}}, date = {2018-05-24}, organization = {pwncode.io blog}, url = {http://www.pwncode.io/2018/05/javascript-based-bot-using-github-c.html}, language = {English}, urldate = {2020-05-23} } @online{c0d3inj3ct:20191224:unpacking:3102f76, author = {c0d3inj3cT}, title = {{Unpacking Payload used in Bottle EK}}, date = {2019-12-24}, organization = {pwncode.io blog}, url = {http://www.pwncode.io/2019/12/unpacking-payload-used-in-bottle-ek.html}, language = {English}, urldate = {2020-03-11} } @online{c0d3inj3ct:20191225:blacknet:80468eb, author = {c0d3inj3cT}, title = {{BlackNet RAT - When you leave the Panel unprotected}}, date = {2019-12-25}, organization = {pwncode.io blog}, url = {http://www.pwncode.io/2019/12/blacknet-rat-when-you-leave-panel.html}, language = {English}, urldate = {2020-03-11} } @online{c3rb3ru5d3d53c:20211122:introduction:1daa38b, author = {c3rb3ru5d3d53c and Sergei Frankoff}, title = {{Introduction To Binlex A Binary Trait Lexer Library and Utility - Machine Learning First Steps...}}, date = {2021-11-22}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=hgz5gZB3DxE}, language = {English}, urldate = {2021-11-29} } @online{c4i:20170216:breaking:b65439a, author = {IDF C4I and Ido Naor}, title = {{Breaking The Weakest Link Of The Strongest Chain}}, date = {2017-02-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/breaking-the-weakest-link-of-the-strongest-chain/77562/}, language = {English}, urldate = {2019-12-20} } @online{c4i:20170216:breaking:cc7bead, author = {IDF C4I and Ido Naor}, title = {{Breaking The Weakest Link Of The Strongest Chain}}, date = {2017-02-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/}, language = {English}, urldate = {2019-12-20} } @online{c:20200608:tau:f5b25ff, author = {A C}, title = {{TAU Threat Analysis: Hakbit Ransomware}}, date = {2020-06-08}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/06/08/tau-threat-analysis-hakbit-ransomware/}, language = {English}, urldate = {2020-06-10} } @online{c:20200615:tau:c60e41f, author = {A C}, title = {{TAU Threat Analysis: Relations to Hakbit Ransomware}}, date = {2020-06-15}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/06/15/tau-threat-analysis-relations-to-hakbit-ransomware/}, language = {English}, urldate = {2020-06-16} } @online{caban:20180707:youve:b02f5ff, author = {Dan Caban and Muks Hirani}, title = {{You’ve Got Mail!}}, date = {2018-07-07}, organization = {Youtube (SteelCon)}, url = {https://www.youtube.com/watch?time_continue=1333&v=1CGAmjAV8nI}, language = {English}, urldate = {2020-01-08} } @online{cadieux:20190430:sodinokibi:d04e315, author = {Pierre Cadieux and Colin Grady and Jaeson Schultz and Matt Valites}, title = {{Sodinokibi ransomware exploits WebLogic Server vulnerability}}, date = {2019-04-30}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html}, language = {English}, urldate = {2019-12-17} } @online{cadolabs:20210118:botnet:f8ef420, author = {cadolabs}, title = {{Botnet Deploys Cloud and Container Attack Techniques}}, date = {2021-01-18}, organization = {Cado Security}, url = {https://www.cadosecurity.com/post/botnet-deploys-cloud-and-container-attack-techniques}, language = {English}, urldate = {2021-01-21} } @online{cadolabs:20210406:threat:aba341a, author = {cadolabs}, title = {{Threat Group Uses Voice Changing Software in Espionage Attempt}}, date = {2021-04-06}, organization = {Cado Security}, url = {https://www.cadosecurity.com/post/threat-group-uses-voice-changing-software-in-espionage-attempt}, language = {English}, urldate = {2021-04-06} } @online{caesar:20210419:incredible:5435b11, author = {Ed Caesar}, title = {{The Incredible Rise of North Korea’s Hacking Army}}, date = {2021-04-19}, organization = {NEW YORKER}, url = {https://www.newyorker.com/magazine/2021/04/26/the-incredible-rise-of-north-koreas-hacking-army}, language = {English}, urldate = {2021-04-20} } @online{cahen:20220511:detecting:c61fd63, author = {Blake Cahen and IronNet Threat Research}, title = {{Detecting a MUMMY SPIDER campaign and Emotet infection}}, date = {2022-05-11}, organization = {IronNet}, url = {https://www.ironnet.com/blog/detecting-a-mummyspider-campaign-and-emotet-infection}, language = {English}, urldate = {2022-05-17} } @online{california:20210528:united:1a0e5db, author = {United States District Court Southern District of California}, title = {{United States of America vs Ding Xiaoyang, Cheng Qingmin, Zhu Yunmin, Wu Shurong}}, date = {2021-05-28}, url = {https://www.justice.gov/opa/press-release/file/1412916/download}, language = {English}, urldate = {2021-07-26} } @online{callow:20211028:suspected:ae61e43, author = {Brett Callow}, title = {{Tweet on suspected actor behind Payorgrief ransomware}}, date = {2021-10-28}, organization = {Twitter (@BrettCallow)}, url = {https://twitter.com/BrettCallow/status/1453557686830727177?s=20}, language = {English}, urldate = {2021-11-08} } @online{calvet:20150305:casper:be062ed, author = {Joan Calvet}, title = {{Casper Malware: After Babar and Bunny, Another Espionage Cartoon}}, date = {2015-03-05}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2015/03/05/casper-malware-babar-bunny-another-espionage-cartoon/}, language = {English}, urldate = {2019-11-14} } @online{camacho:20201218:negasteal:e5b291f, author = {Matthew Camacho and Raphael Centeno and Junestherry Salvador}, title = {{Negasteal Uses Hastebin for Fileless Delivery of Crysis Ransomware}}, date = {2020-12-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/negasteal-uses-hastebin-for-fileless-delivery-of-crysis-ransomware}, language = {English}, urldate = {2020-12-26} } @online{camastra:20190220:spoofing:f2e825b, author = {Luigino Camastra and Jan Širmer and Adolf Středa and Lukáš Obrdlík}, title = {{Spoofing in the reeds with Rietspoof}}, date = {2019-02-20}, organization = {Avast Decoded}, url = {https://decoded.avast.io/threatintel/spoofing-in-the-reeds-with-rietspoof/}, language = {English}, urldate = {2020-01-06} } @online{camastra:20200514:planted:03eab5a, author = {Luigino Camastra}, title = {{APT Group Planted Backdoors Targeting High Profile Networks in Central Asia}}, date = {2020-05-14}, organization = {Avast Decoded}, url = {https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/}, language = {English}, urldate = {2020-05-14} } @online{camastra:20201209:targeting:952844f, author = {Luigino Camastra and Igor Morgenstern}, title = {{APT Group Targeting Governmental Agencies in East Asia}}, date = {2020-12-09}, organization = {Avast Decoded}, url = {https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/}, language = {English}, urldate = {2021-01-27} } @online{camastra:20210701:backdoored:6f26c16, author = {Luigino Camastra and Igor Morgenstern and Jan Vojtěšek}, title = {{Backdoored Client from Mongolian CA MonPass}}, date = {2021-07-01}, organization = {Avast Decoded}, url = {https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass/}, language = {English}, urldate = {2021-07-02} } @online{camba:20121009:bkdrsarhusta:92d2b93, author = {Abraham Latimer Camba}, title = {{BKDR_SARHUST.A}}, date = {2012-10-09}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/bkdr_sarhust.a}, language = {English}, urldate = {2020-01-05} } @online{camba:20130227:bkdrrarstone:8c1d7b2, author = {Abraham Camba}, title = {{BKDR_RARSTONE: New RAT to Watch Out For}}, date = {2013-02-27}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/}, language = {English}, urldate = {2020-01-08} } @online{camba:20201120:weaponizing:e15699d, author = {Abraham Camba and Bren Matthew Ebriega and Gilbert Sison}, title = {{Weaponizing Open Source Software for Targeted Attacks}}, date = {2020-11-20}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html}, language = {English}, urldate = {2020-11-23} } @online{camba:20210202:finding:67f5c6b, author = {Abraham Camba and Byron Gelera and Catherine Loveria}, title = {{Finding and Decoding Multi-Step Obfuscated Malware}}, date = {2021-02-02}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/b/finding-multi-step-obfuscated-malware.html}, language = {English}, urldate = {2021-02-09} } @online{camba:20210705:tracking:6ae6ad5, author = {Abraham Camba and Catherine Loveria and Ryan Maglaque and Buddy Tancio}, title = {{Tracking Cobalt Strike: A Trend Micro Vision One Investigation}}, date = {2021-07-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/g/tracking_cobalt_strike_a_vision_one_investigation.html}, language = {English}, urldate = {2021-07-19} } @online{camba:20211217:staging:0ec37d9, author = {Abraham Camba and Jonna Santos and Gilbert Sison and Jay Yaneza}, title = {{Staging a Quack: Reverse Analyzing a Fileless QAKBOT Stager}}, date = {2021-12-17}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/l/staging-a-quack-reverse-analyzing-fileless-qakbot-stager.html}, language = {English}, urldate = {2021-12-31} } @online{cameron:20170915:welp:8da10de, author = {Dell Cameron}, title = {{Welp, Vevo Just Got Hacked}}, date = {2017-09-15}, url = {https://gizmodo.com/welp-vevo-just-got-hacked-1813390834}, language = {English}, urldate = {2019-10-17} } @online{cameron:20181030:us:45da6b7, author = {Dell Cameron}, title = {{U.S. Indicts Chinese Hacker-Spies in Conspiracy to Steal Aerospace Secrets}}, date = {2018-10-30}, organization = {Gizmodo}, url = {https://gizmodo.com/u-s-indicts-chinese-hacker-spies-in-conspiracy-to-stea-1830111695}, language = {English}, urldate = {2019-11-27} } @online{camichel:20190309:retefe:3414337, author = {Corsin Camichel}, title = {{retefe: Artefacts from various retefe campaigns}}, date = {2019-03-09}, organization = {Github (cocaman)}, url = {https://github.com/cocaman/retefe}, language = {English}, urldate = {2020-01-13} } @online{camichel:20190523:analysing:9a4f909, author = {Corsin Camichel}, title = {{Analysing "Retefe" with Sysmon and Splunk}}, date = {2019-05-23}, organization = {Vulnerability.ch Blog}, url = {https://vulnerability.ch/2019/05/analysing-retefe-with-sysmon-and-splunk/}, language = {English}, urldate = {2019-07-09} } @online{camichel:20200512:absent:f352502, author = {Corsin Camichel}, title = {{Tweet on AbSent Loader}}, date = {2020-05-12}, organization = {Twitter (@cocaman)}, url = {https://twitter.com/cocaman/status/1260069549069733888}, language = {English}, urldate = {2020-05-15} } @online{camichel:20201101:observed:abb75ee, author = {Corsin Camichel}, title = {{Observed Malware Campaigns – October 2020}}, date = {2020-11-01}, organization = {Vulnerability.ch Blog}, url = {https://vulnerability.ch/2020/11/observed-malware-campaigns-october-2020/}, language = {English}, urldate = {2020-11-02} } @online{camichel:20210425:ransomware:1a1ee7f, author = {Corsin Camichel}, title = {{Ransomware and Data Leak Site Publication Time Analysis}}, date = {2021-04-25}, organization = {Vulnerability.ch Blog}, url = {https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/}, language = {English}, urldate = {2021-04-29} } @online{campbell:20190502:2019:1fe00f6, author = {Bryan Campbell and Proofpoint Threat Insight Team}, title = {{2019: The Return of Retefe}}, date = {2019-05-02}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe}, language = {English}, urldate = {2019-12-20} } @online{campbell:20190926:new:d228362, author = {Bryan Campbell and Jeremy Hedges and Proofpoint Threat Insight Team}, title = {{New WhiteShadow downloader uses Microsoft SQL to retrieve malware}}, date = {2019-09-26}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware}, language = {English}, urldate = {2020-02-26} } @online{campbell:20191114:ta2101:e79f6fb, author = {Bryan Campbell and Proofpoint Threat Insight Team}, title = {{TA2101 plays government imposter to distribute malware to German, Italian, and US organizations}}, date = {2019-11-14}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us}, language = {English}, urldate = {2019-11-27} } @online{campbell:20200608:analysis:500f9fe, author = {Ryan Campbell}, title = {{Analysis of Valak Maldoc}}, date = {2020-06-08}, organization = {Security Soup Blog}, url = {https://security-soup.net/analysis-of-valak-maldoc/}, language = {English}, urldate = {2020-06-08} } @online{campbell:20200831:analysis:33c982e, author = {Chris Campbell}, title = {{Analysis of the latest wave of Emotet malicious documents}}, date = {2020-08-31}, organization = {Inde}, url = {https://www.inde.nz/blog/analysis-of-the-latest-wave-of-emotet-malicious-documents}, language = {English}, urldate = {2022-04-29} } @online{campbell:20201106:quick:741d84a, author = {Ryan Campbell}, title = {{Quick Post: Spooky New PowerShell Obfuscation in Emotet Maldocs}}, date = {2020-11-06}, organization = {Security Soup Blog}, url = {https://security-soup.net/quick-post-spooky-new-powershell-obfuscation-in-emotet-maldocs/}, language = {English}, urldate = {2020-11-09} } @online{campbell:20201204:inside:9f2f036, author = {Chris Campbell}, title = {{Inside a .NET Stealer: AgentTesla}}, date = {2020-12-04}, organization = {Inde}, url = {https://www.inde.nz/blog/inside-agenttesla}, language = {English}, urldate = {2022-04-29} } @online{campbell:20210311:you:7bd2342, author = {Josh Campbell}, title = {{You Don't Know the HAFNIUM of it...}}, date = {2021-03-11}, organization = {Cyborg Security}, url = {https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/}, language = {English}, urldate = {2021-03-16} } @online{campbell:20210412:different:ea9739f, author = {Chris Campbell}, title = {{A Different Kind of Zoombomb}}, date = {2021-04-12}, organization = {Inde}, url = {https://www.inde.nz/blog/different-kind-of-zoombomb}, language = {English}, urldate = {2022-04-29} } @online{campbell:20210918:squirrelwaffle:5790d40, author = {Ryan Campbell}, title = {{“Squirrelwaffle” Maldoc Analysis}}, date = {2021-09-18}, organization = {Security Soup Blog}, url = {https://security-soup.net/squirrelwaffle-maldoc-analysis/}, language = {English}, urldate = {2021-09-20} } @online{campbell:20210927:doppeldridex:daa5f69, author = {Ryan Campbell}, title = {{DoppelDridex Delivered via Slack and Discord}}, date = {2021-09-27}, organization = {Security Soup Blog}, url = {https://security-soup.net/doppeldridex-delivered-via-slack-and-discord/}, language = {English}, urldate = {2021-09-29} } @online{campbell:20211020:ta551:aa5f9d9, author = {Bryan Campbell and Proofpoint Threat Insight Team}, title = {{TA551 Uses ‘SLIVER’ Red Team Tool in New Activity}}, date = {2021-10-20}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/security-briefs/ta551-uses-sliver-red-team-tool-new-activity}, language = {English}, urldate = {2021-10-26} } @online{campbell:20220315:decoding:507512a, author = {Ryan Campbell}, title = {{Decoding a DanaBot Downloader}}, date = {2022-03-15}, organization = {Security Soup Blog}, url = {https://security-soup.net/decoding-a-danabot-downloader/}, language = {English}, urldate = {2022-03-28} } @online{campbell:20220321:serpent:12b3381, author = {Bryan Campbell and Zachary Abzug and Andrew Northern and Selena Larson}, title = {{Serpent, No Swiping! New Backdoor Targets French Entities with Unique Attack Chain}}, date = {2022-03-21}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain}, language = {English}, urldate = {2022-03-22} } @online{can:20190313:n:bfbaff0, author = {Ahmet Bilal Can}, title = {{N Ways to Unpack Mobile Malware}}, date = {2019-03-13}, organization = {Pentest Blog}, url = {https://pentest.blog/n-ways-to-unpack-mobile-malware/}, language = {English}, urldate = {2020-01-09} } @online{can:20190718:android:5097363, author = {Ahmet Bilal Can}, title = {{Android Malware Analysis : Dissecting Hydra Dropper}}, date = {2019-07-18}, url = {https://pentest.blog/android-malware-analysis-dissecting-hydra-dropper/}, language = {English}, urldate = {2019-12-05} } @techreport{canada:2011:snowglobe:2cf6813, author = {CSE Canada}, title = {{SNOWGLOBE: From Discovery to Attribution}}, date = {2011}, institution = {Spiegel Online}, url = {http://www.spiegel.de/media/media-35683.pdf}, language = {English}, urldate = {2019-12-17} } @online{canada:20210415:statement:2e6f28b, author = {Government of Canada}, title = {{Statement on SolarWinds Cyber Compromise}}, date = {2021-04-15}, organization = {Government of Canada}, url = {https://www.canada.ca/en/global-affairs/news/2021/04/statement-on-solarwinds-cyber-compromise.html}, language = {English}, urldate = {2021-04-16} } @online{canada:20210719:statement:e1247f4, author = {Global Affairs Canada}, title = {{Statement on China’s cyber campaigns}}, date = {2021-07-19}, organization = {Government of Canada}, url = {https://www.canada.ca/en/global-affairs/news/2021/07/statement-on-chinas-cyber-campaigns.html}, language = {English}, urldate = {2021-07-22} } @online{canary:20200617:threat:3a7f962, author = {Red Canary}, title = {{Threat Detection: Blue Mockingbird}}, date = {2020-06-17}, organization = {Youtube (Red Canary)}, url = {https://www.youtube.com/watch?v=6t_E8KOmZSs}, language = {English}, urldate = {2020-06-19} } @online{canary:20201204:yellow:1633ca2, author = {Red Canary}, title = {{Yellow Cockatoo: Search engine redirects, in-memory remote access trojan, and more}}, date = {2020-12-04}, organization = {Red Canary}, url = {https://redcanary.com/blog/yellow-cockatoo/}, language = {English}, urldate = {2020-12-08} } @techreport{canary:20210331:2021:cd81f2d, author = {Red Canary}, title = {{2021 Threat Detection Report}}, date = {2021-03-31}, institution = {Red Canary}, url = {https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf}, language = {English}, urldate = {2021-04-06} } @techreport{canary:20220322:2022:67c40ea, author = {Red Canary}, title = {{2022 Threat Detection Report}}, date = {2022-03-22}, institution = {Red Canary}, url = {https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf}, language = {English}, urldate = {2022-03-23} } @online{cannell:20130725:zeroaccess:4853854, author = {Joshua Cannell}, title = {{ZeroAccess uses Self-Debugging}}, date = {2013-07-25}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2013/07/zeroaccess-anti-debug-uses-debugger/}, language = {English}, urldate = {2019-12-20} } @online{cannell:20130801:sophos:404c6a5, author = {Joshua Cannell}, title = {{Sophos Discovers ZeroAccess Using RLO}}, date = {2013-08-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2013/08/sophos-discovers-zeroaccess-using-rlo/}, language = {English}, urldate = {2019-12-20} } @online{cannell:20130926:new:428977b, author = {Joshua Cannell}, title = {{New Solarbot Malware Debuts, Creator Publicly Advertising}}, date = {2013-09-26}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2013/09/new-solarbot-malware-debuts-creator-publicly-advertising/}, language = {English}, urldate = {2019-12-20} } @online{cannings:20160616:sakula:cece262, author = {David Cannings}, title = {{Sakula: an adventure in DLL planting}}, date = {2016-06-16}, organization = {NCC Group}, url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/sakula-an-adventure-in-dll-planting/?page=1}, language = {English}, urldate = {2020-01-06} } @online{cannings:20170403:investigation:7deb188, author = {Rich Cannings and Jason Woloz and Neel Mehta and Ken Bodzak and Wentao Chang and Megan Ruthven}, title = {{An investigation of Chrysaor Malware on Android}}, date = {2017-04-03}, organization = {Google}, url = {https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html}, language = {English}, urldate = {2019-12-17} } @online{cannings:20170403:investigation:8de942a, author = {Rich Cannings and Jason Woloz and Neel Mehta and Ken Bodzak and Wentao Chang and Megan Ruthven}, title = {{An Investigation of Chrysaor Malware on Android}}, date = {2017-04-03}, organization = {Google}, url = {https://security.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html}, language = {English}, urldate = {2020-01-08} } @online{cannings:20170403:technical:e27583c, author = {David Cannings}, title = {{Technical Notes on RedLeaves}}, date = {2017-04-03}, organization = {Github (nccgroup)}, url = {https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Red%20Leaves}, language = {English}, urldate = {2020-01-06} } @online{cannon:20171207:new:035f809, author = {Vincent Cannon and Nalani Fraser and Yogesh Londhe and Manish Sardiwal and Nick Richard and Jacqueline O’Leary}, title = {{New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit}}, date = {2017-12-07}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html}, language = {English}, urldate = {2019-12-20} } @online{cano:20220127:adversary:244a480, author = {Nathali Cano and Jorge Orchilles and Christopher Peacock}, title = {{Adversary Emulation Diavol Ransomware #ThreatThursday}}, date = {2022-01-27}, organization = {SCYTHE}, url = {https://www.scythe.io/library/adversary-emulation-diavol-ransomware-threatthursday}, language = {English}, urldate = {2022-02-01} } @online{cao:20200324:operation:89da9bd, author = {Elliot Cao and Joseph Chen and William Gamazo Sanchez and Lilang Wu and Ecular Xu}, title = {{Operation Poisoned News: Hong Kong Users Targeted With Mobile Malware via Local News Links}}, date = {2020-03-24}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links/}, language = {English}, urldate = {2020-03-25} } @techreport{cao:20200324:technical:dc23839, author = {Elliot Cao and Joseph Chen and William Gamazo Sanchez and Lilang Wu and Ecular Xu}, title = {{Technical Brief: Operation Poisoned News: Hong Kong Users Targeted with Mobile Malware via Local News Links}}, date = {2020-03-24}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/Tech-Brief-Operation-Poisoned-News-Hong-Kong-Users-Targeted-with-Mobile-Malware-via-Local-News-Links.pdf}, language = {English}, urldate = {2020-03-25} } @techreport{capcom:20210413:4th:7ce2091, author = {CAPCOM}, title = {{4th Update Regarding Data Security Incident Due to Unauthorized Access:Investigation Results}}, date = {2021-04-13}, institution = {CAPCOM}, url = {https://www.capcom.co.jp/ir/english/news/pdf/e210413.pdf}, language = {English}, urldate = {2021-04-14} } @online{capilla:20161121:android:5150467, author = {Sergi Àlvarez i Capilla}, title = {{Android malware analysis with Radare: Dissecting the Triada Trojan}}, date = {2016-11-21}, organization = {NowSecure}, url = {https://www.nowsecure.com/blog/2016/11/21/android-malware-analysis-radare-triada-trojan/}, language = {English}, urldate = {2020-01-10} } @online{caragay:20150924:credit:59e0581, author = {RonJay Caragay and Michael Marcos}, title = {{Credit Card-Scraping Kasidet Builder Leads to Spike in Detections}}, date = {2015-09-24}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/credit-card-scraping-kasidet-builder-leads-to-spike-in-detections/}, language = {English}, urldate = {2020-01-13} } @techreport{carcano:20181001:triton:7863291, author = {Andrea Carcano}, title = {{TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of Industrial Control Systems, Forever}}, date = {2018-10-01}, institution = {SANS Cyber Summit}, url = {https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1538425180.pdf}, language = {English}, urldate = {2020-01-20} } @online{care:202008:critical:415c34d, author = {CARE}, title = {{Critical Infrastructure Ransomware Attacks}}, date = {2020-08}, organization = {Temple University}, url = {https://sites.temple.edu/care/ci-rw-attacks/}, language = {English}, urldate = {2020-09-15} } @online{carhart:20210511:reasonable:9708c70, author = {Lesley Carhart}, title = {{Reasonable IR Team Expectations}}, date = {2021-05-11}, organization = {tisiphone.net blog}, url = {https://tisiphone.net/2021/05/11/reasonable-ir-team-expectations/}, language = {English}, urldate = {2021-05-13} } @online{caridi:20210721:this:17b999a, author = {Chris Caridi and Allison Wikoff}, title = {{This Chat is Being Recorded: Egregor Ransomware Negotiations Uncovered}}, date = {2021-07-21}, organization = {IBM}, url = {https://securityintelligence.com/posts/egregor-ransomware-negotiations-uncovered/}, language = {English}, urldate = {2021-07-22} } @online{carli:201705:botnet:18f6b9a, author = {Lorenzo De Carli and Ruben Torres and Gaspar Modelo-Howard and Alok Tongaonkar and Somesh Jha}, title = {{Botnet Protocol Inference in the Presence of Encrypted Traffic}}, date = {2017-05}, organization = {IEEE}, url = {https://www.researchgate.net/profile/Lorenzo-De-Carli/publication/320250366_Botnet_protocol_inference_in_the_presence_of_encrypted_traffic/links/5fa9608792851cc286a08592/Botnet-protocol-inference-in-the-presence-of-encrypted-traffic.pdf?origin=publication_detail}, language = {English}, urldate = {2021-10-11} } @online{carlson:20100714:who:7563adc, author = {Benjamin Carlson}, title = {{Who Was the 12th Russian Spy at Microsoft?}}, date = {2010-07-14}, organization = {The Atlantic}, url = {https://www.theatlantic.com/international/archive/2010/07/who-was-the-12th-russian-spy-at-microsoft/344876/}, language = {English}, urldate = {2021-04-19} } @online{carr:20170514:cyber:0ac720f, author = {Nick Carr}, title = {{Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations}}, date = {2017-05-14}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html}, language = {English}, urldate = {2019-12-20} } @online{carr:20170524:apt32:4060afe, author = {Nick Carr}, title = {{APT32: New Cyber Espionage Group}}, date = {2017-05-24}, organization = {BrightTALK (FireEye)}, url = {https://www.brighttalk.com/webcast/10703/261205}, language = {English}, urldate = {2020-01-07} } @online{carr:20170630:obfuscation:c3d947e, author = {Nick Carr and Daniel Bohannon}, title = {{Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques}}, date = {2017-06-30}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html}, language = {English}, urldate = {2019-12-20} } @online{carr:20180801:hunt:0fe0e15, author = {Nick Carr and Kimberly Goody and Steve Miller and Barry Vengerik}, title = {{On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation}}, date = {2018-08-01}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html}, language = {English}, urldate = {2019-12-20} } @online{carr:20181106:griffon:c7f800f, author = {Nick Carr}, title = {{Tweet on a GRIFFON sample}}, date = {2018-11-06}, organization = {Twitter (@ItsReallyNick)}, url = {https://twitter.com/ItsReallyNick/status/1059898708286939136}, language = {English}, urldate = {2019-12-17} } @online{carr:20190605:malware:a6892ae, author = {Nick Carr}, title = {{Tweet on Malware Sample}}, date = {2019-06-05}, organization = {Twitter (@ItsReallyNick)}, url = {https://twitter.com/ItsReallyNick/status/1136502701301346305}, language = {English}, urldate = {2020-01-07} } @online{carr:20191010:mahalo:917c5b2, author = {Nick Carr and Josh Yoder and Kimberly Goody and Scott Runnels and Jeremy Kennelly and Jordan Nuce}, title = {{Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques}}, date = {2019-10-10}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html}, language = {English}, urldate = {2019-11-18} } @online{carr:20191220:grunt:02cb116, author = {Nick Carr}, title = {{Tweet on GRUNT payload}}, date = {2019-12-20}, organization = {Twitter (@ItsReallyNick)}, url = {https://twitter.com/ItsReallyNick/status/1208141697282117633}, language = {English}, urldate = {2020-01-09} } @online{carr:20200114:rough:1c149da, author = {Nick Carr and Matt Bromiley}, title = {{Rough Patch: I Promise It'll Be 200 OK (Citrix ADC CVE-2019-19781)}}, date = {2020-01-14}, organization = {FireEye}, url = {https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html}, language = {English}, urldate = {2020-01-17} } @online{carr:20200601:malware:62e3d49, author = {Nick Carr}, title = {{Tweet on malware called NETFLASH}}, date = {2020-06-01}, organization = {Twitter (@ItsReallyNick)}, url = {https://twitter.com/ItsReallyNick/status/1267475216923594755}, language = {English}, urldate = {2020-06-05} } @online{carr:20201214:summarizing:67227be, author = {Nick Carr}, title = {{Tweet on summarizing post-compromise actvity of UNC2452}}, date = {2020-12-14}, organization = {Twitter (@ItsReallyNick)}, url = {https://twitter.com/ItsReallyNick/status/1338382939835478016}, language = {English}, urldate = {2020-12-14} } @online{carr:20201215:quick:5305f61, author = {Nick Carr}, title = {{A quick note from Nick Carr on COSMICGALE and SUPERNOVA that those are unrelated to UC2452 intrusion campaign}}, date = {2020-12-15}, organization = {Github (itsreallynick)}, url = {https://github.com/fireeye/sunburst_countermeasures/pull/5}, language = {English}, urldate = {2020-12-19} } @techreport{carrera:20041006:digital:5a195e2, author = {Ero Carrera and Gergely Erdélyi}, title = {{Digital genome mapping: advanced binary malware analysis}}, date = {2004-10-06}, institution = {F-Secure}, url = {https://archive.f-secure.com/weblog/archives/carrera_erdelyi_VB2004.pdf}, language = {English}, urldate = {2021-12-31} } @techreport{carrera:2010:state:687e608, author = {Ero Carrera and Peter Silberman}, title = {{State of Malware: Family Ties}}, date = {2010}, institution = {Mandiant}, url = {https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf}, language = {English}, urldate = {2022-01-28} } @online{carroll:20220105:technical:171666f, author = {Eoin Carroll}, title = {{Technical Analysis of CVE-2021-1732}}, date = {2022-01-05}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/technical-analysis-of-cve-2021-1732/}, language = {English}, urldate = {2022-01-25} } @online{carvey:20190404:mimikatz:243c11a, author = {Harlan Carvey}, title = {{Mimikatz in the Wild: Bypassing Signature-Based Detections Using the “AK47 of Cyber”}}, date = {2019-04-04}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/credential-theft-mimikatz-techniques/}, language = {English}, urldate = {2019-12-20} } @online{case:20190902:digital:0f6cd23, author = {Andrew Case and Matthew Meltzer and Steven Adair}, title = {{Digital Crackdown: Large-Scale Surveillance and Exploitation of Uyghurs}}, date = {2019-09-02}, organization = {Volexity}, url = {https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/}, language = {English}, urldate = {2019-12-06} } @online{case:20200421:evil:54c1d46, author = {Andrew Case and Dave Lassalle and Matthew Meltzer and Sean Koessel and Steven Adair and Thomas Lancaster}, title = {{Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant}}, date = {2020-04-21}, organization = {Volexity}, url = {https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/}, language = {English}, urldate = {2020-04-22} } @online{caselden:20150418:operation:f2f3cba, author = {Dan Caselden and Yasir Khalid and James “Tom” Bennett and Genwei Jiang and Corbin Souffrant and Joshua Homan and Jonathan Wrolstad and Chris Phillips and Darien Kin}, title = {{Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia’s APT28 in Highly-Targeted Attack}}, date = {2015-04-18}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html}, language = {English}, urldate = {2019-10-16} } @online{caselden:20150623:operation:dc2929c, author = {Dan Caselden and Erica Eng}, title = {{Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign}}, date = {2015-06-23}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html}, language = {English}, urldate = {2019-12-20} } @online{cash:20201214:dark:7d54c5d, author = {Damien Cash and Matthew Meltzer and Sean Koessel and Steven Adair and Thomas Lancaster and Volexity Threat Research}, title = {{Dark Halo Leverages SolarWinds Compromise to Breach Organizations}}, date = {2020-12-14}, organization = {Volexity}, url = {https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/}, language = {English}, urldate = {2020-12-15} } @online{cash:20210115:sign:c50ae62, author = {David Cash}, title = {{Sign over Your Hashes – Stealing NetNTLM Hashes via Outlook Signatures}}, date = {2021-01-15}, organization = {nccgroup}, url = {https://research.nccgroup.com/2021/01/15/sign-over-your-hashes-stealing-netntlm-hashes-via-outlook-signatures/}, language = {English}, urldate = {2021-01-21} } @online{cash:20210527:suspected:beb9dd9, author = {Damien Cash and Josh Grunzweig and Matthew Meltzer and Sean Koessel and Steven Adair and Thomas Lancaster}, title = {{Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns}}, date = {2021-05-27}, organization = {Volexity}, url = {https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/}, language = {English}, urldate = {2021-06-09} } @online{cash:20210817:north:e84fb02, author = {Damien Cash and Josh Grunzweig and Matthew Meltzer and Steven Adair and Thomas Lancaster}, title = {{North Korean APT37 / InkySquid Infects Victims Using Browser Exploits}}, date = {2021-08-17}, organization = {Volatility Labs}, url = {https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/}, language = {English}, urldate = {2021-08-20} } @online{cash:20210824:north:aab532f, author = {Damien Cash and Josh Grunzweig and Steven Adair and Thomas Lancaster}, title = {{North Korean BLUELIGHT Special: InkySquid Deploys RokRAT}}, date = {2021-08-24}, organization = {Volexity}, url = {https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/}, language = {English}, urldate = {2021-08-31} } @online{cash:20220322:storm:236d2ad, author = {Damien Cash and Steven Adair and Thomas Lancaster}, title = {{Storm Cloud on the Horizon: GIMMICK Malware Strikes at macOS}}, date = {2022-03-22}, organization = {Volexity}, url = {https://www.volexity.com/blog/2022/03/22/storm-cloud-on-the-horizon-gimmick-malware-strikes-at-macos/}, language = {English}, urldate = {2022-03-23} } @online{cashdollar:20190613:latest:1dba306, author = {Larry Cashdollar}, title = {{Latest ECHOBOT: 26 Infection Vectors}}, date = {2019-06-13}, organization = {Akamai}, url = {https://blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html}, language = {English}, urldate = {2020-01-08} } @online{cashdollar:20210316:another:93fb703, author = {Larry Cashdollar}, title = {{Another Golang Crypto Miner On The Loose}}, date = {2021-03-16}, organization = {Akamai}, url = {https://blogs.akamai.com/sitr/2021/03/another-golang-crypto-miner-on-the-loose.html}, language = {English}, urldate = {2021-03-22} } @online{cashdollar:20210916:capoae:5ac6400, author = {Larry Cashdollar}, title = {{Capoae Malware Ramps Up: Uses Multiple Vulnerabilities and Tactics to Spread}}, date = {2021-09-16}, organization = {Akamai}, url = {https://www.akamai.com/blog/security/capoae-malware-ramps-up-uses-multiple-vulnerabilities-and-tactics-to-spread}, language = {English}, urldate = {2021-09-19} } @online{cashman:20201221:how:10d8756, author = {Mo Cashman and Arnab Roy}, title = {{How A Device to Cloud Architecture Defends Against the SolarWinds Supply Chain Compromise}}, date = {2020-12-21}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/how-a-device-to-cloud-architecture-defends-against-the-solarwinds-supply-chain-compromise/}, language = {English}, urldate = {2020-12-23} } @online{casperinous:20220219:ida:8fdf71c, author = {Casperinous}, title = {{IDA scripts for analysis of Colibri Loader}}, date = {2022-02-19}, organization = {Github (Casperinous)}, url = {https://github.com/Casperinous/colibri_loader}, language = {English}, urldate = {2022-03-02} } @online{caspi:20170504:osx:9f62c96, author = {Ofer Caspi}, title = {{OSX Malware is Catching Up, and it wants to Read Your HTTPS Traffic}}, date = {2017-05-04}, organization = {Check Point Software Technologies Ltd}, url = {http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/}, language = {English}, urldate = {2019-11-24} } @online{caspi:20170713:osxdok:b34ca60, author = {Ofer Caspi}, title = {{OSX/Dok Refuses to Go Away and It’s After Your Money}}, date = {2017-07-13}, organization = {Check Point}, url = {https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/}, language = {English}, urldate = {2020-01-05} } @online{caspi:20180724:emotet:a26725d, author = {Ofer Caspi and Ben Herzog}, title = {{Emotet: The Tricky Trojan that ‘Git Clones’}}, date = {2018-07-24}, organization = {Check Point}, url = {https://research.checkpoint.com/emotet-tricky-trojan-git-clones/}, language = {English}, urldate = {2020-01-13} } @online{caspi:20200519:trickbot:50c2a51, author = {Ofer Caspi}, title = {{TrickBot BazarLoader In-Depth}}, date = {2020-05-19}, organization = {AlienLabs}, url = {https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth}, language = {English}, urldate = {2020-05-20} } @online{caspi:20210107:malware:2ad7d86, author = {Ofer Caspi and Fernando Martinez}, title = {{Malware using new Ezuri memory loader}}, date = {2021-01-07}, organization = {AT&T}, url = {https://cybersecurity.att.com/blogs/labs-research/malware-using-new-ezuri-memory-loader}, language = {English}, urldate = {2021-01-11} } @online{caspi:20210127:teamtnt:8ebf267, author = {Ofer Caspi}, title = {{TeamTNT delivers malware with new detection evasion tool}}, date = {2021-01-27}, organization = {AT&T}, url = {https://cybersecurity.att.com/blogs/labs-research/teamtnt-delivers-malware-with-new-detection-evasion-tool}, language = {English}, urldate = {2021-01-27} } @online{caspi:20210622:darkside:2889f3c, author = {Ofer Caspi}, title = {{Darkside RaaS in Linux version}}, date = {2021-06-22}, organization = {AT&T}, url = {https://cybersecurity.att.com/blogs/labs-research/darkside-raas-in-linux-version}, language = {English}, urldate = {2021-06-24} } @online{caspi:20210701:revils:20b42ae, author = {Ofer Caspi and Fernando Martinez}, title = {{REvil’s new Linux version}}, date = {2021-07-01}, organization = {AT&T Cybersecurity}, url = {https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version}, language = {English}, urldate = {2021-07-02} } @online{caspi:20210802:new:65cbd77, author = {Ofer Caspi and Javier Ruiz}, title = {{New sophisticated RAT in town: FatalRat analysis}}, date = {2021-08-02}, organization = {AT&T}, url = {https://cybersecurity.att.com/blogs/labs-research/new-sophisticated-rat-in-town-fatalrat-analysis}, language = {English}, urldate = {2021-08-02} } @online{caspi:20210908:teamtnt:f9ad39d, author = {Ofer Caspi}, title = {{TeamTNT with new campaign aka “Chimaera”}}, date = {2021-09-08}, organization = {AT&T}, url = {https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera}, language = {English}, urldate = {2021-09-10} } @online{caspi:20211111:att:4c2bbed, author = {Ofer Caspi}, title = {{AT&T Alien Labs finds new Golang malware (BotenaGo) targeting millions of routers and IoT devices with more than 30 exploits}}, date = {2021-11-11}, organization = {AT&T}, url = {https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits}, language = {English}, urldate = {2021-11-17} } @online{caspi:20220126:botenago:0c74142, author = {Ofer Caspi}, title = {{BotenaGo strikes again - malware source code uploaded to GitHub}}, date = {2022-01-26}, organization = {AT&T Cybersecurity}, url = {https://cybersecurity.att.com/blogs/labs-research/botenago-strike-again-malware-source-code-uploaded-to-github}, language = {English}, urldate = {2022-04-24} } @online{caspi:20220526:rapidly:cbc0d84, author = {Ofer Caspi}, title = {{Rapidly evolving IoT malware EnemyBot now targeting Content Management System servers and Android devices}}, date = {2022-05-26}, organization = {AT&T Cybersecurity}, url = {https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers}, language = {English}, urldate = {2022-05-31} } @online{cass:20211019:whatta:4d969e1, author = {Zydeca Cass and Axel F and Crista Giering and Matthew Mesa and Georgi Mladenov and Brandon Murphy}, title = {{Whatta TA: TA505 Ramps Up Activity, Delivers New FlawedGrace Variant}}, date = {2021-10-19}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/whatta-ta-ta505-ramps-activity-delivers-new-flawedgrace-variant}, language = {English}, urldate = {2021-10-24} } @online{castel:20210607:avaddon:9a4a8cb, author = {Loïc Castel}, title = {{Avaddon Ransomware Analysis}}, date = {2021-06-07}, organization = {ATOS}, url = {https://atos.net/en/lp/securitydive/avaddon-ransomware-analysis}, language = {English}, urldate = {2021-11-17} } @online{castillo:20220302:cybercrime:c1663a8, author = {Carlos del Castillo}, title = {{Cybercrime bosses warn that they will "fight back" if Russia is hacked}}, date = {2022-03-02}, organization = {elDiario}, url = {https://www.eldiario.es/tecnologia/capos-cibercrimen-avisan-contratacaran-si-hackea-rusia_1_8795458.html}, language = {Spanish}, urldate = {2022-03-04} } @online{castleman:20210127:logokit:7322a8b, author = {Adam Castleman}, title = {{LogoKit: Simple, Effective, and Deceptive}}, date = {2021-01-27}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/a068810a}, language = {English}, urldate = {2021-01-29} } @online{castleman:20210407:yanbian:dcf9de9, author = {Adam Castleman and Jordan Herman}, title = {{Yanbian Gang Malware Continues with Wide-Scale Distribution and C2}}, date = {2021-04-07}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/f88ed16f/description}, language = {English}, urldate = {2021-04-09} } @online{castleman:20210422:stealing:d799b15, author = {Adam Castleman and Jordan Herman}, title = {{Stealing All Your Information For Years With Shadow Z118 PayPal Phish Kits}}, date = {2021-04-22}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/50bcba95}, language = {English}, urldate = {2021-04-28} } @online{casualmalware:20200311:firebird:6d1f8a2, author = {casual_malware}, title = {{Tweet on FireBird RAT}}, date = {2020-03-11}, organization = {Twitter (@casual_malware)}, url = {https://twitter.com/casual_malware/status/1237775601035096064}, language = {English}, urldate = {2020-03-13} } @online{catwithoutahat7:20210313:dearcry:3a71a24, author = {Twitter (@CatWithoutAHat7)}, title = {{DearCry Ransomware - A quick look 0x01}}, date = {2021-03-13}, organization = {YouTube (0xc7a)}, url = {https://www.youtube.com/watch?v=Hhx9Q2i7zGo}, language = {English}, urldate = {2021-04-16} } @online{catwithoutahat7:20210313:dearcry:85773c0, author = {Twitter (@CatWithoutAHat7)}, title = {{DearCry Ransomware - A quick look 0x02}}, date = {2021-03-13}, organization = {YouTube (0xc7a)}, url = {https://www.youtube.com/watch?v=MRTdGUy1lfw}, language = {English}, urldate = {2021-04-16} } @online{catwithoutahat7:20210313:dearcry:bb446b1, author = {Twitter (@CatWithoutAHat7)}, title = {{DearCry Ransomware - A quick look 0x00}}, date = {2021-03-13}, organization = {YouTube (0xc7a)}, url = {https://www.youtube.com/watch?v=qmCjtigVVR0}, language = {English}, urldate = {2021-04-16} } @techreport{ccc:20111008:analyse:0c4a8c9, author = {CCC}, title = {{ANALYSE EINER REGIERUNGS-MALWARE}}, date = {2011-10-08}, institution = {CCC}, url = {http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf}, language = {English}, urldate = {2020-01-07} } @online{ccncert:20181104:betabot:fd654de, author = {CCN-CERT}, title = {{BetaBot y Fleercivet, dos nuevos informes de código dañino del CCN-CERT}}, date = {2018-11-04}, organization = {CCN-CERT}, url = {https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/6087-betabot-y-fleercivet-dos-nuevos-informes-de-codigo-danino-del-ccn-cert.html}, language = {English}, urldate = {2020-01-10} } @online{ccncert:201911:informe:69b39b5, author = {CCN-CERT}, title = {{Informe Código Dañino CCN-CERT ID-26/19}}, date = {2019-11}, organization = {CCN-CERT}, url = {https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/4217-ccn-cert-id-26-19-ryuk-1/file.html}, language = {Espanyol}, urldate = {2020-01-10} } @online{ccncert:202005:malware:e6aed81, author = {CCN-CERT}, title = {{Malware report CCN-CERT ID-15/20 Snake Locker}}, date = {2020-05}, organization = {CCN-CERT}, url = {https://www.ccn-cert.cni.es/pdf/5045-ccn-cert-id-15-20-snake-locker-english-1/file.html}, language = {English}, urldate = {2020-06-10} } @online{ccncert:202103:informe:1628d52, author = {CCN-CERT}, title = {{Informe Código DañinoCCN-CERT ID-03/21: RyukRansomware}}, date = {2021-03}, organization = {CCN-CERT}, url = {https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/5768-ccn-cert-id-03-21-ryuk-ransomware/file.html}, language = {Spanish}, urldate = {2021-03-19} } @online{centeno:20180501:legitimate:bd0644c, author = {Raphael Centeno}, title = {{Legitimate Application AnyDesk Bundled with New Ransomware Variant}}, date = {2018-05-01}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/legitimate-application-anydesk-bundled-with-new-ransomware-variant/}, language = {English}, urldate = {2019-10-14} } @online{centeno:20190508:dharma:cc5ac04, author = {Raphael Centeno}, title = {{Dharma Ransomware Uses AV Tool to Distract from Malicious Activities}}, date = {2019-05-08}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/dharma-ransomware-uses-av-tool-to-distract-from-malicious-activities/}, language = {English}, urldate = {2020-01-06} } @online{centeno:20200521:backdoor:d6d37a9, author = {Raphael Centeno and Llallum Victoria}, title = {{Backdoor, Devil Shadow Botnet Hidden in Fake Zoom Installers}}, date = {2020-05-21}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-devil-shadow-botnet-hidden-in-fake-zoom-installers/}, language = {English}, urldate = {2020-05-23} } @online{centeno:20200921:cybercriminals:0dbaa08, author = {Raphael Centeno}, title = {{Cybercriminals Distribute Backdoor With VPN Installer}}, date = {2020-09-21}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/i/wind-up-windscribe-vpn-bundled-with-backdoor.html}, language = {English}, urldate = {2020-09-23} } @online{centeno:20210205:new:33e89f1, author = {Raphael Centeno and Monte de Jesus and Don Ovid Ladores and Junestherry Salvador and Nikko Tamana and Llalum Victoria}, title = {{New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker}}, date = {2021-02-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html}, language = {English}, urldate = {2021-02-09} } @online{centeno:20210412:spike:d67dcb0, author = {Raphael Centeno and Don Ovid Ladores and Lala Manly and Junestherry Salvador and Frankylnn Uy}, title = {{A Spike in BazarCall and IcedID Activity Detected in March}}, date = {2021-04-12}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/d/a-spike-in-bazarcall-and-icedid-activity.html}, language = {English}, urldate = {2021-04-14} } @online{center:20130222:recent:b3d3f80, author = {Microsoft Security Response Center}, title = {{Recent Cyberattacks}}, date = {2013-02-22}, organization = {Microsoft}, url = {https://blogs.technet.microsoft.com/msrc/2013/02/22/recent-cyberattacks/}, language = {English}, urldate = {2019-12-20} } @online{center:20180330:analysis:4f1feb9, author = {Qi Anxin Threat Intelligence Center}, title = {{Analysis of the latest cyber attack activity of the APT organization against sensitive institutions in China}}, date = {2018-03-30}, organization = {360 Threat Intelligence}, url = {https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/}, language = {Chinese}, urldate = {2020-01-13} } @techreport{center:201803:oilrig:b3c95ff, author = {NYOTRON ATTACK RESPONSE CENTER}, title = {{OilRig is Back with Next-Generation Tools and Techniques}}, date = {2018-03}, institution = {Nyotron}, url = {https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf}, language = {English}, urldate = {2019-10-13} } @online{center:20180523:sidewinderapttapt04:2f4c2cc, author = {Tencent Mimi Threat Intelligence Center}, title = {{SideWinder“响尾蛇”APT组织(T-APT-04):针对南亚的定向攻击威胁}}, date = {2018-05-23}, organization = {Tencent}, url = {https://s.tencent.com/research/report/479.html}, language = {Chinese}, urldate = {2020-01-06} } @techreport{center:20180614:cyber:b2150a3, author = {Cyber ​​Emergency Center}, title = {{Cyber ​​Emergency Center Report No. 3}}, date = {2018-06-14}, institution = {LAC}, url = {https://www.lac.co.jp/lacwatch/pdf/20180614_cecreport_vol3.pdf}, language = {English}, urldate = {2020-07-20} } @online{center:20180723:golden:acfd437, author = {Qi Anxin Threat Intelligence Center}, title = {{Golden Rat Organization-targeted attack in Syria}}, date = {2018-07-23}, organization = {360 Threat Intelligence}, url = {https://ti.360.net/blog/articles/analysis-of-apt-c-27/}, language = {Chinese}, urldate = {2020-04-28} } @online{center:20181129:analysis:08c590c, author = {Qi Anxin Threat Intelligence Center}, title = {{Analysis Of Targeted Attack Against Pakistan By Exploiting InPage Vulnerability And Related APT Groups}}, date = {2018-11-29}, organization = {360 Threat Intelligence}, url = {https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english}, language = {English}, urldate = {2020-03-02} } @online{center:20181129:analysis:d46e3e4, author = {Threat Intelligence Center}, title = {{Analysis Of Targeted Attack Against Pakistan By Exploiting InPage Vulnerability And Related APT Groups}}, date = {2018-11-29}, organization = {360 Threat Intelligence}, url = {https://ti.qianxin.com/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/}, language = {English}, urldate = {2022-01-03} } @online{center:20181212:donot:32e8fb0, author = {Qi Anxin Threat Intelligence Center}, title = {{Donot (APT-C-35) Group Is Targeting Pakistani Businessman Working In China}}, date = {2018-12-12}, organization = {360 Threat Intelligence}, url = {https://ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en/}, language = {English}, urldate = {2020-01-13} } @online{center:20190218:aptc36:abbf9ea, author = {Anxin Threat Intelligence Center}, title = {{APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations}}, date = {2019-02-18}, organization = {360 Threat Intelligence}, url = {https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/}, language = {English}, urldate = {2020-01-09} } @online{center:20190226:disclosure:d46aaed, author = {Tencent Yujian Threat Intelligence Center}, title = {{Disclosure of SideWinder APT's attack against South Asia}}, date = {2019-02-26}, organization = {Tencent}, url = {https://s.tencent.com/research/report/659.html}, language = {Chinese}, urldate = {2021-03-04} } @online{center:20190819:konni:5af29f8, author = {East Security Response Center}, title = {{Konni APT organization emerges as an attack disguised as Russian document}}, date = {2019-08-19}, organization = {EST Security}, url = {https://blog.alyac.co.kr/2474}, language = {Korean}, urldate = {2020-01-20} } @online{center:20191212:gallium:79f6460, author = {Microsoft Threat Intelligence Center}, title = {{GALLIUM: Targeting global telecom}}, date = {2019-12-12}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/}, language = {English}, urldate = {2022-06-15} } @techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } @online{center:20200528:analysis:5b197d4, author = {Threat Intelligence Center}, title = {{Analysis of recent rattlesnake APT attacks against surrounding countries and regions}}, date = {2020-05-28}, organization = {Qianxin}, url = {https://ti.qianxin.com/blog/articles/the-recent-rattlesnake-apt-organized-attacks-on-neighboring-countries-and-regions/}, language = {Chinese}, urldate = {2020-10-27} } @online{center:20200604::a1c780b, author = {Chianxin Virus Response Center}, title = {{脚本系贼寇之风兴起,买卖体系堪比勒索软件}}, date = {2020-06-04}, url = {https://mp.weixin.qq.com/s/REXBtbnI2zXj4H3u6ofMMw}, language = {Chinese}, urldate = {2020-07-16} } @online{center:20200701::fc5fdee, author = {360 Threat Intelligence Center}, title = {{游走在东欧和中亚的奇幻熊}}, date = {2020-07-01}, organization = {360}, url = {https://mp.weixin.qq.com/s/pE_6VRDk-2aTI996sff0og}, language = {Chinese}, urldate = {2020-10-26} } @online{center:20200821:recurrence:d780ef1, author = {Baidu Security Emergency Response Center}, title = {{Recurrence and research of macro attacks under macOS}}, date = {2020-08-21}, organization = {Baidu Security Emergency Response Center}, url = {https://mp.weixin.qq.com/s/a_0Vbnr38drTZAlQfoH10A}, language = {Chinese}, urldate = {2020-08-25} } @online{center:20200825:darkhotel:cf3af4b, author = {360 Threat Intelligence Center}, title = {{Darkhotel (APT-C-06) organized multiple attacks using the Thinmon backdoor framework to reveal the secrets}}, date = {2020-08-25}, organization = {360 Threat Intelligence Center}, url = {https://mp.weixin.qq.com/s/nyxZFXgrtm2-tBiV3-wiMg}, language = {Chinese}, urldate = {2020-08-25} } @online{center:20201023:apt28:099c6cd, author = {360 Threat Intelligence Center}, title = {{APT28携小众压缩包诱饵对北约、中亚目标的定向攻击分析}}, date = {2020-10-23}, organization = {360}, url = {https://mp.weixin.qq.com/s/6R7bFs9lH1I3BNdkatCC9g}, language = {Chinese}, urldate = {2020-10-26} } @online{center:20201026:analysis:81bfa52, author = {Threat Intelligence Center}, title = {{Analysis of the attack activities of the Rattlesnake organization using the Buffy bilateral agreement as bait}}, date = {2020-10-26}, organization = {Qianxin}, url = {https://www.secrss.com/articles/26507}, language = {Chinese}, urldate = {2020-10-27} } @online{center:20201030:aptc41:ede60de, author = {Threat Intelligence Center}, title = {{蓝色魔眼(APT-C-41)组织首次针对我国重要机构定向攻击活动披露}}, date = {2020-10-30}, organization = {360}, url = {https://mp.weixin.qq.com/s/5No0TR4ECVPp_Xv4joXEBg}, language = {Chinese}, urldate = {2020-11-02} } @online{center:20201030:donot:5f3e428, author = {Threat Intelligence Center}, title = {{攻击武器再升级:Donot组织利用伪造签名样本的攻击活动分析}}, date = {2020-10-30}, organization = {Qianxin}, url = {https://mp.weixin.qq.com/s/3Pa3hiuZyQBspDzH0kGSHw}, language = {Chinese}, urldate = {2020-11-02} } @online{center:20201109:analysis:ccf80c0, author = {360 Threat Intelligence Center}, title = {{Analysis of the latest targeted attacks by Lugansk against Ukraine}}, date = {2020-11-09}, organization = {360}, url = {https://mp.weixin.qq.com/s/aMj_EDmTYyAouHWFbY64-A}, language = {Chinese}, urldate = {2020-11-11} } @online{center:20201201:blade:1b3519c, author = {Qi Anxin Threat Intelligence Center}, title = {{Blade Eagle Group - Targeted attack group activities circling the Middle East and West Asia's cyberspace revealed}}, date = {2020-12-01}, organization = {Qianxin}, url = {https://ti.qianxin.com/blog/articles/Blade-hawk-The-activities-of-targeted-the-Middle-East-and-West-Asia-are-exposed/}, language = {English}, urldate = {2022-04-15} } @online{center:20201213:customer:1f4f734, author = {Microsoft Security Response Center}, title = {{Customer Guidance on Recent Nation-State Cyber Attacks}}, date = {2020-12-13}, organization = {Microsoft}, url = {https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/}, language = {English}, urldate = {2020-12-14} } @online{center:20210315:oneclick:cafd441, author = {Microsoft Security Response Center}, title = {{One-Click Microsoft Exchange On-Premises Mitigation Tool – March 2021}}, date = {2021-03-15}, organization = {Microsoft}, url = {https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/}, language = {English}, urldate = {2021-03-22} } @online{center:20210601:rising:06299b0, author = {Rising Threat Intelligence Center}, title = {{Rising warning: APT organizes Lazarus Group to launch an attack on China}}, date = {2021-06-01}, organization = {Rising Threat Intelligence Center}, url = {https://it.rising.com.cn/dongtai/19777.html}, language = {Chinese}, urldate = {2021-06-09} } @online{center:20210602:analysis:6da7255, author = {Microstep Online Research Response Center}, title = {{Analysis of Lazarus's recent targeted attacks against military industry and other industries}}, date = {2021-06-02}, organization = {Microstep Online Research Response Center}, url = {https://mp.weixin.qq.com/s/MBH8ACSTfC6UGzf2h1BuhA}, language = {Chinese}, urldate = {2021-06-09} } @online{center:20210611:tencent:ed32dd1, author = {The Tencent Security Threat Intelligence Center}, title = {{Tencent Security Report: Purple Fox virus maliciously attacks SQL server and spreads like a worm}}, date = {2021-06-11}, organization = {Tencent}, url = {https://s.tencent.com/research/report/1322.html}, language = {Chinese}, urldate = {2021-06-22} } @online{center:20210623:kimsuky:48c6cff, author = {Microstep Online Research Response Center}, title = {{Kimsuky APT organization's targeted attacks on South Korean defense and security related departments}}, date = {2021-06-23}, organization = {Microstep Online Research Response Center}, url = {https://mp.weixin.qq.com/s/SLocYak45PoOwLtMCn0PFg}, language = {Chinese}, urldate = {2021-06-24} } @techreport{center:20210623:kimsuky:859fde5, author = {Microstep Online Research Response Center}, title = {{Kimsuky APT organization's targeted attacks on South Korean defense and security related departments (IOCs included)}}, date = {2021-06-23}, institution = {Microstep Online Research Response Center}, url = {https://raw.githubusercontent.com/blackorbird/APT_REPORT/master/kimsuky/Kimsuky%20APT%20Group%20targeted%20on%20South%20Korean%20defense%20and%20security%20departments.pdf}, language = {Chinese}, urldate = {2021-06-23} } @online{center:20210701:suspected:aedb06c, author = {Anheng Threat Intelligence Center}, title = {{Suspected HADES organization launched an attack on Ukraine with military themes}}, date = {2021-07-01}, organization = {Anheng Threat Intelligence Center}, url = {https://www.freebuf.com/news/279181.html}, language = {English}, urldate = {2021-07-11} } @online{center:20210714:old:d9d32d2, author = {Microstep Online Research Response Center}, title = {{Old trees and new flowers: Analysis of the new version of KGH spy components used by Kimsuky}}, date = {2021-07-14}, organization = {Microstep Online Research Response Center}, url = {https://mp.weixin.qq.com/s/cbaePmZSk_Ob0r486RMXyw}, language = {Chinese}, urldate = {2021-07-20} } @online{center:20210803:apt31:db50b02, author = {PT Expert Security Center}, title = {{APT31 new dropper. Target destinations: Mongolia, Russia, the U.S., and elsewhere}}, date = {2021-08-03}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-new-attacks/}, language = {English}, urldate = {2021-08-06} } @online{center:20210824:lockbit:730526a, author = {KELA Cyber Intelligence Center}, title = {{LockBit 2.0 Interview with Russian OSINT}}, date = {2021-08-24}, organization = {KELA}, url = {https://ke-la.com/lockbit-2-0-interview-with-russian-osint/}, language = {English}, urldate = {2021-11-02} } @online{center:20210908:trilateral:aedcf24, author = {Microstep Online Research Response Center}, title = {{Trilateral operation: years of cyberespionage against countries in south asia and the middle east (APT36)}}, date = {2021-09-08}, organization = {Microstep Intelligence Bureau}, url = {https://mp.weixin.qq.com/s/AhxP5HmROtMsFBiUxj0cFg}, language = {Chinese}, urldate = {2021-09-14} } @online{center:20210930:masters:8707c00, author = {PT Expert Security Center}, title = {{Masters of Mimicry: new APT group ChamelGang and its arsenal}}, date = {2021-09-30}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang}, language = {English}, urldate = {2021-10-14} } @online{center:20210930:masters:a5ec8ee, author = {PT Expert Security Center}, title = {{Masters of Mimicry: new APT group ChamelGang and its arsenal}}, date = {2021-09-30}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/}, language = {English}, urldate = {2021-10-22} } @online{center:20211108:aint:b92e3b4, author = {KELA Cyber Intelligence Center}, title = {{Ain’t No Actor Trustworthy Enough: The importance of validating sources}}, date = {2021-11-08}, organization = {KELA}, url = {https://ke-la.com/aint-no-actor-trustworthy-enough-the-importance-of-validating-sources/}, language = {English}, urldate = {2021-11-09} } @online{center:20211201:blacktech:b5f8a20, author = {Microstep Online Research Response Center}, title = {{BlackTech, an East Asian hacking group, has launched attacks in sectors such as finance and education}}, date = {2021-12-01}, organization = {Microstep Intelligence Bureau}, url = {https://mp.weixin.qq.com/s/m7wo0AD4yiAFfTm1Jhq2NQ}, language = {Chinese}, urldate = {2021-12-07} } @online{center:20220223:aptc58:fb10a0a, author = {360 Threat Intelligence Center}, title = {{APT-C-58 (Gorgon Group) attack warning}}, date = {2022-02-23}, organization = {Weixin}, url = {https://mp.weixin.qq.com/s/X0kAIHOSldiFDthb4IsmbQ}, language = {Chinese}, urldate = {2022-03-01} } @online{center:20220307:i:aadcf34, author = {Cyber ​​Emergency Center}, title = {{I CAN'T HEAR YOU NOW! INTERNAL BEHAVIOR OF INFORMATION-STEALING MALWARE AND JSOC DETECTION TRENDS}}, date = {2022-03-07}, organization = {LAC WATCH}, url = {https://www.lac.co.jp/lacwatch/report/20220307_002893.html}, language = {Japanese}, urldate = {2022-04-05} } @online{center:20220322:quantum:8629794, author = {360 Threat Intelligence Center}, title = {{Quantum Attack System – NSA "APT-C-40" Hacking Organization High-end Cyber Attack Weapon Technical Analysis Report (I)}}, date = {2022-03-22}, organization = {360 Threat Intelligence Center}, url = {https://mp.weixin.qq.com/s/lzf16Fchfv1fMG3IExq7XA}, language = {Chinese}, urldate = {2022-06-27} } @online{center:20220330:vajraeleph:272518d, author = {QAX Virus Response Center}, title = {{VajraEleph, a Vajra elephant group from South Asia, reveals cyber espionage campaign against Pakistani military personnel}}, date = {2022-03-30}, organization = {Weixin}, url = {https://mp.weixin.qq.com/s/B0ElRhbqLzs-wGQh79fTww}, language = {Chinese}, urldate = {2022-03-31} } @online{center:20220402:waves:5aa4f65, author = {360 Threat Intelligence Center}, title = {{WAVES LURKING IN THE CALM OF THE WIND AND WAVES: A DYNAMIC ANALYSIS OF THE ATTACK ACTIVITIES OF THE APT-C-00 (SEALOTUS) ORGANIZATION}}, date = {2022-04-02}, organization = {institute for advanced threats}, url = {https://mp.weixin.qq.com/s/tBQSbv55lJUipaPWFr1fKw}, language = {Chinese}, urldate = {2022-04-05} } @online{center:20220509:ransomwareasaservice:3dac44d, author = {Microsoft Threat Intelligence Center and Microsoft 365 Defender Threat Intelligence Team}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft Security}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/}, language = {English}, urldate = {2022-06-02} } @online{center:20220518:filesyncshelldll:4266601, author = {360 Threat Intelligence Center}, title = {{filesyncshell.dll hijacked? APT-C-24 Sidewinder Briefing on the Latest Attack Activity}}, date = {2022-05-18}, organization = {Weixin}, url = {https://mp.weixin.qq.com/s/qsGxZIiTsuI7o-_XmiHLHg}, language = {Chinese}, urldate = {2022-05-25} } @techreport{centre:20180705:nciipc:2796c50, author = {National Critical Information Infrastructure Protection Centre}, title = {{NCIIPC Newsletter July 2018}}, date = {2018-07-05}, institution = {National Critical Information Infrastructure Protection Centre}, url = {https://nciipc.gov.in/documents/NCIIPC_Newsletter_July18.pdf}, language = {English}, urldate = {2020-01-10} } @online{centre:20210429:saving:cdbd9ca, author = {International Computing Centre}, title = {{Saving World Health Day: UNICC and Group-IB Take Down Scam Campaign Impersonating the World Health Organization}}, date = {2021-04-29}, organization = {International Computing Centre}, url = {https://www.unicc.org/news/2021/04/29/unicc-and-group-ib-take-down-scam-campaign/}, language = {English}, urldate = {2021-05-03} } @online{cepe:20100531:sasfis:7642314, author = {Joseph Cepe}, title = {{SASFIS Malware Uses a New Trick}}, date = {2010-05-31}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/sasfis-malware-uses-a-new-trick/}, language = {English}, urldate = {2020-01-09} } @techreport{cepe:20100531:sasfis:c0eab28, author = {Joseph Cepe}, title = {{SASFIS Malware Uses a New Trick}}, date = {2010-05-31}, institution = {Trend Micro}, url = {https://aptnotes.malwareconfig.com/web/viewer.html?file=../APTnotes/2014/apt28.pdf}, language = {English}, urldate = {2020-01-08} } @online{cerberus:201906:twitter:97cd9de, author = {Android Cerberus}, title = {{Twitter Account of Android Cerberus}}, date = {2019-06}, organization = {Twitter (@AndroidCerberus)}, url = {https://twitter.com/AndroidCerberus}, language = {English}, urldate = {2020-01-09} } @online{cert:20160306:network:f9244d3, author = {thyssenkrupp CERT}, title = {{Network detector for Winnti malware}}, date = {2016-03-06}, organization = {Github (TKCERT)}, url = {https://github.com/TKCERT/winnti-detector}, language = {English}, urldate = {2020-01-07} } @online{cert:20160906:kzcert:3d8bb82, author = {KZ CERT}, title = {{KZ-CERT has analyzed another sample of malicious software, which is a component of targeted attacks (Targeted attacks, Advanced Persistent Threats (APT))}}, date = {2016-09-06}, organization = {KZ CERT}, url = {http://www.kz-cert.kz/page/502}, language = {Kazakh}, urldate = {2019-10-16} } @techreport{cert:20161104:from:a139d13, author = {Antiy CERT}, title = {{FROM EQUATION TO EQUATIONS}}, date = {2016-11-04}, institution = {Antiy CERT}, url = {https://www.antiy.com/response/FROM_EQUATION_TO_EQUATIONS.pdf}, language = {English}, urldate = {2020-08-18} } @online{cert:20180423:energetic:451033f, author = {Kaspersky Lab ICS CERT}, title = {{Energetic Bear/Crouching Yeti: attacks on servers}}, date = {2018-04-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/energetic-bear-crouching-yeti/85345/}, language = {English}, urldate = {2019-12-20} } @online{cert:20180522:nmap:1ee2530, author = {thyssenkrupp CERT}, title = {{Nmap Script to scan for Winnti infections}}, date = {2018-05-22}, organization = {Github (TKCERT)}, url = {https://github.com/TKCERT/winnti-nmap-script}, language = {English}, urldate = {2020-01-07} } @online{cert:20180919::c3b6955, author = {Antiy CERT}, title = {{绿斑”行动——持续多年的攻击}}, date = {2018-09-19}, url = {https://www.antiy.com/response/20180919.html}, language = {English}, urldate = {2020-08-14} } @online{cert:20190124:greyenergys:523e803, author = {Kaspersky Lab ICS CERT}, title = {{GreyEnergy’s overlap with Zebrocy}}, date = {2019-01-24}, organization = {Kaspersky Labs}, url = {https://securelist.com/greyenergys-overlap-with-zebrocy/89506/}, language = {English}, urldate = {2019-12-20} } @online{cert:20190613:advanced:5d2e200, author = {ae CERT}, title = {{Advanced Notification of Cyber Threats against Family of Malware Giving Remote Access to Computers}}, date = {2019-06-13}, organization = {ae CERT}, url = {https://www.tra.gov.ae/assets/mTP39Tp6.pdf.aspx}, language = {English}, urldate = {2021-04-16} } @online{cert:20200522:analysis:fc8e2b2, author = {Antiy CERT}, title = {{Analysis of Ramsay components of Darkhotel's infiltration and isolation network}}, date = {2020-05-22}, organization = {Antiy CERT}, url = {https://www.antiy.cn/research/notice&report/research_report/20200522.html}, language = {Chinese}, urldate = {2020-05-23} } @online{cert:20200616:active:1c01229, author = {New Zealand CERT}, title = {{Active ransomware campaign leveraging remote access technologies}}, date = {2020-06-16}, organization = {New Zealand CERT}, url = {https://www.cert.govt.nz/it-specialists/advisories/active-ransomware-campaign-leveraging-remote-access-technologies/}, language = {English}, urldate = {2020-06-21} } @online{cert:20200617:targeted:4a2a126, author = {Kaspersky Lab ICS CERT}, title = {{Targeted attacks on industrial companies using Snake ransomware}}, date = {2020-06-17}, organization = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/alerts/2020/06/17/targeted-attacks-on-industrial-companies-using-snake-ransomware/}, language = {English}, urldate = {2020-06-18} } @techreport{cert:20200924:threat:2d7986d, author = {Kaspersky Lab ICS CERT}, title = {{Threat landscape for industrial automation systems - H1 2020}}, date = {2020-09-24}, institution = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf}, language = {English}, urldate = {2020-10-04} } @techreport{cert:20201105:attackson:62f1e26, author = {Kaspersky Lab ICS CERT and Vyacheslav Kopeytsev}, title = {{Attackson industrial enterprises using RMS and TeamViewer: new data}}, date = {2020-11-05}, institution = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/media/Kaspersky-Attacks-on-industrial-enterprises-using-RMS-and-TeamViewer-EN.pdf}, language = {English}, urldate = {2020-11-06} } @online{cert:20201223:solarwindsapt:a237c40, author = {Qi AnXin CERT}, title = {{从Solarwinds供应链攻击(金链熊)看APT行动中的隐蔽作战}}, date = {2020-12-23}, organization = {Qianxin}, url = {https://mp.weixin.qq.com/s/UqXC1vovKUu97569LkYm2Q}, language = {Chinese}, urldate = {2020-12-23} } @online{cert:20201228:civerids:b40d172, author = {Antiy CERT}, title = {{"Civerids" organization vs. Middle East area attack activity analysis report}}, date = {2020-12-28}, organization = {Antiy CERT}, url = {https://www.antiy.cn/research/notice&report/research_report/20201228.html}, language = {Chinese}, urldate = {2021-01-04} } @online{cert:20210126:sunburst:0170800, author = {Kaspersky Lab ICS CERT}, title = {{SunBurst industrial victims}}, date = {2021-01-26}, organization = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/reports/2021/01/26/sunburst-industrial-victims/}, language = {English}, urldate = {2021-01-27} } @online{cert:20210221:analysis:84134cb, author = {Antiy CERT}, title = {{Analysis report on the attack activities of the "Baby Elephant" against Pakistani defense manufacturers}}, date = {2021-02-21}, organization = {Antiy}, url = {https://mp.weixin.qq.com/s/y2kRbYCt94yPu-5jtcZ_AA}, language = {Chinese}, urldate = {2021-02-25} } @online{cert:20210705:analysis:5047c28, author = {Antiy CERT}, title = {{Analysis of "Bitter Elephant" organization's attacks against country in the first half of the year}}, date = {2021-07-05}, organization = {Antiy}, url = {https://mp.weixin.qq.com/s/dHiYZyJXoy2LLXtElcYeog}, language = {Chinese}, urldate = {2021-07-12} } @techreport{cert:20211026:attacks:6f30d0f, author = {Kaspersky Lab ICS CERT}, title = {{APT attacks on industrial organizations in H1 2021}}, date = {2021-10-26}, institution = {Kaspersky}, url = {https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf}, language = {English}, urldate = {2021-11-08} } @online{cert:20211216:pseudomanuscrypt:808ef18, author = {Kaspersky Lab ICS CERT}, title = {{PseudoManuscrypt: a mass-scale spyware attack campaign}}, date = {2021-12-16}, url = {https://ics-cert.kaspersky.com/reports/2021/12/16/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/}, language = {English}, urldate = {2021-12-23} } @online{cert:20211216:pseudomanuscrypt:d59d94e, author = {Kaspersky Lab ICS CERT}, title = {{PseudoManuscrypt: a mass-scale spyware attack campaign}}, date = {2021-12-16}, organization = {Kaspersky}, url = {https://securelist.com/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/105286/}, language = {English}, urldate = {2021-12-23} } @online{certagid:20200713:campagna:1da46a9, author = {Cert-AgID}, title = {{Campagna sLoad v.2.9.3 veicolata via PEC}}, date = {2020-07-13}, organization = {Cert-AgID}, url = {https://cert-agid.gov.it/news/campagna-sload-v-2-9-3-veicolata-via-pec/}, language = {Italian}, urldate = {2020-07-15} } @online{certagid:20201231:simplify:1a7bcd2, author = {Cert-AgID}, title = {{Simplify Emotet parsing with Python and iced x86}}, date = {2020-12-31}, organization = {Cert-AgID}, url = {https://cert-agid.gov.it/news/malware/semplificare-lanalisi-di-emotet-con-python-e-iced-x86/}, language = {Italian}, urldate = {2021-01-05} } @online{certagid:20210125:individuato:81951d8, author = {Cert-AgID}, title = {{Individuato sito che veicola in Italia un APK malevolo}}, date = {2021-01-25}, organization = {Cert-AgID}, url = {https://cert-agid.gov.it/news/individuato-sito-che-veicola-in-italia-un-apk-malevolo/}, language = {Italian}, urldate = {2021-02-02} } @online{certagid:20210127:oscorp:94a1a19, author = {Cert-AgID}, title = {{Oscorp, il “solito” malware per Android}}, date = {2021-01-27}, organization = {Cert-AgID}, url = {https://cert-agid.gov.it/news/oscorp-il-solito-malware-per-android/}, language = {Italian}, urldate = {2021-02-02} } @online{certbr:20210318:communiqu:cc24235, author = {CERT-BR}, title = {{Communiqué de presse: 400 systèmes informatique belges infiltrés dans le cadre d'une vulnérabilité des serveurs Microsoft Exchange}}, date = {2021-03-18}, organization = {CERT-BR}, url = {https://www.cert.be/fr/news/communique-de-presse-400-systemes-informatique-belges-infiltres-dans-le-cadre-dune}, language = {French}, urldate = {2021-03-19} } @online{certbund:20191108:spam:0630ad5, author = {CERT-Bund}, title = {{Tweet on Spam Mails containing MAZE}}, date = {2019-11-08}, organization = {Twitter (@certbund)}, url = {https://twitter.com/certbund/status/1192756294307995655}, language = {English}, urldate = {2020-01-08} } @techreport{certbund:20210319:microsoft:beb2409, author = {CERT-Bund}, title = {{Microsoft Exchange Schwachstellen Detektion und Reaktion (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)}}, date = {2021-03-19}, institution = {Bundesamt für Sicherheit in der Informationstechnik}, url = {https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/Vorfaelle/Exchange-Schwachstellen-2021/MSExchange_Schwachstelle_Detektion_Reaktion.pdf}, language = {English}, urldate = {2021-03-22} } @techreport{certee:20210127:gamaredon:5d273c4, author = {CERT-EE}, title = {{Gamaredon Infection: From Dropper to Entry}}, date = {2021-01-27}, institution = {Estonian Information System Authority}, url = {https://www.ria.ee/sites/default/files/js/tale_of_gamaredon_infection.pdf}, language = {English}, urldate = {2021-03-31} } @online{certem:20180803:certfr:65e03cf, author = {CERT-EM}, title = {{CERT-FR ALERT BULLETIN}}, date = {2018-08-03}, organization = {CERT-EM}, url = {https://www.cert.ssi.gouv.fr/alerte/CERTFR-2018-ALE-008/}, language = {French}, urldate = {2020-01-08} } @techreport{certeu:20200603:cyber:681a7c2, author = {CERT-EU}, title = {{Cyber brief (June2020)}}, date = {2020-06-03}, institution = {CERT-EU}, url = {https://media.cert.europa.eu/static/MEMO/2020/TLP-WHITE-CERT-EU-CYBER-BRIEF-20-06%20v1.1.pdf}, language = {English}, urldate = {2020-06-05} } @online{certfr:20191122:rapport:c457ee8, author = {CERT-FR}, title = {{RAPPORT MENACES ET INCIDENTS DU CERT-FR}}, date = {2019-11-22}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/cti/CERTFR-2019-CTI-009/}, language = {French}, urldate = {2020-01-07} } @online{certfr:20200318:rapport:abbc7c4, author = {CERT-FR}, title = {{Rapport Menaces et Incidents du CERT-FR: Attaques par le rançongiciel Mespinoza/Pysa}}, date = {2020-03-18}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/cti/CERTFR-2020-CTI-002/}, language = {French}, urldate = {2020-03-26} } @techreport{certfr:20200423:le:4dbca96, author = {CERT-FR}, title = {{LE GROUPE CYBERCRIMINEL SILENCE}}, date = {2020-04-23}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-004.pdf}, language = {French}, urldate = {2020-05-07} } @online{certfr:20200525:indicateurs:642332f, author = {CERT-FR}, title = {{INDICATEURS DE COMPROMISSION DU CERT-FR - Objet: Le code malveillant Dridex}}, date = {2020-05-25}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/ioc/CERTFR-2020-IOC-003/}, language = {French}, urldate = {2020-06-03} } @techreport{certfr:20200525:le:ac94f72, author = {CERT-FR}, title = {{Le Code Malveillant Dridex: Origines et Usages}}, date = {2020-05-25}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-005.pdf}, language = {French}, urldate = {2020-05-26} } @techreport{certfr:20200622:volution:fba1cfa, author = {CERT-FR}, title = {{Évolution De Lactivité du Groupe Cybercriminel TA505}}, date = {2020-06-22}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf}, language = {French}, urldate = {2020-06-24} } @techreport{certfr:20200717:malware:5c58cdf, author = {CERT-FR}, title = {{The Malware Dridex: Origins and Uses}}, date = {2020-07-17}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf}, language = {English}, urldate = {2020-07-20} } @techreport{certfr:20200820:development:d518522, author = {CERT-FR}, title = {{Development of the Activity of the TA505 Cybercriminal Group}}, date = {2020-08-20}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf}, language = {English}, urldate = {2020-08-28} } @online{certfr:20200907:bulletin:f7b2023, author = {CERT-FR}, title = {{Bulletin d'alerte du CERT-FR: Recrudescence d’activité Emotet en France}}, date = {2020-09-07}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-019/}, language = {English}, urldate = {2020-09-15} } @techreport{certfr:20201029:le:d296223, author = {CERT-FR}, title = {{LE MALWARE-AS-A-SERVICE EMOTET}}, date = {2020-10-29}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf}, language = {English}, urldate = {2020-11-04} } @techreport{certfr:20210127:sandword:7f2e586, author = {CERT-FR}, title = {{Sandword Intrusion Set: Campaign Targeting Centreon Ssystems}}, date = {2021-01-27}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf}, language = {English}, urldate = {2021-03-02} } @techreport{certfr:20210212:malwareaaaservice:c6454b5, author = {CERT-FR}, title = {{The Malware-Aa-A-Service Emotet}}, date = {2021-02-12}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-003.pdf}, language = {English}, urldate = {2021-02-20} } @techreport{certfr:20210225:ryuk:7895e12, author = {CERT-FR}, title = {{Ryuk Ransomware}}, date = {2021-02-25}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf}, language = {English}, urldate = {2021-03-02} } @online{certfr:20210302:egregor:f0da4ec, author = {CERT-FR}, title = {{The Egregor Ransomware}}, date = {2021-03-02}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-007/}, language = {English}, urldate = {2021-06-29} } @techreport{certfr:20211202:phishing:c22ef4f, author = {CERT-FR}, title = {{Phishing Campaigns by the Nobelium Intrusion Set}}, date = {2021-12-02}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf}, language = {English}, urldate = {2021-12-07} } @online{certfr:20211206:phishing:c58da54, author = {CERT-FR}, title = {{Phishing campaigns by the Nobelium intrusion set}}, date = {2021-12-06}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-011/}, language = {English}, urldate = {2021-12-07} } @techreport{certil:20170424:wave:d0c610f, author = {CERT-IL}, title = {{Wave attacks against government agencies, academia and business entities in Israel}}, date = {2017-04-24}, institution = {CERT-IL}, url = {https://www.gov.il/BlobFolder/reports/attack_il/he/CERT-IL-ALERT-W-120.pdf}, language = {Hebrew}, urldate = {2020-05-18} } @online{certopmd:20190110:dnspionage:88c7100, author = {CERT-OPMD}, title = {{[DNSPIONAGE] – Focus on internal actions}}, date = {2019-01-10}, organization = {CERT-OPMD}, url = {https://blog-cert.opmd.fr/dnspionage-focus-on-internal-actions/}, language = {English}, urldate = {2020-01-09} } @online{certpa:20190110:divergent:c0ab442, author = {Cert-PA}, title = {{“Divergent” malware Fileless}}, date = {2019-01-10}, organization = {Cert-Pa}, url = {https://www.cert-pa.it/notizie/devergent-malware-fileless/}, language = {Italian}, urldate = {2019-11-23} } @online{certpa:20200310:campagna:dac7559, author = {Cert-PA}, title = {{Campagna sLoad “Star Wars Edition” veicolata via PEC}}, date = {2020-03-10}, organization = {Cert-Pa}, url = {https://www.cert-pa.it/notizie/campagna-sload-star-wars-edition-veicolata-via-pec/}, language = {Italian}, urldate = {2020-03-11} } @online{certpa:20200323:pwndlocker:3607042, author = {Cert-PA}, title = {{PwndLocker si rinnova in ProLock Ransomware}}, date = {2020-03-23}, organization = {Cert-Pa}, url = {https://www.cert-pa.it/notizie/pwndlocker-si-rinnova-in-prolock-ransomware/}, language = {Italian}, urldate = {2020-03-25} } @techreport{certpl:20110603:botnet:fd65588, author = {CERT.PL}, title = {{Botnet Hamweq - analiza}}, date = {2011-06-03}, institution = {CERT Polska / NASK}, url = {https://www.cert.pl/wp-content/uploads/2011/06/201106_hamweq.pdf}, language = {Polish}, urldate = {2019-11-28} } @online{certpl:20141215:banatrix:ff1a5a2, author = {CERT.PL}, title = {{Banatrix – an indepth look}}, date = {2014-12-15}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/banatrix-an-indepth-look/}, language = {English}, urldate = {2019-10-23} } @online{certpl:20151110:talking:d93cf24, author = {CERT.PL}, title = {{Talking to Dridex (part 0) – inside the dropper}}, date = {2015-11-10}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/talking-dridex-part-0-inside-the-dropper/}, language = {English}, urldate = {2020-01-06} } @techreport{certpl:201512:zeusp2p:47dc4ed, author = {CERT.PL}, title = {{ZeuS-P2P monitoring and analysis}}, date = {2015-12}, institution = {CERT.PL}, url = {https://www.cert.pl/wp-content/uploads/2015/12/2013-06-p2p-rap_en.pdf}, language = {English}, urldate = {2020-01-13} } @online{certpl:20191118:brushaloader:f75d346, author = {CERT.PL}, title = {{Brushaloader gaining new layers like a pro}}, date = {2019-11-18}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/brushaloader-gaining-new-layers-like-a-pro/}, language = {English}, urldate = {2020-01-13} } @online{certpl:20211027:vidar:8fe3984, author = {CERT.PL}, title = {{Vidar stealer campaign targeting Baltic region and NATO entities}}, date = {2021-10-27}, organization = {CERT.PL}, url = {https://cert.pl/en/posts/2021/10/vidar-campaign/}, language = {English}, urldate = {2021-11-02} } @online{certua:20180903:bulk:09fa177, author = {Cert-UA}, title = {{Bulk mailing of spyware like Pterodo}}, date = {2018-09-03}, organization = {Cert-UA}, url = {https://cert.gov.ua/news/42}, language = {Ukrainian}, urldate = {2020-01-08} } @online{certua:20181115:pterodo:3ed19e5, author = {Cert-UA}, title = {{Виявлена підготовка до проведення кібератаки з використанням ШПЗ типу Pterodo}}, date = {2018-11-15}, organization = {Cert-UA}, url = {https://cert.gov.ua/news/46}, language = {Ukrainian}, urldate = {2020-01-13} } @online{certua:20220126:fragment:f64191e, author = {Cert-UA}, title = {{Fragment of cyberattack research 14.01.2022}}, date = {2022-01-26}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/18101}, language = {Ukrainian}, urldate = {2022-01-28} } @online{certua:20220202:uac0056:c1fdb5c, author = {Cert-UA}, title = {{UAC-0056 cyberattack on Ukrainian state organizations using SaintBot and OutSteel malware (CERT-UA#3799)}}, date = {2022-02-02}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/18419}, language = {Ukrainian}, urldate = {2022-05-04} } @online{certua:20220218:information:122b8b2, author = {Cert-UA}, title = {{Information on cyberattacks 15 February 2022}}, date = {2022-02-18}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/37139}, language = {Ukrainian}, urldate = {2022-05-04} } @online{certua:20220307:uac0051:18afbc7, author = {Cert-UA}, title = {{UAC-0051 (UNC1151) Cyberattack on Ukrainian State Organizations Using MicroBackdoor Malware (CERT-UA#4109)}}, date = {2022-03-07}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/37626}, language = {Ukrainian}, urldate = {2022-03-08} } @online{certua:20220311:cyberattack:1e34a52, author = {Cert-UA}, title = {{Cyberattack on Ukrainian state authorities using the Cobalt Strike Beacon (CERT-UA#4145)}}, date = {2022-03-11}, url = {https://cert.gov.ua/article/37704}, language = {Ukrainian}, urldate = {2022-03-14} } @online{certua:20220322:cyberattack:e5a60d7, author = {Cert-UA}, title = {{Cyberattack on Ukrainian enterprises using the DoubleZero destructor program (CERT-UA # 4243)}}, date = {2022-03-22}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/38088}, language = {Ukrainian}, urldate = {2022-03-23} } @online{certua:20220322:uac0026:526ce2b, author = {Cert-UA}, title = {{Uac-0026 cyberattack using HeaderTip malware (CERT-UA#4244)}}, date = {2022-03-22}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/38097}, language = {Ukrainian}, urldate = {2022-04-04} } @online{certua:20220328:uac0056:46919e1, author = {Cert-UA}, title = {{UAC-0056 cyberattack on Ukrainian state authorities using GraphSteel and GrimPlant malware (CERT-UA#4293)}}, date = {2022-03-28}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/38374}, language = {Ukrainian}, urldate = {2022-03-31} } @online{certua:20220330:mass:5bc04fd, author = {Cert-UA}, title = {{Mass distribution of the MarsStealer malware among citizens of Ukraine and domestic organizations (CERT-UA#4315)}}, date = {2022-03-30}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/38606}, language = {Ukrainian}, urldate = {2022-04-04} } @online{certua:20220404:cyber:d319b18, author = {Cert-UA}, title = {{Cyber ​​attack of UAC-0010 group (Armageddon) on state organizations of Ukraine (CERT-UA # 4378)}}, date = {2022-04-04}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/39138}, language = {Ukrainian}, urldate = {2022-04-12} } @online{certua:20220405:information:b3685e0, author = {Cert-UA}, title = {{Information on cyberattacks aimed at gaining access to Telegram accounts (CERT-UA#4360)}}, date = {2022-04-05}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/39253}, language = {Ukrainian}, urldate = {2022-04-07} } @online{certua:20220412:cyberattack:5f28c75, author = {Cert-UA}, title = {{Cyberattack of Sandworm Group (UAC-0082) on energy facilities of Ukraine using malicious programs INDUSTROYER2 and CADDYWIPER (CERT-UA # 4435)}}, date = {2022-04-12}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/39518}, language = {Ukrainian}, urldate = {2022-05-25} } @online{certua:20220414:cyberattack:915dfa7, author = {Cert-UA}, title = {{Cyberattack on Ukrainian state organizations using IcedID malware (CERT-UA#4464)}}, date = {2022-04-14}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/39609}, language = {Ukrainian}, urldate = {2022-04-20} } @online{certua:20220428:malicious:7c130c8, author = {Cert-UA}, title = {{Malicious JavaScript-code BrownFlood injected into web-sites used for DDoS attacks (CERT-UA#4553)}}, date = {2022-04-28}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/39925}, language = {Ukrainian}, urldate = {2022-05-03} } @online{certua:20220507:mass:5933c0a, author = {Cert-UA}, title = {{Mass distribution of JesterStealer malware using chemical attack themes (CERT-UA#4625)}}, date = {2022-05-07}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/40135}, language = {Ukrainian}, urldate = {2022-05-17} } @online{certua:20220512:uac0010:582178b, author = {Cert-UA}, title = {{Uac-0010 (Armageddon) cyberattacks using GammaLoad.PS1_v2 malware (CERT-UA#4634,4648)}}, date = {2022-05-12}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/40240}, language = {Ukrainian}, urldate = {2022-05-17} } @online{certua:20220624:cyberattack:c247b3d, author = {Cert-UA}, title = {{Cyberattack against Ukrainian telecommunications operators using DarkCrystal RAT malware (CERT-UA # 4874)}}, date = {2022-06-24}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/405538}, language = {Ukrainian}, urldate = {2022-06-27} } @online{ch0sys:20170615:dubrute:3cb7c5a, author = {ch0sys}, title = {{DUBrute}}, date = {2017-06-15}, organization = {Github (ch0sys)}, url = {https://github.com/ch0sys/DUBrute}, language = {English}, urldate = {2020-01-08} } @online{chalard:20211220:dont:0aad3db, author = {Nick Chalard}, title = {{(Don't) Bring Dridex Home for the Holidays}}, date = {2021-12-20}, organization = {InQuest}, url = {https://inquest.net/blog/2021/12/20/dont-bring-dridex-home-holidays}, language = {English}, urldate = {2021-12-22} } @online{chalupowski:20210201:bazarloader:61a163a, author = {Lilly Chalupowski}, title = {{BazarLoader Mocks Researchers in December 2020 Malspam Campaign}}, date = {2021-02-01}, organization = {GoSecure}, url = {https://www.gosecure.net/blog/2021/02/01/bazarloader-mocks-researchers-in-december-2020-malspam-campaign/}, language = {English}, urldate = {2021-02-02} } @online{chalupowski:20211102:new:b68bd68, author = {Lilly Chalupowski}, title = {{New Malware “Gameloader” in Discord Malspam Campaign Identified by GoSecure Titan Labs}}, date = {2021-11-02}, organization = {GoSecure}, url = {https://www.gosecure.net/blog/2021/11/02/new-malware-gameloader-in-discord-malspam-campaign-identified-by-gosecure-titan-labs/}, language = {English}, urldate = {2021-11-03} } @online{chandrayan:20211223:log4j:58ea562, author = {Siddhesh Chandrayan}, title = {{Log4j Vulnerabilities: Attack Insights}}, date = {2021-12-23}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks}, language = {English}, urldate = {2022-01-25} } @online{chang:20160603:sends:176f9ab, author = {Yin Hong Chang and Sudeep Singh}, title = {{APT Group Sends Spear Phishing Emails to Indian Government Officials}}, date = {2016-06-03}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html}, language = {English}, urldate = {2019-12-20} } @online{chang:20170619:erebus:dee1998, author = {Ziv Chang and Gilbert Sison and Jeanne Jocson}, title = {{Erebus Resurfaces as Linux Ransomware}}, date = {2017-06-19}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-linux-ransomware/}, language = {English}, urldate = {2020-01-08} } @online{channell:20200612:what:af937e9, author = {Justin Channell}, title = {{What is the Gibberish Hack?}}, date = {2020-06-12}, organization = {SUCURI}, url = {https://blog.sucuri.net/2020/06/gibberish-hack.html}, language = {English}, urldate = {2020-06-16} } @online{charlie:20200713:fell:f278f19, author = {Charlie}, title = {{Fell Deeds Awake}}, date = {2020-07-13}, organization = {Cofense}, url = {https://cofenselabs.com/fell-deeds-awake/}, language = {English}, urldate = {2020-07-15} } @online{chaturvedi:20200710:deep:f2d16c7, author = {Rohit Chaturvedi and Naveen Selvan}, title = {{Deep Dive Into the M00nD3V Logger}}, date = {2020-07-10}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/deep-dive-m00nd3v-logger}, language = {English}, urldate = {2020-07-16} } @online{chaturvedi:20210414:look:02bf1e0, author = {Rohit Chaturvedi and Atinderpal Singh and Tarun Dewan}, title = {{A look at HydroJiin campaign}}, date = {2021-04-14}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/look-hydrojiin-campaign}, language = {English}, urldate = {2021-04-16} } @online{chaturvedi:20211022:new:c65f106, author = {Stuti Chaturvedi and Amandeep Kumar}, title = {{New MultiloginBot Phishing Campaign}}, date = {2021-10-22}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/new-multiloginbot-phishing-campaign}, language = {English}, urldate = {2021-11-03} } @online{chaturvedi:20220217:freecryptoscam:340b9ec, author = {Stuti Chaturvedi and Aditya Sharma}, title = {{FreeCryptoScam - A New Cryptocurrency Scam That Leads to Installation of Backdoors and Stealers}}, date = {2022-02-17}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/freecryptoscam-new-cryptocurrency-scam-leads-installation-backdoors-and}, language = {English}, urldate = {2022-03-02} } @online{chaudhari:20171003:evolution:5462d67, author = {Pavankumar Chaudhari}, title = {{Evolution of jRAT JAVA Malware}}, date = {2017-10-03}, organization = {Seqrite}, url = {https://blogs.seqrite.com/evolution-of-jrat-java-malware/}, language = {English}, urldate = {2020-01-06} } @online{chaudhari:20200512:java:47c27e7, author = {Pavankumar Chaudhari}, title = {{Java RAT Campaign Targets Co-Operative Banks in India}}, date = {2020-05-12}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/java-rat-campaign-targets-co-operative-banks-in-india/}, language = {English}, urldate = {2020-05-23} } @online{chaudhari:20200810:gorgon:3a961be, author = {Pavankumar Chaudhari}, title = {{Gorgon APT targeting MSME sector in India}}, date = {2020-08-10}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/gorgon-apt-targeting-msme-sector-in-india/}, language = {English}, urldate = {2020-08-13} } @online{chaudhari:20201218:rat:50074a2, author = {Pavankumar Chaudhari}, title = {{RAT used by Chinese cyberspies infiltrating Indian businesses}}, date = {2020-12-18}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/rat-used-by-chinese-cyberspies-infiltrating-indian-businesses/}, language = {English}, urldate = {2020-12-18} } @online{chebesov:20211028:cannibal:883dcbe, author = {Ruslan Chebesov and Sergey Kokurin}, title = {{Cannibal Carders}}, date = {2021-10-28}, organization = {Group-IB}, url = {https://blog.group-ib.com/cannibal-carders}, language = {English}, urldate = {2021-11-03} } @online{chebyshev:20200225:mobile:e40c963, author = {Victor Chebyshev}, title = {{Mobile malware evolution 2019}}, date = {2020-02-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/mobile-malware-evolution-2019/96280/}, language = {English}, urldate = {2020-02-26} } @online{checkmal:20210726:whiteblackgroup:397b3d3, author = {CheckMal}, title = {{WhiteBlackGroup Ransomware (.encrpt3d)}}, date = {2021-07-26}, organization = {CheckMal}, url = {https://www.checkmal.com/video/read/3605/}, language = {English}, urldate = {2022-03-07} } @techreport{checkpoint:20131212:malware:45645af, author = {Checkpoint}, title = {{Malware Research Group HIMAN Malware Analysis}}, date = {2013-12-12}, institution = {Checkpoint}, url = {https://www.checkpoint.com/threatcloud-central/downloads/check-point-himan-malware-analysis.pdf}, language = {English}, urldate = {2019-12-17} } @online{checkpoint:20190204:speakup:9fa2718, author = {Checkpoint}, title = {{SpeakUp: A New Undetected Backdoor Linux Trojan}}, date = {2019-02-04}, organization = {Checkpoint}, url = {https://research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/}, language = {English}, urldate = {2019-07-11} } @online{checkpoint:20200721:how:5980135, author = {Checkpoint}, title = {{How scammers are hiding their phishing trips in public clouds}}, date = {2020-07-21}, organization = {Checkpoint}, url = {https://blog.checkpoint.com/2020/07/21/how-scammers-are-hiding-their-phishing-trips-in-public-clouds/}, language = {English}, urldate = {2020-07-30} } @online{checkpoint:20220510:infostealer:33aee4a, author = {Checkpoint}, title = {{Info-stealer Campaign targets German Car Dealerships and Manufacturers}}, date = {2022-05-10}, organization = {Checkpoint}, url = {https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/}, language = {English}, urldate = {2022-05-13} } @online{chee:20220404:uncommon:1b240dc, author = {Max Chee}, title = {{Uncommon office malware stagers}}, date = {2022-04-04}, organization = {Medium (csg-govtech)}, url = {https://medium.com/csg-govtech/uncommon-office-malware-stagers-dad49a8f2054}, language = {English}, urldate = {2022-04-07} } @online{chen:20140602:sinowal:6d7af96, author = {Chao Chen}, title = {{Sinowal banking trojan}}, date = {2014-06-02}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2014/06/sinowal-banking-trojan}, language = {English}, urldate = {2020-01-10} } @online{chen:20151217:slembunk:df100af, author = {Zhaofeng Chen and Jimmy Su and Wu Zhou and Jing Xie and Heqing Huang}, title = {{SlemBunk: An Evolving Android Trojan Family Targeting Users of Worldwide Banking Apps}}, date = {2015-12-17}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html}, language = {English}, urldate = {2019-12-20} } @online{chen:20160622:after:aaa03f7, author = {Joseph C Chen}, title = {{After Angler: Shift in Exploit Kit Landscape and New Crypto-Ransomware Activity}}, date = {2016-06-22}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/angler-shift-ek-landscape-new-crytpo-ransomware-activity/}, language = {English}, urldate = {2019-10-12} } @online{chen:20161027:blackgear:00f52d4, author = {Joey Chen and MingYen Hsieh}, title = {{BLACKGEAR Espionage Campaign Evolves, Adds Japan To Target List}}, date = {2016-10-27}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-espionage-campaign-evolves-adds-japan-target-list/}, language = {English}, urldate = {2019-12-18} } @online{chen:20171107:redbaldknightbronze:63a08fe, author = {Joey Chen and MingYen Hsieh}, title = {{REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography}}, date = {2017-11-07}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/}, language = {English}, urldate = {2020-01-09} } @online{chen:20180717:blackgear:69b5213, author = {Joey Chen}, title = {{Blackgear Cyberespionage Campaign Resurfaces, Abuses Social Media for C&C Communication}}, date = {2018-07-17}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-cyberespionage-campaign-resurfaces-abuses-social-media-for-cc-communication/}, language = {English}, urldate = {2020-01-13} } @online{chen:20180918:magecart:af83872, author = {Joseph C Chen}, title = {{Magecart Skimming Attack Targets Mobile Users of Hotel Chain Booking Websites}}, date = {2018-09-18}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/magecart-skimming-attack-targets-mobile-users-of-hotel-chain-booking-websites/}, language = {English}, urldate = {2020-01-08} } @online{chen:20190418:predator:5135f9f, author = {Yueh-Ting Chen and Evgeny Ananin}, title = {{Predator the Thief: New Routes of Delivery}}, date = {2019-04-18}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/predator-the-thief-new-routes-delivery.html}, language = {English}, urldate = {2019-12-17} } @online{chen:20190503:mirrorthief:05f07e5, author = {Joseph C Chen}, title = {{Mirrorthief Group Uses Magecart Skimming Attack to Hit Hundreds of Campus Online Stores in US and Canada}}, date = {2019-05-03}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada/}, language = {English}, urldate = {2019-11-27} } @online{chen:20191009:fin6:11bb05d, author = {Joseph C. Chen}, title = {{FIN6 Compromised E-commerce Platform via Magecart to Inject Credit Card Skimmers Into Thousands of Online Shops}}, date = {2019-10-09}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops/}, language = {English}, urldate = {2020-02-25} } @techreport{chen:20191129:operation:16f5aaa, author = {Joey Chen and Hiroyuki Kakara and Masaoki Shoji}, title = {{Operation ENDTRADE:TICK: 2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data}}, date = {2019-11-29}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf}, language = {English}, urldate = {2020-06-02} } @online{chen:20191129:operation:749d75d, author = {Joey Chen and Hiroyuki Kakara and Masaoki Shoji}, title = {{Operation ENDTRADE: Finding Multi-Stage Backdoors that TICK}}, date = {2019-11-29}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/}, language = {English}, urldate = {2019-12-17} } @online{chen:20200217:clambling:1a0bb8e, author = {Theo Chen and Zero Chen}, title = {{CLAMBLING - A New Backdoor Base On Dropbox}}, date = {2020-02-17}, organization = {Talent-Jump Technologies}, url = {http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/}, language = {English}, urldate = {2020-03-30} } @online{chen:20200512:tropic:8fff7a4, author = {Joey Chen}, title = {{Tropic Trooper’s Back: USBferry Attack Targets Air-gapped Environments}}, date = {2020-05-12}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-troopers-back-usbferry-attack-targets-air-gapped-environments/}, language = {English}, urldate = {2020-05-14} } @techreport{chen:20200512:tropic:a3285d0, author = {Joey Chen}, title = {{Tropic Trooper’s Back: USBferry Attack Targets Air-gapped Environments (Technical Brief)}}, date = {2020-05-12}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf}, language = {English}, urldate = {2020-05-14} } @online{chen:20200626:us:8bce65c, author = {Joseph C Chen}, title = {{US Local Government Services Targeted by New Magecart Credit Card Skimming Attack}}, date = {2020-06-26}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/us-local-government-services-targeted-by-new-magecart-credit-card-skimming-attack/}, language = {English}, urldate = {2020-06-30} } @techreport{chen:20200804:operation:4cf417f, author = {Chung-Kuan Chen and Inndy Lin and Shang-De Jiang}, title = {{Operation Chimera - APT Operation Targets Semiconductor Vendors}}, date = {2020-08-04}, institution = {BlackHat}, url = {https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf}, language = {English}, urldate = {2020-11-04} } @online{chen:20200806:water:e7860e3, author = {Marshall Chen and Loseway Lu and Yorkbing Yap and Fyodor Yarochkin}, title = {{Water Nue Phishing Campaign Targets C-Suite’s Office 365 Accounts}}, date = {2020-08-06}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/water-nue-campaign-targets-c-suites-office-365-accounts/}, language = {English}, urldate = {2020-08-13} } @online{chen:20200902:cybersquatting:b5f5a8f, author = {Zhanhao Chen and Janos Szurdi}, title = {{Cybersquatting: Attackers Mimicking Domains of Major Brands Including Facebook, Apple, Amazon and Netflix to Scam Consumers}}, date = {2020-09-02}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/cybersquatting/}, language = {English}, urldate = {2021-07-02} } @online{chen:20201109:closer:b1c72cf, author = {Jin Chen and Tao Yan and Taojie Wang and Yu Fu}, title = {{A Closer Look at the Web Skimmer}}, date = {2020-11-09}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/web-skimmer/}, language = {English}, urldate = {2020-11-11} } @online{chen:20201209:sidewinder:a454abd, author = {Joseph C Chen and Jaromír Hořejší and Ecular Xu}, title = {{SideWinder Leverages South Asian Territorial Issues for Spear Phishing and Mobile Device Attacks}}, date = {2020-12-09}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html}, language = {English}, urldate = {2020-12-10} } @online{chen:20210203:hildegard:f3ca3bc, author = {Jay Chen and Aviv Sasson and Ariel Zelivansky}, title = {{Hildegard: New TeamTNT Malware Targeting Kubernetes}}, date = {2021-02-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/}, language = {English}, urldate = {2021-02-04} } @online{chen:20210707:biopass:88dcdc2, author = {Joseph C Chen and Kenney Lu and Jaromír Hořejší and Gloria Chen}, title = {{BIOPASS RAT: New Malware Sniffs Victims via Live Streaming}}, date = {2021-07-07}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html}, language = {English}, urldate = {2021-07-19} } @online{chen:20211014:analyzing:ae5c6a4, author = {Marshall Chen and Loseway Lu and Paul Pajares and Fyodor Yarochkin}, title = {{Analyzing Email Services Abused for Business Email Compromise}}, date = {2021-10-14}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_in/research/21/j/analyzing-email-services-abused-for-business-email-compromise.html}, language = {English}, urldate = {2021-10-26} } @online{chen:20211229:strategically:0d2fa74, author = {Zhanhao Chen and Daiping Liu and Wanjin Li and Jielong Xu}, title = {{Strategically Aged Domain Detection: Capture APT Attacks With DNS Traffic Trends}}, date = {2021-12-29}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/}, language = {English}, urldate = {2022-01-05} } @online{chen:20220502:moshen:1969df2, author = {Joey Chen and Amitai Ben Shushan Ehrlich}, title = {{Moshen Dragon’s Triad-and-Error Approach | Abusing Security Software to Sideload PlugX and ShadowPad}}, date = {2022-05-02}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/}, language = {English}, urldate = {2022-05-04} } @online{chen:20220609:aoqin:134698f, author = {Joey Chen}, title = {{Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years}}, date = {2022-06-09}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/}, language = {English}, urldate = {2022-06-09} } @online{cheng:20170421:china:8c7d327, author = {Jonathan Cheng and Josh Chin}, title = {{China Hacked South Korea Over Missile Defense, U.S. Firm Says}}, date = {2017-04-21}, organization = {The Wall Street Journal}, url = {https://www.wsj.com/articles/chinas-secret-weapon-in-south-korea-missile-fight-hackers-1492766403}, language = {English}, urldate = {2020-08-17} } @online{cheng:20170421:china:ab10228, author = {Jonathan Cheng and Josh Chin}, title = {{China Hacked South Korea Over Missile Defense, U.S. Firm Says}}, date = {2017-04-21}, organization = {The Wall Street Journal}, url = {https://www.wsj.com/articles/chinas-secret-weapon-in-south-korea-missile-fight-hackers-1492766403?emailToken=JRrydPtyYnqTg9EyZsw31FwuZ7JNEOKCXF7LaW/HM1DLsjnUp6e6wLgph560pnmiTAN/5ssf7moyADPQj2p2Gc+YkL1yi0zhIiUM9M6aj1HTYQ==}, language = {English}, urldate = {2020-01-06} } @techreport{cherepanov:20141113:roaming:1b09324, author = {Anton Cherepanov}, title = {{Roaming tiger}}, date = {2014-11-13}, institution = {ZeroNights}, url = {http://2014.zeronights.org/assets/files/slides/roaming_tiger_zeronights_2014.pdf}, language = {English}, urldate = {2020-01-09} } @online{cherepanov:20150908:carbanak:c9457cd, author = {Anton Cherepanov}, title = {{Carbanak gang is back and packing new guns}}, date = {2015-09-08}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2015/09/08/carbanak-gang-is-back-and-packing-new-guns/}, language = {English}, urldate = {2019-11-14} } @techreport{cherepanov:20160517:operation:e907b67, author = {Anton Cherepanov}, title = {{Operation Groundbait: Analysis of a surveillance toolkit}}, date = {2016-05-17}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf}, language = {English}, urldate = {2019-10-25} } @online{cherepanov:20160922:book:ec1383a, author = {Anton Cherepanov}, title = {{Book of Eli: African targeted attacks}}, date = {2016-09-22}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2016/09/22/libya-malware-analysis/}, language = {English}, urldate = {2022-02-14} } @online{cherepanov:20161213:rise:d6ee3c1, author = {Anton Cherepanov}, title = {{The rise of TeleBots: Analyzing disruptive KillDisk attacks}}, date = {2016-12-13}, organization = {ESET Research}, url = {http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/}, language = {English}, urldate = {2019-12-20} } @online{cherepanov:20170523:xdata:98a14a3, author = {Anton Cherepanov}, title = {{XData ransomware making rounds amid global WannaCryptor scare}}, date = {2017-05-23}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/05/23/xdata-ransomware-making-rounds-amid-global-wannacryptor-scare/}, language = {English}, urldate = {2020-01-13} } @online{cherepanov:20170612:industroyer:15f0bec, author = {Anton Cherepanov and Robert Lipovsky}, title = {{Industroyer: Biggest threat to industrial control systems since Stuxnet}}, date = {2017-06-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/}, language = {English}, urldate = {2019-11-14} } @techreport{cherepanov:20170612:win32industroyer:060c0e6, author = {Anton Cherepanov}, title = {{WIN32/INDUSTROYER: A new threat for industrial control systems}}, date = {2017-06-12}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf}, language = {English}, urldate = {2020-01-13} } @online{cherepanov:20170630:telebots:84aa93d, author = {Anton Cherepanov}, title = {{TeleBots are back: Supply‑chain attacks against Ukraine}}, date = {2017-06-30}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/}, language = {English}, urldate = {2019-12-20} } @techreport{cherepanov:20170703:blackenergy:2403feb, author = {Anton Cherepanov and Robert Lipovsky}, title = {{BlackEnergy – what we really know about the notorious cyber attacks}}, date = {2017-07-03}, institution = {ESET Research}, url = {https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Cherepanov-Lipovsky.pdf}, language = {English}, urldate = {2019-10-14} } @online{cherepanov:20170704:analysis:37c48b2, author = {Anton Cherepanov}, title = {{Analysis of TeleBots’ cunning backdoor}}, date = {2017-07-04}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/}, language = {English}, urldate = {2019-11-14} } @online{cherepanov:20171005:industroyer:4406e62, author = {Anton Cherepanov and Robert Lipovsky}, title = {{Industroyer: Biggest threat to industrial control systems since Stuxnet}}, date = {2017-10-05}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/conference/vb2017/abstracts/last-minute-paper-industroyer-biggest-threat-industrial-control-systems-stuxnet/}, language = {English}, urldate = {2020-01-09} } @online{cherepanov:20180709:certificates:ae214b6, author = {Anton Cherepanov}, title = {{Certificates stolen from Taiwanese tech‑companies misused in Plead malware campaign}}, date = {2018-07-09}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/}, language = {English}, urldate = {2019-11-14} } @online{cherepanov:20181011:new:8e588c3, author = {Anton Cherepanov and Robert Lipovsky}, title = {{New TeleBots backdoor: First evidence linking Industroyer to NotPetya}}, date = {2018-10-11}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/}, language = {English}, urldate = {2019-11-14} } @online{cherepanov:20181017:eset:c34687b, author = {Anton Cherepanov and Robert Lipovsky}, title = {{ESET unmasks ‘GREYENERGY’ cyber-espionage group}}, date = {2018-10-17}, organization = {ESET Research}, url = {https://www.eset.com/int/greyenergy-exposed/}, language = {English}, urldate = {2020-01-13} } @online{cherepanov:20181017:greyenergy:f328dbf, author = {Anton Cherepanov and Robert Lipovsky}, title = {{GreyEnergy: Updated arsenal of one of the most dangerous threat actors}}, date = {2018-10-17}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/}, language = {English}, urldate = {2020-01-07} } @techreport{cherepanov:20181018:greyenergy:9885d0c, author = {Anton Cherepanov}, title = {{GREYENERGY: A successor to BlackEnergy}}, date = {2018-10-18}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf}, language = {English}, urldate = {2020-01-09} } @online{cherepanov:20190514:plead:3140588, author = {Anton Cherepanov}, title = {{Plead malware distributed via MitM attacks at router level, misusing ASUS WebStorage}}, date = {2019-05-14}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/}, language = {English}, urldate = {2019-11-14} } @online{cherepanov:20200910:who:2fdc6a6, author = {Anton Cherepanov}, title = {{Who is calling? CDRThief targets Linux VoIP softswitches}}, date = {2020-09-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/09/10/who-callin-cdrthief-linux-voip-softswitches/}, language = {English}, urldate = {2020-09-15} } @online{cherepanov:20201116:lazarus:6b90a77, author = {Anton Cherepanov and Peter Kálnai}, title = {{Lazarus supply‑chain attack in South Korea}}, date = {2020-11-16}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/}, language = {English}, urldate = {2020-11-18} } @online{chester:20170813:analysis:11db4f8, author = {Adam Chester}, title = {{Analysis of APT28 hospitality malware (Part 2)}}, date = {2017-08-13}, url = {https://blog.xpnsec.com/apt28-hospitality-malware-part-2/}, language = {English}, urldate = {2020-01-08} } @online{chester:20190510:exploring:758b4e8, author = {Adam Chester}, title = {{Exploring Mimikatz - Part 1 - WDigest}}, date = {2019-05-10}, organization = {XPN Blog}, url = {https://blog.xpnsec.com/exploring-mimikatz-part-1/}, language = {English}, urldate = {2020-09-01} } @online{chester:20210128:tailoring:d3f973c, author = {Adam Chester}, title = {{Tailoring Cobalt Strike on Target}}, date = {2021-01-28}, organization = {TrustedSec}, url = {https://www.trustedsec.com/blog/tailoring-cobalt-strike-on-target/}, language = {English}, urldate = {2021-01-29} } @online{chiang:20070403:case:5dd68c2, author = {Ken Chiang and Levi Lloyd}, title = {{A Case Study of the Rustock Rootkit and Spam Bot}}, date = {2007-04-03}, organization = {USENIX}, url = {https://www.usenix.org/legacy/event/hotbots07/tech/full_papers/chiang/chiang_html/index.html}, language = {English}, urldate = {2019-12-17} } @techreport{chien:2011:nitro:76c8338, author = {Eric Chien and Gavin O'Gorman}, title = {{The Nitro Attacks}}, date = {2011}, institution = {Symantec}, url = {http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf}, language = {English}, urldate = {2020-01-13} } @online{chierici:20211116:handson:38838d6, author = {Stefano Chierici}, title = {{Hands-On Muhstik Botnet: crypto-mining attacks targeting Kubernetes}}, date = {2021-11-16}, organization = {sysdig}, url = {https://sysdig.com/blog/muhstik-malware-botnet-analysis/}, language = {English}, urldate = {2021-11-25} } @online{chierzi:20211209:evolution:f5eb0ca, author = {Veronica Chierzi}, title = {{The Evolution of IoT Linux Malware Based on MITRE ATT&CK TTPs}}, date = {2021-12-09}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html}, language = {English}, urldate = {2022-01-05} } @online{chili:20180201:operation:305d726, author = {Ivona Alexandra Chili and Bogdan Botezatu}, title = {{Operation PZChao: a possible return of the Iron Tiger APT}}, date = {2018-02-01}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/}, language = {English}, urldate = {2020-01-05} } @online{chimino:20190206:icedid:ef0caad, author = {Itzik Chimino and Limor Kessem and Ophir Harpaz}, title = {{IcedID Operators Using ATSEngine Injection Panel to Hit E-Commerce Sites}}, date = {2019-02-06}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/icedid-operators-using-atsengine-injection-panel-to-hit-e-commerce-sites/}, language = {English}, urldate = {2020-01-08} } @online{chimino:20210623:ursnif:700b0a7, author = {Itzik Chimino}, title = {{Ursnif Leverages Cerberus to Automate Fraudulent Bank Transfers in Italy}}, date = {2021-06-23}, organization = {IBM}, url = {https://securityintelligence.com/posts/ursnif-cerberus-android-malware-bank-transfers-italy/}, language = {English}, urldate = {2021-06-24} } @online{chinnasamy:20220321:emotet:2d27f06, author = {Vinugayathri Chinnasamy}, title = {{Emotet Is Back and Is Deadlier Than Ever! A Rundown of the Emotet Malware}}, date = {2022-03-21}, organization = {Info Security}, url = {https://www.infosecurity-magazine.com/blogs/a-rundown-of-the-emotet-malware/}, language = {English}, urldate = {2022-03-22} } @online{chirgwin:20180110:taiwanese:1ccf7ce, author = {Richard Chirgwin}, title = {{Taiwanese cops give malware-laden USB sticks as prizes for security quiz}}, date = {2018-01-10}, organization = {The Register}, url = {https://www.theregister.co.uk/2018/01/10/taiwanese_police_malware/}, language = {English}, urldate = {2020-01-09} } @online{chiscariu:20210518:darkside:a38ef87, author = {Radu Emanuel Chiscariu}, title = {{DarkSide Ransomware Behavior and Techniques}}, date = {2021-05-18}, organization = {KEYSIGHT TECHNOLOGIES}, url = {https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2021/05/18/darkside_ransomware-QfsV.html}, language = {English}, urldate = {2021-09-20} } @online{chitwadgi:20210405:2020:cc3fe6d, author = {Ashutosh Chitwadgi and Ashkan Hosseini}, title = {{2020 Phishing Trends With PDF Files}}, date = {2021-04-05}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/phishing-trends-with-pdf-files/}, language = {English}, urldate = {2021-04-12} } @online{chiu:20170331:threat:caa8838, author = {Alexander Chiu}, title = {{Threat Round-up for Mar 24 - Mar 31}}, date = {2017-03-31}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2017/03/threat-roundup-0324-0331.html}, language = {English}, urldate = {2021-01-25} } @online{chiu:20170621:player:b44064a, author = {Alex Chiu and Warren Mercer and Jaeson Schultz and Sean Baird and Matthew Molyett}, title = {{Player 1 Limps Back Into the Ring - Hello again, Locky!}}, date = {2017-06-21}, organization = {Cisco}, url = {http://blog.talosintelligence.com/2017/06/necurs-locky-campaign.html}, language = {English}, urldate = {2019-12-17} } @online{chlumeck:20210616:dirtymoe:9e1065a, author = {Martin Chlumecký}, title = {{DirtyMoe: Introduction and General Overview of Modularized Malware}}, date = {2021-06-16}, organization = {Avast Decoded}, url = {https://decoded.avast.io/martinchlumecky/dirtymoe-1/}, language = {English}, urldate = {2021-09-20} } @online{chlumeck:20210811:dirtymoe:4cb640e, author = {Martin Chlumecký}, title = {{DirtyMoe: Rootkit Driver}}, date = {2021-08-11}, organization = {Avast Decoded}, url = {https://decoded.avast.io/martinchlumecky/dirtymoe-rootkit-driver/}, language = {English}, urldate = {2021-09-20} } @online{chlumeck:20210917:dirtymoe:d684802, author = {Martin Chlumecký}, title = {{DirtyMoe: Code Signing Certificate}}, date = {2021-09-17}, organization = {Avast}, url = {https://decoded.avast.io/martinchlumecky/dirtymoe-3/}, language = {English}, urldate = {2021-09-20} } @online{chlumeck:20211103:dirtymoe:93da365, author = {Martin Chlumecký}, title = {{DirtyMoe: Deployment}}, date = {2021-11-03}, organization = {Avast}, url = {https://decoded.avast.io/martinchlumecky/dirtymoe-4/}, language = {English}, urldate = {2021-11-08} } @online{chlumeck:20220316:dirtymoe:48e136e, author = {Martin Chlumecký}, title = {{DirtyMoe: Worming Modules}}, date = {2022-03-16}, organization = {Avast}, url = {https://decoded.avast.io/martinchlumecky/dirtymoe-5/}, language = {English}, urldate = {2022-03-17} } @online{chohan:20180816:chinese:91aaa15, author = {Sanil Chohan and Winnona Desombre and Justin Grosfelt}, title = {{Chinese Cyberespionage Originating From Tsinghua University Infrastructure}}, date = {2018-08-16}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/chinese-cyberespionage-operations/}, language = {English}, urldate = {2020-01-09} } @online{chokepoint:20170417:azazel:0fc47c6, author = {chokepoint}, title = {{Azazel}}, date = {2017-04-17}, organization = {Github (chokepoint)}, url = {https://github.com/chokepoint/azazel}, language = {English}, urldate = {2020-01-10} } @online{chole:20220401:scammers:df7f0da, author = {Vallabh Chole and Oliver Devane}, title = {{Scammers are Exploiting Ukraine Donations}}, date = {2022-04-01}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/scammers-are-exploiting-ukraine-donations/}, language = {English}, urldate = {2022-04-07} } @online{chong:20120416:detailed:3f191a4, author = {Rong Hwa Chong}, title = {{Detailed Analysis Of Sykipot (Smartcard Proxy Variant)}}, date = {2012-04-16}, organization = {SANS}, url = {https://www.sans.org/reading-room/whitepapers/malicious/detailed-analysis-sykipot-smartcard-proxy-variant-33919}, language = {English}, urldate = {2020-01-07} } @online{chong:20130401:trojanaptbanechant:3b8eea7, author = {Rong Hwa Chong}, title = {{Trojan.APT.BaneChant: In-Memory Trojan That Observes for Multiple Mouse Clicks}}, date = {2013-04-01}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html}, language = {English}, urldate = {2020-07-15} } @online{chong:20130618:trojanaptseinup:be546b7, author = {Rong Hwa Chong}, title = {{Trojan.APT.Seinup Hitting ASEAN}}, date = {2013-06-18}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/06/trojan-apt-seinup-hitting-asean.html}, language = {English}, urldate = {2021-02-04} } @online{chris:20140501:hunting:bcefc84, author = {Chris}, title = {{Hunting Hidden Lynx: How OSINT is Crucial for APT Analysis}}, date = {2014-05-01}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/hidden-lynx-analysis/}, language = {English}, urldate = {2020-01-07} } @online{chrisjd20:20170512:powershellwebbackdoor:ceb76d4, author = {chrisjd20}, title = {{powershell_web_backdoor}}, date = {2017-05-12}, organization = {Github (chrisjd20)}, url = {https://github.com/chrisjd20/powershell_web_backdoor}, language = {English}, urldate = {2020-01-06} } @online{christian:20210302:rapid7s:b676aa4, author = {Andrew Christian}, title = {{Rapid7’s InsightIDR Enables Detection And Response to Microsoft Exchange Zero-Day}}, date = {2021-03-02}, organization = {Rapid7 Labs}, url = {https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day}, language = {English}, urldate = {2021-03-10} } @online{chrysaidos:20151104:droidjack:d4ab0f5, author = {Nikolaos Chrysaidos}, title = {{DroidJack isn’t the only spying software out there: Avast discovers OmniRat}}, date = {2015-11-04}, organization = {Avast}, url = {https://blog.avast.com/2015/11/05/droidjack-isnt-the-only-spying-software-out-there-avast-discovers-that-omnirat-is-currently-being-used-and-spread-by-criminals-to-gain-full-remote-co}, language = {English}, urldate = {2019-12-10} } @online{chrysaidos:20171220:new:6ebc559, author = {Nikolaos Chrysaidos}, title = {{New version of mobile malware Catelites possibly linked to Cron cyber gang}}, date = {2017-12-20}, organization = {Avast}, url = {https://blog.avast.com/new-version-of-mobile-malware-catelites-possibly-linked-to-cron-cyber-gang}, language = {English}, urldate = {2020-01-07} } @online{chuangyu:20211222:tracking:5b23633, author = {Know Chuangyu}, title = {{APT Tracking Analytics: Transparent Tribe Attack Activity}}, date = {2021-12-22}, organization = {Know Chuangyu}, url = {https://www.4hou.com/posts/vLzM}, language = {English}, urldate = {2021-12-23} } @online{chumley:20140529:iranian:38c457f, author = {Cheryl K. Chumley}, title = {{Iranian hackers sucker punch U.S. defense officials with creative social-media scam}}, date = {2014-05-29}, organization = {The Washington Times}, url = {https://www.washingtontimes.com/news/2014/may/29/iranian-hackers-sucker-punch-us-defense-heads-crea/}, language = {English}, urldate = {2020-01-06} } @online{chung:20210915:phishing:15f054e, author = {Anna Chung and Swetha Balla}, title = {{Phishing Eager Travelers}}, date = {2021-09-15}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/travel-themed-phishing/}, language = {English}, urldate = {2021-09-19} } @online{ciccarelli:20191121:going:0e7cac5, author = {Mario Ciccarelli}, title = {{Going Deep | A Guide to Reversing Smoke Loader Malware}}, date = {2019-11-21}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/}, language = {English}, urldate = {2020-01-07} } @online{cid:20140318:windigo:7fd6adb, author = {Daniel B. Cid}, title = {{Windigo Linux Analysis – Ebury and Cdorked}}, date = {2014-03-18}, url = {https://blog.sucuri.net/2014/03/windigo-linux-analysis-ebury-and-cdorked.html}, language = {English}, urldate = {2019-12-18} } @online{cimpanu:20160112:trochilus:2b0bc1c, author = {Catalin Cimpanu}, title = {{Trochilus RAT Evades Antivirus Detection, Used for Cyber-Espionage in South-East Asia}}, date = {2016-01-12}, organization = {Softpedia News}, url = {https://news.softpedia.com/news/trochilus-rat-evades-antivirus-detection-used-for-cyber-espionage-in-south-east-asia-498776.shtml}, language = {English}, urldate = {2020-01-13} } @online{cimpanu:20160309:korean:06f01a0, author = {Catalin Cimpanu}, title = {{Korean Energy and Transportation Targets Attacked by OnionDog APT}}, date = {2016-03-09}, organization = {SOFTPEDIA® NEWS}, url = {http://news.softpedia.com/news/korean-energy-and-transportation-targets-attacked-by-oniondog-apt-501534.shtml}, language = {English}, urldate = {2019-12-24} } @online{cimpanu:20160911:free:c125edd, author = {Catalin Cimpanu}, title = {{Free Darktrack RAT Has the Potential of Being the Best RAT on the Market Search}}, date = {2016-09-11}, organization = {Softpedia News}, url = {http://news.softpedia.com/news/free-darktrack-rat-has-the-potential-of-being-the-best-rat-on-the-market-508179.shtml}, language = {English}, urldate = {2019-12-17} } @online{cimpanu:20161209:new:97f5c14, author = {Catalin Cimpanu}, title = {{New Exo Android Trojan Sold on Hacking Forums, Dark Web}}, date = {2016-12-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-exo-android-trojan-sold-on-hacking-forums-dark-web/}, language = {English}, urldate = {2022-06-09} } @online{cimpanu:20161209:proof:25c0bdd, author = {Catalin Cimpanu}, title = {{"Proof of Concept" CryptoWire Ransomware Spawns Lomix and UltraLocker Families}}, date = {2016-12-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/-proof-of-concept-cryptowire-ransomware-spawns-lomix-and-ultralocker-families/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20170104:firecrypt:5b965cd, author = {Catalin Cimpanu}, title = {{FireCrypt Ransomware Comes With a DDoS Component}}, date = {2017-01-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20170117:new:3c28f96, author = {Catalin Cimpanu}, title = {{New GhostAdmin Malware Used for Data Theft and Exfiltration}}, date = {2017-01-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-ghostadmin-malware-used-for-data-theft-and-exfiltration/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20170206:polish:577f33c, author = {Catalin Cimpanu}, title = {{Polish Banks Infected with Malware Hosted on Their Own Government's Site}}, date = {2017-02-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/polish-banks-infected-with-malware-hosted-on-their-own-governments-site/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20170410:longhorn:97fddcb, author = {Catalin Cimpanu}, title = {{Longhorn Cyber-Espionage Group Is Actually the CIA}}, date = {2017-04-10}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/longhorn-cyber-espionage-group-is-actually-the-cia/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20170421:brickerbot:658d8b8, author = {Catalin Cimpanu}, title = {{BrickerBot Author Claims He Bricked Two Million Devices}}, date = {2017-04-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/brickerbot-author-claims-he-bricked-two-million-devices/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20170622:locky:4a088f0, author = {Catalin Cimpanu}, title = {{Locky Ransomware Returns, but Targets Only Windows XP & Vista}}, date = {2017-06-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/locky-ransomware-returns-but-targets-only-windows-xp-and-vista/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20170629:ransomware:d2d7b40, author = {Catalin Cimpanu}, title = {{Ransomware Attacks Continue in Ukraine with Mysterious WannaCry Clone}}, date = {2017-06-29}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-attacks-continue-in-ukraine-with-mysterious-wannacry-clone/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20170826:us:0d7249a, author = {Catalin Cimpanu}, title = {{US Arrests Chinese Man Involved With Sakula Malware Used in OPM and Anthem Hacks}}, date = {2017-08-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/us-arrests-chinese-man-involved-with-sakula-malware-used-in-opm-and-anthem-hacks/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20171101:cryptoshuffler:64a3db4, author = {Catalin Cimpanu}, title = {{CryptoShuffler Stole $150,000 by Replacing Bitcoin Wallet IDs in PC Clipboards}}, date = {2017-11-01}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20171109:ordinypt:cc9c071, author = {Catalin Cimpanu}, title = {{Ordinypt Ransomware Intentionally Destroys Files, Currently Targeting Germany}}, date = {2017-11-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ordinypt-ransomware-intentionally-destroys-files-currently-targeting-germany/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20171124:mirai:ea4773e, author = {Catalin Cimpanu}, title = {{Mirai Activity Picks up Once More After Publication of PoC Exploit Code}}, date = {2017-11-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/mirai-activity-picks-up-once-more-after-publication-of-poc-exploit-code/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20171211:brickerbot:52db283, author = {Catalin Cimpanu}, title = {{BrickerBot Author Retires Claiming to Have Bricked over 10 Million IoT Devices}}, date = {2017-12-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/brickerbot-author-retires-claiming-to-have-bricked-over-10-million-iot-devices/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20171212:moneytaker:b5f4fbb, author = {Catalin Cimpanu}, title = {{MoneyTaker Hacker Group Steals Millions from US and Russian Banks}}, date = {2017-12-12}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/moneytaker-hacker-group-steals-millions-from-us-and-russian-banks/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180117:exobot:cde3b02, author = {Catalin Cimpanu}, title = {{Exobot Author Calls It Quits and Sells Off Banking Trojan Source Code}}, date = {2018-01-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/exobot-author-calls-it-quits-and-sells-off-banking-trojan-source-code/}, language = {English}, urldate = {2022-06-09} } @online{cimpanu:20180124:new:90c5883, author = {Catalin Cimpanu}, title = {{New HNS IoT Botnet Has Already Amassed 14K Bots}}, date = {2018-01-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180226:nanocore:4659d30, author = {Catalin Cimpanu}, title = {{Nanocore RAT Author Gets 33 Months in Prison}}, date = {2018-02-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/nanocore-rat-author-gets-33-months-in-prison/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180418:stresspaint:640ad68, author = {Catalin Cimpanu}, title = {{Stresspaint Malware Steals Facebook Credentials and Session Cookies}}, date = {2018-04-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/stresspaint-malware-steals-facebook-credentials-and-session-cookies/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180427:north:b7ed973, author = {Catalin Cimpanu}, title = {{North Korean Hackers Are up to No Good Again}}, date = {2018-04-27}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180508:hide:5ab3dfd, author = {Catalin Cimpanu}, title = {{"Hide and Seek" Becomes First IoT Botnet Capable of Surviving Device Reboots}}, date = {2018-05-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hide-and-seek-becomes-first-iot-botnet-capable-of-surviving-device-reboots/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180612:trik:137e306, author = {Catalin Cimpanu}, title = {{Trik Spam Botnet Leaks 43 Million Email Addresses}}, date = {2018-06-12}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180614:dbger:c326e0a, author = {Catalin Cimpanu}, title = {{DBGer Ransomware Uses EternalBlue and Mimikatz to Spread Across Networks}}, date = {2018-06-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/dbger-ransomware-uses-eternalblue-and-mimikatz-to-spread-across-networks/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180615:chinese:e0be0ab, author = {Catalin Cimpanu}, title = {{Chinese Cyber-Espionage Group Hacked Government Data Center}}, date = {2018-06-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/chinese-cyber-espionage-group-hacked-government-data-center/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180615:hacker:e0452dd, author = {Catalin Cimpanu}, title = {{Hacker Breaches Syscoin GitHub Account and Poisons Official Client}}, date = {2018-06-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hacker-breaches-syscoin-github-account-and-poisons-official-client/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180706:hns:c7115f1, author = {Catalin Cimpanu}, title = {{HNS Evolves From IoT to Cross-Platform Botnet}}, date = {2018-07-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hns-evolves-from-iot-to-cross-platform-botnet/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180719:router:38a2d38, author = {Catalin Cimpanu}, title = {{Router Crapfest: Malware Author Builds 18,000-Strong Botnet in a Day}}, date = {2018-07-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/router-crapfest-malware-author-builds-18-000-strong-botnet-in-a-day/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180723:source:1e0f06d, author = {Catalin Cimpanu}, title = {{Source Code for Exobot Android Banking Trojan Leaked Online}}, date = {2018-07-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/source-code-for-exobot-android-banking-trojan-leaked-online/}, language = {English}, urldate = {2022-06-09} } @online{cimpanu:20180728:new:b35a74a, author = {Catalin Cimpanu}, title = {{New Underminer Exploit Kit Discovered Pushing Bootkits and CoinMiners}}, date = {2018-07-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-underminer-exploit-kit-discovered-pushing-bootkits-and-coinminers/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180821:microsoft:bc5c2f0, author = {Catalin Cimpanu}, title = {{Microsoft Disrupts APT28 Hacking Campaign Aimed at US Midterm Elections}}, date = {2018-08-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/microsoft-disrupts-apt28-hacking-campaign-aimed-at-us-midterm-elections/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180823:lazarus:e929232, author = {Catalin Cimpanu}, title = {{Lazarus Group Deploys Its First Mac Malware in Cryptocurrency Exchange Hack}}, date = {2018-08-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/lazarus-group-deploys-its-first-mac-malware-in-cryptocurrency-exchange-hack/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180824:iranian:04296ee, author = {Catalin Cimpanu}, title = {{Iranian Hackers Charged in March Are Still Actively Phishing Universities}}, date = {2018-08-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/iranian-hackers-charged-in-march-are-still-actively-phishing-universities/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180905:new:c1c9e19, author = {Catalin Cimpanu}, title = {{New Silence hacking group suspected of having ties to cyber-security industry}}, date = {2018-09-05}, organization = {ZDNet}, url = {https://www.zdnet.com/article/new-silence-hacking-group-suspected-of-having-ties-to-cyber-security-industry/}, language = {English}, urldate = {2019-12-19} } @online{cimpanu:20190116:north:8f56bd0, author = {Catalin Cimpanu}, title = {{North Korean hackers infiltrate Chile's ATM network after Skype job interview}}, date = {2019-01-16}, organization = {ZDNet}, url = {https://www.zdnet.com/article/north-korean-hackers-infiltrate-chiles-atm-network-after-skype-job-interview/}, language = {English}, urldate = {2020-01-10} } @online{cimpanu:20190214:127:78132dd, author = {Catalin Cimpanu}, title = {{127 million user records from 8 companies put up for sale on the dark web}}, date = {2019-02-14}, organization = {ZDNet}, url = {https://www.zdnet.com/article/127-million-user-records-from-8-companies-put-up-for-sale-on-the-dark-web/}, language = {English}, urldate = {2019-12-24} } @online{cimpanu:20190217:hacker:19fe800, author = {Catalin Cimpanu}, title = {{Hacker puts up for sale third round of hacked databases on the Dark Web}}, date = {2019-02-17}, organization = {ZDNet}, url = {https://www.zdnet.com/article/hacker-puts-up-for-sale-third-round-of-hacked-databases-on-the-dark-web/}, language = {English}, urldate = {2020-01-10} } @online{cimpanu:20190317:round:53521b8, author = {Catalin Cimpanu}, title = {{Round 4: Hacker returns and puts 26Mil user records for sale on the Dark Web}}, date = {2019-03-17}, organization = {ZDNet}, url = {https://www.zdnet.com/article/round-4-hacker-returns-and-puts-26mil-user-records-for-sale-on-the-dark-web/}, language = {English}, urldate = {2019-12-15} } @online{cimpanu:20190409:cybercrime:7fd4c7e, author = {Catalin Cimpanu}, title = {{Cybercrime market selling full digital fingerprints of over 60,000 users}}, date = {2019-04-09}, organization = {ZDNet}, url = {https://www.zdnet.com/article/cybercrime-market-selling-full-digital-fingerprints-of-over-60000-users/}, language = {English}, urldate = {2021-05-08} } @online{cimpanu:20190415:hacker:4b851e8, author = {Catalin Cimpanu}, title = {{A hacker has dumped nearly one billion user records over the past two months}}, date = {2019-04-15}, organization = {ZDNet}, url = {https://www.zdnet.com/article/a-hacker-has-dumped-nearly-one-billion-user-records-over-the-past-two-months/}, language = {English}, urldate = {2020-01-05} } @online{cimpanu:20190419:security:683479e, author = {Catalin Cimpanu}, title = {{Security researcher MalwareTech pleads guilty}}, date = {2019-04-19}, organization = {ZDNet}, url = {https://www.zdnet.com/article/security-researcher-malwaretech-pleads-guilty/}, language = {English}, urldate = {2020-01-13} } @online{cimpanu:20190509:new:f8a3f46, author = {Catalin Cimpanu}, title = {{New leaks of Iranian cyber-espionage operations hit Telegram and the Dark Web}}, date = {2019-05-09}, organization = {ZDNet}, url = {https://www.zdnet.com/article/new-leaks-of-iranian-cyber-espionage-operations-hit-telegram-and-the-dark-web/}, language = {English}, urldate = {2020-01-09} } @online{cimpanu:20191010:new:3f09021, author = {Catalin Cimpanu}, title = {{New espionage malware found targeting Russian-speaking users in Eastern Europe}}, date = {2019-10-10}, organization = {ZDNet}, url = {https://www.zdnet.com/article/new-espionage-malware-found-targeting-russian-speaking-users-in-eastern-europe/}, language = {English}, urldate = {2020-01-06} } @online{cimpanu:20191120:new:f9c81de, author = {Catalin Cimpanu}, title = {{New Roboto botnet emerges targeting Linux servers running Webmin}}, date = {2019-11-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/new-roboto-botnet-emerges-targeting-linux-servers-running-webmin}, language = {English}, urldate = {2019-12-17} } @online{cimpanu:20191123:extensive:4db6fce, author = {Catalin Cimpanu}, title = {{Extensive hacking operation discovered in Kazakhstan}}, date = {2019-11-23}, organization = {ZDNet}, url = {https://www.zdnet.com/article/extensive-hacking-operation-discovered-in-kazakhstan/}, language = {English}, urldate = {2020-01-08} } @online{cimpanu:20200108:naive:31da98b, author = {Catalin Cimpanu}, title = {{Naive IoT botnet wastes its time mining cryptocurrency}}, date = {2020-01-08}, organization = {ZDNet}, url = {https://www.zdnet.com/article/naive-iot-botnet-wastes-its-time-mining-cryptocurrency/}, language = {English}, urldate = {2020-01-13} } @online{cimpanu:20200123:someone:fb903da, author = {Catalin Cimpanu}, title = {{Someone is uninstalling the Phorpiex malware from infected PCs and telling users to install an antivirus}}, date = {2020-01-23}, organization = {ZDNet}, url = {https://www.zdnet.com/article/someone-is-uninstalling-the-phorpiex-malware-from-infected-pcs-and-telling-users-to-install-an-antivirus/}, language = {English}, urldate = {2020-01-27} } @online{cimpanu:20200129:dod:57de65d, author = {Catalin Cimpanu}, title = {{DOD contractor suffers ransomware infection}}, date = {2020-01-29}, organization = {ZDNet}, url = {https://www.zdnet.com/article/dod-contractor-suffers-ransomware-infection/}, language = {English}, urldate = {2020-02-03} } @online{cimpanu:20200210:fbi:1904430, author = {Catalin Cimpanu}, title = {{FBI warns about ongoing attacks against software supply chain companies}}, date = {2020-02-10}, organization = {ZDNet}, url = {https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/}, language = {English}, urldate = {2020-02-11} } @online{cimpanu:20200220:croatias:ac07fa3, author = {Catalin Cimpanu}, title = {{Croatia's largest petrol station chain impacted by cyber-attack}}, date = {2020-02-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/croatias-largest-petrol-station-chain-impacted-by-cyber-attack/}, language = {English}, urldate = {2020-02-26} } @online{cimpanu:20200229:meet:b1d7dbd, author = {Catalin Cimpanu}, title = {{Meet the white-hat group fighting Emotet, the world's most dangerous malware}}, date = {2020-02-29}, organization = {ZDNet}, url = {https://www.zdnet.com/article/meet-the-white-hat-group-fighting-emotet-the-worlds-most-dangerous-malware/}, language = {English}, urldate = {2020-03-02} } @online{cimpanu:20200319:france:9882b07, author = {Catalin Cimpanu}, title = {{France warns of new ransomware gang targeting local governments}}, date = {2020-03-19}, organization = {ZDNet}, url = {https://www.zdnet.com/article/france-warns-of-new-ransomware-gang-targeting-local-governments/}, language = {English}, urldate = {2020-03-26} } @online{cimpanu:20200327:booz:90c4f8d, author = {Catalin Cimpanu}, title = {{Booz Allen analyzed 200+ Russian hacking operations to better understand their tactics}}, date = {2020-03-27}, organization = {ZDNet}, url = {https://www.zdnet.com/article/booz-allen-analyzed-200-russian-hacking-operations-to-better-understand-their-tactics/}, language = {English}, urldate = {2020-03-27} } @online{cimpanu:20200331:fbi:91630df, author = {Catalin Cimpanu}, title = {{FBI re-sends alert about supply chain attacks for the third time in three months}}, date = {2020-03-31}, organization = {ZDNet}, url = {https://www.zdnet.com/article/fbi-re-sends-alert-about-supply-chain-attacks-for-the-third-time-in-three-months/}, language = {English}, urldate = {2020-04-07} } @online{cimpanu:20200427:shade:4d47bf1, author = {Catalin Cimpanu}, title = {{Shade (Troldesh) ransomware shuts down and releases decryption keys}}, date = {2020-04-27}, organization = {ZDNet}, url = {https://www.zdnet.com/article/shade-troldesh-ransomware-shuts-down-and-releases-all-decryption-keys/}, language = {English}, urldate = {2020-04-28} } @online{cimpanu:20200518:fbi:54e14c9, author = {Catalin Cimpanu}, title = {{FBI: ProLock ransomware gains access to victim networks via Qakbot infections}}, date = {2020-05-18}, organization = {ZDNet}, url = {https://www.zdnet.com/article/fbi-prolock-ransomware-gains-access-to-victim-networks-via-qakbot-infections/}, language = {English}, urldate = {2020-05-18} } @online{cimpanu:20200531:russian:2bdcc02, author = {Catalin Cimpanu}, title = {{Russian hacker Pavel Sitnikov arrested for sharing malware source code}}, date = {2020-05-31}, organization = {The Record}, url = {https://therecord.media/russian-hacker-pavel-sitnikov-arrested-for-sharing-malware-source-code/}, language = {English}, urldate = {2021-06-09} } @online{cimpanu:20200602:revil:883c59f, author = {Catalin Cimpanu}, title = {{REvil ransomware gang launches auction site to sell stolen data}}, date = {2020-06-02}, organization = {ZDNet}, url = {https://www.zdnet.com/article/revil-ransomware-gang-launches-auction-site-to-sell-stolen-data/}, language = {English}, urldate = {2020-06-03} } @online{cimpanu:20200603:ransomware:116ecb8, author = {Catalin Cimpanu}, title = {{Ransomware gang says it breached one of NASA's IT contractors}}, date = {2020-06-03}, organization = {ZDNet}, url = {https://www.zdnet.com/article/ransomware-gang-says-it-breached-one-of-nasas-it-contractors/}, language = {English}, urldate = {2020-06-03} } @online{cimpanu:20200615:web:a10a55d, author = {Catalin Cimpanu}, title = {{Web skimmers found on the websites of Intersport, Claire's, and Icing}}, date = {2020-06-15}, organization = {ZDNet}, url = {https://www.zdnet.com/article/web-skimmers-found-on-the-websites-of-intersport-claires-and-icing/}, language = {English}, urldate = {2020-06-16} } @online{cimpanu:20200715:chinese:0ff06bd, author = {Catalin Cimpanu}, title = {{Chinese state hackers target Hong Kong Catholic Church}}, date = {2020-07-15}, organization = {ZDNet}, url = {https://www.zdnet.com/article/chinese-state-hackers-target-hong-kong-catholic-church/}, language = {English}, urldate = {2020-07-30} } @online{cimpanu:20200729:kaspersky:d874677, author = {Catalin Cimpanu}, title = {{Kaspersky: New hacker-for-hire mercenary group is targeting European law firms}}, date = {2020-07-29}, organization = {ZDNet}, url = {https://www.zdnet.com/article/kaspersky-new-hacker-for-hire-mercenary-group-is-targeting-european-law-firms/}, language = {English}, urldate = {2020-08-18} } @online{cimpanu:20200804:ransomware:e0320ee, author = {Catalin Cimpanu}, title = {{Ransomware gang publishes tens of GBs of internal data from LG and Xerox}}, date = {2020-08-04}, organization = {ZDNet}, url = {https://www.zdnet.com/article/ransomware-gang-publishes-tens-of-gbs-of-internal-data-from-lg-and-xerox/}, language = {English}, urldate = {2020-08-18} } @online{cimpanu:20200810:fbi:10c4512, author = {Catalin Cimpanu}, title = {{FBI says an Iranian hacking group is attacking F5 networking devices}}, date = {2020-08-10}, organization = {ZDNet}, url = {https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices}, language = {English}, urldate = {2020-09-18} } @online{cimpanu:20200810:fbi:704abe2, author = {Catalin Cimpanu}, title = {{FBI says an Iranian hacking group is attacking F5 networking devices}}, date = {2020-08-10}, organization = {ZDNet}, url = {https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices/}, language = {English}, urldate = {2020-08-12} } @online{cimpanu:20200901:iranian:5f8dd6c, author = {Catalin Cimpanu}, title = {{Iranian hackers are selling access to compromised companies on an underground forum}}, date = {2020-09-01}, organization = {ZDNet}, url = {https://www.zdnet.com/article/iranian-hackers-are-selling-access-to-compromised-companies-on-an-underground-forum}, language = {English}, urldate = {2020-09-18} } @online{cimpanu:20201008:german:7b88550, author = {Catalin Cimpanu}, title = {{German tech giant Software AG down after ransomware attack}}, date = {2020-10-08}, organization = {ZDNet}, url = {https://www.zdnet.com/article/german-tech-giant-software-ag-down-after-ransomware-attack/}, language = {English}, urldate = {2020-10-12} } @online{cimpanu:20201015:ubisoft:51fe666, author = {Catalin Cimpanu}, title = {{Ubisoft, Crytek data posted on ransomware gang's site}}, date = {2020-10-15}, organization = {ZDNet}, url = {https://www.zdnet.com/article/ubisoft-crytek-data-posted-on-ransomware-gangs-site/}, language = {English}, urldate = {2020-10-21} } @online{cimpanu:20201022:eu:ed3c7a4, author = {Catalin Cimpanu}, title = {{EU sanctions Russia over 2015 German Parliament hack}}, date = {2020-10-22}, organization = {ZDNet}, url = {https://www.zdnet.com/article/eu-sanctions-russia-over-2015-german-parliament-hack/}, language = {English}, urldate = {2020-10-26} } @online{cimpanu:20201104:revil:02ca78c, author = {Catalin Cimpanu}, title = {{REvil ransomware gang 'acquires' KPOT malware}}, date = {2020-11-04}, organization = {ZDNet}, url = {https://www.zdnet.com/article/revil-ransomware-gang-acquires-kpot-malware/}, language = {English}, urldate = {2020-11-06} } @online{cimpanu:20201120:malware:0b8ff59, author = {Catalin Cimpanu}, title = {{The malware that usually installs ransomware and you need to remove right away}}, date = {2020-11-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/}, language = {English}, urldate = {2020-11-23} } @online{cimpanu:20201205:ransomware:49c8fff, author = {Catalin Cimpanu}, title = {{Ransomware hits helicopter maker Kopter}}, date = {2020-12-05}, organization = {ZDNet}, url = {https://www.zdnet.com/article/ransomware-hits-helicopter-maker-kopter/}, language = {English}, urldate = {2020-12-08} } @online{cimpanu:20201208:norway:86ae7a1, author = {Catalin Cimpanu}, title = {{Norway says Russian hacking group APT28 is behind August 2020 Parliament hack}}, date = {2020-12-08}, organization = {ZDNet}, url = {https://www.zdnet.com/article/norway-says-russian-hacking-group-apt28-is-behind-august-2020-parliament-hack/}, language = {English}, urldate = {2020-12-08} } @online{cimpanu:20201217:microsoft:e52b204, author = {Catalin Cimpanu}, title = {{Microsoft confirms it was also breached in recent SolarWinds supply chain hack}}, date = {2020-12-17}, organization = {ZDNet}, url = {https://www.zdnet.com/article/microsoft-was-also-breached-in-recent-solarwinds-supply-chain-hack-report/}, language = {English}, urldate = {2020-12-18} } @online{cimpanu:20210107:londons:3d62f93, author = {Catalin Cimpanu}, title = {{Tweet on London's Hackney Council attacked by Pysa/Mespinoza ransomware}}, date = {2021-01-07}, organization = {Twitter (@campuscodi)}, url = {https://twitter.com/campuscodi/status/1347223969984897026}, language = {English}, urldate = {2021-01-11} } @online{cimpanu:20210301:first:6ded68e, author = {Catalin Cimpanu}, title = {{First Fully Weaponized Spectre Exploit Discovered Online}}, date = {2021-03-01}, organization = {The Record}, url = {https://therecord.media/first-fully-weaponized-spectre-exploit-discovered-online/}, language = {English}, urldate = {2021-03-04} } @online{cimpanu:20210308:flubot:306fd8b, author = {Catalin Cimpanu}, title = {{FluBot Malware Gang Arrested in Barcelona}}, date = {2021-03-08}, organization = {The Record}, url = {https://therecord.media/flubot-malware-gang-arrested-in-barcelona/}, language = {English}, urldate = {2021-06-29} } @online{cimpanu:20210316:frances:5c4b6c2, author = {Catalin Cimpanu}, title = {{France’s lead cybercrime investigator on the Egregor arrests, cybercrime}}, date = {2021-03-16}, organization = {The Record}, url = {https://therecord.media/frances-lead-cybercrime-investigator-on-the-egregor-arrests-cybercrime/}, language = {English}, urldate = {2021-03-22} } @online{cimpanu:20210317:missed:c4716fc, author = {Catalin Cimpanu}, title = {{Missed opportunity: Bug in LockBit ransomware allowed free decryptions}}, date = {2021-03-17}, organization = {The Record}, url = {https://therecord.media/missed-opportunity-bug-in-lockbit-ransomware-allowed-free-decryptions/}, language = {English}, urldate = {2021-03-19} } @online{cimpanu:20210329:redecho:30b16b4, author = {Catalin Cimpanu}, title = {{RedEcho group parks domains after public exposure}}, date = {2021-03-29}, organization = {The Record}, url = {https://therecord.media/redecho-group-parks-domains-after-public-exposure/}, language = {English}, urldate = {2021-03-31} } @online{cimpanu:20210413:sweden:842ab60, author = {Catalin Cimpanu}, title = {{Sweden drops Russian hacking investigation due to legal complications}}, date = {2021-04-13}, organization = {The Record}, url = {https://therecord.media/sweden-drops-russian-hacking-investigation-due-to-legal-complications/}, language = {English}, urldate = {2021-04-14} } @online{cimpanu:20210422:nightmare:ae2d421, author = {Catalin Cimpanu}, title = {{Nightmare week for security vendors: Now a Trend Micro bug is being exploited in the wild}}, date = {2021-04-22}, organization = {The Record}, url = {https://therecord.media/nightmare-week-for-security-vendors-now-a-trend-micro-bug-is-being-exploited-in-the-wild/}, language = {English}, urldate = {2021-04-29} } @online{cimpanu:20210422:ransomware:1186cfb, author = {Catalin Cimpanu}, title = {{Ransomware gang wants to short the stock price of their victims}}, date = {2021-04-22}, organization = {The Record}, url = {https://therecord.media/ransomware-gang-wants-to-short-the-stock-price-of-their-victims/}, language = {English}, urldate = {2021-04-28} } @online{cimpanu:20210425:hacking:4472d82, author = {Catalin Cimpanu}, title = {{Hacking campaign targets FileZen file-sharing network appliances}}, date = {2021-04-25}, organization = {The Record}, url = {https://therecord.media/hacking-campaign-targets-filezen-file-sharing-network-appliances/}, language = {English}, urldate = {2021-04-29} } @online{cimpanu:20210426:despite:4069a05, author = {Catalin Cimpanu}, title = {{Despite arrests in Spain, FluBot operations explode across Europe and Japan}}, date = {2021-04-26}, organization = {The Record}, url = {https://therecord.media/despite-arrests-in-spain-flubot-operations-explode-across-europe-and-japan/}, language = {English}, urldate = {2021-06-29} } @online{cimpanu:20210429:qnap:d3abf58, author = {Catalin Cimpanu}, title = {{QNAP warns of AgeLocker ransomware attacks against NAS devices}}, date = {2021-04-29}, organization = {The Record}, url = {https://therecord.media/qnap-warns-of-agelocker-ransomware-attacks-against-nas-devices/}, language = {English}, urldate = {2021-05-03} } @online{cimpanu:20210430:cybercrime:1bc5f68, author = {Catalin Cimpanu}, title = {{Cybercrime Featured DarkPath scam group loses 134 domains impersonating the WHO}}, date = {2021-04-30}, organization = {The Record}, url = {https://therecord.media/darkpath-scam-group-loses-134-domains-impersonating-the-who/}, language = {English}, urldate = {2021-05-03} } @online{cimpanu:20210502:doj:9d42ffb, author = {Catalin Cimpanu}, title = {{DOJ hiring new liaison prosecutor to hunt cybercriminals in Eastern Europe}}, date = {2021-05-02}, organization = {The Record}, url = {https://therecord.media/doj-hiring-new-liaison-prosecutor-to-hunt-cybercriminals-in-eastern-europe/}, language = {English}, urldate = {2021-05-03} } @online{cimpanu:20210505:malware:27b4343, author = {Catalin Cimpanu}, title = {{Malware group leaks millions of stolen authentication cookies}}, date = {2021-05-05}, organization = {The Record}, url = {https://therecord.media/malware-group-leaks-millions-of-stolen-authentication-cookies/}, language = {English}, urldate = {2021-05-07} } @online{cimpanu:20210508:solarwinds:501c002, author = {Catalin Cimpanu}, title = {{SolarWinds says fewer than 100 customers were impacted by supply chain attack}}, date = {2021-05-08}, organization = {The Record}, url = {https://therecord.media/solarwinds-says-fewer-than-100-customers-were-impacted-by-supply-chain-attack}, language = {English}, urldate = {2021-05-11} } @online{cimpanu:20210511:15:317b47d, author = {Catalin Cimpanu}, title = {{15% of 2020 ransomware payments carried a sanctions violations risk}}, date = {2021-05-11}, organization = {The Record}, url = {https://therecord.media/15-of-2020-ransomware-payments-carried-a-sanctions-violations-risk/}, language = {English}, urldate = {2021-05-13} } @online{cimpanu:20210511:osiris:c21f10f, author = {Catalin Cimpanu}, title = {{Osiris banking trojan shuts down as new Ares variant emerges}}, date = {2021-05-11}, organization = {The Record}, url = {https://therecord.media/osiris-banking-trojan-shuts-down-as-new-ares-variant-emerges/}, language = {English}, urldate = {2021-05-13} } @online{cimpanu:20210512:agents:975c354, author = {Catalin Cimpanu}, title = {{Agents raid home of Kansas man seeking info on botnet that infected DOD network}}, date = {2021-05-12}, organization = {The Record}, url = {https://therecord.media/agents-raid-home-of-kansas-man-seeking-info-on-botnet-that-infected-dod-network/}, language = {English}, urldate = {2021-05-13} } @online{cimpanu:20210513:popular:278e039, author = {Catalin Cimpanu}, title = {{Popular hacking forum bans ransomware ads}}, date = {2021-05-13}, organization = {The Record}, url = {https://therecord.media/popular-hacking-forum-bans-ransomware-ads/}, language = {English}, urldate = {2021-05-17} } @online{cimpanu:20210514:darkside:2760169, author = {Catalin Cimpanu}, title = {{Darkside ransomware gang says it lost control of its servers & money a day after Biden threat}}, date = {2021-05-14}, organization = {The Record}, url = {https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/}, language = {English}, urldate = {2021-05-17} } @online{cimpanu:20210517:three:afe4f03, author = {Catalin Cimpanu}, title = {{Three major hacking forums ban ransomware ads as some ransomware gangs shut down}}, date = {2021-05-17}, organization = {The Record}, url = {https://therecord.media/three-major-hacking-forums-ban-ransomware-ads-as-some-ransomware-gangs-shut-down/}, language = {English}, urldate = {2021-05-19} } @online{cimpanu:20210518:darkside:14b6690, author = {Catalin Cimpanu}, title = {{Darkside gang estimated to have made over $90 million from ransomware attacks}}, date = {2021-05-18}, organization = {The Record}, url = {https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/}, language = {English}, urldate = {2021-05-19} } @online{cimpanu:20210521:fsb:5c2ad05, author = {Catalin Cimpanu}, title = {{FSB NKTsKI: Foreign ‘cyber mercenaries’ breached Russian federal agencies}}, date = {2021-05-21}, organization = {The Record}, url = {https://therecord.media/fsb-nktski-foreign-cyber-mercenaries-breached-russian-federal-agencies/}, language = {English}, urldate = {2021-06-21} } @online{cimpanu:20210602:two:5237d2e, author = {Catalin Cimpanu}, title = {{Two Carbanak hackers sentenced to eight years in prison in Kazakhstan}}, date = {2021-06-02}, organization = {The Record}, url = {https://therecord.media/two-carbanak-hackers-sentenced-to-eight-years-in-prison-in-kazakhstan/}, language = {English}, urldate = {2021-06-16} } @online{cimpanu:20210604:epsilonred:62073f1, author = {Catalin Cimpanu}, title = {{EpsilonRed ransomware group hits one of India’s financial software powerhouses}}, date = {2021-06-04}, organization = {The Record}, url = {https://therecord.media/epsilonred-ransomware-group-hits-one-of-indias-financial-software-powerhouses/}, language = {English}, urldate = {2021-06-06} } @online{cimpanu:20210604:us:20a6d26, author = {Catalin Cimpanu}, title = {{US arrests Latvian woman who worked on Trickbot malware source code}}, date = {2021-06-04}, organization = {The Record}, url = {https://therecord.media/us-arrests-latvian-woman-who-worked-on-trickbot-malware-source-code/}, language = {English}, urldate = {2021-06-16} } @online{cimpanu:20210608:microsoft:551f598, author = {Catalin Cimpanu}, title = {{Microsoft patches six Windows zero-days, including a commercial exploit}}, date = {2021-06-08}, organization = {The Record}, url = {https://therecord.media/microsoft-patches-six-windows-zero-days-including-a-commercial-exploit/}, language = {English}, urldate = {2021-06-16} } @online{cimpanu:20210609:russian:6ad9a91, author = {Catalin Cimpanu}, title = {{Russian hackers breached Dutch police systems in 2017}}, date = {2021-06-09}, organization = {The Record}, url = {https://therecord.media/russian-hackers-breached-dutch-police-systems-in-2017/}, language = {English}, urldate = {2021-06-16} } @online{cimpanu:20210611:cybercrime:dba57e7, author = {Catalin Cimpanu}, title = {{Cybercrime Featured Avaddon ransomware operation shuts down and releases decryption keys}}, date = {2021-06-11}, organization = {The Record}, url = {https://therecord.media/avaddon-ransomware-operation-shuts-down-and-releases-decryption-keys/}, language = {English}, urldate = {2021-06-21} } @online{cimpanu:20210614:apple:45d6879, author = {Catalin Cimpanu}, title = {{Apple patches two iOS zero-days in old-gen devices}}, date = {2021-06-14}, organization = {The Record}, url = {https://therecord.media/apple-patches-two-ios-zero-days-in-old-gen-devices/}, language = {English}, urldate = {2021-06-16} } @online{cimpanu:20210614:g7:3b92056, author = {Catalin Cimpanu}, title = {{G7 calls on Russia to crack down on ransomware gangs}}, date = {2021-06-14}, organization = {The Record}, url = {https://therecord.media/g7-calls-on-russia-to-crack-down-on-ransomware-gangs/}, language = {English}, urldate = {2021-06-21} } @online{cimpanu:20210615:source:59336b0, author = {Catalin Cimpanu}, title = {{Source code for Paradise ransomware leaked on hacking forums}}, date = {2021-06-15}, organization = {The Record}, url = {https://therecord.media/source-code-for-paradise-ransomware-leaked-on-hacking-forums/}, language = {English}, urldate = {2021-06-21} } @online{cimpanu:20210616:ukrainian:141533c, author = {Catalin Cimpanu}, title = {{Ukrainian police arrest Clop ransomware members, seize server infrastructure}}, date = {2021-06-16}, organization = {The Record}, url = {https://therecord.media/ukrainian-police-arrest-clop-ransomware-members-seize-server-infrastructure/}, language = {English}, urldate = {2021-06-21} } @online{cimpanu:20210627:builder:40a8c38, author = {Catalin Cimpanu}, title = {{Builder for Babuk Locker ransomware leaked online}}, date = {2021-06-27}, organization = {The Record}, url = {https://therecord.media/builder-for-babuk-locker-ransomware-leaked-online/}, language = {English}, urldate = {2021-06-29} } @online{cimpanu:20210629:free:228fc3b, author = {Catalin Cimpanu}, title = {{Free decrypter available for Lorenz ransomware}}, date = {2021-06-29}, organization = {The Record}, url = {https://therecord.media/free-decrypter-available-for-lorenz-ransomware/}, language = {English}, urldate = {2021-06-30} } @online{cimpanu:20210630:gozi:8760ba7, author = {Catalin Cimpanu}, title = {{Gozi malware gang member arrested in Colombia}}, date = {2021-06-30}, organization = {The Record}, url = {https://therecord.media/gozi-malware-gang-member-arrested-in-colombia/}, language = {English}, urldate = {2021-07-02} } @online{cimpanu:20210701:mongolian:1fd57de, author = {Catalin Cimpanu}, title = {{Mongolian certificate authority hacked eight times, compromised with malware}}, date = {2021-07-01}, organization = {The Record}, url = {https://therecord.media/mongolian-certificate-authority-hacked-eight-times-compromised-with-malware/}, language = {English}, urldate = {2021-07-02} } @online{cimpanu:20210702:revil:7283386, author = {Catalin Cimpanu}, title = {{REvil ransomware gang executes supply chain attack via malicious Kaseya update}}, date = {2021-07-02}, organization = {The Record}, url = {https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/}, language = {English}, urldate = {2021-07-05} } @online{cimpanu:20210702:trickbot:7d2b9f7, author = {Catalin Cimpanu}, title = {{TrickBot: New attacks see the botnet deploy new banking module, new ransomware}}, date = {2021-07-02}, organization = {The Record}, url = {https://therecord.media/trickbot-new-attacks-see-the-botnet-deploy-new-banking-module-new-ransomware/}, language = {English}, urldate = {2021-07-05} } @online{cimpanu:20210706:moroccan:66d1784, author = {Catalin Cimpanu}, title = {{Moroccan hacker Dr HeX arrested for phishing attacks, malware distribution}}, date = {2021-07-06}, organization = {The Record}, url = {https://therecord.media/moroccan-hacker-dr-hex-arrested-for-phishing-attacks-malware-distribution/}, language = {English}, urldate = {2021-07-11} } @online{cimpanu:20210709:ransomwhere:bd77fbe, author = {Catalin Cimpanu}, title = {{Ransomwhere project wants to create a database of past ransomware payments}}, date = {2021-07-09}, organization = {The Record}, url = {https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/}, language = {English}, urldate = {2021-07-20} } @online{cimpanu:20210712:over:c88e351, author = {Catalin Cimpanu}, title = {{Over 780,000 email accounts compromised by Emotet have been secured}}, date = {2021-07-12}, organization = {The Record}, url = {https://therecord.media/over-780000-email-accounts-compromised-by-emotet-have-been-secured/}, language = {English}, urldate = {2021-07-20} } @online{cimpanu:20210714:spain:447c00d, author = {Catalin Cimpanu}, title = {{Spain arrests 16 for working with the Mekotio and Grandoreiro malware gangs}}, date = {2021-07-14}, organization = {The Record}, url = {https://therecord.media/spain-arrests-16-for-distributing-the-mekotio-and-grandoreiro-banking-trojans/}, language = {English}, urldate = {2021-07-20} } @online{cimpanu:20210722:wiper:08d9833, author = {Catalin Cimpanu}, title = {{Wiper malware targeting Japanese PCs discovered ahead of Tokyo Olympics opening}}, date = {2021-07-22}, organization = {The Record}, url = {https://therecord.media/wiper-malware-targeting-japanese-pcs-discovered-ahead-of-tokyo-olympics-opening/}, language = {English}, urldate = {2021-08-20} } @online{cimpanu:20210727:blackmatter:4934eef, author = {Catalin Cimpanu}, title = {{BlackMatter ransomware targets companies with revenue of $100 million and more}}, date = {2021-07-27}, organization = {The Record}, url = {https://therecord.media/blackmatter-ransomware-targets-companies-with-revenues-of-100-million-and-more/}, language = {English}, urldate = {2021-07-29} } @online{cimpanu:20210801:decryptor:5f67ec8, author = {Catalin Cimpanu}, title = {{Decryptor released for Prometheus ransomware victims}}, date = {2021-08-01}, organization = {The Record}, url = {https://therecord.media/decryptor-released-for-prometheus-ransomware-victims/}, language = {English}, urldate = {2021-08-06} } @online{cimpanu:20210803:lemonduck:d6e7c42, author = {Catalin Cimpanu}, title = {{LemonDuck botnet evolves to allow hands-on-keyboard intrusions}}, date = {2021-08-03}, organization = {The Record}, url = {https://therecord.media/lemonduck-botnet-evolves-to-allow-hands-on-keyboard-intrusions/}, language = {English}, urldate = {2022-02-16} } @online{cimpanu:20210805:disgruntled:4a7c7d7, author = {Catalin Cimpanu}, title = {{Disgruntled ransomware affiliate leaks the Conti gang’s technical manuals}}, date = {2021-08-05}, organization = {The Record}, url = {https://therecord.media/disgruntled-ransomware-affiliate-leaks-the-conti-gangs-technical-manuals/}, language = {English}, urldate = {2021-08-06} } @online{cimpanu:20210805:meet:bce8310, author = {Catalin Cimpanu}, title = {{Meet Prometheus, the secret TDS behind some of today’s malware campaigns}}, date = {2021-08-05}, organization = {The Record}, url = {https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/}, language = {English}, urldate = {2021-08-06} } @online{cimpanu:20210806:australian:8543b09, author = {Catalin Cimpanu}, title = {{Australian cybersecurity agency warns of spike in LockBit ransomware attacks}}, date = {2021-08-06}, organization = {The Record}, url = {https://therecord.media/australian-cybersecurity-agency-warns-of-spike-in-lockbit-ransomware-attacks/}, language = {English}, urldate = {2021-08-09} } @online{cimpanu:20210812:printnightmare:026bc57, author = {Catalin Cimpanu}, title = {{PrintNightmare vulnerability weaponized by Magniber ransomware gang}}, date = {2021-08-12}, organization = {The Record}, url = {https://therecord.media/printnightmare-vulnerability-weaponized-by-magniber-ransomware-gang/}, language = {English}, urldate = {2021-08-16} } @online{cimpanu:20210812:synack:c4109da, author = {Catalin Cimpanu}, title = {{SynAck ransomware gang releases decryption keys for old victims}}, date = {2021-08-12}, organization = {The Record}, url = {https://therecord.media/synack-ransomware-gang-releases-decryption-keys-for-old-victims/}, language = {English}, urldate = {2021-08-15} } @online{cimpanu:20210827:phorpiex:8cf60a5, author = {Catalin Cimpanu}, title = {{Phorpiex botnet shuts down, source code goes up for sale}}, date = {2021-08-27}, organization = {The Record}, url = {https://therecord.media/phorpiex-botnet-shuts-down-source-code-goes-up-for-sale/}, language = {English}, urldate = {2021-08-31} } @online{cimpanu:20210901:confluence:75c7c2e, author = {Catalin Cimpanu}, title = {{Confluence enterprise servers targeted with recent vulnerability}}, date = {2021-09-01}, organization = {The Record}, url = {https://therecord.media/confluence-enterprise-servers-targeted-with-recent-vulnerability/}, language = {English}, urldate = {2021-09-06} } @online{cimpanu:20210910:indonesian:fc06998, author = {Catalin Cimpanu}, title = {{Indonesian intelligence agency compromised in suspected Chinese hack}}, date = {2021-09-10}, organization = {The Record}, url = {https://therecord.media/indonesian-intelligence-agency-compromised-in-suspected-chinese-hack/}, language = {English}, urldate = {2021-09-12} } @online{cimpanu:20210919:alaska:5238129, author = {Catalin Cimpanu}, title = {{Alaska discloses ‘sophisticated’ nation-state cyberattack on health service}}, date = {2021-09-19}, organization = {The Record}, url = {https://therecord.media/alaska-discloses-sophisticated-nation-state-cyberattack-on-health-service/}, language = {English}, urldate = {2021-09-22} } @online{cimpanu:20210929:turkish:2ac5599, author = {Catalin Cimpanu}, title = {{Turkish national charged for DDoS attacks with the WireX botnet}}, date = {2021-09-29}, organization = {The Record}, url = {https://therecord.media/turkish-national-charged-for-ddos-attacks-with-the-wirex-botnet/}, language = {English}, urldate = {2021-10-13} } @online{cimpanu:20211007:google:653f25d, author = {Catalin Cimpanu}, title = {{Google notifies 14,000 Gmail users of targeted APT28 attacks}}, date = {2021-10-07}, organization = {The Record}, url = {https://therecord.media/google-notifies-14000-gmail-users-of-targeted-apt28-attacks/}, language = {English}, urldate = {2021-10-13} } @online{cimpanu:20211007:netherlands:c716790, author = {Catalin Cimpanu}, title = {{Netherlands can use intelligence or armed forces to respond to ransomware attacks}}, date = {2021-10-07}, organization = {The Record}, url = {https://therecord.media/netherlands-can-use-intelligence-or-armed-forces-to-respond-to-ransomware-attacks/}, language = {English}, urldate = {2021-10-13} } @online{cimpanu:20211019:moses:35089a3, author = {Catalin Cimpanu}, title = {{Tweet on Moses Staff}}, date = {2021-10-19}, organization = {Twitter (@campuscodi)}, url = {https://twitter.com/campuscodi/status/1450455259202166799}, language = {English}, urldate = {2022-03-07} } @online{cimpanu:20211022:darkside:27f49ba, author = {Catalin Cimpanu}, title = {{DarkSide ransomware gang moves some of its Bitcoin after REvil got hit by law enforcement}}, date = {2021-10-22}, organization = {The Record}, url = {https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/}, language = {English}, urldate = {2021-11-02} } @online{cimpanu:20211102:destructive:a5ab443, author = {Catalin Cimpanu}, title = {{‘Destructive’ cyberattack hits National Bank of Pakistan}}, date = {2021-11-02}, organization = {The Record}, url = {https://therecord.media/destructive-cyberattack-hits-national-bank-of-pakistan/}, language = {English}, urldate = {2021-11-03} } @online{cimpanu:20211103:blackmatter:04b7414, author = {Catalin Cimpanu}, title = {{BlackMatter ransomware says its shutting down due to pressure from local authorities}}, date = {2021-11-03}, organization = {The Record}, url = {https://therecord.media/blackmatter-ransomware-says-its-shutting-down-due-to-pressure-from-local-authorities/}, language = {English}, urldate = {2021-11-03} } @online{cimpanu:20211104:google:340c884, author = {Catalin Cimpanu}, title = {{Google fixes Android zero-day exploited in the wild in targeted attacks (CVE-2021-1048)}}, date = {2021-11-04}, organization = {The Record}, url = {https://therecord.media/google-fixes-android-zero-day-exploited-in-the-wild-in-targeted-attacks/}, language = {English}, urldate = {2021-11-08} } @online{cimpanu:20211108:us:42947b7, author = {Catalin Cimpanu}, title = {{US arrests and charges Ukrainian man for Kaseya ransomware attack}}, date = {2021-11-08}, organization = {The Record}, url = {https://therecord.media/us-arrests-and-charges-ukrainian-man-for-kaseya-ransomware-attack/}, language = {English}, urldate = {2021-11-09} } @online{cimpanu:20211228:iranian:0d0f5b0, author = {Catalin Cimpanu}, title = {{Iranian hackers behind Cox Media Group ransomware attack (DEV-0270)}}, date = {2021-12-28}, organization = {The Record}, url = {https://therecord.media/iranian-hackers-behind-cox-media-group-ransomware-attack/}, language = {English}, urldate = {2021-12-31} } @online{cimpanu:20220213:san:4feaacb, author = {Catalin Cimpanu}, title = {{San Francisco 49ers confirm ransomware attack}}, date = {2022-02-13}, organization = {The Record}, url = {https://therecord.media/san-francisco-49ers-confirm-ransomware-attack/}, language = {English}, urldate = {2022-02-14} } @online{cimpanu:20220216:red:e3296da, author = {Catalin Cimpanu}, title = {{Red Cross blames hack on Zoho vulnerability, suspects APT attack}}, date = {2022-02-16}, organization = {The Record}, url = {https://therecord.media/red-cross-blames-hack-on-zoho-vulnerability-suspects-apt-attack/}, language = {English}, urldate = {2022-02-19} } @online{cimpanu:20220218:academics:d2f3045, author = {Catalin Cimpanu}, title = {{Academics publish method for recovering data encrypted by the Hive ransomware}}, date = {2022-02-18}, organization = {The Record}, url = {https://therecord.media/academics-publish-method-for-recovering-data-encrypted-by-the-hive-ransomware/}, language = {English}, urldate = {2022-02-19} } @online{cimpanu:20220221:chinese:fe29003, author = {Catalin Cimpanu}, title = {{Chinese hackers linked to months-long attack on Taiwanese financial sector}}, date = {2022-02-21}, organization = {The Record}, url = {https://therecord.media/chinese-hackers-linked-to-months-long-attack-on-taiwanese-financial-sector/}, language = {English}, urldate = {2022-02-26} } @online{cimpanu:20220223:second:960453d, author = {Catalin Cimpanu}, title = {{Second data wiper attack hits Ukraine computer networks}}, date = {2022-02-23}, organization = {The Record}, url = {https://therecord.media/second-data-wiper-attack-hits-ukraine-computer-networks/}, language = {English}, urldate = {2022-03-01} } @online{cimpanu:20220224:trickbot:2f5ab4d, author = {Catalin Cimpanu}, title = {{TrickBot gang shuts down botnet after months of inactivity}}, date = {2022-02-24}, organization = {The Record}, url = {https://therecord.media/trickbot-gang-shuts-down-botnet-after-months-of-inactivity/}, language = {English}, urldate = {2022-03-01} } @online{cimpanu:20220227:conti:935e928, author = {Catalin Cimpanu}, title = {{Conti ransomware gang chats leaked by pro-Ukraine member}}, date = {2022-02-27}, organization = {The Record}, url = {https://therecord.media/conti-ransomware-gang-chats-leaked-by-pro-ukraine-member/}, language = {English}, urldate = {2022-03-01} } @online{cip:20220325:who:e75f0ac, author = {State Service of Special Communication and Information Protection of Ukraine (CIP)}, title = {{Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22}}, date = {2022-03-25}, organization = {GOV.UA}, url = {https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya}, language = {English}, urldate = {2022-03-28} } @techreport{circl:20130329:analysis:b3c48b0, author = {CIRCL}, title = {{Analysis Report (TLP:WHITE) Analysis of a PlugX variant (PlugX version 7.0)}}, date = {2013-03-29}, institution = {Computer Incident Response Center Luxembourg}, url = {https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf}, language = {English}, urldate = {2019-11-24} } @techreport{circl:20130529:malware:cd9f6f8, author = {CIRCL}, title = {{Malware analysis report of a Backdoor.Snifula variant}}, date = {2013-05-29}, institution = {CIRCL}, url = {https://www.circl.lu/assets/files/tr-13/tr-13-snifula-analysis-report-v1.3.pdf}, language = {English}, urldate = {2019-07-11} } @techreport{circl:20130530:analysis:e828e08, author = {CIRCL}, title = {{Analysis of a stage 3 Miniduke sample}}, date = {2013-05-30}, institution = {CIRCL}, url = {https://www.circl.lu/files/tr-14/circl-analysisreport-miniduke-stage3-public.pdf}, language = {English}, urldate = {2020-01-08} } @online{circl:20141126:tr23:fb5d867, author = {CIRCL}, title = {{TR-23 Analysis - NetWiredRC malware}}, date = {2014-11-26}, organization = {CIRCL}, url = {https://www.circl.lu/pub/tr-23/}, language = {English}, urldate = {2020-01-09} } @online{circl:2014:tr25:97f9b0e, author = {CIRCL}, title = {{TR-25 Analysis - Turla / Pfinet / Snake/ Uroburos}}, date = {2014}, organization = {circl.lu}, url = {https://www.circl.lu/pub/tr-25/}, language = {English}, urldate = {2020-07-01} } @online{circl:20211110:tr64:37ab4d8, author = {CIRCL}, title = {{TR-64 - Exploited Exchange Servers - Mails with links to malware from known/valid senders}}, date = {2021-11-10}, organization = {CIRCL}, url = {https://www.circl.lu/pub/tr-64/}, language = {English}, urldate = {2021-11-25} } @online{cirlig:202104:pareto:eb7b26c, author = {Gabi Cirlig and Vikas Parthasarathy and Michael Moran and Michael McNally and Inna Vasilyeva and Mikhail Venkov and Federico Harrington and Adam Sell}, title = {{PARETO: A Technical Analysis}}, date = {2021-04}, organization = {humansecurity}, url = {https://www.humansecurity.com/blog/pareto-a-technical-analysis}, language = {English}, urldate = {2021-04-29} } @online{cisa:20170412:ics:0d94c2e, author = {CISA}, title = {{ICS Alert (ICS-ALERT-17-102-01A)}}, date = {2017-04-12}, organization = {CISA}, url = {https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-102-01A}, language = {English}, urldate = {2020-01-09} } @online{cisa:20170612:alert:7799e28, author = {CISA}, title = {{Alert (TA17-163A)}}, date = {2017-06-12}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/alerts/TA17-163A}, language = {English}, urldate = {2020-01-08} } @online{cisa:20180809:malware:71c0559, author = {CISA}, title = {{Malware Analysis Report (AR18-221A)}}, date = {2018-08-09}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/analysis-reports/AR18-221A}, language = {English}, urldate = {2020-01-07} } @online{cisa:20190509:malware:0fa3b40, author = {CISA}, title = {{Malware Analysis Report (AR19-129A)}}, date = {2019-05-09}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/analysis-reports/AR19-129A}, language = {English}, urldate = {2020-01-08} } @online{cisa:20190909:malware:f266520, author = {CISA}, title = {{Malware Analysis Report (AR19-252A)}}, date = {2019-09-09}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar19-252a}, language = {English}, urldate = {2020-01-07} } @online{cisa:20191031:malware:4eccc2d, author = {CISA}, title = {{Malware Analysis Report (AR19-304A)}}, date = {2019-10-31}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar19-304a}, language = {English}, urldate = {2020-01-09} } @online{cisa:2019:hidden:52ee565, author = {CISA}, title = {{HIDDEN COBRA - North Korean Malicious Cyber Activity}}, date = {2019}, organization = {CISA}, url = {https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity}, language = {English}, urldate = {2020-01-07} } @online{cisa:20200826:alert:91b063b, author = {CISA and U.S. Department of the Treasury and FBI and U.S. Cyber Command}, title = {{Alert (AA20-239A): FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks}}, date = {2020-08-26}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa20-239a}, language = {English}, urldate = {2022-04-20} } @online{cisa:20200826:mar103017061v1:735a8fc, author = {CISA}, title = {{MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON}}, date = {2020-08-26}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239a}, language = {English}, urldate = {2020-09-01} } @online{cisa:20200826:mar103017062v1:e64b3ac, author = {CISA}, title = {{MAR-10301706-2.v1 - North Korean Remote Access Tool: VIVACIOUSGIFT}}, date = {2020-08-26}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239b}, language = {English}, urldate = {2020-09-01} } @techreport{cisa:20201028:aa20302a:80b6a06, author = {CISA and FBI and HHS}, title = {{AA20-302A: Ransomware Activity Targeting the Healthcare and Public Health Sector}}, date = {2020-10-28}, institution = {CISA}, url = {https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf}, language = {English}, urldate = {2020-11-02} } @online{cisa:20201213:active:44eb4a4, author = {CISA}, title = {{Active Exploitation of SolarWinds Software}}, date = {2020-12-13}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software}, language = {English}, urldate = {2020-12-15} } @online{cisa:20210217:malware:18c1b8e, author = {CISA}, title = {{Malware Analysis Report (AR21-048B): AppleJeus: JMT Trading}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b}, language = {English}, urldate = {2021-02-20} } @online{cisa:20210217:malware:191d7ae, author = {CISA}, title = {{Malware Analysis Report (AR21-048F): AppleJeus: Dorusio}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048f}, language = {English}, urldate = {2021-02-20} } @online{cisa:20210217:malware:39df9f4, author = {CISA}, title = {{Malware Analysis Report (AR21-048A): AppleJeus: Celas Trade Pro}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a}, language = {English}, urldate = {2021-02-20} } @online{cisa:20210217:malware:47648b1, author = {CISA}, title = {{Malware Analysis Report (AR21-048G): AppleJeus: Ants2Whale}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048g}, language = {English}, urldate = {2021-02-20} } @online{cisa:20210217:malware:5113e30, author = {CISA}, title = {{Malware Analysis Report (AR21-048E): AppleJeus: CoinGoTrade}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e}, language = {English}, urldate = {2021-02-20} } @online{cisa:20210217:malware:59e2d5d, author = {CISA}, title = {{Malware Analysis Report (AR21-048D): AppleJeus: Kupay Wallet}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048d}, language = {English}, urldate = {2021-02-20} } @online{cisa:20210217:malware:5fa5db6, author = {CISA}, title = {{Malware Analysis Report (AR21-048C): AppleJeus: Union Crypto}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c}, language = {English}, urldate = {2021-02-20} } @online{cisa:20210303:alert:c05160a, author = {CISA}, title = {{Alert (AA21-062A): Mitigate Microsoft Exchange Server Vulnerabilities}}, date = {2021-03-03}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/alerts/aa21-062a}, language = {English}, urldate = {2021-03-10} } @online{cisa:20210310:remediating:23bf74d, author = {CISA}, title = {{Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise}}, date = {2021-03-10}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/remediating-apt-compromised-networks}, language = {English}, urldate = {2021-03-12} } @online{cisa:20210318:cisa:49f510f, author = {CISA}, title = {{CISA Hunt and Incident Response Program (CHIRP)}}, date = {2021-03-18}, organization = {Github (cisagov)}, url = {https://github.com/cisagov/CHIRP}, language = {English}, urldate = {2021-03-19} } @techreport{cisa:20210402:joint:cc385f7, author = {CISA and FBI}, title = {{Joint CSA AA21-092A: APT Actors Exploit Vulnerabilitiesto Gain Initial Access for Future Attacks}}, date = {2021-04-02}, institution = {}, url = {https://www.ic3.gov/Media/News/2021/210402.pdf}, language = {English}, urldate = {2021-04-06} } @techreport{cisa:20210426:russian:0ef89c2, author = {CISA and FBI and Department of Homeland Security}, title = {{Russian Foreign Intelligence Service (SVR)Cyber Operations: Trends and Best Practices for Network Defenders}}, date = {2021-04-26}, institution = {CISA}, url = {https://us-cert.cisa.gov/sites/default/files/publications/AA21-116A_Russian_Foreign_Intelligence_Service_Cyber_Operations_508C.pdf}, language = {English}, urldate = {2021-04-29} } @online{cisa:20210506:analysis:9b259c7, author = {CISA}, title = {{Analysis Report: FiveHands Ransomware}}, date = {2021-05-06}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a}, language = {English}, urldate = {2021-05-08} } @online{cisa:20210506:mar103247841v1:408b7aa, author = {CISA}, title = {{MAR-10324784-1.v1: FiveHands Ransomware}}, date = {2021-05-06}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126b}, language = {English}, urldate = {2021-05-08} } @techreport{cisa:20210701:russian:4127fc7, author = {CISA and FBI and NSA and NCSC UK}, title = {{Russian GRU (APT28) Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments}}, date = {2021-07-01}, institution = {}, url = {https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF}, language = {English}, urldate = {2021-07-11} } @online{cisa:20210719:alert:bc070a7, author = {CISA}, title = {{Alert (AA21-200B): Chinese State-Sponsored Cyber Operations: Observed TTPs}}, date = {2021-07-19}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/alerts/aa21-200b}, language = {English}, urldate = {2021-07-22} } @online{cisa:20210728:top:78a1031, author = {CISA and Australian Cyber Security Centre (ACSC) and NCSC UK and FBI}, title = {{Top Routinely Exploited Vulnerabilities}}, date = {2021-07-28}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/alerts/aa21-209a}, language = {English}, urldate = {2021-07-29} } @techreport{cisa:20211117:cybersecurity:28e0ecc, author = {CISA}, title = {{Cybersecurity Incident & Vulnerability Response Playbooks}}, date = {2021-11-17}, institution = {CISA}, url = {https://www.cisa.gov/sites/default/files/publications/Federal_Government_Cybersecurity_Incident_and_Vulnerability_Response_Playbooks_508C.pdf}, language = {English}, urldate = {2021-11-19} } @online{cisa:20211222:alert:635c59b, author = {CISA and FBI and NSA and Australian Cyber Security Centre (ACSC) and Canadian Centre for Cyber Security (CCCS) and Computer Emergency Response Team New Zealand (CERT NZ) and New Zealand National Cyber Security Centre (NZ NCSC) and United Kingdom’s National Cyber Security Centre (NCSC-UK)}, title = {{Alert (AA21-356A) Mitigating Log4Shell and Other Log4j-Related Vulnerabilities}}, date = {2021-12-22}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa21-356a}, language = {English}, urldate = {2021-12-23} } @techreport{cisa:20220111:understanding:07bbdcf, author = {CISA and FBI and NSA}, title = {{Understanding and Mitigating Russian State- Sponsored Cyber Threats to U.S. Critical Infrastructure}}, date = {2022-01-11}, institution = {}, url = {https://media.defense.gov/2022/Jan/11/2002919950/-1/-1/1/JOINT_CSA_UNDERSTANDING_MITIGATING_RUSSIAN_CYBER_THREATS_TO_US_CRITICAL_INFRASTRUCTURE_20220111.PDF}, language = {English}, urldate = {2022-01-18} } @techreport{cisa:20220111:understanding:aae8b36, author = {CISA and FBI and NSA}, title = {{Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure}}, date = {2022-01-11}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-011A_Joint_CSA_Understanding_and_Mitigating%20_Russian_Cyber_Threats_to_US_Critical_Infrastructure_TLP-WHITE_01-10-22_v1.pdf}, language = {English}, urldate = {2022-04-07} } @techreport{cisa:20220209:alert:be2567f, author = {CISA and FBI and NSA and Australian Cyber Security Centre (ACSC) and NCSC UK}, title = {{Alert (AA22-040A) 2021 Trends Show Increased Globalized Threat of Ransomware}}, date = {2022-02-09}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-040A_2021_Trends_Show_Increased_Globalized_Threat_of_Ransomware_508.pdf}, language = {English}, urldate = {2022-04-07} } @techreport{cisa:20220223:advisory:56f6379, author = {CISA and NCSC UK and FBI and NSA}, title = {{Advisory: New Sandworm malware Cyclops Blink replaces VPNFilter}}, date = {2022-02-23}, institution = {}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-054A%20New%20Sandworm%20Malware%20Cyclops%20Blink%20Replaces%20VPN%20Filter.pdf}, language = {English}, urldate = {2022-02-26} } @online{cisa:20220223:alert:3e2924e, author = {CISA}, title = {{Alert (AA22-054A) New Sandworm Malware Cyclops Blink Replaces VPNFilter}}, date = {2022-02-23}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-054a}, language = {English}, urldate = {2022-02-26} } @online{cisa:20220226:alert:48440b6, author = {CISA}, title = {{Alert (AA22-057A) Destructive Malware Targeting Organizations in Ukraine}}, date = {2022-02-26}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-057a}, language = {English}, urldate = {2022-03-01} } @techreport{cisa:20220226:destructive:be5862b, author = {CISA and FBI}, title = {{Destructive Malware Targeting Organizations in Ukraine}}, date = {2022-02-26}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-057A_Destructive_Malware_Targeting_Organizations_in_Ukraine.pdf}, language = {English}, urldate = {2022-03-01} } @techreport{cisa:20220418:aa22108a:a0a81c6, author = {CISA and U.S. Department of the Treasury and FBI}, title = {{AA22-108A: TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies (PDF)}}, date = {2022-04-18}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-108A-TraderTraitor-North_Korea_APT_Targets_Blockchain_Companies.pdf}, language = {English}, urldate = {2022-04-20} } @online{cisa:20220418:alert:dcc72c0, author = {CISA and FBI and U.S. Department of the Treasury}, title = {{Alert (AA22-108A): TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies}}, date = {2022-04-18}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-108a}, language = {English}, urldate = {2022-04-25} } @techreport{cisa:20220420:aa22110a:4fde5d6, author = {CISA and NSA and FBI and Australian Cyber Security Centre (ACSC) and Canadian Centre for Cyber Security (CCCS) and Government Communications Security Bureau and NCSC UK and National Crime Agency (NCA)}, title = {{AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}}, date = {2022-04-20}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf}, language = {English}, urldate = {2022-04-25} } @online{cisa:20220420:alert:529e28c, author = {CISA}, title = {{Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}}, date = {2022-04-20}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-110a}, language = {English}, urldate = {2022-04-25} } @online{cisa:20220427:alert:e02c831, author = {CISA and NSA and FBI and Australian Cyber Security Centre (ACSC) and Canadian Centre for Cyber Security (CCCS) and New Zealand National Cyber Security Centre (NZ NCSC) and United Kingdom’s National Cyber Security Centre (NCSC-UK)}, title = {{Alert (AA22-117A) 2021 Top Routinely Exploited Vulnerabilities}}, date = {2022-04-27}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-117a}, language = {English}, urldate = {2022-04-29} } @online{cisa:20220601:alert:f73857d, author = {CISA and FBI and Department of the Treasury (Treasury) and FINCEN}, title = {{Alert (AA22-152A): Karakurt Data Extortion Group}}, date = {2022-06-01}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-152a}, language = {English}, urldate = {2022-06-02} } @techreport{citizenlab:20100406:shadows:0ddd0ca, author = {CitizenLab and Information Warfare Monitor and Shadowserver Foundation}, title = {{SHADOWS IN THE CLOUD: Investigating Cyber Espionage 2.0}}, date = {2010-04-06}, institution = {CitizenLab}, url = {https://citizenlab.ca/wp-content/uploads/2017/05/shadows-in-the-cloud.pdf}, language = {English}, urldate = {2020-01-13} } @online{citizenlab:20200609:dark:6fc74ec, author = {CitizenLab}, title = {{Dark Basin Indicators of Compromise}}, date = {2020-06-09}, organization = {Github (citizenlab)}, url = {https://github.com/citizenlab/malware-indicators/tree/master/202006_DarkBasin}, language = {English}, urldate = {2020-11-02} } @online{citizenlab:20211108:devices:47e5c60, author = {CitizenLab}, title = {{Devices of Palestinian Human Rights Defenders Hacked with NSO Group’s Pegasus Spyware}}, date = {2021-11-08}, organization = {CitizenLab}, url = {https://citizenlab.ca/2021/11/palestinian-human-rights-defenders-hacked-nso-groups-pegasus-spyware/}, language = {English}, urldate = {2021-11-08} } @online{ciuleanu:20220520:mirai:77360aa, author = {Vlad Ciuleanu}, title = {{Mirai Malware Variants for Linux Double Down on Stronger Chips in Q1 2022}}, date = {2022-05-20}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/linux-mirai-malware-double-on-stronger-chips/}, language = {English}, urldate = {2022-05-25} } @online{civil:20210714:civil:e46ca2f, author = {Guardia Civil}, title = {{The Civil Guard dismantles an important network dedicated to committing scams through the Internet}}, date = {2021-07-14}, organization = {Guardia Civil}, url = {http://www.interior.gob.es/prensa/noticias/-/asset_publisher/GHU8Ap6ztgsg/content/id/13552853}, language = {Spanish}, urldate = {2021-07-20} } @online{civilsphereproject:20210921:capturing:60e5728, author = {civilsphereproject}, title = {{Capturing and Detecting AndroidTester Remote Access Trojan with the Emergency VPN}}, date = {2021-09-21}, organization = {civilsphereproject}, url = {https://www.civilsphereproject.org/blog/2021/9/21/capturing-and-detecting-androidtester-remote-access-trojan-with-the-emergency-vpn}, language = {English}, urldate = {2021-09-22} } @online{clapp:20210505:viruses:aab7c1a, author = {Kelsey Clapp}, title = {{Viruses to Violations - TrickBot's Shift in Tactics During the Pandemic}}, date = {2021-05-05}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/298c9fc9}, language = {English}, urldate = {2021-05-26} } @online{clapp:20210922:bom:b738b21, author = {Kelsey Clapp and Jordan Herman}, title = {{The Bom Skimmer and MageCart Group 7}}, date = {2021-09-22}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/743ea75b/description}, language = {English}, urldate = {2021-09-24} } @online{clapp:20211103:vagabon:d24a68e, author = {Kelsey Clapp}, title = {{Vagabon PhishKit - An Example of Shared Code Modularity}}, date = {2021-11-03}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/17d2262c}, language = {English}, urldate = {2021-11-08} } @online{clapp:20211203:woos:020f03d, author = {Kelsey Clapp}, title = {{Woo's There? Magecart Targets WooCommerce}}, date = {2021-12-03}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/2efc2782}, language = {English}, urldate = {2021-12-07} } @online{clapp:20220510:commodity:7703042, author = {Kelsey Clapp}, title = {{Commodity Skimming & Magecart Trends in First Quarter of 2022}}, date = {2022-05-10}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/017cf2e6}, language = {English}, urldate = {2022-05-17} } @techreport{clarke:20201130:its:1b6b681, author = {Mitchell Clarke and Tom Hall}, title = {{It's not FINished The Evolving Maturity in Ransomware Operations}}, date = {2020-11-30}, institution = {FireEye}, url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf}, language = {English}, urldate = {2020-12-14} } @techreport{clarke:20201209:its:c312acc, author = {Mitchell Clarke and Tom Hall}, title = {{It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES)}}, date = {2020-12-09}, institution = {FireEye}, url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf}, language = {English}, urldate = {2020-12-15} } @online{clarke:20210324:oauth:5092c3f, author = {Itir Clarke and Assaf Friedman}, title = {{OAuth Abuse: Think SolarWinds/Solorigate Campaign with Focus on Cloud Applications}}, date = {2021-03-24}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/cloud-security/oauth-abuse-think-solarwindssolorigate-campaign-focus-cloud-applications}, language = {English}, urldate = {2021-03-25} } @online{cleafy:20210510:teabot:8998a59, author = {Cleafy}, title = {{TeaBot: a new Android malware emerged in Italy, targets banks in Europe}}, date = {2021-05-10}, organization = {Cleafy}, url = {https://www.cleafy.com/documents/teabot}, language = {English}, urldate = {2021-05-11} } @online{cleafy:20210727:oscorp:7f7fcd5, author = {Cleafy}, title = {{Oscorp evolves into UBEL: an advanced Android malware spreading across the globe}}, date = {2021-07-27}, organization = {Cleafy}, url = {https://www.cleafy.com/cleafy-labs/ubel-oscorp-evolution}, language = {English}, urldate = {2021-07-27} } @online{cleafy:20211025:digital:48fbdf8, author = {Cleafy}, title = {{Digital banking fraud: how the Gozi malware works}}, date = {2021-10-25}, organization = {Cleafy}, url = {https://www.cleafy.com/cleafy-labs/digital-banking-fraud-how-the-gozi-malware-work}, language = {English}, urldate = {2021-11-02} } @online{cleafy:20211111:sharkbot:efbc5a5, author = {Cleafy}, title = {{SharkBot: a new generation of Android Trojans is targeting banks in Europe}}, date = {2021-11-11}, organization = {Cleafy}, url = {https://www.cleafy.com/cleafy-labs/sharkbot-a-new-generation-of-android-trojan-is-targeting-banks-in-europe}, language = {English}, urldate = {2021-11-17} } @online{cleafy:20211203:mobile:4153ff9, author = {Cleafy}, title = {{Mobile banking fraud: BRATA strikes again}}, date = {2021-12-03}, organization = {Cleafy}, url = {https://www.cleafy.com/cleafy-labs/mobile-banking-fraud-brata-strikes-again}, language = {English}, urldate = {2021-12-13} } @online{cleafy:20220124:how:b4fcbab, author = {Cleafy}, title = {{How BRATA is monitoring your bank account}}, date = {2022-01-24}, organization = {Cleafy}, url = {https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account}, language = {English}, urldate = {2022-01-25} } @online{cleafy:20220301:teabot:bc307ec, author = {Cleafy}, title = {{TeaBot is now spreading across the globe}}, date = {2022-03-01}, organization = {Cleafy}, url = {https://www.cleafy.com/cleafy-labs/teabot-is-now-spreading-across-the-globe}, language = {English}, urldate = {2022-03-02} } @online{cleafy:20220627:revive:e305f85, author = {Cleafy}, title = {{Revive: from spyware to Android banking trojan}}, date = {2022-06-27}, organization = {Cleafy}, url = {https://www.cleafy.com/cleafy-labs/revive-from-spyware-to-android-banking-trojan}, language = {English}, urldate = {2022-06-29} } @techreport{clearsky:201707:operationwilted:7e57e58, author = {ClearSky and Trend Micro}, title = {{OperationWilted Tulip}}, date = {2017-07}, institution = {ClearSky}, url = {https://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf}, language = {English}, urldate = {2020-01-06} } @online{clearsky:20180213:enfal:e063cf1, author = {ClearSky}, title = {{Tweet on Enfal loader}}, date = {2018-02-13}, organization = {Twitter (@ClearskySec)}, url = {https://twitter.com/ClearskySec/status/963829930776723461}, language = {English}, urldate = {2019-07-10} } @techreport{clearsky:20201015:operation:dead010, author = {ClearSky}, title = {{Operation Quicksand: MuddyWater’s Offensive Attack Against Israeli Organizations}}, date = {2020-10-15}, institution = {ClearSky}, url = {https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf}, language = {English}, urldate = {2020-10-21} } @techreport{clearsky:202105:attributing:67fb261, author = {ClearSky}, title = {{Attributing Attacks Against Crypto Exchanges to LAZARUS – North Korea}}, date = {2021-05}, institution = {ClearSky}, url = {https://www.clearskysec.com/wp-content/uploads/2021/05/CryptoCore-Lazarus-Clearsky.pdf}, language = {English}, urldate = {2021-06-09} } @techreport{clearsky:20210817:new:573e4e4, author = {ClearSky}, title = {{New Iranian Espionage Campaign By “Siamesekitten” - Lyceum}}, date = {2021-08-17}, institution = {ClearSky}, url = {https://www.clearskysec.com/wp-content/uploads/2021/08/Siamesekitten.pdf}, language = {English}, urldate = {2021-08-25} } @online{clinton:20211021:stopping:3c26152, author = {Alex Clinton and Tasha Robinson}, title = {{Stopping GRACEFUL SPIDER: Falcon Complete’s Fast Response to Recent SolarWinds Serv-U Exploit Campaign}}, date = {2021-10-21}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/}, language = {English}, urldate = {2021-11-02} } @online{clueley:20200109:man:cea3f4b, author = {Graham Clueley}, title = {{Man jailed for using webcam RAT to spy on women in their bedrooms}}, date = {2020-01-09}, organization = {The State of Security}, url = {https://www.tripwire.com/state-of-security/featured/man-jailed-using-webcam-rat-women-bedrooms/}, language = {English}, urldate = {2020-01-20} } @online{cluley:20121113:new:627d122, author = {Graham Cluley}, title = {{New variant of Mac Trojan discovered, targeting Tibet}}, date = {2012-11-13}, organization = {Sophos}, url = {https://nakedsecurity.sophos.com/2012/11/13/new-mac-trojan/}, language = {English}, urldate = {2020-01-08} } @online{cluley:20150526:moose:4cb9940, author = {Graham Cluley}, title = {{Moose – the router worm with an appetite for social networks}}, date = {2015-05-26}, organization = {ESET Research}, url = {http://www.welivesecurity.com/2015/05/26/moose-router-worm/}, language = {English}, urldate = {2019-12-20} } @online{cluley:20170830:new:c821389, author = {Graham Cluley}, title = {{New ESET research uncovers Gazer, the stealthy backdoor that spies on embassies}}, date = {2017-08-30}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/}, language = {English}, urldate = {2019-11-14} } @online{cluley:20170904:despite:6f4a25f, author = {Graham Cluley}, title = {{Despite appearances, WikiLeaks wasn’t hacked}}, date = {2017-09-04}, organization = {Graham Cluley Blog}, url = {https://www.grahamcluley.com/despite-appearances-wikileaks-wasnt-hacked/}, language = {English}, urldate = {2019-11-28} } @online{cluley:20200409:travelex:bb5a2d7, author = {Graham Cluley}, title = {{Travelex paid hackers $2.3 million worth of Bitcoin after ransomware attack}}, date = {2020-04-09}, organization = {Graham Cluley Blog}, url = {https://www.grahamcluley.com/travelex-paid-ransom/}, language = {English}, urldate = {2020-04-26} } @online{cluley:20200505:kaiji:94f85b6, author = {Graham Cluley}, title = {{Kaiji – a new strain of IoT malware seizing control and launching DDoS attacks}}, date = {2020-05-05}, organization = {Bitdefender}, url = {https://www.bitdefender.com/box/blog/iot-news/kaiji-new-strain-iot-malware-seizing-control-launching-ddos-attacks/}, language = {English}, urldate = {2020-05-06} } @techreport{cluster25:202105:not:0bf7be8, author = {Cluster25}, title = {{A Not So Fancy Game: Exploring the New SkinnyBoy Bear's Backdoor}}, date = {2021-05}, institution = {Cluster25}, url = {https://cluster25.io/wp-content/uploads/2021/05/2021-05_FancyBear.pdf}, language = {English}, urldate = {2021-06-07} } @techreport{cluster25:20210910:rattlesnake:7bbbd1f, author = {Cluster25}, title = {{A rattlesnake in the Navy}}, date = {2021-09-10}, institution = {Cluster25}, url = {https://cluster25.io/wp-content/uploads/2021/09/a_rattlesnake_in_the_navy.pdf}, language = {English}, urldate = {2021-09-12} } @online{cluster25:20220224:ukraine:3000c86, author = {Cluster25}, title = {{Ukraine: Analysis Of The New Disk-Wiping Malware (HermeticWiper)}}, date = {2022-02-24}, url = {https://cluster25.io/2022/02/24/ukraine-analysis-of-the-new-disk-wiping-malware/}, language = {English}, urldate = {2022-03-01} } @online{cluster25:20220302:contis:27cb79d, author = {Cluster25}, title = {{Conti's Source Code: Deep-Dive Into}}, date = {2022-03-02}, organization = {Cluster25}, url = {https://cluster25.io/2022/03/02/contis-source-code-deep-dive-into/}, language = {English}, urldate = {2022-03-07} } @online{cluster25:20220308:ghostwriter:3f0d3c1, author = {Cluster25}, title = {{GhostWriter / UNC1151 adopts MicroBackdoor Variants in Cyber Operations against Ukraine}}, date = {2022-03-08}, organization = {Cluster25}, url = {https://cluster25.io/2022/03/08/ghostwriter-unc1151-adopts-microbackdoor-variants-in-cyber-operations-against-targets-in-ukraine/}, language = {English}, urldate = {2022-03-10} } @online{cluster25:20220429:lotus:c5520e5, author = {Cluster25}, title = {{The LOTUS PANDA Is Awake, Again. Analysis Of Its Last Strike.}}, date = {2022-04-29}, organization = {Cluster25}, url = {https://cluster25.io/2022/04/29/lotus-panda-awake-last-strike/}, language = {English}, urldate = {2022-04-29} } @online{cluster25:20220503:strange:1481afa, author = {Cluster25}, title = {{The Strange Link Between A Destructive Malware And A Ransomware-Gang Linked Custom Loader: IsaacWiper Vs Vatet}}, date = {2022-05-03}, organization = {Cluster25}, url = {https://cluster25.io/2022/05/03/a-strange-link-between-a-destructive-malware-and-the-loader-of-a-ransomware-group-isaacwiper-vs-vatet/}, language = {English}, urldate = {2022-05-04} } @online{cluster25:20220513:cozy:44aa396, author = {Cluster25}, title = {{Cozy Smuggled Into The Box: APT29 Abusing Legitimate Software For Targeted Operations In Europe}}, date = {2022-05-13}, organization = {Cluster25}, url = {https://cluster25.io/2022/05/13/cozy-smuggled-into-the-box/}, language = {English}, urldate = {2022-05-17} } @online{cn33liz:20170605:javascript:36e302d, author = {Cn33liz}, title = {{A JavaScript and VBScript Based Empire Launcher - by Cn33liz 2017}}, date = {2017-06-05}, organization = {Github (Cn33liz)}, url = {https://github.com/Cn33liz/StarFighters}, language = {English}, urldate = {2020-04-07} } @online{cna:201901:destructive:38ed2c3, author = {Saudi Arabia CNA}, title = {{Destructive Attack “DUSTMAN” Technical Report}}, date = {2019-01}, organization = {Saudi Arabia CNA}, url = {https://www.scribd.com/document/442225568/Saudi-Arabia-CNA-report}, language = {English}, urldate = {2020-01-13} } @online{cncert:20210628:analysis:0eea3df, author = {CNCERT}, title = {{Analysis of the new P2P botnet PBot}}, date = {2021-06-28}, organization = {CN CERT}, url = {https://www.cert.org.cn/publish/main/11/2021/20210628133948926376206/20210628133948926376206_.html}, language = {Chinese}, urldate = {2021-09-14} } @online{cobb:20130502:stealthiness:6579e26, author = {Stephen Cobb}, title = {{The stealthiness of Linux/Cdorked: a clarification}}, date = {2013-05-02}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2013/05/02/the-stealthiness-of-linuxcdorked-a-clarification/}, language = {English}, urldate = {2019-11-14} } @online{cobli:20180618:six:c3dc8c0, author = {Claudiu Cobliș and Cristian Istrate and Cornel Punga and Andrei Ardelean}, title = {{Six Years and Counting: Inside the Complex Zacinlo Ad Fraud Operation}}, date = {2018-06-18}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/wp-content/uploads/downloads/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/}, language = {English}, urldate = {2020-07-08} } @techreport{cocomazzi:20220324:ransomware:be706fa, author = {Antonio Cocomazzi}, title = {{Ransomware Encryption Internals: A Behavioral Characterization}}, date = {2022-03-24}, institution = {SentinelOne}, url = {https://raw.githubusercontent.com/antonioCoco/infosec-talks/main/InsomniHack_2022_Ransomware_Encryption_Internals.pdf}, language = {English}, urldate = {2022-03-25} } @online{cocomelonc:20220402:malware:48c405d, author = {cocomelonc}, title = {{Malware development tricks. Find kernel32.dll base: asm style. C++ example.}}, date = {2022-04-02}, organization = {Github (cocomelonc)}, url = {https://cocomelonc.github.io/tutorial/2022/04/02/malware-injection-18.html}, language = {English}, urldate = {2022-04-07} } @online{codeandsec:20141002:finfisher:3b1d9c1, author = {CodeAndSec}, title = {{FinFisher Malware Analysis - Part 2}}, date = {2014-10-02}, organization = {CodeAndSec}, url = {https://www.codeandsec.com/FinFisher-Malware-Analysis-Part-2}, language = {English}, urldate = {2020-03-19} } @online{codercto:20181220:analysis:60da1aa, author = {Codercto}, title = {{Analysis of the attack activities of Hailian Lotus APT group against large domestic investment companies}}, date = {2018-12-20}, organization = {Codercto}, url = {https://www.codercto.com/a/46729.html}, language = {Chinese}, urldate = {2020-01-07} } @online{coding:20140801:soraya:4e51b2f, author = {Coding and Security}, title = {{Soraya Malware Analysis - Dropper}}, date = {2014-08-01}, organization = {Coding and Security}, url = {https://www.codeandsec.com/Soraya-Malware-Analysis-Dropper}, language = {English}, urldate = {2020-01-09} } @online{coding:20161203:sophisticated:af2cbb4, author = {Coding and Security}, title = {{"Sophisticated" and "Genius" Shamoon 2.0 Malware Analysis}}, date = {2016-12-03}, organization = {Coding and Security}, url = {https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis}, language = {English}, urldate = {2020-01-08} } @online{coene:20220224:threat:f0dba09, author = {Michel Coene}, title = {{Threat Update – Ukraine & Russia conflict}}, date = {2022-02-24}, organization = {nviso}, url = {https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/}, language = {English}, urldate = {2022-03-01} } @online{cofense:20170323:tales:cbdee9a, author = {Cofense}, title = {{Tales from the Trenches: Loki Bot Malware}}, date = {2017-03-23}, organization = {Cofense}, url = {https://phishme.com/loki-bot-malware/}, language = {English}, urldate = {2019-12-02} } @online{cofense:20190121:kutaki:3bff835, author = {Cofense}, title = {{The Kutaki Malware Bypasses Gateways to Steal Users’ Credentials}}, date = {2019-01-21}, organization = {Cofense}, url = {https://cofense.com/kutaki-malware-bypasses-gateways-steal-users-credentials/}, language = {English}, urldate = {2020-01-06} } @online{cofense:20201029:online:867b653, author = {Cofense}, title = {{Online Leader Invites You to This Webex Phish}}, date = {2020-10-29}, organization = {Cofense}, url = {https://cofense.com/online-leader-invites-you-to-this-webex-phish/}, language = {English}, urldate = {2020-11-02} } @online{cofense:20211021:missed:0f171ba, author = {Cofense}, title = {{“Missed Voice Message,” the Latest Phishing Lure}}, date = {2021-10-21}, organization = {Cofense}, url = {https://cofense.com/blog/missed-voice-message-phish/}, language = {English}, urldate = {2021-10-26} } @online{cognizant:20200418:cognizant:0e20ac0, author = {Cognizant}, title = {{Cognizant Security Incident Update}}, date = {2020-04-18}, organization = {Cognizant}, url = {https://web.archive.org/save/https://news.cognizant.com/2020-04-18-cognizant-security-update}, language = {English}, urldate = {2020-04-20} } @techreport{cognizant:20200617:notice:37fe994, author = {Cognizant}, title = {{Notice of Data Breach}}, date = {2020-06-17}, institution = {Cognizant}, url = {https://oag.ca.gov/system/files/Letter%204.pdf}, language = {English}, urldate = {2020-06-18} } @online{cohen:20180521:decrypting:37d595c, author = {Itay Cohen}, title = {{Decrypting APT33’s Dropshot Malware with Radare2 and Cutter – Part 1}}, date = {2018-05-21}, organization = {MegaBeets}, url = {https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-1/}, language = {English}, urldate = {2019-07-10} } @online{cohen:20180629:backswap:1605a3d, author = {Ruby Cohen and Doron Voolf}, title = {{BackSwap Defrauds Online Banking Customers Using Hidden Input Fields}}, date = {2018-06-29}, organization = {F5}, url = {https://www.f5.com/labs/articles/threat-intelligence/backswap-defrauds-online-banking-customers-using-hidden-input-fi}, language = {English}, urldate = {2020-01-10} } @online{cohen:20180820:ryuk:5756495, author = {Itay Cohen and Ben Herzog}, title = {{Ryuk Ransomware: A Targeted Campaign Break-Down}}, date = {2018-08-20}, organization = {Check Point}, url = {https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/}, language = {English}, urldate = {2019-12-10} } @online{cohen:20181130:evolution:045e447, author = {Itay Cohen}, title = {{The Evolution of BackSwap}}, date = {2018-11-30}, organization = {Check Point}, url = {https://research.checkpoint.com/the-evolution-of-backswap/}, language = {English}, urldate = {2020-01-10} } @online{cohen:20190117:qealler:3db4f96, author = {David Cohen}, title = {{Qealler — The Silent Java Credential Thief}}, date = {2019-01-17}, organization = {CyberArk}, url = {https://www.cyberark.com/threat-research-blog/qealler-the-silent-java-credential-thief/}, language = {English}, urldate = {2020-05-18} } @online{cohen:20190424:deobfuscating:581c86e, author = {Itay Cohen}, title = {{Deobfuscating APT32 Flow Graphs with Cutter and Radare2}}, date = {2019-04-24}, organization = {Check Point Research}, url = {https://research.checkpoint.com/deobfuscating-apt32-flow-graphs-with-cutter-and-radare2/}, language = {English}, urldate = {2020-05-06} } @techreport{cohen:20200224:analyzing:57cc981, author = {Ben Cohen}, title = {{Analyzing the Raccoon Stealer}}, date = {2020-02-24}, institution = {CyberArk}, url = {https://lp.cyberark.com/rs/316-CZP-275/images/CyberArk-Labs-Racoon-Malware-wp.pdf}, language = {English}, urldate = {2021-04-29} } @online{cohen:20200809:banking:8718999, author = {Remi Cohen and Debbie Walkowski}, title = {{Banking Trojans: A Reference Guide to the Malware Family Tree}}, date = {2020-08-09}, organization = {F5 Labs}, url = {https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree}, language = {English}, urldate = {2021-06-29} } @online{cohen:20201002:graphology:af4c7bd, author = {Itay Cohen and Eyal Itkin}, title = {{Graphology of an Exploit – Hunting for exploits by looking for the author’s fingerprints}}, date = {2020-10-02}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2020/graphology-of-an-exploit-volodya/}, language = {English}, urldate = {2020-10-06} } @online{cohen:20201026:exploit:9ec173c, author = {Itay Cohen and Eyal Itkin}, title = {{Exploit Developer Spotlight: The Story of PlayBit}}, date = {2020-10-26}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/}, language = {English}, urldate = {2020-10-27} } @online{cohen:20201125:csp:1b9a48e, author = {Idan Cohen}, title = {{CSP, the Right Solution for the Web-Skimming Pandemic?}}, date = {2020-11-25}, organization = {Reflectiz}, url = {https://medium.com/reflectiz/csp-the-right-solution-for-the-web-skimming-pandemic-acb7a4414218}, language = {English}, urldate = {2021-01-29} } @online{cohen:20201217:sunburst:7931c48, author = {Itay Cohen}, title = {{Tweet on SUNBURST malware discussing some of its evasion techniques}}, date = {2020-12-17}, organization = {Twitter (@megabeets_)}, url = {https://twitter.com/megabeets_/status/1339308801112027138}, language = {English}, urldate = {2020-12-18} } @online{cohen:20210107:meet:9fbcca8, author = {Ben Cohen}, title = {{Meet Oski Stealer: An In-depth Analysis of the Popular Credential Stealer}}, date = {2021-01-07}, organization = {CyberArk}, url = {https://www.cyberark.com/resources/threat-research-blog/meet-oski-stealer-an-in-depth-analysis-of-the-popular-credential-stealer}, language = {English}, urldate = {2021-01-11} } @online{cohen:20210629:guloaders:a569974, author = {Hido Cohen}, title = {{GuLoader’s Anti-Analysis Techniques}}, date = {2021-06-29}, organization = {Medium hidocohen}, url = {https://hidocohen.medium.com/guloaders-anti-analysis-techniques-e0d4b8437195}, language = {English}, urldate = {2021-07-20} } @online{cohen:20210719:fickerstealer:6d57700, author = {Ben Cohen}, title = {{FickerStealer: A New Rust Player in the Market}}, date = {2021-07-19}, organization = {CyberArk}, url = {https://www.cyberark.com/resources/threat-research-blog/fickerstealer-a-new-rust-player-in-the-market}, language = {English}, urldate = {2021-07-26} } @online{cohen:20211028:decaf:d22e18a, author = {Hido Cohen and Michael Dereviashkin}, title = {{DECAF Ransomware: A New Golang Threat Makes Its Appearance}}, date = {2021-10-28}, organization = {Morphisec}, url = {https://blog.morphisec.com/decaf-ransomware-a-new-golang-threat-makes-its-appearance}, language = {English}, urldate = {2021-11-03} } @online{cohen:20211123:babadeda:ae0d0ac, author = {Hido Cohen and Arnold Osipov}, title = {{Babadeda Crypter targeting crypto, NFT, and DeFi communities}}, date = {2021-11-23}, organization = {Morphisec}, url = {https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities}, language = {English}, urldate = {2021-12-22} } @online{cohen:20211201:smishing:3fa90c0, author = {Shmuel Cohen}, title = {{Smishing Botnets Going Viral in Iran}}, date = {2021-12-01}, organization = {Check Point}, url = {https://research.checkpoint.com/2021/smishing-botnets-going-viral-in-iran/}, language = {English}, urldate = {2021-12-06} } @online{cohen:20220105:can:6a1ef46, author = {Golan Cohen}, title = {{Can You Trust a File’s Digital Signature? New Zloader Campaign exploits Microsoft’s Signature Verification putting users at risk}}, date = {2022-01-05}, organization = {Check Point}, url = {https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/}, language = {English}, urldate = {2022-01-18} } @techreport{cohen:20220214:journey:6c209dc, author = {Hido Cohen and Arnold Osipov}, title = {{Journey of a Crypto Scammer - NFT-001}}, date = {2022-02-14}, institution = {Morphisec}, url = {https://blog.morphisec.com/hubfs/Journey%20of%20a%20Crypto%20Scammer%20-%20NFT-001%20%7C%20Morphisec%20%7C%20Threat%20Report.pdf}, language = {English}, urldate = {2022-02-19} } @online{cohen:20220323:new:7356088, author = {Hido Cohen}, title = {{New JSSLoader Trojan Delivered Through XLL Files}}, date = {2022-03-23}, organization = {Morphisec}, url = {https://blog.morphisec.com/new-jssloader-trojan-delivered-through-xll-files}, language = {English}, urldate = {2022-03-25} } @online{cohen:20220330:new:b2abe2b, author = {Hido Cohen}, title = {{New Wave Of Remcos RAT Phishing Campaign}}, date = {2022-03-30}, organization = {Morphisec}, url = {https://blog.morphisec.com/remcos-trojan-analyzing-attack-chain}, language = {English}, urldate = {2022-03-31} } @online{cohen:20220408:new:6c99a64, author = {Shimi Cohen and Inbal Shalev and Irena Damsky}, title = {{New SolarMarker (Jupyter) Campaign Demonstrates the Malware’s Changing Attack Patterns}}, date = {2022-04-08}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/solarmarker-malware/}, language = {English}, urldate = {2022-04-14} } @online{cohen:20220512:new:6e12278, author = {Hido Cohen}, title = {{New SYK Crypter Distributed Via Discord}}, date = {2022-05-12}, organization = {Morphisec}, url = {https://blog.morphisec.com/syk-crypter-discord}, language = {English}, urldate = {2022-06-09} } @online{coldshell:20180828:walk:fb8dcc6, author = {Coldshell}, title = {{A walk through the AcridRain Stealer}}, date = {2018-08-28}, organization = {This is Security}, url = {https://thisissecurity.stormshield.com/2018/08/28/acridrain-stealer/}, language = {English}, urldate = {2020-01-07} } @online{coldshell:20190118:nymaim:1d2e6f9, author = {Coldshell}, title = {{Nymaim deobfuscation}}, date = {2019-01-18}, organization = {Github (coldshell)}, url = {https://github.com/coldshell/Malware-Scripts/tree/master/Nymaim}, language = {English}, urldate = {2020-01-10} } @online{cole:20200205:stomp:77ecf4b, author = {Rick Cole and Andrew Moore and Genevieve Stark and Blaine Stancill}, title = {{STOMP 2 DIS: Brilliance in the (Visual) Basics}}, date = {2020-02-05}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html}, language = {English}, urldate = {2020-02-09} } @online{colin:20210902:confluence:5bbf2cb, author = {Colin and GaborSzappanos}, title = {{Tweet on Confluence Server exploitation (CVE-2021-26084) in the wild and cobaltsrike activity (mentioned in replies by GaborSzappanos)}}, date = {2021-09-02}, organization = {Twitter (@th3_protoCOL)}, url = {https://twitter.com/th3_protoCOL/status/1433414685299142660?s=20}, language = {English}, urldate = {2021-09-06} } @online{command:20220112:iranian:52c412c, author = {U.S. Cyber Command}, title = {{Iranian intel cyber suite of malware uses open source tools}}, date = {2022-01-12}, organization = {U.S. Cyber Command}, url = {https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/}, language = {English}, urldate = {2022-01-25} } @techreport{commission:20211111:data:a5eddd6, author = {Federal Trade Commission}, title = {{Data Breach Response}}, date = {2021-11-11}, institution = {Federal Trade Commission}, url = {https://www.ftc.gov/system/files/documents/plain-language/pdf-0154_data-breach-response-guide-for-business-042519-508.pdf}, language = {English}, urldate = {2021-11-17} } @online{committee:20210226:weathering:6dfb09f, author = {Oversight Committee}, title = {{Weathering the Storm: The Role of Private Tech in the SolarWinds Breach and Ongoing Campaign}}, date = {2021-02-26}, organization = {YouTube (Oversight Committee)}, url = {https://www.youtube.com/watch?v=dV2QTLSecpc}, language = {English}, urldate = {2021-03-25} } @online{community:20210616:emotet:7e0fafe, author = {CSIRT-CV (the ICT Security Center of the Valencian Community)}, title = {{Emotet campaign analysis}}, date = {2021-06-16}, organization = {S2 Grupo}, url = {https://www.securityartwork.es/2021/06/16/analisis-campana-emotet/}, language = {Spanish}, urldate = {2021-06-21} } @online{conant:20180207:rat:5f1eba8, author = {Simon Conant}, title = {{RAT Trapped? LuminosityLink Falls Foul of Vermin Eradication Efforts}}, date = {2018-02-07}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/02/unit42-rat-trapped-luminositylink-falls-foul-vermin-eradication-efforts/}, language = {English}, urldate = {2019-12-20} } @online{condon:20210311:2020:3380372, author = {Caitlin Condon and Spencer McIntyre and William Vu}, title = {{2020 Vulnerability Intelligence Report}}, date = {2021-03-11}, organization = {Rapid7 Labs}, url = {https://www.rapid7.com/research/report/vulnerability-intelligence-report/}, language = {English}, urldate = {2021-03-12} } @techreport{condor:20201028:decade:b8d7422, author = {Ruben Andrei Condor}, title = {{A Decade of WMI Abuse – an Overview of Techniques in Modern Malware}}, date = {2020-10-28}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf}, language = {English}, urldate = {2020-11-02} } @online{confiantintel:20210119:wizardupdate:9b651d0, author = {ConfiantIntel}, title = {{Tweet on WizardUpdate macOS backdoor}}, date = {2021-01-19}, organization = {Twitter (@ConfiantIntel)}, url = {https://twitter.com/ConfiantIntel/status/1351559054565535745}, language = {English}, urldate = {2021-02-06} } @online{confiantintel:20210514:osxbundlore:118ec5b, author = {ConfiantIntel}, title = {{Tweet on OSX/Bundlore Loader compiled for ARM}}, date = {2021-05-14}, organization = {Twitter (@ConfiantIntel)}, url = {https://twitter.com/ConfiantIntel/status/1393215825931288580?s=20}, language = {English}, urldate = {2021-05-17} } @online{conrad:20220223:ransomware:9d2ec37, author = {Senan Conrad}, title = {{Ransomware Profile: ALPHV}}, date = {2022-02-23}, organization = {Emsisoft}, url = {https://blog.emsisoft.com/en/40931/ransomware-profile-alphv/}, language = {English}, urldate = {2022-03-01} } @online{constantin:20210830:lockfile:f792736, author = {Lucian Constantin}, title = {{LockFile ransomware uses intermittent encryption to evade detection}}, date = {2021-08-30}, organization = {CSO Online}, url = {https://www.csoonline.com/article/3631517/lockfile-ransomware-uses-intermittent-encryption-to-evade-detection.html}, language = {English}, urldate = {2021-08-31} } @online{constantinescu:20220322:bitrat:03c1c4c, author = {Vlad Constantinescu}, title = {{BitRAT Malware Seen Spreading Through Unofficial Microsoft Windows Activators}}, date = {2022-03-22}, organization = {Bitdefender}, url = {https://www.bitdefender.com/blog/hotforsecurity/bitrat-malware-seen-spreading-through-unofficial-microsoft-windows-activators/}, language = {English}, urldate = {2022-06-09} } @techreport{consulting:20201020:incident:275ade2, author = {F-Secure Consulting}, title = {{Incident Readiness: Preparing a proactive response to attacks}}, date = {2020-10-20}, institution = {F-Secure}, url = {https://www.f-secure.com/content/dam/f-secure/en/consulting/our-thinking/collaterals/digital/f-secure-consulting-incident-readiness-proactive-response-guide-2020.pdf}, language = {English}, urldate = {2020-10-23} } @online{consulting:20210208:national:25bf467, author = {Arsenal Consulting}, title = {{National Investigation Agency VS Sudhir Pralhad Dhawale & others Report 1}}, date = {2021-02-08}, organization = {Arsenal Consulting}, url = {https://context-cdn.washingtonpost.com/notes/prod/default/documents/b19a6f2e-55a1-4915-9c2d-5fae0110418c/note/b463d38b-2384-4bb0-a94b-b1b17223ffd0.}, language = {English}, urldate = {2021-02-25} } @online{contextis:20191003:avivore:421fc23, author = {Contextis}, title = {{AVIVORE – Hunting Global Aerospace through the Supply Chain}}, date = {2019-10-03}, organization = {Contextis}, url = {https://www.contextis.com/en/blog/avivore}, language = {English}, urldate = {2022-04-06} } @online{contextis:20191003:context:9845673, author = {Contextis}, title = {{Context Identifies new AVIVORE threat group}}, date = {2019-10-03}, organization = {Contextis}, url = {https://www.contextis.com/en/news/context-identifies-new-avivore-threat-group}, language = {English}, urldate = {2022-04-05} } @online{contextis:20200131:new:74e3724, author = {Contextis}, title = {{New AVIVORE threat group – how they operate and managing the risk}}, date = {2020-01-31}, organization = {YouTube (Context Information Security)}, url = {https://www.youtube.com/watch?v=C_TmANnbS2k}, language = {English}, urldate = {2022-04-13} } @online{contileaks:20220301:emotet:b68be9c, author = {ContiLeaks}, title = {{Tweet on Emotet final server scheme}}, date = {2022-03-01}, organization = {Twitter (@ContiLeaks)}, url = {https://twitter.com/ContiLeaks/status/1498614197202079745}, language = {English}, urldate = {2022-03-02} } @online{conwell:20210714:domain:c0fbbdd, author = {John “Turbo” Conwell}, title = {{Domain Blooms: Identifying Domain Name Themes Targeted By Threat Actors}}, date = {2021-07-14}, organization = {Medium TowardsDataScience}, url = {https://towardsdatascience.com/domain-blooms-identifying-domain-name-themes-targeted-by-threat-actors-70942fe506d4}, language = {English}, urldate = {2021-07-20} } @online{coogan:20100204:spyeye:5c54efe, author = {Peter Coogan}, title = {{SpyEye Bot versus Zeus Bot}}, date = {2010-02-04}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot}, language = {English}, urldate = {2020-01-06} } @online{coogan:20100426:spyeyes:fb53c77, author = {Peter Coogan}, title = {{SpyEye’s "Kill Zeus" Bark is Worse Than its Bite}}, date = {2010-04-26}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/spyeye-s-kill-zeus-bark-worse-its-bite}, language = {English}, urldate = {2019-12-16} } @online{cook:20210518:encounter:c4ef6d9, author = {Andrew Cook}, title = {{An Encounter With TA551/Shathak}}, date = {2021-05-18}, organization = {RECON INFOSEC}, url = {https://blog.reconinfosec.com/an-encounter-with-ta551-shathak}, language = {English}, urldate = {2021-05-25} } @online{cook:20210621:encounter:a6f5f76, author = {Andrew Cook}, title = {{An Encounter With Ransomware-as-a-Service: MEGAsync Analysis}}, date = {2021-06-21}, organization = {RECON INFOSEC}, url = {https://blog.reconinfosec.com/megasync-analysis/}, language = {English}, urldate = {2021-06-22} } @online{corera:20161010:how:29d38b3, author = {Gordon Corera}, title = {{How France's TV5 was almost destroyed by 'Russian hackers'}}, date = {2016-10-10}, organization = {BBC}, url = {https://www.bbc.com/news/technology-37590375}, language = {English}, urldate = {2020-01-09} } @online{cornateanu:20200303:extracting:a48a754, author = {Ryan Cornateanu}, title = {{Extracting Embedded Payloads From Malware}}, date = {2020-03-03}, url = {https://medium.com/@ryancor/extracting-embedded-payloads-from-malware-aaca8e9aa1a9}, language = {English}, urldate = {2020-03-04} } @online{cornateanu:20201123:genetic:cd446d2, author = {Ryan Cornateanu}, title = {{Genetic Analysis of CryptoWall Ransomware}}, date = {2020-11-23}, organization = {Medium ryancor}, url = {https://ryancor.medium.com/genetic-analysis-of-cryptowall-ransomware-843f86055c7f}, language = {English}, urldate = {2020-12-03} } @online{cornateanu:20210927:deobfuscating:bfa117a, author = {Ryan Cornateanu}, title = {{Deobfuscating PowerShell Malware Droppers}}, date = {2021-09-27}, organization = {Medium ryancor}, url = {https://ryancor.medium.com/deobfuscating-powershell-malware-droppers-b6c34499e41d}, language = {English}, urldate = {2021-11-25} } @online{corp:20200416:taiwan:3029f53, author = {CyCraft Technology Corp}, title = {{Taiwan High-Tech Ecosystem Targeted by Foreign APT Group: Digital Skeleton Key Bypasses Security Measures}}, date = {2020-04-16}, organization = {Medium CyCraft}, url = {https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730}, language = {English}, urldate = {2020-11-04} } @online{corp:20201008:taiwan:3a6afa1, author = {CyCraft Technology Corp}, title = {{Taiwan Government Targeted by Multiple Cyberattacks in April 2020 Part 1: Waterbear Malware}}, date = {2020-10-08}, organization = {Medium CyCraft}, url = {https://medium.com/cycraft/taiwan-government-targeted-by-multiple-cyberattacks-in-april-2020-1980acde92b0}, language = {English}, urldate = {2020-10-23} } @online{corp:20201014:taiwan:7628b24, author = {CyCraft Technology Corp}, title = {{Taiwan Government Targeted by Multiple Cyberattacks in April 2020 Part 2: Owlproxy Malware}}, date = {2020-10-14}, organization = {Medium CyCraft}, url = {https://medium.com/cycraft/taiwan-government-targeted-by-multiple-cyberattacks-in-april-2020-3b20cea1dc20}, language = {English}, urldate = {2020-10-23} } @online{corp:20210126:threat:e637761, author = {CyCraft Technology Corp}, title = {{Threat Attribution — Chimera "Under the Radar"}}, date = {2021-01-26}, organization = {Medium cycrafttechnology}, url = {https://cycrafttechnology.medium.com/threat-attribution-chimera-under-the-radar-7c4cce390efd}, language = {English}, urldate = {2021-01-29} } @online{corp:20210602:chinalinked:487955f, author = {CyCraft Technology Corp}, title = {{China-Linked Threat Group Targets Taiwan Critical Infrastructure, Smokescreen Ransomware}}, date = {2021-06-02}, organization = {Medium CyCraft}, url = {https://medium.com/cycraft/china-linked-threat-group-targets-taiwan-critical-infrastructure-smokescreen-ransomware-c2a155aa53d5}, language = {English}, urldate = {2021-06-09} } @online{corp:20210713:prometheus:bd4e53b, author = {CyCraft Technology Corp}, title = {{Prometheus Ransomware Decryptor}}, date = {2021-07-13}, organization = {Medium CyCraft}, url = {https://medium.com/cycraft/prometheus-decryptor-6933e7bac1ea}, language = {English}, urldate = {2021-08-02} } @online{corp:20220222:china:76aa7e8, author = {CyCraft Technology Corp}, title = {{China Implicated in Prolonged Supply Chain Attack Targeting Taiwan Financial Sector}}, date = {2022-02-22}, url = {https://medium.com/cycraft/china-implicated-in-prolonged-supply-chain-attack-targeting-taiwan-financial-sector-264b6a1c3525}, language = {English}, urldate = {2022-02-26} } @online{cortes:20171005:freemilk:1c7eb5d, author = {Juan Cortes and Esmid Idrizovic}, title = {{FreeMilk: A Highly Targeted Spear Phishing Campaign}}, date = {2017-10-05}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-freemilk-highly-targeted-spear-phishing-campaign/}, language = {English}, urldate = {2020-01-08} } @online{cortes:20171005:freemilk:a929f1b, author = {Juan Cortes and Esmid Idrizovic}, title = {{FreeMilk: A Highly Targeted Spear Phishing Campaign}}, date = {2017-10-05}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/}, language = {English}, urldate = {2019-12-20} } @online{cortes:20211216:global:815f2b2, author = {Santiago Cortes}, title = {{Global outbreak of Log4Shell}}, date = {2021-12-16}, organization = {AT&T}, url = {https://cybersecurity.att.com/blogs/labs-research/global-outbreak-of-log4shell}, language = {English}, urldate = {2022-01-05} } @online{corvid:20211103:unique:3709f32, author = {CORVID}, title = {{Tweet on a unique Qbot debugger dropped by an actor after compromise}}, date = {2021-11-03}, organization = {Twitter (@Corvid_Cyber)}, url = {https://twitter.com/Corvid_Cyber/status/1455844008081641472}, language = {English}, urldate = {2021-11-08} } @online{costa:20220621:avos:b60a2ad, author = {Flavio Costa and Chris Neal and Guilherme Venere}, title = {{Avos ransomware group expands with new attack arsenal}}, date = {2022-06-21}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html}, language = {English}, urldate = {2022-06-22} } @online{costis:20200724:tau:2730a2c, author = {Andrew Costis}, title = {{TAU Threat Discovery: Cryptocurrency Clipper Malware Evolves}}, date = {2020-07-24}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/blog/tau-threat-discovery-cryptocurrency-clipper-malware-evolves/}, language = {English}, urldate = {2020-08-05} } @online{couchard:20200925:catching:f381664, author = {Guillaume Couchard and Qimin Wang and Thiam Loong Siew}, title = {{Catching Lazarus: Threat Intelligence to Real Detection Logic - Part One}}, date = {2020-09-25}, organization = {F-Secure Labs}, url = {https://labs.f-secure.com/blog/catching-lazarus-threat-intelligence-to-real-detection-logic}, language = {English}, urldate = {2020-10-05} } @online{couchard:20201023:catching:5788228, author = {Guillaume Couchard and Qimin Wang and Thiam Loong Siew}, title = {{Catching Lazarus: Threat Intelligence to Real Detection Logic - Part Two}}, date = {2020-10-23}, organization = {F-Secure Labs}, url = {https://labs.f-secure.com/blog/catching-lazarus-threat-intelligence-to-real-detection-logic-part-two}, language = {English}, urldate = {2020-10-26} } @techreport{council:20210316:foreign:99ae81b, author = {National Intelligence Council}, title = {{Foreign Threats to the 2020 US Federal Elections}}, date = {2021-03-16}, institution = {National Intelligence Council}, url = {https://assets.documentcloud.org/documents/20515476/ica-declass-16mar2129.pdf}, language = {English}, urldate = {2021-03-19} } @techreport{council:20210408:global:e8df52b, author = {National Intelligence Council}, title = {{Global Trends 2040: A more Contested World}}, date = {2021-04-08}, institution = {National Intelligence Council}, url = {https://www.dni.gov/files/ODNI/documents/assessments/GlobalTrends_2040.pdf}, language = {English}, urldate = {2021-04-16} } @techreport{council:20210409:annual:c2fd7a5, author = {National Intelligence Council}, title = {{Annual Threat Assessment of the US Intelligence Community}}, date = {2021-04-09}, institution = {National Intelligence Council}, url = {https://www.dni.gov/files/ODNI/documents/assessments/ATA-2021-Unclassified-Report.pdf}, language = {English}, urldate = {2021-04-14} } @online{coveware:20190129:phobos:8423f74, author = {CoveWare}, title = {{Phobos Ransomware, A Combo of CrySiS and Dharma}}, date = {2019-01-29}, organization = {CodeWare}, url = {https://www.coveware.com/blog/phobos-ransomware-distributed-dharma-crew}, language = {English}, urldate = {2020-01-08} } @online{coveware:20210426:ransomware:12586d5, author = {CoveWare}, title = {{Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound}}, date = {2021-04-26}, organization = {CoveWare}, url = {https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound}, language = {English}, urldate = {2021-05-13} } @online{coveware:20220127:ransomware:165f513, author = {CoveWare}, title = {{Ransomware as a Service Innovation Curve}}, date = {2022-01-27}, url = {https://www.coveware.com/blog/2022/1/26/ransomware-as-a-service-innovation-curve}, language = {English}, urldate = {2022-02-14} } @online{cowie:20220119:zloader:e87c22c, author = {Colin Cowie and Mat Gangwer and Stan Andic and Sophos MTR Team}, title = {{Zloader Installs Remote Access Backdoors and Delivers Cobalt Strike}}, date = {2022-01-19}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/}, language = {English}, urldate = {2022-01-25} } @online{cowie:20220425:choziosi:d3c9063, author = {Colin Cowie}, title = {{Choziosi Loader: Multi-platform campaign delivering browser extension malware}}, date = {2022-04-25}, organization = {th3protocol blog}, url = {https://www.th3protocol.com/2022/Choziosi-Loader}, language = {English}, urldate = {2022-05-05} } @online{cowman:20191218:understanding:d629d14, author = {Pete Cowman}, title = {{Understanding Ransomware Series: Detecting Sodin}}, date = {2019-12-18}, organization = {Hatching.io}, url = {https://hatching.io/blog/ransomware-part2}, language = {English}, urldate = {2020-01-08} } @online{cowman:20200827:smokeloader:6b86b56, author = {Pete Cowman}, title = {{Smokeloader Analysis and More Family Detections}}, date = {2020-08-27}, organization = {Hatching.io}, url = {https://hatching.io/blog/tt-2020-08-27/}, language = {English}, urldate = {2020-09-03} } @online{cox:20210427:cockli:be7ee57, author = {Joseph Cox}, title = {{'Cock.li' Admin Says He’s Not Surprised Russian Intelligence Uses His Site}}, date = {2021-04-27}, organization = {Vice}, url = {https://www.vice.com/en/article/dyv87z/cockli-admin-russian-intelligence-svr-fbi-dhs-cisa-report}, language = {English}, urldate = {2021-04-29} } @online{cox:20210615:ransomware:4969e93, author = {Joseph Cox}, title = {{Ransomware Gang Turns to Revenge Porn}}, date = {2021-06-15}, organization = {Vice}, url = {https://www.vice.com/en/article/z3xzby/ransomware-gang-revenge-porn-leaks-nude-images}, language = {English}, urldate = {2021-06-21} } @online{cox:20210622:cryptomining:13a5fec, author = {Oakley Cox}, title = {{Crypto-mining on a DNS server}}, date = {2021-06-22}, organization = {Darktrace}, url = {https://www.darktrace.com/en/blog/crypto-mining-on-a-dns-server/}, language = {English}, urldate = {2021-06-24} } @online{cox:20210719:amazon:ec7aab9, author = {Joseph Cox}, title = {{Amazon Shuts Down NSO Group Infrastructure}}, date = {2021-07-19}, organization = {Vice}, url = {https://www.vice.com/en/article/xgx5bw/amazon-aws-shuts-down-nso-group-infrastructure}, language = {English}, urldate = {2021-07-24} } @online{cox:20210824:how:2b6d60b, author = {Joseph Cox}, title = {{How Data Brokers Sell Access to the Backbone of the Internet}}, date = {2021-08-24}, organization = {Vice Motherboard}, url = {https://www.vice.com/en/article/jg84yy/data-brokers-netflow-data-team-cymru}, language = {English}, urldate = {2021-09-14} } @online{cox:20220214:staying:16693dd, author = {Oakley Cox}, title = {{Staying ahead of REvil’s Ransomware-as-a-Service business model}}, date = {2022-02-14}, organization = {Darktrace}, url = {https://www.darktrace.com/en/blog/staying-ahead-of-r-evils-ransomware-as-a-service-business-model/}, language = {English}, urldate = {2022-03-01} } @online{cox:20220318:open:27cb616, author = {Joseph Cox}, title = {{Open Source Maintainer Sabotages Code to Wipe Russian, Belarusian Computers}}, date = {2022-03-18}, organization = {Vice Motherboard}, url = {https://www.vice.com/en/article/dypeek/open-source-sabotage-node-ipc-wipe-russia-belraus-computers}, language = {English}, urldate = {2022-03-22} } @online{cr4sh:20210504:cr4sh:3c1597c, author = {Cr4sh}, title = {{Cr4sh / MicroBackdoor : Small and convenient C2 tool for Windows targets}}, date = {2021-05-04}, url = {https://github.com/cr4sh/microbackdoor}, language = {English}, urldate = {2021-05-04} } @online{craft:20210907:shellcode:dc30cfa, author = {Counter Craft}, title = {{Shellcode Detection Using Real-Time Kernel Monitoring}}, date = {2021-09-07}, organization = {Counter Craft}, url = {https://www.countercraftsec.com/blog/post/shellcode-detection-using-realtime-kernel-monitoring/}, language = {English}, urldate = {2021-09-14} } @online{crahmaliuc:20220311:five:9ba5aa0, author = {Radu Crahmaliuc}, title = {{Five Things You Need to Know About the Cyberwar in Ukraine}}, date = {2022-03-11}, organization = {Bitdefender}, url = {https://www.bitdefender.com/blog/hotforsecurity/five-things-you-need-to-know-about-the-cyberwar-in-ukraine/}, language = {English}, urldate = {2022-03-31} } @online{creaktive:20180521:tiny:13fd580, author = {creaktive}, title = {{Tiny SHell}}, date = {2018-05-21}, organization = {Github (creaktive)}, url = {https://github.com/creaktive/tsh}, language = {English}, urldate = {2020-01-10} } @online{crespo:20220215:new:875538a, author = {Pablo Rincón Crespo}, title = {{New Evidence Linking Kwampirs Malware to Shamoon APTS (Technical Blog)}}, date = {2022-02-15}, organization = {Cylera}, url = {https://resources.cylera.com/new-evidence-linking-kwampirs-malware-to-shamoon-apts}, language = {English}, urldate = {2022-03-10} } @online{creus:20160926:sofacys:2c11dc9, author = {Dani Creus and Tyler Halfpop and Robert Falcone}, title = {{Sofacy’s ‘Komplex’ OS X Trojan}}, date = {2016-09-26}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/}, language = {English}, urldate = {2019-12-20} } @online{creus:20160926:sofacys:6ddbb81, author = {Dani Creus and Tyler Halfpop and Robert Falcone}, title = {{Sofacy’s ‘Komplex’ OS X Trojan}}, date = {2016-09-26}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-sofacys-komplex-os-x-trojan/}, language = {English}, urldate = {2020-01-13} } @online{criptonizando:20200426:35:f5240ec, author = {Criptonizando}, title = {{35 mil computadores foram infectados na América Latina por malware que minerava Monero}}, date = {2020-04-26}, organization = {Criptonizando}, url = {https://criptonizando.com/35-mil-computadores-foram-infectados-na-america-latina-por-malware-que-minerava-monero/}, language = {Portoguese}, urldate = {2022-02-18} } @online{crook:20200622:dynamic:47a0942, author = {Jack Crook}, title = {{Dynamic Correlation, ML and Hunting}}, date = {2020-06-22}, organization = {FindingBad Blogspot}, url = {http://findingbad.blogspot.com/2020/06/dynamic-correlation-ml-and-hunting.html}, language = {English}, urldate = {2020-06-23} } @online{crook:20211031:measuring:f7e5ba7, author = {Jack Crook}, title = {{Measuring User Behavior}}, date = {2021-10-31}, organization = {FindingBad Blogspot}, url = {http://findingbad.blogspot.com/2021/10/measuring-user-behavior.html}, language = {English}, urldate = {2021-11-17} } @online{crovax:20210821:panda:38d0b7a, author = {Crovax}, title = {{Panda Banker Analysis Part 1}}, date = {2021-08-21}, organization = {Medium Crovax}, url = {https://medium.com/@crovax/panda-banker-analysis-part-1-d08b3a855847}, language = {English}, urldate = {2022-01-25} } @online{crovax:20211228:extracting:cd05925, author = {Crovax}, title = {{Extracting Hancitor’s Configuration with Ghidra part 1}}, date = {2021-12-28}, organization = {Medium Crovax}, url = {https://medium.com/@crovax/extracting-hancitors-configuration-with-ghidra-7963900494b5}, language = {English}, urldate = {2022-01-25} } @techreport{crowdstrike:20140609:crowdstrike:a348198, author = {CrowdStrike}, title = {{Crowdstrike Intelligence Report: Putter Panda}}, date = {2014-06-09}, institution = {CrowdStrike}, url = {https://github.com/securitykitten/malware_references/blob/master/crowdstrike-intelligence-report-putter-panda.original.pdf}, language = {English}, urldate = {2021-02-02} } @techreport{crowdstrike:20150206:crowdstrike:fbcc37f, author = {CrowdStrike}, title = {{CrowdStrike Global Threat Intel Report 2014}}, date = {2015-02-06}, institution = {CrowdStrike}, url = {https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf}, language = {English}, urldate = {2020-05-11} } @techreport{crowdstrike:20150210:global:da4da20, author = {CrowdStrike}, title = {{Global Threat Intel Report}}, date = {2015-02-10}, institution = {CrowdStrike}, url = {http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf}, language = {English}, urldate = {2020-01-09} } @techreport{crowdstrike:201610:2015:e74876c, author = {CrowdStrike}, title = {{2015 Global Threat Report}}, date = {2016-10}, institution = {CrowdStrike}, url = {https://conferences.law.stanford.edu/cyberday/wp-content/uploads/sites/10/2016/10/2a_15GlobalThreatReport_Extracted.pdf}, language = {English}, urldate = {2021-05-31} } @techreport{crowdstrike:2016:intelligence:574f45c, author = {CrowdStrike}, title = {{Intelligence Report: Emergence and Development of Core Bot}}, date = {2016}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report_BosonSpider.pdf}, language = {English}, urldate = {2021-05-31} } @techreport{crowdstrike:2018:2018:5ba6206, author = {CrowdStrike}, title = {{2018 Global Threat Report}}, date = {2018}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf}, language = {English}, urldate = {2019-12-17} } @online{crowdstrike:2019:2019:2c268c8, author = {CrowdStrike}, title = {{2019 CrowdStrike Global Threat Report}}, date = {2019}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/}, language = {English}, urldate = {2020-07-16} } @techreport{crowdstrike:2019:2019:4e50c97, author = {CrowdStrike}, title = {{2019 CrowdStrike Global Threat Report}}, date = {2019}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2019GlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-15} } @online{crowdstrike:2019:twisted:8dacf6c, author = {CrowdStrike}, title = {{Twisted Spider}}, date = {2019}, organization = {CrowdStrike}, url = {https://adversary.crowdstrike.com/adversary/twisted-spider/}, language = {English}, urldate = {2021-05-19} } @online{crowdstrike:2019:viceroy:c209ad4, author = {CrowdStrike}, title = {{Viceroy Tiger}}, date = {2019}, organization = {CrowdStrike}, url = {https://adversary.crowdstrike.com/en-US/adversary/viceroy-tiger}, language = {English}, urldate = {2022-03-16} } @techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } @techreport{crowdstrike:20200610:csit20081:a09522b, author = {CrowdStrike}, title = {{CSIT-20081 : Technical Analysis Of The Netwalker Ransomware}}, date = {2020-06-10}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportCSIT-20081e.pdf}, language = {English}, urldate = {2020-07-23} } @online{crowdstrike:2020:2019:f849658, author = {CrowdStrike}, title = {{2019 Crowdstrike Global Threat Report}}, date = {2020}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report}, language = {English}, urldate = {2020-07-23} } @techreport{crowdstrike:2020:cyber:de17ed0, author = {CrowdStrike}, title = {{Cyber Front Lines Report}}, date = {2020}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeServicesCyberFrontLines.pdf}, language = {English}, urldate = {2021-05-31} } @techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } @techreport{crowdstrike:20220216:global:755868e, author = {CrowdStrike}, title = {{Global Threat Report 2022}}, date = {2022-02-16}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2022GTR.pdf}, language = {English}, urldate = {2022-02-19} } @online{cru:20220412:threat:2357d34, author = {ConnectWise CRU}, title = {{Threat Profile: Avaddon}}, date = {2022-04-12}, organization = {ConnectWise}, url = {https://www.connectwise.com/resources/avaddon-profile}, language = {English}, urldate = {2022-04-13} } @online{cru:20220412:threat:6f5aace, author = {ConnectWise CRU}, title = {{Threat Profile: LockBit}}, date = {2022-04-12}, organization = {ConnectWise}, url = {https://www.connectwise.com/resources/lockbit-profile}, language = {English}, urldate = {2022-04-13} } @online{cru:20220412:threat:c1f918f, author = {ConnectWise CRU}, title = {{Threat Profile: REvil}}, date = {2022-04-12}, organization = {ConnectWise}, url = {https://www.connectwise.com/resources/revil-profile}, language = {English}, urldate = {2022-04-13} } @online{cru:20220412:threat:d5577b2, author = {ConnectWise CRU}, title = {{Threat Profile: Conti}}, date = {2022-04-12}, organization = {ConnectWise}, url = {https://www.connectwise.com/resources/conti-profile}, language = {English}, urldate = {2022-04-13} } @online{cru:20220412:threat:ea9a60f, author = {ConnectWise CRU}, title = {{Threat Profile: Hive}}, date = {2022-04-12}, organization = {ConnectWise}, url = {https://www.connectwise.com/resources/hive-profile}, language = {English}, urldate = {2022-04-13} } @online{cruz:20210506:proxylogon:4920ee4, author = {Arianne Dela Cruz and Cris Tomboc and Jayson Chong and Nikki Madayag and Sean Torre}, title = {{Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party}}, date = {2021-05-06}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html}, language = {English}, urldate = {2022-02-17} } @online{cruz:20220118:new:c7bdfeb, author = {Arianne Dela Cruz and Bren Matthew Ebriega and Don Ovid Ladores and Mary Yambao}, title = {{New Ransomware Spotted: White Rabbit and Its Evasion Tactics}}, date = {2022-01-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/a/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics.html}, language = {English}, urldate = {2022-01-24} } @online{cruz:20220124:analysis:5807286, author = {Junestherry Dela Cruz}, title = {{Analysis and Impact of LockBit Ransomware’s First Linux and VMware ESXi Variant}}, date = {2022-01-24}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html}, language = {English}, urldate = {2022-01-25} } @online{cruz:20220525:new:43d8257, author = {Arianne Dela Cruz and Byron Gelera and McJustine De Guzman and Warren Sto.Tomas}, title = {{New Linux-Based Ransomware Cheerscrypt Targets ESXi Devices}}, date = {2022-05-25}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html}, language = {English}, urldate = {2022-05-29} } @online{cryptolaemus:20180912:emotet:013e01b, author = {Cryptolaemus}, title = {{Emotet IOC}}, date = {2018-09-12}, organization = {Cryptolaemus Pastedump}, url = {https://paste.cryptolaemus.com}, language = {English}, urldate = {2020-01-13} } @online{cryptolaemus:20210622:ta575:895ac37, author = {Cryptolaemus and Kirk Sayre and dao ming si}, title = {{Tweet on TA575, a Dridex affiliate delivering cobaltstrike (packed withe Cryptone) directly via the macro docs}}, date = {2021-06-22}, organization = {Twitter (@Cryptolaemus1)}, url = {https://twitter.com/Cryptolaemus1/status/1407135648528711680}, language = {English}, urldate = {2021-06-22} } @online{cryptolaemus:20220419:emotet:c68608b, author = {Cryptolaemus}, title = {{#Emotet Update: 64 bit upgrade of Epoch 5}}, date = {2022-04-19}, organization = {Twitter (@Cryptolaemus1)}, url = {https://twitter.com/Cryptolaemus1/status/1516535343281025032}, language = {English}, urldate = {2022-04-20} } @online{cryptome:20121125:parastoo:b652ed3, author = {Cryptome}, title = {{Parastoo Hacks IAEA}}, date = {2012-11-25}, organization = {Cryptome}, url = {https://cryptome.org/2012/11/parastoo-hacks-iaea.htm}, language = {English}, urldate = {2020-01-06} } @online{csirt:20201029:list:5fb0206, author = {Swisscom CSIRT}, title = {{List of CobaltStrike C2's used by RYUK}}, date = {2020-10-29}, organization = {Github (Swisscom)}, url = {https://github.com/swisscom/detections/blob/main/RYUK/cobaltstrike_c2s.txt}, language = {English}, urldate = {2020-11-02} } @online{csirt:20210126:cring:f12c487, author = {Swisscom CSIRT}, title = {{Tweet on Cring Ransomware groups using customized Mimikatz sample followed by CobaltStrike and dropping Cring rasomware}}, date = {2021-01-26}, organization = {Twitter (@swisscom_csirt)}, url = {https://twitter.com/swisscom_csirt/status/1354052879158571008}, language = {English}, urldate = {2021-01-27} } @online{csirtmon:20220122:analysis:25ca045, author = {csirt-mon}, title = {{Analysis of the Cyberattack on Ukrainian Government Resources}}, date = {2022-01-22}, organization = {csirt-mon}, url = {https://csirt-mon.wp.mil.pl/pl/articles6-aktualnosci/analysis-cyberattack-ukrainian-government-resources/}, language = {English}, urldate = {2022-01-28} } @techreport{csis:2012:w32tinba:542635f, author = {Peter Kruse (CSIS) and Feike Hacquebord (Trend Micro) and Robert McArdle (Trend Micro)}, title = {{W32.Tinba (Tinybanker) The Turkish Incident}}, date = {2012}, institution = {CSIS Trend Micro}, url = {http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_w32-tinba-tinybanker.pdf}, language = {English}, urldate = {2019-12-24} } @techreport{csis:20200110:threat:7454f36, author = {CSIS}, title = {{Threat Matrix H1 2019}}, date = {2020-01-10}, institution = {CSIS}, url = {https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf}, language = {English}, urldate = {2020-01-22} } @online{csis:20210423:supply:474eb97, author = {CSIS}, title = {{Supply chain attack on the password manager Clickstudios - PASSWORDSTATE}}, date = {2021-04-23}, organization = {CSIS}, url = {https://www.csis.dk/newsroom-blog-overview/2021/moserpass-supply-chain/}, language = {English}, urldate = {2021-05-04} } @online{ctu:20150730:sakula:8025917, author = {Dell Secureworks CTU}, title = {{Sakula Malware Family}}, date = {2015-07-30}, organization = {Secureworks}, url = {https://www.secureworks.com/research/sakula-malware-family}, language = {English}, urldate = {2020-01-06} } @online{cube0x0:20211117:github:0551fdb, author = {cube0x0}, title = {{GitHub - cube0x0 / SharpMapExec}}, date = {2021-11-17}, organization = {Github (cube0x0)}, url = {https://github.com/cube0x0/SharpMapExec}, language = {English}, urldate = {2021-12-01} } @online{cucci:20200419:reversing:4523233, author = {Kyle Cucci}, title = {{Reversing Ryuk: A Technical Analysis of Ryuk Ransomware}}, date = {2020-04-19}, organization = {SecurityLiterate}, url = {https://securityliterate.com/reversing-ryuk-a-technical-analysis-of-ryuk-ransomware/}, language = {English}, urldate = {2020-08-13} } @online{cucci:20200819:chantays:3998ebb, author = {Kyle Cucci}, title = {{Chantay’s Resume: Investigating a CV-Themed ZLoader Malware}}, date = {2020-08-19}, organization = {SecurityLiterate}, url = {https://securityliterate.com/chantays-resume-investigating-a-cv-themed-zloader-malware-campaign/}, language = {English}, urldate = {2020-09-01} } @online{cummings:20191217:incident:44acf5c, author = {JJ Cummings and Dave Liebenberg}, title = {{Incident Response lessons from recent Maze ransomware attacks}}, date = {2019-12-17}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2019/12/IR-Lessons-Maze.html}, language = {English}, urldate = {2020-01-09} } @online{currie:20210621:ready:ec4a88d, author = {Gabriel Currie}, title = {{Ready for (nearly) anything: Five things to prepare for a cyber security incident}}, date = {2021-06-21}, organization = {Medium gabrielcurrie}, url = {https://gabrielcurrie.medium.com/ready-for-nearly-anything-five-things-to-prepare-for-a-cyber-security-incident-4fc49d665488}, language = {English}, urldate = {2021-11-29} } @techreport{currie:20211114:ready:7398ccf, author = {Gabriel Currie}, title = {{Ready for (nearly) anything: Five things to prepare for a cyber security incident}}, date = {2021-11-14}, institution = {Github (gabrielcurrie)}, url = {https://raw.githubusercontent.com/gabrielcurrie/conference-talks/main/2021%20-%20BSides%20London%20-%20Five%20Things%20to%20Prepare%20for%20a%20Cyber%20Incident.pdf}, language = {English}, urldate = {2021-11-29} } @online{curtis:20201019:revisited:df05745, author = {Curtis}, title = {{Revisited: Fancy Bear's New Faces...and Sandworms' too}}, date = {2020-10-19}, organization = {Riskint Blog}, url = {https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too}, language = {English}, urldate = {2020-10-23} } @online{cutler:20190515:winnti:269a852, author = {Silas Cutler and Juan Andrés Guerrero-Saade}, title = {{Winnti: More than just Windows and Gates}}, date = {2019-05-15}, organization = {Chronicle}, url = {https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a}, language = {English}, urldate = {2019-10-14} } @online{cutler:20191116:fresh:871567d, author = {Silas Cutler}, title = {{Fresh PlugX October 2019}}, date = {2019-11-16}, organization = {Silas Cutler's Blog}, url = {https://silascutler.blogspot.com/2019/11/fresh-plugx-october-2019.html}, language = {English}, urldate = {2020-01-07} } @online{cutler:20220118:whispers:c986974, author = {Silas Cutler}, title = {{Whispers in the noise}}, date = {2022-01-18}, organization = {Stairwell}, url = {https://stairwell.com/news/whispers-in-the-noise-microsoft-ukraine-whispergate/}, language = {English}, urldate = {2022-01-19} } @online{cutler:20220309:hermeticwizards:3cd717d, author = {Silas Cutler}, title = {{Tweet on HermeticWizard's self-spreading mechanism}}, date = {2022-03-09}, organization = {Twitter (@silascutler)}, url = {https://twitter.com/silascutler/status/1501668345640366091}, language = {English}, urldate = {2022-03-10} } @online{cutler:20220412:analysis:561c2a2, author = {Silas Cutler}, title = {{Tweet on analysis of CADDYWIPER used alongside with INDUSTROYER2}}, date = {2022-04-12}, organization = {Twitter (@silascutler)}, url = {https://twitter.com/silascutler/status/1513870210398363651}, language = {English}, urldate = {2022-05-25} } @techreport{cutler:20220421:inkstained:cc446df, author = {Silas Cutler}, title = {{The ink-stained trail of GOLDBACKDOOR}}, date = {2022-04-21}, institution = {Stairwell}, url = {https://stairwell.com/wp-content/uploads/2022/04/Stairwell-threat-report-The-ink-stained-trail-of-GOLDBACKDOOR.pdf}, language = {English}, urldate = {2022-04-29} } @online{cyb3rsn0rlax:20211102:detecting:a2828eb, author = {Cyb3rSn0rlax}, title = {{Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 2}}, date = {2021-11-02}, organization = {unh4ck}, url = {https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-2}, language = {English}, urldate = {2021-11-03} } @online{cyber00011011:20210217:understand:2783d8d, author = {Cyber_00011011}, title = {{Understand Shellcode with CyberChef}}, date = {2021-02-17}, organization = {cyber00011011.github.io}, url = {https://cyber00011011.github.io/CookingUpCyber/}, language = {English}, urldate = {2021-02-20} } @online{cyber:20190328:unleash:f5f7048, author = {Skylight Cyber}, title = {{Unleash The Hash - ShadowHammer MAC Address List}}, date = {2019-03-28}, organization = {Skylight Cyber}, url = {https://skylightcyber.com/2019/03/28/unleash-the-hash-shadowhammer-mac-list/}, language = {English}, urldate = {2019-10-23} } @online{cyber:20200611:snowstorm:7112209, author = {MDR Cyber}, title = {{SNOWSTORM: Hacker-for-hire and physical surveillance targeted financial analyst}}, date = {2020-06-11}, organization = {Mishcon de Reya}, url = {https://www.mishcon.com/news/snowstorm-hacker-for-hire-and-physical-surveillance-targeted-financial-analyst}, language = {English}, urldate = {2020-06-12} } @online{cyber:20220225:il:2af16d4, author = {Red Hot Cyber}, title = {{Il ransomware Conti si schiera a favore della Russia.}}, date = {2022-02-25}, organization = {Red Hot Cyber}, url = {https://www.redhotcyber.com/post/il-ransomware-conti-si-schiera-a-favore-della-russia}, language = {Italian}, urldate = {2022-03-01} } @techreport{cyberint:2019:legit:9925ea3, author = {CyberInt}, title = {{Legit Remote Admin Tools Turn into Threat Actors' Tools}}, date = {2019}, institution = {CyberInt}, url = {https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf}, language = {English}, urldate = {2019-12-19} } @online{cyberint:20201105:cerberus:c5716d3, author = {CyberInt}, title = {{Cerberus is Dead, Long Live Cerberus?}}, date = {2020-11-05}, organization = {CyberInt}, url = {https://blog.cyberint.com/cerberus-is-dead-long-live-cerberus}, language = {English}, urldate = {2020-11-19} } @online{cyberint:20201210:ryuk:e74b8f6, author = {CyberInt}, title = {{Ryuk Crypto-Ransomware}}, date = {2020-12-10}, organization = {CyberInt}, url = {https://blog.cyberint.com/ryuk-crypto-ransomware}, language = {English}, urldate = {2020-12-14} } @online{cyberjack:20220308:elfshelf:2111663, author = {CyberJack}, title = {{Tweet on ELFSHELF alias for KEYPLUG}}, date = {2022-03-08}, organization = {Twitter (@CyberJack42)}, url = {https://twitter.com/CyberJack42/status/1501290277864046595}, language = {English}, urldate = {2022-03-14} } @online{cybermalveillance:20191106:outil:dfa36a5, author = {Cybermalveillance}, title = {{Outil de déchiffrement du rançongiciel (ransomware) PyLocky versions 1 et 2}}, date = {2019-11-06}, organization = {Cybermalveillance}, url = {https://www.cybermalveillance.gouv.fr/nos-articles/outil-dechiffrement-rancongiciel-ransomware-pylocky-v1-2/}, language = {French}, urldate = {2019-12-18} } @online{cybermasterv:20201127:dissecting:23d6915, author = {CyberMasterV}, title = {{Dissecting APT21 samples using a step-by-step approach}}, date = {2020-11-27}, organization = {CYBER GEEKS All Things Infosec}, url = {https://cybergeeks.tech/dissecting-apt21-samples-using-a-step-by-step-approach/}, language = {English}, urldate = {2020-12-08} } @online{cybermasterv:20201226:analyzing:b94f52e, author = {CyberMasterV}, title = {{Analyzing APT19 malware using a step-by-step method}}, date = {2020-12-26}, organization = {CYBER GEEKS All Things Infosec}, url = {https://cybergeeks.tech/analyzing-apt19-malware-using-a-step-by-step-method/}, language = {English}, urldate = {2021-01-01} } @online{cybermasterv:20210125:detailed:c27540a, author = {CyberMasterV}, title = {{A detailed analysis of ELMER Backdoor used by APT16}}, date = {2021-01-25}, organization = {CYBER GEEKS All Things Infosec}, url = {https://cybergeeks.tech/a-detailed-analysis-of-elmer-backdoor-used-by-apt16/}, language = {English}, urldate = {2021-01-27} } @online{cybermasterv:20210614:stepbystep:6b4b871, author = {CyberMasterV}, title = {{A Step-by-Step Analysis of a New Version of DarkSide Ransomware}}, date = {2021-06-14}, organization = {CYBER GEEKS All Things Infosec}, url = {https://cybergeeks.tech/a-step-by-step-analysis-of-a-new-version-of-darkside-ransomware/}, language = {English}, urldate = {2021-06-22} } @online{cybermasterv:20210803:stepbystep:2c73656, author = {CyberMasterV}, title = {{A step-by-step analysis of the new malware used by APT28/Sofacy called SkinnyBoy}}, date = {2021-08-03}, organization = {Cyber Geeks}, url = {https://cybergeeks.tech/skinnyboy-apt28/}, language = {English}, urldate = {2021-08-06} } @online{cybermasterv:20210929:how:b7fbf82, author = {CyberMasterV}, title = {{How to defeat the Russian Dukes: A step-by-step analysis of MiniDuke used by APT29/Cozy Bear}}, date = {2021-09-29}, organization = {CYBER GEEKS All Things Infosec}, url = {https://cybergeeks.tech/how-to-defeat-the-russian-dukes-a-step-by-step-analysis-of-miniduke-used-by-apt29-cozy-bear/}, language = {English}, urldate = {2021-10-14} } @online{cybermasterv:20211031:detailed:290dacf, author = {CyberMasterV}, title = {{A detailed analysis of the STOP/Djvu Ransomware}}, date = {2021-10-31}, organization = {CYBER GEEKS All Things Infosec}, url = {https://cybergeeks.tech/a-detailed-analysis-of-the-stop-djvu-ransomware/}, language = {English}, urldate = {2021-11-08} } @online{cybermasterv:20211130:just:d5f53c9, author = {CyberMasterV}, title = {{Just another analysis of the njRAT malware – A step-by-step approach}}, date = {2021-11-30}, organization = {CYBER GEEKS All Things Infosec}, url = {https://cybergeeks.tech/just-another-analysis-of-the-njrat-malware-a-step-by-step-approach/}, language = {English}, urldate = {2021-12-06} } @online{cybermasterv:20220427:reverse:09cb18a, author = {CyberMasterV}, title = {{Reverse Engineering PsExec for fun and knowledge}}, date = {2022-04-27}, organization = {CYBER GEEKS All Things Infosec}, url = {https://cybergeeks.tech/reverse-engineering-psexec-for-fun-and-knowledge/}, language = {English}, urldate = {2022-05-09} } @online{cyberpunkleigh:20210527:apostle:f53c506, author = {cyberpunkleigh}, title = {{Apostle Ransomware Analysis}}, date = {2021-05-27}, organization = {cyberpunkleigh}, url = {https://cyberpunkleigh.wordpress.com/2021/05/27/apostle-ransomware-analysis/}, language = {English}, urldate = {2021-06-24} } @online{cybersecurity:201606:operation:eb6c3d9, author = {ClearSky Cybersecurity}, title = {{Operation DustySky Part 2}}, date = {2016-06}, organization = {clearskysec}, url = {https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain}, language = {English}, urldate = {2019-12-24} } @techreport{cybersecurity:20170210:ar1720045:43c91fd, author = {National Cybersecurity and Communications Integration Center}, title = {{AR-17-20045 - Enhanced Analysis of GRIZZLY STEPPE Activity}}, date = {2017-02-10}, institution = {Department of Homeland Security}, url = {https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf}, language = {English}, urldate = {2019-11-05} } @online{cybersecurity:20180720:alert:89ca0c7, author = {National Cybersecurity and Communications Integration Center}, title = {{Alert (TA18-201A) Emotet Malware}}, date = {2018-07-20}, organization = {NCCIC}, url = {https://www.us-cert.gov/ncas/alerts/TA18-201A}, language = {English}, urldate = {2019-10-27} } @online{cybersecurity:20200626:cryptocore:19a42eb, author = {Atlas Cybersecurity}, title = {{CryptoCore – Cryptocurrency Exchanges Under Attack}}, date = {2020-06-26}, organization = {Atlas Cybersecurity}, url = {https://atlas-cybersecurity.com/cyber-threats/cryptocore-cryptocurrency-exchanges-under-attack/}, language = {English}, urldate = {2021-06-08} } @online{cybersecurity:20210425:supply:a36f451, author = {Nightwatch Cybersecurity}, title = {{Supply Chain Attacks via GitHub.com Releases}}, date = {2021-04-25}, organization = {Nightwatch Cybersecurity}, url = {https://wwws.nightwatchcybersecurity.com/2021/04/25/supply-chain-attacks-via-github-com-releases/}, language = {English}, urldate = {2021-04-29} } @online{cybersecurity:20220120:comlook:ca9c0aa, author = {ClearSky Cybersecurity}, title = {{Tweet on ComLook backdoor used by Turla}}, date = {2022-01-20}, organization = {Twitter (@ClearskySec)}, url = {https://twitter.com/ClearskySec/status/1484211242474561540}, language = {English}, urldate = {2022-01-25} } @online{cybersoc:20210321:in:0d188b6, author = {Orange CyberSOC}, title = {{In the eye of our CyberSOC: Campo Loader, analysis and detection perspectives}}, date = {2021-03-21}, url = {https://orangecyberdefense.com/global/blog/cybersoc/in-the-eye-of-our-cybersoc-campo-loader-analysis-and-detection-perspectives/}, language = {English}, urldate = {2021-05-13} } @online{cyberthreat:20200501:chin:3a4fb89, author = {Cyberthreat}, title = {{Chiến dịch của nhóm APT Trung Quốc Goblin Panda tấn công vào Việt Nam lợi dụng đại dịch Covid-19 (phần 1)}}, date = {2020-05-01}, organization = {Viettel Cybersecurity}, url = {https://blog.viettelcybersecurity.com/p1-chien-dich-cua-nhom-apt-trung-quoc-goblin-panda-tan-cong-vao-viet-nam-loi-dung-dai-dich-covid-19/}, language = {Vietnamese}, urldate = {2020-09-09} } @online{cyberthreatinsider:20200820:global:34ee2ea, author = {cyberthreatinsider}, title = {{Global Ransomware Attacks in 2020: The Top 4 Vulnerabilities}}, date = {2020-08-20}, organization = {sensecy}, url = {https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/}, language = {English}, urldate = {2020-11-04} } @online{cyberx:20170128:radiation:141e735, author = {CyberX}, title = {{Radiation Report}}, date = {2017-01-28}, organization = {CyberX}, url = {http://get.cyberx-labs.com/radiation-report}, language = {English}, urldate = {2020-01-13} } @online{cyble:20201117:oceanlotus:d33eb97, author = {Cyble}, title = {{OceanLotus Continues With Its Cyber Espionage Operations}}, date = {2020-11-17}, organization = {cyble}, url = {https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/}, language = {English}, urldate = {2020-11-18} } @online{cyble:20210722:donot:831e206, author = {Cyble}, title = {{DoNot APT Group Delivers A Spyware Variant Of Chat App}}, date = {2021-07-22}, organization = {cyble}, url = {https://blog.cyble.com/2021/07/22/donot-apt-group-delivers-a-spyware-variant-of-chat-app/}, language = {English}, urldate = {2022-03-16} } @online{cyble:20210804:deepdive:f5d8447, author = {Cyble}, title = {{A Deep-dive Analysis of VENOMOUS Ransomware}}, date = {2021-08-04}, organization = {cyble}, url = {https://blog.cyble.com/2021/08/04/a-deep-dive-analysis-of-venomous-ransomware/}, language = {English}, urldate = {2021-08-06} } @online{cyble:20210805:blackmatter:f0b08a4, author = {Cyble}, title = {{BlackMatter Under the Lens: An Emerging Ransomware Group Looking for Affiliates}}, date = {2021-08-05}, organization = {cyble}, url = {https://blog.cyble.com/2021/08/05/blackmatter-under-the-lens-an-emerging-ransomware-group-looking-for-affiliates/}, language = {English}, urldate = {2021-08-06} } @online{cyble:20210816:deepdive:b23c978, author = {Cyble}, title = {{A Deep-dive Analysis of LOCKBIT 2.0}}, date = {2021-08-16}, organization = {cyble}, url = {https://blog.cyble.com/2021/08/16/a-deep-dive-analysis-of-lockbit-2-0/}, language = {English}, urldate = {2021-09-19} } @online{cyble:20210819:shinyhunters:58b6c1a, author = {Cyble}, title = {{ShinyHunters Selling Alleged AT&T Database with 70 million SSN and Date of birth; AT&T Denies it originated from their systems}}, date = {2021-08-19}, organization = {cyble}, url = {https://blog.cyble.com/2021/08/19/shinyhunters-selling-alleged-att-database-with-70-million-ssn-and-date-of-birth/}, language = {English}, urldate = {2021-09-19} } @online{cyble:20210820:overview:24e0326, author = {Cyble}, title = {{An Overview of FinTech Threat Landscape}}, date = {2021-08-20}, organization = {cyble}, url = {https://blog.cyble.com/2021/08/20/an-overview-of-fintech-threat-landscape/}, language = {English}, urldate = {2021-09-19} } @online{cyble:20210824:deepdive:9bd2478, author = {Cyble}, title = {{​A Deep-dive Analysis of KARMA Ransomware}}, date = {2021-08-24}, organization = {cyble}, url = {https://blog.cyble.com/2021/08/24/a-deep-dive-analysis-of-karma-ransomware/}, language = {English}, urldate = {2021-09-19} } @online{cyble:20210903:spyware:72a86c9, author = {Cyble}, title = {{Spyware Variant Disguised as Korean Video App Targets Multiple Asian Countries}}, date = {2021-09-03}, organization = {cyble}, url = {https://blog.cyble.com/2021/09/03/spyware-variant-disguised-as-korean-video-app-targets-multiple-asian-countries/}, language = {English}, urldate = {2021-09-19} } @online{cyble:20210907:fake:ccb82be, author = {Cyble}, title = {{Fake Income Tax Application Targets Indian Taxpayers}}, date = {2021-09-07}, organization = {cyble}, url = {https://blog.cyble.com/2021/09/07/fake-income-tax-application-targets-indian-taxpayers/}, language = {English}, urldate = {2021-09-19} } @online{cyble:20210909:flubot:02a6d7c, author = {Cyble}, title = {{FluBot Variant Masquerading As The Default Android Voicemail App}}, date = {2021-09-09}, organization = {cyble}, url = {https://blog.cyble.com/2021/09/09/flubot-variant-masquerading-as-the-default-android-voicemail-app/}, language = {English}, urldate = {2021-09-19} } @online{cyble:20210914:deepdive:688552e, author = {Cyble}, title = {{Deep-dive Analysis of S.O.V.A. Android Banking Trojan}}, date = {2021-09-14}, organization = {cyble}, url = {https://blog.cyble.com/2021/09/14/deep-dive-analysis-of-s-o-v-a-android-banking-trojan/}, language = {English}, urldate = {2021-09-19} } @online{cyble:20210914:targets:303856b, author = {Cyble}, title = {{APT Group Targets Indian Defense Officials Through Enhanced TTPs}}, date = {2021-09-14}, organization = {cyble}, url = {https://blog.cyble.com/2021/09/14/apt-group-targets-indian-defense-officials-through-enhanced-ttps/}, language = {English}, urldate = {2021-09-19} } @online{cyble:20210915:aptc23:7f61636, author = {Cyble}, title = {{APT-C-23 Using New Variant Of Android Spyware To Target Users In The Middle East}}, date = {2021-09-15}, organization = {cyble}, url = {https://blog.cyble.com/2021/09/15/apt-c-23-using-new-variant-of-android-spyware-to-target-users-in-the-middle-east/}, language = {English}, urldate = {2021-09-22} } @online{cyble:20210917:sophisticated:b3482ca, author = {Cyble}, title = {{Sophisticated Spyware Posing as a Banking Application To Target Korean Users}}, date = {2021-09-17}, organization = {cyble}, url = {https://blog.cyble.com/2021/09/17/sophisticated-spyware-posing-as-a-banking-application-to-target-korean-users/}, language = {English}, urldate = {2021-09-22} } @online{cyble:20211021:raccoon:612369d, author = {Cyble}, title = {{​​Raccoon Stealer Under the Lens: A Deep-dive Analysis}}, date = {2021-10-21}, organization = {cyble}, url = {https://blog.cyble.com/2021/10/21/raccoon-stealer-under-the-lens-a-deep-dive-analysis/}, language = {English}, urldate = {2021-10-26} } @online{cyble:20211129:pysa:4da06b5, author = {Cyble}, title = {{Pysa Ransomware Under the Lens: A Deep-Dive Analysis}}, date = {2021-11-29}, organization = {cyble}, url = {https://blog.cyble.com/2021/11/29/pysa-ransomware-under-the-lens-a-deep-dive-analysis/}, language = {English}, urldate = {2021-12-07} } @online{cyble:20211206:apt37:e9b1bba, author = {Cyble}, title = {{APT37 Using a New Android Spyware, Chinotto}}, date = {2021-12-06}, organization = {cyble}, url = {https://blog.cyble.com/2021/12/06/apt37-using-a-new-android-spyware-chinotto/}, language = {English}, urldate = {2021-12-07} } @online{cyble:20220117:avoslocker:e72ac8a, author = {Cyble}, title = {{AvosLocker Ransomware Linux Version Targets VMware ESXi Servers}}, date = {2022-01-17}, organization = {Cybleinc}, url = {https://blog.cyble.com/2022/01/17/avoslocker-ransomware-linux-version-targets-vmware-esxi-servers/}, language = {English}, urldate = {2022-02-01} } @online{cyble:20220120:deep:e172620, author = {Cyble}, title = {{Deep Dive Into Ragnar_locker Ransomware Gang}}, date = {2022-01-20}, organization = {Cybleinc}, url = {https://blog.cyble.com/2022/01/20/deep-dive-into-ragnar-locker-ransomware-gang/}, language = {English}, urldate = {2022-01-25} } @online{cyble:20220128:indian:b4078b9, author = {Cyble}, title = {{Indian Army Personnel Face Remote Access Trojan Attacks}}, date = {2022-01-28}, organization = {cyble}, url = {https://blog.cyble.com/2022/01/28/indian-army-personnel-face-remote-access-trojan-attacks/}, language = {English}, urldate = {2022-02-02} } @online{cyble:20220310:aberebot:d077b97, author = {Cyble}, title = {{AbereBot Returns as Escobar}}, date = {2022-03-10}, organization = {cyble}, url = {https://blog.cyble.com/2022/03/10/aberebot-returns-as-escobar/}, language = {English}, urldate = {2022-03-14} } @online{cyble:20220311:new:dfa8c06, author = {Cyble}, title = {{New Wiper Malware Attacking Russia: Deep-Dive Into RURansom Malware}}, date = {2022-03-11}, url = {https://blog.cyble.com/2022/03/11/new-wiper-malware-attacking-russia-deep-dive-into-ruransom-malware/}, language = {English}, urldate = {2022-03-17} } @online{cyble:20220322:hunters:c1cb18a, author = {Cyble}, title = {{Hunters Become The Hunted: Clipper Malware Disguised As AvD Crypto Stealer}}, date = {2022-03-22}, organization = {Cybleinc}, url = {https://blog.cyble.com/2022/03/22/hunters-become-the-hunted/}, language = {English}, urldate = {2022-03-23} } @online{cyble:20220324:coper:2c91f35, author = {Cyble}, title = {{Coper Banking Trojan: Android Malware Posing As Google Play Store App Installer}}, date = {2022-03-24}, organization = {Cybleinc}, url = {https://blog.cyble.com/2022/03/24/coper-banking-trojan/}, language = {English}, urldate = {2022-03-25} } @online{cyble:20220331:deep:88a14dc, author = {Cyble}, title = {{Deep Dive Analysis - Borat RAT}}, date = {2022-03-31}, url = {https://blog.cyble.com/2022/03/31/deep-dive-analysis-borat-rat/}, language = {English}, urldate = {2022-04-04} } @online{cyble:20220401:dissecting:033ed24, author = {Cyble}, title = {{Dissecting Blackguard Info Stealer}}, date = {2022-04-01}, organization = {cyble}, url = {https://blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/}, language = {English}, urldate = {2022-04-01} } @online{cyble:20220405:new:06e0933, author = {Cyble}, title = {{A New Info Stealer Targeting Over 30 Browsers}}, date = {2022-04-05}, organization = {cyble}, url = {https://blog.cyble.com/2022/04/05/inside-lightning-stealer/}, language = {English}, urldate = {2022-04-12} } @online{cyble:20220418:under:c48fd13, author = {Cyble}, title = {{Under The Lens: Eagle Monitor RAT - Upgraded Version Of RAT With New TTPs}}, date = {2022-04-18}, url = {https://blog.cyble.com/2022/04/18/under-the-lens-eagle-monitor-rat/}, language = {English}, urldate = {2022-04-20} } @online{cyble:20220419:fake:7acd1c5, author = {Cyble}, title = {{Fake MetaMask App Steals Cryptocurrency}}, date = {2022-04-19}, organization = {cyble}, url = {https://blog.cyble.com/2022/04/19/fake-metamask-app-steals-cryptocurrency/}, language = {English}, urldate = {2022-04-20} } @online{cyble:20220421:prynt:72c5fd3, author = {Cyble}, title = {{Prynt Stealer Spotted In The Wild}}, date = {2022-04-21}, organization = {cyble}, url = {https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/}, language = {English}, urldate = {2022-04-25} } @online{cyble:20220427:emotet:a8c919a, author = {Cyble}, title = {{Emotet Returns With New TTPs And Delivers .Lnk Files To Its Victims}}, date = {2022-04-27}, organization = {Cybleinc}, url = {https://blog.cyble.com/2022/04/27/emotet-returns-with-new-ttps-and-delivers-lnk-files-to-its-victims/}, language = {English}, urldate = {2022-05-04} } @online{cyble:20220520:malware:c20f29f, author = {Cyble}, title = {{Malware Campaign Targets InfoSec Community: Threat Actor Uses Fake Proof Of Concept To Deliver Cobalt-Strike Beacon}}, date = {2022-05-20}, organization = {Cybleinc}, url = {https://blog.cyble.com/2022/05/20/malware-campaign-targets-infosec-community-threat-actor-uses-fake-proof-of-concept-to-deliver-cobalt-strike-beacon/}, language = {English}, urldate = {2022-05-23} } @online{cyble:20220607:bumblebee:9f2dc4a, author = {Cyble}, title = {{Bumblebee Loader on The Rise}}, date = {2022-06-07}, organization = {cyble}, url = {https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/}, language = {English}, urldate = {2022-06-09} } @online{cybleinc:20201231:strongpity:bb6ab94, author = {cybleinc}, title = {{StrongPity APT Extends Global Reach with New Infrastructure}}, date = {2020-12-31}, organization = {cyble}, url = {https://cybleinc.com/2020/12/31/strongpity-apt-extends-global-reach-with-new-infrastructure/}, language = {English}, urldate = {2021-01-04} } @online{cybleinc:20210215:ngrok:32c877d, author = {cybleinc}, title = {{Ngrok Platform Abused by Hackers to Deliver a New Wave of Phishing Attacks}}, date = {2021-02-15}, organization = {cyble}, url = {https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/}, language = {English}, urldate = {2021-02-20} } @online{cybleinc:20210419:zloader:f7ffa0a, author = {cybleinc}, title = {{ZLoader Returns Through Spelevo Exploit Kit & Phishing Campaign}}, date = {2021-04-19}, organization = {Cybleinc}, url = {https://cybleinc.com/2021/04/19/zloader-returns-through-spelevo-exploit-kit-phishing-campaign/}, language = {English}, urldate = {2021-04-28} } @online{cybleinc:20210421:donot:3c9e847, author = {cybleinc}, title = {{Donot Team APT Group Is Back To Using Old Malicious Patterns}}, date = {2021-04-21}, organization = {Cybleinc}, url = {https://cybleinc.com/2021/04/21/donot-team-apt-group-is-back-to-using-old-malicious-patterns/}, language = {English}, urldate = {2021-04-28} } @online{cybleinc:20210430:transparent:1df2639, author = {cybleinc}, title = {{Transparent Tribe Operating with a New Variant of Crimson RAT}}, date = {2021-04-30}, organization = {Cybleinc}, url = {https://cybleinc.com/2021/04/30/transparent-tribe-operating-with-a-new-variant-of-crimson-rat/}, language = {English}, urldate = {2021-05-03} } @online{cybleinc:20210502:mobile:8f117f2, author = {cybleinc}, title = {{Mobile Malware App Anubis Strikes Again, Continues to Lure Users Disguised as a Fake Antivirus}}, date = {2021-05-02}, organization = {Cybleinc}, url = {https://cybleinc.com/2021/05/02/mobile-malware-app-anubis-strikes-again-continues-to-lure-users-disguised-as-a-fake-antivirus/}, language = {English}, urldate = {2021-05-03} } @online{cybleinc:20210603:deep:0077231, author = {cybleinc}, title = {{Deep Dive into BlackCocaine Ransomware}}, date = {2021-06-03}, organization = {cyble}, url = {https://cybleinc.com/2021/06/03/nucleus-software-becomes-victim-of-the-blackcocaine-ransomware/}, language = {English}, urldate = {2021-06-07} } @online{cybleinc:20210605:prometheus:bf079f6, author = {cybleinc}, title = {{Prometheus: An Emerging Ransomware Group Using Thanos Ransomware To Target Organizations}}, date = {2021-06-05}, organization = {Cybleinc}, url = {https://blog.cyble.com/2021/06/05/prometheus-an-emerging-apt-group-using-thanos-ransomware-to-target-organizations/}, language = {English}, urldate = {2021-07-20} } @online{cybleinc:20210621:djvu:7e58962, author = {cybleinc}, title = {{DJVU Malware of STOP Ransomware Family Back with New Variant}}, date = {2021-06-21}, organization = {cyble}, url = {https://cybleinc.com/2021/06/21/djvu-malware-of-stop-ransomware-family-back-with-new-variant/}, language = {English}, urldate = {2021-06-24} } @online{cybleinc:20210622:android:fed4661, author = {cybleinc}, title = {{Android Application Disguised as Dating App Targets Indian Military Personnel}}, date = {2021-06-22}, organization = {Cybleinc}, url = {https://cybleinc.com/2021/06/22/android-application-disguised-as-dating-app-targets-indian-military-personnel/}, language = {English}, urldate = {2021-07-02} } @online{cybleinc:20210703:uncensored:f43cf7f, author = {cybleinc}, title = {{Uncensored Interview with REvil / Sodinokibi Ransomware Operators}}, date = {2021-07-03}, organization = {Cybleinc}, url = {https://cybleinc.com/2021/07/03/uncensored-interview-with-revil-sodinokibi-ransomware-operators/}, language = {English}, urldate = {2021-07-11} } @online{cybleinc:20210730:aberebot:25abf6e, author = {cybleinc}, title = {{Aberebot on the Rise: New Banking Trojan Targeting Users Through Phishing}}, date = {2021-07-30}, organization = {cyble}, url = {https://blog.cyble.com/2021/07/30/aberebot-on-the-rise-new-banking-trojan-targeting-users-through-phishing/}, language = {English}, urldate = {2021-08-02} } @online{cybleinc:20210802:deepdive:ed9c9d9, author = {cybleinc}, title = {{A Deep-Dive Analysis Of A New Wiper Malware Disguised As Tokyo Olympics Document}}, date = {2021-08-02}, organization = {Cybleinc}, url = {https://blog.cyble.com/2021/08/02/a-deep-dive-analysis-of-a-new-wiper-malware-disguised-as-tokyo-olympics-document/}, language = {English}, urldate = {2021-08-20} } @online{cybleinc:20210825:lockfile:0bc870f, author = {cybleinc}, title = {{​LockFile Ransomware: Exploiting Microsoft Exchange Vulnerabilities Using ProxyShell}}, date = {2021-08-25}, organization = {Cybleinc}, url = {https://blog.cyble.com/2021/08/25/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/}, language = {English}, urldate = {2021-08-31} } @online{cyfirma:20220531:yashma:7fb43c9, author = {cyfirma}, title = {{Yashma Ransomware Report}}, date = {2022-05-31}, organization = {Cyfirma}, url = {https://www.cyfirma.com/outofband/yashma-ransomware-report/}, language = {English}, urldate = {2022-06-11} } @techreport{cylance:20160406:operation:d4da7b5, author = {Cylance}, title = {{Operation Cleaver}}, date = {2016-04-06}, institution = {Cylance}, url = {https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf}, language = {English}, urldate = {2020-01-10} } @techreport{cylance:20181102:spyrats:67888b3, author = {Cylance}, title = {{The SpyRATs of OceanLotus}}, date = {2018-11-02}, institution = {Cylance}, url = {https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/SpyRATsofOceanLotusMalwareWhitePaper.pdf}, language = {English}, urldate = {2020-01-10} } @techreport{cylera:20220308:link:2b7c36f, author = {Cylera}, title = {{The link between Kwampirs (Orangeworm) and Shamoon APTs}}, date = {2022-03-08}, institution = {Cylera}, url = {https://resources.cylera.com/hubfs/Cylera%20Labs/Cylera%20Labs%20Kwampirs%20Shamoon%20Technical%20Report.pdf}, language = {English}, urldate = {2022-03-10} } @techreport{cymmetria:2016:unveiling:da4224b, author = {Cymmetria}, title = {{Unveiling Patchwork: The Copy-Paste APT}}, date = {2016}, institution = {Cymmetria}, url = {https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf}, language = {English}, urldate = {2020-01-06} } @online{cymmetria:20170919:unveiling:e67fe90, author = {Cymmetria}, title = {{Unveiling Patchwork – a targeted attack caught with cyber deception}}, date = {2017-09-19}, organization = {Cymmetria}, url = {https://www.cymmetria.com/patchwork-targeted-attack/}, language = {English}, urldate = {2019-12-18} } @online{cymru:20190725:unmasking:91638f6, author = {Team Cymru}, title = {{Unmasking AVE_MARIA}}, date = {2019-07-25}, organization = {Team Cymru}, url = {https://blog.team-cymru.com/2019/07/25/unmasking-ave_maria/}, language = {English}, urldate = {2020-01-08} } @online{cymru:20200219:azorult:de72301, author = {Team Cymru}, title = {{Azorult – what we see using our own tools}}, date = {2020-02-19}, organization = {Team Cymru}, url = {https://blog.team-cymru.com/2020/02/19/azorult-what-we-see-using-our-own-tools/}, language = {English}, urldate = {2020-02-26} } @online{cymru:20200325:how:b1d8c31, author = {Team Cymru}, title = {{How the Iranian Cyber Security Agency Detects Emissary Panda Malware}}, date = {2020-03-25}, organization = {Team Cymru}, url = {https://team-cymru.com/2020/03/25/how-the-iranian-cyber-security-agency-detects-emissary-panda-malware/}, language = {English}, urldate = {2020-07-13} } @online{cymru:20210118:apt36:e2e83ce, author = {Team Cymru}, title = {{Tweet on APT36 CrimsonRAT C2}}, date = {2021-01-18}, organization = {Twitter (@teamcymru)}, url = {https://twitter.com/teamcymru/status/1351228309632385027}, language = {English}, urldate = {2021-01-21} } @online{cymru:20220310:crimson:a646aac, author = {Team Cymru}, title = {{Tweet on Crimson RAT infrastructure used by APT36}}, date = {2022-03-10}, organization = {Twitter (@teamcymru_S2)}, url = {https://twitter.com/teamcymru_S2/status/1501955802025836546}, language = {English}, urldate = {2022-03-14} } @online{cyr:20220323:mustang:3e97382, author = {Alexandre Côté Cyr}, title = {{Mustang Panda’s Hodur: Old tricks, new Korplug variant}}, date = {2022-03-23}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/}, language = {English}, urldate = {2022-03-24} } @online{cyr:20220325:mustang:4052776, author = {Alexandre Côté Cyr}, title = {{Mustang Panda's Hodur: Old stuff, new variant of Korplug}}, date = {2022-03-25}, organization = {ESET Research}, url = {https://www.welivesecurity.com/fr/2022/03/25/mustang-pandas-hodur-nouveau-korplug/}, language = {French}, urldate = {2022-03-30} } @online{cyrus:20190424:introducing:f1d4536, author = {Richie Cyrus}, title = {{Introducing Venator: A macOS tool for proactive detection}}, date = {2019-04-24}, organization = {SpecterOps}, url = {https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56}, language = {English}, urldate = {2020-01-07} } @online{cytec:20220414:404:a7dc53d, author = {DCSO CyTec}, title = {{404 — File still found}}, date = {2022-04-14}, organization = {Medium (@DCSO_CyTec)}, url = {https://medium.com/@DCSO_CyTec/404-file-still-found-d52c3834084c}, language = {English}, urldate = {2022-05-31} } @online{cyware:20190822:apt34:3439fde, author = {Cyware}, title = {{APT34: The Helix Kitten Cybercriminal Group Loves to Meow Middle Eastern and International Organizations}}, date = {2019-08-22}, organization = {Cyware}, url = {https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae}, language = {English}, urldate = {2021-06-29} } @online{cyware:20210214:hildegard:580418b, author = {Cyware}, title = {{Hildegard: TeamTNT’s New Feature-Rich Malware Targeting Kubernetes}}, date = {2021-02-14}, organization = {Cyware}, url = {https://cyware.com/news/hildegard-teamtnts-new-feature-rich-malware-targeting-kubernetes-6587eb45}, language = {English}, urldate = {2021-03-12} } @online{cyware:20220207:apt27:e900fc7, author = {Cyware}, title = {{APT27 Group Targets German Organizations with HyperBro}}, date = {2022-02-07}, organization = {Cyware}, url = {https://cyware.com/news/apt27-group-targets-german-organizations-with-hyperbro-2c43b7cf/}, language = {English}, urldate = {2022-02-09} } @online{cyware:20220207:newly:670676e, author = {Cyware}, title = {{Newly Found Sugar Ransomware is Now Being Offered as RaaS}}, date = {2022-02-07}, organization = {Cyware}, url = {https://cyware.com/news/newly-found-sugar-ransomware-is-now-being-offered-as-raas-641cfa69}, language = {English}, urldate = {2022-02-09} } @online{cyware:20220214:ransomware:e449514, author = {Cyware}, title = {{Ransomware Becomes Deadlier, Conti Makes the Most Money}}, date = {2022-02-14}, url = {https://cyware.com/news/ransomware-becomes-deadlier-conti-makes-the-most-money-39e17bae/}, language = {English}, urldate = {2022-02-16} } @online{cyware:20220302:trickbots:8f22fd7, author = {Cyware}, title = {{TrickBot’s AnchorDNS is Now Upgraded to AnchorMail}}, date = {2022-03-02}, organization = {Cyware}, url = {https://cyware.com/news/trickbots-anchordns-is-now-upgraded-to-anchormail-a21f5490/}, language = {English}, urldate = {2022-03-07} } @online{cyware:20220309:ragnar:21beccd, author = {Cyware}, title = {{Ragnar Locker Breached 52 Organizations and Counting, FBI Warns}}, date = {2022-03-09}, organization = {Cyware}, url = {https://cyware.com/news/ragnar-locker-breached-52-organizations-and-counting-fbi-warns-0588d220/}, language = {English}, urldate = {2022-03-10} } @online{czy:20200715:indepth:9a7c4dd, author = {Bartlomiej Czyż}, title = {{An in-depth analysis of SpyNote remote access trojan}}, date = {2020-07-15}, organization = {Relativity}, url = {https://bulldogjob.pl/articles/1200-an-in-depth-analysis-of-spynote-remote-access-trojan}, language = {English}, urldate = {2020-11-06} } @techreport{d00rt:20180706:lokibot:6508667, author = {d00rt}, title = {{LokiBot Infostealer Jihacked Version}}, date = {2018-07-06}, institution = {Github (d00rt)}, url = {https://github.com/d00rt/hijacked_lokibot_version/blob/master/doc/LokiBot_hijacked_2018.pdf}, language = {English}, urldate = {2020-01-10} } @online{d00rt:20190105:emotet:8dee25a, author = {d00rt}, title = {{Emotet Research}}, date = {2019-01-05}, organization = {Github (d00rt)}, url = {https://github.com/d00rt/emotet_research}, language = {English}, urldate = {2020-01-10} } @online{d00rtrm:2019:emutet:8913da8, author = {D00RT_RM}, title = {{Emutet}}, date = {2019}, url = {https://d00rt.github.io/emotet_network_protocol/}, language = {English}, urldate = {2020-01-07} } @online{d:20151019:github:b15ea7e, author = {Anderson D}, title = {{Github Repository for AllaKore}}, date = {2015-10-19}, organization = {Github (Anderson-D)}, url = {https://github.com/Anderson-D/AllaKore}, language = {English}, urldate = {2020-01-08} } @online{daavid:20140623:havex:21f2ca4, author = {Daavid}, title = {{Havex Hunts For ICS/SCADA Systems}}, date = {2014-06-23}, organization = {F-Secure}, url = {https://www.f-secure.com/weblog/archives/00002718.html}, language = {English}, urldate = {2020-01-09} } @online{dahan:20170425:shadowwali:565d1c1, author = {Assaf Dahan}, title = {{ShadowWali: New variant of the xxmm family of backdoors}}, date = {2017-04-25}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/labs-shadowwali-new-variant-of-the-xxmm-family-of-backdoors}, language = {English}, urldate = {2020-02-11} } @online{dahan:20170524:operation:d79be79, author = {Assaf Dahan}, title = {{Operation Cobalt Kitty: A large-scale APT in Asia carried out by the OceanLotus Group}}, date = {2017-05-24}, organization = {Cybereason}, url = {https://www.cybereason.com/labs-operation-cobalt-kitty-a-large-scale-apt-in-asia-carried-out-by-the-oceanlotus-group/}, language = {English}, urldate = {2020-01-09} } @online{dahan:20181003:new:5f6c0b5, author = {Assaf Dahan}, title = {{New Betabot campaign under the microscope}}, date = {2018-10-03}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/betabot-banking-trojan-neurevt}, language = {English}, urldate = {2020-01-06} } @online{dahan:20190312:new:a435b52, author = {Assaf Dahan and Cybereason Nocturnus}, title = {{New Ursnif Variant targets Japan packed with new Features}}, date = {2019-03-12}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features}, language = {English}, urldate = {2019-11-28} } @online{dahan:20191120:phoenix:9c5d752, author = {Assaf Dahan}, title = {{Phoenix: The Tale of the Resurrected Keylogger}}, date = {2019-11-20}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/phoenix-the-tale-of-the-resurrected-alpha-keylogger}, language = {English}, urldate = {2020-02-11} } @online{dahan:20191211:dropping:0849f70, author = {Assaf Dahan and Lior Rochberger and Eli Salem and Mary Zhao and Niv Yona and Omer Yampel and Matt Hart}, title = {{Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware}}, date = {2019-12-11}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware}, language = {English}, urldate = {2020-01-06} } @online{dahan:20201102:back:64a6991, author = {Assaf Dahan and Lior Rochberger and Daniel Frank and Tom Fakterman}, title = {{Back to the Future: Inside the Kimsuky KGH Spyware Suite}}, date = {2020-11-02}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite}, language = {English}, urldate = {2020-11-02} } @online{dahan:20210803:deadringer:908e8d5, author = {Assaf Dahan and Lior Rochberger and Daniel Frank and Tom Fakterman}, title = {{DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos}}, date = {2021-08-03}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos}, language = {English}, urldate = {2021-08-06} } @online{dahl:20130503:department:8be1534, author = {Matt Dahl}, title = {{Department of Labor Strategic Web Compromise}}, date = {2013-05-03}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/department-labor-strategic-web-compromise/}, language = {English}, urldate = {2019-12-20} } @online{dahl:20131010:regional:120d284, author = {Matt Dahl}, title = {{Regional Conflict and Cyber Blowback}}, date = {2013-10-10}, organization = {CrowdStrike}, url = {https://web.archive.org/web/20160315044507/https://www.crowdstrike.com/blog/regional-conflict-and-cyber-blowback/}, language = {English}, urldate = {2020-05-18} } @online{dahl:20140513:cat:e5c45ff, author = {Matt Dahl}, title = {{Cat Scratch Fever: CrowdStrike Tracks Newly Reported Iranian Actor as FLYING KITTEN}}, date = {2014-05-13}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/}, language = {English}, urldate = {2019-12-20} } @online{dahl:20141124:i:38a6ade, author = {Matt Dahl}, title = {{I am Ironman: DEEP PANDA Uses Sakula Malware to Target Organizations in Multiple Sectors}}, date = {2014-11-24}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/ironman-deep-panda-uses-sakula-malware-target-organizations-multiple-sectors/}, language = {English}, urldate = {2019-12-20} } @online{dahl:20190125:widespread:48d15a3, author = {Matt Dahl}, title = {{Widespread DNS Hijacking Activity Targets Multiple Sectors}}, date = {2019-01-25}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors/}, language = {English}, urldate = {2019-12-20} } @online{dahl:20200601:malware:aa6f2ab, author = {Matt Dahl}, title = {{Tweet on malware called knspy used by Donot}}, date = {2020-06-01}, organization = {Twitter (@voodoodahl1)}, url = {https://twitter.com/voodoodahl1/status/1267571622732578816}, language = {English}, urldate = {2020-06-04} } @online{dahms:20140602:molerats:8b00d0d, author = {Timothy Dahms}, title = {{Molerats, Here for Spring!}}, date = {2014-06-02}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2014/06/molerats-here-for-spring.html}, language = {English}, urldate = {2019-12-20} } @online{dai:20211214:collecting:3d6dd34, author = {Nick Dai and Ted Lee and Vickie Su}, title = {{Collecting In the Dark: Tropic Trooper Targets Transportation and Government}}, date = {2021-12-14}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html}, language = {English}, urldate = {2022-03-30} } @online{daihes:20210113:detecting:a348691, author = {Yael Daihes}, title = {{Detecting Mylobot, unseen DGA based malware, using Deep Learning}}, date = {2021-01-13}, organization = {Akamai}, url = {https://blogs.akamai.com/sitr/2021/01/detecting-mylobot-unseen-dga-based-malware-using-deep-learning.html}, language = {English}, urldate = {2021-01-26} } @online{dallas:20190326:babylon:32e6481, author = {Korben Dallas}, title = {{Tweet on Babylon RAT IOCs}}, date = {2019-03-26}, organization = {Twitter (@KorbenD_Intel)}, url = {https://twitter.com/KorbenD_Intel/status/1110654679980085262}, language = {English}, urldate = {2020-01-13} } @online{dalman:20210427:ransomware:8242ac5, author = {Josh Dalman and Kamil Janton and Eben Kaplan}, title = {{Ransomware Preparedness: A Call to Action}}, date = {2021-04-27}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/}, language = {English}, urldate = {2021-05-31} } @online{dalman:20210602:under:2e7083b, author = {Josh Dalman and Heather Smith}, title = {{Under Attack: Protecting Against Conti, DarkSide, REvil and Other Ransomware}}, date = {2021-06-02}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/}, language = {English}, urldate = {2021-06-09} } @online{dalman:20210618:ransomware:2c31db2, author = {Josh Dalman and Heather Smith}, title = {{Ransomware Actors Evolved Their Operations in 2020}}, date = {2021-06-18}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/ransomware-actors-evolved-operations-in-2020/}, language = {English}, urldate = {2021-06-22} } @online{dan:20180208:merlin:cfc9e6b, author = {Action Dan}, title = {{Merlin for Red Teams}}, date = {2018-02-08}, organization = {Lockboxx}, url = {http://lockboxx.blogspot.com/2018/02/merlin-for-red-teams.html}, language = {English}, urldate = {2020-01-09} } @online{danchev:20080610:whos:504e579, author = {Dancho Danchev}, title = {{Who's behind the GPcode ransomware?}}, date = {2008-06-10}, organization = {ZDNet}, url = {http://www.zdnet.com/article/whos-behind-the-gpcode-ransomware/}, language = {English}, urldate = {2019-12-18} } @online{danchev:20120928:dissecting:1ee1a3f, author = {Dancho Danchev}, title = {{Dissecting 'Operation Ababil' - an OSINT Analysis}}, date = {2012-09-28}, organization = {Dancho Danchev's Blog}, url = {http://ddanchev.blogspot.com.es/2012/09/dissecting-operation-ababil-osint.html}, language = {English}, urldate = {2020-01-10} } @online{dangu:20180123:uncovering:a3ba605, author = {Jerome Dangu}, title = {{Uncovering 2017’s Largest Malvertising Operation}}, date = {2018-01-23}, organization = {Confiant}, url = {https://blog.confiant.com/uncovering-2017s-largest-malvertising-operation-b84cd38d6b85}, language = {English}, urldate = {2019-12-24} } @online{dangu:20180305:zirconium:06d9e29, author = {Jerome Dangu}, title = {{Zirconium was one step ahead of Chrome’s redirect blocker with 0-day}}, date = {2018-03-05}, organization = {Confiant}, url = {https://blog.confiant.com/zirconium-was-one-step-ahead-of-chromes-redirect-blocker-with-0-day-2d61802efd0d}, language = {English}, urldate = {2020-01-09} } @online{dangu:20210203:malvertising:eb3d8cb, author = {Jerome Dangu}, title = {{Malvertising: Made in China}}, date = {2021-02-03}, organization = {Medium Confiant}, url = {https://blog.confiant.com/malvertising-made-in-china-f5081521b3f0}, language = {English}, urldate = {2021-02-04} } @online{dani:20220301:ukrainian:c196036, author = {Mayuresh Dani}, title = {{Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware}}, date = {2022-03-01}, organization = {Qualys}, url = {https://blog.qualys.com/vulnerabilities-threat-research/2022/03/01/ukrainian-targets-hit-by-hermeticwiper-new-datawiper-malware}, language = {English}, urldate = {2022-03-04} } @online{dannythesloth:20190608:vanilla:bcf3518, author = {DannyTheSloth}, title = {{Vanilla RAT}}, date = {2019-06-08}, organization = {Github (DannyTheSloth)}, url = {https://github.com/DannyTheSloth/VanillaRAT}, language = {English}, urldate = {2020-01-13} } @techreport{dantzig:20191219:operation:96804be, author = {Maarten van Dantzig and Erik Schamper}, title = {{Operation Wocao: Shining a light on one of China’s hidden hacking groups}}, date = {2019-12-19}, institution = {Fox-IT}, url = {https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf}, language = {English}, urldate = {2020-01-13} } @online{darkowl:20211022:page:90c7728, author = {Darkowl}, title = {{“Page Not Found”: REvil Darknet Services Offline After Attack Last Weekend}}, date = {2021-10-22}, organization = {Darkowl}, url = {https://www.darkowl.com/blog-content/page-not-found-revil-darknet-services-offline-after-attack-last-weekend}, language = {English}, urldate = {2021-10-26} } @online{darkquassar:20180302:tales:c6d0af0, author = {Twitter (@darkquassar)}, title = {{Tales of a Threat Hunter 2 Following the trace of WMI Backdoors & other nastiness}}, date = {2018-03-02}, organization = {eideon blog}, url = {https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/}, language = {English}, urldate = {2021-06-21} } @online{darktracer:20210510:intelligence:b9d1c3f, author = {DarkTracer}, title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}}, date = {2021-05-10}, organization = {DarkTracer}, url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3}, language = {English}, urldate = {2021-05-13} } @online{dart:20201221:advice:dd08ada, author = {Detection and Response Team (DART)}, title = {{Advice for incident responders on recovery from systemic identity compromises}}, date = {2020-12-21}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/12/21/advice-for-incident-responders-on-recovery-from-systemic-identity-compromises/}, language = {English}, urldate = {2020-12-23} } @online{dart:20210211:web:c22c110, author = {Detection and Response Team (DART) and Microsoft 365 Defender Research Team}, title = {{Web shell attacks continue to rise}}, date = {2021-02-11}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/02/11/web-shell-attacks-continue-to-rise/}, language = {English}, urldate = {2021-02-20} } @online{dart:20210920:guide:8d2760b, author = {Detection and Response Team (DART)}, title = {{A guide to combatting human-operated ransomware: Part 1}}, date = {2021-09-20}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/09/20/a-guide-to-combatting-human-operated-ransomware-part-1/}, language = {English}, urldate = {2021-09-22} } @online{dart:20210927:guide:40f51ba, author = {Detection and Response Team (DART)}, title = {{A guide to combatting human-operated ransomware: Part 2}}, date = {2021-09-27}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/09/27/a-guide-to-combatting-human-operated-ransomware-part-2/}, language = {English}, urldate = {2021-09-28} } @online{dart:20211026:protect:22b026a, author = {Detection and Response Team (DART)}, title = {{Protect your business from password sprays with Microsoft DART recommendations}}, date = {2021-10-26}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/10/26/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations/}, language = {English}, urldate = {2021-11-03} } @online{dart:20220104:leveraging:36a7deb, author = {Microsoft Detection and Response Team (DART)}, title = {{Leveraging the Power of KQL in Incident Response}}, date = {2022-01-04}, organization = {Microsoft}, url = {https://techcommunity.microsoft.com/t5/security-compliance-and-identity/leveraging-the-power-of-kql-in-incident-response/ba-p/3044795}, language = {English}, urldate = {2022-03-14} } @online{dart:20220311:part:13e8665, author = {Microsoft Detection and Response Team (DART)}, title = {{Part 2: LockBit 2.0 ransomware bugs and database recovery attempts}}, date = {2022-03-11}, organization = {Microsoft}, url = {https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-2-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254421}, language = {English}, urldate = {2022-03-14} } @online{dart:20220311:part:2a214e2, author = {Microsoft Detection and Response Team (DART)}, title = {{Part 1: LockBit 2.0 ransomware bugs and database recovery attempts}}, date = {2022-03-11}, organization = {Microsoft}, url = {https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354}, language = {English}, urldate = {2022-03-14} } @online{dart:20220412:tarrask:4789795, author = {Detection and Response Team (DART)}, title = {{Tarrask malware uses scheduled tasks for defense evasion}}, date = {2022-04-12}, organization = {Microsoft Security}, url = {https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/}, language = {English}, urldate = {2022-05-04} } @online{das:20210901:incredible:a90149e, author = {Aahir Das}, title = {{The Incredible Rise of DPRK’s Cyber Warfare}}, date = {2021-09-01}, organization = {CyBureau – The Institute for Cyber Policy Studies}, url = {http://blog.cybureau.org/the-incredible-rise-of-dprks-cyber-warfare/}, language = {English}, urldate = {2021-09-06} } @online{data:20140228:uroburos:f6fdb48, author = {G Data}, title = {{Uroburos - highly complex espionage software with Russian roots}}, date = {2014-02-28}, organization = {G Data Blog}, url = {https://www.gdatasoftware.com/blog/2014/02/23968-uroburos-highly-complex-espionage-software-with-russian-roots}, language = {English}, urldate = {2019-11-28} } @online{data:20140307:uroburos:22ddc69, author = {G Data}, title = {{Uroburos – Deeper travel into kernel protection mitigation}}, date = {2014-03-07}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2014/03/23966-uroburos-deeper-travel-into-kernel-protection-mitigation}, language = {English}, urldate = {2019-11-23} } @online{data:20140513:uroburos:a8b1175, author = {G Data}, title = {{Uroburos rootkit: Belgian Foreign Ministry stricken}}, date = {2014-05-13}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2014/05/23958-uroburos-rootkit-belgian-foreign-ministry-stricken}, language = {English}, urldate = {2019-10-27} } @online{data:20140602:analysis:1038a5f, author = {G Data}, title = {{Analysis of Uroburos, using WinDbg}}, date = {2014-06-02}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2014/06/23953-analysis-of-uroburos-using-windbg}, language = {English}, urldate = {2020-01-09} } @online{data:20140731:poweliks:250c05f, author = {G Data}, title = {{Poweliks: the persistent malware without a file}}, date = {2014-07-31}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2014/07/23947-poweliks-the-persistent-malware-without-a-file}, language = {English}, urldate = {2020-01-10} } @online{data:20141030:com:0da80b3, author = {G Data}, title = {{COM Object hijacking: the discreet way of persistence}}, date = {2014-10-30}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence}, language = {English}, urldate = {2020-01-07} } @techreport{data:20141031:operation:9205b87, author = {G Data}, title = {{OPERATION “TOOHASH”: HOW TARGETED ATTACKS WORK}}, date = {2014-10-31}, institution = {G Data}, url = {https://public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf}, language = {English}, urldate = {2020-01-08} } @online{data:20141111:uroburos:8dce097, author = {G Data}, title = {{The Uroburos case: new sophisticated RAT identified}}, date = {2014-11-11}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified}, language = {English}, urldate = {2020-01-08} } @online{data:20150115:weiterentwicklung:a65efbe, author = {G Data}, title = {{Weiterentwicklung anspruchsvoller Spyware: von Agent.BTZ zu ComRAT}}, date = {2015-01-15}, organization = {G Data}, url = {https://blog.gdata.de/2015/01/23779-weiterentwicklung-anspruchsvoller-spyware-von-agent-btz-zu-comrat}, language = {English}, urldate = {2020-01-08} } @online{data:20150120:analysis:2fe6cf2, author = {G Data}, title = {{Analysis of Project Cobra}}, date = {2015-01-20}, organization = {G Data}, url = {https://blog.gdatasoftware.com/2015/01/23926-analysis-of-project-cobra}, language = {English}, urldate = {2020-01-05} } @online{data:20150218:babar:24e6c08, author = {G Data}, title = {{Babar: espionage software finally found and put under the microscope}}, date = {2015-02-18}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope}, language = {English}, urldate = {2019-12-02} } @online{data:20150507:dissecting:27b0271, author = {G Data}, title = {{Dissecting the “Kraken”}}, date = {2015-05-07}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2015/05/24280-dissecting-the-kraken}, language = {English}, urldate = {2022-03-01} } @online{data:20160411:manamecrypt:06eda37, author = {G Data}, title = {{Manamecrypt – a ransomware that takes a different route}}, date = {2016-04-11}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2016/04/28234-manamecrypt-a-ransomware-that-takes-a-different-route}, language = {English}, urldate = {2020-01-08} } @online{data:20161123:analysis:0bbfdb9, author = {G Data}, title = {{Analysis: Ursnif - spying on your data since 2007}}, date = {2016-11-23}, organization = {G Data}, url = {https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007}, language = {English}, urldate = {2020-01-10} } @online{data:20170512:warning:162cfc4, author = {G Data}, title = {{Warning: Massive "WannaCry" Ransomware campaign launched}}, date = {2017-05-12}, organization = {G Data}, url = {https://blog.gdatasoftware.com/2017/05/29751-wannacry-ransomware-campaign}, language = {English}, urldate = {2020-01-13} } @online{data:20170703:who:7b53706, author = {G Data}, title = {{Who is behind Petna?}}, date = {2017-07-03}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2017/07/29859-who-is-behind-petna}, language = {English}, urldate = {2020-01-08} } @online{data:20170711:ordinypt:a3f61cf, author = {G Data}, title = {{Ordinypt hat es auf Benutzer aus Deutschland abgesehen}}, date = {2017-07-11}, organization = {G Data}, url = {https://www.gdata.de/blog/2017/11/30151-ordinypt}, language = {Deutsch}, urldate = {2020-01-08} } @online{data:20170720:rurktar:fa8bc7e, author = {G Data}, title = {{Rurktar - Spyware under Construction}}, date = {2017-07-20}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2017/07/29896-rurktar-spyware-under-construction}, language = {English}, urldate = {2020-01-09} } @online{data:20171012:emotet:c99dec0, author = {G Data}, title = {{Emotet beutet Outlook aus}}, date = {2017-10-12}, organization = {G Data}, url = {https://www.gdata.de/blog/2017/10/30110-emotet-beutet-outlook-aus}, language = {English}, urldate = {2019-12-05} } @online{data:20191121:new:cbeb2e4, author = {G Data}, title = {{New SectopRAT: Remote access malware utilizes second desktop to control browsers}}, date = {2019-11-21}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2019/11/35548-new-sectoprat-remote-access-malware-utilizes-second-desktop-to-control-browsers}, language = {English}, urldate = {2020-01-10} } @online{data:20200630:ransomware:3f071e1, author = {G Data}, title = {{Ransomware on the Rise: Buran’s transformation into Zeppelin}}, date = {2020-06-30}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2020/06/35946-burans-transformation-into-zeppelin}, language = {English}, urldate = {2020-07-02} } @online{database:20211228:implantarmilobleeda:3e30a84, author = {Padvish Threats Database}, title = {{Implant.ARM.iLOBleed.a}}, date = {2021-12-28}, organization = {Padvish Threats Database}, url = {https://threats.amnpardaz.com/en/2021/12/28/implant-arm-ilobleed-a/}, language = {English}, urldate = {2022-01-03} } @online{daundkar:20220323:sysjoker:d8a1ba0, author = {Sagar Daundkar and Threat Analysis Unit}, title = {{SysJoker – An Analysis of a Multi-OS RAT}}, date = {2022-03-23}, organization = {vmware}, url = {https://blogs.vmware.com/security/2022/03/%e2%80%afsysjoker-an-analysis-of-a-multi-os-rat.html}, language = {English}, urldate = {2022-04-04} } @online{davenport:20141218:keypoint:4c1fd04, author = {Christian Davenport}, title = {{KeyPoint network breach could affect thousands of federal workers}}, date = {2014-12-18}, organization = {The Washington Post}, url = {https://www.washingtonpost.com/business/economy/keypoint-suffers-network-breach-thousands-of-fed-workers-could-be-affected/2014/12/18/e6c7146c-86e1-11e4-a702-fa31ff4ae98e_story.html}, language = {English}, urldate = {2020-01-13} } @online{davidecanali:20210908:advance:4742243, author = {Davide Canali and Crista Giering and Tim Kromphardt and Sam Scholten}, title = {{Advance Fee Fraud: The Emergence of Elaborate Crypto Schemes}}, date = {2021-09-08}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/advance-fee-fraud-emergence-elaborate-crypto-schemes}, language = {English}, urldate = {2021-09-14} } @online{davila:20200518:eleethub:d605473, author = {Asher Davila and Yang Ji}, title = {{Eleethub: A Cryptocurrency Mining Botnet with Rootkit for Self-Hiding}}, date = {2020-05-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/los-zetas-from-eleethub-botnet/}, language = {English}, urldate = {2020-05-20} } @online{davis:20170921:apt33:52822d2, author = {Stuart Davis and Nick Carr}, title = {{APT33: New Insights into Iranian Cyber Espionage Group}}, date = {2017-09-21}, organization = {FireEye}, url = {https://www.brighttalk.com/webcast/10703/275683}, language = {English}, urldate = {2019-12-20} } @online{davis:20180529:mexico:d40bc2d, author = {Michelle Davis}, title = {{Mexico Foiled a $110 Million Bank Heist, Then Kept It a Secret}}, date = {2018-05-29}, organization = {Bloomberg}, url = {https://www.bloomberg.com/news/articles/2018-05-29/mexico-foiled-a-110-million-bank-heist-then-kept-it-a-secret}, language = {English}, urldate = {2020-01-07} } @online{davis:20210120:emulation:4061f1c, author = {Andrew Davis}, title = {{Emulation of Kernel Mode Rootkits With Speakeasy}}, date = {2021-01-20}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/01/emulation-of-kernel-mode-rootkits-with-speakeasy.html}, language = {English}, urldate = {2021-01-25} } @techreport{davis:20220223:empirically:fe03729, author = {Shannon Davis and SURGe}, title = {{An Empirically Comparative Analysis of Ransomware Binaries}}, date = {2022-02-23}, institution = {splunk}, url = {https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf}, language = {English}, urldate = {2022-03-25} } @online{davis:20220323:gone:56f570f, author = {Shannon Davis}, title = {{Gone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed}}, date = {2022-03-23}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html}, language = {English}, urldate = {2022-03-25} } @online{davison:20170804:smoke:06d64d3, author = {Jason Davison}, title = {{Smoke Loader Adds Additional Obfuscation Methods to Mitigate Analysis}}, date = {2017-08-04}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/smoke-loader-adds-additional-obfuscation-methods-to-mitigate-analysis}, language = {English}, urldate = {2020-01-08} } @online{davison:20180321:trickbot:1f0576e, author = {Jason Davison}, title = {{TrickBot Banking Trojan Adapts with New Module}}, date = {2018-03-21}, organization = {Webroot}, url = {https://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/}, language = {English}, urldate = {2020-01-13} } @online{dawson:20210830:hypervisor:81ca39b, author = {Michael Dawson}, title = {{Hypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware}}, date = {2021-08-30}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/}, language = {English}, urldate = {2021-08-31} } @online{daydaynews:20200103:waterbear:b4818c4, author = {DayDayNews}, title = {{Waterbear, a cyber espionage virus, has a new variant with its own anti-virus function}}, date = {2020-01-03}, organization = {DayDayNews}, url = {https://daydaynews.cc/zh-tw/technology/297265.html}, language = {Chinese}, urldate = {2021-04-20} } @online{daza:20220202:white:5b71f59, author = {Jason Daza and Manoj Khatiwada and Paul Brunney and Michael Wirtz and Group-IB}, title = {{White Rabbit Continued: Sardonic and F5}}, date = {2022-02-02}, organization = {lodestone}, url = {https://lodestone.com/insight/white-rabbit-continued-sardonic-and-f5/}, language = {English}, urldate = {2022-02-04} } @online{dcso:20190314:pegasusbuhtrap:2e48e0e, author = {DCSO}, title = {{Pegasus/Buhtrap analysis of the malware stage based on the leaked source code}}, date = {2019-03-14}, organization = {DCSO}, url = {https://dcso.de/2019/03/14/pegasus-buhtrap-analysis-of-the-malware-stage-based-on-the-leaked-source-code}, language = {English}, urldate = {2021-02-06} } @online{dcso:20190318:enterprise:ff92a62, author = {DCSO}, title = {{Enterprise Malware-as-a-Service: Lazarus Group and the Evolution of Ransomware}}, date = {2019-03-18}, organization = {DCSO}, url = {https://web.archive.org/web/20200922165625/https://dcso.de/2019/03/18/enterprise-malware-as-a-service/}, language = {English}, urldate = {2021-12-13} } @online{dcso:20200116:curious:15c5610, author = {DCSO}, title = {{A Curious Case of CVE-2019-19781 Palware: remove_bds}}, date = {2020-01-16}, organization = {DCSO}, url = {https://dcso.de/2020/01/16/a-curious-case-of-cve-2019-19781-palware-remove_bds/}, language = {English}, urldate = {2021-02-06} } @online{ddash:20201112:lootwodniw:03198af, author = {ddash}, title = {{Tweet on Lootwodniw}}, date = {2020-11-12}, organization = {Twitter (@ddash_ct)}, url = {https://twitter.com/ddash_ct/status/1326887125103616000}, language = {English}, urldate = {2020-12-03} } @online{deacon:20200331:indepth:3719ebb, author = {Joshua Deacon and Lloyd Macrohon}, title = {{An In-depth Look at MailTo Ransomware, Part One of Three}}, date = {2020-03-31}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-one-of-three/}, language = {English}, urldate = {2020-04-14} } @online{deacon:20200408:indepth:c6628d7, author = {Joshua Deacon and Lloyd Macrohon}, title = {{An In-depth Look at MailTo Ransomware, Part Two of Three}}, date = {2020-04-08}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-two-of-three/}, language = {English}, urldate = {2020-04-14} } @online{deacon:20200410:indepth:13fc66f, author = {Joshua Deacon and Lloyd Macrohon}, title = {{An In-depth Look at MailTo Ransomware, Part Three of Three}}, date = {2020-04-10}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-three-of-three/}, language = {English}, urldate = {2020-04-14} } @online{deacon:20210315:hafnium:02beddd, author = {Joshua Deacon}, title = {{HAFNIUM, China Chopper and ASP.NET Runtime}}, date = {2021-03-15}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hafnium-china-chopper-and-aspnet-runtime/}, language = {English}, urldate = {2021-03-22} } @online{decapua:20200225:feds:423f929, author = {Joel DeCapua}, title = {{Feds Fighting Ransomware: How the FBI Investigates and How You Can Help}}, date = {2020-02-25}, organization = {RSA Conference}, url = {https://www.youtube.com/watch?v=LUxOcpIRxmg}, language = {English}, urldate = {2020-03-04} } @techreport{decker:20090522:pushdo:518e04c, author = {Alice Decker and David Sancho and Loucif Kharouni and Max Goncharov and Robert McArdle}, title = {{Pushdo / Cutwail Botnet}}, date = {2009-05-22}, institution = {Trend Micro}, url = {https://www.trendmicro.de/cloud-content/us/pdfs/business/white-papers/wp_study-of-pushdo-cutwail-botnet.pdf}, language = {English}, urldate = {2020-01-13} } @online{decristofaro:20210803:squashing:ba231ef, author = {Michael DeCristofaro and Eric Loui and Josh Reynolds}, title = {{Squashing SPIDERS: Threat Intelligence, Threat Hunting and Rapid Response Stops SQL Injection Campaign}}, date = {2021-08-03}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-crowdstrike-stopped-an-sql-injection-campaign/}, language = {English}, urldate = {2021-08-31} } @online{decrypterfixer:20140911:torrentlocker:10d80ec, author = {DecrypterFixer}, title = {{TorrentLocker Ransomware Cracked and Decrypter has been made}}, date = {2014-09-11}, organization = {BleepingComputer Forums}, url = {http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/}, language = {English}, urldate = {2020-01-06} } @online{dedenok:20220516:html:b44d1c9, author = {Roman Dedenok}, title = {{HTML attachments in phishing e-mails}}, date = {2022-05-16}, organization = {Kaspersky}, url = {https://securelist.com/html-attachments-in-phishing-e-mails/106481/}, language = {English}, urldate = {2022-05-17} } @online{dedola:20200820:transparent:b63fac6, author = {Giampaolo Dedola}, title = {{Transparent Tribe: Evolution analysis, part 1}}, date = {2020-08-20}, organization = {Kaspersky Labs}, url = {https://securelist.com/transparent-tribe-part-1/98127/}, language = {English}, urldate = {2020-08-24} } @online{dedola:20200826:transparent:b6f0422, author = {Giampaolo Dedola}, title = {{Transparent Tribe: Evolution analysis, part 2}}, date = {2020-08-26}, organization = {Kaspersky Labs}, url = {https://securelist.com/transparent-tribe-part-2/98233/}, language = {English}, urldate = {2020-08-27} } @online{dedola:20220621:toddycat:20bf8db, author = {Giampaolo Dedola}, title = {{APT ToddyCat: Unveiling an unknown APT actor attacking high-profile entities in Europe and Asia}}, date = {2022-06-21}, organization = {Kaspersky}, url = {https://securelist.com/toddycat/106799/}, language = {English}, urldate = {2022-06-22} } @online{dee:20181113:amadey:81d3bc6, author = {Dee}, title = {{Tweet on Amadey Malware}}, date = {2018-11-13}, organization = {Twitter (@ViriBack)}, url = {https://twitter.com/ViriBack/status/1062405363457118210}, language = {English}, urldate = {2020-01-07} } @online{dee:20200129:borr:528fccb, author = {Dee}, title = {{Tweet on Borr}}, date = {2020-01-29}, organization = {Twitter (@ViriBack)}, url = {https://twitter.com/ViriBack/status/1222704498923032576}, language = {English}, urldate = {2020-02-13} } @online{dee:20210826:vulturi:74e3f14, author = {Dee}, title = {{Tweet on Vulturi Stealer and it's c2 panel}}, date = {2021-08-26}, organization = {Twitter (@ViriBack)}, url = {https://twitter.com/ViriBack/status/1430604948241276928?s=20}, language = {English}, urldate = {2021-08-31} } @online{defense:20191111:revenge:114921b, author = {Binary Defense}, title = {{Revenge Is A Dish Best Served… Obfuscated?}}, date = {2019-11-11}, organization = {Binary Defense}, url = {https://www.binarydefense.com/revenge-is-a-dish-best-served-obfuscated}, language = {English}, urldate = {2020-01-09} } @techreport{defense:20200901:military:670494d, author = {US Department of Defense}, title = {{Military and Security Developments Involving the People’s Republic of China 2020}}, date = {2020-09-01}, institution = {US Department of Defense}, url = {https://media.defense.gov/2020/Sep/01/2002488689/-1/-1/1/2020-DOD-CHINA-MILITARY-POWER-REPORT-FINAL.PDF}, language = {English}, urldate = {2020-09-01} } @online{defense:20201028:turla:6f32714, author = {Cyber Defense}, title = {{Turla uses HyperStack, Carbon, and Kazuar to compromise government entity}}, date = {2020-10-28}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity}, language = {English}, urldate = {2020-10-29} } @techreport{defense:20210216:creation:d20a363, author = {US Department of Defense}, title = {{The creation of the 2020 ComRATv4 illustration}}, date = {2021-02-16}, institution = {US Department of Defense}, url = {https://cdn.muckrock.com/foia_files/2021/02/16/21R019_RESPONSE.pdf}, language = {English}, urldate = {2021-03-25} } @online{defense:20210706:marsdeimos:ebe87c7, author = {Binary Defense}, title = {{Mars-Deimos: SolarMarker/Jupyter Infostealer (Part 1)}}, date = {2021-07-06}, organization = {Binary Defense}, url = {https://www.binarydefense.com/mars-deimos-solarmarker-jupyter-infostealer-part-1/}, language = {English}, urldate = {2021-07-24} } @online{defense:20210716:marsdeimos:c0e4144, author = {Binary Defense}, title = {{Mars-Deimos: From Jupiter to Mars and Back again (Part Two)}}, date = {2021-07-16}, organization = {Binary Defense}, url = {https://www.binarydefense.com/mars-deimos-from-jupiter-to-mars-and-back-again-part-two/}, language = {English}, urldate = {2021-07-24} } @online{defense:20211020:two:9a20bdc, author = {US Department of Defense}, title = {{Two Individuals (Pavel Stassi & Aleksandr Skorodumov) Sentenced for Providing “Bulletproof Hosting” for Cybercriminals}}, date = {2021-10-20}, organization = {US Department of Justice}, url = {https://www.justice.gov/opa/pr/two-individuals-sentenced-providing-bulletproof-hosting-cybercriminals}, language = {English}, urldate = {2021-11-02} } @techreport{defense:20211103:military:a9c9e5f, author = {US Department of Defense}, title = {{Military and Security Developments Involving the People’s Republic of China}}, date = {2021-11-03}, institution = {US Department of Defense}, url = {https://media.defense.gov/2021/Nov/03/2002885874/-1/-1/0/2021-CMPR-FINAL.PDF}, language = {English}, urldate = {2021-11-08} } @online{degrippo:20200316:ta505:6cfbbb0, author = {Sherrod DeGrippo}, title = {{TA505 and Others Launch New Coronavirus Campaigns; Now the Largest Collection of Attack Types in Years}}, date = {2020-03-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/ta505-and-others-launch-new-coronavirus-campaigns-now-largest-collection-attack}, language = {English}, urldate = {2020-04-26} } @online{degrippo:20200622:hakbit:4d8be82, author = {Sherrod DeGrippo and Proofpoint Threat Research Team}, title = {{Hakbit Ransomware Campaign Against Germany, Austria, Switzerland}}, date = {2020-06-22}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/hakbit-ransomware-campaign-against-germany-austria-switzerland}, language = {English}, urldate = {2020-06-23} } @online{degrippo:20200717:ta547:cec93e0, author = {Sherrod DeGrippo}, title = {{TA547 Pivots from Ursnif Banking Trojan to Ransomware in Australian Campaign}}, date = {2020-07-17}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/security-briefs/ta547-pivots-ursnif-banking-trojan-ransomware-australian-campaign}, language = {English}, urldate = {2020-07-23} } @online{degroot:20211112:agenttesla:d69002b, author = {Dominik Degroot}, title = {{AgentTesla dropped via NSIS installer}}, date = {2021-11-12}, organization = {Living Code}, url = {http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/}, language = {English}, urldate = {2021-11-17} } @online{dekel:20220328:pwning:c0427db, author = {Kasif Dekel and Ronen Shustin}, title = {{Pwning Microsoft Azure Defender for IoT | Multiple Flaws Allow Remote Code Execution for All}}, date = {2022-03-28}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/pwning-microsoft-azure-defender-for-iot-multiple-flaws-allow-remote-code-execution-for-all/}, language = {English}, urldate = {2022-03-30} } @online{delcher:20201203:what:9853c58, author = {Pierre Delcher}, title = {{What did DeathStalker hide between two ferns?}}, date = {2020-12-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/}, language = {English}, urldate = {2020-12-08} } @techreport{delia:20210804:rope:495f021, author = {Daniele Cono D’Elia and Lorenzo Invidia}, title = {{Rope: Bypassing Behavioral Detection of Malware with Distributed ROP-driven Execution (white paper)}}, date = {2021-08-04}, institution = {Sapienza University of Rome}, url = {https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Rope-Bypassing-Behavioral-Detection-Of-Malware-With-Distributed-ROP-Driven-Execution-wp.pdf}, language = {English}, urldate = {2021-08-06} } @techreport{delia:20210804:rope:ceb81fd, author = {Daniele Cono D’Elia and Lorenzo Invidia}, title = {{Rope: Bypassing Behavioral Detection of Malware with Distributed ROP-driven Execution (slides)}}, date = {2021-08-04}, institution = {Sapienza University of Rome}, url = {https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Rope-Bypassing-Behavioral-Detection-Of-Malware-With-Distributed-ROP-Driven-Execution.pdf}, language = {English}, urldate = {2021-08-06} } @online{delmas:20170226:treasurehunter:cd0c965, author = {Arnaud Delmas}, title = {{TreasureHunter : A POS Malware Case Study}}, date = {2017-02-26}, url = {http://adelmas.com/blog/treasurehunter.php}, language = {English}, urldate = {2019-12-02} } @online{delmas:20170314:analyzing:1c055df, author = {Arnaud Delmas}, title = {{Analyzing and Deobfuscating FlokiBot Banking Trojan}}, date = {2017-03-14}, organization = {Arnaud Delmas}, url = {http://adelmas.com/blog/flokibot.php}, language = {English}, urldate = {2020-01-08} } @techreport{deloitte:20160914:evolution:67ad556, author = {Deloitte}, title = {{The evolution of the Nymaim Criminal Enterprise Threat Intelligence & Analytics}}, date = {2016-09-14}, institution = {Deloitte}, url = {https://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-aers-the-evolution-of-the-nymaim-criminal-enterprise.pdf}, language = {English}, urldate = {2022-03-28} } @online{deloitte:20200122:project:0a44796, author = {Deloitte}, title = {{Project Lurus}}, date = {2020-01-22}, organization = {Deloitte}, url = {https://www.cityofpensacola.com/DocumentCenter/View/18879/Deloitte-Executive-Summary-PDF}, language = {English}, urldate = {2020-02-13} } @online{delpy:20190104:mimikatz:caaf928, author = {Benjamin Delpy}, title = {{mimikatz Repository}}, date = {2019-01-04}, organization = {Github (gentilkiwi)}, url = {https://github.com/gentilkiwi/mimikatz}, language = {English}, urldate = {2020-01-07} } @online{deluca:20201020:fbi:db32b2f, author = {Alex DeLuca}, title = {{FBI Investigating Threatening Emails Sent To Democrats In Florida}}, date = {2020-10-20}, organization = {WUFT}, url = {https://www.wuft.org/news/2020/10/20/fbi-investigating-threatening-emails-sent-to-democrats-in-florida/}, language = {English}, urldate = {2020-10-23} } @online{demboski:20211119:is:d05360d, author = {Morgan Demboski}, title = {{Is a coordinated cyberattack brewing in the escalating Russian-Ukrainian conflict?}}, date = {2021-11-19}, organization = {IronNet}, url = {https://www.ironnet.com/blog/is-a-coordinated-cyberattack-brewing-in-the-escalating-russian-ukrainian-conflict}, language = {English}, urldate = {2021-11-25} } @online{demetria:20121030:jacksbot:8a7230b, author = {Johanne Demetria}, title = {{JACKSBOT Has Some Dirty Tricks up Its Sleeves}}, date = {2012-10-30}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/jacksbot-has-some-dirty-tricks-up-its-sleeves/}, language = {English}, urldate = {2020-01-06} } @techreport{demirkapi:20200805:demystifying:147bf1e, author = {Bill Demirkapi}, title = {{Demystifying Modern Windows Rootkits}}, date = {2020-08-05}, institution = {BlackHat}, url = {https://billdemirkapi.me/slides/Demystifying-Modern-Windows-Rootkits-BH.pdf}, language = {English}, urldate = {2020-08-18} } @online{demirkapi:20220107:unpacking:22f8b4a, author = {Bill Demirkapi}, title = {{Unpacking CVE-2021-40444: A Deep Technical Analysis of an Office RCE Exploit}}, date = {2022-01-07}, organization = {Bill Demirkapi's Blog}, url = {https://billdemirkapi.me/unpacking-cve-2021-40444-microsoft-office-rce/}, language = {English}, urldate = {2022-02-02} } @online{demirkapi:20220328:new:233a827, author = {Bill Demirkapi}, title = {{New documents for the Okta breach}}, date = {2022-03-28}, organization = {Threadreader (@BillDemirkapi)}, url = {https://threadreaderapp.com/thread/1508527487655067660.html}, language = {English}, urldate = {2022-03-30} } @online{demirkapi:20220404:sharing:bee2fae, author = {Bill Demirkapi}, title = {{Sharing is Caring: Abusing Shared Sections for Code Injection}}, date = {2022-04-04}, organization = {Bill Demirkapi's Blog}, url = {https://billdemirkapi.me/sharing-is-caring-abusing-shared-sections-for-code-injection/}, language = {English}, urldate = {2022-04-07} } @online{denker:20210506:ransomware:a1f31df, author = {Brandon Denker}, title = {{Ransomware: Hunting for Inhibiting System Backup or Recovery}}, date = {2021-05-06}, organization = {Cyborg Security}, url = {https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/}, language = {English}, urldate = {2021-05-08} } @techreport{denker:20220201:whispergate:1eca84b, author = {Brandon Denker}, title = {{WhisperGate Malware - Update}}, date = {2022-02-01}, institution = {Cyborg Security}, url = {https://info.cyborgsecurity.com/hubfs/Emerging%20Threats/WhisperGate%20Malware%20Update%20-%20Emerging%20Threat.pdf}, language = {English}, urldate = {2022-02-10} } @online{dennesen:20141201:fin4:0760295, author = {Kristen Dennesen and Jordan Berry and Barry Vengerik and Jonathan Wrolstad}, title = {{FIN4: Stealing Insider Information for an Advantage in Stock Trading?}}, date = {2014-12-01}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html}, language = {English}, urldate = {2019-12-20} } @techreport{dereszowski:20140312:uroburos:789e718, author = {Andrzej Dereszowski and Matthieu Kaczmarek}, title = {{Uroburos: the snake rootkit}}, date = {2014-03-12}, institution = {Blog (Artem Baranov)}, url = {https://artemonsecurity.com/uroburos.pdf}, language = {English}, urldate = {2022-05-25} } @techreport{dereszowski:20150211:turladevelopment:98e2483, author = {Andrzej Dereszowski}, title = {{Turla-development & operations}}, date = {2015-02-11}, institution = {FIRST Tbilisi}, url = {https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf}, language = {English}, urldate = {2020-01-06} } @online{dereviashkin:20210208:long:d1419a2, author = {Michael Dereviashkin}, title = {{Long Live, Osiris; Banking Trojan Targets German IP Addresses}}, date = {2021-02-08}, organization = {Morphisec}, url = {https://blog.morphisec.com/long-live-osiris-banking-trojan-targets-german-ip-addresses}, language = {English}, urldate = {2021-02-09} } @online{dereviashkin:20220125:new:18be3b6, author = {Michael Dereviashkin}, title = {{New Threat Campaign Identified: AsyncRAT Introduces a New Delivery Technique}}, date = {2022-01-25}, organization = {Morphisec}, url = {https://blog.morphisec.com/asyncrat-new-delivery-technique-new-threat-campaign}, language = {English}, urldate = {2022-01-28} } @online{dereviashkin:20220405:new:2f2f8a9, author = {Michael Dereviashkin}, title = {{New Analysis: The CaddyWiper Malware Attacking Ukraine}}, date = {2022-04-05}, organization = {Morphisec}, url = {https://blog.morphisec.com/caddywiper-analysis-new-malware-attacking-ukraine}, language = {English}, urldate = {2022-04-07} } @online{desai:201608:agent:d527844, author = {Deepen Desai}, title = {{Agent Tesla Keylogger delivered using cybersquatting}}, date = {2016-08}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/agent-tesla-keylogger-delivered-using-cybersquatting}, language = {English}, urldate = {2019-11-26} } @online{desai:20200319:new:00516c3, author = {Shivang Desai}, title = {{New Android App Offers Coronavirus Safety Mask But Delivers SMS Trojan}}, date = {2020-03-19}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/new-android-app-offers-coronavirus-safety-mask-delivers-sms-trojan}, language = {English}, urldate = {2020-03-26} } @online{desai:20200729:android:fb3b3d0, author = {Shivang Desai}, title = {{Android Spyware Targeting Tanzania Premier League}}, date = {2020-07-29}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/android-spyware-targeting-tanzania-premier-league}, language = {English}, urldate = {2020-08-05} } @online{desai:20200908:tiktok:d920a43, author = {Shivang Desai}, title = {{TikTok Spyware: A detailed analysis of spyware masquerading as TikTok}}, date = {2020-09-08}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/tiktok-spyware}, language = {English}, urldate = {2020-09-15} } @online{desai:20211116:return:936dad6, author = {Deepen Desai}, title = {{Return of Emotet malware}}, date = {2021-11-16}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/return-emotet-malware}, language = {English}, urldate = {2021-11-19} } @online{desai:20220224:hermeticwiper:7cac018, author = {Deepen Desai}, title = {{HermeticWiper & resurgence of targeted attacks on Ukraine}}, date = {2022-02-24}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/hermeticwiper-resurgence-targeted-attacks-ukraine}, language = {English}, urldate = {2022-03-02} } @online{designativedave:20121116:remote:d5d4856, author = {DesignativeDave}, title = {{Remote Administration Tool for Android devices}}, date = {2012-11-16}, organization = {Github (DesignativeDave)}, url = {https://github.com/DesignativeDave/androrat}, language = {English}, urldate = {2019-11-26} } @online{desimone:20210316:detecting:4091130, author = {Joe Desimone}, title = {{Detecting Cobalt Strike with memory signatures}}, date = {2021-03-16}, organization = {Elastic}, url = {https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures}, language = {English}, urldate = {2021-03-22} } @online{desimone:20211223:elastic:0e1caf7, author = {Joe Desimone and Samir Bousseaden}, title = {{Elastic Security uncovers BLISTER malware campaign}}, date = {2021-12-23}, organization = {Elastic}, url = {https://www.elastic.co/blog/elastic-security-uncovers-blister-malware-campaign}, language = {English}, urldate = {2021-12-23} } @techreport{desombre:20210302:countering:de4981b, author = {Winnona Desombre and James Shires and JD Work and Robert Morgus and Patrick Howell O'Neill and Luca Allodi and Trey Herr}, title = {{Countering Cyber Proliferation: Zeroing in on Access-as-a-Service}}, date = {2021-03-02}, institution = {Atlantic Council}, url = {https://www.atlanticcouncil.org/wp-content/uploads/2021/03/Offensive-Cyber-Capabilities-Proliferation-Report-1.pdf}, language = {English}, urldate = {2021-03-04} } @online{deutsch:20201210:dutch:fe5465d, author = {Anthony Deutsch and Toby Sterling}, title = {{Dutch expel two Russian diplomats for suspected espionage}}, date = {2020-12-10}, organization = {Reuters}, url = {https://www.reuters.com/article/netherlands-russia/dutch-expel-two-russian-diplomats-for-suspected-espionage-idUSKBN28K2AT}, language = {English}, urldate = {2020-12-11} } @online{devadoss:20200629:initial:0c8ed48, author = {Dinesh Devadoss}, title = {{Tweet on initial Discovery of EvilQuest}}, date = {2020-06-29}, organization = {Twitter (@dineshdina04)}, url = {https://twitter.com/dineshdina04/status/1277668001538433025}, language = {English}, urldate = {2020-07-01} } @online{devadoss:20220509:from:658ed35, author = {Dinesh Devadoss and Phil Stokes}, title = {{From the Front Lines | Unsigned macOS oRAT Malware Gambles For The Win}}, date = {2022-05-09}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/from-the-front-lines-unsigned-macos-orat-malware-gambles-for-the-win}, language = {English}, urldate = {2022-05-11} } @online{devadoss:20220509:from:d580095, author = {Dinesh Devadoss and Phil Stokes}, title = {{From the Front Lines | Unsigned macOS oRAT Malware Gambles For The Win}}, date = {2022-05-09}, url = {https://www.sentinelone.com/blog/from-the-front-lines-unsigned-macos-orat-malware-gambles-for-the-win/}, language = {English}, urldate = {2022-05-11} } @online{devane:20160721:phishing:314ff25, author = {Oliver Devane and Mohinder Gill}, title = {{Phishing Attacks Employ Old but Effective Password Stealer}}, date = {2016-07-21}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/mcafee-labs/phishing-attacks-employ-old-effective-password-stealer/}, language = {English}, urldate = {2019-12-17} } @online{devkar:20220225:avoslocker:4a19530, author = {Sudhir Devkar and Threat Analysis Unit}, title = {{AvosLocker – Modern Linux Ransomware Threats}}, date = {2022-02-25}, organization = {vmware}, url = {https://blogs.vmware.com/security/2022/02/avoslocker-modern-linux-ransomware-threats.html}, language = {English}, urldate = {2022-03-22} } @online{devkar:20220412:ruransom:c9abdbd, author = {Sudhir Devkar}, title = {{RuRansom – A Retaliatory Wiper}}, date = {2022-04-12}, organization = {vmware}, url = {https://blogs.vmware.com/security/2022/04/ruransom-a-retaliatory-wiper.html}, language = {English}, urldate = {2022-05-04} } @online{dewan:20211008:new:b97c20c, author = {Tarun Dewan and Lenart Brave}, title = {{New Trickbot and BazarLoader campaigns use multiple delivery vectorsi}}, date = {2021-10-08}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/new-trickbot-and-bazarloader-campaigns-use-multiple-delivery-vectors}, language = {English}, urldate = {2021-10-14} } @online{dex:20200514:energy:43e92b4, author = {Dex}, title = {{The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey}}, date = {2020-05-14}, organization = {Lab52}, url = {https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/}, language = {English}, urldate = {2020-06-10} } @techreport{dfir:20200221:apt10:e9c3328, author = {ADEO DFIR}, title = {{APT10 Threat Analysis Report}}, date = {2020-02-21}, institution = {ADEO DFIR}, url = {https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf}, language = {English}, urldate = {2020-03-03} } @online{dgc:20220225:breaking:a96fdac, author = {Deutsche Gesellschaft für Cybersicherheit (DGC)}, title = {{Breaking news! Warning about “HermeticWiper Malware” by Russian APT Groups}}, date = {2022-02-25}, organization = {Deutsche Gesellschaft für Cybersicherheit}, url = {https://dgc.org/en/hermeticwiper-malware/}, language = {English}, urldate = {2022-03-01} } @online{dhanalakshmi:20180705:look:c39d2cb, author = {Dhanalakshmi}, title = {{A Look At Recent Tinba Banking Trojan Variant}}, date = {2018-07-05}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/look-recent-tinba-banking-trojan-variant}, language = {English}, urldate = {2019-11-20} } @online{dhs:20181002:alert:6e24ac4, author = {Department of Homeland Security (DHS) and Department of the Treasury (Treasury) and FBI}, title = {{Alert (TA18-275A): HIDDEN COBRA – FASTCash Campaign}}, date = {2018-10-02}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/TA18-275A}, language = {English}, urldate = {2022-04-20} } @techreport{dhss:20210916:department:745be5a, author = {Department Of Health And Social Services (DHSS)}, title = {{Department of Health and Social Services 2021 Cyberattack: Frequently Asked Questions Updated Sept. 16, 2021}}, date = {2021-09-16}, institution = {Department Of Health And Social Services (DHSS)}, url = {http://dhss.alaska.gov/news/Documents/press/2021/DHSS_FAQs_FMS_Cyberattack_20210916.pdf}, language = {English}, urldate = {2022-05-03} } @online{diaries:20211026:ep:e539e19, author = {DARKNET DIARIES}, title = {{EP 103: Cloud Hopper}}, date = {2021-10-26}, organization = {DARKNET DIARIES}, url = {https://darknetdiaries.com/episode/103/}, language = {English}, urldate = {2021-11-08} } @online{diaries:20220208:ep:9f11b1b, author = {DARKNET DIARIES}, title = {{EP 110: Spam Botnets}}, date = {2022-02-08}, organization = {DARKNET DIARIES}, url = {https://darknetdiaries.com/episode/110/}, language = {English}, urldate = {2022-02-14} } @online{die:20130203:infection:ac33cd2, author = {Malware Must Die!}, title = {{The infection of Styx Exploit Kit (Landing page: painterinvoice.ru + Payload: PWS/Ursnif Variant)}}, date = {2013-02-03}, organization = {Malware Must Die!}, url = {http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html}, language = {English}, urldate = {2019-07-11} } @online{dietrich:20181130:virut:2b9101c, author = {Christian J. Dietrich}, title = {{Virut Resurrects -- Musings on long-term sinkholing}}, date = {2018-11-30}, url = {https://chrisdietri.ch/post/virut-resurrects/}, language = {English}, urldate = {2019-11-25} } @online{digiamo:20181001:cds:a580f8f, author = {Christopher DiGiamo and Nalani Fraser and Jacqueline O’Leary}, title = {{CDS 2018 | Unmasking APT X}}, date = {2018-10-01}, organization = {Youtube (FireEye Inc.)}, url = {https://youtu.be/8hJyLkLHH8Q?t=1208}, language = {English}, urldate = {2020-01-06} } @online{digitrust:20170105:qrat:d5e7b46, author = {DigiTrust}, title = {{QRAT is Living in The World of JAVA}}, date = {2017-01-05}, organization = {DigiTrust}, url = {https://www.digitrustgroup.com/java-rat-qrat/}, language = {English}, urldate = {2020-01-09} } @techreport{dimaggio:20150806:black:af5cf27, author = {Jon DiMaggio}, title = {{The Black Vine cyberespionage group}}, date = {2015-08-06}, institution = {Symantec}, url = {https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-black-vine-cyberespionage-group.pdf}, language = {English}, urldate = {2020-01-10} } @online{dimaggio:20150806:black:b0fbb35, author = {Jon DiMaggio}, title = {{The Black Vine cyberespionage group}}, date = {2015-08-06}, organization = {Symantec}, url = {https://docs.broadcom.com/doc/the-black-vine-cyberespionage-group}, language = {English}, urldate = {2022-04-25} } @online{dimaggio:20160315:suckfly:0b3835e, author = {Jon DiMaggio}, title = {{Suckfly: Revealing the secret life of your code signing certificates}}, date = {2016-03-15}, organization = {Symantec}, url = {http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates}, language = {English}, urldate = {2020-01-05} } @online{dimaggio:20160315:suckfly:a1c8359, author = {Jon DiMaggio}, title = {{Suckfly: Revealing the secret life of your code signing certificates}}, date = {2016-03-15}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=62e325ae-f551-4855-b9cf-28a7d52d1534&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } @online{dimaggio:20160329:taiwan:4b83179, author = {Jon DiMaggio}, title = {{Taiwan targeted with new cyberespionage back door Trojan}}, date = {2016-03-29}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan}, language = {English}, urldate = {2019-12-18} } @online{dimaggio:20160329:taiwan:de4b254, author = {Jon DiMaggio}, title = {{Taiwan targeted with new cyberespionage back doorTrojan}}, date = {2016-03-29}, organization = {Symantec}, url = {https://app.box.com/s/xqh458fe1url7mgl072hhd0yxqw3x0jm}, language = {English}, urldate = {2020-01-20} } @online{dimaggio:20160428:tick:9fec91a, author = {Jon DiMaggio}, title = {{Tick cyberespionage group zeros in on Japan}}, date = {2016-04-28}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan}, language = {English}, urldate = {2020-01-10} } @online{dimaggio:20160517:indian:98dff05, author = {Jon DiMaggio}, title = {{Indian organizations targeted in Suckfly attacks}}, date = {2016-05-17}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7a60af1f-7786-446c-976b-7c71a16e9d3b&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } @online{dimaggio:20160517:indian:baa172f, author = {Jon DiMaggio}, title = {{Indian organizations targeted in Suckfly attacks}}, date = {2016-05-17}, organization = {Symantec}, url = {http://www.symantec.com/connect/blogs/indian-organizations-targeted-suckfly-attacks}, language = {English}, urldate = {2019-10-23} } @online{dimaggio:20210407:ransom:a109d6f, author = {Jon DiMaggio}, title = {{Ransom Mafia - Analysis of the World's First Ransomware Cartel}}, date = {2021-04-07}, organization = {ANALYST1}, url = {https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel}, language = {English}, urldate = {2021-06-01} } @techreport{dimaggio:20210407:ransom:a543eac, author = {Jon DiMaggio}, title = {{Ransom Mafia Analysis of the World's First Ransomware Cartel}}, date = {2021-04-07}, institution = {ANALYST1}, url = {https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf}, language = {English}, urldate = {2021-04-09} } @techreport{dimaggio:20210811:nation:815fed9, author = {Jon DiMaggio}, title = {{Nation State Ransomware}}, date = {2021-08-11}, institution = {ANALYST1}, url = {https://analyst1.com/file-assets/Nationstate_ransomware_with_consecutive_endnotes.pdf}, language = {English}, urldate = {2021-08-17} } @techreport{dimaggio:20220127:history:921d98f, author = {Jon DiMaggio}, title = {{A History of Revil}}, date = {2022-01-27}, institution = {ANALYST1}, url = {https://analyst1.com/file-assets/History-of-REvil.pdf}, language = {English}, urldate = {2022-02-01} } @online{dimaggio:20220407:north:ab16006, author = {Jon DiMaggio}, title = {{North Korea: Intelligence Assessment 2022}}, date = {2022-04-07}, organization = {ANALYST1}, url = {https://analyst1.com/digital-report/north-korea-2022-intelligence-assessment}, language = {English}, urldate = {2022-04-15} } @online{dimchev:20160927:new:3bba3cd, author = {Alex Dimchev}, title = {{New Voldemort/Nagini Ransomware Virus Infection}}, date = {2016-09-27}, organization = {Best Security Research}, url = {http://bestsecuritysearch.com/voldemortnagini-ransomware-virus/}, language = {English}, urldate = {2019-11-28} } @online{dimino:20120802:cridex:a9b195f, author = {Andre M. DiMino}, title = {{Cridex Analysis using Volatility}}, date = {2012-08-02}, url = {http://www.sempersecurus.org/2012/08/cridex-analysis-using-volatility.html}, language = {English}, urldate = {2019-10-23} } @online{dimino:20120803:cridex:eab5b19, author = {Andre DiMino}, title = {{Cridex Analysis using Volatility}}, date = {2012-08-03}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2012/08/cridex-analysis-using-volatility-by.html}, language = {English}, urldate = {2019-12-18} } @techreport{ding:20210506:domain:501928a, author = {Tianze Ding and Junyu Zhou}, title = {{Domain Borrowing: Catch My C2 Traffic if You Can}}, date = {2021-05-06}, institution = {Tencent}, url = {https://i.blackhat.com/asia-21/Thursday-Handouts/as-21-Ding-Domain-Borrowing-Catch-My-C2-Traffic-If-You-Can.pdf}, language = {English}, urldate = {2021-09-14} } @techreport{ding:20210506:domain:853dd90, author = {Tianze Ding and Junyu Zhou}, title = {{Domain Borrowing: Catch My C2 Traffic if You Can}}, date = {2021-05-06}, institution = {Tencent}, url = {https://i.blackhat.com/asia-21/Thursday-Handouts/as-21-Ding-Domain-Borrowing-Catch-My-C2-Traffic-If-You-Can.pdf}, language = {English}, urldate = {2021-09-14} } @online{ding:20210901:domain:92aa2f7, author = {Tianze Ding and Junyu Zhou}, title = {{Domain Borrowing: Catch My C2 Traffic if You Can}}, date = {2021-09-01}, organization = {YouTube (Black Hat)}, url = {https://www.youtube.com/watch?v=eVr0kKdgM2I}, language = {English}, urldate = {2021-09-14} } @online{dissent:20200526:former:dcfe145, author = {Dissent}, title = {{A former DarkSide listing shows up on REvil’s leak site}}, date = {2020-05-26}, organization = {DataBreaches.net}, url = {https://www.databreaches.net/a-former-darkside-listing-shows-up-on-revils-leak-site/}, language = {English}, urldate = {2021-06-09} } @online{dissent:20210412:chat:fa8aec8, author = {Dissent}, title = {{A chat with DarkSide}}, date = {2021-04-12}, organization = {DataBreaches.net}, url = {https://www.databreaches.net/a-chat-with-darkside/}, language = {English}, urldate = {2021-04-16} } @online{dissent:20210531:babuk:4915c4b, author = {Dissent}, title = {{Babuk re-organizes as Payload Bin, offers its first leak}}, date = {2021-05-31}, organization = {DataBreaches.net}, url = {https://www.databreaches.net/babuk-re-organizes-as-payload-bin-offers-its-first-leak/}, language = {English}, urldate = {2021-06-04} } @online{dissent:20210926:desorden:3fabe7a, author = {Dissent}, title = {{Desorden Group claims to have stolen 200 GB of data from ABX Express}}, date = {2021-09-26}, organization = {DataBreaches.net}, url = {https://www.databreaches.net/desorden-group-claims-to-have-stolen-200-gb-of-data-from-abx-express/}, language = {English}, urldate = {2021-09-29} } @online{ditch:20220118:formbook:3f03c56, author = {Derek Ditch and Daniel Stepanic and Andrew Pease and Seth Goodwin}, title = {{FORMBOOK Adopts CAB-less Approach}}, date = {2022-01-18}, organization = {Elastic}, url = {https://elastic.github.io/security-research/intelligence/2022/01/01.formbook-adopts-cabless-approach/article/}, language = {English}, urldate = {2022-01-25} } @online{ditch:20220119:collecting:696e5d0, author = {Derek Ditch and Daniel Stepanic and Andrew Pease and Seth Goodwin}, title = {{Collecting Cobalt Strike Beacons with the Elastic Stack}}, date = {2022-01-19}, organization = {Elastic}, url = {https://elastic.github.io/security-research/intelligence/2022/01/02.collecting-cobalt-strike-beacons/article/}, language = {English}, urldate = {2022-01-25} } @online{ditch:20220119:extracting:39bd5e5, author = {Derek Ditch and Daniel Stepanic and Andrew Pease and Seth Goodwin}, title = {{Extracting Cobalt Strike Beacon Configurations}}, date = {2022-01-19}, organization = {Elastic}, url = {https://elastic.github.io/security-research/intelligence/2022/01/03.extracting-cobalt-strike-beacon/article/}, language = {English}, urldate = {2022-01-25} } @online{division:2000:2000:6d829fc, author = {CERT Division}, title = {{2000 CERT Advisories}}, date = {2000}, organization = {Carnegie Mellon University}, url = {https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=496186}, language = {English}, urldate = {2020-01-08} } @techreport{division:20200514:malware:34fa46f, author = {Leonardo’s Cyber Security division}, title = {{Malware Technical Insight Turla "Penquin_x64"}}, date = {2020-05-14}, institution = {Leonardo}, url = {https://www.leonardocompany.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf}, language = {English}, urldate = {2020-05-14} } @techreport{division:20200707:cosmic:cc97389, author = {AGARI CYBER INTELLIGENCE DIVISION}, title = {{Cosmic Lynx: The Rise of Russian BEC}}, date = {2020-07-07}, institution = {}, url = {https://www.agari.com/cyber-intelligence-research/whitepapers/acid-agari-cosmic-lynx.pdf}, language = {English}, urldate = {2020-07-08} } @online{dixon:20180623:oceanlotus:555d8bf, author = {Brandon Dixon and Steve Ginty}, title = {{OceanLotus 2018: Malicious Infrastructure}}, date = {2018-06-23}, organization = {passivetotal}, url = {https://community.riskiq.com/projects/53b4bd1e-dad0-306b-7712-d2a608400c8f}, language = {English}, urldate = {2019-11-16} } @techreport{dixon:2018:alphathreat:f97b446, author = {Brandon Dixon}, title = {{Alphathreat Soup Burning Actors with Data}}, date = {2018}, institution = {RiskIQ}, url = {https://hitcon.org/2018/CMT/slide-files/d1_s2_r1.pdf}, language = {English}, urldate = {2021-08-09} } @techreport{dnne:20211003:squirrelwaffle:3a35566, author = {Joel Dönne}, title = {{SquirrelWaffle - From Maldoc to Cobalt Strike}}, date = {2021-10-03}, institution = {Github (0xjxd)}, url = {https://github.com/0xjxd/SquirrelWaffle-From-Maldoc-to-Cobalt-Strike/raw/main/2021-10-02%20-%20SquirrelWaffle%20-%20From%20Maldoc%20to%20Cobalt%20Strike.pdf}, language = {English}, urldate = {2021-10-07} } @online{dobberstein:20220408:china:6626bbc, author = {Laura Dobberstein}, title = {{China accused of cyberattacks on Indian power grid}}, date = {2022-04-08}, organization = {The Register}, url = {https://www.theregister.com/2022/04/08/china_sponsored_attacks_india_ukraine/}, language = {English}, urldate = {2022-04-12} } @online{dobbins:20220216:ddos:004dcc5, author = {Roland Dobbins and Steinthor Bjarnason}, title = {{DDoS Attack Campaign Targeting Multiple Organizations in Ukraine}}, date = {2022-02-16}, organization = {NetScout}, url = {https://www.netscout.com/blog/asert/ddos-attack-campaign-targeting-multiple-organizations-ukraine}, language = {English}, urldate = {2022-02-19} } @online{dodia:20190315:immortal:43b3d3d, author = {Rajdeepsinh Dodia and Uday Pratap Singh}, title = {{Immortal information stealer}}, date = {2019-03-15}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/immortal-information-stealer}, language = {English}, urldate = {2020-06-08} } @online{dodia:20190808:saefko:bdc733d, author = {Rajdeepsinh Dodia and Priyanka Bhati}, title = {{Saefko: A new multi-layered RAT}}, date = {2019-08-08}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/saefko-new-multi-layered-rat}, language = {English}, urldate = {2019-11-26} } @online{dodia:20200116:ftcode:9e80307, author = {Rajdeepsinh Dodia and Amandeep Kumar and Atinderpal Singh}, title = {{FTCODE Ransomware - New Version Includes Stealing Capabilities}}, date = {2020-01-16}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/ftcode-ransomware--new-version-includes-stealing-capabilities}, language = {English}, urldate = {2020-01-27} } @online{dodia:20211015:atomsilo:81b4ff1, author = {Rajdeepsinh Dodia}, title = {{AtomSilo Ransomware Enters the League of Double Extortion}}, date = {2021-10-15}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/atomsilo-ransomware-enters-league-double-extortion}, language = {English}, urldate = {2021-11-03} } @online{dodia:20220323:midas:017f409, author = {Rajdeepsinh Dodia}, title = {{Midas Ransomware : Tracing the Evolution of Thanos Ransomware Variants}}, date = {2022-03-23}, organization = {Security Boulevard}, url = {https://securityboulevard.com/2022/03/midas-ransomware-tracing-the-evolution-of-thanos-ransomware-variants/}, language = {English}, urldate = {2022-03-25} } @online{dodia:20220323:midas:8b975b4, author = {Rajdeepsinh Dodia}, title = {{Midas Ransomware : Tracing the Evolution of Thanos Ransomware Variants}}, date = {2022-03-23}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/midas-ransomware-tracing-evolution-thanos-ransomware-variants}, language = {English}, urldate = {2022-03-25} } @techreport{doe:20220413:cyber:1dee54e, author = {Department of Energy (DOE) and NSA and FBI and CISA}, title = {{APT Cyber Tools Targeting ICS/SCADA Devices}}, date = {2022-04-13}, institution = {}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/Joint_Cybersecurity_Advisory_APT%20Cyber%20Tools%20Targeting%20ICS%20SCADA%20Devices.pdf}, language = {English}, urldate = {2022-04-15} } @techreport{doerr:20190808:enemy:3962b21, author = {Eric Doerr}, title = {{The Enemy Within: Modern Supply Chain Attacks}}, date = {2019-08-08}, institution = {BlackHat}, url = {https://i.blackhat.com/USA-19/Thursday/us-19-Doerr-The-Enemy-Within-Modern-Supply-Chain-Attacks.pdf}, language = {English}, urldate = {2020-08-14} } @online{doerr:20210326:securing:0f170cb, author = {Eric Doerr}, title = {{Securing our approach to domain fronting within Azure}}, date = {2021-03-26}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/03/26/securing-our-approach-to-domain-fronting-within-azure/}, language = {English}, urldate = {2021-03-30} } @online{doffman:20190816:warning:65452b4, author = {Zak Doffman}, title = {{Warning As Devious New Android Malware Hides In Fake Adobe Flash Player Installations (Updated)}}, date = {2019-08-16}, organization = {Forbes}, url = {https://www.forbes.com/sites/zakdoffman/2019/08/16/dangerous-new-android-trojan-hides-from-malware-researchers-and-taunts-them-on-twitter/}, language = {English}, urldate = {2020-01-08} } @techreport{doherty:20130917:hidden:1b7b01c, author = {Stephen Doherty and Jozsef Gegeny and Branko Spasojevic and Jonell Baltazar}, title = {{Hidden Lynx – Professional Hackers for Hire}}, date = {2013-09-17}, institution = {Symantec}, url = {http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{doherty:20130917:hidden:72a1bd7, author = {Stephen Doherty and Jozsef Gegeny and Branko Spasojevic and Jonell Baltazar}, title = {{Hidden Lynx – Professional Hackers for Hire}}, date = {2013-09-17}, institution = {Symantec}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf}, language = {English}, urldate = {2020-04-21} } @online{dokas:20210921:using:28b3535, author = {Paul Dokas}, title = {{Using Zeek to track communication state}}, date = {2021-09-21}, organization = {Corelight}, url = {https://corelight.com/blog/using-zeek-to-track-communication-state}, language = {English}, urldate = {2021-09-22} } @online{dolas:20200731:masslogger:b17ff73, author = {Aniruddha Dolas}, title = {{MassLogger: An Emerging Spyware and Keylogger}}, date = {2020-07-31}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/masslogger-an-emerging-spyware-and-keylogger/}, language = {English}, urldate = {2020-08-05} } @online{dolas:20210505:catching:ace83fc, author = {Aniruddha Dolas and Mohd Sadique and Manohar Ghule}, title = {{Catching RATs Over Custom Protocols Analysis of top non-HTTP/S threats}}, date = {2021-05-05}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols}, language = {English}, urldate = {2021-05-08} } @online{dolgushev:20181019:darkpulsar:c98e816, author = {Andrey Dolgushev and Dmitry Tarakanov and Vasily Berdnikov}, title = {{DarkPulsar}}, date = {2018-10-19}, organization = {Kaspersky Labs}, url = {https://securelist.com/darkpulsar/88199/}, language = {English}, urldate = {2019-12-20} } @online{dolgushev:20191105:darkuniverse:36ead28, author = {Andrey Dolgushev and Vasily Berdnikov and Alexander Fedotov}, title = {{DarkUniverse – the mysterious APT framework #27}}, date = {2019-11-05}, organization = {Kaspersky Labs}, url = {https://securelist.com/darkuniverse-the-mysterious-apt-framework-27/94897/}, language = {English}, urldate = {2020-04-24} } @online{domaintools:20170321:hunt:e4d1473, author = {DomainTools}, title = {{Hunt Case Study: Hunting Campaign Indicators on Privacy Protected Attack Infrastructure}}, date = {2017-03-21}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/case-study-hunting-campaign-indicators-on-privacy-protected-attack-infrastr}, language = {English}, urldate = {2020-05-18} } @online{domaintools:20220407:spm55:dd2a4c8, author = {DomainTools}, title = {{SPM55: Ascending the Ranks of Indonesian Phishing As A Service Offerings}}, date = {2022-04-07}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/spm55-ascending-the-ranks-of-indonesian-phishing-as-a-service-offerings}, language = {English}, urldate = {2022-04-08} } @online{doman:20141027:scanbox:c4beb38, author = {Chris Doman and Tom Lancaster}, title = {{ScanBox framework – who’s affected, and who’s using it?}}, date = {2014-10-27}, organization = {PWC}, url = {http://pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html}, language = {English}, urldate = {2020-01-07} } @online{doman:20161026:moonlight:1edffaa, author = {Chris Doman}, title = {{Moonlight – Targeted attacks in the Middle East}}, date = {2016-10-26}, organization = {Unknown}, url = {https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks}, language = {English}, urldate = {2020-04-06} } @online{doman:20170612:open:b143d52, author = {Christopher Doman}, title = {{Open Source Malware - Sharing is caring?}}, date = {2017-06-12}, organization = {SlideShare}, url = {https://www.slideshare.net/ChristopherDoman/open-source-malware-sharing-is-caring}, language = {English}, urldate = {2020-01-13} } @online{doman:20181008:delivery:8f2c9ed, author = {Chris Doman}, title = {{Delivery (Key)Boy}}, date = {2018-10-08}, organization = {AT&T Cybersecurity}, url = {https://www.alienvault.com/blogs/labs-research/delivery-keyboy}, language = {English}, urldate = {2019-10-15} } @online{doman:20190306:internet:c3afbc0, author = {Chris Doman}, title = {{Internet of Termites}}, date = {2019-03-06}, organization = {AT&T}, url = {https://www.alienvault.com/blogs/labs-research/internet-of-termites}, language = {English}, urldate = {2020-01-07} } @online{doman:20200516:recent:bb6d18e, author = {Chris Doman and James Campbell}, title = {{Recent Attacks Against Supercomputers}}, date = {2020-05-16}, organization = {Cado Security}, url = {https://www.cadosecurity.com/2020/05/16/1318/}, language = {English}, urldate = {2020-05-18} } @online{doman:20200611:ongoing:d94778b, author = {Chris Doman and James Campbell}, title = {{An Ongoing AWS Phishing Campaign}}, date = {2020-06-11}, organization = {Cado Security}, url = {https://www.cadosecurity.com/2020/06/11/an-ongoing-aws-phishing-campaign/}, language = {English}, urldate = {2020-06-12} } @online{doman:20200817:team:01dd484, author = {Chris Doman}, title = {{Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials}}, date = {2020-08-17}, organization = {Cado Security}, url = {https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials}, language = {English}, urldate = {2021-03-12} } @online{doman:20200817:team:a654242, author = {Chris Doman and James Campbell}, title = {{Team TNT - The First Crypto-Mining Worm to Steal AWS Credentials}}, date = {2020-08-17}, organization = {Cado Security}, url = {https://www.cadosecurity.com/2020/08/17/teamtnt-the-first-crypto-mining-worm-to-steal-aws-credentials/}, language = {English}, urldate = {2020-08-19} } @online{doman:20201214:responding:639d2ce, author = {Christopher Doman}, title = {{Responding to Solarigate}}, date = {2020-12-14}, organization = {Cado Security}, url = {https://www.cadosecurity.com/post/responding-to-solarigate}, language = {English}, urldate = {2020-12-14} } @online{doman:20210210:punk:dd2c142, author = {Christopher Doman}, title = {{Punk Kitty Ransom - Analysing HelloKitty Ransomware Attacks}}, date = {2021-02-10}, organization = {Cado Security}, url = {https://www.cadosecurity.com/post/punk-kitty-ransom-analysing-hellokitty-ransomware-attacks}, language = {English}, urldate = {2021-02-17} } @online{doman:20210713:resources:13f690a, author = {Christopher Doman}, title = {{Resources for Investigating Cloud and Container Penetration Testing Tools}}, date = {2021-07-13}, organization = {Cado Security}, url = {https://www.cadosecurity.com/post/resources-for-investigating-cloud-and-container-penetration-testing-tools}, language = {English}, urldate = {2021-07-20} } @online{doman:20210714:triage:5a7151d, author = {Christopher Doman}, title = {{Triage analysis of Serv-U FTP user backdoor deployed by CVE-2021-35211 (DEV-0322)}}, date = {2021-07-14}, organization = {Cado Security}, url = {https://www.cadosecurity.com/post/triage-analysis-of-serv-u-ftp-user-backdoor-deployed-by-cve-2021-35211}, language = {English}, urldate = {2021-07-20} } @online{domesticus:20120423:bkdrcysxla:73fda09, author = {Domesticus}, title = {{BKDR_CYSXL.A}}, date = {2012-04-23}, organization = {enigmasoft}, url = {https://www.enigmasoftware.com/bkdrcysxla-removal/}, language = {English}, urldate = {2021-01-25} } @online{domingues:20210603:breaking:69967e5, author = {Felipe Domingues and Gustavo Palazolo}, title = {{Breaking Dridex Malware}}, date = {2021-06-03}, organization = {YouTube (FIRST)}, url = {https://www.youtube.com/watch?v=1VB15_HgUkg}, language = {English}, urldate = {2021-06-16} } @online{dominguez:20210302:ploutus:5d96786, author = {Jesus Dominguez and Ocelot Offensive Security Team}, title = {{Ploutus is back, targeting Itautec ATMs in Latin America}}, date = {2021-03-02}, organization = {Metabase Q}, url = {https://www.metabaseq.com/recursos/ploutus-is-back-targeting-itautec-atms-in-latin-america}, language = {English}, urldate = {2021-03-11} } @online{dominguez:20210823:prism:f3b6d3d, author = {Fernando Dominguez}, title = {{PRISM attacks fly under the radar}}, date = {2021-08-23}, organization = {AT&T}, url = {https://cybersecurity.att.com/blogs/labs-research/prism-attacks-fly-under-the-radar}, language = {English}, urldate = {2021-08-25} } @online{dominguez:20211027:code:2d1f1be, author = {Fernando Dominguez}, title = {{Code similarity analysis with r2diaphora}}, date = {2021-10-27}, organization = {AT&T}, url = {https://cybersecurity.att.com/blogs/labs-research/code-similarity-analysis-with-r2diaphora}, language = {English}, urldate = {2021-11-03} } @online{done:20201005:darkside:d3005ca, author = {Zawadi Done}, title = {{DarkSide ransomware analysis}}, date = {2020-10-05}, organization = {Zawadi Done}, url = {https://zawadidone.nl/darkside-ransomware-analysis/}, language = {English}, urldate = {2022-02-17} } @online{dong:20201109:old:5454254, author = {Zhengyu Dong}, title = {{An Old Joker’s New Tricks: Using Github To Hide Its Payload}}, date = {2020-11-09}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/k/an-old-jokers-new-tricks--using-github-to-hide-its-payload.html}, language = {English}, urldate = {2020-11-19} } @online{dong:20201117:regretlocker:84dd317, author = {Chuong Dong}, title = {{RegretLocker}}, date = {2020-11-17}, organization = {Chuongdong blog}, url = {http://chuongdong.com/reverse%20engineering/2020/11/17/RegretLocker/}, language = {English}, urldate = {2020-11-19} } @online{dong:20201212:contiunpacker:05a9897, author = {Chuong Dong}, title = {{ContiUnpacker: An automatic unpacker for Conti rasnomware}}, date = {2020-12-12}, organization = {Github (cdong1012)}, url = {https://github.com/cdong1012/ContiUnpacker}, language = {English}, urldate = {2020-12-14} } @online{dong:20201215:conti:afb68fe, author = {Chuong Dong}, title = {{Conti Ransomware v2}}, date = {2020-12-15}, organization = {Chuongdong blog}, url = {http://chuongdong.com/reverse%20engineering/2020/12/15/ContiRansomware/}, language = {English}, urldate = {2020-12-23} } @online{dong:20210103:babuk:b5b2e9e, author = {Chuong Dong}, title = {{Babuk Ransomware}}, date = {2021-01-03}, organization = {Chuongdong blog}, url = {http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/}, language = {English}, urldate = {2021-01-21} } @online{dong:20210116:babuk:31553f3, author = {Chuong Dong}, title = {{Babuk Ransomware v3}}, date = {2021-01-16}, organization = {Chuongdong blog}, url = {https://chuongdong.com/reverse%20engineering/2021/01/16/BabukRansomware-v3/}, language = {English}, urldate = {2021-05-13} } @online{dong:20210506:darkside:461faf9, author = {Chuong Dong}, title = {{Darkside Ransomware}}, date = {2021-05-06}, organization = {Chuongdong blog}, url = {https://chuongdong.com/reverse%20engineering/2021/05/06/DarksideRansomware/}, language = {English}, urldate = {2021-05-13} } @online{dong:20210506:darkside:adaa792, author = {Chuong Dong}, title = {{Darkside Ransomware}}, date = {2021-05-06}, organization = {Chuongdong blog}, url = {http://chuongdong.com/reverse%20engineering/2021/05/06/DarksideRansomware/}, language = {English}, urldate = {2021-05-11} } @online{dong:20210523:mountlocker:4b3d011, author = {Chuong Dong}, title = {{MountLocker Ransomware}}, date = {2021-05-23}, organization = {Chuongdong blog}, url = {https://chuongdong.com/reverse%20engineering/2021/05/23/MountLockerRansomware/}, language = {English}, urldate = {2021-06-16} } @online{dong:20210721:strongpity:f87c7bd, author = {Zhengyu Dong and Fyodor Yarochkin and Steven Du}, title = {{StrongPity APT Group Deploys Android Malware for the First Time}}, date = {2021-07-21}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/g/strongpity-apt-group-deploys-android-malware-for-the-first-time.html}, language = {English}, urldate = {2021-07-26} } @online{dong:20210905:blackmatter:2673021, author = {Chuong Dong}, title = {{BlackMatter Ransomware v2.0}}, date = {2021-09-05}, organization = {Chuongdong blog}, url = {https://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/}, language = {English}, urldate = {2021-09-09} } @online{dong:20211001:squirrelwaffle:24c9b06, author = {Chuong Dong}, title = {{SQUIRRELWAFFLE – Analysing the Custom Packer}}, date = {2021-10-01}, organization = {0ffset Blog}, url = {https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-custom-packer/}, language = {English}, urldate = {2021-10-14} } @online{dong:20211008:squirrelwaffle:4549cd1, author = {Chuong Dong}, title = {{SQUIRRELWAFFLE – Analysing The Main Loader}}, date = {2021-10-08}, organization = {0ffset Blog}, url = {https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-main-loader/}, language = {English}, urldate = {2021-10-14} } @online{dong:20211013:atomsilo:9d4ce80, author = {Chuong Dong}, title = {{AtomSilo Ransomware}}, date = {2021-10-13}, organization = {Chuongdong blog}, url = {https://chuongdong.com//reverse%20engineering/2021/10/13/AtomSiloRansomware/}, language = {English}, urldate = {2022-02-02} } @online{dong:20211013:atomsilo:d3abf78, author = {Chuong Dong}, title = {{AtomSilo Ransomware}}, date = {2021-10-13}, organization = {Chuongdong blog}, url = {https://chuongdong.com/reverse%20engineering/2021/10/13/AtomSiloRansomware/}, language = {English}, urldate = {2022-01-25} } @online{dong:20211026:dridex:e054dc4, author = {Chuong Dong}, title = {{DRIDEX: Analysing API Obfuscation Through VEH}}, date = {2021-10-26}, organization = {0ffset Blog}, url = {https://www.0ffset.net/reverse-engineering/malware-analysis/dridex-veh-api-obfuscation/}, language = {English}, urldate = {2021-11-03} } @online{dong:20211123:hancitor:140d2c0, author = {Chuong Dong}, title = {{HANCITOR: Analysing The Malicious Document}}, date = {2021-11-23}, organization = {0ffset Blog}, url = {https://www.0ffset.net/reverse-engineering/malware-analysis/hancitor-maldoc-analysis/}, language = {English}, urldate = {2022-02-01} } @online{dong:20211217:diavol:710941d, author = {Chuong Dong}, title = {{Diavol Ransomware}}, date = {2021-12-17}, organization = {Chuongdong blog}, url = {https://chuongdong.com/reverse%20engineering/2021/12/17/DiavolRansomware/}, language = {English}, urldate = {2021-12-22} } @online{dong:20211231:hancitor:734a06a, author = {Chuong Dong}, title = {{HANCITOR: Analysing The Main Loader}}, date = {2021-12-31}, organization = {0ffset Blog}, url = {https://www.0ffset.net/reverse-engineering/malware-analysis/hancitor-analysing-the-main-loader/}, language = {English}, urldate = {2022-02-01} } @online{dong:20220106:rook:0b69fa6, author = {Chuong Dong}, title = {{Rook Ransomware Analysis}}, date = {2022-01-06}, organization = {Chuongdong blog}, url = {https://chuongdong.com/reverse%20engineering/2022/01/06/RookRansomware/}, language = {English}, urldate = {2022-01-12} } @online{dong:20220215:matanbuchus:cd8acc2, author = {Chuong Dong}, title = {{MATANBUCHUS: Another Loader As A Service Malware}}, date = {2022-02-15}, organization = {0ffset Blog}, url = {https://www.0ffset.net/reverse-engineering/matanbuchus-loader-analysis/}, language = {English}, urldate = {2022-02-17} } @online{dong:20220216:sms:96151cc, author = {Zhengyu Dong and Ryan Flores and Vladimir Kropotov and Paul Pajares and Fyodor Yarochkin}, title = {{SMS PVA Services' Use of Infected Android Phones Reveals Flaws in SMS Verification}}, date = {2022-02-16}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/b/sms-pva-services-use-of-infected-android-phones-reveals-flaws-in-sms-verification.html}, language = {English}, urldate = {2022-03-02} } @online{dong:20220319:lockbit:cafbe56, author = {Chuong Dong}, title = {{LockBit Ransomware v2.0}}, date = {2022-03-19}, organization = {Chuongdong blog}, url = {https://chuongdong.com/reverse%20engineering/2022/03/19/LockbitRansomware/}, language = {English}, urldate = {2022-03-22} } @online{dong:20220419:bazarloader:902cf53, author = {Chuong Dong}, title = {{BAZARLOADER: Unpacking An ISO File Infection}}, date = {2022-04-19}, organization = {0ffset Blog}, url = {https://www.0ffset.net/reverse-engineering/bazarloader-iso-file-infection/}, language = {English}, urldate = {2022-04-20} } @online{dong:20220527:bazarloader:0729146, author = {Chuong Dong}, title = {{BAZARLOADER: Analysing The Main Loader}}, date = {2022-05-27}, organization = {0ffset Blog}, url = {https://www.0ffset.net/reverse-engineering/analysing-the-main-bazarloader/}, language = {English}, urldate = {2022-05-29} } @online{donohue:20141125:regin:15d544f, author = {Brain Donohue}, title = {{Regin APT Attacks Among the Most Sophisticated Ever Analyzed}}, date = {2014-11-25}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/blog/regin-apt-most-sophisticated/6852/}, language = {English}, urldate = {2019-12-17} } @online{donohue:20220316:uncompromised:959f0d0, author = {Brian Donohue and Laura Brosnan}, title = {{Uncompromised: When REvil comes knocking}}, date = {2022-03-16}, organization = {Red Canary}, url = {https://redcanary.com/blog/uncompromised-kaseya/}, language = {English}, urldate = {2022-03-17} } @online{doraisjoncas:20120316:osximuler:badbc2e, author = {Alexis Dorais-Joncas}, title = {{OSX/Imuler updated: still a threat on Mac OS X}}, date = {2012-03-16}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2012/03/16/osximuler-updated-still-a-threat-on-mac-os-x/}, language = {English}, urldate = {2019-11-14} } @techreport{doraisjoncas:20211201:jumping:00bc8f5, author = {Alexis Dorais-Joncas and Facundo Muñoz}, title = {{Jumping the air gap: 15 years of nation‑state effort}}, date = {2021-12-01}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf}, language = {English}, urldate = {2021-12-17} } @online{dorfman:20200715:exclusive:6a11ebe, author = {Zach Dorfman and Kim Zetter and Jenna McLaughlin and Sean D. Naylor}, title = {{Exclusive: Secret Trump order gives CIA more powers to launch cyberattacks}}, date = {2020-07-15}, organization = {Yahoo News}, url = {https://news.yahoo.com/secret-trump-order-gives-cia-more-powers-to-launch-cyberattacks-090015219.html}, language = {English}, urldate = {2020-07-16} } @online{dorfman:20210128:in:58cbf10, author = {Zach Dorfman}, title = {{In cyber espionage, U.S. is both hunted and hunter}}, date = {2021-01-28}, organization = {axios}, url = {https://www.axios.com/american-cyber-warfare-solarwinds-d50815d6-2e03-4e3c-83ab-9d2f5e20d6f5.html}, language = {English}, urldate = {2021-01-29} } @online{dorneanu:20140707:disect:49df4ee, author = {Victor Dorneanu}, title = {{Disect Android APKs like a Pro - Static code analysis}}, date = {2014-07-07}, url = {http://blog.dornea.nu/2014/07/07/disect-android-apks-like-a-pro-static-code-analysis/}, language = {English}, urldate = {2020-01-07} } @online{douglas:20170309:spora:7038fba, author = {Kevin Douglas}, title = {{Spora Ransomware: Understanding the HTA Infection Vector}}, date = {2017-03-09}, organization = {Tenable}, url = {https://www.linkedin.com/pulse/spora-ransomware-understanding-hta-infection-vector-kevin-douglas}, language = {English}, urldate = {2020-01-10} } @online{downey:20190422:unpacking:2cb6558, author = {Mike Downey}, title = {{Unpacking & Decrypting FlawedAmmyy}}, date = {2019-04-22}, organization = {SANS}, url = {https://www.sans.org/reading-room/whitepapers/reverseengineeringmalware/unpacking-decrypting-flawedammyy-38930}, language = {English}, urldate = {2020-01-09} } @online{downs:20151016:surveillance:86d472f, author = {Rob Downs}, title = {{Surveillance Malware Trends: Tracking Predator Pain and HawkEye}}, date = {2015-10-16}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2015/10/surveillance-malware-trends-tracking-predator-pain-and-hawkeye/}, language = {English}, urldate = {2019-12-20} } @online{dragoni:20210622:how:9ecf77e, author = {Younes Dragoni}, title = {{How to Dissect Unusual Protocols for Troubleshooting OT Security}}, date = {2021-06-22}, organization = {Nozomi Networks}, url = {https://www.nozominetworks.com/blog/how-to-dissect-unusual-protocols-for-troubleshooting-ot-security/}, language = {English}, urldate = {2021-09-24} } @techreport{dragos:20170613:crashoverride:33b0a7e, author = {Dragos}, title = {{CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations}}, date = {2017-06-13}, institution = {Dragos}, url = {https://dragos.com/wp-content/uploads/CrashOverride-01.pdf}, language = {English}, urldate = {2020-01-13} } @techreport{dragos:20170613:crashoverride:ee53f66, author = {Dragos}, title = {{CRASHOVERRIDE: Analysis of the Threatto Electric Grid Operations}}, date = {2017-06-13}, institution = {Dragos}, url = {https://dragos.com/blog/crashoverride/CrashOverride-01.pdf}, language = {English}, urldate = {2020-01-10} } @techreport{dragos:20171213:trisis:43675c1, author = {Dragos}, title = {{TRISIS Malware: Analysis of Safety System Targeted Malware}}, date = {2017-12-13}, institution = {Dragos}, url = {https://dragos.com/blog/trisis/TRISIS-01.pdf}, language = {English}, urldate = {2020-01-13} } @techreport{dragos:20180301:industrial:6e4e898, author = {Dragos}, title = {{INDUSTRIAL CONTROL SYSTEM THREATS}}, date = {2018-03-01}, institution = {Dragos}, url = {https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf}, language = {English}, urldate = {2020-01-08} } @online{dragos:20180802:raspite:1873c25, author = {Dragos}, title = {{Raspite}}, date = {2018-08-02}, organization = {Dragos}, url = {https://dragos.com/blog/20180802Raspite.html}, language = {English}, urldate = {2020-01-13} } @online{dragos:20190403:allanite:46dcddd, author = {Dragos}, title = {{Allanite}}, date = {2019-04-03}, organization = {Dragos}, url = {https://dragos.com/blog/20180510Allanite.html}, language = {English}, urldate = {2020-01-09} } @techreport{dragos:20190801:global:2b76e8c, author = {Dragos}, title = {{Global Oil and Gas Cyber Threat Perspective}}, date = {2019-08-01}, institution = {Dragos}, url = {https://dragos.com/wp-content/uploads/Dragos-Oil-and-Gas-Threat-Perspective-2019.pdf}, language = {English}, urldate = {2020-01-09} } @online{dragos:2019:adversary:0237a20, author = {Dragos}, title = {{Adversary Reports}}, date = {2019}, organization = {Dragos}, url = {https://dragos.com/adversaries.html}, language = {English}, urldate = {2020-01-10} } @online{dragos:20200109:parisite:d17dd24, author = {Dragos}, title = {{PARISITE}}, date = {2020-01-09}, organization = {Dragos}, url = {https://www.dragos.com/threat/parisite}, language = {English}, urldate = {2020-09-18} } @techreport{dragos:202001:north:41ab73f, author = {Dragos}, title = {{North American Electric Cyber Threat Perspective}}, date = {2020-01}, institution = {Dragos}, url = {https://www.dragos.com/wp-content/uploads/NA-EL-Threat-Perspective-2019.pdf}, language = {English}, urldate = {2020-09-18} } @online{dragos:20200203:ekans:041a3ee, author = {Dragos}, title = {{EKANS Ransomware and ICS Operations}}, date = {2020-02-03}, organization = {Dragos}, url = {https://dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/}, language = {English}, urldate = {2020-02-04} } @techreport{dragos:20200224:2019:b583cc8, author = {Dragos}, title = {{2019 Year In Review: The ICS Landscape and Threat Actviity Groups}}, date = {2020-02-24}, institution = {Dragos}, url = {https://www.dragos.com/wp-content/uploads/The-ICS-Threat-Landscape.pdf}, language = {English}, urldate = {2020-09-18} } @techreport{dragos:20201112:cyber:cf5b4fd, author = {Dragos}, title = {{Cyber Threat Perspective MANUFACTURING SECTOR}}, date = {2020-11-12}, institution = {Dragos}, url = {https://hub.dragos.com/hubfs/Whitepaper-Downloads/Dragos_Manufacturing%20Threat%20Perspective_1120.pdf}, language = {English}, urldate = {2020-11-18} } @techreport{dragos:20210224:ics:772b80b, author = {Dragos}, title = {{ICS Cybersecurity Year in Review 2020}}, date = {2021-02-24}, institution = {Dragos}, url = {https://hub.dragos.com/hubfs/Year-in-Review/Dragos_2020_ICS_Cybersecurity_Year_In_Review.pdf}, language = {English}, urldate = {2021-02-25} } @online{dragos:20210329:new:6fccae8, author = {Dragos}, title = {{New ICS Threat Activity Group: STIBNITE}}, date = {2021-03-29}, organization = {Dragos}, url = {https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-stibnite/}, language = {English}, urldate = {2021-03-31} } @online{dragos:20210426:new:19b4a05, author = {Dragos}, title = {{New ICS Threat Activity Group: TALONITE}}, date = {2021-04-26}, organization = {Dragos}, url = {https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-talonite/}, language = {English}, urldate = {2021-05-04} } @techreport{dragos:20220223:2021:539931a, author = {Dragos}, title = {{2021 ICS OT Cybersecurity Year In Review}}, date = {2022-02-23}, institution = {Dragos}, url = {https://hub.dragos.com/hubfs/333%20Year%20in%20Review/2021/2021%20ICS%20OT%20Cybersecurity%20Year%20In%20Review%20-%20Dragos%202021.pdf}, language = {English}, urldate = {2022-04-12} } @techreport{dragos:20220404:european:3ef1ac2, author = {Dragos}, title = {{European Industrial Infrastructure Cyber Threat Perspective}}, date = {2022-04-04}, institution = {Dragos}, url = {https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_WP_EuropeThreatPerspective_April2022.pdf}, language = {English}, urldate = {2022-04-07} } @techreport{dragos:20220413:pipedream:6135305, author = {Dragos}, title = {{PIPEDREAM: CHERNOVITE’S Emerging Malware Targeting Industrial Control Systems}}, date = {2022-04-13}, institution = {Dragos}, url = {https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_ChernoviteWP_v2b.pdf}, language = {English}, urldate = {2022-04-15} } @online{driker:20200915:rudeminer:1cea628, author = {David Driker and Amir Landau}, title = {{Rudeminer, Blacksquid and Lucifer Walk Into A Bar}}, date = {2020-09-15}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/rudeminer-blacksquid-and-lucifer-walk-into-a-bar/}, language = {English}, urldate = {2020-09-18} } @online{drstache:20200212:manabotnet:9a3d3c6, author = {DrStache}, title = {{Tweet on ManaBotnet}}, date = {2020-02-12}, organization = {Twitter (@DrStache_)}, url = {https://twitter.com/DrStache_/status/1227662001247268864}, language = {English}, urldate = {2020-02-27} } @online{drweb:20120822:first:3c5cc7e, author = {Dr.Web}, title = {{The first Trojan in history to steal Linux and Mac OS X passwords}}, date = {2012-08-22}, organization = {Dr.Web}, url = {https://news.drweb.com/show/?i=2679&lng=en&c=14}, language = {English}, urldate = {2020-01-13} } @online{drweb:20140409:backdoorgootkit112a:b63758d, author = {Dr.Web}, title = {{BackDoor.Gootkit.112—a new multi-purpose backdoor}}, date = {2014-04-09}, organization = {Dr.Web}, url = {https://news.drweb.com/show/?i=4338&lng=en}, language = {English}, urldate = {2019-07-11} } @online{drweb:20160822:trojanmutabaha1:912e922, author = {Dr.Web}, title = {{Trojan.Mutabaha.1}}, date = {2016-08-22}, organization = {Dr.Web}, url = {http://vms.drweb.ru/virus/?_is=1&i=8477920}, language = {Russian}, urldate = {2020-01-09} } @online{drweb:20160908:doctor:00c53a5, author = {Dr.Web}, title = {{Doctor Web discovers Linux Trojan written in Rust}}, date = {2016-09-08}, organization = {Dr.Web}, url = {https://news.drweb.com/show/?c=5&i=10193&lng=en}, language = {English}, urldate = {2020-01-05} } @online{drweb:20170511:macbackdoorsystemd1:c74a3ef, author = {Dr.Web}, title = {{Mac.BackDoor.Systemd.1}}, date = {2017-05-11}, organization = {Dr.Web}, url = {https://vms.drweb.com/virus/?_is=1&i=15299312&lng=en}, language = {English}, urldate = {2020-01-08} } @online{drweb:20180807:doctor:4154c38, author = {Dr.Web}, title = {{Doctor Web discovered a clipper Trojan for Android}}, date = {2018-08-07}, organization = {Dr.Web}, url = {https://news.drweb.com/show?lng=en&i=12739}, language = {English}, urldate = {2020-01-13} } @online{drweb:20190508:new:06a3aa5, author = {Dr.Web}, title = {{A new threat for macOS spreads as WhatsApp}}, date = {2019-05-08}, organization = {Dr.Web}, url = {https://news.drweb.ru/show/?i=13281&c=23}, language = {English}, urldate = {2020-01-08} } @online{drweb:20200301:backdoorspyder1:c9f5b5c, author = {Dr.Web}, title = {{BackDoor.Spyder.1}}, date = {2020-03-01}, organization = {Dr.Web}, url = {https://vms.drweb.com/virus/?i=23648386}, language = {English}, urldate = {2022-05-05} } @techreport{drweb:20200720:study:442ba99, author = {Dr.Web}, title = {{Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan}}, date = {2020-07-20}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf}, language = {English}, urldate = {2020-10-02} } @techreport{drweb:20200925:spear:aeadfac, author = {Dr.Web}, title = {{Spear phishing campaigns threaten Russian fuel and energy companies}}, date = {2020-09-25}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2020/september/tek_rf_article_en.pdf}, language = {English}, urldate = {2020-10-02} } @techreport{drweb:20201027:study:9f6e628, author = {Dr.Web}, title = {{Study of the ShadowPad APT backdoor and its relation to PlugX}}, date = {2020-10-27}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf}, language = {English}, urldate = {2020-10-29} } @techreport{drweb:20210301:study:f18b66b, author = {Dr.Web}, title = {{Study of the Spyder modularbackdoor for targeted attacks}}, date = {2021-03-01}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2021/march/BackDoor.Spyder.1_en.pdf}, language = {English}, urldate = {2021-03-24} } @techreport{drweb:20210402:study:31b191e, author = {Dr.Web}, title = {{Study of targeted attacks on Russian research institutes}}, date = {2021-04-02}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf}, language = {English}, urldate = {2021-04-06} } @online{drweb:20210701:android:dfee3fe, author = {Dr.Web}, title = {{Android trojans steal Facebook users’ logins and passwords}}, date = {2021-07-01}, organization = {Dr.Web}, url = {https://news.drweb.com/show/?i=14244&lng=en}, language = {English}, urldate = {2021-07-11} } @online{dsouza:20190311:resecurity:8388bc5, author = {Melissa Dsouza}, title = {{Resecurity reports ‘IRIDUIM’ behind Citrix data breach, 200+ government agencies, oil and gas companies, and technology companies also targeted.}}, date = {2019-03-11}, organization = {Packt}, url = {https://hub.packtpub.com/resecurity-reports-iriduim-behind-citrix-data-breach-200-government-agencies-oil-and-gas-companies-and-technology-companies-also-targeted/}, language = {English}, urldate = {2020-01-10} } @online{dsu:20220427:special:f1a2031, author = {Microsoft Digital Security Unit (DSU)}, title = {{Special Report: Ukraine An overview of Russia’s cyberattack activity in Ukraine}}, date = {2022-04-27}, organization = {Microsoft}, url = {https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd}, language = {English}, urldate = {2022-05-03} } @online{du:20210416:xcsset:9c5ad09, author = {Steven Du and Dechao Zhao and Luis Magisa and Ariel Neimond Lazaro}, title = {{XCSSET Quickly Adapts to macOS 11 and M1-based Macs}}, date = {2021-04-16}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/d/xcsset-quickly-adapts-to-macos-11-and-m1-based-macs.html}, language = {English}, urldate = {2021-04-28} } @online{du:20210930:mac:9a6648a, author = {Steven Du and Luis Magisa}, title = {{Mac Users Targeted by Trojanized iTerm2 App}}, date = {2021-09-30}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/i/mac-users-targeted-by-trojanized-iterm2-app.html}, language = {English}, urldate = {2021-10-19} } @online{duan:20201029:domain:413ffab, author = {Ruian Duan and Zhanhao Chen and Seokkyung Chung and Janos Szurdi and Jingwei Fan}, title = {{Domain Parking: A Gateway to Attackers Spreading Emotet and Impersonating McAfee}}, date = {2020-10-29}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/domain-parking/}, language = {English}, urldate = {2020-11-02} } @techreport{duarte:20220309:sockbot:a9095cc, author = {Felipe Duarte and Ido Naor}, title = {{Sockbot in GoLand}}, date = {2022-03-09}, institution = {Security Joes}, url = {https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf}, language = {English}, urldate = {2022-03-10} } @online{ducharme:20190911:watchbog:7f5240b, author = {Luke DuCharme and Paul Lee}, title = {{Watchbog and the Importance of Patching}}, date = {2019-09-11}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2019/09/watchbog-patching.html}, language = {English}, urldate = {2020-05-18} } @online{ducklin:20140121:digitally:4a7a4ee, author = {Paul Ducklin}, title = {{Digitally signed data-stealing malware targets Mac users in “undelivered courier item” attack}}, date = {2014-01-21}, organization = {Sophos Naked Security}, url = {https://nakedsecurity.sophos.com/2014/01/21/data-stealing-malware-targets-mac-users-in-undelivered-courier-item-attack/}, language = {English}, urldate = {2020-01-09} } @online{ducklin:20160229:hawkeye:e5bd59b, author = {Paul Ducklin}, title = {{The “HawkEye” attack: how cybercrooks target small businesses for big money}}, date = {2016-02-29}, organization = {Sophos}, url = {https://nakedsecurity.sophos.com/2016/02/29/the-hawkeye-attack-how-cybercrooks-target-small-businesses-for-big-money/}, language = {English}, urldate = {2019-11-27} } @online{ducklin:20180131:what:4aa6a12, author = {Paul Ducklin}, title = {{What are “WannaMine” attacks, and how do I avoid them?}}, date = {2018-01-31}, organization = {Sophos Naked Security}, url = {https://nakedsecurity.sophos.com/2018/01/31/what-are-wannamine-attacks-and-how-do-i-avoid-them/}, language = {English}, urldate = {2020-11-25} } @online{ducklin:20200624:glupteba:8f0c66a, author = {Paul Ducklin}, title = {{Glupteba - the malware that gets secret messages from the Bitcoin blockchain}}, date = {2020-06-24}, organization = {Sophos Naked Security}, url = {https://nakedsecurity.sophos.com/2020/06/24/glupteba-the-bot-that-gets-secret-messages-from-the-bitcoin-blockchain/}, language = {English}, urldate = {2020-06-26} } @online{ducklin:20210806:conti:9bcfb85, author = {Paul Ducklin}, title = {{Conti ransomware affiliate goes rogue, leaks “gang data”}}, date = {2021-08-06}, organization = {Sophos Naked Security}, url = {https://nakedsecurity.sophos.com/2021/08/06/conti-ransomware-affiliate-goes-rogue-leaks-company-data/}, language = {English}, urldate = {2022-03-18} } @online{dudek:20190410:trisis:480b199, author = {Marcin Dudek}, title = {{TRISIS / TRITON / HatMan Malware Repository}}, date = {2019-04-10}, organization = {Github (ICSrepo)}, url = {https://github.com/ICSrepo/TRISIS-TRITON-HATMAN}, language = {English}, urldate = {2019-07-09} } @online{dudek:20211231:iko:bd137c3, author = {Marcin Dudek and Michał Praszmo}, title = {{IKO activation - Malware campaign}}, date = {2021-12-31}, organization = {CERT.PL}, url = {https://cert.pl/posts/2021/12/aktywacja-aplikacji-iko/}, language = {Polish}, urldate = {2022-01-05} } @techreport{dumont:20181201:dark:20efc15, author = {Romain Dumont and Marc-Etienne M.Léveillé and Hugo Porcher}, title = {{THE DARK SIDE OF THE FORSSHE: A landscape of OpenSSH backdoors}}, date = {2018-12-01}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf}, language = {English}, urldate = {2020-01-09} } @online{dumont:20190409:oceanlotus:eb8a99f, author = {Romain Dumont}, title = {{OceanLotus: macOS malware update}}, date = {2019-04-09}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/}, language = {English}, urldate = {2019-11-14} } @online{duncan:20160509:pseudodarkleech:5dff946, author = {Brad Duncan}, title = {{PSEUDO-DARKLEECH ANGLER EK FROM 185.118.66.154 SENDS BEDEP/CRYPTXXX}}, date = {2016-05-09}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2016/05/09/index.html}, language = {English}, urldate = {2020-01-08} } @online{duncan:20170117:eitest:f6e103b, author = {Brad Duncan}, title = {{EITEST RIG-V FROM 92.53.127.86 SENDS SPORA RANSOMWARE}}, date = {2017-01-17}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/01/17/index2.html}, language = {English}, urldate = {2020-01-13} } @online{duncan:20170117:vreikstadi:aea370f, author = {Brad Duncan}, title = {{Tweet on Vreikstadi Malspam}}, date = {2017-01-17}, organization = {Twitter (@malware_traffic)}, url = {https://twitter.com/malware_traffic/status/821483557990318080}, language = {English}, urldate = {2020-01-08} } @online{duncan:20170121:sage:cf422da, author = {Brad Duncan}, title = {{Sage 2.0 Ransomware}}, date = {2017-01-21}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/Sage+20+Ransomware/21959/}, language = {English}, urldate = {2019-07-11} } @online{duncan:20170403:dhl:b9c41a9, author = {Brad Duncan}, title = {{DHL Invoice Malspam/Photo Malspam}}, date = {2017-04-03}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/04/03/index2.html}, language = {English}, urldate = {2020-01-13} } @online{duncan:20170425:20170425:dfd0f09, author = {Brian Duncan}, title = {{2017-04-25 - "GOOD MAN" CAMPAIGN RIG EK SENDS LATENTBOT}}, date = {2017-04-25}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/04/25/index.html}, language = {English}, urldate = {2019-11-29} } @online{duncan:20170509:rig:c6b2df9, author = {Brad Duncan}, title = {{RIG EK SENDS BUNITU TROJAN}}, date = {2017-05-09}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/05/09/index.html}, language = {English}, urldate = {2020-01-08} } @online{duncan:20170516:20170516:920d589, author = {Brad Duncan}, title = {{2017-05-16 - MORE EXAMPLES OF MALSPAM PUSHING JAFF RANSOMWARE}}, date = {2017-05-16}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/05/16/index.html}, language = {English}, urldate = {2020-01-07} } @online{duncan:20170612:20170612:04b2c09, author = {Brian Duncan}, title = {{2017-06-12 - LOKI BOT MALSPAM - SUBJECT: RE: PURCHASE ORDER 457211}}, date = {2017-06-12}, organization = {Malware Traffic Analysis}, url = {http://www.malware-traffic-analysis.net/2017/06/12/index.html}, language = {English}, urldate = {2019-11-28} } @online{duncan:20170627:checking:23c2251, author = {Brad Duncan}, title = {{Checking out the new Petya variant}}, date = {2017-06-27}, organization = {SANS}, url = {https://isc.sans.edu/forums/diary/Checking+out+the+new+Petya+variant/22562/}, language = {English}, urldate = {2020-01-06} } @online{duncan:20170704:malspam:3713609, author = {Brad Duncan}, title = {{MALSPAM WITH JAVA-BASED RAT}}, date = {2017-07-04}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/07/04/index.html}, language = {English}, urldate = {2020-01-10} } @online{duncan:20170901:eitest:6388761, author = {Brad Duncan}, title = {{EITest: HoeflerText Popups Targeting Google Chrome Users Now Push RAT Malware}}, date = {2017-09-01}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/09/unit42-hoeflertext-popups-targeting-google-chrome-users-now-pushing-rat-malware/}, language = {English}, urldate = {2019-12-20} } @online{duncan:20171013:blank:71e7858, author = {Brad Duncan}, title = {{Blank Slate Malspam Stops Pushing Locky, Starts Pushing Sage 2.2 Randsomware}}, date = {2017-10-13}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/10/13/index.html}, language = {English}, urldate = {2020-01-13} } @online{duncan:20171102:20171102:dfff76e, author = {Brad Duncan}, title = {{2017-11-02 - ADVENTURES WITH SMOKE LOADER}}, date = {2017-11-02}, organization = {Malware Traffic Analysis}, url = {http://www.malware-traffic-analysis.net/2017/11/02/index.html}, language = {English}, urldate = {2020-01-06} } @online{duncan:20171123:necurs:15f819e, author = {Brad Duncan}, title = {{NECURS BOTNET MALSPAM PUSHES "SCARAB" RANSOMWARE}}, date = {2017-11-23}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/11/23/index.html}, language = {English}, urldate = {2020-01-10} } @online{duncan:20171222:malspam:4a3fd87, author = {Brad Duncan}, title = {{MALSPAM USES CVE-2017-0199 TO DISTRIBUTE REMCOS RAT}}, date = {2017-12-22}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/12/22/index.html}, language = {English}, urldate = {2019-07-11} } @online{duncan:20180104:malspam:ce2dfac, author = {Brad Duncan}, title = {{MALSPAM PUSHING PCRAT/GH0ST}}, date = {2018-01-04}, organization = {Malware Traffic Analysis}, url = {http://www.malware-traffic-analysis.net/2018/01/04/index.html}, language = {English}, urldate = {2019-12-24} } @online{duncan:20180201:quick:320f855, author = {Brad Duncan}, title = {{Quick Test Drive of Trickbot (It now has a Monero Module)}}, date = {2018-02-01}, organization = {Malware Traffic Analysis}, url = {http://www.malware-traffic-analysis.net/2018/02/01/}, language = {English}, urldate = {2019-07-09} } @online{duncan:20180307:ransomware:504a693, author = {Brad Duncan}, title = {{Ransomware news: GlobeImposter gets a facelift, GandCrab is still out there}}, date = {2018-03-07}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/23417}, language = {English}, urldate = {2020-01-06} } @online{duncan:20181204:malspam:8e2d810, author = {Brad Duncan}, title = {{Malspam pushing Lokibot malware}}, date = {2018-12-04}, url = {https://isc.sans.edu/diary/24372}, language = {English}, urldate = {2019-10-29} } @online{duncan:20181219:malspam:b8c4580, author = {Brad Duncan}, title = {{MALSPAM PUSHING THE MYDOOM WORM IS STILL A THING}}, date = {2018-12-19}, organization = {Malware Traffic Analysis}, url = {https://www.malware-traffic-analysis.net/2018/12/19/index.html}, language = {English}, urldate = {2020-01-13} } @online{duncan:20190117:emotet:0754347, author = {Brad Duncan}, title = {{Emotet infections and follow-up malware}}, date = {2019-01-17}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/Emotet+infections+and+followup+malware/24532/}, language = {English}, urldate = {2020-01-13} } @online{duncan:20190123:russian:150eb22, author = {Brad Duncan and Mike Harbison}, title = {{Russian Language Malspam Pushing Redaman Banking Malware}}, date = {2019-01-23}, url = {https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/}, language = {English}, urldate = {2020-01-06} } @online{duncan:20190220:more:a3216b8, author = {Brad Duncan}, title = {{More Russian language malspam pushing Shade (Troldesh) ransomware}}, date = {2019-02-20}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/More+Russian+language+malspam+pushing+Shade+Troldesh+ransomware/24668/}, language = {English}, urldate = {2020-01-13} } @online{duncan:20190522:shade:7647744, author = {Brad Duncan}, title = {{Shade Ransomware Hits High-Tech, Wholesale, Education Sectors in U.S, Japan, India, Thailand, Canada}}, date = {2019-05-22}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/shade-ransomware-hits-high-tech-wholesale-education-sectors-in-u-s-japan-india-thailand-canada/}, language = {English}, urldate = {2020-01-13} } @online{duncan:20190625:rig:31ecb33, author = {Brad Duncan}, title = {{Rig Exploit Kit sends Pitou.B Trojan}}, date = {2019-06-25}, organization = {SANS}, url = {https://isc.sans.edu/diary/rss/25068}, language = {English}, urldate = {2019-12-17} } @online{duncan:20190711:recent:bd25d5a, author = {Brad Duncan}, title = {{Recent AZORult activity}}, date = {2019-07-11}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/25120}, language = {English}, urldate = {2020-01-10} } @online{duncan:20191108:wireshark:f37b983, author = {Brad Duncan}, title = {{Wireshark Tutorial: Examining Trickbot Infections}}, date = {2019-11-08}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-trickbot-infections/}, language = {English}, urldate = {2020-01-06} } @online{duncan:20191122:trickbot:e14933b, author = {Brad Duncan}, title = {{Trickbot Updates Password Grabber Module}}, date = {2019-11-22}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/trickbot-updates-password-grabber-module/}, language = {English}, urldate = {2020-01-22} } @online{duncan:20191219:valak:a793639, author = {Brad Duncan}, title = {{Tweet on Valak Malware}}, date = {2019-12-19}, organization = {Twitter (@malware_traffic)}, url = {https://twitter.com/malware_traffic/status/1207824548021886977}, language = {English}, urldate = {2020-01-05} } @online{duncan:20191223:wireshark:11f95ab, author = {Brad Duncan}, title = {{Wireshark Tutorial: Examining Ursnif Infections}}, date = {2019-12-23}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-ursnif-infections/}, language = {English}, urldate = {2020-01-13} } @online{duncan:20200123:german:2c867b2, author = {Brad Duncan}, title = {{German language malspam pushes Ursnif}}, date = {2020-01-23}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/German+language+malspam+pushes+Ursnif/25732/}, language = {English}, urldate = {2020-01-26} } @online{duncan:20200403:guloader:4b27e7a, author = {Brad Duncan}, title = {{GuLoader: Malspam Campaign Installing NetWire RAT}}, date = {2020-04-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/}, language = {English}, urldate = {2021-01-10} } @online{duncan:20200528:goodbye:87a0245, author = {Brad Duncan}, title = {{Goodbye Mworm, Hello Nworm: TrickBot Updates Propagation Module}}, date = {2020-05-28}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/}, language = {English}, urldate = {2020-05-29} } @online{duncan:20200724:evolution:a372b2b, author = {Brad Duncan}, title = {{Evolution of Valak, from Its Beginnings to Mass Distribution}}, date = {2020-07-24}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/valak-evolution/}, language = {English}, urldate = {2020-08-05} } @online{duncan:20200821:wireshark:d98d5ed, author = {Brad Duncan}, title = {{Wireshark Tutorial: Decrypting HTTPS Traffic}}, date = {2020-08-21}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-https-traffic/}, language = {English}, urldate = {2020-08-25} } @online{duncan:20200907:collection:09ab7be, author = {Brad Duncan}, title = {{Collection of recent Dridex IOCs}}, date = {2020-09-07}, organization = {Github (pan-unit42)}, url = {https://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt}, language = {English}, urldate = {2020-09-15} } @online{duncan:20200910:recent:f9e103f, author = {Brad Duncan}, title = {{Recent Dridex activity}}, date = {2020-09-10}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/Recent+Dridex+activity/26550/}, language = {English}, urldate = {2020-09-15} } @online{duncan:20201119:threat:67ef9bd, author = {Kyle Duncan}, title = {{Threat Actor Utilizes COVID-19 Uncertainty to Target Users}}, date = {2020-11-19}, organization = {Cofense}, url = {https://cofense.com/threat-actor-utilizes-covid-19-uncertainty-to-target-users/}, language = {English}, urldate = {2020-11-23} } @online{duncan:20201209:recent:0992506, author = {Brad Duncan}, title = {{Recent Qakbot (Qbot) activity}}, date = {2020-12-09}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/26862}, language = {English}, urldate = {2020-12-10} } @online{duncan:20210107:ta551:6346c62, author = {Brad Duncan}, title = {{TA551: Email Attack Campaign Switches from Valak to IcedID}}, date = {2021-01-07}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/ta551-shathak-icedid/}, language = {English}, urldate = {2021-01-11} } @online{duncan:20210113:hancitor:55f3ea5, author = {Brad Duncan}, title = {{Hancitor activity resumes after a hoilday break}}, date = {2021-01-13}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/forums/diary/Hancitor+activity+resumes+after+a+hoilday+break/26980/}, language = {English}, urldate = {2021-01-21} } @online{duncan:20210119:wireshark:be0c831, author = {Brad Duncan}, title = {{Wireshark Tutorial: Examining Emotet Infection Traffic}}, date = {2021-01-19}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/}, language = {English}, urldate = {2021-01-21} } @online{duncan:20210203:excel:8e949c9, author = {Brad Duncan}, title = {{Excel spreadsheets push SystemBC malware}}, date = {2021-02-03}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/}, language = {English}, urldate = {2021-02-04} } @online{duncan:20210330:20210329:bf22ea0, author = {Brad Duncan}, title = {{2021-03-29 BazaCall (BazarCall) Example}}, date = {2021-03-30}, organization = {YouTube ( malware-traffic-analysis.net)}, url = {https://www.youtube.com/watch?v=uAkeXCYcl4Y}, language = {English}, urldate = {2021-03-31} } @online{duncan:20210401:hancitors:8876ca1, author = {Brad Duncan}, title = {{Hancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool}}, date = {2021-04-01}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/}, language = {English}, urldate = {2021-04-06} } @online{duncan:20210407:wireshark:3c806d8, author = {Brad Duncan}, title = {{Wireshark Tutorial: Examining Traffic from Hancitor Infections}}, date = {2021-04-07}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-hancitor-followup-malware/}, language = {English}, urldate = {2021-04-12} } @online{duncan:20210414:april:4a29cb5, author = {Brad Duncan}, title = {{April 2021 Forensic Quiz: Answers and Analysis}}, date = {2021-04-14}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/27308}, language = {English}, urldate = {2021-04-14} } @online{duncan:20210519:bazarcall:60c6562, author = {Brad Duncan}, title = {{BazarCall: Call Centers Help Spread BazarLoader Malware}}, date = {2021-05-19}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/bazarloader-malware/}, language = {English}, urldate = {2021-05-20} } @online{duncan:20210709:hancitor:814e815, author = {Brad Duncan}, title = {{Hancitor tries XLL as initial malware file}}, date = {2021-07-09}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/27618}, language = {English}, urldate = {2021-07-19} } @online{duncan:20210901:strrat:82432b9, author = {Brad Duncan}, title = {{STRRAT: a Java-based RAT that doesn't care if you have Java}}, date = {2021-09-01}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/27798}, language = {English}, urldate = {2021-09-02} } @online{duncan:20210917:20210917:b995435, author = {Brad Duncan}, title = {{2021-09-17 - SQUIRRELWAFFLE Loader with Cobalt Strike}}, date = {2021-09-17}, organization = {Malware Traffic Analysis}, url = {https://www.malware-traffic-analysis.net/2021/09/17/index.html}, language = {English}, urldate = {2021-09-20} } @online{duncan:20210929:20210929:e348fca, author = {Brad Duncan}, title = {{2021-09-29 (Wednesday) - Hancitor with Cobalt Strike}}, date = {2021-09-29}, organization = {Malware Traffic Analysis}, url = {https://malware-traffic-analysis.net/2021/09/29/index.html}, language = {English}, urldate = {2021-11-03} } @online{duncan:20210929:hancitor:e510da9, author = {Brad Duncan}, title = {{Hancitor with Cobalt Strike}}, date = {2021-09-29}, organization = {Malware Traffic Analysis}, url = {https://www.malware-traffic-analysis.net/2021/09/29/index.html}, language = {English}, urldate = {2022-02-01} } @online{duncan:20211018:case:bdd95ff, author = {Brad Duncan}, title = {{Case Study: From BazarLoader to Network Reconnaissance}}, date = {2021-10-18}, organization = {paloalto Netoworks: Unit42}, url = {https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/}, language = {English}, urldate = {2021-10-22} } @online{duncan:20211116:emotet:3545954, author = {Brad Duncan}, title = {{Emotet Returns}}, date = {2021-11-16}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/28044}, language = {English}, urldate = {2021-11-17} } @online{duncan:20211203:ta551:f71be57, author = {Brad Duncan}, title = {{TA551 (Shathak) pushes IcedID (Bokbot)}}, date = {2021-12-03}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/TA551+Shathak+pushes+IcedID+Bokbot/28092/}, language = {English}, urldate = {2021-12-06} } @online{duncan:20211216:how:6fd0b06, author = {Brad Duncan}, title = {{How the "Contact Forms" campaign tricks people}}, date = {2021-12-16}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/forums/diary/How+the+Contact+Forms+campaign+tricks+people/28142/}, language = {English}, urldate = {2021-12-31} } @online{duncan:20211230:agent:2b24ea4, author = {Brad Duncan}, title = {{Agent Tesla Updates SMTP Data Exfiltration Technique}}, date = {2021-12-30}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/28190}, language = {English}, urldate = {2022-01-03} } @online{duncan:20220117:iocs:2a5e814, author = {Brad Duncan}, title = {{IOCs for Astaroth/Guildma malware infection}}, date = {2022-01-17}, organization = {Github (pan-unit42)}, url = {https://github.com/pan-unit42/tweets/blob/master/2022-01-17-IOCs-for-Astaroth-Guildma-infection.txt}, language = {English}, urldate = {2022-01-25} } @online{duncan:20220119:0000:cdac125, author = {Brad Duncan}, title = {{0.0.0.0 in Emotet Spambot Traffic}}, date = {2022-01-19}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/28254}, language = {English}, urldate = {2022-01-24} } @online{duncan:20220125:emotet:9c62525, author = {Brad Duncan}, title = {{Emotet Stops Using 0.0.0.0 in Spambot Traffic}}, date = {2022-01-25}, organization = {SANS ISC}, url = {https://isc.sans.edu/forums/diary/Emotet+Stops+Using+0000+in+Spambot+Traffic/28270/}, language = {English}, urldate = {2022-02-01} } @online{duncan:20220316:qakbot:7fe703f, author = {Brad Duncan}, title = {{Qakbot infection with Cobalt Strike and VNC activity}}, date = {2022-03-16}, organization = {SANS ISC}, url = {https://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448/}, language = {English}, urldate = {2022-03-17} } @online{duncan:20220316:qakbot:ff11e1e, author = {Brad Duncan}, title = {{Qakbot infection with Cobalt Strike and VNC activity}}, date = {2022-03-16}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/28448}, language = {English}, urldate = {2022-03-17} } @online{duncan:20220323:arkei:b2a08f5, author = {Brad Duncan}, title = {{Arkei Variants: From Vidar to Mars Stealer}}, date = {2022-03-23}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/28468}, language = {English}, urldate = {2022-03-25} } @online{duncan:20220406:windows:2685e57, author = {Brad Duncan}, title = {{Windows MetaStealer Malware}}, date = {2022-04-06}, organization = {SANS ISC}, url = {https://isc.sans.edu/diary/rss/28522}, language = {English}, urldate = {2022-06-27} } @online{duncan:20220406:windows:3802dbd, author = {Brad Duncan}, title = {{Windows MetaStealer Malware}}, date = {2022-04-06}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/forums/diary/Windows+MetaStealer+Malware/28522/}, language = {English}, urldate = {2022-05-05} } @online{duncan:20220420:aa:eb304fb, author = {Brad Duncan}, title = {{'aa' distribution Qakbot (Qbot) infection with DarkVNC traffic}}, date = {2022-04-20}, organization = {SANS ISC}, url = {https://isc.sans.edu/diary/rss/28568}, language = {English}, urldate = {2022-04-25} } @online{duncan:20220511:ta578:0a0a686, author = {Brad Duncan}, title = {{TA578 using thread-hijacked emails to push ISO files for Bumblebee malware}}, date = {2022-05-11}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/28636}, language = {English}, urldate = {2022-05-11} } @online{duncan:20220511:ta578:2128ae0, author = {Brad Duncan}, title = {{TA578 using thread-hijacked emails to push ISO files for Bumblebee malware}}, date = {2022-05-11}, organization = {SANS ISC}, url = {https://isc.sans.edu/diary/rss/28636}, language = {English}, urldate = {2022-05-17} } @online{duncan:20220517:emotet:5f61714, author = {Brad Duncan}, title = {{Emotet Summary: November 2021 Through January 2022}}, date = {2022-05-17}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/emotet-malware-summary-epoch-4-5/}, language = {English}, urldate = {2022-05-29} } @online{duncan:20220519:bumblebee:20c59e6, author = {Brad Duncan}, title = {{Bumblebee Malware from TransferXL URLs}}, date = {2022-05-19}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/28664}, language = {English}, urldate = {2022-05-25} } @online{duncan:20220609:ta570:a51c1eb, author = {Brad Duncan}, title = {{TA570 Qakbot (Qbot) tries CVE-2022-30190 (Follina) exploit (ms-msdt)}}, date = {2022-06-09}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/28728}, language = {English}, urldate = {2022-06-09} } @online{duncan:20220617:malspam:25c76a4, author = {Brad Duncan}, title = {{Malspam pushes Matanbuchus malware, leads to Cobalt Strike}}, date = {2022-06-17}, organization = {SANS ISC}, url = {https://isc.sans.edu/diary/rss/28752}, language = {English}, urldate = {2022-06-22} } @online{dunlop:20211111:stopping:8d94f11, author = {Cynthia Dunlop}, title = {{Stopping Cybersecurity Threats: Why Databases Matter}}, date = {2021-11-11}, organization = {scylla}, url = {https://www.scylladb.com/2021/11/11/stopping-cybersecurity-threats-why-databases-matter/}, language = {English}, urldate = {2021-11-17} } @online{dunwoody:20170403:dissecting:65071e7, author = {Matthew Dunwoody}, title = {{Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY)}}, date = {2017-04-03}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html}, language = {English}, urldate = {2019-12-20} } @online{dunwoody:20170404:poshspy:dc59dda, author = {Matthew Dunwoody}, title = {{POSHSPY backdoor code}}, date = {2017-04-04}, organization = {GitHub (matthewdunwoody)}, url = {https://github.com/matthewdunwoody/POSHSPY}, language = {English}, urldate = {2019-12-18} } @online{dunwoody:20181119:not:e581291, author = {Matthew Dunwoody and Andrew Thompson and Ben Withnell and Jonathan Leathery and Michael Matonis and Nick Carr}, title = {{Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign}}, date = {2018-11-19}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html}, language = {English}, urldate = {2019-12-20} } @online{dupuy:20210310:exchange:8f65a1f, author = {Thomas Dupuy and Matthieu Faou and Mathieu Tartare}, title = {{Exchange servers under siege from at least 10 APT groups}}, date = {2021-03-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/}, language = {English}, urldate = {2021-03-11} } @techreport{dupuy:20210609:gelsemium:05483d4, author = {Thomas Dupuy and Matthieu Faou}, title = {{Gelsemium: When threat actors go gardening}}, date = {2021-06-09}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf}, language = {English}, urldate = {2021-06-09} } @online{dupuy:20210609:gelsemium:34ccc46, author = {Thomas Dupuy and Matthieu Faou}, title = {{Gelsemium: When threat actors go gardening}}, date = {2021-06-09}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/06/09/gelsemium-when-threat-actors-go-gardening/}, language = {English}, urldate = {2021-06-16} } @online{duquette:20130124:linuxsshdoora:0b9dc3e, author = {Sébastien Duquette}, title = {{Linux/SSHDoor.A Backdoored SSH daemon that steals passwords}}, date = {2013-01-24}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2013/01/24/linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords/}, language = {English}, urldate = {2019-11-14} } @online{durando:20170426:bankbot:f7430c7, author = {Dario Durando and David Maciejak}, title = {{BankBot, the Prequel}}, date = {2017-04-26}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/bankbot-the-prequel.html}, language = {English}, urldate = {2019-12-17} } @online{durando:20170919:look:79fa513, author = {Dario Durando}, title = {{A Look Into The New Strain Of BankBot}}, date = {2017-09-19}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/a-look-into-the-new-strain-of-bankbot.html}, language = {English}, urldate = {2020-01-13} } @online{durando:20190703:bianlian:c6f94bb, author = {Dario Durando}, title = {{BianLian: A New Wave Emerges}}, date = {2019-07-03}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/new-wave-bianlian-malware.html}, language = {English}, urldate = {2019-12-24} } @online{durando:20190904:funkybot:625b9ba, author = {Dario Durando}, title = {{FunkyBot: A New Android Malware Family Targeting Japan}}, date = {2019-09-04}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/funkybot-malware-targets-japan.html}, language = {English}, urldate = {2020-01-13} } @online{dutcher:20130904:sykipot:3c79c33, author = {Darin Dutcher}, title = {{Sykipot Now Targeting US Civil Aviation Sector Information}}, date = {2013-09-04}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/}, language = {English}, urldate = {2020-01-08} } @online{dutcher:20130904:sykipot:8fffe0c, author = {Darin Dutcher}, title = {{Sykipot Now Targeting US Civil Aviation Sector Information}}, date = {2013-09-04}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/}, language = {English}, urldate = {2019-12-05} } @online{dvilyanski:20210324:taking:f561bbf, author = {Mike Dvilyanski and Nathaniel Gleicher}, title = {{Taking Action Against Hackers in China}}, date = {2021-03-24}, organization = {Facebook}, url = {https://about.fb.com/news/2021/03/taking-action-against-hackers-in-china/}, language = {English}, urldate = {2021-03-25} } @online{dvilyanski:20210421:taking:23e0fb2, author = {Mike Dvilyanski and David Agranovich}, title = {{Taking Action Against Hackers in Palestine}}, date = {2021-04-21}, organization = {Facebook}, url = {https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/}, language = {English}, urldate = {2021-04-28} } @online{dvilyanski:20210715:taking:10d945f, author = {Mike Dvilyanski and David Agranovich}, title = {{Taking Action Against Hackers in Iran}}, date = {2021-07-15}, organization = {Facebook}, url = {https://about.fb.com/news/2021/07/taking-action-against-hackers-in-iran/}, language = {English}, urldate = {2021-07-20} } @online{dvilyanski:20211116:taking:7d056cc, author = {Mike Dvilyanski and David Agranovich}, title = {{Taking Action Against Hackers in Pakistan and Syria}}, date = {2021-11-16}, organization = {META}, url = {https://about.fb.com/news/2021/11/taking-action-against-hackers-in-pakistan-and-syria/}, language = {English}, urldate = {2021-11-17} } @online{dwoskin:20190220:microsoft:9d4cb73, author = {Elizabeth Dwoskin and Craig Timberg}, title = {{Microsoft says it has found another Russian operation targeting prominent think tanks}}, date = {2019-02-20}, organization = {Washington Post}, url = {https://www.washingtonpost.com/technology/2019/02/20/microsoft-says-it-has-found-another-russian-operation-targeting-prominent-think-tanks/?utm_term=.870ff11468ae}, language = {English}, urldate = {2019-11-29} } @online{dwyer:20220304:new:c661960, author = {John Dwyer and Kevin Henson}, title = {{New Wiper Malware Used Against Ukranian Organizations}}, date = {2022-03-04}, organization = {IBM}, url = {https://securityintelligence.com/posts/new-wiper-malware-used-against-ukranian-organizations/}, language = {English}, urldate = {2022-03-07} } @online{earnshaw:20210405:thwarting:26d6d77, author = {Earle Earnshaw and Mohamed Fahmy and Ian Kenefick and Ryan Maglaque and Abdelrhman Sharshar and Lucas Silva}, title = {{Thwarting Loaders: From SocGholish to BLISTER’s LockBit Payload}}, date = {2021-04-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_no/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html}, language = {English}, urldate = {2022-05-04} } @online{earnshaw:20220405:thwarting:03a6217, author = {Earle Maui Earnshaw and Mohamed Fahmy and Ian Kenefick and Ryan Maglaque and Abdelrhman Sharshar and Lucas Silva}, title = {{Thwarting Loaders: From SocGholish to BLISTER’s LockBit Payload (IoCs)}}, date = {2022-04-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/d/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload/iocs-thwarting-loaders-socgholish-blister.txt}, language = {English}, urldate = {2022-05-05} } @online{earnshaw:20220405:thwarting:af5a4fd, author = {Earle Maui Earnshaw and Mohamed Fahmy and Ian Kenefick and Ryan Maglaque and Abdelrhman Sharshar and Lucas Silva}, title = {{Thwarting Loaders: From SocGholish to BLISTER’s LockBit Payload}}, date = {2022-04-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html}, language = {English}, urldate = {2022-05-05} } @online{earp:20210202:how:923f969, author = {Madeline Earp}, title = {{How Vietnam-based hacking operation OceanLotus targets journalists}}, date = {2021-02-02}, organization = {Committee to Protect Journalists}, url = {https://cpj.org/2021/02/vietnam-based-hacking-oceanlotus-targets-journalists}, language = {English}, urldate = {2021-02-04} } @online{east:20150619:russian:fe2f7aa, author = {London South East}, title = {{Russian Hackers Suspected In Cyberattack On German Parliament}}, date = {2015-06-19}, organization = {London South East}, url = {http://www.lse.co.uk/AllNews.asp?code=kwdwehme&headline=Russian_Hackers_Suspected_In_Cyberattack_On_German_Parliament}, language = {English}, urldate = {2020-01-05} } @online{eaton:20210519:colonial:8185b82, author = {Collin Eaton}, title = {{Colonial Pipeline CEO Tells Why He Paid Hackers a $4.4 Million Ransom}}, date = {2021-05-19}, organization = {The Wall Street Journal}, url = {https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-11621435636}, language = {English}, urldate = {2021-05-19} } @techreport{ebach:20170622:analysis:25ecd34, author = {Luca Ebach}, title = {{Analysis Results of Zeus.Variant.Panda}}, date = {2017-06-22}, institution = {G Data}, url = {https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf}, language = {English}, urldate = {2019-12-02} } @online{ebach:20200831:trickbot:c975ec5, author = {Luca Ebach}, title = {{Trickbot rdpscanDll – Transforming Candidate Credentials for Brute-Forcing RDP Servers}}, date = {2020-08-31}, organization = {cyber.wtf blog}, url = {https://cyber.wtf/2020/08/31/trickbot-rdpscandll-password-transof/}, language = {English}, urldate = {2020-08-31} } @online{ebach:20211115:guess:81c7df8, author = {Luca Ebach}, title = {{Guess who’s back}}, date = {2021-11-15}, organization = {cyber.wtf blog}, url = {https://cyber.wtf/2021/11/15/guess-whos-back/}, language = {English}, urldate = {2021-11-17} } @online{ebach:20220223:what:0a4496e, author = {Luca Ebach}, title = {{What the Pack(er)?}}, date = {2022-02-23}, organization = {cyber.wtf blog}, url = {https://cyber.wtf/2022/03/23/what-the-packer/}, language = {English}, urldate = {2022-03-25} } @online{eckels:20201109:wow64hooks:a0c0b3e, author = {Stephen Eckels}, title = {{WOW64!Hooks: WOW64 Subsystem Internals and Hooking Techniques}}, date = {2020-11-09}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/11/wow64-subsystem-internals-and-hooking-techniques.html}, language = {English}, urldate = {2020-11-11} } @online{eckels:20201224:sunburst:3fcb239, author = {Stephen Eckels and Jay Smith and William Ballenthin}, title = {{SUNBURST Additional Technical Details}}, date = {2020-12-24}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/12/sunburst-additional-technical-details.html}, language = {English}, urldate = {2020-12-26} } @online{eckman:20201007:ghostdnsbusters:9a32391, author = {Brian Eckman}, title = {{GhostDNSbusters (Part 2)}}, date = {2020-10-07}, organization = {Team Cymru}, url = {https://team-cymru.com/blog/2020/10/07/ghostdnsbusters-part-2/}, language = {English}, urldate = {2020-10-12} } @online{eclypsium:20201203:trickbot:7b5b0eb, author = {Eclypsium}, title = {{TrickBot Now Offers ‘TrickBoot’: Persist, Brick, Profit}}, date = {2020-12-03}, organization = {Eclypsium}, url = {https://eclypsium.com/2020/12/03/trickbot-now-offers-trickboot-persist-brick-profit/}, language = {English}, urldate = {2020-12-03} } @online{eclypsium:20220602:conti:abb9754, author = {Eclypsium}, title = {{Conti Targets Critical Firmware}}, date = {2022-06-02}, organization = {Eclypsium}, url = {https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/}, language = {English}, urldate = {2022-06-04} } @online{eden:20210615:defenders:57a0d03, author = {Daniel Eden}, title = {{A Defender's Perspective of SSL VPN Exploitation}}, date = {2021-06-15}, organization = {PARAFLARE}, url = {https://paraflare.com/a-defenders-perspective-of-ssl-vpn-exploitation/}, language = {English}, urldate = {2022-03-07} } @online{edgecombe:20210804:flubot:fdd81a2, author = {Graham Edgecombe}, title = {{FluBot malware spreads to Australia}}, date = {2021-08-04}, organization = {Netcraft}, url = {https://news.netcraft.com/archives/2021/08/04/flubot-malware-spreads-to-australia.html}, language = {English}, urldate = {2021-08-20} } @online{editor:20170118:flashback:4ac713f, author = {Editor}, title = {{Flashback Wednesday: Pakistani Brain}}, date = {2017-01-18}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/01/18/flashback-wednesday-pakistani-brain/}, language = {English}, urldate = {2019-11-14} } @online{editor:20171024:kiev:b706a68, author = {Editor}, title = {{Kiev metro hit with a new variant of the infamous Diskcoder ransomware}}, date = {2017-10-24}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/?utm_content=buffer8ffe4&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer}, language = {English}, urldate = {2019-11-14} } @online{edmondson:20190118:black:e66dcec, author = {Mark Edmondson}, title = {{BLACK ENERGY – Analysis}}, date = {2019-01-18}, url = {https://marcusedmondson.com/2019/01/18/black-energy-analysis/}, language = {English}, urldate = {2020-01-08} } @techreport{edwards:2011:survey:e95ca12, author = {Jeff Edwards and Jose Nazario}, title = {{A Survey of Contemporary Chinese DDoS Malware}}, date = {2011}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2011/Edwards-Nazario-VB2011.pdf}, language = {English}, urldate = {2020-01-06} } @techreport{edwards:20161016:hajime:e095dad, author = {Sam Edwards and Ioannis Profetis}, title = {{Hajime: Analysis of a decentralizedinternet worm for IoT devices}}, date = {2016-10-16}, institution = {RapidityNetworks}, url = {https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf}, language = {English}, urldate = {2020-01-09} } @online{edwards:20211231:compromised:3ee8044, author = {Zach Edwards}, title = {{Compromised Godaddy Infrastructure Attacking Numerous U.S. Government Websites to Promote “Canadian Pharmacy” Scam Websites}}, date = {2021-12-31}, organization = {victory medium}, url = {https://victorymedium.com/godaddy-global-issues-canadian-pharmacy-injections/}, language = {English}, urldate = {2022-01-25} } @online{edwards:20220628:smashandgrab:115e907, author = {Joseph Edwards}, title = {{Smash-and-grab: AstraLocker 2.0 pushes ransomware direct from Office docs}}, date = {2022-06-28}, organization = {Reversing Labs}, url = {https://blog.reversinglabs.com/blog/smash-and-grab-astralocker-2-pushes-ransomware-direct-from-office-docs}, language = {English}, urldate = {2022-06-30} } @online{ehmke:20200820:webinar:cad7a98, author = {Kyle Ehmke}, title = {{[webinar] Proactive Infrastructure Hunting with ThreatConnect & DomainTools}}, date = {2020-08-20}, organization = {ThreatConnect}, url = {https://threatconnect.com/resource/proactive-infrastructure-hunting-with-threatconnect-domaintools/}, language = {English}, urldate = {2020-09-06} } @techreport{ehrlich:20210525:from:ebe10c3, author = {Amitai Ben Shushan Ehrlich}, title = {{From Wiper to Ransomware: The Evolution of Agrius}}, date = {2021-05-25}, institution = {SentinelOne}, url = {https://www.sentinelone.com/wp-content/uploads/2021/05/SentinelLabs_From-Wiper-to-Ransomware-The-Evolution-of-Agrius.pdf}, language = {English}, urldate = {2021-06-09} } @online{ehrlich:20210930:new:c3f26e0, author = {Amitai Ben Shushan Ehrlich}, title = {{New Version Of Apostle Ransomware Reemerges In Targeted Attack On Higher Education}}, date = {2021-09-30}, organization = {SentinelOne}, url = {https://www.sentinelone.com/labs/new-version-of-apostle-ransomware-reemerges-in-targeted-attack-on-higher-education/}, language = {English}, urldate = {2021-10-11} } @online{ehrlich:20220112:wading:52a8e3a, author = {Amitai Ben Shushan Ehrlich}, title = {{Wading Through Muddy Waters | Recent Activity of an Iranian State-Sponsored Threat Actor}}, date = {2022-01-12}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/}, language = {English}, urldate = {2022-01-18} } @online{ehrlich:20220315:threat:7f64477, author = {Amitai Ben Shushan Ehrlich}, title = {{Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software}}, date = {2022-03-15}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/}, language = {English}, urldate = {2022-03-17} } @online{eidgenossenschaft:20190812:trojaner:60574cc, author = {Schweizerische Eidgenossenschaft}, title = {{Trojaner Emotet greift Unternehmensnetzwerke an}}, date = {2019-08-12}, organization = {Schweizerische Eidgenossenschaft}, url = {https://www.melani.admin.ch/melani/de/home/dokumentation/newsletter/Trojaner_Emotet_greift_Unternehmensnetzwerke_an.html}, language = {German}, urldate = {2020-01-08} } @online{eisenkraft:20190619:check:0a79b2b, author = {Kobi Eisenkraft and Moshe Hayun}, title = {{Check Point’s Threat Emulation Stops Large-Scale Phishing Campaign in Germany}}, date = {2019-06-19}, organization = {Check Point}, url = {https://blog.checkpoint.com/2019/06/19/sandblast-agent-phishing-germany-campaign-security-hack-ransomware/}, language = {English}, urldate = {2020-01-08} } @techreport{eker:20181112:national:b091aae, author = {Ensar Şeker and İhsan Burak Tolga}, title = {{National Cyber Security Organisation: TURKEY}}, date = {2018-11-12}, institution = {ccdcoe}, url = {https://ccdcoe.org/uploads/2018/10/CS_organisation_TUR_112018_FINAL.pdf}, language = {English}, urldate = {2022-02-02} } @online{elastic:20200630:detection:79c8fbe, author = {Elastic}, title = {{Detection Rules by Elastic}}, date = {2020-06-30}, organization = {Github (elastic)}, url = {https://github.com/elastic/detection-rules}, language = {English}, urldate = {2020-07-02} } @online{eldeeb:20190820:source:66124bb, author = {Sherif Eldeeb}, title = {{Source code: TinyMet}}, date = {2019-08-20}, organization = {Github (SherifEldeeb)}, url = {https://github.com/SherifEldeeb/TinyMet}, language = {English}, urldate = {2020-02-13} } @online{elder:20190625:ransomware:4b72d11, author = {Jeff Elder}, title = {{Ransomware strain Troldesh spikes again – Avast tracks new attacks}}, date = {2019-06-25}, organization = {Avast}, url = {https://blog.avast.com/ransomware-strain-troldesh-spikes}, language = {English}, urldate = {2020-01-09} } @online{electric:20220413:schneider:d9acfdc, author = {Schneider Electric}, title = {{Schneider Electric Security Bulletin SESB-2022-01: APT Cyber Tools Targeting ICS/SCADA Devices}}, date = {2022-04-13}, organization = {Schneider Electric}, url = {https://download.schneider-electric.com/files?p_Doc_Ref=SESB-2022-01}, language = {English}, urldate = {2022-04-15} } @online{elevenpaths:20180511:new:8c874e9, author = {ElevenPaths}, title = {{New report: Malware attacks Chilean banks and bypasses SmartScreen, by exploiting DLL Hijacking within popular software}}, date = {2018-05-11}, organization = {Think Big}, url = {http://blog.en.elevenpaths.com/2018/05/new-report-malware-attacks-chilean.html}, language = {English}, urldate = {2020-01-08} } @online{elias:20220125:prime:20a5b0c, author = {Marc Elias and Christiaan Beek and Alexandre Mundo and Leandro Velasco and Max Kersten}, title = {{Prime Minister’s Office Compromised: Details of Recent Espionage Campaign}}, date = {2022-01-25}, organization = {Trellix}, url = {https://www.trellix.com/en-gb/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html}, language = {English}, urldate = {2022-01-25} } @online{elias:20220418:conti:b15356d, author = {Marc Elias and Jambul Tologonov and Alexandre Mundo}, title = {{Conti Group Targets ESXi Hypervisors With its Linux Variant}}, date = {2022-04-18}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-group-targets-esxi-hypervisors-with-its-linux-variant.html}, language = {English}, urldate = {2022-04-20} } @online{elley:20180830:globeimposter:ccc8f6f, author = {Elley}, title = {{GlobeImposter which has more than 20 variants, is still wildly growing}}, date = {2018-08-30}, organization = {360 Total Security}, url = {https://blog.360totalsecurity.com/en/globeimposter-which-has-more-than-20-variants-is-still-wildly-growing/}, language = {English}, urldate = {2022-02-14} } @online{elliptic:20210719:revil:12b16d1, author = {Elliptic}, title = {{REvil Revealed - Tracking a Ransomware Negotiation and Payment}}, date = {2021-07-19}, organization = {Elliptic}, url = {https://www.elliptic.co/blog/revil-revealed-tracking-ransomware-negotiation-and-payment}, language = {English}, urldate = {2021-07-20} } @online{elliptic:20220506:ofac:10381ac, author = {Elliptic}, title = {{OFAC Sanctions Virtual Asset Mixer For the First Time to Combat North Korea’s Lazarus Group}}, date = {2022-05-06}, organization = {Elliptic}, url = {https://www.elliptic.co/blog/ofac-sanctions-virtual-asset-mixer-for-the-first-time-to-combat-north-koreas-lazarus-group}, language = {English}, urldate = {2022-05-24} } @online{ellis:20210223:surge:ceb4d8d, author = {Jessica Ellis}, title = {{Surge in ZLoader Attacks Observed}}, date = {2021-02-23}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/surge-in-zloader-attacks-observed}, language = {English}, urldate = {2021-02-25} } @online{ellis:20210421:zloader:09056bd, author = {Jessica Ellis}, title = {{ZLoader Dominates Email Payloads in Q1}}, date = {2021-04-21}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/zloader-dominates-email-payloads-in-q1}, language = {English}, urldate = {2021-04-28} } @online{ellis:20210504:alien:3773dbb, author = {Jessica Ellis}, title = {{Alien Mobile Malware Evades Detection, Increases Targets}}, date = {2021-05-04}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/alien-mobile-malware-evades-detection-increases-targets}, language = {English}, urldate = {2021-05-07} } @online{elnoty:20220206:deep:d85c241, author = {Abdallah Elnoty}, title = {{Deep Analysis of Vidar Information Stealer}}, date = {2022-02-06}, organization = {Github (eln0ty)}, url = {https://eln0ty.github.io/malware%20analysis/vidar/}, language = {English}, urldate = {2022-02-17} } @online{elnoty:20220216:playing:e5e3895, author = {Abdallah Elnoty}, title = {{Playing with AsyncRAT}}, date = {2022-02-16}, url = {https://eln0ty.github.io/malware%20analysis/asyncRAT/}, language = {English}, urldate = {2022-02-17} } @online{elnoty:20220304:hermeticwiperfoxblade:55a9f09, author = {Abdallah Elnoty}, title = {{HermeticWiper/FoxBlade Analysis (in-depth)}}, date = {2022-03-04}, organization = {Github (eln0ty)}, url = {https://eln0ty.github.io/malware%20analysis/HermeticWiper/}, language = {English}, urldate = {2022-03-04} } @online{elnoty:20220317:icedid:0b8ef27, author = {Abdallah Elnoty}, title = {{IcedID Analysis}}, date = {2022-03-17}, organization = {Github (eln0ty)}, url = {https://eln0ty.github.io/malware%20analysis/IcedID/}, language = {English}, urldate = {2022-03-22} } @online{elsad:20211117:astaroth:04788ff, author = {Amer Elsad}, title = {{Astaroth: Banking Trojan}}, date = {2021-11-17}, organization = {ARMOR}, url = {https://www.armor.com/resources/threat-intelligence/astaroth-banking-trojan/}, language = {English}, urldate = {2021-12-01} } @online{elsad:20220609:lockbit:3cfa609, author = {Amer Elsad and JR Gumarin and Abigail Barr}, title = {{LockBit 2.0: How This RaaS Operates and How to Protect Against It}}, date = {2022-06-09}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/lockbit-2-ransomware/}, language = {English}, urldate = {2022-06-11} } @online{elshinbary:20200505:deep:f5661cb, author = {Abdallah Elshinbary}, title = {{Deep Analysis of Ryuk Ransomware}}, date = {2020-05-05}, organization = {N1ght-W0lf Blog}, url = {https://n1ght-w0lf.github.io/malware%20analysis/ryuk-ransomware/}, language = {English}, urldate = {2020-05-10} } @online{elshinbary:20200621:deep:1a39a3f, author = {Abdallah Elshinbary}, title = {{Deep Analysis of SmokeLoader}}, date = {2020-06-21}, organization = {N1ght-W0lf Blog}, url = {https://n1ght-w0lf.github.io/malware%20analysis/smokeloader/}, language = {English}, urldate = {2020-06-22} } @online{elshinbary:20200704:deep:bdfbd8a, author = {Abdallah Elshinbary}, title = {{Deep Analysis of Anubis Banking Malware}}, date = {2020-07-04}, organization = {N1ght-W0lf Blog}, url = {https://n1ght-w0lf.github.io/malware%20analysis/anubis-banking-malware/}, language = {English}, urldate = {2020-07-06} } @online{elshinbary:20200715:deep:9b38d20, author = {Abdallah Elshinbary}, title = {{Deep Analysis of QBot Banking Trojan}}, date = {2020-07-15}, organization = {N1ght-W0lf Blog}, url = {https://n1ght-w0lf.github.io/malware%20analysis/qbot-banking-trojan/}, language = {English}, urldate = {2020-07-16} } @techreport{elwell:20181001:attcking:3c6d888, author = {Regina Elwell and Katie Nickels}, title = {{ATT&CKing FIN7}}, date = {2018-10-01}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf}, language = {English}, urldate = {2020-06-25} } @techreport{emerson:20210804:kitten:7033b95, author = {Richard Emerson and Allison Wikoff}, title = {{The Kitten that Charmed Me: The 9 Lives of a Nation State Attacker}}, date = {2021-08-04}, institution = {BlackHat}, url = {https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-The-Kitten-That-Charmed-Me-The-9-Lives-Of-A-Nation-State-Attacker.pdf}, language = {English}, urldate = {2021-08-23} } @online{emm:20200531:it:2ac44ec, author = {David Emm}, title = {{IT threat evolution Q1 2021}}, date = {2020-05-31}, organization = {Kaspersky}, url = {https://securelist.com/it-threat-evolution-q1-2021/102382/}, language = {English}, urldate = {2021-06-09} } @online{emsisoft:20161223:emsisoft:0ffcdde, author = {Emsisoft}, title = {{Emsisoft Decryptor for GlobeImposter}}, date = {2016-12-23}, url = {https://www.emsisoft.com/ransomware-decryption-tools/globeimposter}, language = {English}, urldate = {2022-02-14} } @online{enconado:20220517:in:c234e4d, author = {Berman Enconado and Laurie Kirk}, title = {{In hot pursuit of ‘cryware’: Defending hot wallets from attacks}}, date = {2022-05-17}, organization = {Microsoft Security}, url = {https://www.microsoft.com/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/}, language = {English}, urldate = {2022-05-25} } @online{endo:20180803:volatility:4597ce0, author = {Takuya Endo and Yukako Uchida}, title = {{Volatility Plugin for Detecting Cobalt Strike Beacon}}, date = {2018-08-03}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html}, language = {English}, urldate = {2019-07-11} } @techreport{eng:2011:nitro:656e464, author = {Erica Eng and Gavin O'Gorman}, title = {{The Nitro Attacks: Stealing Secrets from the Chemical Industry}}, date = {2011}, institution = {Symantec}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2011/the_nitro_attacks.pdf}, language = {English}, urldate = {2020-04-21} } @online{englert:20220225:reverse:fb0652a, author = {Thomas Englert}, title = {{Reverse Engineering | Hermetic Wiper}}, date = {2022-02-25}, organization = {EnglertOne}, url = {https://www.englert.one/hermetic-wiper-reverse-code-engineering}, language = {English}, urldate = {2022-03-01} } @online{enki:20210204:internet:cf43566, author = {ENKI}, title = {{Internet Explorer 0day 분석}}, date = {2021-02-04}, organization = {ENKI}, url = {https://enki.co.kr/blog/2021/02/04/ie_0day.html}, language = {Korean}, urldate = {2021-02-04} } @online{entdark:20170530:bankbot:4cb608c, author = {entdark}, title = {{Bankbot on Google Play}}, date = {2017-05-30}, organization = {Koodous}, url = {http://blog.koodous.com/2017/05/bankbot-on-google-play.html}, language = {English}, urldate = {2020-01-13} } @online{erdogan:20220512:network:3befbe5, author = {Onur Mustafa Erdogan and María José Erquiaga}, title = {{Network Footprints of Gamaredon Group}}, date = {2022-05-12}, organization = {Cisco}, url = {https://blogs.cisco.com/security/network-footprints-of-gamaredon-group}, language = {English}, urldate = {2022-05-17} } @online{eremin:20190322:azorult:3080ee5, author = {Alexander Eremin}, title = {{AZORult++: Rewriting history}}, date = {2019-03-22}, organization = {Kaspersky Labs}, url = {https://securelist.com/azorult-analysis-history/89922/}, language = {English}, urldate = {2019-12-20} } @online{eremin:20200324:people:752ed0f, author = {Alexander Eremin}, title = {{People infected with coronavirus are all around you, says Ginp Trojan}}, date = {2020-03-24}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/blog/ginp-trojan-coronavirus-finder/34338/}, language = {English}, urldate = {2020-03-26} } @online{eremin:20200623:oh:4e55504, author = {Alexander Eremin}, title = {{Oh, what a boot-iful mornin’ Rovnix bootkit back in business}}, date = {2020-06-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/oh-what-a-boot-iful-mornin/97365}, language = {English}, urldate = {2020-06-23} } @online{ergene:20210302:hunting:a538456, author = {Mehmet Ergene}, title = {{Hunting for the Behavior: Scheduled Tasks}}, date = {2021-03-02}, organization = {Medium Mehmet Ergene}, url = {https://mergene.medium.com/hunting-for-the-behavior-scheduled-tasks-9efe0b8ade40}, language = {English}, urldate = {2021-03-04} } @online{ergene:20210512:enterprise:09742df, author = {Mehmet Ergene}, title = {{Enterprise Scale Threat Hunting: Network Beacon Detection with Unsupervised ML and KQL — Part 1}}, date = {2021-05-12}, organization = {Medium Mehmet Ergene}, url = {https://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-machine-learning-and-277c4c30304f}, language = {English}, urldate = {2021-05-26} } @online{ergene:20210519:enterprise:f7fb481, author = {Mehmet Ergene}, title = {{Enterprise Scale Threat Hunting: Network Beacon Detection with Unsupervised ML and KQL — Part 2}}, date = {2021-05-19}, organization = {Medium Mehmet Ergene}, url = {https://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-ml-and-kql-part-2-bff46cfc1e7e}, language = {English}, urldate = {2021-05-26} } @online{ergene:20210601:detecting:5c4b6ff, author = {Mehmet Ergene}, title = {{Detecting Initial Access: HTML Smuggling and ISO Images — Part 1}}, date = {2021-06-01}, organization = {Medium mergene}, url = {https://mergene.medium.com/detecting-initial-access-html-smuggling-and-iso-images-part-1-c4f953edd13f}, language = {English}, urldate = {2021-06-09} } @online{ergene:20210601:detecting:d2d5dd8, author = {Mehmet Ergene}, title = {{Detecting Initial Access: HTML Smuggling and ISO Images — Part 2}}, date = {2021-06-01}, organization = {Medium mergene}, url = {https://mergene.medium.com/detecting-initial-access-html-smuggling-and-iso-images-part-2-f8dd600430e2}, language = {English}, urldate = {2021-06-09} } @online{erlich:20181025:game:af49ad1, author = {Chen Erlich and Yakov Goldberg}, title = {{Game of Trojans: Dissecting the #Khalesi Infostealer Malware}}, date = {2018-10-25}, organization = {enSilo}, url = {https://blog.ensilo.com/game-of-trojans-dissecting-khalesi-infostealer-malware}, language = {English}, urldate = {2020-01-06} } @online{erlich:20190716:avast:b3dec63, author = {Chen Erlich}, title = {{The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable}}, date = {2019-07-16}, organization = {enSilo}, url = {https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767}, language = {English}, urldate = {2020-04-13} } @online{erlich:20220504:operation:0d23595, author = {Chen Erlich and Fusao Tanida and Ofir Ozer and Akihiro Tomita and Niv Yona and Daniel Frank and Assaf Dahan}, title = {{Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques}}, date = {2022-05-04}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques}, language = {English}, urldate = {2022-05-09} } @online{erlich:20220504:operation:e40ec58, author = {Chen Erlich and Fusao Tanida and Ofir Ozer and Akihiro Tomita and Niv Yona and Daniel Frank and Assaf Dahan}, title = {{Operation CuckooBees: A Winnti Malware Arsenal Deep-Dive}}, date = {2022-05-04}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/operation-cuckoobees-a-winnti-malware-arsenal-deep-dive}, language = {English}, urldate = {2022-05-05} } @online{erquiaga:20190412:analysis:bb76a6f, author = {María José Erquiaga}, title = {{Analysis of an IRC based Botnet}}, date = {2019-04-12}, organization = {Stratosphere Lab}, url = {https://www.stratosphereips.org/blog/2019/4/12/analysis-of-a-irc-based-botnet}, language = {English}, urldate = {2020-01-10} } @online{erquiaga:20220328:emotet:d36774a, author = {María José Erquiaga and Onur Erdogan and Adela Jezkova}, title = {{Emotet is Back}}, date = {2022-03-28}, organization = {Cisco}, url = {https://blogs.cisco.com/security/emotet-is-back}, language = {English}, urldate = {2022-03-30} } @online{eschweiler:20181025:cutwail:494e458, author = {Sebastian Eschweiler and Brett Stone-Gross and Bex Hartley}, title = {{Cutwail Spam Campaign Uses Steganography to Distribute URLZone}}, date = {2018-10-25}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/cutwail-spam-campaign-uses-steganography-to-distribute-urlzone/}, language = {English}, urldate = {2019-12-20} } @online{escinsecurity:20180129:weekly:2cd5b6e, author = {EscInSecurity}, title = {{Weekly TrickBot Analysis - End of w/c 22-Jan-2018 to 1000119}}, date = {2018-01-29}, organization = {EscInSecurity}, url = {https://escinsecurity.blogspot.de/2018/01/weekly-trickbot-analysis-end-of-wc-22.html}, language = {English}, urldate = {2020-01-09} } @online{esentire:20210405:hackers:d45f86f, author = {eSentire}, title = {{Hackers Spearphish Professionals on LinkedIn with Fake Job Offers, Infecting them with Malware, Warns eSentire}}, date = {2021-04-05}, organization = {eSentire}, url = {https://www.esentire.com/security-advisories/hackers-spearphish-professionals-on-linkedin-with-fake-job-offers-infecting-them-with-malware-warns-esentire}, language = {English}, urldate = {2021-04-06} } @online{esentire:20210413:hackers:bc5d7af, author = {eSentire}, title = {{Hackers Flood the Web with 100,000 Malicious Pages, Promising Professionals Free Business Forms, But Delivering Malware, Reports eSentire}}, date = {2021-04-13}, organization = {eSentire}, url = {https://www.esentire.com/security-advisories/hackers-flood-the-web-with-100-000-malicious-pages-promising-professionals-free-business-forms-but-are-delivering-malware-reports-esentire}, language = {English}, urldate = {2021-04-16} } @online{esentire:20210721:notorious:9d3ca65, author = {eSentire}, title = {{Notorious Cybercrime Gang, FIN7, Lands Malware in Law Firm Using Fake Legal Complaint Against Jack Daniels’ Owner, Brown-Forman Inc.}}, date = {2021-07-21}, organization = {eSentire}, url = {https://www.esentire.com/security-advisories/notorious-cybercrime-gang-fin7-lands-malware-in-law-firm-using-fake-legal-complaint-against-jack-daniels-owner-brown-forman-inc}, language = {English}, urldate = {2021-07-26} } @online{esentire:20211118:emotet:ded09a3, author = {eSentire}, title = {{Emotet Activity Identified}}, date = {2021-11-18}, organization = {eSentire}, url = {https://www.esentire.com/security-advisories/emotet-activity-identified}, language = {English}, urldate = {2021-11-19} } @online{esentire:20220321:esentire:d07192a, author = {eSentire}, title = {{eSentire Threat Intelligence Malware Analysis: HermeticWiper & PartyTicket}}, date = {2022-03-21}, organization = {eSentire}, url = {https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-hermeticwiper-partyticket}, language = {English}, urldate = {2022-03-25} } @online{eset:20090805:pc:16d1905, author = {Eset}, title = {{PC Users Threatened by Conficker Worm and new Internet-browser Modifier}}, date = {2009-08-05}, organization = {ESET Research}, url = {https://www.eset.com/int/about/newsroom/press-releases/announcements/press-threatsense-report-july-2009/}, language = {English}, urldate = {2020-03-19} } @online{eset:20170627:new:891fe4f, author = {Eset}, title = {{New WannaCryptor‑like ransomware attack hits globally: All you need to know}}, date = {2017-06-27}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine/}, language = {English}, urldate = {2020-01-08} } @techreport{eset:201801:diplomats:89688b4, author = {Eset}, title = {{Diplomats in Eastern Europe bitten by a Turla mosquito}}, date = {2018-01}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf}, language = {English}, urldate = {2020-01-08} } @online{eset:20200423:eset:ac2e55b, author = {Eset}, title = {{ESET researchers disrupt cryptomining botnet VictoryGate}}, date = {2020-04-23}, organization = {ESET Research}, url = {https://www.eset.com/int/about/newsroom/press-releases/research/eset-researchers-disrupt-cryptomining-botnet-victorygate/}, language = {English}, urldate = {2022-02-19} } @online{esetresearch:20220504:twitter:48f1a89, author = {Twitter (@ESETresearch)}, title = {{Twitter thread on code similarity analysis, focussing on IsaacWiper and recent Cluster25 publication}}, date = {2022-05-04}, organization = {Twitter (@ESETresearch)}, url = {https://twitter.com/ESETresearch/status/1521910890072842240}, language = {English}, urldate = {2022-05-05} } @online{esparza:20091001:detecting:3586ef7, author = {Jose Miguel Esparza}, title = {{Detecting ZeuS}}, date = {2009-10-01}, organization = {Eternal Todo}, url = {http://eternal-todo.com/blog/detecting-zeus}, language = {English}, urldate = {2020-01-10} } @online{esparza:20091106:new:f49d94c, author = {Jose Miguel Esparza}, title = {{New ZeuS binary}}, date = {2009-11-06}, organization = {Eternal Todo}, url = {http://eternal-todo.com/blog/new-zeus-binary}, language = {English}, urldate = {2020-01-08} } @online{esparza:20100202:zeus:c1a8f1f, author = {Jose Miguel Esparza}, title = {{ZeuS spreading via Facebook}}, date = {2010-02-02}, organization = {EternalTODO Blog}, url = {http://eternal-todo.com/blog/zeus-spreading-facebook}, language = {English}, urldate = {2019-07-11} } @online{esparza:20130901:yet:d6bf0b6, author = {Jose Miguel Esparza}, title = {{Yet another Andromeda / Gamarue analysis}}, date = {2013-09-01}, organization = {Eternal Todo}, url = {https://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis}, language = {English}, urldate = {2020-01-10} } @online{esparza:20141005:dissecting:93f306b, author = {Jose Miguel Esparza}, title = {{Dissecting SmokeLoader (or Yulia's sweet ass proposition)}}, date = {2014-10-05}, organization = {Eternal Todo}, url = {https://eternal-todo.com/blog/smokeloader-analysis-yulia-photo}, language = {English}, urldate = {2020-01-13} } @online{esparza:20150417:andromedagamarue:2330f4e, author = {Jose Miguel Esparza}, title = {{Andromeda/Gamarue bot loves JSON too (new versions details)}}, date = {2015-04-17}, organization = {Eternal Todo}, url = {https://eternal-todo.com/blog/andromeda-gamarue-loves-json}, language = {English}, urldate = {2020-01-10} } @online{esparza:20191106:spanish:eaf5520, author = {Jose Miguel Esparza and Blueliv Team}, title = {{Spanish consultancy Everis suffers BitPaymer ransomware attack: a brief analysis}}, date = {2019-11-06}, organization = {Blueliv}, url = {https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/everis-bitpaymer-ransomware-attack-analysis-dridex/}, language = {English}, urldate = {2020-01-08} } @online{ettlinger:20211109:invisible:7436e05, author = {Wolfgang Ettlinger}, title = {{The Invisible JavaScript Backdoor}}, date = {2021-11-09}, organization = {Certitude}, url = {https://certitude.consulting/blog/en/invisible-backdoor/}, language = {English}, urldate = {2021-12-06} } @online{eurojust:20210127:worlds:d416adc, author = {Eurojust}, title = {{World’s most dangerous malware EMOTET disrupted through global action}}, date = {2021-01-27}, organization = {Eurojust}, url = {https://www.eurojust.europa.eu/worlds-most-dangerous-malware-emotet-disrupted-through-global-action}, language = {English}, urldate = {2021-01-27} } @online{europol:20140710:global:63da679, author = {Europol}, title = {{Global Action Targeting Shylock Malware}}, date = {2014-07-10}, organization = {Europol}, url = {https://www.europol.europa.eu/newsroom/news/global-action-targeting-shylock-malware}, language = {English}, urldate = {2019-12-18} } @online{europol:20171204:andromeda:2024e4d, author = {Europol}, title = {{Andromeda botnet dismantled in international cyber operation}}, date = {2017-12-04}, organization = {Europol}, url = {https://www.europol.europa.eu/newsroom/news/andromeda-botnet-dismantled-in-international-cyber-operation}, language = {English}, urldate = {2020-01-09} } @online{europol:20181025:pay:d82bbfc, author = {Europol}, title = {{Pay No More: universal GandCrab decryption tool released for free on No More Ransom}}, date = {2018-10-25}, organization = {Europol}, url = {https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom}, language = {English}, urldate = {2019-11-26} } @online{europol:20190516:goznym:37f6fa9, author = {Europol}, title = {{GOZNYM MALWARE: CYBERCRIMINAL NETWORK DISMANTLED IN INTERNATIONAL OPERATION}}, date = {2019-05-16}, organization = {Europol}, url = {https://www.europol.europa.eu/newsroom/news/goznym-malware-cybercriminal-network-dismantled-in-international-operation}, language = {English}, urldate = {2019-12-18} } @online{europol:20201217:spain:9b7a4ef, author = {Europol}, title = {{Spain dismantles top Russian-speaking organised crime network that had infiltrated public institutions}}, date = {2020-12-17}, organization = {Europol}, url = {https://www.europol.europa.eu/newsroom/news/spain-dismantles-top-russian-speaking-organised-crime-network-had-infiltrated-public-institutions}, language = {English}, urldate = {2020-12-18} } @online{europol:20211029:12:5c0fd59, author = {Europol}, title = {{12 targeted for involvement in ransomware attacks against critical infrastructure}}, date = {2021-10-29}, organization = {Europol}, url = {https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure}, language = {English}, urldate = {2021-11-02} } @online{europol:20211108:five:20be45a, author = {Europol}, title = {{Five Affiliates to Sodinokibi/REvil Unplugged}}, date = {2021-11-08}, organization = {Europol}, url = {https://www.europol.europa.eu/newsroom/news/five-affiliates-to-sodinokibi/revil-unplugged}, language = {English}, urldate = {2021-11-08} } @online{europol:20220601:takedown:237ca0d, author = {Europol}, title = {{Takedown of SMS-based FluBot spyware infecting Android phones}}, date = {2022-06-01}, organization = {Europol}, url = {https://www.europol.europa.eu/media-press/newsroom/news/takedown-of-sms-based-flubot-spyware-infecting-android-phones}, language = {English}, urldate = {2022-06-02} } @online{evans:20190917:cryptocurrency:8f3a9e9, author = {Christopher Evans and David Liebenberg}, title = {{Cryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda”}}, date = {2019-09-17}, organization = {Talos}, url = {https://blog.talosintelligence.com/2019/09/panda-evolution.html}, l